Trace3 Blog | All Possibilities Live In Technology

From the Floor of Startup City: Innovation Trends That Stole the Show

Written by Innovation Team | August 8, 2025

Each morning at Black Hat USA 2025, a crowd gathers outside the Business Hall as 10 a.m. approaches, waiting for the gates to open and another day of cybersecurity exploration to begin. For first-time attendees, it’s hard not to be struck by the scale and by the eye-watering marketing budgets of the industry’s biggest players vying for attention and brand dominance. But if you keep walking to the far end of the hall, you’ll find a very different scene.

Here, the energy of fresh ideas meets the discipline and careful management of early-stage investment. These startups don’t have the lavish marketing budgets of the legacy giants, but they make up for it with bold visions and the prospect of enormous growth. This is Black Hat’s Startup City, the incubator of innovation, where teams are building solutions to tackle emerging cybersecurity challenges or reimagining old ones. Many of these companies will vanish before the broader industry ever hears their names. But a few will discover the right blend of technology, marketing, and execution to break out, and will eventually become some of the most influential players in the future cybersecurity marketplace. For the Innovation Team at Trace3, this is home during Black Hat week. A place where vision meets execution, and the next generation of cybersecurity leaders begins shaping the industry’s future.

We spent the week in Startup City, talking with founders and leaders, learning about the problems they aim to solve, the inventive ways they’re tackling them, and capturing the trends that we observed. This is what we saw:

 

AI Agentic Security

Agentic AI is now a pervasive force throughout the vulnerability lifecycle. Agents bring autonomy to security-first engineering as well as SOC tasks. Agents also leverage LLM data awareness on the overwhelming firehose of data that accompanies detections and decision-making. Finally, the monitoring and security of agent activity itself in operations is another growing trend: local agent activity and interfacing with the growing force of MCP services create a need for new data protection.

On the application development side of the fence, we see new efforts in vulnerability detection for code. AI agents are prompted to focus on risk patterns to discover problems at the source code level, now with a deep understanding of the broader context of the code base and a robust understanding of application process and data flows.

Agents then assist with the aggregation and prioritization of detections. AI insight into the details of vulnerabilities enables dependency analysis to remove cascading detections in addition to duplicates, to the point that some services boast 97% redundancy reduction.

Remediation of issues is also automated in support of existing dev workflows. Fully-automated remediation does not have to be fully-autonomous: it can function in a human-in-the-loop style via increasingly flexible integration points such as code diff patches, version control and container commits, and the pull requests popular with existing processes. These can be managed within existing CI/CD or release processes as a secure-by-design development team requires.

On the operations side of the fence, agentic processes have expanded from enterprise runtime oversight to API-style MCP interface monitoring services. MCP server integrations require monitoring in the same vein as API monitoring services. These may be standalone services, integrated with MDM, or part of a larger operational SOC monitoring system. These are also sometimes integrated as AI components within the other vulnerability management tools in less formal or less personified ways.

 

Deepfake Detection

The prevalence of deepfake technology creates a growing need for tools to detect its use in real time and after the fact. Where existing services have focused on issues related to brand protection (see https://blog.trace3.com/a-deepfake-dilemma-navigating-the-new-uncanny-valley), the new focus of Black Hat startups is protection against social engineering and biometric bypass attacks. Deepfake technologies are a new method of generating a false identity, in which generative AI gives attackers video or audio impersonation. New startups defend against this social engineering by bringing liveness and anti-spoofing technology to live communication tools. Prevention of these attacks effectively introduces multiple layers of monitoring to live communication channels. These layers include analysis of identity/biometrics and detection of further signs of manipulation such as liveness, visual boundary distortion, object permanence gaps, inconsistent textures, real-time rendering defects, and others. These controls can be instrumental in detecting media manipulation and deepfakes across multiple forms of digital media.

 

Context is Key…AGAIN!!!

One of our key takeaways from Black Hat 2024 was the accelerating use of AI to provide richer context across a wide range of cybersecurity disciplines. Application security, cloud security, and even security operations tools were increasingly leveraging large language models (LLMs) to build deeper contextual awareness of entire codebases, cloud environments, and security alerts. Findings and events were being analyzed, triaged, rationalized, prioritized, and even acted upon within the context of this broader ecosystem view. These early examples made it clear: no cybersecurity market is immune to disruption from AI-driven contextual intelligence.

What already felt like a broadly disruptive trend in 2024 has only expanded in 2025, now influencing nearly every cybersecurity market. One notable holdout in 2024 was vulnerability management, perhaps because the space had already undergone several rounds of (only partially successful) refinement, or because it is one of the more established cybersecurity markets and less enticing as a first target for context-driven disruption. Regardless of the reasons, AI-contextualized vulnerability management arrived in Startup City in 2025. This long-stagnant market is now being revitalized by multiple players introducing cross-platform analysis and enriched context (organizational, environmental, and threat intelligence) into processes such as false positive reduction, rationalization, patch management, and remediation workflows.

Beyond vulnerability management, the same “disruption through context” trend is expanding into more specialized cybersecurity markets, including User and Entity Behavior Analytics (UEBA), insider risk management, Internet of Things (IoT) security, and Operational Technology (OT) security.

 

Browser Protection and Defense

Over the past several years, a phrase has been gaining traction in technology circles: “the browser is the new OS.” Traditionally, browsers were primarily used for web surfing, while most productivity and business applications ran directly on the operating system through installed software. However, as Software-as-a-Service (SaaS) has become the dominant delivery model, the center of work has shifted from the broader operating system to the more confined but increasingly capable browser environment. This transformation is blurring the line between user behavior and cybersecurity risk, especially in SaaS-heavy, hybrid work environments.

Today, the browser is where critical business processes happen and where sensitive data is accessed and manipulated. As this shift continues, the browser has become not just a tool for work, but a new frontier of digital exposure—introducing fresh attack surfaces and drawing the attention of threat actors eager to exploit them. These challenges have steadily intensified year after year and are now reaching a critical tipping point. Client-side attacks, and particularly those exploiting undisclosed or zero-day browser vulnerabilities, are climbing to unprecedented levels annually. As a result, it’s no surprise that browser security has become a growing area of focus for cybersecurity startups.

This year’s Black Hat Startup City lineup included multiple companies tackling this growing problem. These companies are embedding security visibility and controls directly into the browser or browser-adjacent layers, offering protection against phishing, session hijacking, shadow SaaS usage, and malicious browser extensions. These solutions employ lightweight, real-time approaches to monitor user actions, flag risky behaviors, and often intervene before a threat fully materializes. The overarching goal is to reduce browser-based threats with visibility that follows the user across SaaS tools and web apps, regardless of device or location.

 

The SOC is Transforming

SOC Transformation has been a major theme our team has been tracking over the last year, and it was definitely present throughout Startup City. Vendors each had their own taglines and ways of presenting the challenges surrounding the SOC, but it all boiled down to the copious amounts of security data that make it increasingly difficult for organizations to respond to alerts. What was interesting was not only the number of emerging solutions tackling this problem, but also the variations in how these solutions are responding to these challenges.

While there were solutions leaning into becoming next-gen SOC tools, mainly next-gen SIEMs, the main theme we noticed was emerging solutions leaning into agentic AI. Regardless of the solution, AI was in their pitch and throughout their features. Within agentic AI, each solution differentiated how they were leveraging agents and to what extent. There were plenty of these agentic AI SOC solutions handling triage and investigation, but they differed in how they do so, in the flexibility of human in the loop, and in the expansion of their platforms beyond these core capabilities into other areas throughout security operations, including detection engineering, response, and beyond into more proactive and compliance use cases. What was interesting from Startup City is evidence that these additional security operations use cases are becoming the core offering in some emerging platforms. Even the solutions in Startup City that are next-gen SIEMs were leaning into this agentic future, creating agents as part of their platforms to further enhance the investigation process.

It’s an exciting time to see how agentic AI can make an impact in SOC processes, and it's clear they provide opportunities to create a more efficient and scalable SOC.

 

Auto-Remediation

While walking through Startup City, a phrase on many booths and marketing flyers was "Auto-Remediation." AI creates the ability for existing solutions to automatically remediate vulnerabilities and issues found, eliminating this burden from developers and security teams. This was present mainly within application security and cloud security, but signs were apparent throughout other use cases as well.

As we met with each of these vendors, they presented us with their solution, which usually started with consolidating the context of their given security domain, and then provided a host of flexible options for remediation. Almost all the new remediation features were leveraging AI to do some level of auto-remediation; however, the specific capabilities for auto-remediation differed. Developer-focused solutions provided automated ways of providing code fixes, typically integrating changes through pull requests. Cloud solutions looked to remediate misconfigurations and risky data through policy-as-code enhancements.

While auto-remediation technology is evolving, in cases where auto-remediation may not be the preferred step, these solutions offer remediation recommendations or proposed next steps. Even for auto-remediation workflows, many of these solutions offered options for human in the loop, where the human analyst could verify or approve the work of the agent before the action was taken.

 

In Conclusion

Our team always leaves Black Hat feeling energized about the future, and this year was one to remember. Each startup brought a level of enthusiasm and determination to provide an impactful solution in their respective use case. While we have only called out a few of the main themes throughout the hall, there were many startups tackling a variety of security challenges in unique ways. We’re excited to continue tracking these solutions and how these core cybersecurity areas continue to unfold.

Below is a comprehensive list of the emerging solutions at Startup City. 

The Innovation team scouts and vets emerging technologies, offering clients expert advice on market trends and solutions across enterprise IT. Comprised of members with varying years of practical experience, the team is structured around two pillars: technical research and client advisory. Together, these pillars create informed perspectives on market landscapes and emerging technology, guiding clients through education, advisory, and integration strategies to keep them ahead in the evolving enterprise tech landscape.