Live from RSAC 2025: Dave Merkel on AI, identity, ransomware, and more

An interview with Dave Merkel at RSAC 2025.

An exclusive interview with Dave Merkel, CEO and co-founder of Expel, discussing key findings from the 2025 Annual Threat Report, the geopolitical threat landscape, and the role of AI in cybersecurity.

Date: May 1, 2025
Location: RSA Conference 2025, San Francisco

Featuring:

  • Anna Delaney, Senior Editor, Information Security Media Group
  • Dave Merkel, CEO and Co-founder, Expel

Executive summary

In this RSAC 2025 interview, Expel CEO Dave Merkel discusses the major cybersecurity trends emerging from the company’s latest Annual Threat Report. The conversation covers the shift from ransomware to identity-focused attacks, the challenges organizations face in defending against nation-state threats amid rising geopolitical tensions, and practical guidance for evaluating AI-powered security solutions. Merkel also shares updates on Expel’s expansion into new attack surfaces, including Oracle Cloud Infrastructure and enhanced email security capabilities.

The rise of identity-based attacks

Anna Delaney: You’ve just released an Annual Threat Report. What are the key takeaways you can share?

Dave Merkel: The most interesting development we’re seeing is attackers’ intense focus on identity—going after users, their credentials, and authentication mechanisms. This shift is largely driven by the massive volume of assets stored in cloud infrastructure and applications. When you steal credentials from someone at a large enterprise, you essentially get the keys to the kingdom.

We’ve seen years of ransomware dominance, and while it hasn’t disappeared, it’s simply not in vogue anymore. Identity attacks present a different challenge for defenders because identity is much more ephemeral than traditional attack surfaces. When someone attacks your laptop, there’s substantial security instrumentation and footprints to analyze. With identity attacks, there’s significantly less signal for security practitioners to work with.

Industry Context: According to Expel’s 2025 Annual Threat Report, identity-based incidents continued to dominate SOC investigations, rising 4% year-over-year from 2023. This aligns with broader industry trends, as IBM’s X-Force 2025 Threat Intelligence Index also found that valid credentials were among the top initial access vectors used by attackers.

Anna Delaney: Can you expand on the specific challenges organizations face with identity attacks?

Dave Merkel: The fundamental challenge starts with basic identity management. Many organizations lack a central source of truth for identities. They don’t have proper single sign-on environments—instead, they have fragmented systems. Questions organizations need to ask include: Do we have robust multifactor authentication? Do we have comprehensive logging and instrumentation across all applications and infrastructure where identities are used?

Unlike deploying a firewall or endpoint agent that provides comprehensive coverage, identity security requires much more sophisticated management of information assets. Whether it’s your internal team or a partner like Expel providing protection, we need comprehensive visibility to effectively defend against these threats.

The evolving ransomware landscape

Anna Delaney: You mentioned ransomware. What specific challenges are security leaders facing in defending against it?

Dave Merkel: Ransomware is definitely still a threat, but organizations have significantly improved their defenses. During the COVID era, we saw massive spikes in ransomware attacks, with many organizations unprepared and cyber insurance providers struggling to handle claims.

That wake-up call led organizations to implement fundamental but unglamorous security hygiene practices: proper backup management and, critically, the ability to restore from those backups. Having backups is useless if you can’t get the data back into your systems and make them operational—it’s just ones and zeros on a disk.

Companies like Rubrik have emerged specifically to address these challenges. As organizations improved their ransomware defenses, attackers pivoted to areas where security hygiene and infrastructure maturity lag behind—hence the focus on identity attacks.

Geopolitical threats and nation-state activity

Anna Delaney: How is the current geopolitical landscape impacting cybersecurity threats?

Dave Merkel: The situation became particularly challenging with Russia’s invasion of Ukraine. Suddenly, any U.S. business with Russian ties—whether through joint ventures or other business relationships—became a potential high-priority nation-state target.

Today’s landscape shows nothing but escalation: Hamas versus Israel, Hezbollah versus Israel, Iran versus Israel and the U.S., ongoing Russian conflicts, and China-Taiwan tensions. When geopolitical tensions increase, we inevitably see corresponding increases in nation-state cyber activity.

The fundamental challenge for U.S. organizations is that unlike physical conflicts, there’s no military or government buffer between private companies and nation-state cyber attacks. A bank in the Midwest might think it’s immune to nation-state attacks, but that assumption could be dangerously wrong.

Anna Delaney: What specific challenges do these geopolitical threats present for organizations?

Dave Merkel: If you’re targeted by a nation-state, you simply cannot win through spending alone. You’re a small private organization facing the resources of an entire country. The strategy must focus on being as diligent and nimble as possible while preparing for potential compromise and recovery scenarios.

There’s a high likelihood that sophisticated nation-state attacks will succeed, given the resource disparity. Organizations need to accept this reality and build resilience accordingly.

The AI hype at RSAC 2025

Anna Delaney: What are you hearing on the RSAC show floor this year?

Dave Merkel: It’s AI everywhere, all the time. If I had to create an RSA rule, it would be taking a shot every time someone mentions AI—though that might be dangerous given the frequency!

While innovation in AI applications is encouraging, the security industry has a problematic habit of latching onto buzzwords. Remember “big data”? We’re seeing the same pattern now. The challenge for buyers is cutting through the marketing speak to understand actual outcomes.

When vendors say “AI,” buyers need to ask: What specific outcome are you delivering? How exactly are you using AI? The term is so generic—are you referring to machine learning, large language models, or something else entirely?

Critical questions for evaluating AI security solutions

Anna Delaney: What specific questions should organizations ask vendors about their AI implementations?

Dave Merkel: Start with fundamentals: What’s the actual outcome you’re delivering? Once they mention AI, demand specifics. Is it machine learning or large language models? If it’s an LLM, which one? Did you develop it in-house, or are you using platforms like OpenAI or Anthropic’s Claude?

Then dive deeper: Where does the training data come from? If it’s customer data, how are you handling it? Can you delete it upon request, or does it get absorbed into larger training datasets that can’t be disaggregated?

The worst answer isn’t any particular technical approach—it’s “I don’t know.” Without specifics, you have no agency to calculate or mitigate risks. You need concrete details to determine whether the product will work and whether it introduces new risks you’re willing to accept.

Related Resource: For more guidance on evaluating security vendors and their AI claims, organizations can reference CISA’s guidance on secure AI deployment and best practices for vendor risk assessment.

AI’s impact on the cybersecurity workforce

Anna Delaney: How is AI’s emergence affecting cybersecurity professionals?

Dave Merkel: AI has tremendous potential to enable defenders by helping individuals scale their capabilities and work more effectively. However, attackers are simultaneously leveraging the same technologies for social engineering, phishing campaigns, and other malicious activities.

This creates an ongoing arms race where both sides continuously adopt new technologies. Defenders must start thinking strategically about countering enhanced attacker capabilities, despite the confusing landscape.

Anna Delaney: What skills should security teams develop to work with AI technologies?

Dave Merkel: I heard this phrase on a podcast—I can’t attribute it properly—but it perfectly captures the situation: “It’s not that AI will take your job; it’s that someone who understands AI will take your job.”

This parallels the 1980s accounting profession: some accountants stuck with adding machines and pencils while others adopted PC spreadsheets. Security practitioners must get curious about AI technologies and take ownership of their career development rather than expecting their organizations to manage their professional growth.

Start experimenting with AI applications in your environment. Engage with vendors using AI in their tools and understand how it’s implemented. When you interview for your next position, you’ll be asked about your AI experience. Being able to say “I experimented with this approach” or “I used it for this specific purpose” puts you at a significant advantage.

The resources for self-education are abundant. Take initiative, get curious, and own your learning outcomes.

Expel’s evolution and new capabilities

Anna Delaney: What has Expel been focusing on over the past year?

Dave Merkel: Our mission is reducing the impact of security talent shortages in this dynamic threat environment. We focus on three constantly evolving areas: attack surfaces, attackers, and protective technologies.

For attack surfaces, we recently became the first MDR provider supporting Oracle Cloud Infrastructure because our customers are expanding into that environment. We expect continued cloud competition, including international expansion, and we need to move with our customers as they adopt different platforms.

We’re also expanding email security capabilities. Yes, email might seem boring in 2025, but it remains the most ubiquitous communication platform worldwide. More importantly, we’re seeing significant innovation in email security with companies like Abnormal and Sublime developing new solutions.

We’ve announced MDR for email because the attack surface is evolving rapidly. As customers invest in new email security technologies, we want to help them operationalize these investments and extract maximum value from their security spending.

Our focus remains on staying ahead of attack surface evolution while continuously adapting to changing attacker tactics—both areas that require constant vigilance and adaptation.


This transcript has been edited for clarity and readability.

For more insights from Dave Merkel and the Expel team, visit expel.com or follow Expel on social media.
