Overview
CyberArk Privileged Access Manager is the long-standing market leader for privileged access management. The product combines a tamper-resistant credential vault, session isolation through the Privileged Session Manager, application credential delivery for non-human accounts, and threat analytics that detect anomalous use of privileged credentials. CyberArk is sold both as a self-hosted suite and as a SaaS offering branded Privilege Cloud.
CyberArk dominates regulated industries — particularly banking, government, and energy — where it is often a mandated control for compliance with PCI DSS, SOX, NERC CIP, and the EU's NIS2 directive. The platform is recognised as a Leader in the Gartner Magic Quadrant for Privileged Access Management every year since the category was created. CyberArk has expanded beyond traditional PAM into a broader Identity Security Platform that covers workforce identity (CyberArk Identity), endpoint privilege management, secrets management for DevOps, and cloud entitlements (Cloud Entitlements Manager).
Key Features
- Enterprise Password Vault (EPV) with FIPS 140-2 cryptography
- Privileged Session Manager (PSM) with full session recording and live monitoring
- Central Policy Manager (CPM) for automated credential rotation
- Application Access Manager for non-human secrets retrieval
- Privileged Threat Analytics with behavioural anomaly detection
- Just-in-time access with adaptive policies
- Endpoint Privilege Manager for Windows, macOS, and Linux
- Secrets Manager for DevOps tools (Conjur, Conjur Cloud)
- Cloud Entitlements Manager for AWS, Azure, and GCP IAM
- Native integration with leading SIEM, IGA, and ITSM platforms
- Privilege Cloud SaaS offering with multi-region availability
- Comprehensive certification portfolio (Common Criteria, FedRAMP, ISO 27001)
Pricing
| Edition | Model | Typical Cost |
|---|---|---|
| CyberArk Privilege Cloud | Per privileged account / year | Custom (annual median ~$30K / 100 accounts) |
| Self-Hosted PAM Suite | Perpetual + maintenance | From $150K + 20% maintenance |
| Endpoint Privilege Manager | Per endpoint / year | Custom quote |
| Secrets Manager (Conjur) | Per secret / API call tier | Custom quote |
Pricing verified from third-party reseller data May 2026. CyberArk publishes no list price; enterprise deals typically range from $150K to $2M+ annually. Customers can negotiate 20–30% off list with 3-year commitments and bundled modules.
Strengths
- Most complete privileged access feature set in the market, particularly for legacy Windows and Unix estates
- Recognised Leader in the Gartner MQ for PAM in every consecutive evaluation
- Mature ecosystem of certified partners and a large pool of skilled consultants
- Comprehensive compliance and audit coverage for regulated industries
- Tamper-resistant vault architecture remains a differentiator versus newer entrants
- Conjur secrets management is widely adopted in DevOps and Kubernetes workflows
Limitations
- Implementation is complex; projects routinely require 6–18 months and specialist consultants
- Total cost of ownership is the highest in the category — enterprise deployments commonly exceed $1M annually
- Self-hosted upgrades remain disruptive; many customers run 2–3 versions behind
- Administrative UX is dated compared to newer cloud-native PAM entrants like Teleport or HashiCorp Boundary
- Pricing model is opaque; customers must negotiate without published list prices