Privileged Access Management (PAM)

Category leader with deepest vault and session brokering pedigree.

CyberArk is the PAM category leader by revenue (~$830M in 2024, growing roughly 30% year-over-year) and by feature depth in vaulting, session brokering, and session recording. Founded 1999 in Israel, NASDAQ-listed since 2014. The 2023-2025 push to a cloud-first Privilege Cloud and Identity Security Platform is real, but on-prem-to-cloud migrations are still meaningfully harder than the marketing admits, and the Oct 2024 Venafi acquisition ($1.54B) has stretched the integrated platform story. Best fit for regulated enterprises with mature PAM operations; worst fit for greenfield engineering-led teams expecting Teleport-style developer ergonomics.

Broadest PASM portfolio, weighed against a Dec 2024 nation-state breach.

BeyondTrust has the broadest PASM portfolio of any pure-play vendor: Password Safe (vault + session brokering), Privileged Remote Access (PRA), Remote Support, Endpoint Privilege Management, and Cloud Privilege Broker. Formed from the 2018 Bomgar+BeyondTrust merger under Francisco Partners, then re-leveraged under Francisco Partners and Clearlake Capital in 2021. The breadth is genuine; so is the trust hit from the Dec 2024 nation-state breach of the Remote Support cloud, in which a compromised API key gave attackers access to customer environments. PE-driven cost discipline has been visible in support and roadmap pacing.

Thycotic+Centrify under TPG, the cloud-first mid-market PAM pick.

Delinea is the combined entity formed when TPG merged Thycotic and Centrify in April 2021. The cloud-native push since 2023 is more visible than at most legacy peers: the Delinea Platform unifies Secret Server (vaulting), Privilege Manager (endpoint), and DevOps Secrets Vault on a single tenant. Shipping cadence is faster than CyberArk or BeyondTrust; pricing remains opaque but mid-market deal sizes routinely come in 30-50% under CyberArk equivalents. Trade-offs: TPG ownership means a sale or refinancing is on the medium-term horizon, and feature depth in session brokering still trails CyberArk.

Converged IGA + PAM on a cloud-native, AWS-favored platform.

Saviynt is the converged identity platform: IGA (identity governance and administration) plus PAM plus Application Access Governance on a single cloud-native architecture (Enterprise Identity Cloud, EIC). The identity-first positioning works best for AWS-anchored enterprises consolidating IGA and PAM rather than running two separate platforms. Carrick Capital-backed and growing healthily, but the PAM module is younger and shallower than CyberArk on pure session brokering. The bet is that converged identity is the right architecture; whether your team agrees with that thesis is the buying decision.

Quest portfolio PAM under Clearlake + Insight Partners ownership.

One Identity Safeguard is the PAM line within the broader One Identity portfolio, itself a unit of Quest Software, taken private by Clearlake Capital and Insight Partners in 2021. The breadth is real: Safeguard for Privileged Passwords (vault), Safeguard for Privileged Sessions (brokering and recording), Safeguard for Privileged Analytics, plus an integrated IGA suite (Identity Manager). The breadth is also the weakness: the portfolio shows signs of PE-era neglect, with slower roadmap pacing than Delinea or CyberArk and product modules that still feel like acquisitions rather than parts of one system.

APAC PAM leader with strong Asian financial-services foothold.

ARCON is India-headquartered and the leading PAM vendor across Asia-Pacific financial services, with reference customers across Indian, Middle Eastern, and South-East Asian banks. The product covers vaulting, session brokering, session recording, and behavior analytics, with aggressive pricing 30-60% under CyberArk and BeyondTrust in APAC deals. Trade-offs: reference customers outside APAC are thinner, the cloud-native story lags Delinea, and the partner ecosystem in North America and EU is meaningfully smaller.

EU-native PAM with strong NIS2 and CSRD compliance fit.

WALLIX is a French-headquartered, Euronext-listed PAM vendor (founded 2003) with EU data residency native to the architecture, ANSSI qualification, and a compliance-led narrative anchored in NIS2, CSRD, and the EU Data Boundary. WALLIX Bastion covers vaulting, session brokering, session recording, and privilege elevation across Windows and Linux. The fit for EU public sector and EU-regulated enterprises is real. Trade-offs: outside EU+ANZ the partner ecosystem is thinner, feature depth on the analytics side trails CyberArk and BeyondTrust, and revenue scale (~EUR 40M+) means roadmap velocity will always trail US-listed peers.

Developer-favored secrets management, now an IBM business.

HashiCorp Vault is the developer-favored secrets management standard. Founded 2012, IPO 2021, acquired by IBM in a $6.4B deal that closed February 2025. Strongest fit for platform engineering and DevSecOps teams that need ephemeral credentials, dynamic secrets for databases and cloud providers, and tight CI/CD integration. Vault is lighter on classical PAM features (session recording, human-admin brokering) than CyberArk or BeyondTrust; it competes on secrets and machine identity, not on session governance. Trust remains scarred by the Aug 2023 switch from MPL to the Business Source License (BSL), which triggered the OpenTofu / OpenBao forks and lasting community resentment.

Acquisition-built breadth for buyers on the Netwrix data-security stack.

Netwrix has grown by acquisition rather than core innovation: Stealthbits (2020) brought data-access governance, Recovery Manager (2021) brought AD recovery, PolicyPak (2022) brought endpoint policy, Imanami (2022) brought group management. Netwrix Privilege Secure (the PAM line) covers vaulting, session brokering, and just-in-time access, but its strongest value is breadth bundling for buyers already standardized on Netwrix Auditor and data-security tooling. TA Associates has owned Netwrix since 2020. Trade-offs: best-of-breed buyers will find deeper PAM elsewhere; the acquisition-driven product line shows integration seams.

Modern infrastructure access for engineering-led organizations.

Teleport (formerly Gravitational) is the modern infrastructure access platform: a single identity-aware proxy that fronts SSH, Kubernetes, databases, RDP, and internal web apps, issuing short-lived certificates rather than managing long-lived secrets. Series C ($80M, July 2022, ~$1.13B valuation, Kleiner Perkins-led) put it firmly in the cloud-native PAM conversation. Best fit is engineering-led organizations that want PAM ergonomics that engineers will actually use; trade-offs are that classical compliance/session-recording buyers still gravitate to CyberArk, and the company is private with a single-product focus that can be either an asset or a risk depending on portfolio context.