RSA 2025 was full of AI claims - but what were security leaders really worried about?
Eliot is joined by Noora Ahmed-Moshe (VP of Strategy, Hoxhunt) for a no-spin debrief on RSA 2025. With AI hype at full volume and booth gimmicks ranging from goats to deepfake demos, it’s easy to miss the real signals in the noise. Eliot and Noora cut through the chaos to unpack what security leaders were actually focused on - and what it means for your strategy.
To get future episodes and the latest threats sent straight to your inbox, join the All Things Human Risk Management Newsletter: https://hoxhunt.com/all-things-human-risk
Host links:
Eliot Baker: https://www.linkedin.com/in/eliotebaker/
Noora Ahmed-Moshe: https://linkedin.com/in/noora-ahmed-moshe
In this episode of the All Things Human Risk Management Podcast, Eliot Baker and Noora Ahmed-Moshe, VP of Strategy at Hoxhunt, dissect the key human-centric insights emerging from RSA 2025.
While the buzz was predictably dominated by AI, the most meaningful takeaways were about people, risk, and resilience.
The latest data confirms that human behavior remains the weakest link in cybersecurity. Both the CrowdStrike threat report and Verizon’s DBIR emphasize how social engineering, credential misuse, and phishing still account for the majority of breaches. Reporting behavior (not just click rates) has emerged as a critical metric of program effectiveness, shifting focus from awareness to action.
“The human element is still the dominant factor in data breaches, being involved in 60% of data breaches.”
Compliance-based training remains the status quo for many organizations, but that model is under pressure. RSA conversations revealed a growing disillusionment with programs that only satisfy regulatory checklists.
Leaders are searching for approaches that drive measurable outcomes, like improved reporting and reduced time to detection. The intent is shifting from minimal legal coverage to meaningful behavioral change.
“People were saying: we're basically trying to get compliance... but we just wanna know if there is something else out there.”
Agentic AI - a term previously confined to research - emerged as a live topic.
Hoxhunt’s own AI spear phishing agent, capable of outperforming seasoned red teamers, exemplifies how autonomous AI can escalate threat sophistication. At RSA, this research sparked concerns about attackers weaponizing AI to generate highly personalized, scalable, and fast phishing campaigns, transforming spear phishing into a commodity.
“An AI spear phishing agent that Hoxhunt developed... outperformed elite human red teams.”
Even as defenders recognize the rising threat of AI-enhanced attacks, there's hesitation to embrace AI-based training tools internally. The barrier isn’t just technical - it’s psychological.
Many security leaders fear backlash from users, confusion among staff, and unintended consequences of simulating advanced threats without sufficient education or controls. This tension is stalling proactive defense development.
“There’s a lot of misunderstanding and fear from security leaders.”
Video deepfakes are evolving, but audio is already being exploited to devastating effect in vishing attacks... often using minimal input.
“Deepfake audio even way more than deepfake video... is a real today problem for a lot of security leaders.”
Security teams worry about attacks spreading via WhatsApp and other unofficial channels used on company phones, yet policies lag behind behavior.
“People do share information on WhatsApp... and WhatsApp is one of the key vectors.”
Amid AI hype and expanding threat surfaces, security professionals face burnout. Conversations increasingly focus on sustaining defender wellbeing.
“We know that it’s largely a very stressful job.”
A major undercurrent at RSA was fatigue with static, legacy SAT tools. Leaders are hunting for solutions that prove real behavior change.
“We're just stagnant... negligible threat reporting... but we are checking the box.”
For the first time, state governments showed interest in measurable outcomes, not just regulatory minimums. This marks a strategic turning point.
“They were trying to find a new way... that would measurably impact risk.”
RSA booths were flooded with AI claims... but buyers are learning to distinguish real capability from buzzword marketing.
“It’s kind of like in 2018... everybody said they were on the blockchain.”