The Intelligence Arms Race: How Threat Intelligence Evolved at RSAC 2025
In a world where digital threats evolve faster than our defenses, the latest developments from RSAC 2025 reveal how threat intelligence is becoming both more sophisticated and more accessible. But at what cost?
The annual RSA Conference has long served as cybersecurity's crystal ball, offering glimpses into the industry's future. This year's gathering, which concluded on May 1st at San Francisco's Moscone Center, didn't disappoint. With over 41,000 attendees and 650+ exhibitors, RSAC 2025 showcased a fundamental shift in how we approach digital security—particularly in the realm of threat intelligence[4].
As I navigated the bustling exhibition halls and packed keynotes last week, one thing became abundantly clear: we're witnessing not just an evolution but a revolution in how organizations detect, analyze, and respond to cyber threats. The convergence of AI, attack surface management, and threat intelligence has created a perfect storm of innovation—and potential risk.
The Rise of Autonomous Threat Intelligence
The most striking development at RSAC 2025 wasn't just the presence of AI in cybersecurity solutions—that's been happening for years—but rather the dramatic shift toward fully autonomous "agentic AI" systems capable of making security decisions without human intervention[4].
Where previous generations of security tools merely flagged suspicious activity for human analysts, today's advanced platforms are increasingly capable of completing the entire OODA Loop (Observe, Orient, Decide, Act) independently. As Sounil Yu, CTO and co-founder of Knostic, explained during a packed session on AI autonomy, these systems can now perform all four phases—including making decisions once reserved exclusively for human analysts[4].
This autonomy represents both opportunity and peril. While Microsoft's Security Copilot agents and Google's Gemini security offerings demonstrated impressive capabilities in reducing analyst workloads, industry leaders like Jeetu Patel, EVP and Chief Product Officer at Cisco, cautioned that autonomous AI agents introduce "a whole new class of risks that we've never seen before"[4].
Attack Surface Management Takes Center Stage
Criminal IP, a global cybersecurity platform specializing in AI-powered threat intelligence, made waves at RSAC by showcasing its latest innovations in Attack Surface Management (ASM) and Cyber Threat Intelligence (CTI)[3]. With a presence in over 150 countries and partnerships with more than 40 global cybersecurity leaders—including Cisco, Tenable, Fortinet, VirusTotal, and Snowflake—the company has positioned itself as a trusted leader in providing real-time, actionable insights to proactively detect and respond to advanced cyber threats[3].
What makes Criminal IP's approach particularly noteworthy is how it combines OSINT-based data analytics with AI to create a comprehensive threat intelligence ecosystem. By exhibiting at Booth S-634 in the South Expo Hall, the company demonstrated how organizations can leverage these tools to gain visibility into their expanding digital footprints—a critical capability in an era where attack surfaces continue to grow exponentially[3].
The Shifting Tactics of Threat Actors
While conference exhibitors showcased their latest defensive technologies, the threat landscape itself continues to evolve in concerning ways. According to IBM's recently released 2025 X-Force Threat Intelligence Index, cybercriminals are increasingly pivoting to stealthier tactics, with lower-profile credential theft spiking while ransomware attacks on enterprises declined[5].
The report, which tracks attack patterns from incident response engagements and dark web intelligence, revealed an 84% increase in emails delivering infostealers in 2024 compared to the previous year[5]. This shift represents a strategic pivot by threat actors who are adapting to improved ransomware defenses by focusing on credential theft—a method that provides multiple pathways to quickly access, exfiltrate, and monetize sensitive information.
Perhaps most concerning is that nearly one in three security incidents observed in 2024 resulted in credential theft, as attackers invest in multiple pathways to quickly access and monetize login information[5]. As Mark Hughes, Global Managing Partner of Cybersecurity Services at IBM, noted, "Cybercriminals are most often breaking in without breaking anything—capitalizing on identity gaps overflowing from complex hybrid cloud environments that offer attackers multiple access points"[5].
Critical Infrastructure Remains in the Crosshairs
The IBM X-Force report also highlighted that critical infrastructure organizations accounted for 70% of all attacks that the X-Force team responded to last year, with more than one quarter of these attacks caused by vulnerability exploitation[5]. This trend was further evidenced by Check Point Research's April 28th Threat Intelligence Report, which documented new vulnerabilities in SAP NetWeaver and Craft CMS that could lead to remote code execution[2].
These findings underscore the ongoing tension between offensive and defensive capabilities. As security vendors showcase increasingly sophisticated threat intelligence platforms, attackers continue to find new ways to exploit vulnerabilities in essential systems.
What This Means for the Future
The developments showcased at RSAC 2025 and documented in recent threat intelligence reports point to several important trends that will shape cybersecurity in the coming months:
First, the line between human and machine decision-making in security operations will continue to blur. As agentic AI systems become more capable, organizations will need to carefully consider which security decisions can be safely delegated to autonomous systems and which require human judgment.
Second, the focus on credential theft over ransomware suggests that attackers are adapting to improved defenses by seeking paths of least resistance. This shift demands that organizations pay particular attention to identity management and authentication systems.
Finally, the growing sophistication of threat intelligence platforms means that security teams have more data than ever before—but translating that data into actionable insights remains a significant challenge.
As we process the lessons from RSAC 2025, one thing is certain: the intelligence arms race between attackers and defenders shows no signs of slowing down. Organizations that can effectively leverage the latest threat intelligence capabilities while maintaining appropriate human oversight will be best positioned to navigate the increasingly complex threat landscape.
In the words of an industry veteran I spoke with at the conference, "We're not just building better mousetraps anymore—we're creating entire ecosystems that can predict where the mice will appear before they even leave their holes." Whether those predictions prove accurate remains to be seen, but the tools to make them have never been more powerful.