Shostack + Friends Blog

 

Sunshine and Security – Kymberlee’s week at BSides SF and RSAC 2026

Kymberlee Price, Shostack + Associates

Some of the best parts of BSidesSF and RSAC 2026 don't make it into session recordings...

RSAC and BSidesSF 2026 brought together practitioners, researchers, and next-generation security professionals for conversations about breach transparency, AI's impact on threat modeling, and what it actually takes to build more secure systems. Here's what the week looked like from Kymberlee.

BSides SF

BSides is always great for seeing friends from the community. Some of my favorite moments this year include catching up with Caleb Sima about AI use – which is always a lively conversation. Just as BSidesSF kicked off, he posted a really important LinkedIn post about Agentic AI security that I found myself cheering for, not just because I agree with him, but because it is critical for industry leaders that champion AI and LLMs to be balanced in that guidance. LLMs are great tools for many things, but they’re still just tools that require governance and thoughtful implementation to reduce risk.

Another standout memory is Katie Moussouris’s keynote "Against the Tyranny of Optimization" — a clear-eyed look at how security and economic forces are intertwined, and why organizations are already behind on what AI is changing. Also, there was singing! Talks aren't published yet, but when they are, you'll find them on the Security BSides San Francisco YouTube channel.

RSA 2026

My RSAC started in the audience for Adam and Adrian Sanabria’s Monday morning presentation “A Failure Is a Terrible Thing to Waste: The Case for Breach Transparency.” Taking a page from the aviation industry, we can all learn from one another to create a safer industry if we share information. I’ve had my AppSec teams do this in the past – something we called “ghost stories” where we would deconstruct another company’s breach based on publicly available data and try and identify how our defenses would stack up to a similar attack – these turned into super useful tabletop exercises.

Jon Callas and Kymberlee Price

Later that evening, Adam and I had the pleasure of celebrating our friend and colleague Jon Callas as he received a Champions of Security award from Portal26. Jon’s career is legendary, from DEC to PGP to Apple to EFF... and most recently, we co-founded Zatik Security. Jon has built so many things that make technology safer – this recognition is well deserved.

On Tuesday the Shostack + Associates team attended Threat Modeling Connect’s RSAC 2026 Meetup “Tacos and Threats”. It was great getting so many members of our team together in person, with Adam, Jamie, Michael, Shoshana and I all at the event. Everyone had a great time talking to threat modeling enthusiasts at RSA, with Jamie leading useful table discussions about scale and using AI to do threat modeling, while Mike discussed threat modeling of AI applications at another table. If you missed meeting up with us and getting a discount code for the upcoming Threat Modeling AI Systems course, I might have a few left... ping me on LinkedIn. 😊

The Hallway Track

RSAC runs on scheduled sessions and chance encounters in roughly equal measure. My week leaned toward the latter, with sunny courtyards being my main office thanks to the beautiful weather in San Francisco last week. An unexpected encounter with Mike Reavey, whom I first met at Black Hat in 2003, turned to discussion on vibe coding (specifically a mobile app called SneakerVault and why security leaders need to experience the power of Claude Code for themselves). A quiet bench away from the crowds led to a chance conversation with Ram Shankar Siva Kumar about AI Threat Modeling. Finally getting time to sit down with Daniel Cuthbert for a wide-ranging conversation from ransomware prevention and tech industry trends to fashion was long overdue. And while I forgot to take a selfie, the conversation I had with Michael Roytman at Empirical Security about their approach to product management and feature development as well as their ideal customer profile was fascinating. I can’t wait to see where he and the team take the company.

Mike Reavey and Kymberlee Price

Ram Shankar Siva Kumar and Kymberlee Price

Daniel Cuthbert and Kymberlee Price

There were dozens more great conversations with clients, partners, and friends - truly too many to list them all. Thank you to everyone who made time for a meeting, meal, or just paused in their day to chat when we ran into one another at the con. It was great to see you all!

Image by Gemini: "san francisco on a sunny day. conference attendees talking security. zoomed out, less focus on people's faces."