RSA 2026 Field Guide

← Back

Credence Technical Cheat Sheet

Public cryptographic trust registry for MCP servers. Scans source code, verifies author identity, runs adversarial multi-agent debate, publishes signed attestation.

"npm audit for MCP servers" — except it also verifies identity and uses 5 competing AI agents to catch what scanners miss.

Pipeline: Scan. Debate. Attest.

Stage 1 — Verify Identity (Provenance)

Queries GitHub API: account age, contributor history, fork status, coordinated fork networks
Detects SmartLoader pattern: fork + original author excluded = hard reject, score forced to zero

Stage 2 — Scan the Code (8 scanners)

Semgrep (SAST), Bandit (Python), Trivy (CVEs), Gitleaks (secrets), npm-audit, pip-audit, ESLint
Custom MCP Tool Analyzer: 107 signatures across 13 check functions
Detects: prompt injection, zero-width Unicode (15 codepoints), tool poisoning, dynamic descriptions, schema poisoning, typosquatting

Stage 3 — ThinkTank (Adversarial Debate)

"One opinion isn't verification."

Agent	Stance	Role
Adversarial Attacker	Skeptic	Maps attack vectors, constructs exploitation scenarios
Supply Chain Analyst	Skeptic	Verifies provenance integrity, detects tampering
Compliance Reviewer	Neutral	Evaluates against OWASP/CWE/SLSA frameworks
Devil's Advocate	Believer	Identifies false positives, defends legitimate patterns
Pattern Matcher	Believer	Compares against known attack signatures

Up to 5 rounds, early termination when positions stabilize
Every position shift logged (audit trail)
Cannot raise score more than +10 above deterministic preliminary
Cannot override provenance hard-rejects

Research backing: ICML 2024 (Du et al.) — multi-agent debate reduces hallucination. Zhou & Chen A-HMAD — diverse roles achieve 4-6% higher accuracy, 30% fewer factual errors.

Stage 4 — Sign & Publish

Ed25519 cryptographic signature over full attestation
Pinned to exact commit SHA
Published as verifiable JSON to public registry

ASEM Framework

Agentic Social Engineering Model — maps traditional social engineering onto agentic AI systems.

14 attack categories: 10 from classical SE (pretexting, phishing, baiting, quid pro quo, tailgating, vishing, authority compliance, watering hole, consensus manipulation) + 4 AI-native (distillation/extraction, search poisoning, memory poisoning, alignment drift)
6 archetypes: MASON (builder), SAGE (analyst), MARSHALL (operator), HARPER (communicator), SCOUT (watcher), REED (advisor)
4 deployments: Solo Operator, Tool User, Social Agent, Autonomous
3 trust tiers: Constrained → Characterized → Bonded

Key insight: Most guardrails operate at per-message level. No existing tool does session-level social engineering pattern detection against LLMs. ASEM fills that gap.

The 82-to-15 Story

A server passed all 8 scanners with zero findings. Scanner score: 82/100. ThinkTank dropped it to 15/100. Provenance was unverifiable — empty owner, zero-day account, zero contributors. The Devil's Advocate (believer agent) flipped from APPROVE (0.75 confidence) to REJECT (0.45 confidence) by round 3. Final: REJECTED at 98% confidence. No scanner would have caught it.

Scoring Weights

Dimension	Weight	Risk Tier
Provenance	40%	Critical (OpenSSF)
Behavioral	30%	High
Security	30%	High

Hard override: ANY dimension ≤39 caps aggregate at 39
Provenance hard-reject (0) forces aggregate to 0
Verdict thresholds: 39/69/89 (CVSS v4.0 aligned)

Pre-Runtime vs Runtime

	Pre-Runtime (Credence)	Runtime (Viberails etc.)
Question	"Should this entity be trusted at all?"	"Should this action be allowed right now?"
When	Before installation	After agent connects
How	Source code, identity, provenance	Policy-based allow/deny/audit
Output	Cryptographic attestation	Action enforcement

Complementary framing: "You built the enforcement layer. I built the trust verification layer that feeds it. Attestation scores flow into runtime policy decisions."

Framework Alignment

CVSS v4.0 — verdict thresholds
OpenSSF Scorecard — severity weights
SLSA v1.0 — provenance levels
FIPS 199 — high-water-mark overrides
OWASP Risk Rating — category multipliers
NIST SP 800-161 — supply chain risk management

← Back

OWASP Top 10 for LLMs (2025)

Updated from 2023. The definitive risk taxonomy for LLM applications. Major shift toward agentic AI risks.

↗ owasp.org/llm-top-10

2025 key shifts: Sensitive Info Disclosure jumped #6→#2. Supply Chain jumped #5→#3. Two new entries (LLM07, LLM08). Strong emphasis on RAG and agentic AI.

LLM01 — Prompt Injection

Attacker manipulates LLM via crafted inputs (direct) or poisoned external content (indirect). Bypasses instructions, exfiltrates data, triggers unintended actions. Unchanged at #1.

Credence relevance: MCP Tool Analyzer detects prompt injection patterns in tool descriptions and dynamic content.

LLM02 — Sensitive Information Disclosure

LLM reveals PII, credentials, proprietary data in responses. Training data memorization, context window leaks, RAG data exposure. Jumped from #6 — elevated due to RAG adoption.

LLM03 — Supply Chain Vulnerabilities

Compromised training data, poisoned models, malicious plugins/extensions. Tampered model weights, vulnerable dependencies, backdoored tools. Jumped from #5.

This is Credence's core domain. MCP servers are the supply chain attack surface for agentic AI. 17K+ MCP servers in the wild, 36.7% have SSRF vulns (BlueRock).

LLM04 — Data and Model Poisoning

Manipulation of training, fine-tuning, or embedding data to introduce backdoors, biases, or vulnerabilities. Expanded to include fine-tuning and RAG poisoning.

LLM05 — Insecure Output Handling

LLM output passed to backend functions without validation. Enables XSS, SSRF, privilege escalation, RCE. Treat LLM output as untrusted user input.

LLM06 — Excessive Agency

Agents granted too many permissions, functions, or autonomy beyond intended use. Critical for agentic systems. Reframed and expanded for agentic AI surge.

Key agentic risk. Runtime enforcement (Viberails) addresses this. Pre-runtime trust verification (Credence) prevents connecting to tools that enable it.

LLM07 — System Prompt Leakage 🆕

System prompts exposed, revealing internal rules, filters, credentials, backend architecture. Don't rely on system prompts for security — use runtime enforcement.

LLM08 — Vector and Embedding Weaknesses 🆕

RAG systems vulnerable via vector/embedding exploitation — data injection, unauthorized access, model poisoning. Enforce strict access partitioning.

LLM09 — Misinformation

False but credible content through hallucinations. Renamed from "Overreliance" — now framed as security risk, not quality issue.

LLM10 — Unbounded Consumption

Uncontrolled resource usage — performance degradation, denial-of-wallet attacks. Renamed from "Denial of Service" — expanded to include cost exhaustion.

AIBOM (AI Bill of Materials)

Machine-readable inventory of datasets, models, software components, and controls in an AI system. Helen Oakley (OWASP, Monday evening) co-leads the AIBOM generator project — produces CycloneDX-format BOMs for Hugging Face models.

Talking point with Helen: "The completeness problem — most model cards are too sparse to generate useful AIBOMs. How are you solving that?"

↗ OWASP AIBOM Project

← Back

CoSAI & MCP Security

CoSAI (Coalition for Secure AI)

Industry coalition (Google, Microsoft, Amazon, NVIDIA, etc.) publishing frameworks for securing AI systems. Published MCP security white paper covering 12 threat categories and ~40 specific threats.

↗ cosai.dev

CoSAI MCP Threat Taxonomy (12 Categories)

MCP-T1: Improper Authentication & Identity Management
MCP-T2: Missing/Improper Access Control
MCP-T3: Input Validation/Sanitization Failures
MCP-T4: Input/Instruction Boundary Confusion (data misread as instructions)
MCP-T5: Inadequate Data Protection & Confidentiality
MCP-T6: Missing Integrity/Verification Controls
MCP-T7: Session & Transport Security Failures
MCP-T8: Network Binding/Isolation Failures
MCP-T9: Trust Boundary & Privilege Design Failures
MCP-T10: Resource Management/Rate Limiting Absence
MCP-T11: Supply Chain & Lifecycle Security Failures
MCP-T12: Insufficient Logging, Monitoring & Auditability

CoSAI recommends: zero-trust for AI agents, sandboxing, cryptographic verification of tool providers — exactly what Credence does at the pre-runtime layer.

MCP Attack Surface

Key Vulnerabilities

mcp-remote CVE-2025-6514 (CVSS 9.6) — OAuth token theft via malicious MCP server. Affected 437K downloads. Server sends crafted redirect, steals OAuth tokens from client.
AURA MCP attack — Malicious server published to community, contained hidden prompt injection in tool descriptions
postmark-mcp supply chain attack — Legitimate MCP server compromised via dependency tampering
SmartLoader pattern — Fork of legitimate server, original author removed from contributors, injected malicious behavior

MCP Security Gaps

No built-in authentication or authorization
No tool description integrity verification
No provenance tracking for server authors
No cross-server isolation guarantees
Tool descriptions are trusted by default — prompt injection vector

MCP was called "the USB-C of AI" by RSAC. But USB-C has cryptographic authentication (USB-C Auth spec). MCP has nothing. That's the gap Credence fills.

Forrester AEGIS Framework

Practical framework for CISOs to secure agentic architectures. Being presented at RSA 2026.

Agent identity and access management
Tool call authorization and policy enforcement
Audit trails for agent actions
Supply chain verification for agent components

← Back

Competitive Landscape

Who does what and how Credence relates.

Company	What They Do	Credence Angle
BlueRock.io	MCP Trust Registry, 8K+ servers scanned, 36.7% SSRF	Most direct overlap. Validates market. They're funded.
LimaCharlie / Viberails	Runtime policy enforcement for AI tool calls	Enforcement layer. You built the verification layer that feeds it.
Geordie AI	Agentic AI governance, ISB finalist	Governs agents — you understand the trust layer underneath.
Token Security	Identity-first security for AI agents, ISB finalist	Their identity layer needs trust verification underneath.
Akto	Agentic AI Security platform	Broader scope, less MCP-specific.
Alter (YC)	Zero-trust agents	Adjacent — agent-level trust.
Golf (YC)	AI security, YC-backed	Adjacent space.

Your Differentiator

Runtime enforcement asks "should this action be allowed." Trust verification asks "should this entity be trusted at all." You can't answer the first well without the second — and you built a working system that does the second.

Viberails (LimaCharlie) — Three Products

Product	What It Does	Target
viberails.ai	Local guardrails for AI coding assistants (Claude, Codex, Gemini). Environment isolation, rule enforcement.	Individual devs
viberails.net	Enterprise code review orchestration. Automated security vuln discovery (17 categories). Triage workflows.	Enterprise teams
viberails.io	Real-time MCP tool call interception. Rule-based blocking. Human approval for sensitive ops. <50ms latency.	Security teams

Peer conversation framing: "You built the enforcement layer. I built the trust verification layer that feeds it. Attestation scores flow into runtime policy decisions. These layers talk to each other."

What Viberails does NOT do: no provenance verification, no attestation, no adversarial analysis, no pre-installation trust check. That's the Credence gap.

ISB Finalists to Know

Geordie AI — Agentic AI governance
Token Security — Identity-first agent security
Realm Labs — AI trustworthiness
Humanix — Social engineering detection

← Back

Proof-of-Control Initiative

Monday evening, 5-9 PM, SF University Club. Highest priority evening event.

Ken Huang — CEO DistributedApps.ai, Co-Chair of Proof-of-Control Initiative. Goal: make AI governance verifiable and independently auditable.

What It Is

Framework that generates cryptographic proof artifacts at each action boundary. Makes AI governance independently verifiable — "do for AI provability what OSI did for open source."

Mechanisms

Digital signatures — cryptographic proof of action origin
DIDs (Decentralized Identifiers) — self-sovereign agent identity
Blockchain smart contracts — immutable governance records
Zero-knowledge proofs — verify compliance without exposing internals
Hardware attestation — TEE-based execution proofs
Verifiable logs — immutable, auditable action trails

Key Principle

"Verification requires no proprietary tooling." Anyone can independently verify that an AI system's governance claims are real.

Related: EQTY Lab

Hardware-rooted Verifiable Runtime for AI. Announced at GTC March 2026 with NVIDIA. Uses TEEs (Trusted Execution Environments) for proof-of-guardrail.

Critical caveat: Execution proof is not safety proof. A TEE proves code ran as written — it doesn't prove the code was correct or safe.

Credence Connection

Credence's Ed25519 attestations are a form of proof-of-control — cryptographic proof that a specific MCP server was verified at a specific commit. The attestation model aligns with Ken's framework.

Conversation opener: "I built a cryptographic trust attestation layer for MCP servers — Ed25519 signatures pinned to commit SHAs with adversarial multi-agent verification. That's proof-of-control for the tool layer."

Agent Identity Landscape

DID/VC/ZKP — Decentralized identity + verifiable credentials + zero-knowledge proofs for agent identity
SingularityNET + Privado ID — First decentralized AI agent trust registry using privacy-preserving credentials (March 2026)
Token Security (ISB finalist) — Identity-first security for AI agents

← Back

Numbers to Cite

Drop these into conversations. All sourced.

MCP Ecosystem

17,000+ MCP servers in the wild

36.7% of 8K servers scanned have SSRF vulnerabilities (BlueRock)

mcp-remote CVE-2025-6514 (CVSS 9.6) — affected 437K downloads

Enterprise Readiness

29% of orgs say they're prepared to secure agentic AI (Cisco)

Non-human identities outnumber humans 82:1 in average enterprise (CyberArk)

80% of orgs report AI agents taking unintended actions (SailPoint)

Credence Registry (Live)

25 total scans completed

9 servers published to registry

Scores range from 54 (CONDITIONAL) to 98 (APPROVED)

MCP Tool Analyzer

107 detection signatures across 13 check functions

Detects: prompt injection, zero-width Unicode (15 codepoints), tool poisoning, dynamic descriptions, schema poisoning, typosquatting, name collision with 44 official MCP tools

Market Signal

MCP security is one of RSAC's official top 7 trends for 2026
RSAC called MCP "the USB-C of AI"
Andy Ellis predicted MCP would be "massive at RSA" (CIO magazine)
CoSAI published MCP security white paper — 12 threat categories, ~40 threats
Cisco's "State of AI Security 2026" calls out MCP supply chain tampering
Forrester presenting AEGIS framework for agentic security

Key Framing

Credence is your portfolio piece, not your product. The market has moved — big companies are building this now. Credence proves you were there first. The outcome isn't "use Credence" — it's "work with the person who built it."

The Rules

12-min timer on every conversation. When it buzzes → exit line.
No laptop at Moscone. Phone only.
Log at lunch. Notes first, food second.
One beer at Google happy hour.
Recovery break 4:30-5:00 PM Tue. Walk, headphones, music.
Read Narrative Two every morning before you leave.
March 27-28 is for follow-ups. Not code.

Your Pitch [full pitch doc]

Tagline: “Your agents work for you. Probably.”
Sub: Adversarial assessment for the autonomy era

10 sec: "Everyone's building the enforcement layer for agentic AI. I built the trust verification layer that should sit underneath it — cryptographic attestation and adversarial analysis of tool definitions before they hit production."

30 sec: "Runtime enforcement asks 'should this action be allowed' — but someone needs to answer 'should this entity be trusted at all' before that question even comes up. I built a working trust registry that does that. Multi-agent adversarial analysis, cryptographic attestation, structured framework. It works. Now I'm looking at where this thinking needs to go next."

If Viberails comes up: "You built the enforcement layer — the piece the market needed to see first. I built the trust verification layer that should feed it. I've been thinking about how these layers talk to each other."

CIMD angle: "The new MCP authorization spec solves client registration but explicitly punts on trust. The spec itself documents a localhost redirect URI impersonation attack they chose not to solve. That's the gap I built for."

Remember: Credence is your portfolio piece, not your product. You're the person who built it — that's the credential.

EXIT LINE: "This deserves more time — can I send you a writeup this week?"

Gerchow Q&A Question

"Have you seen anyone implementing pre-runtime trust verification for tool identity — not just filtering calls at runtime, but adversarial analysis of what a tool actually does before the agent ever touches it? I've been building in this space and I'm curious who else is."

Conference Days

Monday March 23

Orientation Day

Sandbox · Orientation · Opening Reception

›

Morning

9:00 - 10:30 AM

Moscone

Innovation Sandbox

Watch 10 startup pitches. Note Geordie AI, Token Security, Realm Labs, Humanix framing. Study the pitch mechanics, not the products.

TBD — Monday daytime

Moscone

Gerald Auger — Simply Cyber

Existing warm relationship — not a cold contact. Phil is his recognized AI expert.

Try to connect during the day at Moscone. If you miss him here, catch him at the Irish Bank evening meetup (see below). Singularity Signals newsletter partnership pitch.

Gerald Auger — Simply Cyber founder

10:30 AM - 12:00 PM

Moscone South

ISB Finalist Teams + CSA Hallway

Find ISB finalist teams in Moscone South. Geordie AI, Token Security, Realm Labs — founders will be buzzing from adrenaline and open to conversation.

CSA Summit hallway — try to catch Jim Reavis during breaks.

Jim Reavis — CSA CEO

12:00 - 1:00 PM

LUNCH — LOG EVERYTHING

Notes first, food second.

Afternoon

1:00 - 4:00 PM

Expo Hall

Early Stage Expo Sweep

Walk every booth. Identify agentic AI startups. Introduce yourself as a peer who's been building in the MCP trust space.

CSA Summit hallway — second chance for Reavis during afternoon breaks.

4:30 - 7:00 PM

Moscone Expo Hall

Expo Opening Reception

First mass networking opportunity.

Locate BlueRock, Akto, ProcessUnity, Cymulate, Google Security booths. Note booth numbers. If you bump into someone: 3 min max, plant a seed for Tue/Wed.

5:00 PM onward

Children's Creativity Museum · 221 4th St

Decibel RSAC “Founder Festival”

Multi-day drop-in through Wednesday. This is the venue for Wednesday's Miessler/Gibler meetup. Scope it out if time allows after reception.

Evening — Three-Stop Plan

5:00 - 9:00 PM

SF University Club

⚠ Proof-of-Control Initiative Launch

HIGHEST-PRIORITY EVENING EVENT. Advanced AI Society + Polaris Collective. Proof-of-Control is a framework for cryptographically verifiable AI governance — the thesis overlap with Credence is near-total. They are formalizing the category you already built.

Go as a practitioner who's already doing this in production, not a spectator. Ask one sharp question during Q&A to signal builder credibility.

Agenda: Fireside chat (Ken Huang + Bhavya Gupta on OWASP AIVSS), Proof-of-Control deep dive, VC panel (Mike Privette moderating — Accel, Felicis, Evolution Equity), Founders panel, networking hour.

Leave during networking hour (~7:30-8 PM) for OWASP + Irish Bank.

Ken Huang — CSA AI Safety / OWASP / NIST Tricia Wang — Advanced AI Society Mike Privette — VC panel moderator

Ken Huang Script ›

~7:30 PM — Quick Stop

James Bong Building · 833 Market St, Floor 2

OWASP GenAI Security Kickoff Party

Find Helen Oakley. You've missed two consecutive Monday calls — stake your claim in person.

Reference your CoSAI ws4 contribution, express commitment to the workgroup. Be direct: “I've had conflicts the last two Mondays but I'm committed to this work. What do I need to do to get plugged back in?”

15-20 min max, then head to Irish Bank. You also have Wednesday OWASP Workshop as a second touchpoint.

Helen Oakley — OWASP AIBOM

Helen Oakley Script ›

~8:00 PM onward

The Irish Bank · 10 Mark Ln

Simply Cyber Meetup

Most important social connection of the evening.

Gerald Auger's crowd. ~5 min walk from James Bong Building. Social setting — this is where relationships stick.

Newsletter partnership pitch, AI expert positioning. Stay as long as the energy is good.

Gerald Auger — Simply Cyber founder

7:00 - 9:30 PM

Merkado SF

CyberTacos

Skip — Miessler has two confirmed Wednesday touchpoints. Irish Bank with Gerald is higher value tonight.

Daniel Miessler — Wednesday instead

Day Goal

Know where every booth is. Ken Huang conversation at PoC. Helen Oakley staked. Gerald Auger social. 1-2 meetings confirmed for Tue/Wed.

Tuesday March 24

Highest-Value Day

Expo Floor · Booths · Google Happy Hour

›

Morning

7:00 - 8:30 AM

Clancy Hotel · Room Lotline B

IANS Breakfast — Sounil Yu Book Signing

Buy the book. 3-5 min conversation. Ask about the CDM gap for agent identity. Exchange cards.

Sounil Yu — IANS Faculty / Knostic

"Where does the Cyber Defense Matrix break down when the entity is an agent with its own identity and capability scope?"COPY

8:30 AM — Session ends ~9:20 AM

Moscone West 2018 (TRACK SESSION — can't attend)

⚠ CUTOLO — "Trust Me, I'm a Tool: Attacking and Defending the MCP"

Gianpietro Cutolo, Cloud Threat Researcher, Netskope. Directly in your lane — MCP attack vectors and layered defenses including cryptographic tool verification.

Can't attend with Expo pass. Post up at Moscone West 2018 exit at ~9:15 AM. One sentence, card, walk together. Or find him at Netskope booth later in the day.

He wrote a 3-part blog series on MCP security: tool poisoning, invisible backdoors, hostile tools. Reference these.

Gianpietro Cutolo — Netskope

"Your MCP attack research is the best public work I've seen on tool poisoning patterns. I built a trust registry that addresses the pre-runtime verification gap you identified — adversarial multi-agent analysis before the agent ever connects."COPY

8:30 - 10:00 AM

James Bong Building · 833 Market St, Floor 2

Agentic AI Leadership Breakfast

Andromeda/Straiker. Sam Patel (Omada Health) and Andrew Cal (CISO, WestCap) on agentic AI as identity.

⚠ Overlaps with tail end of IANS breakfast — choose or split.

8:30 - 10:00 AM

Timbri Hotel

HiddenLayer AI Threat Landscape Breakfast

They're tracking what LC shipped. Lead with what you built and learned. Ask where they see pre-runtime verification fitting.

⚠ Conflicts with IANS + Agentic AI breakfast — pick one.

9:30 - 10:15 AM

Expo Hall

BlueRock Booth

Start 12-min timer. Lead with curiosity about their approach.

Share what you built as context, not a pitch. Demo on phone only if they ask. When timer buzzes → exit line.

Bob Tinker — CEO · Harold Byun — CPO

"The 36.7% SSRF finding was solid work. I've been approaching it from a different angle — adversarial multi-agent analysis of tool definitions before production."COPY

10:30 - 11:15 AM

Expo Hall

Akto Booth

If Ankita is there, reference the visibility gap. If not, talk to booth engineer about MCP server discovery methodology. Leave card.

Ankita Gupta — CEO

11:30 AM - 12:15 PM

Expo Hall

ProcessUnity · Cymulate · Sweep

10 min each. At every booth ask: "How are you handling pre-runtime trust verification for MCP tool definitions? I've been building in this space and I'm curious about your approach."

Afternoon

12:00 - 2:00 PM

Buena Vida Cantina · 860 Folsom St

Tacos & Tech at RSAC

Lunch networking event. Log notes from morning conversations first.

TBD — Tuesday

Jason Rebholz — Evoke Security

Warm contact — CISO at Evoke. Discussed Staff AI Security Research Engineer role in Feb. Existing relationship via Simply Cyber.

If he's at RSA, connect in person. Confirm time day-of.

Jason Rebholz — CISO Evoke Security

1:00 - 3:00 PM

Expo Hall

Cisco #6044 · Splunk #6144 · Proofpoint #N-6163

Booth theater sessions on agentic SOC. Reference Cisco's State of AI Security report on MCP supply chain tampering. Return to booths where targets were unavailable.

3:00 - 3:30 PM

Moscone hallways

Cisco Hallway Intercept

Outside "Your AI Agents Are Having an Identity Crisis" session (ends ~3:10 PM).

3:30 - 4:00 PM

Moscone hallways

Pollard — Post-Session Intro

Check Forrester session schedule, post up at exit. One sentence. Card. Walk away.

Jeff Pollard — Forrester VP / AEGIS

"I've been implementing controls across several AEGIS domains for MCP trust infrastructure — pre-runtime attestation and adversarial analysis. I have practitioner data on what works. Are you accepting case studies from builders in this space?"COPY

Evening

4:30 - 5:00 PM

⇕ RECOVERY BREAK

Walk outside. Headphones. Music. Protein bar. Do not open phone for anything except music. Non-negotiable.

5:00 - 7:00 PM

Marriott Marquis · Lower Level B2

Google Security Happy Hour

High-value event. Live MCP demos. Practitioners + product leaders. Work the room.

ONE BEER. The unplanned conversation here may be the most important one of the week.

Unplanned — be present

7:00 - 8:30 PM

Hotel Zetta

Optional: Akamai Oasis Party

Andy Ellis may be here. One hour max.

Andy Ellis — former Akamai CSO

7:00 - 10:00 PM

SPIN SF

Cloudflare After Dark

Alternative to Akamai. Bigger crowd, more serendipity. Pick one or split the evening.

Day Goal

Substantive conversations with Yu + one BlueRock founder + one other. Google contacts logged. Pollard introduced.

Wednesday March 25

Most Important Day

Gerchow · Decibel · LC Speakeasy (TOP PRIORITY)

›

Morning

6:50 AM — ARRIVE EARLY

Clancy Hotel · Room Lotline B

IANS Breakfast — George Gerchow

Your single most important hour. Sit near front. Q&A card in pocket.

Ask your prepared question. After session, approach directly. Share what you built and ask for his perspective. Demo on phone if he asks.

Up to 15 min if he's engaged. If busy, get email and follow up within 2 hours.

George Gerchow — CSO Bedrock / IANS

"George, I'm Phil Stafford — I've been building exactly what you're describing. A working trust registry with cryptographic attestation and multi-agent adversarial analysis. I'd love your take on where this kind of work fits in the stack you're advising on."COPY

9:00 - 9:45 AM

Transit to Decibel

Walk to Children's Creativity Museum (221 4th St — 5 min from Moscone).

10:00 AM - 12:00 PM

Children's Creativity Museum · 221 4th St

“Unsupervised + Unhinged: Coding Agents Unleashed”

MUST-SEE. Decibel meetup. Lightning talks and demos of agents in the wild.

Daniel Miessler presenting “Poisoned Model Protocols.” Clint Gibler (tl;dr sec / Semgrep) confirmed. Last year featured Phil Venables (Google Cloud CISO).

Builder framing: you're the practitioner who built the trust verification layer and has implementation insights to share.

Daniel Miessler · Clint Gibler Phil Venables — if present

"I saw the MCP trust gap before anyone was funding solutions for it. Built a working trust registry — adversarial multi-agent verification, cryptographic attestation. The big players are moving into this space now, which validates the thesis. I'm looking at where this thinking has the most leverage next."COPY

Afternoon

12:00 - 12:30 PM

Expo Hall

Early Stage Expo + Follow-ups

Quick sweep. Revisit missed booths. Try OASIS/CoSAI booth #N-5157 for Novotny/Clinton — they may be working the booth in the afternoon if you missed them at Decibel.

Sarah Novotny — CoSAI · Jason Clinton — Anthropic

"Sarah, I've been implementing controls against your threat taxonomy in a working trust registry — cryptographic attestation and adversarial analysis for MCP tool definitions. I have concrete findings about which mitigations work and where the gaps are. I'd like to contribute those upstream. What's the best path?"COPY

12:00 - 1:30 PM

Okta · 100 1st St, 5th Floor

Okta “Empowering Communities to Navigate AI-Cyber Frontier”

Identity + AI community event. Alternative to lunch logging — or grab food first and arrive late.

12:30 - 1:30 PM

LUNCH — LOG EVERYTHING

Gerchow + Decibel are your two most important conversations. Capture every detail now.

1:30 - 6:00 PM

Digital Jungle SF · 972 Mission St

OWASP GenAI Workshop & Agentic Hackathon

High-priority. “Latest from GenAI Security Project” + agentic deep dive sessions. Helen Oakley likely here. No RSA pass required. ⚠ Overlaps with expo floor, CoSAI booth, and Cyber PM HH — LC Speakeasy is the priority from 6 PM.

Helen Oakley — OWASP AIBOM

1:00 - 3:00 PM

Expo Hall

Expo Floor + Return Visits

Early Stage Expo sweep, ISB finalist return visits, OASIS/CoSAI booth. Return to best conversations from Tuesday. Revisit Akto for Ankita. Skip if attending OWASP workshop.

3:00 - 3:30 PM

OASIS Booth #N-5157

CoSAI Booth — Novotny/Clinton Fallback

If you missed Clinton/Novotny due to Decibel, try here. Same people may be working the booth in the afternoon. Deeper 1:1 conversation than a hallway grab.

Sarah Novotny — CoSAI · Jason Clinton — Anthropic

Evening

4:00 - 7:00 PM

Pagan Idol · 375 Bush St

Cyber Product Managers & Builders Happy Hour

3rd annual, tiki bar, vendor-pitch-free. Hosted by Mike Privette, Chris Eng, Mark Mc. Good for sharing what you built. ⚠ Overlaps with OWASP tail + LC Speakeasy start — leave by 5:30 for Speakeasy.

6:00 - 9:00 PM

Bourbon & Branch

LimaCharlie & Alpha Level Speakeasy

YOUR #1 PRIORITY EVENT.

The Viberails team will be here riding launch momentum. You are NOT a competitor — you built the adjacent layer. This is a peer conversation, not a pitch.

Talk about how enforcement and verification layers should connect. If Maxime is engaged, share what you learned building the pre-runtime piece. Daniel Miessler likely in this crowd too.

Maxime Lamothe-Brassard — LC CEO Daniel Miessler — if present

"You built the enforcement layer — that's the piece the market needed to see first. I built the trust verification layer that should feed it — attestation scores, adversarial analysis of tool definitions, the pre-runtime piece. I've been thinking about how these layers talk to each other. Want to compare notes?"COPY

7:00 - 10:00 PM

CrowdStrike at The Mint

Big party, show up late if Speakeasy wraps early. Good for serendipity.

Day Goal

Gerchow conversation completed. Novotny/Clinton contact. LC Speakeasy: peer conversation with Viberails team about how layers connect.

Thursday March 26

Close Loops

Final Pass · Srinivasan · Coffee Meetings

›

Morning

8:00 - 10:00 AM

Expo Hall

Final expo sweep

Booth staff is least busy. Better conversations. Return to BlueRock or Akto for deeper follow-up.

10:00 AM - 1:00 PM

Coffee meetings

Text anyone you connected with: “Do you have 20 minutes for coffee before you head out?”

Thursday coffee is where contacts become relationships.

Afternoon

1:00 - 2:30 PM

Moscone · outside session room

Srinivasan — CoSAI Session Exit

Session 1:30-2:20. Same approach. She's Anthropic technical staff — offer concrete findings.

Akila Srinivasan — Anthropic

2:30 - 4:00 PM

Moscone · Broadcast Alley

theCUBE / Broadcast Alley

Walk up, position yourself as a practitioner who built MCP trust infrastructure before the market arrived. Worst case: no. Best case: 5 minutes on camera you can use for months.

4:00 PM

Done — Head Home

Every card has a note. All loose ends tied. Save energy for follow-ups.

Day Goal

Srinivasan contact attempted. All cards annotated. No loose ends.

Pre-Conference

Week 1: March 3-9

›

✓

CoSAI GitHub comment on ws4 repo

One substantive implementation observation from your trust registry work

✓

LinkedIn → George Gerchow

Reference AI-SPM / MCP server inventory thesis

✓

LinkedIn → Sarah Novotny

Reference CoSAI whitepaper + your implementation experience

✓

LinkedIn → Bob Tinker

Reference Markitdown SSRF disclosure

✓

LinkedIn → Ankita Gupta

Reference 21% enterprise visibility finding

✓

LinkedIn → Harold Byun

Reference 22-rule analysis framework

✓

Via iansresearch.com/ians-at-rsa-in-2026

✓

Check if same link covers both. If not, DM Gerchow.

✓

rsvp.withgoogle.com/events/rsac26-tasting-tuesday

✓

CyberTacos, HiddenLayer breakfast, AI Agents & Eggs, Cyber PM HH, LC Speakeasy, Cloudflare After Dark, CrowdStrike

✓

Write LinkedIn post: "AI firewall" pattern

Runtime enforcement without trust verification is incomplete. Don't name LC/Viberails. Timestamp your thinking before RSA. Frame as practitioner insight, not product announcement.

✓

Internalize the differentiation doc

Three-sentence version cold: what you built, what you learned, where it fits. Builder language, not vendor language. No paper on the floor.

Week 2: March 10-16

›

✓

Polish Credence demo

Load in <3 sec on mobile. Demo-able in 30 sec. This is backup evidence, not the lead.

✓

Write one-pager PDF

What you built · what you learned · the architectural insight · contact info. Practitioner story, not product sheet.

✓

Practice pitches out loud

15-sec and 60-sec versions. Say them to Bec.

✓

Order business cards

Name · Singularity Systems · "MCP Security & Agentic Trust Infrastructure" · URL · email · LinkedIn

✓

Install vibrating timer app

Set for 12 minutes

Week 3: March 17-22

›

✓

DM Gerchow

"I'll be at your Wed breakfast. Would love 10 min after to compare notes on MCP attestation."

✓

DM Novotny

"Implementing controls against CoSAI threat categories. Would love 10 min to share findings."

✓

DM Tinker

"Building in the MCP trust space. Would love to compare approaches at your booth."

✓

DM Gupta

"Would love to talk about the pre-runtime trust gap your report identified."

✓

Screenshot expo floor map

Locate BlueRock, Akto, ProcessUnity, Cymulate, Google Security

✓

Write Gerchow Q&A on a card

Physical card in your pocket Wednesday morning

✓

Block March 27-28 on calendar

"RSA Follow-Up — No Code"

✓

Tell Bec the plan

Wednesday morning is Gerchow. She'll ask how it went.

Post-Conference

March 27-28: Follow-Ups

›

✓

Follow-up email to every substantive conversation

Reference specific discussion. One concrete next step. Not "great to meet you."

✓

LinkedIn connections for all card exchanges

By April 4: Content

›

✓

Publish post-RSA article

"What I Learned Building a Trust Verification Layer for MCP" — Medium + dev.to. Practitioner story. Tag everyone.

✓

CoSAI PR/issue to ws4 repo

Implementation findings from your trust registry. Which mitigations, what gaps.

By April 11: Leverage

›

✓

Forrester follow-up (if Pollard/Scott receptive)

Offer practitioner data for AEGIS research

✓

IANS follow-up (if Gerchow receptive)

Explore advisory content contribution

✓

Ask every receptive contact for second-order intros

"Is there anyone else working on this problem you think I should connect with?"