Palo Alto Networks Enters the Identity Security Market with $25B Purchase of CyberArk
Palo Alto Networks has announced definitive plans to acquire privileged identity management vendor CyberArk for $25 billion, making it the third-largest cybersecurity M&A deal in history. This follows Google’s $32B buy of Wiz earlier this year and Cisco’s $28B acquisition of Splunk in 2024.
Founded in 1999 and IPO’d in 2014, CyberArk’s annual revenues passed the $1B mark in 2024, which places this acquisition price around an 18-20x revenue multiple.
Palo cited three main drivers for their interest in CyberArk:
- The convergence of identity and security
- The need for platformization in identity security
- The rise of machine identities and AI agents
This acquisition highlights Palo Alto Networks’ continued mission to become a major security platform player.
There are areas where this acquisition makes sense; both Palo and CyberArk focus on large enterprise customers in North America and EMEA, both have strong salesforces, both provide a multitenant SaaS offering, and both have strong partner ecosystems.
Given Palo’s recent choice to pivot Prisma Cloud to Cortex Cloud and merge the offerings into one platform, it’s likely that they will pursue a similar strategy with this acquisition. However, this approach has some major challenges: namely, that the users for Cortex are security operations-focused, while the users for CyberArk are identity security-focused and typically led by the goal of protection and identification, with detection and response as secondary.
On the plus side, identity security alerts and telemetry are highly valuable for detection and response: they improve detection and speed up response. For Cortex and CyberArk customers, this could be a valuable consolidation if done right.
However, the track record on mega security and identity tie-ups is incomplete and unproven. One can point to EMC/RSA or Broadcom/CA as examples, but those were from different eras and CA was not a security pure-play. The sensitive nature of IAM protections – and associated vendor liabilities – as well as the fact that IAM is deeply embedded within business processes and infrastructure make identity security-related acquisitions inherently riskier, with more complex sales cycles. This doesn’t mean that the Palo Alto/CyberArk merger cannot be successful, but it will require more operational support, as Palo is not integrating a 100-person VC-backed startup, but a global billion-dollar+ company with thousands of employees and customers.
Palo Alto Networks Multi-Platform Push For Dominance Continues
Palo Alto Networks was one of the first mega security vendors to go all-in on “security platform” messaging, and this acquisition deepens its commitment to being a one-stop shop for its customers. Integrating smaller acquisitions to deliver on platform promises isn’t entirely easy, but this acquisition takes that to another level. In fact, given the disparate nature of these technologies in terms of users and administrators, this seems to be more of a platform-of-platforms approach. Nikesh Arora doubled down on this in the investor call about the acquisition, commenting that this acquisition helps Palo Alto bring “the most comprehensive set of platforms across the industry that deliver against the customers’ need of security.”
Palo Alto Networks is clearly assembling a platform-of-platforms to compete with the likes of CrowdStrike in a module-by-module sell-off. The challenge for Palo Alto Networks is that, with the products in their portfolio, these operational domains and budgets live in deeply segregated areas. This makes it more difficult to sell modules…at least initially.
CyberArk’s product line focus on identity does not match neatly with Palo Alto’s legacy core capabilities in network and cloud. This can yield both promise and potential pitfalls, the greatest of which is unifying integrations to create a shared data model and centralized control plane. This will challenge PANW for years to come. Forrester research shows that bundling discounts and a one-stop-shop were the least important reasons for security leaders to select a platform provider. Instead, ease of integration, ease of use, and more productivity topped the list.
Integration is a multifaceted exercise that covers 1) sales, professional services and support processes, and 2) centralized policy management and reporting across heritage Palo Alto and CyberArk product lines. There is still a lot of integration debt from previous acquisitions that built the Cortex/ex Prisma Cloud product family (Twistlock, Evident.io and others). Similarly, CyberArk has been dealing with its own integration debt stemming from its recent acquisitions of Venafi (October 2024) and Zilla Security (February 2025). CyberArk’s Zilla acquisition and PANW’s SaaS and cloud infrastructure CSPM/CIEM capabilities also overlap to a degree.
Emerging Technology Opportunities: Agents, Agentic, and Post Quantum
The Palo Alto Networks investor call content featured the machine identity and AI agent/agentic market opportunity as a key reason for the acquisition, as AI agents will require Just-in-Time (JIT) access controls and will need privileged credentials to connect to back-end data sources. Despite investing in securing AI, Palo Alto Networks’ platform lacked an identity component. This closes that gap in a segment that is expected to grow as AI agents and agentic architectures proliferate across enterprises in the coming years. At present, identity is one of the pillars of agent and agentic security while observability, logging, lineage, and provenance are yet to fully form across protocols like MCP and A2A. Even then, identity security will face new challenges based on ephemeral, scalable, task-oriented identities springing up to execute portions of a workflow.
Identity security for the agentic AI future will rely on a backbone of cryptography and Palo will benefit from CyberArk’s subject matter expertise in key management, PKI, and quantum security. Some of CyberArk’s offerings could align well with Palo Alto’s investments in application security and in quantum security, though some work will be needed to bring them together. For example, businesses looking to adapt to consumer interest in AI agent use cases will need to better understand the identity and intent of inbound agent traffic. A combination of agent identity via CyberArk and traffic analysis via Palo Alto’s WAF and bot management components could be compelling, though the integration will take some work.
The IAM market faces further disruption
Palo’s acquisition is bound to further disrupt technical alliances and strategic partnerships. This is particularly true given the state of the IAM market, which is experiencing a rise in coopetition from the convergence of IAM functional silos and adjacent vendors such as CrowdStrike, SailPoint, and Okta expanding into the privileged identity space. Forrester expects IAM vendors’ technical partnerships with existing integrations to remain intact, but this will stress business partnerships and fuel additional IAM vendor consolidation.
While the acquisition serves as a validation of the importance of identity to cybersecurity, ultimately identity is a pillar in cybersecurity, not the other way around. In the near-term, it opens opportunities for existing identity vendors including BeyondTrust, Delinea, and Saviynt to highlight their differentiation with an identity-first focus, commitment to standards-based integrations, and agility to go down-market.
To discuss your options and strategize on how to make the best use out of these announcements, Forrester clients can set up a guidance session or inquiry with me.
I’ll also be speaking at Forrester’s Security & Risk Summit 2025 in Austin, Texas, from November 5–7.