Marc Manzano, General Manager of Cybersecurity at SandboxAQ, shares how his team is tackling the urgent challenges of quantum-era cryptography and the explosion of AI agents across enterprise environments. From real-time cryptographic agility to continuous non-human identity management, this episode reveals how organizations can modernize security before it’s too late.
Quantum computing and AI are no longer theoretical concepts for tomorrow—they’re shaping how organizations must secure their infrastructure today. In this episode of the podcast, Marc Manzano, General Manager of Cybersecurity at SandboxAQ, joins the conversation to share how his team is helping organizations confront some of the most urgent and complex cybersecurity shifts of our time.
SandboxAQ, a company spun out of Alphabet, operates at the intersection of quantum technology and artificial intelligence. Manzano highlights two immediate challenges that demand new approaches: the looming need for quantum-resistant cryptography and the unchecked proliferation of AI agents across enterprise systems.
Post-Quantum Migration and Cryptographic Agility
Manzano describes an industry-wide need for massive cryptographic migration in response to the quantum threat. But rather than treating it as a one-time fix, SandboxAQ promotes cryptographic agility—a framework that enables organizations to dynamically and automatically rotate credentials, replace algorithms, and manage certificates in real-time. Their approach replaces decades of static key management practices with a modern, policy-driven control plane. It’s not just about surviving the post-quantum era—it’s about staying ready for whatever comes next.
Taming the Complexity of AI Agents and Non-Human Identities
The second challenge is the surge of non-human identities—AI agents, machine workloads, and ephemeral cloud infrastructure. SandboxAQ’s platform provides continuous visibility and control over what software is running, who or what it communicates with, and whether it adheres to security policies. This approach helps teams move beyond manual, one-off audits to real-time monitoring, dramatically improving how organizations manage software supply chain risks.
Real Use Cases with Measurable Impact
Manzano shares practical examples of how SandboxAQ’s technology is being used in complex environments like large banks—where decades of M&A activity have created fragmented infrastructure. Their platform unifies cryptographic and identity management through a single pane of glass, helping security teams act faster with less friction. Another use case? Reducing vendor risk assessment from months to minutes, allowing security teams to assess software posture quickly and continuously.
Whether it’s quantum cryptography, AI risk, or identity control—this isn’t a vision for 2030. It’s a call to action for today.
Learn more about SandboxAQ: https://itspm.ag/sandboxaq-j2en
Note: This story contains promotional content.
Guest:
Marc Manzano, General Manager of Cybersecurity at SandboxAQ | https://www.linkedin.com/in/marcmanzano/
Resources
Learn more and catch more stories from SandboxAQ: https://www.itspmagazine.com/directory/sandboxaq
Learn more and catch more stories from RSA Conference 2025 coverage: https://www.itspmagazine.com/rsac25
Security at the Edge of Change: Preparing for the Cryptographic and AI Tipping Point | A Brand Story with Marc Manzano from SandboxAQ | An On Location RSAC Conference 2025 Brand Story
Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.
_________________________________________
[00:00:00] Marco. Sean, we are rolling. We are rolling. We've been rolling for a while. We've been rolling for a while. You've been rolling for a while. It's a good day. I've been on back to back, but the energy is good when you have great guests. Oh yeah. I'm excited about this one. All right, Marc. All the way from Bilbao,
Spain. All the way from Spain. Yes, I know. Welcome. Thank you. Thank you for having me. Yeah, it's good. It's my, my pleasure. It's great to have you. You find, you find RSAC conference. Good. It's been very good this year. It has been the best so far. So how many years have you been here? I've been here coming for like a decade in a row, so Very good.
Yeah, I've seen the evolution also. Every year is kind of hot topics and what worries to the sector, so. Yeah. Alright. I wanna ask you, I, I will ask you about the evolution that you have seen mm-hmm. And how things have changed. I love that kind of question. Mm-hmm. But let's start with a little introduction about who you are mm-hmm.
And what's your role in the company. Sure. So, I'm, uh, I'm Marc Manzano. I am the General [00:01:00] Manager of Cybersecurity, uh, at SandboxAQ. Uh, SandboxAQ is a company that spun out from, uh, Google, uh, three years ago, and it works at the intersection of quantum tech and AI. Our vision is to have a deep impact at scale, at every single, uh, corner of society.
Eh, one of the areas that we focus on, of course, it's cybersecurity, uh, otherwise I wouldn't be here. Right, exactly. Um, especially at RSA. Right. So, eh, it's important to note that SandboxAQ takes that seriously enough to have you in looking after that and have a practice looking after that and mm-hmm.
And tackling specific problems. It is. Because we know there are specific problems there, right? It is, it is a really specific kind of core aim of our, our CEO to, to provide the, the necessary solutions to protect the future. So, well, talking about the future, let, let, let's start with that. And I think it's connected with the [00:02:00] evolution that you've seen.
Mm-hmm. So they, you go to a conference like this, there's always the, the buzz word or what people are talking about. I have to say that the moment you say. The Sandbox AQ works with Quantum and ai. You just said the two big words. Yeah, the mind. The mind blows up everybody in everybody's mind right now. So I think you got the attention of people, but a lot of people still think about it.
I feel like it's almost like a sci-fi thinking. Mm-hmm. Especially when you put the two together. Mm-hmm. But you guys are actually doing concrete things mm-hmm. With this. So tell mm-hmm. Tell me what, what you guys focus on. So on the quantum side, what we are, uh, like specifically, um, our, our group, my group at, at Sandbox, what we focus on on the quantum side is mainly considering that there is these upcoming massive migration in terms of algorithms, in terms of protocols that needs to happen everywhere, that needs to go, uh, [00:03:00] uh, across the globe, and that all entities need to go through.
In order pretty much touching everything. Yeah. In, in, in banking and healthcare and all, all sectors, all sorts of entities, all governments need to go through this with the objective of kind of using a new set of algorithms that are secure in the quantum era. So this is what actually we, uh, we do from a quantum aspect, we leverage the quantum threat in order to push a much bigger mission, which is, uh, giving the solutions to customers to stay ahead.
Of evolving threats, especially the quantum threat is one, but the AI threat is another one that we are also leveraging. The proliferation of agents, uh, across, across the enterprise is scaling like very rapidly. And, uh, we don't have cybersecurity solutions, AI agents, specifically ai, AI agents, and we don't have the necessary solutions to keep pace with that, with that growth.[00:04:00]
Our goal is to give, uh, our customers the, the, the right solution for them to be able to, uh, observe and understand the risk that these evolving technologies pose at scale, and also give them the right solution to be able to do more with less like infrastructure And, um, information security teams are, uh, very, very busy, right, and very demanded nowadays.
So you, and we want to give the right solutions to these teams for them to operate more efficiently. So, so you touched on one points with respect to, uh, cryptography specifically. Mm-hmm. And the quantum evolution, that that's gonna expose a lot of things. And that basically you described is, I'll put it this way, a ton of legacy stuff that's gonna have to shift mm-hmm.
Very, very fast. And, um, buddy of ours, we were talking to John Sapp. Uh. Uh, CSO of Texas [00:05:00] Mutual Insurance. Mm-hmm. He, he quoted a, I guess an open letter from JP Morgan Chase Yeah. Around, uh, ai. And he basically is calling the same thing that says, we're deploying this stuff so fast. Yeah. That we're gonna end up in a world where we have all this legacy tech and legacy basically debt.
Mm-hmm. That we're not gonna be able to build, dig ourselves out of at some point in time. So I, I think those two, and especially when you combine them together, I think we're creating an environment that, that it's gonna be very difficult to manage and get out of. Yeah. And we're gonna be stuck, not unlike Yeah.
Industrial control systems and SCADA systems Yeah. That they're trying to, so your thoughts on all of that? Yeah. So, uh, so actually on, to add on that, so I don't know if, if it's the same letter or not, but, um, JPMC, cso. Eh, you should, like, made a post, um, last week [00:06:00] on, uh, his thoughts on why we still need to focus on software supply chain security.
Right? Mm. This is a major open topic nowadays. Still it's related to, it's related to the topics and the threats that you, that you were referring to, but also it's, it's something that has been there. For decades, and we still, nowadays, we still don't have the necessary solutions to tackle that problem. So what we provide in this, in this domain is the right, the, the right solution for customers, not, not only to keep pace with this constant evolving threats mm-hmm.
For them to be able to control, uh, which workloads, which pieces of software, which machines, which AI agents. Are talking to which resources, when are, when is that happening, which resources are they accessing, and to basically like have a really good grasp on everything that's going on around that part.
We, [00:07:00] we refer to that as kind of non-human identity management, which is also something that we tackle. But on top of that, we are all about kind of solving these problems that have been black boxes for a couple of decades at least. Right? Yep. The software supply chain has been one of them. And we want to give the necessary, uh, tools to customers for them to shed light on what kind of software they're bringing in the infrastructure.
When they deploy a third vendor, a third party vendor in their, in on their premises, how much are they reassured that that's a secure software and that the vendor has been following the, the, the necessary security guidelines that are recommended. Right. For, for a given environment, can you give us a case study, like an example of real application where, where you step in, maybe pick an industry Yeah.
And, and you know, what could go wrong and where you come in [00:08:00] into. Yeah. So, uh, so I can think of, uh, a couple. So, eh, a large, a very large bank. Um, usually large banks nowadays are the result of a lot of merger and acquisition processes. So their infrastructure usually is extremely heterogeneous and there is not single pane of glass in order to have, uh, an easy view on all the specific sensitive aspects of the cybersecurity infrastructure that governs that, that, that, that financial institution.
So what we do is we create that single piece of, uh, like a dashboard, exactly this single pane of glass that. Allows, uh, information security teams to actually visualize in a very easily to digest, prioritize and filtered way, what is really important for them to tackle without taking into account all the heterogeneity and the complexity of the underlying, um, infrastructure.
So that's one. And we focus on cryptographic [00:09:00] management and we focus on non-human identities. Mm-hmm. But that's one use case. We, we work with banks that are, uh, worried about the post quantum migration. But their big picture is they need modern tools to manage cryptography. And they are, they haven't been available in the market, uh, in, in, in a, in a, in, in a, in, in, in the same, um, form factor that we provide until, until recently.
So we're really proud that, um, we've been able to kind of push the boundaries, uh, of, of this challenge providing a solution that is bringing value to customers. Within the first kind of few hours of them using our, our, our solution. Uh, and uh, and that's kinda one use case that we, we know very well. There is another one which is related to software, uh, supply chain.
Uh, when an entity, a large entity wants to onboard a vendor, the procurement process, uh, process is usually like very lengthy. Mm-hmm. It can take up to like [00:10:00] months, like we're talking about like quarters, sometimes two, three quarters, four quarters, and. The, the, the main issue of that process is there is no mechanism to actually evaluate if that vendor is going to give you something that you can rely on.
And then there is a bunch of like manual process that is put on top that, that requires a lot of people to go there and spend hours, right, in order to kind of create a document that tells you, okay, this makes sense for you to use in this particular environment. With our solution, you can kind of put the vendor through it, and then you can actually get a really easy quick digest of what's the security posture of that piece of software.
Right. Basically like cutting from months to like a few, a few minutes, a few hours. What happens? It's very great. Yeah. What happens when the, uh, the open source library gets updated by that vendor? You guys pick up [00:11:00] exactly. So the, the. We are not a one-off solution. We're not scanning once and then leaving, uh, the customer premises.
Like we, we, we, we are there, uh, 24 7, 365, like the, the monitoring needs to be constant. We, we firmly believe that if you are not there monitoring in real time what's going on in your infrastructure, you won't be able to know everything that that's happening because infrastructure nowadays, especially on.
On the backend side, on the cloud side, it's pretty ephemeral. So you create workloads, you create like certain, um, computing power when there is a peak of demand that you need to serve. But when that demand kind of, uh, plateaus and, and, and, and disappears, all of that piece of infrastructure goes away. And if you are not like monitoring that, that, uh, piece of infrastructure during that time, you'll never be [00:12:00] able to know.
If that was secure or not. And what was the security posture or the risk that that was posing on, on, on your organization? Right. So I mean that one year check, one month, one day, all it takes is like an update or buy a patch and you, it needs to be real time, time back to, yep. I wanna, it needs to be real time.
I wanna ask this. Um, so we've talked about that moment in time, whether it's five years or 10 years. Cryptography is broken by quantum. Capabilities and there's a, perhaps a, a move before that and then move after that to kind of reset the world mm-hmm. With new stuff. Mm-hmm. That's not the end. So I want it, I want your view of where cryptography goes.
Mm-hmm. At that point, driven by quantum, I presume. Mm-hmm. And also since you're also looking at the AI piece. And non-human identities and agent ai, agent ai [00:13:00] and all this stuff. How does that change the future of, of management mm-hmm. Of things in an environment, talking to each other. Trust becoming, yeah.
Ever even more important than ever. What's that future look like? And how, how is that gonna impact organizations? How do you help? Because it, it's, it seems like a huge mess to me. Yeah. So, on on, on the, on the cryptographic piece, um. So there are now some, uh, algorithms that NIST, the National Institute of, um, Standards and Technology from the US has, uh, defined as the new set of standards that need to be applied across, across the globe, as we've seen.
Okay. Uh, uh, and across any domain. Uh, all organizations need to go through this update. And then they have two choices. They have like. They have a choice of doing this like manually and doing it once, [00:14:00] uh, or they have the choice to actually take this as an opportunity to improve and upgrade the way that they actually perform these updates.
And if, if you are, um, uh, going this latter route where you actually deploy solutions to help you migrate in a much more seamless way. Mm-hmm. Basically what you are going to be embracing is what we call cryptographic agility, which is we want to give this level of resiliency to infrastructure that allows infrastructure to be upgraded, to be migrated dynamically without the necessary, uh, human intervention, manual intervention, going there and kind of doing things, uh, one by one.
Right? So. So that's one. One of these areas. So what we believe is this is one migration, right? But there are going to be endless migrations. There will always be new algorithms. There will be one algorithm broken. At [00:15:00] some point we'll have to replace it with another one. We just want to give you the solution to do that seamlessly for you to forget about this problem.
Does this include key management as well? So key management is, 'cause I'm just thinking the number of keys gonna be required. Exactly, exactly. And this is also linked to the, the, the non-human identity piece. So what we are aiming at is, uh, giving a full automated solution for key management and the life cycle of keys, um, keys and non-human identities alike for us, they, they're, they're like very, very similar in, in the way that we think on.
Uh, lifecycle, uh, and, and, and the management of those assets. So what we would like is customers to be able to define in a single pane of glass a policy. How often would I like to rotate my credentials? Do I want my credentials to last for 10 minutes? Regardless of the environment? Can I actually push the boundaries farther?
[00:16:00] Am I fine with having digital certificates with a one week of validity date? This should be, this should be kind of part of the bread and butter of a very easy to digest, uh, UI that allows, uh, information security team to just click a button and then push it and, and enforce it across the entire infrastructure.
So that's, I want that now before, yeah. Well, that, that's a good thing is I'm thinking like, this is great. I mean, this is everybody's dream. Yeah. How hard it is, or easy it is to. Yeah, make that first step where you, where you change your system into a quantum, a SandboxAQ system. Yeah. So the journey basically starts by, um, first shedding light into the piece of infrastructure that you have and, and, and cataloging, creating an inventory of everything that you have.
Uh, and then once you know, and you have the, the capability to do that in real time, which is. Part [00:17:00] of, um, our value proposition, like we are actually the best in, in, in class. In doing this, uh, you can also deploy this control plane on top of, on, on top of this inventory that takes whatever is seen that needs to be addressed.
Let's say you have an an, uh, a certificate, a digital certificate that's expiring next week, the control plane will pick it up. Yeah. And we'll make sure that by the time that that certificate is expired, the key management system has already issued another credential and provisioned and revoked the previous one.
I'm picturing as So plays with what you got, it plays with what you have. Yeah. Yeah. It, it's totally fully integrated, end to end from discovery management to actually control, enhance protection, uh, in, in, in, in the platform that we have built. So I'm, I'm picturing the, the, the company's. Infrastructure is the orchestra and they're all over the place.
Mm-hmm. And your first step is [00:18:00] to bring the orchestra together on stage and then you also give them plane to Yeah. Actually conduct. Yeah. The orchestra in an easy way. Yeah. So AqtiveGuard actually create something beautiful. Yeah. AqtiveGuard Protect is the line. I'm glad you mentioned AqtiveGuard is the, make sure we, we connected that 'cause it's a new release.
AqtiveGuard. Yeah. So AqtiveGuard is the product that we launched, uh, last week. Um, it's generally available already for discovery, cryptographic inventory management, issue remediation. The automated, um, the automated lifecycle management is coming up next. It's a capability that we are calling AqtiveGuard Protect.
Okay. And that's going to be the maestro of the orchestra. So yeah. A maestro. Yeah. I love it. Well, I think we ended with a, with a nice. Good news. It's actually there. Yeah. It's, you know, which goes back to it is not the future. It's future right now. It's now. And we're as eager, uh, as, uh, [00:19:00] anyone else can be to show this to the world and get feedback and get people, uh, on, on this trend to, to modernize cryptography management and non-human identity management.
Yeah. Which has, it's been a problem for a long time. I'm, I'm surprised. Well, it's a hard problem to solve. Clearly, you've, you've, uh, tackled that problem. We do. There's no reason to wait, from my perspective, don't wait for the, the break to happen. Yep. Get a hold of handle on it. Now. Be prepared for the change.
Be prepared for the future is only gonna be more complex, sounds like. Mm-hmm. So, um, indeed. SandboxAQ, AqtiveGuard. Connect with Marc, connect with the SandboxAQ team. Yep. Good stuff. Good stuff. And I'm actually looking forward to talk more about this 'cause it's fascinating. Thanks for having me. More, more user stories would be fantastic.
More story with you guys. Let's talk soon and, uh, and more story with RSA Conference. We're not done. We're not done. We'll, that's coming. [00:20:00] itspmagazine.com/rsac25, everything including this story with Marc and links to their page and, and all the good stuff that they offer. Thanks everybody. Hope you enjoyed it.
Stay tuned. Thank you.