Palo Alto Networks Completes Its Platform Play With CyberArk Deal

Palo Alto Networks’ proposed $25 billion acquisition of CyberArk reflects the growing importance of identity management — and would fill a crucial gap in the Palo Alto Networks portfolio.

SOPA Images/LightRocket via Getty Images

On the heels of a new partnership with identity and access management leader Okta, Palo Alto Networks surprised the tech industry with its recent announcement to acquire identity stalwart CyberArk for an eye-opening $25 billion. If approved by regulators, this deal represents a massive combination of two highly successful and mature cybersecurity infrastructure providers. This opens up a discussion about the value of identity management, what this tie-up could produce both short and long term and how customers might benefit. With that context set, let’s dive in.

(Note: Palo Alto Networks is an advisory client of my firm, Moor Insights & Strategy.)

The Value Of Identity And Privileged Access Management

Identity and access management provides a critical control point that weaves together policy, provisioning and lifecycle management, ensuring that users are authenticated to specific resources while blocking the occurrence of malicious lateral movement across networks. Privileged access management takes identity frameworks to higher levels of security, infusing least-privileged-access and zero-trust principles to safeguard access to high-value digital assets. Together, IAM and PAM serve to reduce attack surfaces, secure session activity, improve security posture, provide audit trails and ensure compliance.

By all measures, identity is the new hack. It is estimated that an overwhelming majority of data breaches today are a result of stolen or compromised credentials. To address this challenge, a plethora of infrastructure providers including Cisco, CyberArk, IBM, Microsoft, Okta, SailPoint and others offer viable solutions. I have written about many of these companies in the past, highlighting their perceived strengths and weaknesses.

I seldom call out an absolute winner, but Palo Alto Networks’ decision to acquire CyberArk is interesting for two reasons. First, CyberArk has a strong reputation in PAM, as well as in securing identity across human users and machines. To this end, the company provides workforce password, secrets and endpoint privilege management. Second, CyberArk has experienced high annualized recurring revenue growth over the last two years, nearly doubling its top-line revenue to more than $1 billion at the end of last year. Given CyberArk’s portfolio depth and hypergrowth, it is not surprising that it would be attractive to Palo Alto Networks.

A New Category For Palo Alto Networks

Palo Alto Networks has become one of the largest cybersecurity infrastructure providers in the world. Many pundits, including myself, attribute the company’s achievements to a platform approach in delivering security services. I have written about this concept on many occasions, highlighting the power of a platform to consolidate disparate tools to address sprawl, improve security and networking operational efficiency and deliver optimized business outcomes. I also continue to spend considerable time with chief executive Nikesh Arora and his leadership team, and I appreciate their vision for the company to serve as a trusted advisor and provide the right balance of solutions that do not burden customers with a plethora of incremental licensing.

The timing of the company’s acquisition of CyberArk is not surprising to me. It represents a net-new category entry with significant revenue and profitability upside. Last year, the combined total addressable markets for IAM and PAM were estimated to be just shy of $25 billion. Palo Alto Networks should be able to capitalize and take market share based on a demonstrated history of category leadership realized through its organic solution development efforts and its history of successfully integrating acquisitions.

What I also like about the CyberArk acquisition is its potential to serve as a foundation for Palo Alto Networks’ Cortex AgentiX agentic AI framework — previewed at RSA Conference earlier this year — to manage agent and machine-to-machine interactions. The framework promises to provide enterprise-grade security, enable intuitive human-AI interaction and massively scale automation using AI. The company’s Prisma Access Browser also provides another layer of protection for the safe use of generative AI applications, ensuring that data is protected and that only sanctioned applications are used. In my RSA Conference event wrap-up piece this year, I highlighted my biggest takeaway that the provisioning and identity management of super agents and task agents represents one of the most important aspects of agentic AI’s adoption and longer-term success. This is an area where CyberArk’s expertise should be a big winner. By my estimation, Palo Alto Networks is well positioned to capitalize on that.

Grading The CyberArk Acquisition

The $25 billion acquisition of CyberArk represents a significant step forward to allow Palo Alto Networks to complete its cybersecurity platform play. CEO Arora points to three benefits of the transaction — accelerating the company’s platform strategy, disrupting the legacy IAM market and securing agentic AI. From my perspective, these are all reasonable assumptions and point to an opportunity for Palo Alto Networks to further its success and capitalize on the modern AI gold rush.

Moor Insights & Strategy provides or has provided paid services to technology companies, like all tech industry research and analyst firms. These services include research, analysis, advising, consulting, benchmarking, acquisition matchmaking and video and speaking sponsorships. Of the companies mentioned in this article, Moor Insights & Strategy currently has (or has had) a paid business relationship with Cisco, CyberArk, IBM, Microsoft, Okta and Palo Alto Networks.