Palo Alto and CyberArk Deal: A $25B Bet on Yesterday’s PAM

When Palo Alto Networks announced it was acquiring CyberArk, it was huge news in the cybersecurity industry. $25 billion is nothing to sneeze at, and it clearly signals something big. Or at least, it should, right? 

If identity and access management is among your IT priorities (and 100% of the organizations we talk to say it is), then it’s worth taking a closer look at what this deal means for the options you’ll soon have available.

Why This Deal Matters for Identity & Access Management

On the surface, the acquisition looks like another big-ticket consolidation move. But if you zoom in, it’s far more than that. It’s a clear signal about where the privileged access management (PAM) market is headed and how identity has become the new battleground for security vendors. 

CyberArk, once the undisputed leader in PAM, chose to sell rather than reinvent for the cloud-native, Zero Trust era. Palo Alto, meanwhile, is trying to stitch together a full identity and data access portfolio by bolting CyberArk onto its growing list of acquisitions. 

For buyers, the implications are huge: the future of PAM, and arguably cybersecurity as a whole, is being rewritten in real time.

Palo Alto’s Patchwork Identity Strategy

I don’t intend to take away from the work Palo Alto Networks has done. The company has always excelled at network and endpoint security. Their firewalls are industry-leading, and their Cortex platform has strong capabilities for detection and response. But when it comes to identity, the story has been far less coherent. 

Instead of building a unified strategy, Palo Alto has tried to fill the gaps by acquiring companies with specialized products and bolting them into their portfolio.

Take the enterprise browser play with Talon. That acquisition gave PANW a way to extend visibility and control into SaaS and web-based apps, but it’s a siloed approach that doesn’t naturally integrate with their legacy firewall or EDR stacks. The same is true for Dig Security, which they picked up to add cloud data loss prevention. Dig was strong in scanning and classifying data across cloud environments, but it was never architected to tie seamlessly into Palo Alto’s existing policy engines. 

And now, with the acquisition of CyberArk, Palo Alto has pulled a legacy PAM solution into this already eclectic stack. Each of these products was built independently, with different design assumptions, control planes, and user experiences. Palo Alto’s task is to make them appear as a single integrated platform—but stitching together an enterprise browser, a DLP engine, an IGA tool, a machine identity system, and a traditional PAM vault is not the same thing as delivering a unified identity and access strategy. It’s duct tape.

Palo Alto has an incredibly smart and adept engineering team, but this is a hugely complex task. Each product speaks a different “language” when it comes to policy enforcement, user context, and telemetry. Identity data is scattered across consoles. Policies have to be replicated and re-interpreted across multiple control planes. Customers end up managing integrations instead of managing risk. And while the slideware may show a clean “platform,” the lived reality is messy and disjointed. For users, it will be slower to evolve, harder to operate, and brittle at scale.

CyberArk’s Legacy PAM Problem

CyberArk’s piece of this story is equally revealing. They were pioneers in PAM and I give them credit for defining the market, developing the concept of vaults, and setting the early rules. But the market has changed and the PAM they built doesn’t serve the needs of today’s enterprise customers. 

Today’s environments are hybrid, ephemeral, and cloud-first. PAM isn’t just about checking out a credential from a vault; it has to provide real-time, policy-driven authorization to databases, servers, clusters, and cloud consoles, and it can’t drag security and ops teams through a maze of workflows. 

CyberArk never made that leap. Instead of rewriting their architecture for modern Zero Trust, they doubled down on legacy paradigms. Eventually, they chose to exit rather than reinvent. That’s very revealing about the product, both as it is now and in what it was engineered to be.

The StrongDM Alternative: Unified by Design

And so, while some investors are enjoying a huge windfall, we just don’t see that the greater good is being served here. 

StrongDM built a Zero Trust PAM platform to solve all of these security problems from the ground up. We didn’t do it by acquiring five different companies. Rather, it was in our code base from day one. 

We have, thoughtfully and meticulously, developed a system that natively integrates policy, authentication, authorization, and audit into a single control plane. When an engineer requests access to a production database through StrongDM, there are no credentials handed over, no vault checkout, and no standing privilege. Our proxy layer enforces policies in real time, authenticating the user through your existing IdP, authorizing based on dynamic roles and conditions, and then brokering the connection—all without ever exposing a password or key. That’s how you stop credential theft dead in its tracks.

Where CyberArk leans on static vaults, StrongDM leans on ephemeral, credential-less access. Where Palo Alto is hoping to stitch together disparate products, StrongDM delivers a unified, protocol-aware proxy that works across databases, servers, Kubernetes clusters, cloud consoles, and even network devices. That’s not integration by acquisition. It’s innovation.

We also cannot neglect the impact on operations. Access operations only work when experience and accuracy work together, seamlessly. In the PANW + CyberArk world, users will have to deal with separate consoles and brittle workflows. StrongDM collapses that into a single policy engine that applies everywhere, for any and all actions. 

Want to enforce MFA on SSH sessions but not on read-only database queries? You can do that in one policy. Need to record privileged sessions for compliance? It’s built into the proxy. Want to auto-expire access when someone’s PagerDuty on-call shift ends? That’s native too. The system isn’t brittle at scale—it’s adaptive.

Buyer Beware: Lock-In and Bundling Risks

Now, about lock-in. Because someone’s going to have to pay for that $25 billion, and surprise, surprise, Palo Alto hopes it’s you. They will absolutely lean on bundling and upsells to justify the acquisition, and that’s not nefarious or underhanded. It’s a common game, but as Warren Buffett said about poker: "If you've been playing poker for half an hour and you still don't know who the sucker is, you're the sucker."

We don’t think that’s a great way to form a relationship.

StrongDM integrates with what you already run. Any IdP, any SIEM, any secrets manager, any cloud. We don’t force you to rip and replace; we extend your existing stack with granular, real-time access control that doesn’t care if your workloads live in AWS, Azure, GCP, or a colo rack that’s been running since 2009. Flexibility, adaptability, agility: we operate internally like this, and we have developed a product that does the same for our customers.

Why This Acquisition Validates Zero Trust PAM

Ultimately, this deal validates something very essential to the future of this business: identity, access, and control are the future of cybersecurity. 

Every breach you read about eventually comes down to some flavor of over-permissioned access, stolen credentials, or uncontrolled lateral movement. But recognizing the problem isn’t the same as solving it. 

Security leaders don’t need yesterday’s PAM rebranded as “platform.” They need systems that are agile enough to handle ephemeral cloud workloads, adaptive enough to enforce continuous Zero Trust checks, and purpose-built to keep engineers productive without sacrificing control. That’s what StrongDM does.

Conclusion: The Road Ahead

So congratulations to Palo Alto and CyberArk on the deal. The next few years will determine whether this becomes a true platform shift or just another expensive exercise in duct tape. 

If you’re watching it, we encourage you to think about how the future of security must align with your needs. It has to provide security teams with a single control plane that sits between people and the infrastructure they need, enforcing policy in real time, without ever handing over credentials or leaving standing privileges behind. 

That’s the identity firewall and it’s the reality our customers run every day: a Zero Trust PAM platform that is unified by design, not assembled through acquisition, delivering identity-based security that’s adaptive, auditable, and ready for the next decade.

Ready to see what modern, Zero Trust PAM looks like in action? Book a demo today and experience secure access without the duct tape.

About the Author

Tim Prendergast, Chief Executive Officer (CEO). Before joining StrongDM, Tim founded Evident.io—the first real-time API-based cloud security platform. In 2018, Palo Alto Networks (PANW) acquired Evident.io, and Tim joined the executive team at PANW. As the first Chief Cloud Officer, Tim helped outline GTM and product strategy with the C-suite for the cloud business. Tim also served as the principal architect for Adobe's Cloud Team, designing and scaling elastic AWS infrastructure to spark digital transformation across the industry. Tim’s love for innovation drives his interest as an investor in true market disrupters. He enjoys mentoring startup founders and serving as an advisor.
