I mapped every cybersecurity startup at RSA 2026. 303 companies across 18 categories. The top three categories alone tell you where the market is heading — and the biggest story is one that barely existed a year ago.
The full interactive database is at jakee.vc/rsa-2026-landscape.html — click to zoom, visit any company’s site, or use AI-powered semantic search. Below, we break down the data.
The Top 3 Categories
Agent Security / NHI (41 companies) — Securing AI agents, non-human identities, and MCP connections. This category barely existed a year ago. Geordie AI won the Innovation Sandbox. Oasis raised $120M. As AI agents proliferate in production — each with its own credentials, API keys, and access patterns — non-human identities now outnumber human ones at most enterprises. The security tooling is racing to catch up.
Dev Security / AppSec (37 companies) — No longer just SAST/SCA. Now it’s securing AI coding tools and the code they generate. Palo Alto acquired Koi for ~$400M. Snyk launched MCP governance. With AI-generated code becoming the norm, the attack surface in developer workflows has expanded dramatically.
AI SOC / SecOps (34 companies) — The SOC is being rebuilt AI-native. 7AI raised the largest cyber Series A ever ($130M). Databricks CEO said “AI will kill the SIEM.” The chronic shortage of security analysts — an estimated 3.4 million unfilled positions globally — is being addressed not by hiring, but by replacing Tier 1 and Tier 2 analysts with AI agents that triage, investigate, and respond autonomously.
Other Clusters Worth Watching
AI Pen Testing (16 companies) — Autonomous offensive security is now its own category. XBOW, founded by GitHub Copilot’s creator, hit $1B+ valuation. Novee raised $51.5M eight months after founding. The premise: AI agents that find vulnerabilities faster than human red teams, running continuously instead of annually.
Data Pipelines (10 companies) — The quiet infrastructure play. Cribl at $3.5B proved the market. Now startups are building AI-native pipelines that cut SIEM costs 50–90% and make security data AI-ready. Unsexy but essential — every AI SOC tool needs clean, routable data underneath it.
Human Risk (12 companies) — AI-powered social engineering simulations — deepfakes, voice cloning, smishing — replacing checkbox compliance training. The attack surface shifted from phishing emails to AI-generated voice calls, and the training has to follow.
Explore the full database of 303 companies at jakee.vc/rsa-2026-landscape.html. Interactive visualizations built with Inktype.