Axios Codebook

April 25, 2023
Happy Tuesday! Welcome back to Codebook.
- 👋🏻 Greetings from San Francisco, where I'm already knee-deep in all things RSA and unclear on what time it actually is right now.
- If you're also at RSA and looking for something to do later this morning: I'm moderating a panel at 9:40am PDT about creativity in the industry. It's going to be a fun one!
- 📬 Have thoughts, feedback or scoops to share? [email protected].
Today's newsletter is 1,414 words, a 5.5-minute read.
1 big thing: Generative AI blitz hits RSA
Illustration: Sarah Grillo/Axios
This year's RSA Conference has become a hot spot for AI security product announcements.
Driving the news: Companies big and small are rolling out new products this week that incorporate generative AI.
- But so far, most of the products have been pretty simple — with security firms opting to just train their own large language models on their stores of intelligence and attack data.
What's happening: Google unveiled its plans Monday to introduce its own security-focused large language model, Sec-PaLM, that will help defenders collect details about ongoing breaches and contextualize threat intelligence.
- SecurityScorecard, a company that rates internal security programs against those of other organizations, announced plans today to embed ChatGPT into its programs so customers can more easily find specific ratings data.
- Veracode and Recorded Future released similar programs earlier this month that would bring generative AI into their own products. Veracode's generative AI product will suggest fixes for flaws in code and open-source repositories, while Recorded Future trained ChatGPT to help threat analysts better interpret security risks.
Zoom out: Ever since OpenAI's ChatGPT entered the scene last fall, companies have been scrambling to figure out how they, too, can profit off of the latest tech craze.
The big picture: But until this week, cybersecurity firms have been a bit slower to embed generative AI into their systems compared to other industries.
- The first big leap didn't come until late March, when Microsoft announced Security Copilot, a ChatGPT-enabled bot that helps defenders pull in alerts, notifications and other information during incidents.
What they're saying: "It felt natural to us to start talking about Google and its approach to AI related to security at the largest security conference of the year," Eric Doerr, vice president of security engineering at Google Cloud, told Axios.
- "If we showed up and everyone else is talking about generative AI and we weren't, that would be very strange," he added.
Between the lines: Generative AI's impact on cybersecurity is likely to be much bigger than what we'll see at RSA throughout the week.
- Generative AI has the potential to enable security products to better detect advanced phishing attacks, proactively scan networks for suspicious activity, and automatically "fight back" against ongoing attacks, Avivah Litan, distinguished vice president analyst at Gartner, told Axios.
- Most current uses of AI in security are still reactive to threats, rather than offensive, Litan added.
Yes, but: Gartner and other consulting firms recommend companies hold off on using ChatGPT for code generation, code security scanning and secure code reviews since large language models still struggle to write clean code and are prone to misinformation.
- "You have to treat an AI model as a new vector, so anything going in and out of the model directly needs special toolsets to scan for vulnerabilities," Litan said.
Be smart: Cybersecurity vendors aren't exempt from marketing hype cycles when new technology emerges.
- "If you buy these security products with AI in them, you have no visibility into what the tool is doing and if it's performing as advertised," Litan said.
- Those interested in new cyber AI products should ask vendors for specific examples and metrics to back up claims about how these tools will benefit them, she added.
2. Cyber Command, CISA unveil secret operations
Illustration: Shoshana Gordon/Axios
A little-known partnership between the country's military cyber forces and homeland defenders has blunted the impact of two foreign-linked attacks, senior officials disclosed at the RSA Conference.
Why it matters: With so many cyber-related agencies in the U.S., it's often difficult for anyone outside of the government to understand which office is responsible for what during an attack.
- These disclosures are some of the first clear examples of how the Pentagon-based Cyber Command and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) cooperate during an active event.
Driving the news: Eric Goldstein, CISA's executive assistant director for cybersecurity, and Maj. Gen. William Hartman, chief of the command's Cyber National Mission Force (CNMF), detailed two previously unknown incidents involving the agencies during a panel talk Monday.
Details: During the 2020 presidential election, CNMF discovered Iranian-linked hacking group Pioneer Kitten lurking on a city's infrastructure "used to report the results of voting," Hartman said. CNMF looped in CISA, which contacted the jurisdiction — resulting in an immediate remediation of the threat, the officials said.
- In another incident, CISA identified three federal agencies facing an "intrusion campaign from foreign-based cybercriminals," Goldstein said. CISA handed this information over to the command, which weighed how it could thwart the malicious hackers. The officials did not name the affected agencies.
Between the lines: CISA and Cyber Command have unique roles in these incidents.
- CISA acts as the liaison to private and public sector organizations, telling them which sectors an ongoing incident affects and which threats everyone should track.
- Meanwhile, Cyber Command has the power to shut down the online infrastructure a malicious actor uses.
Yes, but: Much of this partnership still relies heavily on input from private sector partners.
- "Increasingly over the last number of years, we have realized that partnership with private industry — while working really closely with Eric's team at [CISA's Joint Cyber Defense Collaborative] — really allows us to get at scale in ways that previously we were unable to," Hartman said.
3. Google embraces an open ecosystem
Illustration: Lazaro Gamio/Axios
Google is leaning into flexibility as part of a new strategy to blunt the impact of belt-tightening among cyber chiefs.
Driving the news: Google Cloud and Mandiant, the threat intelligence unit it acquired last year, unveiled at the RSA Conference on Monday that they're opening their security products to integrations from competitors, as well as offering new Google plug-ins for other vendors' tools.
- The news, which was shared first with Axios, means that Google customers will now have more options to embed Google's tools in products from partner companies like CrowdStrike, Trellix and SentinelOne.
- Other companies, like Accenture and login management company Okta, will also be integrating their products into Google's as part of the plan.
Why it matters: Chief information security officers are facing increasing board pressure during a wobbly economy to cut down the number of vendors they work with and simplify their security programs.
- As a result, vendors have started integrating their competitors' products into their own tools in recent years to reach more customers.
How it works: Google Cloud's partnership expansion will let customers integrate various threat intelligence and security products into its offerings.
- Accenture, an IT services and consulting group, is integrating its entire cloud infrastructure managed services operation with Google Cloud's Chronicle Security Operations hub for incident response, threat intelligence and event management tools.
- Customers of Google Workspace will soon be able to integrate login verification tools from Okta and device management tools from VMware into their Google dashboards.
- Customers of CrowdStrike, SentinelOne, Trellix and other partners can also now plug in Mandiant's threat intelligence tools to their programs. Doing this allows those customers to see information about an ongoing attack inside the same security programs they'd need to deploy to fix it.
Yes, but: Integrating third-party vendors into a company's security operations brings additional risk of supply chain attacks, where attackers reach a target's network through the access or software of a trusted vendor.
4. Catch up quick
@ D.C.
👀 The suspect behind the recent Pentagon leak is believed to have started posting sensitive information months earlier than previously known. (New York Times)
🍿 The FBI's sour relationship with the GOP is likely to taint negotiations to renew Section 702 of the Foreign Intelligence Surveillance Act. (Politico)
@ Industry
💸 Cybereason's recent funding round came at a 90% discount, costing the firm its "unicorn" status. (Axios)
🏷️ The private sector's naming conventions for hacker groups are "now absurdly out of control," one reporter argues. (Wired)
💪🏼 A group of operational technology vendors are working together to provide early threat warnings to critical infrastructure organizations. (CyberScoop)
@ Hackers and hacks
🇰🇵 The U.S. Treasury Department sanctioned three individuals who helped the Lazarus Group facilitate crypto transactions. (CoinDesk)
⚡️ The 3CX supply chain attack also impacted four energy and financial trading organizations in the U.S. and Europe, researchers found. (Symantec)
5. 1 fun thing
Screenshot: @samsabin923/Twitter
The breeze is flowing, the coffee lines are getting longer, and the cyber vendors are out in full force. RSA is here, and it feels good to be back.
Here are some of the best sights around town so far:
- The TikTok bus raising eyebrows.
- These stickers the NSA is handing out at its vendor booth.
- And Palo Alto Networks' custom drink menu at its press reception, which included drinks named after each of the company's teams.
🌉 See y'all on Friday!
Thanks to Scott Rosenberg for editing and Khalid Adad for copy editing this newsletter.
Decode key cybersecurity news and insights. With Sam Sabin.