Vaulting to success

Let's close out Cybersecurity Month with a two-part deep dive on CyberArk, its major transitions, and its evolution in the Identity Security market. This will be of interest to direct competitors like Okta and Microsoft, as well as next-gen security companies in the Zero Trust ecosystem like Zscaler, Cloudflare, Palo Alto, CrowdStrike, SentinelOne, and Rubrik – especially those providing ITDR and Zero Trust access to infrastructure.

Part 1 looked at the bundling and M&A happening across the Identity Security space, how Okta's stumbles left the door open for competitors to catch up, and CyberArk's major business & product transitions across FY20-22.

Now let's take a closer look at CyberArk financials and products.

πŸ‘οΈβ€πŸ—¨οΈ
This post was originally published in October 2024 (Cybersecurity Awareness Month!) as part of my Premium service. This was part of a series that walked through the recent developments & potential across the XDR, CNAPP, and SIEM markets, in addition to Identity.

Since then, I've covered CyberArk's Q3 results and discussed them on the premium podcast with Francis from the Software Analyst Cyber Research blog (along with CrowdStrike's big incident and their move into SIEM). I'll soon be catching up on their Q4/Q1 results, IR day, and product moves, as well as compare them to Okta and Sailpoint (back to being a public company).

Join Premium for insights like this every week across AI & ML, Data & Analytics, Next-Gen Security, DevOps, SaaS platforms, and the hyperscalers. I've recently covered Cloudflare's last year of GTM improvements and Workers/AI moves, Rubrik's Q1 earnings and market shifts, Samsara's Q1 earnings, NVIDIA's GTC and Q1 earnings, Axon's Q1 earnings and market shifts, and looked at rising Federal headwinds across NVIDIA (China AI chip ban), IoT stacks like Axon & Samsara, and cybersecurity platforms like CrowdStrike, Zscaler, Palo Alto, Cloudflare, CyberArk, Okta, & Rubrik.
  • Having successfully emerged from their major transitions across FY20-22, CyberArk is now one of the fastest-growing identity players, and is steadily returning to its former profitability levels. The market has noticed their improvements, and they are now up +80% over the past year, and +31% YTD [as of Oct-24].
  • Subscription ARR is growing +50% thanks to the ongoing momentum in their managed SaaS platform. Subscription is now 71% of the business (and 78% of ARR). [Fast forward to Jun-25, Subscriptions are now 78% of revenue and 84% of ARR.]
  • Profitability has been drastically improving over the last year, and they are on the cusp of returning to GAAP net profitability.
  • They are now shifting their GTM and modular platform to hone it around specific needs within several identity use cases across organizations, including workforce, IT, developer, and machine identities (NHI).
  • They have a wide variety of pricing techniques (per-user, per-host, per-deploy size, and per-machine identity). While per-user products (workforce IAM) might get impacted during mass layoffs amid macro concerns, cloud workloads & app-to-app intercommunication are driving a huge amount of growth in machine identity – which will see further tailwinds from the rise of agentic AI. They just made a major acquisition in this direction.
  • There are hints of weakness showing in their self-hosted side of subscription revenue, and it remains lumpy and seasonal. But looking forward, they should not only have a seasonally strong Q4 this coming February (as hinted at in their FY guide), but will get a boost from the new acquisition on both the top and bottom lines. GTM seems ready to cross-sell too, so they should start seeing some tailwinds quickly from there.
  • Growth drivers from here include continued international push, the rise of machine identity (and agentic AI), and the continued importance of identity across SASE, XDR, and CNAPP.

Part 1: Identity Moves

  • Identity landscape
  • Okta's stumbles
  • CyberArk basics

Part 2: Vaulting to success

  • A walk through CyberArk's financials
  • Product shifts & acquisitions
  • GTM shift
  • The rise of machine identities
  • Final thoughts

Financial picture

I find that CyberArk emerged as a much stronger company after its 3 major transitions in FY20-22, and the financials started looking a lot better in FY23 onward. The market noticed – they are up +80% over the past year, and +31% YTD with a $12.2B market cap. [This was back in October 2024. As of June 2025, they are up +51% over the past year and +16% YTD with a $19.5B market cap.]

CyberArk has always had a lot of seasonality in its license model, and its self-hosted portion has inherited some of that – I recommend looking at TTM metrics overall. Q4 was always the strongest Q, and Q1 then the weakest (seq drop). That has been lessening as SaaS has grown into nearly half the business today. I include 2 years of past metrics in the tables below (requiring you to scroll them horizontally) to get a picture of their massive transition.

Top line morphing into recurring revenue

Metric Q222 Q322 Q422 Q123 Q223 Q323 Q423 Q124 Q224
Revenue $142.3M $152.7M $169.2M $161.7M $175.8M $191.2M $223.1M $221.6M $224.7M
... YoY +21.4% +25.6% +11.8% +26.8% +23.6% +25.3% +31.9% +37.0% +27.8%
... QoQ +11.6% +7.3% +10.8% -4.4% +8.7% +8.8% +16.7% -0.7% +1.4%
TTM YoY growth +12.8% +15.7% +17.7% +20.9% +21.5% +21.6% +27.1% +29.7% +30.5%

As a sign of their transition being complete, recurring revenue is now $208M, or 92% of revenue vs the 50% seen 4 years ago. This has been driven by the growth in Subscription Revenue, especially in their fully managed SaaS offering. However, this metric also includes the ongoing maintenance contracts for the remaining licensed customers. I think it's better to track Sub Revenue and its breakouts (SaaS and Self-Hosted) in the IR slides.

TTM Revenue growth has been steadily rising over the past 2 years, after it went heavily negative in FY20 and into FY21 during their big transitions. Since Q421, TTM growth has been reaccelerating. But it took over 2 years until they saw TTM revenue surpass its previous high (the $650M in TTM revenue in Q120 was finally beaten in Q223), and they've continued to re-accelerate in the year since. Q4 hit +32%, and Q1 accelerated further to +37% – and while Q2 fell a bit from there, the TTM finally hit +30%.

Their seasonality is lessening. As an example, after their strong Q4, the past 2 years have seen their Q1 guide signal a -3% seq drop. Their recent Q124 reported a -0.7% seq drop – so while still seasonal, this improved over the -4% seq growth seen the year prior, and is drastically improved over the -22% seq drop they saw 3 years prior!

However, Q2 then showed some surprise weakness after the always seasonally weak Q1. Thankfully, their Q3 guide expects a rebound to +5.0% seq growth. Despite this hiccup, they increased FY guide +$5M to +25.3%. Their Q3 and FY guides signal an okay Q3 and their typically strong Q4.

They mostly sell into the US (49%) and EMEA (32%). In Q2, the US grew only +21% while EMEA and APJ both grew ~40%. (Note that while they are an Israeli company, <7% of their revenue comes from Israel.) Government (across US Federal, state, and local, as well as international) represents ~10% of ARR. They are still having success internationally (and continued runway).

Metric Q222 Q322 Q422 Q123 Q223 Q323 Q423 Q124 Q224
Sub Rev $66.0M $74.3M $88.5M $92.7M $106.2M $122.9M $150.3M $156.2M $158.4M
... QoQ +27.0% +12.5% +19.1% +4.8% +14.5% +15.7% +22.3% +4.0% +1.4%
... % of Rev 46% 49% 52% 57% 60% 64% 67% 71% 71%
SaaS Rev $38.0M $44.0M $52.0M $62.0M $69.0M $79.0M $88.0M $100.0M $109.0M
... QoQ +18.8% +15.8% +18.2% +19.2% +11.3% +14.5% +11.4% +13.6% +9.0%
... YoY n/a n/a n/a +94% +82% +80% +69% +61% +58%
Self-hosted Rev $28.0M $30.0M $36.0M $31.0M $37.0M $44.0M $62.0M $56.0M $49.0M
... QoQ +40.0% +7.1% +20.0% -13.9% +19.4% +18.9% +40.9% -9.7% -12.5%
... YoY n/a n/a n/a +55% +32% +47% +72% +81% +32%

Subscription revenue grew +49% to $158M in Q2, and is now 71% of revenue (vs 60% a year ago, and 46% 2y ago). However, its seq growth has slowed significantly over the last 2Qs due to some weakness in self-hosted.

They started breaking out SaaS vs self-hosted revenue in FY22. Their fully managed SaaS revenue was $109M, growing +58% or +9% sequentially. Seq growth levels have dropped from high teens to low teens over FY22 to FY23, and now sits at +9%. It is now 49% of revenue (vs 39% a year ago, and 27% 2yr ago). Mgmt mentioned that SaaS is 80% of bookings in the US, and 70% overall.

Self-hosted is their enterprise subscription that is self-managed by customers in either on-prem or cloud environs, and includes maintenance within the subscription. Despite being subscription-based, this segment seems to have inherited the lumpiness of their former license model (strong Q4, weak Q1).

After hitting a record $62M revenue in Q4 with a record +$18M net new (for an extremely strong +72% YoY growth or +40% seq), it has dropped over the 2Qs since (to now +32% YoY or -12.5% seq). So the recent weakness in Sub Rev seq growth was here. The sequential drop in Q1 was expected due to that quarter's seasonality after the extremely strong Q4, but the seq growth dropped again in Q2. Even looking at the seq growth in TTM revenue doesn't smooth it out much – seq growth just hit a low of +6% after being +17.6% in Q4.

While they like to note that recurring revenue is now 90%+ of the business, that masks things a bit – the license part of the business isn't quite out of the picture yet. The revenue from new license sales is now a sub-2% part of the business (telling us they are not selling it much anymore), but as seen in the continued maintenance contracts (for upgrades and support), there is clearly a sizable subset of customers that haven't upgraded from perpetual license to subscription, who seem content to just ride on an ongoing support contract.

By combining License and Maint segments (the flip side of Sub Revenue), we can see that the License part of the business is really still at ~29% of the revenue and dropping (vs 40% last year). The Maintenance segment (of those Licensed customers) & ProSvcs have been fairly flat (mid $60Ms in revenue every Q), and is now finally starting to droop over the last year. Mgmt has noted it will continue to drop off from here. [As I noted above, maintenance contracts for Self-Hosted are a subscription included in Sub Revenue.]

Hopefully, the CFO will switch the outdated Income Statement breakouts at some point to better reflect the model shift. They should give us breakouts on SaaS and Self-hosted (instead of having to tell us in IR slides), and combine License and Maint from here as it continues to retreat in the mix. [Unsurprisingly, the License & Maint sides were later combined as of Q126. However, they continue to break out the SaaS and Self-hosted sides of Sub Rev only in the slides.]

Metric Q222 Q322 Q422 Q123 Q223 Q323 Q423 Q124 Q224
ARR $465M $512M $570M $604M $653M $705M $774M $811M $868M
... YoY +47.6% +48.8% +45.0% +41.5% +40.4% +37.7% +35.8% +34.3% +32.9%
... net new TTM +$150M +$168M +$177M +$177M +$188M +$193M +$204M +$207M +$215M
Sub ARR $255.0M $301.0M $364.0M $403.0M $451.0M $504.0M $582.0M $621.0M $677.0M
... QoQ +16.4% +18.0% +20.9% +10.7% +11.9% +11.8% +15.5% +6.7% +9.0%
... % of ARR 55% 59% 64% 67% 69% 71% 75% 77% 78%

Despite the stumble in self-hosted revenue, the rest of the topline in Q2 was impressive. ARR rose +33% in the latest Q after adding +$57M net new – a record for a non-Q4. TTM net new continues to creep up, rising +14% over the past year to +$215M. Subscription ARR grew +50% to $677M, with it rising from 55% to 69% to now 78% of ARR over the past 2 years. Maintenance contracts for licensed customers are the other component of ARR – which, again, is diminishing from here.

RPO grew +33.5% to $1004M, with cRPO representing 60% of it. As of Q423, cRPO was growing +36%. [RPO is typically only reported in the FY report (20-K), but they included 1H financial details in a recent 6-K disclosure when their Venafi acquisition closed.]

Bottom line returns to positive

CyberArk was highly profitable before FY20, but the top and bottom line were both in turmoil during its transitions over FY20-22. They have now emerged from it, and are starting to march back towards those profitability levels they had at the start of FY20. The last 4 quarters have shown a marked improvement in profitability metrics. Over the last 2 years, Q1 seems to be seasonally weakest in op margin, and Q2 the weakest in FCF. (All numbers below are non-GAAP.)

Metric Q222 Q322 Q422 Q123 Q223 Q323 Q423 Q124 Q224
Op Margin -7.5% -2.6% 2.4% -7.8% -3.2% 8.8% 15.6% 14.9% 10.6%
Op Margin TTM -1.1% -1.8% -3.8% -3.7% -2.7% 0.4% 4.5% 9.7% 12.6%
FCF margin TTM 5.0% 6.8% 6.3% 2.9% 3.3% 3.1% 6.8% 14.0% 19.6%
Rule of 40 TTM 17.8 22.5 23.9 23.8 24.8 24.7 33.9 43.7 50.1

They are steadily non-GAAP op profitable, and about to be steadily GAAP net profitable (last seen in Q320).

  • They were hitting GAAP op and net profitability in FY19-20 but retreated heavily in FY21-FY22 as they restructured. Non-GAAP op margin has swung back to positive over the last 4Qs. GAAP operating margin is still far from positive, but improving.
  • They've also been GAAP net profitable for 2 of the last 3Qs, and non-GAAP net profitable for 6 of the last 7Qs. I hope to see them hit GAAP net profitable in FY24.
  • Op margin guidance for FY24 started at 9.0%, but has been increased over Q1-Q2 to now 12.4%.
  • After hitting 41% FCF in Q419, it heavily worsened over FY20-FY22 as they restructured. This culminated in a low point in TTM FCF margin during Q1-Q323 of ~3% that they've been rebounding off since. They have now risen back to ~20% TTM margins, thanks to the 30% margin delivered in their seasonally strong Q4.
  • The FCF guidance for FY24 was raised +$30M in Q1 and Q2, rising FCF margin guide from 10% to 16%. Given that TTM FCF margin is ~20% now, it suggests it might ease from here.
  • They finally returned to Rule of 40 (TTM) in Q1, and rose further in Q2, doubling over the past year from 25 to 50.
  • Gross margin has also seen a positive inflection over the last 3Qs, to now sit at 83.7% TTM.

They are vague about the overall customer KPIs, but have reported over the last 2Qs as having over 8800 customers, after adding +245 net new in their latest Q. This includes 1900 customers >$100K (22% of base), and 340 customers >$500K (growing +38%). This includes >55% of Fortune 500 and >35% of the G2K.

πŸ‘οΈβ€πŸ—¨οΈ
I am now making my Security Cheat Sheet available for all readers! This provides quick definitions for the many security acronyms used across next-gen security press releases and product announcements, including XDR, CNAPP, SIEM, IAM, IGA, PAM, Zero Trust, SASE, and more.

Product Shifts

As mentioned before, Privileged Access Mgmt (PAM) is an identity security tool that helps an organization manage and oversee the administrative rights (aka permissions or privileges) granted to user identities across all enterprise systems (servers, workstations, laptops, cloud resources, services, tools, etc). There are 2 key features at play in PAM:

  • Privileged Account and Session Management (PASM): a more traditional PAM that manages the pre-assigned elevated permissions (standing rights) of sysadmin identities across systems
  • Privileged Elevation and Delegation Management (PEDM): a Zero Trust-oriented PAM that keeps all access rights minimal (zero standing), where users then have to request to elevate permissions as needed on a time-limited basis

CyberArk sells these complementary features to customers based on how that organization's ITOps likes to manage administrative access to its systems (traditional vs Zero Trust). From that base, CyberArk has continued to advance PAM features over the years, as they morphed from managing on-prem servers & services to cloud resources. Some of the other Zero Trust-oriented product features in their PAM include:

  • Just-in-time (JIT) access features allow the PAM to become a proxy service for real-time access, where ITOps users have to request the ability to gain direct administrative access to remote systems, which is given via an ephemeral password for time-limited access.
  • Vendor Privileged Access is their PAM tool that allows remote workers and 3rd party vendors to request JIT administrative access to protected systems and cloud environments. (This can also be known as Remote or B2B Privileged Access.)
  • App Gateway is their tool for accessing legacy apps like SAP, Sharepoint, and Oracle, as a VPN replacement for customers that haven't already adopted a fuller SSE/SASE product. [Okta added this feature when it acquired ScaleFT, but never really exploited it fully until making its new PAM product.] Note: This is an area that could ultimately get disrupted by SSE/SASE platforms.
  • Secure Web Sessions is their PAM tool for secure & governed administrative access into protected SaaS apps. This monitors and governs sysadmin sessions within enterprise tools like IAM (Entra ID, Okta), productivity tools (MS365, Google Workspace), and CI/CD pipelines (Jenkins), via session recording in the browser for security monitoring and audit trail. This is likely very appealing to regulated industries and companies that need high levels of audit & compliance.
  • Endpoint Privilege Manager (EPM) is an ITOps tool to manage administrative access rights on local Windows, Mac, and Linux systems (such as workstations and servers) through an installed agent. This includes Secure Desktop, where their PAM & IAM (SSO/MFA) are used to control access to desktop machines, and local admin rights are then provided via JIT access. [Okta added a similar feature called Device Access in Jun-23, and announced at Oktane this month a coming advanced version called Extended Device Access that is expected to go beta in Q1 2025.]
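As an added illustration of the PASM vs PEDM distinction and the JIT flow described above (not CyberArk's code; every class and function name here is an assumption), this toy Python privilege store holds standing admin rights beside time-limited elevations, issues a constructed ephemeral credential on a JIT request, expires grants, and reports which rights never expire.

```python
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

MAX_JIT_TTL = timedelta(hours=4)  # assumed policy cap on any single elevation
T0 = datetime(2024, 10, 1, 9, 0, tzinfo=timezone.utc)  # constructed reference time


def later(minutes: int) -> datetime:
    """Constructed clock: T0 plus the given number of minutes."""
    return T0 + timedelta(minutes=minutes)


@dataclass
class Grant:
    identity: str
    target: str
    role: str
    expires_at: Optional[datetime]  # None marks a standing (PASM-style) right
    reason: str = ""


@dataclass
class PrivilegeStore:
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)

    def add_standing(self, identity: str, target: str, role: str) -> Grant:
        """PASM style: a pre-assigned right that persists until explicitly revoked."""
        g = Grant(identity, target, role, None)
        self.grants.append(g)
        self.audit.append({"event": "standing_grant", "identity": identity,
                           "target": target, "role": role})
        return g

    def request_jit(self, identity: str, target: str, role: str, reason: str,
                    now: datetime, ttl: timedelta = timedelta(minutes=30)):
        """PEDM style: zero standing rights. Elevation needs a justification and a
        bounded TTL, is recorded for audit, and returns a one-time credential that
        stands in for the ephemeral password a JIT proxy would hand out."""
        if not reason.strip():
            raise ValueError("JIT elevation requires a justification")
        if ttl <= timedelta(0) or ttl > MAX_JIT_TTL:
            raise ValueError(f"TTL must be within (0, {MAX_JIT_TTL}]")
        g = Grant(identity, target, role, now + ttl, reason)
        self.grants.append(g)
        ephemeral = secrets.token_urlsafe(24)  # constructed stand-in credential
        self.audit.append({"event": "jit_grant", "identity": identity, "target": target,
                           "role": role, "expires_at": g.expires_at.isoformat(),
                           "reason": reason})
        return g, ephemeral

    def is_authorized(self, identity: str, target: str, role: str, now: datetime) -> bool:
        """A standing right is always valid; a JIT grant only until it expires."""
        return any(
            g.identity == identity and g.target == target and g.role == role
            and (g.expires_at is None or now < g.expires_at)
            for g in self.grants
        )

    def standing_rights(self) -> list:
        """Rights that never expire: the surface PEDM is meant to shrink to zero."""
        return [g for g in self.grants if g.expires_at is None]

    def expire(self, now: datetime) -> int:
        """Drop elapsed JIT grants and record how many were removed."""
        before = len(self.grants)
        self.grants = [g for g in self.grants
                       if g.expires_at is None or now < g.expires_at]
        removed = before - len(self.grants)
        if removed:
            self.audit.append({"event": "expired", "count": removed, "at": now.isoformat()})
        return removed


def demo() -> dict:
    """Walk one host through both models with constructed identities."""
    store = PrivilegeStore()
    store.add_standing("alice", "db-prod-01", "root")  # legacy standing right
    _, pwd = store.request_jit("bob", "db-prod-01", "root", "INC-1234 disk full", T0)
    return {
        "standing_ok": store.is_authorized("alice", "db-prod-01", "root", later(600)),
        "jit_ok_now": store.is_authorized("bob", "db-prod-01", "root", later(10)),
        "jit_ok_after": store.is_authorized("bob", "db-prod-01", "root", later(31)),
        "standing_count": len(store.standing_rights()),
        "expired": store.expire(later(31)),
        "password_len": len(pwd),
        "audit_events": [e["event"] for e in store.audit],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```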

Two more recent features have been added that help differentiate their platform:

  • Secure Browser was announced in Mar-23 and went GA in Mar-24. This provides customers with a secure enterprise browser with embedded IAM (SSO/MFA) capabilities for securely accessing applications and tools. This browser also supports Secure Web Sessions for monitored and recorded sessions as SaaS tools are accessed. CyberArk has created its own Zero Trust enterprise browser based on Chromium (which underlies Google Chrome and Microsoft Edge). Proofpoint recently became a partner here to include its email security in the browser. [This will compete with Google's new Chrome Enterprise Premium enterprise browser that was announced at Google Cloud Next in Apr-24 (which Okta and Zscaler both partner with), as well as remote browser (RBI) features in SSE/SASE platforms like Zscaler, Palo Alto, and Cloudflare.]
  • Secure Cloud Access was announced in Mar-24 as a tool in their CIEM to protect and govern admin access into cloud services. This protects, records, and audits web console & API access to cloud services, allowing DevOps users and CI/CD tools to request JIT administrative access in order to create and manage cloud resources and app stacks.

As mentioned before, during its major business model transitions, CyberArk also underwent a major platform shift into IAM, IGA, CIEM, and ITDR. Like Palo Alto (in CNAPP and SASE), they moved quickly in these directions thanks to a few key acquisitions.

  • They acquired Conjur in 2017 to add in DevOps-focused Secrets Mgmt (typically called a "vault"). This expanded them from ITOps to DevOps, with a tool for both IT & DevOps teams to track and manage the service accounts utilized across systems, services, apps, and API interconnections. Competitors here include HashiCorp Vault (acquired by IBM), as well as cloud-native services within AWS (Secrets Mgr), Azure (Key Vault), and GCP (Secret Mgr).
  • They acquired IDaptive in May-20 to add a number of capabilities across IAM, SSO, MFA, UEBA, and endpoint privilege mgmt. This marked a huge shift, where CyberArk started moving towards established IAM competitors like Okta, Ping ID, and Microsoft Entra. This also added 2000 customers, and support for hundreds of SSO integrations.
  • They acquired Aapi.io in Mar-22 to bolster their identity lifecycle mgmt features (a big part of IGA), which soon turned into their Identity Flows no-code automation tool.
  • They acquired C3M Cloud Control in Aug-22 to bolster their cloud service governance (CIEM) & real-time threat detection (ITDR) features. CIEM is a way to govern and monitor identity permissions within cloud resources (a honed mix of IGA & PAM capabilities). This was heavily extended this year with their Secure Cloud Access feature just mentioned above.
  • They just acquired Venafi from Thoma Bravo earlier this month, to shift their Secrets Mgmt deeper into certificate & key (PKI) lifecycle mgmt – allowing them to go deeper into machine identity mgmt. This acquisition doubles their capabilities in machine identity.
A look at the various security capabilities within their Identity Security platform. Threat analytics (ITDR) is at the core, IAM in the inner ring, PAM in the middle hexagon (blue), and IGA in the outer ring (black) – with AI and ecosystem around it all.

At their annual IMPACT conference in May, they announced CORA AI and their revamped AI-driven threat detection (ITDR, backed by CORA AI). These are being infused throughout the platform, and both contributed to several platform enhancements. Most of note: they added features to continuously monitor the health and risk levels in IAM, improved passwordless access to endpoints, and expanded JIT access to database services and cloud CLI & console interfaces. They also announced the Venafi acquisition [more on that in a bit], and an ongoing effort to unify their platform's UX around personas.

They have also recently become a trusted provider in the Cloud Security Alliance (CSA) that publishes cloud security best practices around Zero Trust – joining security players like Okta, CrowdStrike, SentinelOne, Zscaler, and Palo Alto. I hope to see them continue to expand their tech alliances and integrations, as Okta is way ahead here.

GTM shift

After all those announcements and acquisitions, this former point solution is now a complete Identity Security platform across IAM, IGA, PAM, and ITDR – exactly where Okta, Microsoft, Sailpoint, PingID, and other platforms have been heading. To differentiate themselves from here, they are now positioning their platform as a set of tools that combine into solutions around specific personas across the workforce, IT, developers, and machines.

From an October 6-K filing after the Venafi acquisition: "In early 2024, we began selling solutions centered around solving critical customer security challenges for every type of identity: workforce, IT, developers and machines. We have taken our platform capabilities and designed solutions delivered through the CyberArk Identity Security Platform, which includes capabilities around privileged access management, access management, secrets management, endpoint privilege security, secure cloud access and identity governance and administration. The solutions are offered through a simplified packaging and pricing model, facilitating a more efficient buying process and enhancing our ability to secure a broader range of identities within our customers’ employee base. The solutions will also make it easier for our customers to buy the capabilities they need to secure every identity across the organization."
A look at how they view the 4 core personas in their Identity Security service, which have increasing complexity. Developers are considered the highest risk, as they have access to underlying code, software supply chain, and critical production app stacks.

Now that they are a full Identity Security platform, they have been shifting their GTM focus towards the protection of and use cases around specific types of identity personas, and have built more honed solutions atop their various capabilities within IAM, IGA, PAM, CIEM, EPM, ITDR, and Secrets Mgmt product lines – instead of selling these all as separate products or add-ons. I like this move, as it focuses more on adoption of the platform and the overall expansion of identities protected, rather than getting customers involved in the minutia of what individual products are needed across these needs, or complicated product/pricing combinations, or charging for every new module (like Okta). Mgmt noted in Q224 that ~50% of new customers land with 2+ solutions.

🙄
Note: The entire block of text below is from the "Subscription Revenues" definition. However, it makes heavy mention of "licensed" – but that just seems to be a poor choice of word given their major transition. It's probably best to just mentally substitute "priced" where it reads "licensed". Methinks I'll point this confusion out to IR.
Later in that October 6-K filing: "Subscription revenues include SaaS and self-hosted subscription revenues, as well as maintenance and support services associated with self-hosted subscriptions. Historically, our subscription revenues have been generated primarily from sales of our Privileged Access Manager (Privilege Cloud and self-hosted), Endpoint Privilege Manager, Secrets Manager, Vendor Privileged Access Manager, Workforce and Customer Access, Secure Cloud Access and Identity Management. In 2024, we shifted to selling solutions and began generating revenue from solutions to secure IT identities, workforce identity, Developer identities and Machine identities.

An increasing percentage of our business is coming from our SaaS offerings, which have ratable revenue recognition, increasing our total deferred revenue that will be recognized over time. Our SaaS and self-hosted subscriptions represented 71% of our total revenues during the six months ended June 30, 2024, and we expect our subscription revenues to continue to grow in the near and long term. Sale of our IT, Workforce and Developer solutions are licensed per user through standard and enterprise packages. Endpoint Privilege Manager is licensed by target system (workstations and servers). For Machine identities, we have packages, one aimed at being a starting point with a minimum number of workload identities, and the second one with add-on of any additional workload identities. Secrets Manager has two different licensing approaches based on the types of applications being secured. The first is licensed by agent for mission-critical and static applications, and the second is licensed by site/region and number of clusters for more dynamic cloud native applications and DevOps pipelines."

Those personas (as shown on the Solutions menu on the right) include:

  • Workforce is their honed solution to protect the bulk of workforce employees as they access internal and SaaS applications, as well as remote employees and 3rd party vendors. This is built atop their IAM (SSO/MFA) solution, and most resembles the workforce identity solutions from Microsoft Entra, Okta, and PingID. This includes Secure Browser and App Gateway for enterprise app access.
  • IT is their core PAM product that helps protect and monitor ITOps access into servers, workstations, and cloud resources, as well as remote 3rd party vendors that need access to those same systems. This includes Endpoint PAM for endpoint mgmt, Secrets Mgmt for key vault, Secure Web Sessions for monitoring admin sessions in SaaS tools, and Secure Cloud Access over cloud consoles.
  • Developers is their honed solution to protect and monitor developer access to dev tools and app stack infrastructure. This includes Secrets Mgmt as a service account vault, as well as IAM/PAM access into developer services, servers, app stacks, and cloud resources. Like IT, this also includes Secure Web Sessions over admin sessions in SaaS tools (including CI/CD pipeline and dev tools), and Secure Cloud Access over cloud consoles.
  • Machine identities is their honed solution to protect the non-human identities (NHI) used across ITOps and DevOps above. This includes IAM for workload identities, Secrets Mgmt for service accounts, and certificate and key (PKI) lifecycle mgmt features from their recent Venafi acquisition. [More on that in a sec.]

As noted in the quote above, they have different pricing methods across these persona types, including per-user, per-host, per-machine identity (in bulk), and per-deploy size in Secrets Mgmt. I like that this insulates them from being purely per-user-based like a traditional IAM or endpoint tool, which would be impacted in rockier periods of mass layoffs (as just seen in 2023).

Mgmt noted at IR Day that they are pressing the gas on their partner ecosystem around this new persona GTM approach, suggesting that their marketing budget will completely invert to focus more deeply on channel under their new COO. One sign of this is their new MSP console announced in Apr-24, to allow security providers to oversee their customers in a multi-tenant interface.

One area that Okta went heavily towards is known as Customer IAM (CIAM), a developer-focused tool for controlling access to your externally facing web applications (where the users being tracked are your customers logging into your web or mobile app). Okta had its own platform in this direction (sold top-down), then decided to acquire its major competitor Auth0 (sold bottom-up), which are now unified as a single Customer Cloud offering. Microsoft also has a CIAM and B2B solution in Entra External ID. CyberArk isn't clear what their strategy is here. While they do have CIAM and B2B products on their website, it does not appear to be part of their Developer-focused solution [no mention of it in the Solutions menu above]. I think there was some clarity around this at their IR Day in May, after CyberArk's CEO stated this direction requires a completely different architecture, plus sells to a completely different buyer (aka tends to be bottom-up). So despite their focus on developers as a persona, my take is that CyberArk is not interested in getting distracted by this direction (like Okta was) and seems to be de-emphasizing it – and might even drop it.

The rise of machine identities

"Machine identities" are all the non-human identities (NHI) and permissions being created and used across systems and workloads.

πŸ‘¨β€πŸ’»
NHI and "machine identity" are now used interchangeably by vendors. Some vendors used to quibble that NHI is any and all identities and secrets (app/service-focused), while machine identity refers to the certificates & keys tied to a specific endpoint need (system-focused). But the distinction seems unimportant as customers need both, and the terms seem to have morphed into one.

Secrets Mgmt (vault) systems are used to track several types of NHIs. These are known as service accounts (from a DevOps perspective) or sysadmin accounts (from an IT perspective).

  • From an ITOps perspective, this includes shared admin accounts (sysadmin/root users) used within each system, database, and vital service, which are used to control that system's settings and manage end-user accounts & permissions.
  • From a DevOps perspective, this also includes the internal and app-to-app service accounts (passwords, keys, or access tokens) used between applications and services. This type of identity includes the credentials, certificates, keys, and tokens used across systems, services, containers, workloads, apps, APIs, and tools to access other systems and services – essentially, NHI includes the identities used within app stack interconnections, such as a service account that an app stack uses to access an underlying database service or API, or cloud admin passwords for a Jenkins CI/CD process to create, modify, or destroy test and production environments in the cloud.

Startup Astrix claims that organizations have 20K non-human identities for every 1K employees on average. A survey of CISOs in Q1 2024 by VC Felicis noted machine identities as a top pain point in security going forward (along with email security and next-gen SIEM tools).

CEO in Q224 remarks: "We believe that the market for protecting machine identities is inflecting. And we have increasingly heard from customers that there's an urgent need to protect all machine identities. Machine identities themselves are growing exponentially due to the increase in cloud computing and the rise of AI. The machine identity landscape is also becoming more complex with increasing regulatory scrutiny and emerging standards like Google's guidance to rotate [TLS/SSL web server] certificates every 90 days. All of this is happening as machine identities are increasingly targeted by adversaries as a weak point in organizational security controls.

We are very excited to be building out and expanding our leadership position in machine identities with the pending acquisition of Venafi ... All machine identities need to be discovered, secured, managed, and automated to keep their connections and communication safe. Venafi's machine identity management solutions are complementary to CyberArk with no technology overlap. We believe that by combining our Secrets Management with Venafi’s modern machine identity management, certificate lifecycle management, and SSH Key Management, we will set a new standard for end-to-end machine identity security."

To move into NHI, they first added their own native Secrets Hub service that centralizes secrets by overlaying and controlling 3rd party vaults. CyberArk then acquired Conjur in 2017 to add its own 1st party Secrets Mgmt solution, which comes in SaaS, enterprise self-hosted, and open-source editions. Conjur helps orgs track a wide variety of NHI (service accounts, tokens, keys) across all the IT- and developer-facing systems & services, and automates improved security through password rotation. This competes with HashiCorp Vault, Azure Key Vault, and AWS Secrets Mgr. These moves pushed them more deeply into DevOps needs (and eventually this whole Developer persona). CyberArk also competes with NHI security startups like Oasis, Astrix, and Clutch.

CyberArk has since advanced its machine identity solution heavily from there. Their just-completed acquisition of Venafi ("Venn-ahh-fie") now bolsters their machine identity line with a certificate & key (PKI) lifecycle mgmt platform, which manages certificates & keys across an organization's entire estate of servers, apps, APIs, Kubernetes clusters, containers & microservices, as well as for remote shell (SSH) access, code signing, and IoT devices. These features pair nicely with CyberArk's existing Secrets Mgmt product line with no overlap.

Many Secrets Mgmt products have basic cert/key mgmt features, but Venafi now gives CyberArk a full line of automation features that oversee and automate certificate/key status & renewal over the entire server footprint of an organization, as well as in ephemeral cloud workloads in Kubernetes and containers & microservices (Firefly product). Competitors here include AppviewX, Keyfactor/PrimeKey (merged in 2021), Microsoft Cloud PKI (part of Intune endpoint mgmt), and the native cloud certificate managers in AWS, Azure, and GCP. Venafi has also been shifting towards a new SaaS offering (which maps well to CyberArk's own model), plus adds a marketplace ecosystem with ~200 integrations to other security tools.
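To make the NHI types listed above and the certificate lifecycle automation in this paragraph concrete, here is a small added example of the kind of policy sweep a secrets manager and a certificate manager run over an inventory of machine identities. It is illustrative code written for this post, not CyberArk's, Conjur's or Venafi's software; the inventory records, owner names, dates and rotation windows are constructed assumptions, and the 90-day certificate lifetime check reflects the guidance the CEO quote mentions rather than any vendor's default.

```python
"""Added example for this post: a small NHI (machine identity) audit.

Illustrative code, not CyberArk's, Conjur's or Venafi's software. The
inventory records, owners and rotation windows below are constructed
assumptions chosen to show the lifecycle checks a secrets manager and a
certificate manager automate: stale service-account passwords and API
tokens, unrotated SSH keys, expiring certificates, and certificates whose
lifetime exceeds the 90-day guidance quoted above.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Assumed rotation policy per secret type (not any vendor's default).
MAX_SECRET_AGE: Dict[str, timedelta] = {
    "service_account_password": timedelta(days=90),
    "api_token": timedelta(days=30),
    "ssh_key": timedelta(days=365),
}
CERT_RENEW_BEFORE = timedelta(days=30)   # flag certs this close to expiry
CERT_MAX_LIFETIME = timedelta(days=90)   # the 90-day certificate guidance

# Fixed "current time" so the sample run is reproducible.
NOW = datetime(2024, 10, 1, tzinfo=timezone.utc)


@dataclass
class Identity:
    """One non-human identity as a secrets/cert manager would record it."""
    name: str
    kind: str                              # a MAX_SECRET_AGE key, or "tls_cert"
    owner: str                             # workload or system that uses it
    last_rotated: datetime                 # secrets: last rotation; certs: issuance
    not_after: Optional[datetime] = None   # certs only


Finding = Tuple[str, str]   # (identity name, description)


def audit(inventory: List[Identity], now: datetime) -> List[Finding]:
    """Apply the rotation and expiry policy to every identity."""
    findings: List[Finding] = []
    for ident in inventory:
        if ident.kind == "tls_cert":
            if ident.not_after is None:
                findings.append((ident.name, "cert record lacks an expiry"))
                continue
            if ident.not_after - ident.last_rotated > CERT_MAX_LIFETIME:
                findings.append((ident.name, "cert lifetime exceeds 90-day guidance"))
            if ident.not_after <= now:
                findings.append((ident.name, "cert expired"))
            elif ident.not_after - now <= CERT_RENEW_BEFORE:
                findings.append((ident.name, "cert due for renewal"))
        elif ident.kind in MAX_SECRET_AGE:
            age = now - ident.last_rotated
            if age > MAX_SECRET_AGE[ident.kind]:
                findings.append((ident.name, f"{ident.kind} unrotated for {age.days} days"))
        else:
            findings.append((ident.name, f"unknown identity kind {ident.kind!r}"))
    return findings


def by_owner(inventory: List[Identity], findings: List[Finding]) -> Dict[str, List[Finding]]:
    """Group findings by owning workload so each team gets its own list."""
    owner_of = {i.name: i.owner for i in inventory}
    grouped: Dict[str, List[Finding]] = {}
    for name, desc in findings:
        grouped.setdefault(owner_of.get(name, "unknown"), []).append((name, desc))
    return grouped


def sample_inventory() -> List[Identity]:
    """Constructed inventory; names and dates are made up for the example."""
    utc = timezone.utc
    return [
        Identity("app-db-svc", "service_account_password", "orders-api",
                 datetime(2024, 5, 1, tzinfo=utc)),
        Identity("jenkins-cloud-admin", "api_token", "ci-pipeline",
                 datetime(2024, 9, 15, tzinfo=utc)),
        Identity("bastion-deploy-key", "ssh_key", "bastion",
                 datetime(2023, 6, 1, tzinfo=utc)),
        Identity("api.example.internal", "tls_cert", "orders-api",
                 datetime(2024, 8, 15, tzinfo=utc), datetime(2024, 11, 13, tzinfo=utc)),
        Identity("legacy.example.internal", "tls_cert", "legacy-portal",
                 datetime(2024, 1, 1, tzinfo=utc), datetime(2024, 10, 20, tzinfo=utc)),
    ]


def run_sample_audit() -> List[Finding]:
    """Run the policy over the constructed inventory at the fixed NOW."""
    return audit(sample_inventory(), NOW)


if __name__ == "__main__":
    for owner, items in by_owner(sample_inventory(), run_sample_audit()).items():
        print(owner)
        for name, desc in items:
            print(f"  {name}: {desc}")
```

Run as-is it reports the stale database service account, the year-old SSH key, and the legacy certificate twice (its lifetime is well over 90 days and it is within the renewal window), grouped by the owning workload so remediation can be routed. The 90-day certificate in the sample passes both checks, which is the point of the shorter-lifetime guidance: a cert that is reissued frequently is rarely near expiry when the sweep runs.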

After being partners for years (and watching them closely), CyberArk decided to acquire Venafi in May of this year, and the acquisition just closed on October 1. This acquisition was a major subject during their annual conference & IR day where it was announced in May. Mgmt noted they found the timing perfect for the rise of machine identities, and how they can take this solution and immediately cross-sell this to their existing base of customers.

Venafi was acquired for ~$1.6B (2/3 cash, 1/3 shares), and CyberArk believes this expands their TAM from $50B to $60B. Venafi came with 550 total customers, with mgmt hinting at ~200 shared customers (so adding +350 net new). They had a huge number of large customers, with 350 customers >$100K (63% of base) and a whopping 90 customers over $500K (16% of base).

CFO in Q224 remarks: "I want to briefly touch on our proposed Venafi acquisition, which is still expected to close in the second half of 2024. As we noted previously, Venafi had approximately $150 million in ARR with more than 550 customers. Like CyberArk, about 95% of Venafi's revenue is recurring adding to our durable subscription revenue model. Importantly, we expect Venafi to be immediately accretive to non-GAAP margins. It's rare to find an acquisition opportunity that meets both strategic and financial objectives. We're confident with Venafi, we did exactly that."

From here, Venafi adds $150M in ARR, with 95% of revenue as recurring. Their SaaS is now over 10% of that ARR, after growing +164% in 2023 and +100% over the past year (as of May). Venafi was FCF positive and is expected to be immediately accretive to margins. It won't be included in their financials until Q4 (starting October 1, the day they closed on the acquisition), so it will greatly boost Q4 numbers. [Of course, I hope they separate out the financials to isolate the organic growth, but it doesn't hurt to have the algos seeing a big artificial boost in reported numbers in both top & bottom line.]

Mgmt noted in IR Day Q&A that Venafi was extremely strong in product directions & going deep in existing customers (see those large customer counts above, quite impressive!) but weaker at land and non-existent in channel. They expect to drastically scale up the GTM potential, and noted that channel partners were eager to discuss Venafi products at the partner session at IMPACT. Given how well the companies know each other and their products, the COO noted that she expected GTM to hit the ground running (in both internal and channel) immediately at close, so Q424 and FY25 should see a boost as they cross-sell into their existing other 8.6K customers, as well as introduce the CyberArk platform to the remaining ~350 non-shared customers being added.

This platform doubles the capabilities in their Machine ID solution, plus is also helpful to the IT & Developer solutions for certificate mgmt around apps & services, such as client-side certificates (mTLS encryption between client services), and securing intercommunication in ephemeral workloads running in Kubernetes clusters. CyberArk's new combined focus on machine identities (over Secrets Mgmt and certificate/key lifecycle mgmt) competes with all the vault & cloud-native certificate services already mentioned. However, those are all point-products, while CyberArk now has a fuller solution here that is better geared for multi-cloud and hybrid deployments than any cloud-native solution.

As for the competition, Microsoft's Entra Workload Identities is their NHI solution for tracking cloud credentials and secrets (which I assume is built atop Entra ID & Azure Key Vault), while certificate mgmt is a separate product (Microsoft Cloud PKI). Okta's Machine-to-Machine solution seems to be very limited, given that it is only embedded in their Customer Cloud (CIAM) side. It seems mostly focused on tracking DevOps service accounts and app/API keys, not the certificates & keys across servers and Kubernetes clusters. Okta only just added Secrets Mgmt in their new PAM that finally went GA in Dec-23.

The growth vectors for NHI have already been exploding lately due to cloud migration & modern cloud architectures (containers & microservices) using disparate app stacks across distributed environments. Cloud adoption and modernization both drive an increase in NHI (identities, tokens, keys) for those services and app stacks to securely intercommunicate. CyberArk believes that AI adoption will spur this further, and I agree. The coming rise in Agentic AI allows AI engines to intercommunicate with and control external APIs and services for you – so a rise in AI apps will continue to drive the need for NHI.

CORA AI

They are, of course, also improving their own internal capabilities with LLMs & Generative AI over their stack. I think of these AI-driven advancements as table stakes now, to make your platform easier for SecurityOps teams and end users to use – to not only improve the security and risk profile, but also the productivity of users through guided recommendations and automated remediation.

But let's be clear upfront - the AI growth vector that matters most for CyberArk is from the rise of NHI needed in agentic AI, not in new AI-driven features. The CEO made clear in IR Day that any advanced AI-driven capabilities from here will not be separate add-ons, but instead be used to distinguish their platform and its standard & enterprise tiers. (They don't have priced add-ons for every module like Okta seems prone to do.)

Both CyberArk and Okta are now adding a wide range of AI-driven features into their stacks, and it seems like they are pretty neck and neck in terms of timeline and rollout. However, both are going to be consistently behind Microsoft in AI chatbot capabilities, and Microsoft also has a huge advantage in AI (OpenAI) and a large SIEM+SOAR platform of security data (as well as its own 1st party data in securing its own cloud) that it can exploit.

However, I do feel that CyberArk and Okta both have a large pool of identity data and identity session logs that they can exploit to create strong AI detection & automation capabilities over identity, and have the potential to have a stronger ITDR product than emerging competitors in XDR and SSE. I think they'll likely be neck-and-neck as they roll out AI-driven features from here, and I don't really expect any huge advancements in security automation (agentic capabilities in their own AI engines) in the near term.

Okta made a huge announcement at Oktane'23 a year ago around Okta AI, unveiling a multi-year roadmap of capabilities it will drive from here (which at the time were entirely under development and yet to come). They are building a core AI capability that they are exploiting across their platform in different ways. They are leveraging Google Cloud and Vertex AI for this, to then use Okta AI to drive their new ITDR, Log Investigator, Policy Recommender, Governance Analyzer, Identity Flow Optimizer, and other AI-based features. These were set to be rolling out in beta over 2024, and most seem to be platform enhancements (table stakes) vs monetized. It was no surprise when product dates were shifted out in Oktane'24. (After ITDR, the first big feature was Governance Analyzer, which went from expected beta in Q2 2024 to Q1 2025.)

CyberArk did the same at IMPACT'24 in May with CORA AI, which is now in beta. It initially includes Session Analysis and Detection (processing web sessions), Secrets Anomaly Detection (over vaults), Identity Security Assistant (copilot over products & docs), and Automated Endpoint Policy Creator. This will assuredly continue to advance across their product line from here, but they aren't giving the roadmap as publicly as Okta. At IR day, mgmt hinted this was phase 1, and noted that phase 2 (coming soon) will be more impressive. They also plan on deeper integrations with SOC tools and next-gen SIEMs, and hinted at a coming AI protection capability over AI models and app stacks.

CEO in Q224 remarks: "CyberArk's CORA AI provides identity security focused artificial intelligence embedded within our identity security platform. Our unique data set on the behavior of all identities enables CORA AI to do more and ultimately effectively analyze sessions, detect threats, and recommend action. In addition, user and admin lives are made easier and adoption is faster with an identity security assistant that understands natural language. This will fundamentally transform how users interact with our platform, significantly reducing the time it takes to deliver critical information and analysis.

Identity threat detection and response or ITDR is sometimes discussed as a separate market or product. We at CyberArk believe ITDR capabilities need to be part of a broader platform. They should not just be about monitoring the vendor's infrastructure or limited to Active Directory, they need to look across all identities to detect identity risk, and then be able to take automated response before damage is done. Our ITDR capabilities powered by CORA AI will detect and identify risky behavior, anomalous use of secrets, and much more. The powerful combination of CORA AI and ITDR enhances security, improves resiliency, drives increased productivity, and enhances engagement with our platform."

A blog post in May on CORA AI showed how they see AI evolving in the security space, which gives a hint that CORA AI will evolve across their PAM/IAM/IGA capabilities from here, similar to what Okta has signalled.

Compare with Okta

Okta is in its Q225 and CyberArk is in its Q224. Let's do a quick compare of how they've performed recently. [Okta has continued to steadily fall every quarter since, and is now growing at +11.5%.]

Metric                    | Okta                                             | CyberArk
--------------------------|--------------------------------------------------|-------------------------------------------------
Last 6Qs Rev Growth Trend | +24.8%, +23.0%, +21.4%, +18.6%, +19.1%, +16.2%   | +26.8%, +23.6%, +25.3%, +31.9%, +37.0%, +27.8%
FY Guide                  | +13.4%                                           | +25.3%
ARR                       | $2452M (implied)                                 | $868M
% of Rev Recurring        | 97.8%                                            | 92.6% (71% sub, 49% SaaS)
Sub Rev Growth            | +16.6%                                           | +49.2%
cRPO                      | +12.7%                                           | +36.3% (as of Q4)
TTM Op Margin             | 20.2% (+13pp)                                    | 12.6% (+15pp)
TTM FCF Margin            | 24.8% (+13pp)                                    | 19.6% (+16pp)
Rule of 40 (TTM)          | 41 -> 44                                         | 25 -> 50
Customers                 | 19.3K (+5%)                                      | 8.8K
Customers >$100K          | 4620 (+10%)                                      | 1900 (+27%)
NRR                       | 115% -> 110%                                     | (n/a)

CyberArk has been growing faster than Okta for the last 6Qs, and looks like it will continue to from here. They've also made better profitability improvements, and have more impressive land & expand growth.

  • Okta has decelerated from +43% YoY growth to +23% to +16% over the last 2 years.
  • CyberArk has accelerated from +21% YoY growth to +23% to +28% over the last 2 years, peaking at +37%.

Okta has managed to hover above Rule of 40 thanks to its heavy focus on profitability while growth sputters. (I recapped its many stumbles in the last piece.)

Okta is at $2.4B in TTM revenue while CyberArk is at $868M ARR – so is 2.7x the size. Keep in mind that Okta is nearly entirely SaaS subscriptions (being cloud-native), whereas CyberArk is 71% subscription (48% SaaS).

Okta has over double the customers at 19.3K, but land & expand has been heavily slowing. Net new lands are dropping (+150-200 over last 3Qs vs the +600 they were seeing in FY23) while NRR has dropped to an all-time low of 110%. Unfortunately, CyberArk doesn't report NRR.

Now that CyberArk has moved into IAM/IGA, these companies will be competing much more heavily. One place that CyberArk doesn't need to worry about Okta infringing is in on-prem, hybrid, and multi-cloud environments – CyberArk's customers can deploy its self-hosted version anywhere, including into regulated & air-gapped environments. One area that Okta doesn't need to worry about CyberArk seems to be in Customer IAM, which CyberArk seems to be abandoning.

Final thoughts

I like what I see after going deeper on CyberArk.

Something to Watch: Self-hosted segment

Self-hosted has clearly inherited some of the seasonality of their old license model. This segment has faltered a bit in Q2, extending from the already seasonally weak Q1. This became an anchor in subscription revenue's seq growth. This was the only caution I had in the financials (that rippled up to sub and overall revenue), and was surprised it wasn't focused on or asked about in the earnings call. I would like to see this reverse. [Self-hosted later had a huge Q4. While this remains very seasonal, it is way less of a worry.]

What I like:

While the bulk of the major transition from license to subscription is in the rear-view mirror, it isn't fully complete. The mix is at 71/29% between sub & license now, and I want to see it continue to improve from here. This has greatly smoothed out the finances and improved the consistency of revenue/margins. International is the key to their top-line growth right now, being driven by EMEA, APJ, and LatAm.

The profitability has greatly improved over the last 4Qs, including being non-GAAP profitable, and will be GAAP net profitable hopefully by the end of FY24. I want to see these trends continue, and for them to reach GAAP op profitable in FY25.

Their broader platform shifts have worked well, despite being acquisition-heavy. Their Chief Strategy Officer in charge of acquisitions seems quite adept at filling in their needs. Overall, they seem to have their finger on the pulse of what their customers want and need. I also like the flexibility they have in their platform, in both deployment (SaaS, cloud, hybrid, on-prem) as well as how their product oversees other security solutions. Their PAM/IGA and Secrets Hub products provide oversight over competitive IAM and Secrets Mgmt solutions, giving them a foothold where they can potentially then sell customers into their own 1st party solutions. They do need to educate the market more that they are not just a PAM anymore, but are now a broader Identity Solution platform that can provide workforce IAM like Okta and Microsoft Entra. Showing up as a leader (the only leader besides giants Microsoft and Okta) in Forrester Wave's most recent IAM report helps there.

I also like their GTM shift into persona-based solutions. Instead of complicating the buyer with multi-tier options and countless priced add-ons, they have standard & enterprise tiers built around specific persona needs & use cases, with simpler-to-understand pricing around per-user/host/id/deploy. Mgmt is pushing these (IMHO simpler to sell) solutions deeper into the channel, which lets them move downmarket as well as push into other emerging international geos. This contrasts heavily with Okta, which has a per-user price on every single module add-on. I also feel the different pricing levels (per-user, per-host, per-deploy, per-machine id) help them be more resilient should macro cause workforce layoffs. (Of course, a heavy cloud optimization cycle will pull back on all those levers.)

I've started a small position and will look to take advantage of any weakness in its coming Q3 report to build it up before what should be an impressive Q4. While already seasonally strongest, Q4 will then be artificially boosted by the acquisition of Venafi. However, it should also include some immediate upsell per the COO's commentary on hitting the ground running, and I expect that to be a tailwind over the coming FY25 as AI usage continues to rise.

Add'l Reading

I continue to have a position in CyberArk. They have since strengthened the IGA part of their platform with another acquisition. IGA competitor Sailpoint is also back to being a public company after its IPO in Feb-25. I'll be catching up on CyberArk and comparing it with Sailpoint & Okta soon.

-muji