Palo Alto Buys CyberArk for $25 Billion. What It Means for Identity Security.
Palo Alto Networks is buying CyberArk for $25 billion. Not for the firewalls. Not for network security. For identity.
The world's largest pure-play network security company is saying: "Identity is the missing piece in our platform." And they're willing to pay a 26% premium to close the gap.
Why is identity the new attack vector?
Identity is the attack vector in the overwhelming majority of real incidents because the rest of the security stack has been hardened first. Network controls, endpoint detection, and patching have all matured to the point where novel exploitation is expensive — but stolen credentials still work, phishing still works, mis-configured permissions still grant attackers everything they need. Attackers go where the marginal cost of success is lowest, and that has been identity for years now. The platform vendors are finally responding.
I've worked with identity security in Entra ID, Defender for Identity, and Sentinel for over three years. In almost every single engagement, identity is attack vector number one.
Not sophisticated zero-days. Not advanced malware. Stolen credentials. Phishing. Misconfigured permissions. That's what takes down organizations.
Palo Alto has figured this out. They've built a solid platform for network security, endpoint (Cortex XDR), cloud security (Prisma), and SASE. But they've been missing privileged access management, identity governance, and secrets management. CyberArk fills that gap.
Where the AiTM pattern fits
The SharePoint AiTM playbook is one concrete instance — the attack hinges on stealing a post-authentication session cookie, which is identity exploitation in its purest form. The control that breaks it (phishing-resistant FIDO2 + device-bound sessions) is fundamentally an identity control. That kind of identity-centric defence is exactly what Palo Alto can't do without CyberArk in the platform.
What does CyberArk actually bring to the table?
CyberArk is the market-leading privileged access management vendor, but the deal value is in the breadth — PAM, secrets management (Conjur), identity governance, and a workforce identity product all in one stack. Each piece is a credible standalone product, and the combined surface lets Palo Alto offer a single-vendor identity story to enterprises that today buy from three or four different identity vendors.
CyberArk is not a random acquisition. They're the market leader in privileged access management (PAM) and have built a strong position across:
- Privileged Access Management: vault, session recording, just-in-time access
- Secrets Management: Conjur, machine identities, DevOps integrations
- Identity Governance: lifecycle management, access certification
- Workforce Identity: SSO and adaptive MFA
They reported record revenue in 2025. ARR grew over 30%. This is not a company that got bought because it was struggling. It got bought because identity security is where the market is heading.
CyberArk vs Microsoft identity stack — coverage map
| Surface | CyberArk | Microsoft Entra |
|---|---|---|
| Azure / M365 roles | Via integration | Entra PIM (native) |
| Linux / Unix servers | PAM (strong) | Limited |
| Databases (Oracle, SQL, Postgres) | PAM (strong) | Limited |
| Network appliances (Cisco, Palo Alto) | PAM (strong) | None |
| OT / industrial systems | PAM | None |
| AWS / GCP consoles | PAM + governance | Federation only |
| Application secrets / API keys | Conjur (strong) | Key Vault (single-cloud) |
| Workforce SSO + adaptive MFA | Yes | Entra ID (strong) |
What does this mean for Microsoft customers?
For Microsoft-stack customers the deal creates two new conversations: a coverage conversation (CyberArk reaches surfaces Entra does not) and a strategy conversation (do we want a single-vendor Microsoft identity stack, or a defence-in-depth model where Palo Alto + CyberArk handles the long tail Microsoft does not natively cover?). The right answer depends on hybrid surface area — pure-Azure shops see less marginal value; multi-cloud or OT-heavy shops see a lot.
Microsoft has Entra ID for identity, Defender for Identity for threat detection, and Privileged Identity Management (PIM) for privileged access. Solid foundation. But with limitations.
Entra PIM handles Azure and Microsoft 365 roles. CyberArk handles everything else: Linux servers, databases, network equipment, OT systems, cloud consoles outside Azure. Most enterprises are hybrid, and in a hybrid world you need both.
The question is whether Palo Alto will now build a platform that competes directly with Microsoft's identity stack, or position themselves as a complementary layer for everything Microsoft doesn't cover.
Based on what I'm seeing in the market, I'd bet on both. They'll build integrations with Entra ID (they already have XSOAR connectors), but they'll also offer an alternative for organizations that don't want all their identity eggs in the Microsoft basket.
The consolidation wave
Palo Alto + CyberArk isn't isolated. Look at what's happened in the past year:
- Google bought Wiz for $32 billion (cloud security)
- Cisco is integrating Splunk (SIEM + observability)
- CrowdStrike is building out identity modules internally and acquired SGNL for AI agent identity ($740M)
The big platforms want to own the entire security surface. Network, endpoint, cloud, identity, data, all in one console.
For security teams, this means simpler operations: fewer vendors, fewer integrations, fewer consoles. But it also means vendor lock-in, higher switching costs, and less freedom of choice.
I've done assessments for 40+ organizations, and most don't struggle to find the right tool. They struggle to use the tools they already have. A consolidated platform play from Palo Alto doesn't solve that problem. It can make it worse if the implementation doesn't keep up.
What should I do now?
Three concrete steps if this feels relevant to your environment: map the privileged identity surface across everything (not just Azure), evaluate PAM independent of vendor (CyberArk vs Microsoft PIM vs BeyondTrust vs Delinea — the right answer is the one that produces actual risk reduction in your environment), and watch the integrations between Cortex XSIAM/XSOAR and CyberArk over the next 12-18 months because that's where tightly-coupled identity-driven response becomes possible.
1. Map your identity surface. Not just Entra ID. Where do you have privileged accounts? Service accounts? Secrets in code? Machine identities? Most organizations have 3-5x more privileged identities than they think.
2. Evaluate your PAM needs independent of vendor. Whether you end up with CyberArk (soon Palo Alto), Microsoft PIM, BeyondTrust, or Delinea matters less than actually having control over privileged access. Start with whatever gives you the most risk reduction.
3. Watch the integrations. When Palo Alto integrates CyberArk into Cortex XSIAM and XSOAR, it could enable identity-based response more tightly coupled with network and endpoint data. Automatic lockout of compromised accounts, secrets rotation. That could be powerful. But it's going to take 12-18 months.
The bottom line
$25 billion is a message to the entire security industry: identity is at the core of everything.
For those of us who've worked in identity security for years, this is validation. For those still treating IAM as an IT project rather than a security measure, it's a warning.
Palo Alto is betting that the security platform of the future starts with "who are you?" before it asks "what are you doing?" That's a bet I think they win. The same thesis is what drives the new investment in AI agent identity — see the AI agent identity crisis post for the part of the story where machine identities outnumber human ones 82-to-1 and most enterprises can't tell agents from legacy service accounts.
Key takeaways
- Identity — not network or endpoint — is now the most common attack vector in real incidents.
- Palo Alto pays a 26% premium for CyberArk because the missing piece in their platform is privileged access, secrets, and identity governance.
- CyberArk's PAM covers the hybrid surface (Linux, databases, network gear, OT, non-Azure clouds) where Entra PIM does not reach.
- Microsoft customers gain optionality — but also have to make a real architecture decision about how much identity to keep in the Microsoft stack.
- This is the third major identity-security move in 12 months — alongside Google/Wiz and CrowdStrike/SGNL — pointing the industry at the same conclusion.
FAQ
Why is Palo Alto buying CyberArk?
Palo Alto has built a strong platform across network security, endpoint (Cortex XDR), cloud security (Prisma), and SASE — but it has not had a credible privileged access management, identity governance, or secrets management story. CyberArk fills all three gaps with a market-leading PAM product, Conjur for secrets, and a mature workforce identity stack. At a 26% premium and reported $25B price tag against CyberArk's 2025 ARR (which grew over 30%), the deal closes Palo Alto's platform without forcing a multi-year internal build.
How is CyberArk different from Microsoft Entra PIM?
Entra Privileged Identity Management governs Azure roles, Microsoft 365 roles, and Entra-integrated apps. CyberArk governs everything else — Linux servers and root accounts, database admin credentials, network appliances, OT systems, and cloud consoles outside Azure (AWS, GCP, Oracle). In a hybrid enterprise that runs more than one cloud or any meaningful on-prem footprint, the two products overlap in less than half of what either covers — most real enterprises need both.
What does the deal mean for Microsoft-stack customers?
Two practical implications. First, optionality — Palo Alto + CyberArk becomes a credible single-vendor alternative for organisations that don't want their entire identity stack inside Microsoft. Second, integration pressure — Palo Alto already has XSOAR connectors into Entra, and a deeper CyberArk + XSIAM integration could make cross-platform identity response (automatic Conditional Access lockout, secrets rotation triggered by Defender XDR alerts) genuinely tight inside the next 12-18 months.
Is the consolidation wave a good thing for security teams?
It cuts both ways. The upside is simpler operations — fewer vendors to manage, fewer integration projects, fewer consoles to learn. The downside is vendor lock-in, higher switching costs, and less competitive pressure on individual products. For most teams the limiting factor is not 'which tool' but 'do we actually use the tools we already have?' — and a platform-consolidation play does not solve that, and can in fact make it worse if rollout outruns operational maturity.
What is CyberArk Conjur and why does it matter?
Conjur is CyberArk's secrets management product — a vault for the API keys, database credentials, certificates, and machine-identity credentials used by applications, CI/CD pipelines, containers, and (increasingly) AI agents. In an environment where machine identities outnumber human identities roughly 82 to 1, a credible secrets-management story is no longer optional. Conjur's relevance grows in lockstep with the [AI agent identity problem](/blog/ai-agent-identity-crisis-security) — every new agent is a credential consumer.
What other identity-security M&A is happening in 2026?
The Palo Alto / CyberArk deal sits inside a larger pattern. Google bought Wiz for $32 billion (cloud security with strong identity-graph features). Cisco is integrating Splunk for SIEM plus observability. CrowdStrike acquired SGNL for $740M, explicitly for AI agent identity governance. The thesis across all four moves is the same — identity is at the centre of the modern security platform, and the platforms competing for that centre are willing to pay heavily to own it.