The 10 finalists will each have three minutes to make their case for being the most innovative, promising young security company of the year.

The RSAC Innovation Sandbox contest returns to RSAC Conference and every single finalist is integrating artificial intelligence into their product. The "Shark Tank" style competition showcases young companies employing cutting-edge technologies to tackle difficult problems in cybersecurity. Finalists present a three-minute pitch and participate in a question-and-answer round before a panel of expert judges and a live RSAC Conference audience. The winner is named the "Most Innovative Startup."
The finalists, listed in alphabetical order, are Charm Security, Clearly AI, Inc., Crash Override, Fig Security, Geordie AI, Glide Identity, Humanix, Realm Labs, Token Security, and ZeroPath.
According to the contest rules, companies interested in competing must have a product that launched between Dec. 1, 2024 and Dec. 1, 2025, "take an original and sound approach to solving a problem" and "matches an identified problem in the cybersecurity marketplace." The startup also needs to be privately held with less than $5 million in revenue or annual recurring revenue (ARR) under $5 million. Out of the hundreds of submissions, ten are selected as finalists. Each Top 10 Finalist receives a $5 million uncapped SAFE (Simple Agreement for Future Equity) investment, funded by Crosspoint Capital.
The panel of expert judges includes David Chen, Head of Global Technology Investment Banking at Morgan Stanley; Larry Feinsmith, Head of Global Technology Strategy, Innovation & Partnerships at JPMorganChase; Paul Kocher, Independent Researcher; Niloofar Razi, Operating Partner at Capitol Meridian Partners; and Nasrin Rezai, SVP & CISO at Verizon.
A Showcase of Cutting-Edge Technologies
Past winners of the contest have included Waratek (2015), Reality Defender (2024), and Project Discovery (2025). While all the finalists this year integrate AI in some way, they address a wide range of problems such as social engineering, authentication, identity management, governance, and code reviews.
- Charm Security is an agentic AI workforce purpose-built to prevent and resolve scams, social engineering, and human-centric fraud. The "virtual anti-fraud team," composed of multiple dedicated AI agents, covers fraud prevention, investigation, intervention, proactive discovery and other actions. The investigation agent discovers fraud patterns and automatically updates the front-line agent's detection rules. The front-line agent's new fraud scripts are fed back to the investigation agent for in-depth analysis. Threat data is synchronized to all agents in real time.
- Clearly AI automates security and privacy audits and accelerates threat modeling, design review, and supplier risk assessment. The platform replaces manual work with AI-powered reviews and covers scenarios such as product security, privacy governance, third-party risks, and AI governance. The platform combines internal enterprise knowledge (via internal security policies, compliance systems, operating specifications and other documents) and industry common standards and regulatory compliance frameworks (such as GDPR, EU, CRA, etc.) to make review suggestions, compliance documents, and risk plans.
- Crash Override addresses shadow engineering, AI infiltration, and the loss of control over the software supply chain with its Engineering Relationship Management (ERM) platform. Rather than attempting to resolve the DevSecOps challenges by providing more vulnerability scanners, the platform captures build execution data that APIs can't access, proves what's deployed with automated SLSA Level-2 compliance, completes provenance tracking, and manages certificates before they impact production.
- Fig Security offers a security observability and detection reliability management technology that automatically analyzes dependencies among security data flows, detection rules, and response processes. The platform monitors the operational status of current security systems, automatically identifies changes in each module and their impact on the overall system, and remediates system failures. The validation and observability layer atop existing security technology stacks provides security teams with up-to-date health status of security data.
- Geordie AI is a security and governance platform that enables real-time discovery, behavior monitoring, and risk control of AI agents deployed within organizations. Security teams can understand which AI agents are running, which systems they are accessing, and whether any abnormal behaviors are occurring. The platform connects with code environments, cloud platforms, and endpoint devices via APIs, endpoint agents, and single sign-on to provide real-time visualization and risk intelligence analysis of all AI agents operating across diverse environments.
- Glide Identity is a digital identity security company delivering AI-safe, agent-ready authentication. The company claims its SIM-anchored cryptographic authentication platform is phishing-resistant and hard to social engineer. The platform, which leverages private keys already embedded in over 5 billion SIM cards and eSIMs globally, transforms existing mobile infrastructure into cryptographic proof of identity. The flagship product MAgicalAuth is currently live in beta with T-Mobile and Verizon in the United States.
- Humanix is designed to stop social engineering attacks using conversational AI trained on cognitive psychology. Its Human Threat Detection and Response platform relies on conversational AI trained on cognitive psychology to detect social engineering attacks as they happen across voice, chat, email, and service channels. Humanix detects the manipulation, deception, and impersonation attacks behind the most impactful breaches, from help desk agents deceived to reset MFAs to executive impersonation and control failures in payment workflows.
- Realm Labs enables enterprises to see inside the AI's "brain" and monitor the model's internal "thought structures" to detect and block risks before they materialize. Instead of just analyzing what the model says, Realm Labs focuses on monitoring how the model thinks. The company identifies regions in the large language model that store harmful information and monitors when user queries trigger access to these regions. By placing monitoring points near the source of this knowledge, the product can detect harmful information before it is output by the model.
- Token Security focuses on the security of agentic AI and non-human identities via its identity lifecycle management and intent-based access management platform. Token Security unifies the identities and credentials scattered in cloud, software-as-a-service, continuous integration/continuous delivery, vault, identity provider/single sign-on, and generative AI-related environments in enterprises. The platform conducts correlation analysis and risk ranking on the relationship between identity, authority and use, all in a unified view, allowing security teams to manage and govern every AI agent and non-human identity.
- ZeroPath is a code scanning tool that replaces traditional static application security testing, software composition analysis, secrets scanning, and infrastructure-as-code stacks with a single, AI-native engine to discover, verify, and fix code vulnerabilities. By integrating application security analysis, vulnerability verification and repair suggestions into a unified platform, development teams can directly review the risks and implement repair actions.
More Than Just a Title
Making it to the finalist round is more than just a name. Since the start of the contest, the Top 10 Finalists have collectively seen over 100 acquisitions and over $50.1 billion in investments, RSAC Conference said in a statement. Security AI, the winner of the 2020 contest, was acquired by Veeam for $1.725 billion. Google just closed on its acquisition of Wiz, a 2021 finalist, for $32 billion.
It isn't just acquisitions. BigID, the winner in 2018, hit $1.25 billion valuation in 2021 and closed on a $61.4 million Series D funding round in 2024.
There is also a network effect. Calypso AI, a 2025 finalist, was acquired by F5 Networks for $180 million. F5's current chief product officer, Kunal Anand, was the co-founder of Prevoty, a 2026 finalist. Prevoty was acquired in 2018 by Imperva, which won the contest in 2007. CrowdStrike acquired security-platform-as-a-service Pangea Cyber, a 2023 finalist, for $260 million. Oliver Friedrichs, Pangea founder and now GM of CrowdStrike, was also the founder of Phantom (2016 winner) which was acquired by Splunk for $350 million in 2018.