The annual RSAC Innovation Sandbox contest, held on the first day of the RSAC Conference in San Francisco, once again showcased the most promising young cybersecurity startups. This year, the competition was dominated by artificial intelligence (AI), with every single finalist integrating AI into their products. The winner, Geordie AI, took home the "Most Innovative Startup 2026" title for its security and governance platform designed specifically for AI agents.
Geordie AI's platform allows organizations to gain deep, real-time visibility into their agentic footprint. Security teams can monitor agent posture and behavior, identify risks natively, and safely scale agentic innovation. The company's co-founder and CEO, Henry Comfort, said that winning the contest was a "great validation" for the problem they are solving. "When we started the company, we spoke to some of our investors, and all agreed we wanted to go for the RSAC Innovation Sandbox stage," Comfort said. "It means the world to us."
The RSAC Innovation Sandbox is a "Shark Tank"-style competition that highlights young companies using cutting-edge technologies to tackle difficult cybersecurity problems. This year, the theme was unmistakably AI. Looking at previous winners—Reality Defender (2024) for deepfake detection, ProjectDiscovery (2025) for attack surface monitoring, and HiddenLayer (2023) for safeguarding machine learning models—the trend is clear: AI needs to be secured and managed. The 2026 finalists continued this trajectory, addressing a wide range of challenges from social engineering to identity management and code security.
The Finalists: A Deep Dive into AI-Driven Security
The ten finalists, listed alphabetically, were Charm Security, Clearly AI, Crash Override, Fig Security, Geordie AI, Glide Identity, Humanix, Realm Labs, Token Security, and ZeroPath. Each had three minutes to pitch their innovative approach to a panel of expert judges and a live audience. Here's a closer look at what they brought to the table:
- Charm Security: Its Agentic AI Workforce prevents and resolves scams, social engineering, and human-centric fraud. The platform uses multiple dedicated AI agents covering fraud prevention, investigation, intervention, and proactive discovery. These agents share real-time threat data and automatically update detection rules.
- Clearly AI: Automates security and privacy audits, threat modeling, design review, and supplier risk assessment. It replaces manual work with AI-powered reviews, combining internal enterprise knowledge with industry standards and regulatory frameworks like GDPR and EU CRA.
- Crash Override: Addresses shadow engineering and AI infiltration with an Engineering Relationship Management (ERM) platform. It captures build execution data that APIs can't access, ensures automated SLSA Level-2 compliance, and manages certificates before they impact production.
- Fig Security: Offers security observability and detection reliability management. It automatically analyzes dependencies among security data flows, detection rules, and response processes, monitoring the health of security systems and remediating failures.
- Geordie AI: The winner, providing real-time discovery, behavior monitoring, and risk control for AI agents. It connects with code environments, cloud platforms, and endpoint devices via APIs, endpoint agents, and single sign-on to visualize all AI agents across diverse environments.
- Glide Identity: Delivers AI-safe, agent-ready authentication using SIM-anchored cryptographic technology. Its platform leverages private keys embedded in over 5 billion SIM cards and eSIMs globally, offering phishing-resistant authentication. MagicalAuth is live in beta with T-Mobile and Verizon.
- Humanix: Stops social engineering attacks using conversational AI trained on cognitive psychology. Its Human Threat Detection and Response platform detects manipulation, deception, and impersonation across voice, chat, email, and service channels.
- Realm Labs: Enables enterprises to see inside an AI model's internal "thought structures" to detect and block risks before they materialize. By monitoring how the model thinks and where harmful information is stored, it can prevent risky outputs.
- Token Security: Focuses on securing agentic AI and nonhuman identities through identity lifecycle management and intent-based access. It unifies identities and credentials scattered across cloud, SaaS, CI/CD, vault, and generative AI environments.
- ZeroPath: A code-scanning tool that replaces traditional SAST, SCA, secrets scanning, and IaC stacks with a single AI-native engine. It discovers, verifies, and fixes code vulnerabilities, allowing development teams to review and implement repairs directly.
The Growing Importance of AI Security
The fact that every finalist integrated AI underscores a critical shift in cybersecurity. As AI agents become more prevalent in enterprises, securing them becomes paramount. Geordie AI's focus on agentic AI governance reflects a growing need for visibility and control over autonomous systems. Similarly, Realm Labs' monitoring of model "thought structures" highlights advanced threats like prompt injection and data poisoning.
The contest also demonstrated how AI can be both a tool and a target. Companies like Charm Security and Humanix use AI to combat social engineering, while Clearly AI and ZeroPath leverage AI to automate security processes. This dual role—AI as defender and AI as attack vector—is reshaping the cybersecurity landscape. The panel of judges, including experts from Morgan Stanley, JPMorganChase, and Verizon, recognized these trends in their selection.
Historical Context and Impact of RSAC Innovation Sandbox
The RSAC Innovation Sandbox has a storied history. Since its inception, the Top 10 Finalists have collectively seen over 100 acquisitions and raised over $50.1 billion in investments. Notable successes include Securiti AI (2020 winner) acquired by Veeam for $1.725 billion, and Wiz (2021 finalist) acquired by Google for $32 billion. BigID (2018 winner) hit a $1.25 billion valuation and closed a $61.4 million Series D in 2024. These outcomes demonstrate the contest's role as a launchpad for cybersecurity innovation.
The network effect is also significant. For example, Calypso AI (2025 finalist) was acquired by F5 Networks for $180 million. F5's current chief product officer, Kunal Anand, co-founded Prevoty (2026 finalist), which was acquired by Imperva (2007 winner). Such interconnections highlight the tight-knit cybersecurity community.
Eligibility and Selection Process
To compete, startups must have a product launched between December 1, 2024, and December 1, 2025. They must take an original approach to solving a problem that matches an identified cybersecurity marketplace need. The company must be privately held with less than $5 million in revenue or annual recurring revenue. Out of hundreds of submissions, ten finalists are selected. Each receives a $5 million uncapped SAFE investment from Crosspoint Capital.
The panel of expert judges this year included David Chen (Morgan Stanley), Larry Feinsmith (JPMorganChase), Paul Kocher (independent researcher), Niloofar Razi (Capitol Meridian Partners), and Nasrin Rezai (Verizon). Their diverse expertise ensured a thorough evaluation of each startup's potential.
The 2026 RSAC Innovation Sandbox clearly demonstrated that AI is no longer just a buzzword in cybersecurity—it is the core driver of innovation. From governance to authentication to code security, AI-native solutions are becoming essential. Geordie AI's victory signals that agentic AI security will be a key focus in the coming years, as enterprises race to harness AI's power while mitigating its risks.
Source: Dark Reading News