What to expect at RSAC 2026: A practical guide from someone who's been there

RSAC 2026 is coming up fast — March 23–26, 2026, in San Francisco. Opcito will be there, and if you're planning to attend (or still on the fence), here's the most important information you need to know before you walk through those doors.

What is RSAC and why does it matter?

RSA Conference is the largest cybersecurity conference in the world. This year marks its 35th edition, and it draws over 44,000 attendees, 700+ exhibitors, and 600+ speakers from across the globe. It's where CISOs, engineering leaders, security researchers, vendors, and policy makers all land in the same room. For anyone in the software development or IT leadership space, this is the one conference where the signal-to-noise ratio is actually worth your time.

The 2026 theme is "Power of Community" — which sounds like marketing until you actually experience RSAC. The real value is the density of conversations you can have in four days.

When and where Is RSAC 2026?

• Dates: March 23–26, 2026
• Venue: Moscone Center, 747 Howard Street, San Francisco, CA 94103

The Moscone Center is massive. First-timers often underestimate how much walking is involved — wear comfortable shoes. Most major hotels are within walking distance, and RSAC has negotiated rates through onPeak (you can access those after registration).

What are the RSAC 2026 pass options and how much do they cost?

There are three main pass types:

• All Access Pass:  This gets you everything: all 22 tracks, keynotes, seminars, the Expo, the Connection Hub, and on-demand access to sessions approximately four hours after they go live.
• Expo Plus Pass: Good if you're primarily going for the expo floor, vendors, and select programming.
• Expo Pass: Basic access to the exhibition floor.

If you're a decision-maker or engineering leader coming here to actually learn and make connections, All Access is the right call. Don't compromise on this one. The track sessions and seminars alone make the difference.

For the most up-to-date pass details and registration information, visit the official RSA Conference site: https://www.rsaconference.com/usa/passes-and-rates

Tip: Several sponsors offer $150 discount codes on All Access passes. Worth hunting for before you register.

Are the RSAC 2026 keynotes worth attending?

The keynotes are the anchor of RSAC. They run across all four days on two stages, and some of the best conversations I've had at this conference started because of what someone said on that stage that morning. Here's what stands out at RSAC 2026:

• Steve Vintz, Co-CEO of Tenable will address the widening gap between AI adoption and security governance — specifically, how boards and executives can build clear governance frameworks before systemic risk catches up with them. If you're responsible for engineering or IT strategy, this one is directly relevant.
• Jen Easterly, alongside Chris Inglis, Sarah Gosler, and Chase Cunningham, will tackle a provocative question around the evolving global cyber landscape and what it means for CISOs operating in a borderless threat environment. The discussion brings together policy, enterprise defense, and frontline threat intelligence — the kind of session that shifts how you think about systemic cyber risk.
• Bruce Schneier, one of the most respected voices in security, will explore why integrity has often been overlooked in security design and what it means to build systems that are genuinely resilient. This is foundational thinking — not vendor pitching.
• The Rt. Hon. Dame Jacinda Ardern, former Prime Minister of New Zealand, brings a completely different lens — community-centered leadership, empathy, and how those qualities translate into organizational resilience. For IT heads and engineering leaders managing teams under pressure, this is worth the room.
• Lawrence Baldwin and Brian Krebs present what reads like a true crime story but is actually a masterclass in threat intelligence: a firsthand account of investigating and disrupting major cybercrime operations, including activity linked to groups like JabberZeus that targeted small and medium businesses. Krebs is a compelling storyteller — and sessions grounded in real cases tend to resonate long after the conference ends.
• Lawrence Baldwin and Brian Krebs present what sounds like a true crime story but is actually a masterclass in threat intelligence: a firsthand account of infiltrating and eventually disrupting the JabberZeus cybercrime group, which stole over $100 million from small and medium businesses between 2007 and 2013. Krebs is a compelling storyteller. Don't skip this.

The Closing Celebration features a conversation between RSAC Executive Chairman Dr. Hugh Thompson and Hugh Jackman. Yes, that Hugh Jackman. RSAC turns 35 this year and they're not being subtle about celebrating it.

What RSAC sessions should you put on your schedule?

Beyond keynotes, the full agenda has over 520 sessions. A few that are already drawing attention:

• When IaC Goes Wrong (March 24): Sean Juroviesky CISSP examines what happens when Infrastructure as Code becomes a source of technical debt and operational risk. Relevant for any engineering-heavy organization moving fast on cloud infrastructure.
• Andrew Plummer's AI framework session (March 23): Goes beyond generative AI demos to present a working framework for cyber operations: identifying threat actors and deploying risk management processes. Practical and timely.
• Cloud Security Alliance (CSA) Summit (Monday, March 23, 8AM–3PM): A full-day deep dive on the duality of AI in security: securing AI systems and using AI for security. If cloud security is on your 2026 agenda, this is a full-day investment that pays off.

The full agenda is available on the RSAC website. Build your schedule in advance — popular sessions fill up fast, and some require reserving a seat ahead of time.

What are RSAC Villages and should you visit them?

The Villages are one of the most underrated parts of RSAC, especially if you have technical people on your team. They're community-organized spaces focused on hands-on learning, and they run on a different energy than the main conference floor.

• AI Village: Hackers and data scientists working on the security and misuse of AI. Practical, technically dense, and increasingly important given how fast AI is being embedded into every product stack.
• Adversary Village: Attack simulation, ransomware-APT simulators, guided breach simulations, and purple-team exercises. If you want to understand how attackers actually operate, this is the place.
• AppSec Village: Software security from IoT to medical devices to everyday applications. Given that software is what most of us ship, this one hits close to home.
• Cloud Village: Offensive and defensive cloud security, CTF challenges running across all three days, and talks on real-world cloud vulnerabilities. If your organization is cloud-native or cloud-migrating, bookmark this.
• ICS Village: Industrial control system security and critical infrastructure protection. Hands-on threat detection exercises for control systems.
• IoT Village: Hands-on research and expert talks on IoT security vulnerabilities and industry practices.
• Physical Security Village: Often overlooked, but eye-opening. They demonstrate physical security vulnerabilities: locks, access control, badge systems: that digital-first security teams often don't think about.
• Cyber Starter Lounge: Specifically valuable for first-timers. Hosted by the Pacific Hackers community, this is a low-pressure space to get oriented, find the sessions worth attending, and meet people with shared interests. If this is your first RSAC, start here.

How do you actually network at RSAC?

This is the part that takes first-timers by surprise: RSAC is as much about hallway conversations as it is about sessions. The conference is dense with decision-makers, and structured networking opportunities are built into the schedule.

The Connection Hub inside the Moscone Center is the dedicated space for peer networking. Think of it as a curated meeting zone, not a generic lounge. Use it.

There are also affiliate events happening around the conference, including invitation-only breakfasts (like the eFraud Global Forum on Tuesday, March 24 and SAFE on Wednesday, March 25). These tend to be where more focused business conversations happen.

Pro tip: Don't try to attend everything. Build a schedule with gaps. The best meetings we've had at RSAC weren't on any agenda. They happened because we had 30 minutes free and ended up in a conversation that led somewhere real. Leave room for that.

What should first-timers know before attending RSAC 2026?

A few things that will save you time and frustration:

• Download the RSAC mobile app before you arrive. It has the agenda, maps, session schedules, and speaker bios. You'll use it constantly.
• Business casual is the dress code. Comfortable shoes are non-negotiable. The Moscone Center is large.
• Badge rules are strict. Keep it on you at all times. Losing it costs $50 to replace, and badge sharing will get you removed with no refund.
• Build your session schedule in advance. Some sessions require seat reservations that open in advance. Don't show up hoping to walk in.
• On-demand access is available for All Access pass holders — sessions go live approximately four hours after they conclude. So if you miss something, you're not completely out of luck.

Will Opcito be at RSAC 2026?

Yes. Our experts will be at RSAC 2026 from March 23–26, representing Opcito Technologies. We work at the intersection of engineering and security — DevSecOps, cloud-native platforms, application security, AI integration, and engineering accelerators are core to what we do for clients in the software development space.

If you're an IT head or decision-maker attending RSAC and want to talk about where your engineering organization is headed — or where it's getting stuck — let's find 30 minutes.

Book a meeting with our experts at RSAC 2026