Aikido at RSAC 2026: A GTM Teardown.

RSAC is the biggest, noisiest event in the security industry, 40,000+ attendees, hundreds of vendors, an expo floor where every booth blurs into the next. Most vendors return with a stack of business cards and no story to tell.

Aikido Security (Belgian application-security platform, $60M Series B at a $1B valuation in January 2026) ran a campaign at RSAC 2026 that did the opposite of what most vendors do. Architected by Madeline Lawrence (CGO) and executed by a small founder-led team, the playbook treated the booth as the least important asset of the week and treated the hours around the conference as where the real budget should go.

Not a client, just a teardown of a company I admire.

Aikido Security is a Ghent-founded application-security platform (founded 2022) that consolidates the SAST / DAST / secrets / SCA / cloud-posture sprawl into a single developer-friendly product. They're known in the dev-tool world for two things:

1. A free tier that converts and an irreverent, opinionated brand voice that stands out in the famously beige world of cybersecurity marketing.
2. A go-to-market team that out-punches its weight class. Aikido raised €5M seed in 2023, $17M Series A in May 2024, and $60M Series B at a $1B valuation in January 2026 (DST Global led, PSG Equity participated). They were also recognised with the Frost & Sullivan 2026 Customer Value Leadership Award in ASPM , independent third-party validation, not an awards-for-pay scheme.

The architect.

The CGO running brand and growth is Madeline Lawrence, formerly a Partner at the €150M Peak VC fund, joined Aikido as CBO and now sits as Chief Growth Officer. Her thesis on cybersecurity marketing is that the category is so risk-averse and lookalike that the highest-leverage move is to not look like a cybersecurity company at all. RSAC 2026 was the cleanest expression of that thesis to date.

The default RSAC playbook for a Series A–B vendor looks like this:

• Spend $200K–$500K on a 20×20 booth on the expo floor.
• Print a giant banner with a tagline no one will remember.
• Bring 8–12 sales reps to do badge scans on whoever wanders past.
• Do a giveaway, yeti tumblers, AirPods raffle, a putting green.
• Sponsor a generic happy hour at a hotel bar.
• Wait for the leads to come in.
• Discover, six weeks later, that the leads are mostly job-seekers, students, and badge-scan tourists.
• Argue with the CFO about whether to do it again next year.

The villain isn't a competitor. The villain is noise.

RSAC week has three problems:

1. Every vendor sounds identical. Every booth says "AI-powered, agentic, end-to-end, unified platform." A buyer can't tell vendor X from vendor Y from the floor.
2. Buyers attend the conference for the conversations, not the booths. The expo hall is the 9-to-5 obligation; the parties, dinners, and side events are where decisions form.
3. The week is over as soon as it ends. Without an asset that lives past the week, you've spent half a million on a four-day moment.

Madeline's team made four upfront calls that shaped the entire campaign:

1. Don't try to win the booth war. Be present, but don't pretend a 20×20 will out-shout a 60×60. Spend the freed-up budget on hours outside Moscone instead.
2. Become the connective tissue of the week. Be the brand people open in their browser to find out where to go after 5pm, not the brand they avoid eye contact with on the floor.
3. Use the founder, not the SDR. Roeland Delrue (co-founder, CRO/COO) and Mackenzie Jackson (developer advocate) on every podcast and every panel. Salespeople work the booth. Founders work the narrative.
4. Ship a product moment and a research moment that ride the news cycle. Don't show up empty-handed. Show up with something journalists actively want to write about the same week the show is happening.

Each of those decisions is observable in the campaign artefacts.

1. The RSAC 2026 Parties & Security Events Guide.

This is the masterstroke of the entire campaign.

Aikido published a comprehensive, ordered-by-date guide to every party, side event, dinner, and meetup happening during RSAC week , far broader than just their own. It became the de facto reference document for the week. Other vendors linked to it because it was genuinely useful. Marketers shared it in private Slack channels. Attendees opened it on their phones at 4:55pm on Monday to figure out where to go.

The Trojan-horse logic is exact: by being the brand that helps everyone else find the parties, Aikido put themselves in front of the entire RSAC audience without ever pitching anything. The guide dominates Google for "RSAC 2026 parties", a search query that spikes in the two weeks before and during the event.

2. A dedicated, paid-search-targeted landing page.

aikido.dev/aikido-rsac-2026, not a product page, not a calendar. A focused page with the specific events Aikido was at or hosting, with a "let's talk" CTA. Backed by Google Ads on rsac 2026 exact match. This means anyone searching for the event during the lead-up was seeing Aikido in paid + Aikido in organic + Aikido in their friend's WhatsApp recommending the parties guide.

3. Multiple events, mostly co-hosted, deliberately positioned as anti-event events.

• BSidesSF Rooftop Afterparty at Chotto Matte, co-hosted with Chainguard, Sublime, Tailscale, and Torq. 300+ attendees. Tagline: "No stages, no sales decks, no synergy." Five-brand co-host means each brand's CAC on the event is one-fifth of a solo party, but the perceived event size and credibility goes up.
• Jazz Evening with PSG Connect, investor-network leverage, surfacing executive-level conversations rather than developer happy-hour energy.
• Cybersecurity Marketing Society rooftop lunch, hosted by Madeline herself. Goodwill to the community of marketers who decide whether to feature your brand in their content for the next twelve months.

4. The State of AI in Security & Development 2026 report, the centrepiece.

This is the most important asset of the entire campaign and the one most worth studying. Looking at the actual artefact (52 pages, 16:9 landscape, designed for screen-share rather than print), it's clear the report was built to do five jobs at once: lead-gen anchor, journalistic citation source, contributor-relationship builder, sales-conversation prop, and visible proof that Aikido has a point of view on the category.

Methodology and scale.

Sapio Research conducted the survey on behalf of Aikido, capturing 450 full-time professionals, 150 developers, 150 security leaders (CISOs or equivalent), 150 application security engineers, across Europe (Belgium, Germany, France, UK) and the US.

The eight key findings.

Each one was designed to be quotable in a headline.

1. AI-generated code creates real-world risk. 69% of organizations have uncovered vulnerabilities introduced by AI-generated code; 1 in 5 suffered a serious incident directly tied to it.
2. AI optimism vs reality. 96% believe AI will one day write near-perfect secure code, but the average expected timeline is 5+ years. Only 21% think AI will ever do it without human oversight.
3. Incidents are the norm. 27% of organizations had a material security incident in the past year. 3 in 4 CISOs were impacted in the last 12 months.
4. Europe prevents, USA reacts. EU orgs report fewer serious incidents (20% vs 43% US) but more near-misses (53% vs 40%), suggesting EU teams catch issues earlier.
5. Tool sprawl correlates with more incidents, not more security. Teams that suffered incidents ran 5.1 vendor tools vs 4.2 in incident-free teams. Triage time scales with tool count: 4.1 hrs/week with 1-2 tools, 7.8 hrs/week with 5+.
6. Integrated AppSec + CloudSec means lower incident rates. Teams with separate AppSec and CloudSec tools are 50% more likely to report incidents (31% vs 20%); 93% report integration headaches.
7. Security engineers are essential. 1 in 4 CISOs admit losing one top security engineer could directly cause a serious breach.
8. Better DevEx = fewer incidents. Teams using tools built for both developers AND security report fewer incidents than those using single-audience tools.

The Kairos number that lands with CFOs.

The report puts a dollar figure on the alert-triage problem:

This is the line that gets pulled out of the report and into board decks.

The contributor list, the masterstroke.

Aikido didn't just do survey research. They sprinkled the report with attributed quotes from 13+ named industry figures, every one of them carrying weight in their own community.

The design choice.

The PDF is 1920×1080 landscape, built for screen-share on a Zoom call, not for print. Every page has the "TM 2026" mark in the corner. Section dividers use big numbered cards (01–07). Stats are pulled out as huge typography with the chart underneath. Quotes are styled as visual punctuation between data sections.

The hosting URL.

The report lives at aikido.dev/stateofdev (clean vanity URL, easy to say on a podcast) and aikido.dev/state-of-ai-security-development-2026(SEO-friendly long-form URL). Both lead to the same gated download , turning every citation, every podcast mention, every contributor share into top-of-funnel pipeline.

5. Aikido Endpoint product launch tied to the news cycle.

In March 2026, the worst stretch of supply-chain attacks in open-source history hit: TeamPCP chained stolen credentials across Trivy, Checkmarx KICS, LiteLLM, and Telnyx in under ten days. Days later, Axios (100M+ weekly downloads) was compromised through a hijacked maintainer account.

Aikido launched Aikido Endpoint (a lightweight agent that inspects and blocks risky packages, IDE extensions, browser plugins, and AI tools at install time, with a 48-hour minimum-package-age policy as default) on April 20, exactly when journalists were writing the postmortem on TeamPCP. SiliconANGLE, SC Media, FinancialContent, GlobeNewswire, BriefGlance, and CyberDefenseWire all picked it up.

6. The Neo stunt, paid actors as walking media.

Madeline hired a group of actors dressed as Neo from The Matrix , full black trench coats, shades, the lot, and had them walk the blocks around Moscone all week. No badge scan, no booth duty, no pitch. Just a visual gag that made every attendee pull out their phone, and made every LinkedIn feed in the security industry post the same clip back to itself for 72 hours straight.

The economics are absurd in Aikido's favour: a few hundred dollars of day-rate against a 20×20 booth that runs into six figures and generates none of the same organic reach. The stunt is on-brand for a security company (Matrix = the canonical hacker visual), disarming rather than salesy, and ownable, nobody else did it, so every share is unambiguously Aikido. Madeline's own LinkedIn post about hiring them ("hired these dudes on the internet to walk…") became one of the most-engaged pieces of RSAC 2026 content from any vendor.

7. The decoy booth and the loud-shirt crew, attention as infrastructure.

For two RSACs in a row, Aikido has set up a second “joke” booth in the hall opposite their actual one. Last year it was the Anti Magic Quadrant Club, which Michiel Denis (marketing lead at Aikido) describes as “a joking reference to the Gartners of this world.” This year, they framed it around having “spent all of our money on the other booth”, with copy so on-the-nose that, in Michiel's words, “RSA had us cover up the word ‘bullsh*t’ day of the event.” The purpose, per Michiel: “attention-grabber, get people talking while driving interest to our actual booth.”

The same instinct scales to the team itself. As Michiel puts it: “for the RSAs and Black Hats of this world, we usually show up with a large crew (and in loud shirts) so we're unignorable.” Screenshot-worthy on the floor, screenshot-worthy on LinkedIn, and a constant in-person reminder that this is the company everyone keeps seeing.

8. Founder-led podcast distribution.

Roeland Delrue did the TWiT podcast with Leo Laporte at RSAC. His framing on autonomous AI pen testing, "AI agents that alternate between static code analysis and dynamic exploitation, cycling rapidly between the two in a way that mimics how the most skilled human pen testers actually work", became the soundbite version of the Aikido positioning that podcast listeners carried forward.

In parallel, Mackenzie Jackson (Aikido dev advocate, ex-GitGuardian) hosted Aikido's own podcast, The Secure Disclosure, recording on-site at RSAC with guests including Casey John Ellis (Bugcrowd founder). Casey wrote his own blog recap ("Spicy Takes from my Aikido Security Podcast") promoting Aikido's podcast on his own audience, a perfectly executed reciprocal-distribution play.

9. The cycle keeps running through April.

• Casey John Ellis's recap published April 25, extending the conversation a month past RSAC.
• SiliconANGLE published a feature analysis: "Bringing the cyber community into the battle against agentic insecurity at RSAC 2026."
• The Endpoint launch press cycle ran April 20 onwards, layering on top of RSAC mindshare while every other vendor's RSAC coverage was already fading.
• The State of AI report continues to be cited, the report is a campaign asset that earns links for months, not a one-time PR drop.
• The team used the trip itself as a writers' room for the next campaign. Michiel: “We try to take advantage of the conference environments to think about our next creative campaign.” They shot their April Fools spot, a fake Aikido perfume ad, in San Francisco the days right after RSAC, turning travel cost into a second piece of owned content.

I cannot get into Aikido's CRM (I tried, trust me!). Few founders publish that. But the observable outcomes are unambiguous.

Distribution and earned media.

• TWiT podcast appearance (Leo Laporte's audience: ~400K+ monthly downloads across the network).
• SiliconANGLE feature article + standalone Endpoint launch coverage.
• SC Media, GlobeNewswire, FinancialContent, CyberDefenseWire, BriefGlance, Yahoo Finance, KnowledgeNile picking up the Endpoint launch.
• Casey John Ellis publishing a recap blog post promoting Aikido's podcast.
• The RSAC 2026 Parties Guide ranking #1 for "RSAC 2026 parties" on Google.

Community goodwill.

• 300+ attendees at the co-hosted rooftop afterparty.
• Cybersecurity Marketing Society lunch, Aikido permanently lodged in the goodwill bank of the community of cybersecurity marketers.
• PSG Connect dinner, investor-side relationship building.

Brand reinforcement.

• Frost & Sullivan 2026 Customer Value Leadership Award in ASPM.
• State of AI report cited by independent third parties (academics, investors, marketers) within weeks of release.

Business context (correlation, not causation).

• $60M Series B at $1B valuation closed January 2026, RSAC sits inside the post-Series-B momentum window, when narrative and distribution are doing more for the company than any single feature ship.

Aikido has now run this playbook at one major event. The hard test is whether it scales, to Black Hat, KubeCon, AWS re:Invent, the European security circuit. The playbook generalises if four conditions hold:

1. The category has a flagship event (it usually does).
2. The team has a founder willing to be the face on podcasts and panels (Roeland is, and Mackenzie covers the developer-advocate angle separately).
3. The team has a product moment or research moment to ship into the news cycle around the event.
4. The team is willing to spend on hours-around-the-event rather than booth-during-the-event.

If those four hold, the Aikido RSAC playbook becomes a transferable framework, not an event-by-event reinvention.

If you take only a handful of things from how Aikido ran this:

1. Become the calendar. Publish the most useful guide to the whole event week, not just your slice of it. The brand that helps everyone else find the parties wins distribution without pitching.
2. Co-host, don't solo-host. Five brands sharing one rooftop costs each of you 1/5 the spend and produces 5× the perceived credibility. Pick co-hosts that lift you, not ones you compete with.
3. Stage the anti-event. Tag your event with "no stages, no sales decks, no synergy" and the right people will show up specifically because of that line.
4. Ship product into the news cycle, not the calendar. Look at what journalists in your category are actually writing about that month and time your launch to it. Aikido shipped Endpoint into the TeamPCP news cycle, not into a pre-planned launch slot.
5. Invest in original research with strong creative direction. A 450-respondent report with sharp findings and a strong visual treatment becomes a citation engine for a year. A vendor whitepaper with a stock-photo cover becomes nothing.
   • Commission a third-party research firm so the methodology is credible.
   • Sample at least three roles for cross-segment quotes.
   • Split EU/US so you have two distinct news angles.
   • Put 12+ named contributors in the report so each becomes a distribution node when it drops.
   • Include at least one of your own customers and one of your own investors' people for quiet status.
   • Put a dollar figure on the problem somewhere ($20M/1000-developers in this case) so CFOs can quote it in board decks.
6. Send the founder, not the SDR. Founder voice on a podcast carries the soundbite. SDRs scanning badges does not.
7. Goodwill events for the community of people who decide whether to feature you. Aikido hosted the Cybersecurity Marketing Society lunch. That isn't a leadgen play, it's a permanent deposit in the bank account of the marketers who will write about Aikido for the next year.
8. Pay for the exact-match keyword. "rsac 2026" as a Google Ads exact match for two weeks. Tiny spend. Caught the planning-week traffic at the highest-intent moment.

Primary sources used in this case study.

• The State of AI in Security & Development 2026 report itself (52-page PDF, conducted by Sapio Research on behalf of Aikido, hosted at aikido.dev/stateofdev).
• Aikido's RSAC 2026 landing page (aikido.dev/aikido-rsac-2026) and parties guide (aikido.dev/blog/rsa-2026-parties).
• TWiT podcast episode 19, RSAC 2026: Securing the Agentic Era, with Roeland Delrue interviewed by Leo Laporte.
• The Aikido Secure Disclosure podcast with Casey John Ellis (Bugcrowd founder), and Casey's recap on his blog cje.io (April 25, 2026).
• SiliconANGLE coverage: the standalone Aikido Endpoint launch piece and the "Bringing the cyber community into the battle against agentic insecurity at RSAC 2026" feature.
• Madeline Lawrence's LinkedIn (linkedin.com/in/madelinelawren).
• GlobeNewswire and SC Media releases for the Aikido Endpoint launch (April 20, 2026).
• The Frost & Sullivan 2026 Customer Value Leadership Award in ASPM announcement.
• BleepingComputer, TechCrunch, and PSG Equity press releases for the $60M Series B (January 2026).
• Connect Ventures' opinion piece "Fun marketing. Serious growth." (Pietro Bezza on Aikido).