By Anurag Agrawal on Tuesday, 24 March 2026
Category: Security

The Agentic Imperative: Decoding Cisco’s Vision for AI-Era Security at RSAC

As the cybersecurity industry gathered for RSAC 2026, the prevailing narrative underwent a seismic shift. The conversation moved decisively beyond the theoretical risks of generative AI into the operational realities of securing an agentic workforce. Vendors, channel partners, and enterprise customers collectively confronted a sobering truth: as everything moves toward agentic models, a fundamental rethinking of cybersecurity is required. Cisco’s announcements at the conference served as a critical focal point for this industry-wide pivot. The company unveiled a free-tier Explorer Edition for its AI Defense platform, introduced algorithmic red-teaming and a runtime SDK for agent validation, integrated a Model Context Protocol (MCP) proxy into Cisco Secure Access for agent-level action control, launched DefenseClaw - an open-source secure agent framework with NVIDIA OpenShell integration - and expanded its Splunk-powered “Agentic SOC” with six purpose-built AI agents spanning the full detection-investigation-response lifecycle.

For technology vendors and the channel partners responsible for architecting enterprise environments, the challenges are immediate and multifaceted. Organizations remain constrained by physical infrastructure limitations, struggling to securely network and connect the compute capabilities demanded by AI. Simultaneously, a pervasive trust deficit continues to hold customers back from moving as quickly as they desire with AI deployments. Compounding this is a growing data gap: while early AI was trained predominantly on human-generated content such as voice, video, and text, the emergence of physical and agentic AI necessitates greater reliance on machine-generated data and telemetry. Addressing these constraints demands a holistic, platform-driven approach - and Cisco’s RSAC payload attempted to address all three simultaneously.

Photo credit: Joely Urton

The Agentic Paradigm: When AI Stops Talking and Starts Doing

To understand the gravity of the current moment, one must dissect the evolutionary leap from chatbots to AI agents. The chatbot era was defined by human-to-AI interaction, in which the primary security concern was limiting what the AI might say. The risk profile was largely confined to data leakage, hallucination, or inappropriate outputs.

Agentic AI fundamentally alters this equation by automating complex workflows. These agents are designed to function essentially as co-workers, operating side by side with humans to drive unprecedented productivity. Consequently, the security industry’s primary worry has shifted from what AI says to what AI can do.

The defining, and perhaps most concerning, characteristics of AI agents are their operational velocity and literal interpretation of commands. Agents execute tasks relentlessly and entirely without judgment. They will do exactly what they are told to accomplish a task, which is not necessarily what the human operator actually meant. This autonomy means that even a minor failure or misinterpretation can instantly snowball into significant real-world consequences, transforming AI from a mere tool into a vast, active attack surface. The open-source ecosystem has already provided a vivid demonstration of this risk: the explosive adoption of OpenClaw - which attracted hundreds of thousands of GitHub stars within months - was immediately followed by a wave of critical vulnerabilities, including a remote code execution flaw, over 135,000 exposed instances on the public internet, and a coordinated supply chain attack that planted approximately 800 malicious skills into the ClawHub registry. These are not theoretical edge cases; they are the lived reality of what happens when agentic systems outrun their security foundations.

Cisco’s Tripartite Framework for Agentic Security

The threat landscape is already validating this urgency. Adversaries are using AI to compress attack cycles to near-instant exploitation windows; their targeting has shifted from basic credential theft to the centralized trust infrastructure - Active Directory, application delivery controllers, identity platforms - that will underpin agentic workloads, and most organizations are deploying AI on top of network foundations still riddled with legacy vulnerabilities. Against this backdrop, Cisco articulated a framework at RSAC that reimagines security for the agentic workforce, organized into three distinct operational pillars. For channel partners, this framework offers a structured lens for consulting engagements and a go-to-market motion for implementing AI security architectures.

1. Protecting the Agents from the World

Before enterprise customers can inherently trust agents with critical workflows, the agents themselves must be secured against malicious prompts, data poisoning, and direct adversarial attacks. Cisco’s AI Defense platform addresses this by providing full-lifecycle coverage: discovery of every AI asset across an environment, validation before deployment through algorithmic red-teaming, and continuous real-time protection via runtime guardrails.

Acknowledging that the barrier to entry for AI security remains too high for many organizations, Cisco launched an Explorer Edition at RSAC. This no-cost, self-serve offering allows development teams to validate AI assets in minutes with API-first CI/CD integration. The move is tactically astute: by lowering friction to zero, Cisco is creating an organic pull toward enterprise-grade adoption rather than relying solely on top-down sales motions. The organizational implication is significant. For the first time, a security team or a line-of-business owner can quantify their AI risk exposure before committing budget. In midmarket firms where AI adoption is often driven by individual departments rather than centralized IT, this visibility alone can transform the security conversation from abstract risk to measurable exposure.

For channel partners, the strategic value lies in the “shift-left” approach. Cisco’s runtime SDK embeds security policies directly into agent workflows at build time, supporting frameworks including AWS Bedrock AgentCore, Google Vertex Agent Builder, Azure AI Foundry, and LangChain. This matters operationally because organizations do not need to rearchitect their development pipelines to adopt AI security - the guardrails integrate with the tools developers already use, which dramatically reduces the adoption friction that has stalled many security initiatives in the past.

Complementing these capabilities, Cisco also announced an LLM Security Leaderboard - providing transparent benchmarks for evaluating model susceptibility to adversarial attacks - and a unified AI Security and Safety Framework aligned with NIST, MITRE, and OWASP. These ecosystem-level initiatives signal Cisco’s ambition to shape the category’s standards, not merely compete within it.

2. Protecting the World from the Agents: The Shift to Action Control

Once an agent is deployed, the organization must protect its own resources from what that agent might do. This requires a paradigm shift away from traditional access control toward intelligent “action control.”

AI agents occupy an unprecedented middle ground in the Zero Trust model: they possess the broad authorization scope of a human user but the complete absence of judgment of a machine. If an agent processing expense reports has access to the corporate credit card, it must be prevented from using that card to purchase a luxury vehicle, and hard-coding static exclusion rules is futile because a task-driven agent will simply find alternative paths. Security must evolve to authorize specific actions within a session based on task context, rather than just granting or denying broad access. For organizations of every size, this represents a fundamental shift in how security policies are designed. It means that every workflow an agent touches requires a deliberate mapping of permitted actions - a new category of security architecture work that most organizations have not yet begun.

Cisco operationalized this across two layers. At the identity layer, new Duo IAM capabilities allow organizations to register agents with verified identities and map each to an accountable human owner - establishing the traceability chain that regulators and auditors will inevitably demand. Cisco Identity Intelligence now discovers agentic and non-human identities across the environment, providing the baseline visibility that most organizations currently lack. At the network layer, an MCP proxy integrated into the Secure Access gateway routes all agent tool traffic through a controlled chokepoint where dynamic action controls are applied. The gateway handles both MCP and HTTP traffic, which is operationally critical because many agents still interact with legacy applications using traditional credentials. For enterprises, this means agent governance can be layered onto existing infrastructure without rearchitecting the network. For midmarket firms, it means the same Secure Access platform they may already use for human Zero Trust access can now extend to govern their emerging agent workforce - avoiding the cost and complexity of deploying a separate agent security stack.
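To make the action-control idea concrete, here is an added example (my own code, not Cisco's, and not how the Secure Access MCP proxy or Duo IAM is implemented): a deny-by-default gate that a proxy in front of an MCP server could apply to each `tools/call` request, keyed on the agent's registered identity and the task context of its session, with argument-level constraints such as the expense-agent spending case from the text. The tool names, policy, session values and audit-event shape are all constructed for illustration.

```python
import json
from dataclasses import dataclass
from typing import Any, Callable

@dataclass(frozen=True)
class AgentSession:
    """Registered agent, its accountable human owner, and its task context."""
    agent_id: str
    owner: str
    task: str

# Constructed policy: task context -> {tool name -> argument constraint}.
# The expense agent may read receipts freely and charge the card only for
# small travel/meal amounts; anything unlisted is denied by default.
POLICY: dict[str, dict[str, Callable[[dict[str, Any]], bool]]] = {
    "expense-report-processing": {
        "read_receipt": lambda a: True,
        "charge_card": lambda a: a.get("category") in {"travel", "meals"}
                                 and 0 < float(a["amount"]) <= 500.0,
    },
}
DISCOVERY_METHODS = {"initialize", "tools/list"}  # read-only, never gated

def mcp_tools_call(req_id: int, tool: str, arguments: dict[str, Any]) -> str:
    """Build an MCP JSON-RPC tools/call request as the agent would send it."""
    return json.dumps({"jsonrpc": "2.0", "id": req_id, "method": "tools/call",
                       "params": {"name": tool, "arguments": arguments}})

def authorize_tool_call(session: AgentSession, raw_request: str) -> dict[str, Any]:
    """Decide one request at the proxy and return a structured audit event."""
    event: dict[str, Any] = {"agent_id": session.agent_id, "owner": session.owner,
                             "task": session.task, "decision": "deny"}
    try:
        req = json.loads(raw_request)
    except json.JSONDecodeError:
        req = None
    if not isinstance(req, dict):
        return {**event, "reason": "malformed request"}
    if req.get("method") != "tools/call":
        allowed = req.get("method") in DISCOVERY_METHODS
        return {**event, "decision": "allow" if allowed else "deny",
                "reason": "read-only discovery" if allowed else "method not permitted"}
    params = req.get("params") or {}
    tool, args = params.get("name"), params.get("arguments") or {}
    event.update(tool=tool, arguments=args)
    constraint = POLICY.get(session.task, {}).get(tool)
    if constraint is None:  # deny by default: no rule for this task, no action
        return {**event, "reason": f"{tool!r} not permitted for task {session.task!r}"}
    try:
        permitted = bool(constraint(args))
    except (KeyError, TypeError, ValueError):
        permitted = False  # missing or unparseable arguments fail closed
    event["decision"] = "allow" if permitted else "deny"
    event["reason"] = "permitted for task" if permitted else "denied by argument constraint"
    return event
```

Every decision, allowed or not, comes back as one structured event, which is the form a gateway would stream to a SIEM so that each agent action stays traceable to its human owner.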

It is worth noting that MCP remains an emerging standard, still gaining industry-wide adoption. Cisco’s early integration is a calculated move to establish control-plane relevance before the protocol landscape fully consolidates - a strategic bet that partners should communicate to customers with appropriate expectations around iterative maturation.

3. Detecting and Responding at Machine Speed: The Agentic SOC

The traditional Security Operations Center is already bottlenecked by manual processes at every stage of the detection-investigation-response pipeline. When the adversarial tempo is set by AI-accelerated attack cycles, that bottleneck becomes existential. Cisco’s strategy here hinged on Splunk as the data and automation backbone of what it termed the “Agentic SOC.”

The foundational layer is the Cisco Data Fabric, which unifies data across organizational silos through federation and intelligent processing. SPL2 advances expand query federation to Azure, Snowflake, and other sources without traditional ETL overhead. For customers, the practical impact is a reduction in both the cost and complexity of maintaining security visibility - organizations can tier their data into hot, warm, and cold storage based on operational need rather than ingesting everything at premium cost, which is particularly meaningful for midmarket firms operating under tighter budget constraints.

Within the SOC workflow itself, Cisco deployed six purpose-built AI agents spanning the full operational lifecycle. A Detection Studio provides a unified workspace for the entire detection engineering lifecycle, including automated coverage mapping against the MITRE ATT&CK framework to identify and close gaps. A Detection Builder Agent assists engineers in rapidly creating and refining rules using natural language. A Triage Agent takes the first pass on incoming alerts, enriching findings with contextual data and providing suggested dispositions. A Malware Threat Reversing Agent accelerates reverse engineering of suspicious artifacts. A Guided Response Agent offers real-time next-step recommendations aligned with organization-specific standard operating procedures (SOPs). And an Automation Builder Agent helps construct response playbooks. The cumulative impact is a SOC that requires fewer highly specialized analysts to operate effectively. For enterprises, this means existing teams can handle a larger volume of increasingly sophisticated threats. For midmarket and SMB organizations - where the traditional SOC staffing model has always been unrealistic - these capabilities create a viable path to security operations that was previously out of reach, particularly when delivered by channel partners as a managed service.

DefenseClaw: Securing the Open-Source Agent Ecosystem

Perhaps the most strategically interesting announcement - and one likely to be overlooked amid the enterprise-focused headlines - was DefenseClaw, an open-source secure agent framework designed to bridge the gap between the developer community building agents and the security governance those agents desperately need.

As discussed earlier, the OpenClaw security crisis demonstrated what happens when agentic adoption outpaces governance. NVIDIA’s OpenShell addressed part of this problem by providing infrastructure-level sandboxing - kernel isolation, deny-by-default network access, and out-of-process policy enforcement. But what remained missing was the operational governance layer: the day-to-day management of what gets installed, what gets blocked, and what happens when something goes wrong.

DefenseClaw fills that gap. It consolidates five open-source scanning tools - a skill scanner, MCP server scanner, agent-to-agent (A2A) scanner, CodeGuard static analysis, and an AI bill-of-materials generator - into a unified admission gate that scans every skill, tool, and plugin before it enters the agent environment. Beyond the gate, a content scanner inspects every message flowing through the agent’s execution loop at runtime, because a skill that was clean at installation can begin exfiltrating data days later. Enforcement is not advisory: when a skill or MCP server is blocked, sandbox permissions are revoked, and network access is denied in under two seconds, with no restart required.

Critically, DefenseClaw connects to Splunk out of the box - every scan finding, policy enforcement action, tool call, and prompt-response pair streams as structured events from the moment an agent comes online. For organizations running agents at any scale, this built-in observability eliminates the bolt-on telemetry problem that plagues most security deployments. For channel partners advising SMB and midmarket customers adopting open-source agent frameworks, DefenseClaw provides a governance wrapper that can be deployed in under 5 minutes - turning an otherwise ungoverned agent into an observable, policy-enforced, and auditable asset.

The SMB and Midmarket Imperative: Where the Real Opportunity Lives

While much of Cisco’s RSAC narrative was framed around large enterprise use cases, the implications for small and midsize businesses and midmarket organizations may be even more consequential. These firms are adopting AI-driven tools and agentic workflows at an accelerating pace - often faster than their security postures can accommodate - yet they lack the dedicated security teams, in-house AI expertise, and operational budgets that large enterprises can marshal. The agentic threat landscape does not discriminate by company size; an AI agent with a misconfigured permission set is just as dangerous in a 200-person firm as it is in a Fortune 500 environment, and arguably more so given the thinner security layers protecting it.

Several of Cisco’s RSAC announcements are particularly relevant for this segment. The Explorer Edition serves as a zero-friction prospecting tool for channel partners - getting AI Defense into a customer’s development environment at no cost, demonstrating tangible risk exposure, and building a consultative path toward paid adoption. DefenseClaw addresses the reality that many SMBs and midmarket firms are adopting open-source agent frameworks like OpenClaw without any governance layer; a five-minute deployment that delivers scanning, runtime monitoring, and Splunk-integrated observability fills a critical gap. And the Agentic SOC capabilities - particularly the Triage Agent and Guided Response Agent - address the most persistent pain point for smaller organizations: the inability to staff and retain skilled security operations analysts.

The channel partners that recognize this fastest - positioning themselves not just as resellers but as managed AI security providers for the midmarket - will capture disproportionate value in this next wave. The SMB and midmarket segment is where agentic AI security will be won or lost, because it is where the gap between risk exposure and security capability is widest.

The Path Forward for the Ecosystem

Cisco’s RSAC announcements underscored a structural advantage that pure-play AI security startups will struggle to replicate: the network remains the one enforcement plane that observes all traffic regardless of source, and Cisco’s depth in networking infrastructure - switching, routing, firewalls, and secure access - gives it unique leverage to position the network as the governance layer for agentic workloads. This is a positioning moat, not a feature.

For channel partners, the transition to agentic AI creates a new consulting engagement model. Customers need guidance on agent identity governance, action-level policy design, open-source agent hardening, and SOC modernization. Cisco’s framework provides the architectural foundation for these conversations, and the breadth of the RSAC payload - spanning development-time validation, network-layer enforcement, open-source governance, and AI-native security operations - gives partners a cohesive story to bring to market.

However, the execution challenge should not be understated. The vision Cisco presented is ambitious, and several critical components - real-time action control at scale, MCP governance maturation, and phased availability of the full SOC agent suite through mid-2026 - are still early in their delivery arc. The industry will be watching closely to see how quickly these capabilities move from conference-stage promise to production-grade reality. What is clear is that the era of conversational AI security is over; the era of governing the agentic workforce has officially begun. The vendors and partners that move fastest to operationalize this shift will define the next decade of enterprise security.