Skip to content
Z Zendikt
Australia edition · 9 products ranked · Verified 2026-05-24

Top 10 Secrets Management Software in Australia for 2026

Independent Australian secrets management ranking, AUD pricing, APRA CPS 234 and Essential Eight ML2 / ML3 mandates, IRAP-aware vendor selection for federal workloads.

← Global ranking · Category overview
Secrets Management Software by country
🌐 Global United States India United Kingdom France Germany Australia Canada

Australia verdict (TL;DR)

Verified 2026-05-24

HashiCorp Vault dominates Aussie enterprise secrets management at CBA, Westpac, NAB, ANZ, Telstra, Optus and Atlassian-tier SaaS. AWS Secrets Manager is the default at Aussie cloud-native workloads in AWS Sydney. Azure Key Vault holds federal-government and Microsoft-stack enterprise via Azure Australia East and Australia Central. Doppler covers Aussie SaaS scale-ups wanting dev-friendly secrets-as-a-service. 1Password Secrets sits adjacent to existing 1Password Business deployments. Bitwarden Secrets and Infisical are open-source options. CyberArk Conjur and Delinea hold legacy enterprise. GitGuardian detects leaked secrets in code. APRA CPS 234 plus ASD Essential Eight ML2/3 cryptographic-key-management mandate is the dominant Aussie compliance driver.

Picks for Australia

  • CBA, NAB, Westpac, ANZ-tier Aussie enterprise secrets management: hashicorp-vault-secrets HashiCorp Vault is the default at Big Four banks and large Aussie enterprise. APRA CPS 234-aware deployments, Essential Eight ML2/3 cryptographic key management, IRAP-assessed federal options.
  • Aussie cloud-native workloads on AWS Sydney: aws-secrets-manager AWS Secrets Manager in ap-southeast-2 Sydney and ap-southeast-4 Melbourne is the native choice for AWS-first Aussie workloads at Atlassian, Canva, Employment Hero and Go1.
  • Federal-government and Microsoft-stack Aussie enterprise: azure-key-vault Azure Key Vault in Azure Australia East and Azure Australia Central (Canberra sovereign) is the default for Services Australia, DTA, federal agencies and Microsoft-stack enterprise.
  • Aussie SaaS scale-ups wanting dev-friendly secrets-as-a-service: doppler Doppler is the modern Aussie SaaS scale-up choice for secrets-as-a-service across multi-cloud and multi-env workloads. AUD-friendly pricing and strong dev UX.
  • Aussie SMB and mid-market with 1Password Business already deployed: 1password-secrets 1Password Secrets Automation extends the existing 1Password Business password footprint into developer secrets, which is the simplest Aussie SMB starting point.
  • Legacy Aussie banking and insurance PAM-adjacent secrets: cyberark-conjur CyberArk Conjur is the natural choice where CyberArk PAM is already the privileged-access standard at Big Four banks and tier-one insurers.
Market context

How the secrets management software market looks in Australia

Aussie secrets management is one of the most compliance-driven software categories in 2026. The Australian Signals Directorate Essential Eight Maturity Model, the default cyber baseline for federal government and effectively the de facto baseline for APRA-regulated entities, mandates cryptographic key management and credential security at ML2 and ML3. APRA CPS 234 requires regulated entities (banks, insurers, super funds) to maintain an information security capability that covers third-party credentials. The Security of Critical Infrastructure (SOCI) Act 2018 extends similar discipline to telco, energy, water and food critical-infrastructure operators.

The Aussie vendor landscape concentrates around HashiCorp Vault at large enterprise, AWS Secrets Manager and Azure Key Vault at cloud-native workloads, and Doppler at SaaS scale-ups. CBA, Westpac, NAB and ANZ run HashiCorp Vault in production for application secrets and rotation, often paired with CyberArk for human privileged access. Telstra, Optus and Macquarie Telecom run hybrid HashiCorp plus cloud-native deployments. Aussie SaaS scale-ups (Atlassian, Canva, SafetyCulture, Employment Hero, Go1, Bigtincan, Octopus Deploy) tend toward AWS Secrets Manager or Doppler depending on cloud architecture.

Federal and state government deployments centre on Azure Australia Central (Canberra sovereign) and IRAP-assessed HashiCorp Vault Enterprise. The Department of Home Affairs Cyber Security Strategy 2023-2030 and the Critical Infrastructure Risk Management Program have raised the bar on secrets and key management for SOCI-covered sectors. Modern Slavery Act 2018 vendor disclosure and Privacy Act APP 11 sit alongside as foundational requirements.

Compliance & local rules

Australian secrets management deployments must address multiple overlapping regimes. The ASD Essential Eight Maturity Model, while not legally mandatory outside federal government, is the de facto baseline for regulated entities and increasingly for ASX-listed enterprise. ML2 and ML3 require cryptographic key management, restricted privileged access and credential security. APRA CPS 234 (information security, effective 2019) requires regulated entities (banks, credit unions, insurers, super funds) to maintain assurance over credential and key management, with auditable evidence. CPS 230 (operational risk management, effective July 2025) extends operational resilience requirements. The Security of Critical Infrastructure (SOCI) Act 2018 obliges critical-infrastructure operators across 11 sectors to maintain a Critical Infrastructure Risk Management Program covering cyber and supply-chain risks, including credential management. The Privacy Act 1988 and APP 11 require reasonable security over personal information, which catches secrets governing personal-data access. Federal-government workloads require IRAP-assessed hosting; HashiCorp Vault Enterprise, Azure Key Vault and AWS Secrets Manager all have IRAP coverage. The Notifiable Data Breaches scheme captures eligible breaches caused by credential compromise. Modern Slavery Act 2018 reporting picks up vendor selection for revenue >A$100M.

At a glance

Quick comparison, ranked for Australia

Product Best for Starts at 10-emp/mo* Pricing G2 Geo
1 HashiCorp Vault
Regulated enterprises and platform teams with operational expertise
 $0 $0 4.7 Global; strongest in US, EU, APAC
4 AWS Secrets Manager
AWS-anchored estates of any size
 $0 $0 4.5 Global (AWS regions)
2 Doppler
Engineering-led cloud-native teams
 $0 $0 4.7 Global; strongest in US, EU
3 1Password Secrets Automation
Mid-market and enterprise 1Password Business shops
 $8/emp $80 4.7 Global; strongest in US, EU, Canada
8 CyberArk Conjur
CyberArk-anchored regulated enterprises
 $0 $0 4.3 Global; strongest in US, EU, Israel, APAC
9 Delinea Secret Server (DevOps Secrets Vault)
Mid-market and lower-enterprise Delinea/Thycotic-anchored estates
 Quote - 4.5 Global; strongest in US, EU, APAC
6 Bitwarden Secrets Manager
Mid-market and lower-enterprise buyers already on Bitwarden Password Manager
 $6/emp $60 4.6 Global; strongest in US, EU
5 Akeyless Vault Platform
Regulated enterprises and vault-less SaaS buyers
 $0 $0 4.7 Global; strongest in US, EU, Israel
10 GitGuardian Platform
Security-led organizations buying detection and management together
 $0 $0 4.7 Global; strongest in EU, US

*10-employee monthly cost = base fee + (per-employee × 10) using the lowest published tier. For opaque-pricing vendors, no value is shown.

Verified local pricing

What buyers in Australia actually pay

Median annual deal size by employee band, in AUD. Crowdsourced from anonymized buyer disclosures.

Product Employee band Median annual (AUD) Sample Notes
HashiCorp Vault 500-5,000 employees A$195,000 19 HashiCorp Vault Enterprise, Aussie banking and large enterprise tier
AWS Secrets Manager 50-1,000 employees A$8,400 38 AWS Secrets Manager consumption in ap-southeast-2
azure-key-vault 100-2,000 employees A$9,200 27 Azure Key Vault consumption in Australia East / Central
Doppler 20-200 employees A$14,500 22 Doppler Team, Aussie SaaS scale-up tier
1Password Secrets Automation 50-500 employees A$18,000 16 1Password Business plus Secrets Automation
CyberArk Conjur 500-5,000 employees A$165,000 11 CyberArk Conjur Enterprise with PAM bundle
Local challengers

Australia-built or Australia-strong vendors worth knowing

Not yet ranked in our global top 10, but credible options for Australia buyers and worth a shortlist.

HashiCorp ANZ

Visit ↗

Sydney commercial team. The default Aussie enterprise secrets management choice at Big Four banks, Telstra, Optus and large ASX-listed enterprise.

AWS Sydney

Visit ↗

AWS Secrets Manager in ap-southeast-2 Sydney and ap-southeast-4 Melbourne is the native choice for the AWS-first Aussie majority. IRAP-assessed for PROTECTED.

Microsoft Azure Australia Central

Visit ↗

Azure Key Vault in Canberra-based sovereign regions is the federal-government and Microsoft-stack enterprise default. IRAP-assessed for PROTECTED.

The Australia ranking

All 9, ranked for Australia

Same intelligence as the global ranking, vendor trust, review patterns, verified pricing, compliance, reordered for the Australia market.

#1

HashiCorp Vault

De facto enterprise secrets backbone, now an IBM business with BSL license baggage.

Founded 2012 · San Francisco, CA · public · 500-100,000+ employees
G2 4.7 (1,320)
Capterra 4.6
From $0 /mo
◐ Partial disclosure
Visit HashiCorp Vault

HashiCorp Vault is the most deployed enterprise secrets management platform, founded 2012 and the de facto open-source standard for secrets, PKI, and dynamic credentials through 2023. The Aug 2023 license switch from MPL to Business Source License (BSL) sparked an immediate community backlash, prompting the OpenTofu fork (Terraform) and the OpenBao fork (Vault) under Linux Foundation governance. IBM closed its acquisition of HashiCorp on Feb 27, 2025 for about $6.4B, and post-IBM product strategy is still being clarified through 2026: integration with IBM Cloud and Red Hat is the stated direction, but enterprise customers report a wait-and-see posture on roadmap velocity. Vault remains the broadest and deepest commercial secrets platform; the buying question is whether you trust the post-IBM trajectory and the BSL terms.

Best for

Regulated enterprises (1,000-50,000+ employees) needing the deepest secrets, PKI, and dynamic-credentials platform, with budget for operational expertise.

Worst for

Greenfield engineering teams wanting modern developer ergonomics (Doppler or Infisical win), or organizations philosophically opposed to BSL licensing (OpenBao or pure-OSS alternatives).

Strengths

  • Deepest feature set in the category (KV, dynamic credentials, PKI, transit, transform, database secrets engines)
  • Largest community and integration ecosystem of any secrets platform
  • Strong dynamic-credentials story across AWS, Azure, GCP, databases, Kubernetes
  • Vault Enterprise adds performance replication, DR, HSM auto-unseal, namespaces
  • Mature Kubernetes integration via Vault Agent and Secrets Operator
  • Auditor-grade evidence trails for regulated industries

Weaknesses

  • Aug 2023 BSL license switch fractured open-source community trust
  • OpenBao fork exists as an OSS-compatible alternative and is gaining adoption
  • Feb 2025 IBM close leaves post-acquisition product strategy unclarified
  • Enterprise pricing opaque; deal sizes routinely larger than initial scoping suggested
  • Operational complexity is real (storage, unsealing, replication, namespaces all need expertise)
  • Developer ergonomics weaker than Doppler or Infisical for greenfield teams

Pricing tiers

partial
  • Vault Community (BSL)
    BSL license restricts competing commercial use; self-managed
    $0 /mo
  • HCP Vault Standard
    HashiCorp Cloud Platform managed Vault; usage-based starting roughly $1.50/hour per cluster
    Quote
  • HCP Vault Plus
    Adds replication, namespaces, advanced data protection; industry estimate $50K-$500K+ annually
    Quote
  • Vault Enterprise (self-managed)
    Industry estimate $80K-$1M+ annually for enterprise deployments
    Quote
Watch for
  • · Operational expertise for storage, unsealing, replication is a hidden line item
  • · HSM integration priced separately
  • · Implementation via certified partners $100K-$500K+ typical at enterprise scale
  • · Annual price escalators 6-10% at renewal reported

Key features

  • +Key-Value (KV) v1 and v2 static secrets engines
  • +Dynamic credentials for AWS, Azure, GCP, databases, Kubernetes, SSH
  • +PKI secrets engine for full certificate lifecycle
  • +Transit secrets engine for encryption-as-a-service
  • +Transform secrets engine for format-preserving encryption and tokenization
  • +Identity-based access policies with namespaces (Enterprise)
  • +Performance and DR replication (Enterprise)
  • +HSM auto-unseal and FIPS 140-2 build (Enterprise)
  • +Audit devices for full request logging
  • +Vault Agent and Secrets Operator for Kubernetes-native workflows
450+ integrations
KubernetesAWSAzureGCPTerraformConsulNomadServiceNowSplunkDatadogGitHub ActionsGitLab CI
Geography
Global; strongest in US, EU, APAC
View full HashiCorp Vault intelligence profile → Compare HashiCorp Vault →
#4

AWS Secrets Manager

Native AWS secrets service for AWS-anchored estates.

Founded 2018 · Seattle, WA · public · Any employees
G2 4.5 (620)
Capterra 4.5
From $0 /mo
● Transparent pricing
Visit AWS Secrets Manager

AWS Secrets Manager is the native AWS service for secrets storage, rotation, and retrieval, launched 2018 and integrated tightly with AWS KMS, IAM, RDS, Lambda, ECS, and EKS. Best fit for AWS-anchored estates where the value of native integration outweighs the cost of AWS lock-in. The pricing model (per-secret per month plus per-API-call) creates surprises for teams that did not anticipate fan-out across microservices, and rotation is automated only for a fixed set of supported AWS targets; everything else requires custom Lambda rotation functions. Cross-cloud or hybrid-estate buyers will hit the limits of an AWS-only secrets posture quickly.

Best for

AWS-anchored estates (any size) where the native integration value outweighs portability cost, and rotation targets are limited to AWS-supported services.

Worst for

Cross-cloud or hybrid-estate organizations, or buyers wanting deep dynamic credentials and PKI in one platform.

Strengths

  • Native AWS integration with KMS, IAM, RDS, Lambda, ECS, EKS
  • Automatic rotation for supported targets (RDS engines, Redshift, DocumentDB)
  • Tight IAM policy model with resource-based and identity-based policies
  • High durability and AWS-region availability inherited from the platform
  • Pricing model is fully public on the AWS pricing page
  • No separate vendor relationship for AWS-only estates

Weaknesses

  • AWS lock-in; not a portable secrets posture across clouds
  • Per-secret per month plus per-API-call pricing creates surprises at fan-out
  • Rotation automated only for fixed supported targets; everything else needs custom Lambda
  • No first-class developer UX; AWS console is acceptable but not delightful
  • No PKI engine; ACM Private CA is a separate AWS service
  • Cross-account access requires explicit policy work

Pricing tiers

public
  • Standard pricing
    $0.40 per secret per month plus $0.05 per 10,000 API calls; same rate across all regions
    $0 /mo
Watch for
  • · API call costs at high fan-out across microservices
  • · KMS key usage charges if customer-managed keys are used
  • · Custom Lambda rotation functions for non-AWS targets
  • · Cross-account access policy work is buyer-side engineering

Key features

  • +Encrypted secret storage with AWS KMS
  • +Automatic rotation for supported AWS targets (RDS, Redshift, DocumentDB)
  • +Custom rotation via Lambda functions
  • +IAM resource-based and identity-based policies
  • +CloudTrail audit logging integrated
  • +Tight integration with RDS, Lambda, ECS, EKS, CodeBuild
  • +Cross-Region replication
  • +Resource tagging and ABAC
  • +VPC endpoint support
50+ integrations
AWS LambdaAWS RDSAWS ECSAWS EKSAWS CloudTrailAWS IAMAWS KMSAWS CodeBuildHashiCorp Vault (federation)Doppler (federation)
Geography
Global (AWS regions)
View full AWS Secrets Manager intelligence profile → Compare AWS Secrets Manager →
#2

Doppler

Developer-first secrets platform for cloud-native teams.

Founded 2018 · San Francisco, CA · private · 20-2,000 employees
G2 4.7 (380)
Capterra 4.6
From $0 /mo
◐ Partial disclosure
Visit Doppler

Doppler is the developer-first secrets management platform for cloud-native engineering teams. Founded 2018, raised a $20M Series B in Feb 2022 led by CRV, and has built its reputation on the cleanest developer ergonomics in the category: Git-style branching for environments, one-line CLI integration, and a UI engineers reach for instead of avoid. 2024 brought a deliberate enterprise expansion (SSO, SCIM, audit log retention, advanced RBAC) while preserving the developer experience that drove early adoption. Best fit for engineering-led teams that do not have a HashiCorp Vault commitment; less appropriate when deep dynamic-credentials or PKI engines are the headline requirement.

Best for

Engineering-led cloud-native teams (50-2,000 employees) wanting fast onboarding and clean developer ergonomics over deepest dynamic-credentials breadth.

Worst for

Regulated enterprises needing CyberArk Conjur-tier auditor evidence trails, or PKI-heavy organizations wanting certificate lifecycle in the same platform.

Strengths

  • Cleanest developer ergonomics in the category
  • Git-style branching for environments (dev, staging, prod, plus per-branch)
  • One-line CLI integration with most languages and frameworks
  • Strong UI that engineers actually use rather than route around
  • 2024 enterprise expansion added SSO, SCIM, audit log retention, advanced RBAC
  • Pricing more transparent than legacy peers (published rates above the Team tier)

Weaknesses

  • Lighter on dynamic credentials than Vault or Akeyless
  • No PKI secrets engine; certificate lifecycle is not first-party
  • Smaller community and integration list than Vault
  • Newer entrant; multi-region replication story still maturing
  • Enterprise tier pricing opaque (Team and Pro tiers are public)

Pricing tiers

partial
  • Developer
    Free for up to 5 users; basic projects, environments, and integrations
    $0 /mo
  • Team
    $18 per seat per month annual; adds RBAC, audit logs, custom roles
    $18 /emp/mo
  • Pro
    $36 per seat per month annual; adds advanced RBAC, longer audit retention, priority support
    $36 /emp/mo
  • Enterprise
    Adds SSO/SAML, SCIM, advanced compliance; industry estimate $40K-$300K+ annually
    Quote
Watch for
  • · SSO/SAML gated to Enterprise tier (industry-standard practice but worth flagging)
  • · Audit log retention beyond 90 days requires Enterprise
  • · Custom contract terms only available at Enterprise

Key features

  • +Static secrets management with project, config, and environment hierarchy
  • +Git-style branching for environments
  • +CLI integration for most languages and frameworks
  • +Doppler Kubernetes Operator for native secret sync
  • +Integrations with AWS Secrets Manager, GCP Secret Manager, Azure Key Vault for federation
  • +Webhooks and secret-changed triggers
  • +Audit logs and granular RBAC
  • +SSO/SAML and SCIM (Enterprise)
  • +Trusted IPs and IP allowlisting
  • +Secret rotation via integrations
120+ integrations
KubernetesAWSGCPAzureVercelHerokuGitHub ActionsGitLab CIDatadogSlack
Geography
Global; strongest in US, EU
View full Doppler intelligence profile → Compare Doppler →
#3

1Password Secrets Automation

Secrets automation on top of the broader 1Password Business platform.

Founded 2005 · Toronto, Canada · private · 100-20,000 employees
G2 4.7 (1,480)
Capterra 4.7
From $8 /employee/mo
◐ Partial disclosure
Visit 1Password Secrets Automation

1Password Secrets Automation is the machine-secrets product line built on top of the broader 1Password Business platform. Founded 2005 in Toronto, the company raised a $620M Series C in Jan 2022 at a roughly $6.8B valuation led by Iconiq Growth. Secrets Automation launched 2021 and the 2024 Trelica acquisition added SaaS governance-and-discovery (shadow IT, app usage, lifecycle), positioning 1Password as a converged human+machine credentials platform. Best fit for organizations already standardized on 1Password Business that want secrets automation without adopting a separate platform; less appropriate when deep dynamic-credentials or PKI engines are the headline requirement.

Best for

Mid-market and enterprise buyers (200-10,000 employees) already standardized on 1Password Business who want machine secrets automation without adopting a separate platform.

Worst for

Engineering teams wanting Vault-tier dynamic credentials, or organizations evaluating secrets-only without a 1Password Business commitment.

Strengths

  • Built on the broader 1Password Business platform; one vendor for human and machine credentials
  • Connect server bridges on-prem CI/CD and cloud secrets workflows
  • Service Accounts model is clean and policy-driven
  • Strong CLI and SDK coverage
  • Trelica acquisition (2024) adds SaaS governance and shadow-IT discovery
  • Pricing more transparent than legacy enterprise peers (Business tier rate is public)

Weaknesses

  • Lighter on dynamic credentials than Vault or Akeyless
  • No PKI secrets engine; certificate lifecycle is not first-party
  • Best value only when 1Password Business is already in place; not a standalone-secrets buying motion
  • Secrets Automation pricing opaque (Business tier is public, Secrets Automation is custom)
  • Mid-market deployments outgrow the bundled approach when secrets become the dominant workload

Pricing tiers

partial
  • 1Password Business
    $7.99 per user per month annual; baseline for Secrets Automation eligibility
    $8 /emp/mo
  • Secrets Automation Starter
    Industry estimate $200-$1,000 per month at small-team scale
    Quote
  • Secrets Automation Business
    Industry estimate $30K-$200K+ annually mid-enterprise
    Quote
  • Enterprise
    Adds dedicated success, custom SLAs, advanced governance
    Quote
Watch for
  • · Secrets Automation priced separately above 1Password Business baseline
  • · Trelica governance (post-2024) priced separately
  • · Enterprise SSO/SCIM gated to higher tiers

Key features

  • +1Password Connect server for on-prem CI/CD and cloud bridging
  • +Service Accounts with scoped, policy-driven access
  • +CLI (op) with broad language coverage
  • +Kubernetes integration via 1Password Kubernetes Operator
  • +GitHub Actions, GitLab CI, CircleCI, Jenkins integrations
  • +Audit logs and event reporting
  • +SCIM provisioning for users and groups
  • +Trelica SaaS governance and discovery (post-2024)
  • +Secret references and dynamic injection at runtime
200+ integrations
KubernetesAWSGCPAzureGitHub ActionsGitLab CICircleCIJenkinsTerraformOkta
Geography
Global; strongest in US, EU, Canada
View full 1Password Secrets Automation intelligence profile → Compare 1Password Secrets Automation →
#8

CyberArk Conjur

CyberArk-anchored secrets management inside the Identity Security Platform.

Founded 2011 · Petach Tikva, Israel · public · 1,000-100,000+ employees
G2 4.3 (180)
Capterra 4.4
From $0 /mo
○ Sales call required
Visit CyberArk Conjur

Conjur was acquired by CyberArk in 2017 and is now the secrets-management arm of the CyberArk Identity Security Platform. Two product lines exist: Conjur Open Source (community-maintained) and Conjur Enterprise (commercial, deeply integrated with CyberArk PAM). The buying decision is usually downstream of a CyberArk PAM decision; standalone Conjur evaluations are rare because Vault, Doppler, and Akeyless win on feature depth or developer ergonomics. Best fit only when CyberArk PAM is already deployed and the buyer wants one vendor relationship for human and machine credentials.

Best for

CyberArk-anchored regulated enterprises (1,000-50,000+ employees) consolidating secrets management with PAM under the CyberArk Identity Security Platform.

Worst for

Standalone secrets buyers (Vault, Doppler, Akeyless win), or developer-led teams expecting modern ergonomics.

Strengths

  • Deepest integration with CyberArk Privileged Access Manager and Identity Security Platform
  • Conjur Open Source provides a free entry point for evaluation
  • Strong policy-as-code model (YAML-based)
  • Mature Kubernetes integration via Secretless Broker and authenticators
  • Auditor-grade evidence trails inherited from CyberArk platform
  • CyberArk public-company financial transparency

Weaknesses

  • Best value only when CyberArk PAM is already in place; rarely a standalone buying motion
  • Developer ergonomics weaker than Doppler, Infisical, or Bitwarden
  • Pricing opaque; bundled inside CyberArk Identity Security Platform pricing
  • Conjur Open Source velocity has slowed relative to community expectations
  • Smaller standalone community than Vault
  • Annual price escalators of 7-12% at renewal reported on the CyberArk umbrella contract

Pricing tiers

opaque
  • Conjur Open Source
    Apache 2.0; community-maintained
    $0 /mo
  • Conjur Enterprise (standalone)
    Industry estimate $40K-$300K+ annually; rarely sold standalone
    Quote
  • CyberArk Identity Security Platform (Conjur included)
    Industry estimate $200K-$2M+ annually; bundled with CyberArk PAM
    Quote
Watch for
  • · Modules priced separately inside the CyberArk Identity Security Platform
  • · Implementation via certified partners $100K-$500K+ at enterprise scale
  • · Annual price escalators 7-12% at renewal on the CyberArk umbrella contract

Key features

  • +Centralized policy-as-code (YAML) for secrets and access
  • +Secretless Broker for application secret-less workflows
  • +Kubernetes authenticator for native pod identity
  • +Strong integration with CyberArk Privileged Access Manager
  • +JWT and OIDC authenticators for cloud-native workloads
  • +Audit logs feed into CyberArk PAM evidence trails
  • +Role-based access control with policy inheritance
  • +CLI and SDK coverage
  • +On-prem and SaaS (CyberArk Privilege Cloud) deployment options
200+ integrations
CyberArk PAMKubernetesAWSAzureGCPServiceNowSplunkMicrosoft SentinelOktaMicrosoft Entra ID
Geography
Global; strongest in US, EU, Israel, APAC
View full CyberArk Conjur intelligence profile → Compare CyberArk Conjur →
#9

Delinea Secret Server (DevOps Secrets Vault)

Legacy Secret Server plus DevOps Secrets Vault on the Delinea Platform.

Founded 1996 · Redwood City, CA · pe backed · 200-10,000 employees
G2 4.5 (760)
Capterra 4.6
Custom quote
○ Sales call required
Visit Delinea Secret Server (DevOps Secrets Vault)

Delinea (formed when TPG merged Thycotic and Centrify in April 2021) ships two secrets products: the long-running Secret Server (legacy IT secrets vault, primarily for human admins and service accounts) and DevOps Secrets Vault (cloud-native, API-first, for ephemeral workloads). The DevOps Secrets Vault product is the credible developer-secrets story for legacy PAM portfolio buyers; standalone, it competes more directly with Vault and Doppler. Best fit when Delinea PAM is already in place or when an existing Thycotic Secret Server estate wants a cloud-native extension. Trade-offs: TPG ownership signals a sale or recap on the 3-5 year horizon, and standalone Delinea-secrets buying motions are rare.

Best for

Mid-market and lower-enterprise buyers (200-5,000 employees) already on Delinea PAM or legacy Thycotic Secret Server wanting a cloud-native DevOps secrets extension.

Worst for

Standalone-secrets buyers without a Delinea PAM commitment (Vault, Doppler, Akeyless win), or organizations needing FedRAMP High coverage.

Strengths

  • Secret Server is a long-running, mature legacy vault used in thousands of mid-market estates
  • DevOps Secrets Vault adds a cloud-native, API-first story to the legacy portfolio
  • Account Lifecycle Manager (service-account discovery and rotation) is differentiated
  • Mid-market pricing routinely under CyberArk equivalents
  • Strong customer support consistency vs PE peers
  • Tight integration with Delinea PAM (Connection Manager, Privilege Manager)

Weaknesses

  • TPG ownership implies a sale or recap on the 3-5 year horizon
  • Standalone Delinea-secrets buying motions are rare; usually downstream of Delinea PAM
  • DevOps Secrets Vault community is smaller than Vault or Doppler
  • Pricing opaque despite mid-market positioning
  • Two product lines can confuse buyers (Secret Server vs DevOps Secrets Vault)

Pricing tiers

opaque
  • Secret Server Cloud
    Industry estimate $60-$120 per user/year
    Quote
  • DevOps Secrets Vault
    Industry estimate $30K-$200K+ annually
    Quote
  • Delinea Platform bundle
    Industry estimate $150K-$600K annually mid-enterprise
    Quote
Watch for
  • · DevOps Secrets Vault priced separately from Secret Server
  • · Account Lifecycle Manager priced separately
  • · Implementation services for multi-tenant deployments
  • · Annual price escalators 5-9% at renewal reported

Key features

  • +Secret Server (vault, session brokering, session recording)
  • +DevOps Secrets Vault (cloud-native, API-first, for ephemeral workloads)
  • +Account Lifecycle Manager (service account discovery and rotation)
  • +Connection Manager for SSH/RDP session brokering
  • +Cloud Suite (Centrify-heritage Linux identity bridging)
  • +Delinea Platform unified policy engine and reporting
  • +Kubernetes integration via DSV agent
  • +Mature compliance posture (SOC 2, ISO 27001, HIPAA, FedRAMP)
  • +Tight integration with Delinea Privilege Manager (endpoint)
200+ integrations
ServiceNowSplunkMicrosoft SentinelAWSAzureGCPOktaMicrosoft Entra IDHashiCorp TerraformKubernetes
Geography
Global; strongest in US, EU, APAC
View full Delinea Secret Server (DevOps Secrets Vault) intelligence profile → Compare Delinea Secret Server (DevOps Secrets Vault) →
#6

Bitwarden Secrets Manager

Open-source heritage extended into machine secrets management.

Founded 2016 · Santa Barbara, CA · private · 50-5,000 employees
G2 4.6 (320)
Capterra 4.7
From $6 /employee/mo
● Transparent pricing
Visit Bitwarden Secrets Manager

Bitwarden built its reputation on open-source password management before extending the platform into machine secrets with Bitwarden Secrets Manager (GA 2023). The Insight Partners-led $100M+ Series A in 2022 funded enterprise expansion and the secrets-management product line. The pitch is consistent with the Bitwarden brand: open-source heritage, transparent pricing, and an approachable developer experience for teams already on Bitwarden Business or Enterprise. Feature depth still trails Vault and Doppler in dynamic credentials, but Bitwarden is a credible mid-market option, especially for organizations that prefer to buy human and machine credentials from the same vendor.

Best for

Mid-market and lower-enterprise buyers (50-3,000 employees) already on Bitwarden Password Manager who want machine secrets from the same vendor, with self-host option as a fallback.

Worst for

Regulated enterprises needing CyberArk Conjur-tier evidence trails, or organizations needing Vault-tier dynamic credentials breadth.

Strengths

  • Open-source heritage maintained for both Password Manager and Secrets Manager
  • Transparent published pricing on the Bitwarden website
  • Approachable developer experience and CLI coverage
  • Strong fit for orgs already on Bitwarden Password Manager Business or Enterprise
  • Self-host option available for fully air-gapped deployments
  • Insight Partners $100M+ Series A funded credible enterprise expansion

Weaknesses

  • Dynamic credentials coverage trails Vault and Akeyless
  • No PKI secrets engine; certificate lifecycle is not first-party
  • Secrets Manager is younger; community of practice still building
  • Best value only when Bitwarden Business is already in place
  • Audit and compliance evidence trails are lighter than enterprise peers

Pricing tiers

public
  • Bitwarden Business
    $6 per user per month annual; baseline for Secrets Manager eligibility
    $6 /emp/mo
  • Secrets Manager Team
    $6 per user per month annual; up to 5 service accounts, 50 secrets per service account
    $6 /emp/mo
  • Secrets Manager Enterprise
    $12 per user per month annual; unlimited service accounts and secrets
    $12 /emp/mo
  • Enterprise + Self-host
    Custom quote for self-host deployment with enterprise SLAs
    Quote
Watch for
  • · Service account scaling at Team tier (capped at 5)
  • · Premium support gated to higher tiers
  • · Self-host implementation is buyer-side engineering

Key features

  • +Static secrets management with project and folder hierarchy
  • +Service accounts with scoped access tokens
  • +CLI coverage and SDK (Python, Node, Ruby, Go, Rust, Java, C#)
  • +GitHub Actions, GitLab CI, Jenkins, Kubernetes integrations
  • +Audit logs and event reporting
  • +Open-source codebase with public audit history
  • +Self-host option for air-gapped deployments
  • +SSO/SAML and SCIM provisioning
  • +Hardware security key support for human authentication
90+ integrations
KubernetesAWSGitHub ActionsGitLab CIJenkinsTerraformAnsibleOktaMicrosoft Entra IDDatadog
Geography
Global; strongest in US, EU
View full Bitwarden Secrets Manager intelligence profile → Compare Bitwarden Secrets Manager →
#5

Akeyless Vault Platform

KMS-as-a-service vault-less architecture with Distributed Fragments Cryptography.

Founded 2018 · Ramat Gan, Israel · private · 500-50,000+ employees
G2 4.7 (220)
Capterra 4.6
From $0 /mo
○ Sales call required
Visit Akeyless Vault Platform

Akeyless is the vault-less KMS-as-a-service entrant founded 2018 in Israel, with a $65M Series B in April 2022 led by NGP Capital and Team8. The differentiator is Distributed Fragments Cryptography (DFC), a multi-party computation approach where Akeyless never holds full encryption keys; key fragments are split across regions and the customer controls one. This is the strongest vault-less pitch in the category for compliance teams uncomfortable with a vendor holding full keys. Feature breadth is broad (secrets, dynamic credentials, certificates, encryption-as-a-service, zero-trust access), pricing remains opaque, and the brand recognition still trails Vault and Doppler outside Israel and the regulated-financial segment.

Best for

Regulated enterprises (500-50,000 employees) in financial services, healthcare, and critical infrastructure that want vault-less SaaS with vendor-fragment cryptography rather than self-managed Vault.

Worst for

Greenfield engineering teams wanting Doppler-tier developer ergonomics, or AWS-only estates where AWS Secrets Manager native integration wins on simplicity.

Strengths

  • Distributed Fragments Cryptography (DFC): Akeyless never holds full keys
  • Vault-less SaaS architecture removes operational burden of self-managed Vault
  • Broad feature set (secrets, dynamic credentials, certificates, encryption-as-a-service)
  • Strong fit for regulated financial services skeptical of vendor-held keys
  • FIPS 140-2 validated; SOC 2 Type 2 and ISO 27001
  • Customer-fragment model is genuine architectural differentiation, not marketing

Weaknesses

  • Pricing opaque
  • Brand recognition trails Vault and Doppler outside Israel and regulated finance
  • Smaller community and integration list than Vault
  • Implementation depth required to leverage DFC properly
  • Developer ergonomics not as polished as Doppler

Pricing tiers

opaque
  • Free
    Limited free tier for evaluation
    $0 /mo
  • Team
    Industry estimate $5-$15 per client/month
    Quote
  • Enterprise
    Industry estimate $80K-$600K+ annually for enterprise deployments
    Quote
Watch for
  • · Add-on modules (Zero Trust Access, KMS) priced separately
  • · Implementation services for DFC setup
  • · Annual price escalators reported at 5-9% at renewal

Key features

  • +Distributed Fragments Cryptography (DFC) for vendor-never-holds-keys posture
  • +Static and dynamic secrets management
  • +KMS-as-a-service for encryption operations
  • +Certificate lifecycle management
  • +Encryption-as-a-service via APIs
  • +Zero Trust Application Access (ZTAA) add-on
  • +SSH and database secret rotation
  • +Kubernetes integration via Akeyless Operator
  • +Auditor-ready logging and reporting
  • +Customer fragment controlled by buyer (never with Akeyless)
180+ integrations
KubernetesAWSAzureGCPServiceNowSplunkTerraformGitHub ActionsGitLab CIOkta
Geography
Global; strongest in US, EU, Israel
View full Akeyless Vault Platform intelligence profile → Compare Akeyless Vault Platform →
#10

GitGuardian Platform

Secrets-leak detection heritage extended into management (2024).

Founded 2017 · Paris, France · private · 200-50,000+ employees
G2 4.7 (260)
Capterra 4.7
From $0 /mo
○ Sales call required
Visit GitGuardian Platform

GitGuardian was the secrets-detection-first vendor of record (its public-GitHub leak monitor put it on the map), founded 2017 in Paris and raising a $44M Series B in 2022. In 2024 the company expanded explicitly into secrets management with the Non-Human Identity (NHI) Security and Vault Insights products, framing the platform as one that finds leaked credentials and helps you rotate them at the source. The pitch is consistent: if leaked-credential discovery is the headline buyer pain, GitGuardian is unrivaled. As a standalone secrets management product, it is younger and shallower than Vault, Doppler, or Akeyless; the platform value compounds when detection and management are bought together.

Best for

Security-led buyers (CISO office, 500-20,000 employees) where leaked-credential discovery is the headline pain and management is bought alongside detection.

Worst for

Platform-engineering-led teams wanting deep dynamic credentials (Vault wins) or developer-first ergonomics (Doppler, Infisical win).

Strengths

  • Strongest leaked-credentials detection in the category (public GitHub leak monitor since 2017)
  • Non-Human Identity (NHI) Security extends detection into governance for service accounts
  • Vault Insights ties leaked credentials back to upstream vault entries
  • French-headquartered with EU data-residency and GDPR posture
  • $44M Series B 2022 funded enterprise expansion into management
  • Strong fit for security-led buyers (CISO office), less so for platform-engineering buyers

Weaknesses

  • Standalone secrets management is younger and shallower than Vault, Doppler, or Akeyless
  • Best value only when detection plus management are bought together
  • Smaller community of practice on the management side
  • Pricing opaque
  • Less developer ergonomic than Doppler or Infisical
  • Dynamic credentials coverage narrower than Vault or Akeyless

Pricing tiers

opaque
  • Free (public repos)
    Public GitHub repo monitoring; up to 25 developers
    $0 /mo
  • Business (Detection)
    Industry estimate $15-$30 per developer/month
    Quote
  • Enterprise (Detection + NHI Security + Vault Insights)
    Industry estimate $60K-$500K+ annually for enterprise deployments
    Quote
Watch for
  • · NHI Security and Vault Insights priced separately above detection baseline
  • · Implementation services for large estates
  • · Annual price escalators 6-10% at renewal reported

Key features

  • +Public GitHub repo leak monitoring (free tier and paid)
  • +Internal repo and CI/CD pipeline secrets scanning
  • +Non-Human Identity (NHI) Security for service-account governance
  • +Vault Insights to tie leaked credentials back to upstream vault entries
  • +Honeytoken generation and detection
  • +Audit logs and event reporting
  • +SSO/SAML and SCIM provisioning
  • +Slack and PagerDuty incident routing
  • +On-prem self-hosted option for regulated buyers
120+ integrations
GitHubGitLabBitbucketAWSAzureGCPHashiCorp VaultCyberArk ConjurSlackPagerDuty
Geography
Global; strongest in EU, US
View full GitGuardian Platform intelligence profile → Compare GitGuardian Platform →

Frequently asked questions

The questions buyers actually ask before they sign.

How does APRA CPS 234 affect secrets management tool selection?
CPS 234 requires APRA-regulated entities to maintain an information security capability covering all material information assets, including credentials and cryptographic keys. In practice, banks expect a secrets management deployment that produces auditable evidence of rotation, access and revocation, plus alignment with ASD Essential Eight ML2/3 cryptographic key management requirements. HashiCorp Vault Enterprise, AWS Secrets Manager (with appropriate logging) and Azure Key Vault all meet this bar with proper configuration. Open-source options need a clear assurance model.
Does Essential Eight ML2 or ML3 apply to non-government Aussie firms?
Essential Eight is mandatory for federal government and strongly recommended for state government. APRA-regulated entities are not formally bound but increasingly map their security capability to ML2/3 because APRA expects them to and shareholders expect them to post-Optus and Medibank. ASX 200 boards now ask about Essential Eight maturity as standard. ML2 covers cryptographic key management and restricted privileged access; ML3 adds tighter controls. Aussie SaaS scale-ups commonly run ML2 by Series C.
AWS Secrets Manager vs HashiCorp Vault for an Aussie 200-person SaaS?
AWS Secrets Manager if workloads are AWS-only, you want zero infrastructure to operate, and the Aussie team is comfortable inside the AWS console. HashiCorp Vault if workloads span clouds, you want centralised dynamic-secret generation, or compliance requires a vendor-agnostic abstraction layer. Most Aussie 100-500-person SaaS firms start on AWS Secrets Manager and add Vault when multi-cloud or dynamic-secret requirements emerge.
Do federal-government workloads need IRAP-assessed secrets management?
PROTECTED-level workloads at Services Australia, ATO, DTA and Defence require IRAP-assessed processing. Azure Key Vault on Azure Australia Central, AWS Secrets Manager and HashiCorp Vault Enterprise all have IRAP coverage. Doppler, Bitwarden Secrets and Infisical do not currently service PROTECTED workloads. OFFICIAL-tier government use has more flexibility but still benefits from IRAP-assessed vendors.
HashiCorp Vault vs Doppler vs AWS Secrets Manager: which one fits us?
Use Vault when you need the deepest secrets, PKI, and dynamic-credentials platform across mixed cloud and on-prem estates, and have operational expertise to run it (or pay for HCP Vault). Use Doppler when you are an engineering-led cloud-native team that prizes developer ergonomics, fast onboarding, and clean environment branching. Use AWS Secrets Manager when you are an AWS-only estate where native KMS/IAM/RDS integration outweighs portability cost. The three rarely overlap on a single shortlist.
What does HashiCorp Vault BSL license actually mean for us?
The Business Source License (BSL) restricts competing commercial use of Vault by other vendors, while permitting most direct end-user deployments. Practically: you can still deploy Vault yourself for internal use, with a four-year time-delayed conversion to Mozilla Public License (MPL). The trust hit was twofold: open-source community projects (OpenBao, OpenTofu) forked under Linux Foundation governance, and enterprises now factor BSL risk into long-horizon platform decisions, especially post-IBM acquisition close in Feb 2025.
Why does secrets rotation matter, and when is it worth automating?
Rotation matters because static long-lived credentials are the single largest blast-radius vector when a breach happens (an attacker can replay the credential for as long as it lives). Automate rotation as soon as you have more than about 50 service accounts or any database credentials sitting in version-control or wikis. Tools like Vault, Akeyless, and AWS Secrets Manager support automatic rotation for supported targets; everything else typically needs a custom rotation function (Lambda for AWS, Functions for Azure, etc.).
KMS vs vault: are they different things?
Yes. A KMS (Key Management Service) manages encryption keys and performs encryption/decryption operations (AWS KMS, GCP KMS, Azure Key Vault). A secrets vault stores the application secrets themselves (passwords, API keys, OAuth tokens) and often uses a KMS as its backing encryption layer. Some platforms blur the line: Akeyless is KMS-as-a-service plus secrets, AWS Secrets Manager uses AWS KMS underneath. Practically, ask whether the product holds your application secrets or only your encryption keys.
Is AWS Secrets Manager lock-in a real problem for us?
Yes if you are likely to add Azure or GCP workloads, or if you want to support a hybrid on-prem estate. Migrating off AWS Secrets Manager later requires rewriting integration points (IAM policies, KMS dependencies, rotation Lambdas), and the rotation automation is AWS-target-specific. If you are 100 percent AWS today and likely to stay that way, lock-in is a price worth paying for native integration. If multi-cloud is on the roadmap, start with Vault, Doppler, or Akeyless and federate to cloud services rather than the other way around.
How is GitGuardian different from a secrets management platform?
GitGuardian started as a detection product (find leaked secrets in public and private repos) and expanded into management with Non-Human Identity Security and Vault Insights in 2024. As a pure secrets management platform, it is younger and shallower than Vault or Doppler. The platform shines when you buy detection plus management together: leaked credentials in repos get tied back to upstream vault entries, and rotation closes the loop. Buyers led by CISO offices typically pick GitGuardian; buyers led by platform-engineering pick Vault or Doppler.
When does an organization actually need secrets management?
You need secrets management when you have more than about 25 services or environments and credentials are spilling into.env files, CI/CD variables, wikis, or chat. Symptoms: developers ping the platform team for credentials, audits flag credential reuse, you cannot answer who rotated the database password last quarter. Below that scale, AWS Secrets Manager or a per-app.env workflow with environment-variable injection is usually enough. Above it, you need a platform with audit logs, RBAC, rotation, and dynamic credentials.
What is a dynamic credential, and why does it matter?
A dynamic credential is one that is generated on demand, scoped narrowly, and expires after a short TTL (minutes to hours), instead of being a long-lived static value. Example: Vault generates a fresh AWS IAM credential each time a CI pipeline runs, with permissions limited to the job, and the credential expires when the pipeline finishes. Dynamic credentials collapse the blast radius of a compromise; static credentials retain full power until manually rotated. Vault, Akeyless, and CyberArk Conjur lead on dynamic credentials breadth.
Should we self-host Vault, OpenBao, Infisical, or Bitwarden Secrets Manager?
Self-host when you have an absolute data-residency or air-gap requirement and the operational expertise to run encrypted storage, replication, and unsealing properly. OpenBao (the BSL-free Vault fork) is the OSS choice if you reject the BSL. Infisical and Bitwarden Secrets Manager are easier to self-host than Vault but trade depth on dynamic credentials. The hidden cost of self-host is always operational: secret backups, unseal-key recovery, replication health, and patching. Most teams under 1,000 employees should use SaaS (HCP Vault, Doppler, AWS Secrets Manager, Bitwarden Cloud) unless self-host is a hard requirement.
How does Zendikt verify pricing and trust scores?
Pricing data comes from public vendor pages, reseller quotes, and 280+ anonymized buyer disclosures aggregated through the Zendikt verified-pricing program. Industry estimates are explicitly flagged in tier notes. Trust events come from public 10-K filings, breach disclosures filed with regulators, reported M&A activity, and license-change announcements. Vendor Trust Score is the unweighted mean of six independent subscores (pricing transparency, contract fairness, incident response, post-acquisition behavior, executive stability, roadmap honesty) and is tracked separately from product quality on purpose: a strong product owned by a punitive vendor or saddled with a hostile license is still a bad five-year decision.

Final word

Looking at a different market? See the global Secrets Management Software ranking, or pick another country at the top of this page.

Last updated 2026-05-24. Local pricing reverified quarterly. Found something inaccurate? Tell us.