5 Crucial Cogitations on Winning @RSAC

May 13, 2015 (updated August 1st, 2018) | Blog

RSA Innovation Sandbox 2015

Quite recently, a record 33,000 people attended the largest security conference in the world, the RSA® Conference (@RSAC). Billed as the place “Where the World Talks Security,” there is no question that this was the time and place to be in the face of the massive and escalating cyber attacks we have all been watching.



12 Jan 2015 0830 EST: @RSAC, the world’s leading information security conference and exposition, announced today that its annual Innovation Sandbox Contest is now accepting submissions to name the “Most Innovative Company at RSA Conference 2015.” The RSA Conference Innovation Sandbox Contest is an engaging program during which up-and-coming startups grab the spotlight and demonstrate groundbreaking security technologies to the broader RSA Conference community. Every year, the event has grown to include more opportunities to network and learn from venture capital professionals, industry experts, senior level business practitioners, and thought leaders.

Oh Sh**

Companies are invited to submit an entry online no later than 2000 PST 28 Feb 2015. Over 100 companies applied last year, only ten companies get selected, and we have how much time???

Innovation Sandbox


“challenge today’s security thinking”

The days are flying by, and we know that in order to have any possibility of making the cut we not only have to demonstrate that our solution is “Innovative” but also need to address exactly how we will “challenge today’s security thinking”: 4k characters to explain what security problem we are solving, 4k characters to tell the judges why our company is unique and, most importantly, “In 20 words or less, how is your product innovative?” Wow, how in the world can you condense the key assertion into 20 words?

Well, we gave it our best shot.

Then on 24 Mar 2015 0830 EDT @RSAC sent out a press release “announcing the 10 finalists for its annual Innovation Sandbox Contest. The competition is dedicated to encouraging out-of-the-box ideas and the exploration of new technologies that have the potential to transform the information security industry.” And lo and behold, Waratek with our Runtime Application Self Protection Solution (RASP) was among the finalists. Simply put, RASP is cyber security at the application layer as reported by SearchSecurity.

So while we enjoyed a solid sixty seconds of excitement, we simultaneously got the email outlining our next challenge. We had 24 days to put together a deck and a 3 minute pitch. Yes, that is correct, we had 3 minutes to convince the judges that we were hands down the company that was both innovative and fully challenged today’s security thinking. As you might imagine, there were very few hours during that short period of time that we were not all fully engaged in frantic preparations. We practiced informally, formally and repeatedly, and then it was off to San Francisco and @RSAC.


As CSO Online stated, “There are over 500 vendors at the RSA Conference and I have no idea what most of them do.” However, RSA does have the Innovation Sandbox Contest. The competition is dedicated to encouraging out-of-the-box ideas and the exploration of new technologies that have the potential to transform the information security industry. The 2015 event marked 10 years since the event launched at RSA Conference 2005 as Innovation Station. Past winners include Sourcefire, Imperva, and most recently RedOwl Analytics.

There is no question that this competition is a serious event. Over 100 companies submitted their pioneering security ideas and only ten make the cut. The judging panel was comprised of top leaders in the security industry, including Gerhard Eschelbeck, VP of Security Engineering @Google, Patrick Heim, Head of Trust & Security @Dropbox, and Asheem Chandna, Partner @Greylock Partners.

I should state that, being in the position of executive rep for Waratek, it does not seem fair for me to comment on the competition. However, my peer Andrew Plato is founder and President of Anitian, the oldest information security practice in the world. Andrew’s position provides a unique perspective on the security industry, technology and governance, and of course on @RSAC, from which Andrew provided regular updates for his peers in the security industry and gave me permission to quote his observations freely for this post.

After a morning of setting up, rehearsing, and last minute changes, approximately 1,000 people filled the “sandbox area.” Many were relegated to standing in an overflow area to watch a live stream of presentations.

To avoid any perceived conflict of interest, I defer to Andrew’s opinion:

“The Innovation Sandbox is always my favorite event. Ten upstart security tech companies vie for the award as the most innovative company.”

As well as to Andrew’s outtakes on some of the new technologies presented:

  • After a long, clumsy pitch from the BugCrowd representative, I blurted out, “You’re an eBay for hackers.”
  • The more I questioned the representative of CyberReason, the more annoyed she seemed to get, which makes me suspicious.
  • NexDefense is an ultra-boring technology with an ultra-awesome GUI. Who cares what it monitors; I could stare at those packet blob things and rays of communication all night.
  • SecurityDo does breach detection. They have a dumb name. Their website broke the night of the Sandbox. I guess they took the loss pretty hard.
  • TrustInSoft is a code scanning technology that will mathematically guarantee the quality of code. How you mathematically guarantee code is, honestly, beyond me. This company’s website also was dead after the Sandbox. Maybe they should have guaranteed the code of their website.
  • Ticto was the runner-up for the Sandbox, and I can see why. Their technology is cool. Ticto is a cross between a smart card, a one-time password fob, and a picture keychain. It has an LCD screen on the front that shows a picture ID. It can be used to badge into an environment, and is presumably compatible with existing HID-type readers.

RSA Interview

Saying it was an inventive solution to a “massive problem,” judges at the RSA Conference’s Innovation Sandbox awarded the title of Most Innovative Company to Waratek, creator of a runtime application self-protection solution for Java.

Again from Andrew:

“Waratek aims to solve a serious and pervasive problem plaguing business applications: Java sucks. Java’s flexibility and extensibility make it a popular development language. However, they also make Java difficult to secure. Java attacks have figured prominently in a few high-profile breaches.

Waratek is an elegant and practical technology. What surprised me is that the panel chose this over Ticto, Vectra, FortScale, or SecurityDo all of which have sexy, high-concept products. Could this signal a refreshing trend? Is RSA setting aside sensationalism for practicality?”

The experience of winning the Innovation Sandbox is certainly exciting, particularly as it afforded us the opportunity to interact with key leaders from the security industry following the competition. It is a wonderful opportunity for both Waratek and influential security professionals to examine and assess emergent technologies.


As reported in an interview with Fortune magazine, RSA President Amit Yoran urges, “Let’s do things differently; let’s think differently; let’s act differently. Because what the security industry has been doing has not worked.”

That puts our biggest challenge ahead of us. We have proven to the Security Industry that our RASP solution is indeed revolutionary. However, now the onus is on us to prove we can stay the course in doing, thinking and acting differently.


Author Waratek

Some of the world’s leading companies use Waratek to patch, secure and upgrade their mission critical web applications using our next generation technology. Waratek makes it easy for security teams to instantly patch known Java and .NET flaws with no downtime, protect their applications from known and Zero Day attacks, and virtually upgrade out-of-support Java applications – all without time consuming and expensive source code changes or unacceptable performance overhead.
