Just-in-Time Access Software
Independent guidance for JIT access buyers
Vendor Profile

Palo Alto Networks (CyberArk)

Vault-centric PAM platform acquired by Palo Alto Networks. Market-leading installed base in hybrid and Active Directory-heavy enterprises; JIT workflows layered on an architecture built for a different era of privileged access.

Category: Legacy PAM
Deployment: Hybrid (on-prem + cloud)
JIT approach: Vault-centric with JIT session brokering
Access scope: Human + NHI
On-prem support: Yes — core strength
Pricing: $$$ — Enterprise
Parent company: Palo Alto Networks (acquired 2025)

Overview

CyberArk built the dominant position in enterprise PAM by solving the credential storage and rotation problem at scale. The Privileged Access Manager product, now branded under Palo Alto Networks, provides a centralized vault for storing privileged credentials, a session proxy for brokering and recording administrative access, and an API layer for JIT session provisioning. The installed base spans most Fortune 500 companies and a significant portion of mid-to-large enterprises with complex on-premises and hybrid infrastructures.

The acquisition by Palo Alto Networks in 2025 changed the procurement context without yet changing the product. CyberArk's PAM capabilities are being positioned as part of the broader Palo Alto identity security portfolio alongside Prisma Cloud's CIEM capabilities and the Cortex platform's identity threat detection. What this means for the standalone PAM roadmap, support contracts, and long-term product investment is not yet clear from public information. Buyers in the CyberArk installed base who are mid-contract have a different decision than buyers evaluating it fresh.

Acquisition context: The Palo Alto Networks acquisition of CyberArk introduces genuine roadmap uncertainty. Legacy PAM buyers should treat this evaluation as a two-part question: does CyberArk PAM solve the current problem, and does the Palo Alto platform strategy create a viable long-term path. Those are separate questions with separate answers.

Architecture and key capabilities

The CyberArk architecture is gateway-centric. The Digital Vault stores privileged credentials. The Privileged Session Manager proxies administrative sessions through a central broker, recording keystrokes and screen activity. The Central Policy Manager enforces access policies across vaulted accounts. JIT workflows are delivered through the Privilege Cloud SaaS offering, which adds time-limited session provisioning and automated credential rotation on top of the vault model.

For hybrid environments — enterprises where Active Directory domains, on-premises databases, legacy servers, and cloud workloads coexist — the vault-centric model provides coverage that cloud-native JIT platforms cannot reach. A cloud-native JIT platform generating ephemeral IAM roles has no mechanism for a 20-year-old Oracle database running on-premises that does not participate in cloud IAM. The vault proxy does.

CyberArk's Conjur product handles the NHI use case: dynamic secrets, automatic rotation, and vault-based credential provisioning for DevOps pipelines, Kubernetes workloads, and service accounts. This is vault-centric rather than ephemeral-token-native, which creates a different security property: the secret exists in Conjur and is dynamically retrieved rather than not existing until needed.

Strengths

  • Broadest enterprise PAM installed base; mature support organization and partner ecosystem
  • On-premises and hybrid coverage that cloud-native JIT platforms cannot replicate
  • Conjur provides vault-based secret management for DevOps and Kubernetes workloads
  • Deep Active Directory integration for enterprises with large AD footprints
  • Session recording and audit trail depth that meets stringent compliance requirements
  • Privilege Cloud SaaS removes on-premises vault infrastructure requirement for new deployments
Limitations
  • Vault-centric architecture creates standing infrastructure that cloud-native ephemeral models eliminate
  • JIT capabilities are a workflow layer on top of a vault, not a native ephemeral architecture
  • Palo Alto acquisition introduces roadmap uncertainty that extends evaluation risk for multi-year contracts
  • Deployment and operational complexity is high relative to cloud-native alternatives
  • Enterprise pricing puts it out of consideration for mid-market buyers
  • Cloud-native workload JIT depth lags dedicated platforms like Britive or Apono

Target environment

Palo Alto Networks (CyberArk) is appropriate for enterprises where the primary JIT problem includes significant on-premises infrastructure — legacy databases, Active Directory, industrial systems — that cloud-native ephemeral token architectures cannot reach. If the estate is 80%+ cloud-native, the vault-centric model introduces overhead that cloud-native alternatives avoid. If the estate is heavily hybrid or predominantly on-premises, the coverage argument for CyberArk remains strong regardless of the acquisition context.

Buyers already running CyberArk face a different question than new evaluators. The installed base has existing integrations, trained administrators, and established policies. The cost of switching to a cloud-native alternative includes migration of that institutional investment, not just platform licensing. That cost is real and should be part of the evaluation alongside the architectural arguments.

Verdict

The strongest coverage argument in the market for hybrid and on-premises-heavy environments. The acquisition by Palo Alto Networks makes a new multi-year CyberArk commitment a bet on both the current product and the future platform strategy. Existing CyberArk customers should evaluate whether the gap between what they have and what cloud-native JIT offers is worth a migration project. New buyers with predominantly cloud estates should evaluate cloud-native alternatives before defaulting to the market incumbent.
