Trends at the 2024 RSA Startup Competition

Startups at Innovation Sandbox 2024 brought clarity to artificial intelligence, protecting data from AI, and accomplishing novel security solutions with new models.

Paul Shomo, Cybersecurity Analyst

May 22, 2024

5 Min Read
Person holding and pointing to a tablet, with a glowing light bulb hovering over it
Source: Aleksia via Alamy Stock Photo


Artificial intelligence (AI) security, automation's nonhuman identity problem, and the reinvention of detection and response (DR) were emerging trends at the RSA Conference 2024's top startup competition, Innovation Sandbox. 

Reality Defender took the crown for deepfake detection. In the space of a month, its CEO and co-founder Ben Colman testified before the US Senate and the company wowed the Innovation Sandbox judging panel with its expertise in detecting deepfakes. Promoting the threat deepfakes pose to global democracy in this election year, investors also saw commercial opportunities in protecting bank voice authentication and corporate brand reputation.

At the moment, building machine learning (ML) models from scratch is not that common. With powerful new foundational models coming out each week, today's startups typically tout flexible architectures to reuse models. Startups then add value by tuning foundational models, training them on private data, or quantizing them into smaller performative versions. 

In this regard, Reality Defender's bespoke AI stands out. Its constellation of ensemble models detect deepfakes and understand indicators of aliveness, such as heartbeats and blushing. 

New Data Security Emerges for the AI Era

Organizations are repositories of knowledge, secrets, and technologies that they hope can be leveraged with artificial intelligence. Yet it's a scary process exposing different AI models to select data from enterprise wikis, repositories, and databases. 

Everyone seemed sensitive about calling Harmonic Security "DLP for AI," but it didn't bother Harmonic. It knows that data loss prevention for AI is the Holy Grail in 2024. Harmonic Security deploys endpoint large language models (LLMs) that the company says don't need to train against your private data and can coach user behaviors at the point of data loss.

Finalist Antimatter provides engineers in DevOps with application programming interfaces (APIs) that enable safe access to internal training data. With Antimatter's control plane, SecOps can impose global data access levels on DevOps. 

AI data security is important, but chief information security officers (CISOs) need to know what data they have before tackling AI policies. Bedrock is working on answering these age-old questions: What data do you have, where is it, and who's accessing it? Bedrock reduces data into a smaller vector space before classifying with LLMs. Claiming AI reasoning capability instead of rules, it groups data with trust boundaries. 

Reimagining Detection and Response

Detection and response is different from preventative security technologies, such as posture management. DR guides human investigators through the advanced attacks that got thorough, a labor-intensive process that GenAI threatens to revolutionize. In addition to DR automation, the industry needs platforms that span multicloud telemetry. 

Dropzone's LLM-enabled product looks like a post-SOAR automation architecture. It doesn’t require building sequential playbooks or writing code, and it doesn't need manual intervention. Dropzone requires an hour of training against your past 100 cases, then can automate response for low-priority alerts typically handled by imprecise tier 1 analysts.

For each alert, Dropzone's LLMs iteratively pull context from integrations with security operations center products and build investigation summaries. Alert summaries are readable in minutes and include recommendations and artifact evidence to reduce hallucinations

RAD Security detects increasingly sophisticated malware in Kubernetes and is kind of a next-gen convergence of behavioral AppSec and container detection and response. 

RAD Security uses a "declarative model" defining drift from the norm. It promises to be a powerful approach in Kubernetes because DevOps heavily reuses open source code. RAD Security claims that container states mostly converge on its catalog of top 50 images, with only a long tail of container variance beyond.

RAD's drift artifacts are what you'd expect from eBPF telemetry: process trees, file access, events, and container information. Yet when drift artifacts are fed into LLMs, multiple alerts suddenly collapse into broader attack stories.

True multicloud detection and response is much broader than malware detection. Unlike old XDR, the cloud's unit of focus is more identity-based. Most cloud attacks happen through authenticated APIs or stolen credentials.

Mitiga helps SecOps graduate into full multicloud investigations. First, providing visibility scores to ensure enough telemetry is collected into its data lake, Mitiga's timeline of events spans cloud, identity solutions, and SaaS applications.

VulnCheck ruminated on the monthlong process of disclosure to CVE assignment and to final storage in the National Vulnerability Database. By the time CVEs make it to scanners and patching, exploit kits have already proliferated on GitHub. VulnCheck speeds up the process with rapid and prioritized vulnerability intelligence and millions of contextual records. 

Securing Automation's Identity

A few companies like Okta and Microsoft have mostly solved user identities in cloud hybrid environments. Yet automation and service accounts are producing a much larger set of identities. 

With automation often falling under the chief technology officer or chief information officer, it's tough for CISO organizations to govern nonhuman identities. Thus, these final two startups share the approach of spanning from SecOps into the engineers of DevOps.

Aembit is a workload identity and access management platform securing nonhuman identities across clouds, SaaS services, and third-party APIs. Aembit reduces the pain of managing long-lived secrets. 

P0 Security is a universal platform for authentication, authorization, and governance of both humans and nonhumans. P0 automates short-lived access to things like SSH or S3, and special access for admins or data editors. P0 Security manages tokens and bulk deprovisioning through the gatekeepers in DevOps. 

Startups are rapidly adjusting to both the world of AI adversaries and data vulnerabilities in organizational AI initiatives. They know AI's novel use will soon reinvent all security product categories. Nobody can predict how this will play out, but Innovation Sandbox provides the best glimpse into this future.

About the Author(s)

Paul Shomo

Cybersecurity Analyst

Paul Shomo is an experienced analyst focusing on emerging cybersecurity and early-growth startups. A prescient forecaster, Paul is featured in Dark Reading, CSO Online, eWeek, and the Genealogy of Cybersecurity podcast. A patent holder and engineering leader behind EnCase, Paul was a founding pioneer of DFIR and enterprise forensics from 2006 to 2015. Paul was also a former kernel developer for Wind River Systems.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights