Secrets Management Software

De facto enterprise secrets backbone, now an IBM business with BSL license baggage.

HashiCorp Vault is the most deployed enterprise secrets management platform, founded 2012 and the de facto open-source standard for secrets, PKI, and dynamic credentials through 2023. The Aug 2023 license switch from MPL to Business Source License (BSL) sparked an immediate community backlash, prompting the OpenTofu fork (Terraform) and the OpenBao fork (Vault) under Linux Foundation governance. IBM closed its acquisition of HashiCorp on Feb 27, 2025 for about $6.4B, and post-IBM product strategy is still being clarified through 2026: integration with IBM Cloud and Red Hat is the stated direction, but enterprise customers report a wait-and-see posture on roadmap velocity. Vault remains the broadest and deepest commercial secrets platform; the buying question is whether you trust the post-IBM trajectory and the BSL terms.

Developer-first secrets platform for cloud-native teams.

Doppler is the developer-first secrets management platform for cloud-native engineering teams. Founded 2018, raised a $20M Series B in Feb 2022 led by CRV, and has built its reputation on the cleanest developer ergonomics in the category: Git-style branching for environments, one-line CLI integration, and a UI engineers reach for instead of avoid. 2024 brought a deliberate enterprise expansion (SSO, SCIM, audit log retention, advanced RBAC) while preserving the developer experience that drove early adoption. Best fit for engineering-led teams that do not have a HashiCorp Vault commitment; less appropriate when deep dynamic-credentials or PKI engines are the headline requirement.

Secrets automation on top of the broader 1Password Business platform.

1Password Secrets Automation is the machine-secrets product line built on top of the broader 1Password Business platform. Founded 2005 in Toronto, the company raised a $620M Series C in Jan 2022 at a roughly $6.8B valuation led by Iconiq Growth. Secrets Automation launched 2021 and the 2024 Trelica acquisition added SaaS governance-and-discovery (shadow IT, app usage, lifecycle), positioning 1Password as a converged human+machine credentials platform. Best fit for organizations already standardized on 1Password Business that want secrets automation without adopting a separate platform; less appropriate when deep dynamic-credentials or PKI engines are the headline requirement.

Native AWS secrets service for AWS-anchored estates.

AWS Secrets Manager is the native AWS service for secrets storage, rotation, and retrieval, launched 2018 and integrated tightly with AWS KMS, IAM, RDS, Lambda, ECS, and EKS. Best fit for AWS-anchored estates where the value of native integration outweighs the cost of AWS lock-in. The pricing model (per-secret per month plus per-API-call) creates surprises for teams that did not anticipate fan-out across microservices, and rotation is automated only for a fixed set of supported AWS targets; everything else requires custom Lambda rotation functions. Cross-cloud or hybrid-estate buyers will hit the limits of an AWS-only secrets posture quickly.

KMS-as-a-service vault-less architecture with Distributed Fragments Cryptography.

Akeyless is the vault-less KMS-as-a-service entrant founded 2018 in Israel, with a $65M Series B in April 2022 led by NGP Capital and Team8. The differentiator is Distributed Fragments Cryptography (DFC), a multi-party computation approach where Akeyless never holds full encryption keys; key fragments are split across regions and the customer controls one. This is the strongest vault-less pitch in the category for compliance teams uncomfortable with a vendor holding full keys. Feature breadth is broad (secrets, dynamic credentials, certificates, encryption-as-a-service, zero-trust access), pricing remains opaque, and the brand recognition still trails Vault and Doppler outside Israel and the regulated-financial segment.

Open-source heritage extended into machine secrets management.

Bitwarden built its reputation on open-source password management before extending the platform into machine secrets with Bitwarden Secrets Manager (GA 2023). The Insight Partners-led $100M+ Series A in 2022 funded enterprise expansion and the secrets-management product line. The pitch is consistent with the Bitwarden brand: open-source heritage, transparent pricing, and an approachable developer experience for teams already on Bitwarden Business or Enterprise. Feature depth still trails Vault and Doppler in dynamic credentials, but Bitwarden is a credible mid-market option, especially for organizations that prefer to buy human and machine credentials from the same vendor.

Open-source modern secrets platform with rapid developer adoption.

Infisical is the fastest-growing open-source modern secrets platform: Y Combinator W23, founded 2022, and gaining developer mindshare in 2025-2026 as a Doppler-shaped product with an MIT-licensed core. The pitch is modern developer ergonomics on top of an open-source foundation, with cloud and self-host options. Feature depth is catching up to Doppler quickly and the post-HashiCorp BSL appetite for OSS alternatives plays directly into Infisical positioning. Trade-offs: younger company, smaller community than Vault or even Bitwarden, enterprise SLA depth still maturing. Best fit for engineering-led teams that want an open-source secrets platform without inheriting Vault operational complexity.

CyberArk-anchored secrets management inside the Identity Security Platform.

Conjur was acquired by CyberArk in 2017 and is now the secrets-management arm of the CyberArk Identity Security Platform. Two product lines exist: Conjur Open Source (community-maintained) and Conjur Enterprise (commercial, deeply integrated with CyberArk PAM). The buying decision is usually downstream of a CyberArk PAM decision; standalone Conjur evaluations are rare because Vault, Doppler, and Akeyless win on feature depth or developer ergonomics. Best fit only when CyberArk PAM is already deployed and the buyer wants one vendor relationship for human and machine credentials.

Legacy Secret Server plus DevOps Secrets Vault on the Delinea Platform.

Delinea (formed when TPG merged Thycotic and Centrify in April 2021) ships two secrets products: the long-running Secret Server (legacy IT secrets vault, primarily for human admins and service accounts) and DevOps Secrets Vault (cloud-native, API-first, for ephemeral workloads). The DevOps Secrets Vault product is the credible developer-secrets story for legacy PAM portfolio buyers; standalone, it competes more directly with Vault and Doppler. Best fit when Delinea PAM is already in place or when an existing Thycotic Secret Server estate wants a cloud-native extension. Trade-offs: TPG ownership signals a sale or recap on the 3-5 year horizon, and standalone Delinea-secrets buying motions are rare.

Secrets-leak detection heritage extended into management (2024).

GitGuardian was the secrets-detection-first vendor of record (its public-GitHub leak monitor put it on the map), founded 2017 in Paris and raising a $44M Series B in 2022. In 2024 the company expanded explicitly into secrets management with the Non-Human Identity (NHI) Security and Vault Insights products, framing the platform as one that finds leaked credentials and helps you rotate them at the source. The pitch is consistent: if leaked-credential discovery is the headline buyer pain, GitGuardian is unrivaled. As a standalone secrets management product, it is younger and shallower than Vault, Doppler, or Akeyless; the platform value compounds when detection and management are bought together.