Does it make sense for Palo Alto Networks to acquire CyberArk?
...wait a minute, weren't we just doing exactly the same thing for SentinelOne?!
Yep. You can't make this stuff up.
Reports of a CyberArk acquisition surfaced before the ink was even dry on my analysis of a potential Palo Alto Networks-SentinelOne deal.
The news became official less than 24 hours later: Palo Alto Networks will acquire CyberArk for $25 billion.
There's no need to do an analysis of a theoretical deal this time. This is really happening.
I'm still shocked at how fast the deal materialized once the details became public. There's a lot to process here, both for Palo Alto Networks and the broader ecosystem.
The purpose of this article is still to analyze the case for and against the deal. It's just a different thought process knowing the deal has been announced and having the public version of Palo Alto Networks' strategic rationale to evaluate.
I'm mostly going to take the case for the deal as the rationale Palo Alto Networks provided and layer on some more context and analysis of my own. The case against the deal is based on my own judgment, discussions I've had, and points others have raised since the deal was first reported.
Here's the short of it: acquiring CyberArk is an excellent move by Palo Alto Networks from a business strategy standpoint. Emphasis on business.
It makes a lot of sense commercially, and certainly a lot more sense than acquiring SentinelOne.
Whether this move is good or not for customers remains to be seen and will take years to play out.
It's going to depend a lot on whether Palo Alto Networks can expedite and improve the product integrations CyberArk already had in front of it with recent acquisitions. It's also going to depend on how effective the integrations are with Palo Alto Networks' other platforms, especially Cortex and Prisma.
That's the flip side of identity market fragmentation: If Palo Alto Networks blows this up, there are hundreds of other companies who would be happy to take CyberArk's place in the market.
As Nikesh Arora might say, they still have to execute.
This is a long article. Transformative deals like this don't happen very often, so they're worth digging into when they do. Let's get into it.
The case for a deal
If Palo Alto Networks was going to do identity, they had to do it big.
Commercially, there was no way they were going to build a successful identity business if they had just picked up a bunch of small companies and tried to put them together. They needed to bootstrap their entry into the market, so a scaled acquisition made sense.
The identity market is at a completely different level of maturity compared to the situation when Palo Alto Networks built its cloud security business by stitching together smaller companies. That approach worked because the cloud security market was still forming. There essentially was no market leader to acquire.
Identity has been through multiple generations of market leaders (Sun, IBM, CA, Oracle, and others). The market has already gone through multiple phases of disruption and M&A. For the most part, we've seen it all.
Currently, we've landed with a handful of specialist identity players — some public, some owned by private equity firms. You know them: CyberArk, Okta, SailPoint, and Ping Identity. And then there's Microsoft. We'll get to that.
Palo Alto Networks had zero chance of competing with those four companies (plus Microsoft and the other incumbents who still hold material market share) by building, buying, and partnering their way to a coherent identity offering.
If there was one market where a massive deal had to be done, identity had to be it.
Accelerating platformization
Palo Alto Networks' multi-platform evolution of the last seven years has been a story for the ages.
Acquiring a scaled identity company like CyberArk and entering the identity market as a de facto market leader accelerates the platformization strategy that Palo Alto Networks has been working on for years.
It's worth reiterating the common misunderstandings around Palo Alto Networks' platformization strategy. They are not, and never have been, building a single end-all-be-all cybersecurity platform.
They have established and grown three core platforms on top of their existing NGFW/Network Security business in the Nikesh Arora era: SASE, Security Operations, and Cloud Security — collectively, their Next-Generation Security (NGS) portfolio.
For the most part, their strategy has worked. They have established a significant product portfolio and revenue traction in the NGS businesses, now over $5 billion ARR even without CyberArk.
They clearly felt like it was time to take the next step and enter the identity market.
Identity will become the fourth platform based on the details they've shared so far in the announcement.
This is a significant milestone both for Palo Alto Networks and the cybersecurity industry in general. It's the first time a company has held leading positions across all of the major cybersecurity categories.
We've never seen a company operate a footprint across this many domains. There are still open questions about whether this strategy is going to work long term and if it can be sustained. This is the furthest along the experiment has gone.
Why CyberArk?
Did the acquisition target for Palo Alto Networks' identity market entry absolutely have to be CyberArk?
No, but CyberArk was the best option they had among scaled identity companies. There just aren't that many viable targets with the right financial profile and product suite. CyberArk is a great option. I'm surprised they got it.
CyberArk has more pieces of a comprehensive workforce identity offering than most other scaled alternatives. They have PAM, SSO (albeit third or fifth in the market), and they just acquired IGA with Zilla, an early-stage company.
Any other targets Palo Alto Networks could have acquired would have required add-on acquisitions to round out the full workforce identity offering.
Okta likely isn't willing to sell at their current market cap of ~$17 billion, roughly half its all-time high (and now below CyberArk, even before the acquisition report). Todd McKinnon is still a relatively young CEO who looks committed for the long haul.
Ping Identity could have made sense, but their product portfolio doesn't have well-established IGA or PAM capabilities, even with ForgeRock. Palo Alto Networks likely didn't want to be in the customer identity business, either. They do have a directory product, which is nice — but again, directory is not the way the identity market will be won.
SailPoint just went public again and has had a successful return. They're primarily an IGA company that has acquired its way into PAM — nowhere near the depth of CyberArk there. They don't do SSO. Great company, not as great of a strategic fit for Palo Alto Networks.
There is a long tail of smaller companies in the identity market with varying shapes and sizes of a product portfolio. Some have eight and nine figures of revenue — Saviynt, RSA Security, SecureAuth, 1Password, Keeper, Veza, StrongDM, and dozens more.
Palo Alto Networks was playing an entirely different game here. The plan wasn't to do value acquisitions of different market leaders in multiple identity segments and slowly grow an identity business. The quest to win the competition against both hyperscalers and large competitors like CrowdStrike needed a transformative deal.
Product expansion
From a product standpoint, this is a completely different discussion from the SentinelOne deal in terms of product overlap. CyberArk brings a set of net new capabilities for Palo Alto Networks with a relatively minimal amount of overlap.
With CyberArk, Palo Alto gets a complete workforce identity suite: PAM, SSO, IGA, Machine Identity, Secrets Management, and more. There's almost no product overlap — just a few ITDR-related features, a secure browser most people didn't know CyberArk had, and some other minor tools.
They don't get a directory services product, but the best strategy is probably to concede that one to Microsoft. There is no viable strategy for beating Microsoft — not in security, and not in identity. Microsoft is going to be Microsoft.
I've done directory migrations, and let me tell you: they're gnarly. Even if Palo Alto Networks did gain a first-class directory product with this deal, it doesn't mean customers would buy it. Just ask Oracle how that went. Customers will change out their IGA, PAM, and SSO products many times over before they'll change directories. It's just not worth the pain.
The way to tame the Microsoft dragon is to keep it well fed with directory revenue so it doesn't get hangry and start breathing fire. Put the dragon in its directory corner, and go take the market for everything else.
Palo Alto Networks is not entering the identity market to beat Microsoft. They want to be competitive, of course — but they're savvy enough to know Microsoft isn't going anywhere. This move is about marginalizing standalone, single-platform identity companies.
Are there products out there that practitioners like using more than CyberArk? Of course. Product and usability were secondary factors at best. This was primarily driven by commercial and financial considerations.
I do have some hope that progress will be made on the product side if they apply the Cortex platformization playbook to CyberArk. While not perfect, what I've seen of the Cortex product did turn out relatively well, especially considering the breadth and scope of what they're doing.
Market convergence and timing
The first part of the "why now" thesis Palo Alto Networks outlined is interesting. As a longtime identity person, I generally share their view of the market, but with some specific nuances.
I've always seen identity as a security function, although this admittedly could be a factor of working within a cybersecurity consulting practice where CISOs are the primary buyer. Either way, the evidence is clear that identity and security are converging in a way they haven't before.
I directionally agree with their overall thesis, though I would have framed the PAM expansion differently. Maybe I'm being particular as an identity person. The differences of opinion are negligible.
I'm not completely sold on the narrative that identity is fully aligned with the PAM vision and that PAM should be deployed across the entire employee base. The PAM part is what CyberArk had been saying, especially prior to machine identity, about their own growth story.
It's not so much that PAM needs to go to everybody — it's that the very definition of PAM is changing. A broad workforce identity platform is going to have aspects of PAM that are now becoming unbundled and usable by more people. Every identity needs better security, not just the special ones.
I wouldn't over-index on the PAM part, even though that alone is a good reason to be in the identity market. To me, the narrative here is offering a broad, integrated identity platform that works for various different users.
The need for platformization in identity
The second part of the "why now" thesis is the one I wholeheartedly agree with. Identity is an established market, but at the same time, there's still a lot of room for change.
As a former systems integrator who understands the pain of identity implementations, I fully subscribe to the need for convergence in identity security. Everything they said about fragmentation on a market basis is true.
Even with some consolidation that has happened recently, the enterprise market is clearly headed in the direction where converged workforce identity platforms are the way of the future. We've made a lot of progress, but it's still fair to say this is more theory than practice right now.
Okta has expanded from its SSO roots and has become a more well-rounded identity platform with SSO, PAM, IGA and many other features through a combination of organic and inorganic activity. While there are early signs of success, it's still pretty early in the journey and just starting to gain meaningful traction in the enterprise segment.
SailPoint has also become a much broader platform, especially as it retooled for its second incarnation as a public company. They still don't have SSO, and the PAM acquisition they made is nowhere near CyberArk's level of scope and maturity.
The interesting part about platformization and identity security is that even with acquiring CyberArk, Palo Alto Networks is still not getting a fully baked platform.
CyberArk, for its part, is still more of a suite than a platform by the strict definition. They've had PAM for a long time. Their SSO product consistently ranks in the top three to five and likely has tens of millions of dollars in ARR. They recently acquired Zilla for IGA, which is still an early stage addition to the product portfolio.
There are pieces that haven't been fully integrated across PAM, SSO, Machine Identity/Secrets Management, and especially not IGA. CyberArk is close enough as is, but there's still work to be done from a product perspective.
Machine identity and AI positioning
The third "why now" pillar about the rise of machine identity and AI agents is where things start to get a bit more speculative, especially the AI agent part. It's also the part with the highest upside if things go well.
The case for machine identity was already pretty well established by CyberArk at the time of their Venafi acquisition. This was more than just theory. The partnership had worked for a long time leading up to the acquisition. The demand was already proven to a point where it made more sense for CyberArk to own Venafi than work with them as a partner.
The deal is fresh enough that the full upside remains to be seen, but it's helpful for Palo Alto Networks to already have that acquisition in the bag and de-risk the machine identity part of the equation (to some extent).
Venafi is an established machine identity company, not some newfangled NHI startup. It's really about certificates and cert-based authentication and authorization for machines, plus management of rotation.
I know that sounds super boring, but it's the most likely solution for how enterprises are going to handle security for AI agents.
There are a lot of theories being thrown around about how AI agents should be secured. Several of them are good, and I hope we do eventually get to standards and protocols that are the ideal implementation.
Knowing how application development works in large enterprises, my guess is that identity for AI agents is going to look fairly similar to how it already looks for apps today. This means secrets, API keys, certificates, service accounts, and the like. In other words, exactly what CyberArk already does well in PAM, secrets management, and now machine identity.
Maybe the implementations will get better eventually, but this is probably how it's going to work — especially for internal-facing stuff in big enterprises.
Financial terms and valuation
It's easy to see a $25 billion headline and get sideways about how much Palo Alto Networks paid. I get it, but the price tag is at least within reason.
One of the closest comps out there is Cisco's acquisition of Splunk for $28 billion. This had a much more reasonable multiple with Splunk at around $4 billion of revenue at the time of acquisition compared to CyberArk being just over a billion.
Another comp is Alphabet's acquisition of Wiz, which is one of the highest multiples ever recorded for a cybersecurity-related acquisition.
CyberArk falls closer to the Splunk side of the multiple spectrum, arguably with more upside and momentum at the time of acquisition.
From CyberArk's point of view, they had no need to sell. I take the $25 billion as a "make me move" price where they were only willing to sell at a significant premium. That's the position they put themselves in by completing their SaaS transition, rounding out at least the beginnings of a complete workforce identity suite and generally executing well across the board.
Acquiring CyberArk is definitely on the upper bound of Palo Alto Networks' financial guardrails, but it's also important to remember that Palo Alto Networks is trading close to all-time highs.
In this particular case, a substantial portion of the deal was equity. The cash consideration was still meaningful (roughly $1.5-2 billion based on the information they disclosed), but it's still a relatively small percentage of the overall consideration.
This is Palo Alto Networks using its momentum and current market cap to its advantage.
Upselling and cross-selling
Go-to-market and revenue synergies (bleh) could go either way in terms of whether they're part of the case for or against a deal. I think they're more likely to work in favor of Palo Alto Networks, so I'm including the analysis here.
Why?
Palo Alto Networks has significantly more customers (70,000+) compared to CyberArk's 10,000. The customer profile generally matches too, with buyers of PAM being heavily regulated large enterprises in mature industries.
Palo Alto Networks has a bit broader customer base, but many of the large eight-figure deals you see them talk about in earnings releases are the typical profile of a CyberArk customer.
The pull-through is hard to know without seeing exact customer lists, but I expect it could work both ways. Palo Alto Networks will be in more companies where CyberArk doesn't currently have a footprint. The opposite is also true, especially in some larger enterprise accounts where CyberArk is already a customer but Palo Alto Networks is not.
With the scale and ambitions of Palo Alto Networks, it's hard to overstate the value of gaining new customers any way they can. Acquiring CyberArk gives Palo Alto Networks a first point of entry into many new accounts with hopes of not only keeping the customers, but also adding other platforms in the future.
TAM and revenue impact
Palo Alto Networks already had one of the largest TAMs in cybersecurity with their existing platforms. Adding identity unlocks significantly more TAM, with some estimates, including those from both Okta and CyberArk, measuring the TAM for workforce identity at $50 billion, not the $29 billion Palo Alto Networks quoted from IDC in their release.
Either way, the more impactful part now is the serviceable obtainable market (SOM) it unlocks for Palo Alto Networks — and even more specifically, the accretive revenue and free cash flow it adds.
CyberArk is a billion-dollar run rate business, which is a nice way to start your foray into the identity security market. It puts Palo Alto Networks at $10 billion of revenue already and, as discussed in the SentinelOne analysis, significantly accelerates and de-stresses its path to $15 billion.
Integration strategy and future vision
I expect we're going to see Palo Alto Networks execute the playbook they followed with Cortex.
They spent significant R&D effort building out a centralized data model, refactoring and reintegrating multiple products into a much more cohesive platform and user interface.
What Palo Alto Networks has to do (okay, should do) over the next two to five years is apply the Cortex integration strategy to CyberArk and finish their product integrations across the board.
I've seen Cortex and what they did with it — integrating what they built and acquired, adding cloud security, data security, AppSec, etc. They did a great job making it look coherent on the front end.
The next level beyond integrating all of the identity parts is integrating data into Cortex for SecOps. All this identity log data is going to get fed into Cortex for much higher-fidelity logging than we're used to with identity.
If you can get really high-fidelity authentication and authorization data into Cortex, plus cloud security, application security, data security, and more — you have a much better ability to see what's going on in your environment and then drill down and triage alerts that didn't have much visibility before.
There are definite connections to the networking and SASE sides as well. You can already see other companies doing interesting things with identity, secure browsers, SASE, network security (zero trust...gasp) and lots of other things Palo Alto Networks already does.
Acquiring CyberArk is about adding identity, but the next-level strategic move here is bringing identity to other core security functions in a more comprehensive way.
AI is the bull case
Even if you completely take any upside from the agentic market and strike that from the deal, this still looks like a smart acquisition commercially.
Palo Alto Networks is entering an important new market while adding a billion dollars of ARR that's growing at a market-leading growth rate.
None of us really know how big the market for securing AI agents is going to be. The assessment of that emerging market and the upside and downside is a completely different article, so we're not going to get into that here.
In the context of this deal, whatever happens with AI agents is part of the upside. The downside is relatively limited. If you strike that part entirely from the deal or imagine a worst case scenario where AI agents are a complete dud, this still looks like a pretty good deal.
Competing in a market for human identity alone is pretty good business. There's enough validation on the traditional side of machine identity where that's a safe bet, too.
This acquisition may not be worth the full $25 billion without some AI upside, but is it still worth over $20 billion? Probably.
The case against a deal
Here's the punch line: I don't see much of a bear case at all (again, from a business strategy standpoint). This was a savvy acquisition. Expensive, but savvy.
Most of the criticism I've seen so far is people airing out grievances with Palo Alto Networks, CyberArk, or both.
If you look at this from a hardcore business strategy standpoint and take away the other incentives and biases, it's hard to argue with their rationale.
There are risks, though. Lots and lots of risks. Those are what we need to talk about.
Valuation and financial tradeoffs
The financial risk of a transaction this large is obvious. $25 billion is a lot of capital no matter what the split is between cash and equity.
This means another scaled acquisition like SentinelOne is off the table for now. In fairness, I can't think of a scaled acquisition that would have made more of a difference to Palo Alto Networks than entering the identity market.
They'll continue to make tuck-in acquisitions within their existing NGS platforms, including CyberArk, wherever they feel like it might be lacking.
Palo Alto Networks has reached a point where building from scratch is often close to the same level of effort as integrating an acquisition. They don't need to buy as many companies going forward as they did in the previous seven years now that their NGS platforms are more established.
They will still make some relatively large tuck-in acquisitions like they did with Talon or Protect AI, but the burden of proof is now a little higher and their financial position is such that deals may have to clear higher financial and technical hurdles than they did in the past.
Go-to-market
If we learned anything from other large identity acquisitions this decade, it's that GTM is a huge gotcha post-acquisition.
The GTM integration between Okta and Auth0 went very sideways. Combining the orgs didn't work. As it turns out, selling a top-down workforce/customer identity platform and a bottom-up, developer-focused customer identity platform are two wildly different things.
Palo Alto Networks has to tread lightly on the GTM side of this. Selling firewalls and the NGS portfolio is not the same as selling identity. They're probably better off keeping most or all of CyberArk's GTM org intact and doing what they can to make their lives easier.
On the customer side, the risk of churn is real — but I certainly don't expect a material part of CyberArk's customer base to churn even if they'd rather not work with Palo Alto Networks. Complaining is one thing. Switching is another.
A specific nuance about Identity, and PAM in particular, is the products are incredibly sticky. They take millions of dollars and years to implement. Changing vendors isn't like just installing a different agent to move from CrowdStrike to SentinelOne on the endpoint. There are meaningful switching costs.
Most existing CyberArk customers are just going to put up with Palo Alto Networks even if they don't use or want to use any of their products across the rest of the security or IT portfolio.
If there's going to be any customer impact at all, it's more likely to be on the net new customer acquisition side. CyberArk was doing fairly well in this category, especially given the macroeconomic circumstances.
Rather than existing customers churning, the more likely impact is going to be new customers choosing to go a different direction for their PAM and workforce identity solutions. This is generally good for other companies in the workforce identity market, but that's for another discussion.
The cross-selling opportunities are the wild card here. I'm sure the Palo Alto Networks Corp Dev team and their bankers modeled this and have good assumptions around it.
I expect some level of success with cross-selling — and possibly enough to not only net out any churn or slowdown in new customer growth, but vastly exceed it.
This could be especially true if Palo Alto Networks is able to do good things on the product side and simplify the overall purchasing, financing, licensing and transaction process that many CyberArk customers complain about.
Channel relationships
Channel is another area where you could argue there is downside, or at least substantial risk.
CyberArk is the gold standard in cybersecurity for how to grow and run a partner program. They have amazing relationships with all of the GSIs as well as several other niche boutique integrators. Palo Alto Networks works with most of them anyway, but identity will be a different capacity.
We're not going to see the channel just stop working with CyberArk now that they will be owned by Palo Alto Networks. Due care has to be taken to make sure the channel relationships and model CyberArk already has in place continue to be successful.
Palo Alto Networks has its own successful channel relationships, and they already work with many of the same GSIs and partners CyberArk does. Identity implementations are a different muscle, but the GTM side is still similar.
Integration and culture
Palo Alto Networks is no stranger to integrating acquisitions, now with more than 20 reps of experience. Integrating a scaled public company with $1 billion of revenue and over 4,000 employees is a lot trickier than making things work with a startup.
As we discussed earlier, I actually like their chances with the technical side of the integration over the long run. People and process are the parts that worry me.
Tough personnel decisions have to be made. This inevitably means layoffs, as we already saw with Cisco-Splunk, Proofpoint's acquisitions, and many others.
CyberArk has a specific method and culture that's worked for them over the course of 25 years. Palo Alto Networks has its own culture — one that largely mirrors the towering ambitions and personality of Nikesh Arora.
How CyberArk responds to the limelight that inevitably follows Palo Alto Networks is one of the biggest open questions about this deal.
So, what now?
Large, multi-domain cybersecurity companies have historically stayed away from the identity market.
That era appears to be over. This is an industry-altering deal.
The place to watch next is what happens with the rest of the market.
CrowdStrike, Fortinet, Check Point, Zscaler, and anyone else who wants to be a broad cybersecurity market leader is now under tremendous pressure to enter the identity market.
This acquisition also changes the game for Okta, SailPoint, Ping, Saviynt, and several other standalone identity companies. They need to finish the job of building end-to-end workforce identity platforms and find other ways to differentiate. Or, they need to sell.
The gloves are off now. Palo Alto Networks made its move, and the ripple effect across the rest of the industry is going to be just as big.