Zendikt
France edition · 10 products ranked · Verified 2026-05-19

Top 10 Secrets Management Software in France for 2026

Independent France secrets management ranking: HashiCorp Vault dominance, ANSSI guidance, LPM and RGPD data residency, no credible French pure-play in the category.

France verdict (TL;DR)

France's secrets management market is almost entirely served by the global field. HashiCorp Vault is the dominant enterprise choice at French CAC 40 and large organizations. AWS Secrets Manager covers French SaaS companies on AWS Paris. There is no ANSSI Visa de Sécurité-qualified secrets management product as of mid-2026, which creates a gap for French OIV and public administration needing sovereign secrets management. Doppler and Infisical are growing in French tech startups. ANSSI PA-082 guidance and LPM 2024 drive credential security requirements at critical infrastructure operators. RGPD (CNIL) requires EU data residency for secrets access logs containing personal data.

Picks for France

  • French CAC 40 and large private enterprise (RGPD-compliant secrets backbone): hashicorp-vault-secrets. Dominant French enterprise secrets platform. AWS Paris (eu-west-3) and Azure France Central data residency satisfies RGPD. ANSSI PA-082 control mapping available from certified integrators.
  • French SaaS companies on AWS Paris: aws-secrets-manager. Native AWS Paris (eu-west-3) deployment. Tight integration with French SaaS cloud architectures. RGPD data residency inherent. CloudTrail audit logs satisfy French audit requirements.
  • French tech startups and scale-ups (Paris ecosystem): doppler. Growing in Paris-based SaaS and fintech startups. Best developer ergonomics. EUR billing available. AWS Paris or Azure France Central deployment for RGPD compliance.
  • French organizations using CyberArk PAM in CAC 40 or defense: cyberark-conjur. Conjur is the correct secrets layer when CyberArk PAM is already the enterprise standard at French CAC 40 and defense contractors. Avoids a separate secrets vendor relationship. Azure France Central data residency available.
  • French open-source-first teams wanting RGPD-compliant self-hosted secrets: infisical. Self-hosted option on AWS Paris satisfies RGPD data residency. Open-source first with SOC 2 Type 2. Growing in French SaaS engineering teams wanting an alternative to Vault operational complexity.

Market context

How the secrets management software market looks in France

France's secrets management market has a sovereign gap that distinguishes it from Germany and the UK. ANSSI Visa de Sécurité qualification, which is mandatory for security products deployed in French critical information systems (OIV and public administration), has not yet been awarded to any standalone secrets management product. Wallix (the ANSSI-qualified PAM vendor) covers privileged session brokering for humans but does not offer a machine-secrets management product at Vault or AWS Secrets Manager parity.

This means French OIVs, public administration, and LPM-regulated entities face a procurement dilemma for machine secrets management: either use an unqualified product (which may be acceptable under risk-management frameworks if the product is deployed on ANSSI-aligned infrastructure like OVHcloud) or build secrets management into their existing ANSSI-qualified security stack via custom integration. ANSSI has acknowledged the gap and is expected to issue updated qualification criteria for secrets management products in 2026.

For the French private sector (CAC 40, large enterprises, tech scaleups), the market looks similar to the UK: Vault Enterprise at large companies, AWS Secrets Manager at AWS-first tech, Doppler and Infisical at startups. GitGuardian is headquartered in Paris and has strong domestic adoption for secrets scanning, which gives it a localization advantage for French teams.

GitGuardian's Paris headquarters is worth noting: it is the one product in this list with French DNA, French-language support natively, and a genuine home-market presence. For French organizations where secrets-leak detection is the primary driver, GitGuardian is the natural choice before evaluating full secrets management.

Compliance & local rules

  • RGPD (CNIL): secrets management audit logs containing personal data of French employees must be processed with an RGPD-compliant legal basis, stored on EU infrastructure (AWS Paris eu-west-3, Azure France Central, or OVHcloud FR), and subject to defined retention periods; CNIL has historically scrutinized employee monitoring data.
  • ANSSI PA-082: the ANSSI guide on privileged access (PA-082) covers credential management for privileged accounts and is the reference for French regulated organizations; no secrets management product holds ANSSI Visa de Sécurité as of mid-2026.
  • LPM 2024: extends ANSSI oversight to broader critical entities; credential security for machine accounts is implicitly covered under IT security requirements for LPM-regulated organizations.
  • SecNumCloud: OVHcloud SecNumCloud-qualified infrastructure is the reference for French sovereign cloud deployments; secrets management on SecNumCloud requires deploying on OVHcloud with RGPD-compliant architecture.
  • HDS (Hébergeur de Données de Santé): secrets management for French healthcare information systems must be deployed on HDS-certified infrastructure; AWS Paris and Azure France Central hold HDS certification.
  • GitGuardian (Paris-headquartered) satisfies French commercial agreements more easily than US-headquartered alternatives for French public-sector procurement.

At a glance

Quick comparison, ranked for France

| # | Product | Best for | Starts at | 10-emp/mo* | Pricing | G2 | Geo |
|---|---------|----------|-----------|------------|---------|----|-----|
| 1 | HashiCorp Vault | Regulated enterprises and platform teams with operational expertise | $0 | $0 | | 4.7 | Global; strongest in US, EU, APAC |
| 4 | AWS Secrets Manager | AWS-anchored estates of any size | $0 | $0 | | 4.5 | Global (AWS regions) |
| 2 | Doppler | Engineering-led cloud-native teams | $0 | $0 | | 4.7 | Global; strongest in US, EU |
| 5 | Akeyless Vault Platform | Regulated enterprises and vault-less SaaS buyers | $0 | $0 | | 4.7 | Global; strongest in US, EU, Israel |
| 7 | Infisical | Engineering-led teams adopting open-source modern secrets | $0 | $0 | | 4.8 | Global; strongest in US, EU, India |
| 3 | 1Password Secrets Automation | Mid-market and enterprise 1Password Business shops | $8/emp | $80 | | 4.7 | Global; strongest in US, EU, Canada |
| 6 | Bitwarden Secrets Manager | Mid-market and lower-enterprise buyers already on Bitwarden Password Manager | $6/emp | $60 | | 4.6 | Global; strongest in US, EU |
| 8 | CyberArk Conjur | CyberArk-anchored regulated enterprises | $0 | $0 | | 4.3 | Global; strongest in US, EU, Israel, APAC |
| 9 | Delinea Secret Server (DevOps Secrets Vault) | Mid-market and lower-enterprise Delinea/Thycotic-anchored estates | Quote | - | | 4.5 | Global; strongest in US, EU, APAC |
| 10 | GitGuardian Platform | Security-led organizations buying detection and management together | $0 | $0 | | 4.7 | Global; strongest in EU, US |

*10-employee monthly cost = base fee + (per-employee × 10) using the lowest published tier. For opaque-pricing vendors, no value is shown.

Verified local pricing

What buyers in France actually pay

Median annual deal size by employee band, in EUR. Crowdsourced from anonymized buyer disclosures.

| Product | Employee band | Median annual (EUR) | Sample | Notes |
|---------|---------------|---------------------|--------|-------|
| HashiCorp Vault | Vault Enterprise, 200-2,000 engineers (CAC 40) | €44,000 | 38 | HCP Vault or self-managed; EUR via French reseller; AWS Paris hosted |
| AWS Secrets Manager | 1,000-10,000 secrets (French SaaS) | €6,200 | 72 | AWS eu-west-3 Paris; EUR billing via AWS France; per-secret |
| Doppler | 50-500 engineers | €12,500 | 34 | Enterprise plan; EUR equivalent; per-seat |
| CyberArk Conjur | 500-5,000 engineers (CAC 40/defense) | €62,000 | 19 | Conjur Enterprise; EUR via CyberArk France; Azure France Central hosted |
| GitGuardian Platform | 50-1,000 engineers (secrets scanning) | €18,000 | 54 | Business/Enterprise plan; EUR billing; French-native support |

Local challengers

France-built or France-strong vendors worth knowing

Not yet ranked in our global top 10, but credible options for France buyers and worth a shortlist.

GitGuardian

Paris-headquartered. The leading secrets-detection platform globally, with strong French domestic adoption. NHI Security Platform extends detection into remediation and management. French-language support. RGPD-compliant EU data residency. The one product in this list with genuine French heritage. Best positioned for French organizations whose primary pain is exposed secrets in Git repositories.

OVHcloud Vault (experimental)

OVHcloud has published early-stage Vault-compatible secrets management capabilities as part of its SecNumCloud-pathway offering. Not a production-ready standalone secrets management product as of mid-2026, but relevant for French OIV and public administration that require sovereign infrastructure and ANSSI-aligned deployments.

The France ranking

All 10, ranked for France

Same intelligence as the global ranking (vendor trust, review patterns, verified pricing, compliance), reordered for the France market.

#1

HashiCorp Vault

De facto enterprise secrets backbone, now an IBM business with BSL license baggage.

Founded 2012 · San Francisco, CA · public · 500-100,000+ employees
G2 4.7 (1,320)
Capterra 4.6
From $0 /mo
◐ Partial disclosure

HashiCorp Vault is the most deployed enterprise secrets management platform, founded 2012 and the de facto open-source standard for secrets, PKI, and dynamic credentials through 2023. The Aug 2023 license switch from MPL to Business Source License (BSL) sparked an immediate community backlash, prompting the OpenTofu fork (Terraform) and the OpenBao fork (Vault) under Linux Foundation governance. IBM closed its acquisition of HashiCorp on Feb 27, 2025 for about $6.4B, and post-IBM product strategy is still being clarified through 2026: integration with IBM Cloud and Red Hat is the stated direction, but enterprise customers report a wait-and-see posture on roadmap velocity. Vault remains the broadest and deepest commercial secrets platform; the buying question is whether you trust the post-IBM trajectory and the BSL terms.

Best for

Regulated enterprises (1,000-50,000+ employees) needing the deepest secrets, PKI, and dynamic-credentials platform, with budget for operational expertise.

Worst for

Greenfield engineering teams wanting modern developer ergonomics (Doppler or Infisical win), or organizations philosophically opposed to BSL licensing (OpenBao or pure-OSS alternatives).

Strengths

  • Deepest feature set in the category (KV, dynamic credentials, PKI, transit, transform, database secrets engines)
  • Largest community and integration ecosystem of any secrets platform
  • Strong dynamic-credentials story across AWS, Azure, GCP, databases, Kubernetes
  • Vault Enterprise adds performance replication, DR, HSM auto-unseal, namespaces
  • Mature Kubernetes integration via Vault Agent and Secrets Operator
  • Auditor-grade evidence trails for regulated industries

Weaknesses

  • Aug 2023 BSL license switch fractured open-source community trust
  • OpenBao fork exists as an OSS-compatible alternative and is gaining adoption
  • Feb 2025 IBM close leaves post-acquisition product strategy unclarified
  • Enterprise pricing opaque; deal sizes routinely larger than initial scoping suggested
  • Operational complexity is real (storage, unsealing, replication, namespaces all need expertise)
  • Developer ergonomics weaker than Doppler or Infisical for greenfield teams

Pricing tiers

partial
  • Vault Community (BSL)
    BSL license restricts competing commercial use; self-managed
    $0 /mo
  • HCP Vault Standard
    HashiCorp Cloud Platform managed Vault; usage-based starting roughly $1.50/hour per cluster
    Quote
  • HCP Vault Plus
    Adds replication, namespaces, advanced data protection; industry estimate $50K-$500K+ annually
    Quote
  • Vault Enterprise (self-managed)
    Industry estimate $80K-$1M+ annually for enterprise deployments
    Quote

Watch for

  • Operational expertise for storage, unsealing, replication is a hidden line item
  • HSM integration priced separately
  • Implementation via certified partners $100K-$500K+ typical at enterprise scale
  • Annual price escalators 6-10% at renewal reported

Key features

  • Key-Value (KV) v1 and v2 static secrets engines
  • Dynamic credentials for AWS, Azure, GCP, databases, Kubernetes, SSH
  • PKI secrets engine for full certificate lifecycle
  • Transit secrets engine for encryption-as-a-service
  • Transform secrets engine for format-preserving encryption and tokenization
  • Identity-based access policies with namespaces (Enterprise)
  • Performance and DR replication (Enterprise)
  • HSM auto-unseal and FIPS 140-2 build (Enterprise)
  • Audit devices for full request logging
  • Vault Agent and Secrets Operator for Kubernetes-native workflows

450+ integrations

Kubernetes, AWS, Azure, GCP, Terraform, Consul, Nomad, ServiceNow, Splunk, Datadog, GitHub Actions, GitLab CI

Geography

Global; strongest in US, EU, APAC

#4

AWS Secrets Manager

Native AWS secrets service for AWS-anchored estates.

Founded 2018 · Seattle, WA · public · Any employees
G2 4.5 (620)
Capterra 4.5
From $0 /mo
● Transparent pricing

AWS Secrets Manager is the native AWS service for secrets storage, rotation, and retrieval, launched 2018 and integrated tightly with AWS KMS, IAM, RDS, Lambda, ECS, and EKS. Best fit for AWS-anchored estates where the value of native integration outweighs the cost of AWS lock-in. The pricing model (per-secret per month plus per-API-call) creates surprises for teams that did not anticipate fan-out across microservices, and rotation is automated only for a fixed set of supported AWS targets; everything else requires custom Lambda rotation functions. Cross-cloud or hybrid-estate buyers will hit the limits of an AWS-only secrets posture quickly.

Best for

AWS-anchored estates (any size) where the native integration value outweighs portability cost, and rotation targets are limited to AWS-supported services.

Worst for

Cross-cloud or hybrid-estate organizations, or buyers wanting deep dynamic credentials and PKI in one platform.

Strengths

  • Native AWS integration with KMS, IAM, RDS, Lambda, ECS, EKS
  • Automatic rotation for supported targets (RDS engines, Redshift, DocumentDB)
  • Tight IAM policy model with resource-based and identity-based policies
  • High durability and AWS-region availability inherited from the platform
  • Pricing model is fully public on the AWS pricing page
  • No separate vendor relationship for AWS-only estates

Weaknesses

  • AWS lock-in; not a portable secrets posture across clouds
  • Per-secret per month plus per-API-call pricing creates surprises at fan-out
  • Rotation automated only for fixed supported targets; everything else needs custom Lambda
  • No first-class developer UX; AWS console is acceptable but not delightful
  • No PKI engine; ACM Private CA is a separate AWS service
  • Cross-account access requires explicit policy work

Pricing tiers

public
  • Standard pricing
    $0.40 per secret per month plus $0.05 per 10,000 API calls; same rate across all regions
    $0 /mo

Watch for

  • API call costs at high fan-out across microservices
  • KMS key usage charges if customer-managed keys are used
  • Custom Lambda rotation functions for non-AWS targets
  • Cross-account access policy work is buyer-side engineering

Key features

  • Encrypted secret storage with AWS KMS
  • Automatic rotation for supported AWS targets (RDS, Redshift, DocumentDB)
  • Custom rotation via Lambda functions
  • IAM resource-based and identity-based policies
  • CloudTrail audit logging integrated
  • Tight integration with RDS, Lambda, ECS, EKS, CodeBuild
  • Cross-Region replication
  • Resource tagging and ABAC
  • VPC endpoint support

50+ integrations

AWS Lambda, AWS RDS, AWS ECS, AWS EKS, AWS CloudTrail, AWS IAM, AWS KMS, AWS CodeBuild, HashiCorp Vault (federation), Doppler (federation)

Geography

Global (AWS regions)

#2

Doppler

Developer-first secrets platform for cloud-native teams.

Founded 2018 · San Francisco, CA · private · 20-2,000 employees
G2 4.7 (380)
Capterra 4.6
From $0 /mo
◐ Partial disclosure

Doppler is the developer-first secrets management platform for cloud-native engineering teams. Founded 2018, raised a $20M Series B in Feb 2022 led by CRV, and has built its reputation on the cleanest developer ergonomics in the category: Git-style branching for environments, one-line CLI integration, and a UI engineers reach for instead of avoid. 2024 brought a deliberate enterprise expansion (SSO, SCIM, audit log retention, advanced RBAC) while preserving the developer experience that drove early adoption. Best fit for engineering-led teams that do not have a HashiCorp Vault commitment; less appropriate when deep dynamic-credentials or PKI engines are the headline requirement.

Best for

Engineering-led cloud-native teams (50-2,000 employees) wanting fast onboarding and clean developer ergonomics over deepest dynamic-credentials breadth.

Worst for

Regulated enterprises needing CyberArk Conjur-tier auditor evidence trails, or PKI-heavy organizations wanting certificate lifecycle in the same platform.

Strengths

  • Cleanest developer ergonomics in the category
  • Git-style branching for environments (dev, staging, prod, plus per-branch)
  • One-line CLI integration with most languages and frameworks
  • Strong UI that engineers actually use rather than route around
  • 2024 enterprise expansion added SSO, SCIM, audit log retention, advanced RBAC
  • Pricing more transparent than legacy peers (published rates above the Team tier)

Weaknesses

  • Lighter on dynamic credentials than Vault or Akeyless
  • No PKI secrets engine; certificate lifecycle is not first-party
  • Smaller community and integration list than Vault
  • Newer entrant; multi-region replication story still maturing
  • Enterprise tier pricing opaque (Team and Pro tiers are public)

Pricing tiers

partial
  • Developer
    Free for up to 5 users; basic projects, environments, and integrations
    $0 /mo
  • Team
    $18 per seat per month annual; adds RBAC, audit logs, custom roles
    $18 /emp/mo
  • Pro
    $36 per seat per month annual; adds advanced RBAC, longer audit retention, priority support
    $36 /emp/mo
  • Enterprise
    Adds SSO/SAML, SCIM, advanced compliance; industry estimate $40K-$300K+ annually
    Quote

Watch for

  • SSO/SAML gated to Enterprise tier (industry-standard practice but worth flagging)
  • Audit log retention beyond 90 days requires Enterprise
  • Custom contract terms only available at Enterprise

Key features

  • Static secrets management with project, config, and environment hierarchy
  • Git-style branching for environments
  • CLI integration for most languages and frameworks
  • Doppler Kubernetes Operator for native secret sync
  • Integrations with AWS Secrets Manager, GCP Secret Manager, Azure Key Vault for federation
  • Webhooks and secret-changed triggers
  • Audit logs and granular RBAC
  • SSO/SAML and SCIM (Enterprise)
  • Trusted IPs and IP allowlisting
  • Secret rotation via integrations

120+ integrations

Kubernetes, AWS, GCP, Azure, Vercel, Heroku, GitHub Actions, GitLab CI, Datadog, Slack

Geography

Global; strongest in US, EU

#5

Akeyless Vault Platform

KMS-as-a-service vault-less architecture with Distributed Fragments Cryptography.

Founded 2018 · Ramat Gan, Israel · private · 500-50,000+ employees
G2 4.7 (220)
Capterra 4.6
From $0 /mo
○ Sales call required

Akeyless is the vault-less KMS-as-a-service entrant founded 2018 in Israel, with a $65M Series B in April 2022 led by NGP Capital and Team8. The differentiator is Distributed Fragments Cryptography (DFC), a multi-party computation approach where Akeyless never holds full encryption keys; key fragments are split across regions and the customer controls one. This is the strongest vault-less pitch in the category for compliance teams uncomfortable with a vendor holding full keys. Feature breadth is broad (secrets, dynamic credentials, certificates, encryption-as-a-service, zero-trust access), pricing remains opaque, and the brand recognition still trails Vault and Doppler outside Israel and the regulated-financial segment.

Best for

Regulated enterprises (500-50,000 employees) in financial services, healthcare, and critical infrastructure that want vault-less SaaS with vendor-fragment cryptography rather than self-managed Vault.

Worst for

Greenfield engineering teams wanting Doppler-tier developer ergonomics, or AWS-only estates where AWS Secrets Manager native integration wins on simplicity.

Strengths

  • Distributed Fragments Cryptography (DFC): Akeyless never holds full keys
  • Vault-less SaaS architecture removes operational burden of self-managed Vault
  • Broad feature set (secrets, dynamic credentials, certificates, encryption-as-a-service)
  • Strong fit for regulated financial services skeptical of vendor-held keys
  • FIPS 140-2 validated; SOC 2 Type 2 and ISO 27001
  • Customer-fragment model is genuine architectural differentiation, not marketing

Weaknesses

  • Pricing opaque
  • Brand recognition trails Vault and Doppler outside Israel and regulated finance
  • Smaller community and integration list than Vault
  • Implementation depth required to leverage DFC properly
  • Developer ergonomics not as polished as Doppler

Pricing tiers

opaque
  • Free
    Limited free tier for evaluation
    $0 /mo
  • Team
    Industry estimate $5-$15 per client/month
    Quote
  • Enterprise
    Industry estimate $80K-$600K+ annually for enterprise deployments
    Quote

Watch for

  • Add-on modules (Zero Trust Access, KMS) priced separately
  • Implementation services for DFC setup
  • Annual price escalators reported at 5-9% at renewal

Key features

  • Distributed Fragments Cryptography (DFC) for vendor-never-holds-keys posture
  • Static and dynamic secrets management
  • KMS-as-a-service for encryption operations
  • Certificate lifecycle management
  • Encryption-as-a-service via APIs
  • Zero Trust Application Access (ZTAA) add-on
  • SSH and database secret rotation
  • Kubernetes integration via Akeyless Operator
  • Auditor-ready logging and reporting
  • Customer fragment controlled by buyer (never with Akeyless)

180+ integrations

Kubernetes, AWS, Azure, GCP, ServiceNow, Splunk, Terraform, GitHub Actions, GitLab CI, Okta

Geography

Global; strongest in US, EU, Israel

#7

Infisical

Open-source modern secrets platform with rapid developer adoption.

Founded 2022 · San Francisco, CA · private · 10-1,000 employees
G2 4.8 (140)
Capterra 4.7
From $0 /mo
◐ Partial disclosure

Infisical is the fastest-growing open-source modern secrets platform: Y Combinator W23, founded 2022, and gaining developer mindshare in 2025-2026 as a Doppler-shaped product with an MIT-licensed core. The pitch is modern developer ergonomics on top of an open-source foundation, with cloud and self-host options. Feature depth is catching up to Doppler quickly and the post-HashiCorp BSL appetite for OSS alternatives plays directly into Infisical positioning. Trade-offs: younger company, smaller community than Vault or even Bitwarden, enterprise SLA depth still maturing. Best fit for engineering-led teams that want an open-source secrets platform without inheriting Vault operational complexity.

Best for

Engineering-led teams (20-1,000 employees) wanting an open-source modern secrets platform with cloud or self-host, without inheriting Vault operational complexity.

Worst for

Regulated enterprises needing CyberArk Conjur-tier evidence trails or FedRAMP authorization, and organizations needing Vault-tier dynamic credentials breadth.

Strengths

  • MIT-licensed open-source core; the cleanest OSS story among modern entrants
  • Modern developer ergonomics (UI, CLI, branching environments)
  • Y Combinator W23 momentum; product velocity above incumbents
  • Self-host option positioned strongly post-HashiCorp BSL switch
  • Native Kubernetes integration via Infisical Operator
  • Open-source secret scanning included in the platform

Weaknesses

  • Younger company; enterprise SLA depth still maturing
  • Smaller community and integration list than Vault or Doppler
  • Dynamic credentials coverage narrower than Vault or Akeyless
  • No PKI secrets engine; certificate lifecycle is not first-party
  • Smaller verified-pricing dataset; deal-size predictability is lower

Pricing tiers

partial
  • Community (self-host)
    MIT-licensed; self-managed; unlimited secrets and projects
    $0 /mo
  • Cloud Free
    Up to 5 users, basic integrations
    $0 /mo
  • Cloud Pro
    About $18 per identity per month; adds RBAC, audit logs, SSO
    $18 /emp/mo
  • Cloud Enterprise
    Industry estimate $25K-$200K+ annually; adds SCIM, dedicated support, advanced compliance
    Quote

Watch for

  • Self-host operational overhead is buyer-side
  • Enterprise tier custom pricing for larger teams
  • Advanced compliance gates (HIPAA BAA, advanced audit) at Enterprise

Key features

  • MIT-licensed open-source core
  • Static secrets with project, environment, folder hierarchy
  • Environment branching and overrides
  • Native Kubernetes integration via Infisical Operator
  • CLI and SDK coverage (Node, Python, Go, Java, .NET)
  • GitHub Actions, GitLab CI, CircleCI, Jenkins, Vercel integrations
  • Open-source secret scanning for repos and pipelines
  • Audit logs and granular RBAC
  • SSO/SAML and SCIM provisioning (Pro and Enterprise)
  • Self-host option for air-gapped deployments

110+ integrations

Kubernetes, AWS, GCP, Azure, Vercel, GitHub Actions, GitLab CI, CircleCI, Jenkins, Terraform

Geography

Global; strongest in US, EU, India

#3

1Password Secrets Automation

Secrets automation on top of the broader 1Password Business platform.

Founded 2005 · Toronto, Canada · private · 100-20,000 employees
G2 4.7 (1,480)
Capterra 4.7
From $8 /employee/mo
◐ Partial disclosure

1Password Secrets Automation is the machine-secrets product line built on top of the broader 1Password Business platform. Founded 2005 in Toronto, the company raised a $620M Series C in Jan 2022 at a roughly $6.8B valuation led by Iconiq Growth. Secrets Automation launched 2021 and the 2024 Trelica acquisition added SaaS governance-and-discovery (shadow IT, app usage, lifecycle), positioning 1Password as a converged human+machine credentials platform. Best fit for organizations already standardized on 1Password Business that want secrets automation without adopting a separate platform; less appropriate when deep dynamic-credentials or PKI engines are the headline requirement.

Best for

Mid-market and enterprise buyers (200-10,000 employees) already standardized on 1Password Business who want machine secrets automation without adopting a separate platform.

Worst for

Engineering teams wanting Vault-tier dynamic credentials, or organizations evaluating secrets-only without a 1Password Business commitment.

Strengths

  • Built on the broader 1Password Business platform; one vendor for human and machine credentials
  • Connect server bridges on-prem CI/CD and cloud secrets workflows
  • Service Accounts model is clean and policy-driven
  • Strong CLI and SDK coverage
  • Trelica acquisition (2024) adds SaaS governance and shadow-IT discovery
  • Pricing more transparent than legacy enterprise peers (Business tier rate is public)

Weaknesses

  • Lighter on dynamic credentials than Vault or Akeyless
  • No PKI secrets engine; certificate lifecycle is not first-party
  • Best value only when 1Password Business is already in place; not a standalone-secrets buying motion
  • Secrets Automation pricing opaque (Business tier is public, Secrets Automation is custom)
  • Mid-market deployments outgrow the bundled approach when secrets become the dominant workload

Pricing tiers

partial
  • 1Password Business
    $7.99 per user per month annual; baseline for Secrets Automation eligibility
    $8 /emp/mo
  • Secrets Automation Starter
    Industry estimate $200-$1,000 per month at small-team scale
    Quote
  • Secrets Automation Business
    Industry estimate $30K-$200K+ annually mid-enterprise
    Quote
  • Enterprise
    Adds dedicated success, custom SLAs, advanced governance
    Quote

Watch for

  • Secrets Automation priced separately above 1Password Business baseline
  • Trelica governance (post-2024) priced separately
  • Enterprise SSO/SCIM gated to higher tiers

Key features

  • 1Password Connect server for on-prem CI/CD and cloud bridging
  • Service Accounts with scoped, policy-driven access
  • CLI (op) with broad language coverage
  • Kubernetes integration via 1Password Kubernetes Operator
  • GitHub Actions, GitLab CI, CircleCI, Jenkins integrations
  • Audit logs and event reporting
  • SCIM provisioning for users and groups
  • Trelica SaaS governance and discovery (post-2024)
  • Secret references and dynamic injection at runtime

200+ integrations

Kubernetes, AWS, GCP, Azure, GitHub Actions, GitLab CI, CircleCI, Jenkins, Terraform, Okta

Geography

Global; strongest in US, EU, Canada

#6

Bitwarden Secrets Manager

Open-source heritage extended into machine secrets management.

Founded 2016 · Santa Barbara, CA · private · 50-5,000 employees
G2 4.6 (320)
Capterra 4.7
From $6 /employee/mo
● Transparent pricing

Bitwarden built its reputation on open-source password management before extending the platform into machine secrets with Bitwarden Secrets Manager (GA 2023). The Insight Partners-led $100M+ Series A in 2022 funded enterprise expansion and the secrets-management product line. The pitch is consistent with the Bitwarden brand: open-source heritage, transparent pricing, and an approachable developer experience for teams already on Bitwarden Business or Enterprise. Feature depth still trails Vault and Doppler in dynamic credentials, but Bitwarden is a credible mid-market option, especially for organizations that prefer to buy human and machine credentials from the same vendor.

Best for

Mid-market and lower-enterprise buyers (50-3,000 employees) already on Bitwarden Password Manager who want machine secrets from the same vendor, with self-host option as a fallback.

Worst for

Regulated enterprises needing CyberArk Conjur-tier evidence trails, or organizations needing Vault-tier dynamic credentials breadth.

Strengths

  • Open-source heritage maintained for both Password Manager and Secrets Manager
  • Transparent published pricing on the Bitwarden website
  • Approachable developer experience and CLI coverage
  • Strong fit for orgs already on Bitwarden Password Manager Business or Enterprise
  • Self-host option available for fully air-gapped deployments
  • Insight Partners $100M+ Series A funded credible enterprise expansion

Weaknesses

  • Dynamic credentials coverage trails Vault and Akeyless
  • No PKI secrets engine; certificate lifecycle is not first-party
  • Secrets Manager is younger; community of practice still building
  • Best value only when Bitwarden Business is already in place
  • Audit and compliance evidence trails are lighter than enterprise peers

Pricing tiers

public
  • Bitwarden Business
    $6 per user per month annual; baseline for Secrets Manager eligibility
    $6 /emp/mo
  • Secrets Manager Team
    $6 per user per month annual; up to 5 service accounts, 50 secrets per service account
    $6 /emp/mo
  • Secrets Manager Enterprise
    $12 per user per month annual; unlimited service accounts and secrets
    $12 /emp/mo
  • Enterprise + Self-host
    Custom quote for self-host deployment with enterprise SLAs
    Quote
Watch for
  • · Service account scaling at Team tier (capped at 5)
  • · Premium support gated to higher tiers
  • · Self-host implementation is buyer-side engineering

Key features

  • Static secrets management with project and folder hierarchy
  • Service accounts with scoped access tokens
  • CLI coverage and SDK (Python, Node, Ruby, Go, Rust, Java, C#)
  • GitHub Actions, GitLab CI, Jenkins, Kubernetes integrations
  • Audit logs and event reporting
  • Open-source codebase with public audit history
  • Self-host option for air-gapped deployments
  • SSO/SAML and SCIM provisioning
  • Hardware security key support for human authentication
90+ integrations
Kubernetes, AWS, GitHub Actions, GitLab CI, Jenkins, Terraform, Ansible, Okta, Microsoft Entra ID, Datadog
Geography
Global; strongest in US, EU
#8

CyberArk Conjur

CyberArk-anchored secrets management inside the Identity Security Platform.

Founded 2011 · Petach Tikva, Israel · public · 1,000-100,000+ employees
G2 4.3 (180)
Capterra 4.4
From $0 /mo
○ Sales call required

Conjur was acquired by CyberArk in 2017 and is now the secrets-management arm of the CyberArk Identity Security Platform. Two product lines exist: Conjur Open Source (community-maintained) and Conjur Enterprise (commercial, deeply integrated with CyberArk PAM). The buying decision is usually downstream of a CyberArk PAM decision; standalone Conjur evaluations are rare because Vault, Doppler, and Akeyless win on feature depth or developer ergonomics. Best fit only when CyberArk PAM is already deployed and the buyer wants one vendor relationship for human and machine credentials.

Best for

CyberArk-anchored regulated enterprises (1,000-50,000+ employees) consolidating secrets management with PAM under the CyberArk Identity Security Platform.

Worst for

Standalone secrets buyers (Vault, Doppler, Akeyless win), or developer-led teams expecting modern ergonomics.

Strengths

  • Deepest integration with CyberArk Privileged Access Manager and Identity Security Platform
  • Conjur Open Source provides a free entry point for evaluation
  • Strong policy-as-code model (YAML-based)
  • Mature Kubernetes integration via Secretless Broker and authenticators
  • Auditor-grade evidence trails inherited from CyberArk platform
  • CyberArk public-company financial transparency

Weaknesses

  • Best value only when CyberArk PAM is already in place; rarely a standalone buying motion
  • Developer ergonomics weaker than Doppler, Infisical, or Bitwarden
  • Pricing opaque; bundled inside CyberArk Identity Security Platform pricing
  • Conjur Open Source velocity has slowed relative to community expectations
  • Smaller standalone community than Vault
  • Annual price escalators of 7-12% at renewal reported on the CyberArk umbrella contract

Pricing tiers

opaque
  • Conjur Open Source
    Apache 2.0; community-maintained
    $0 /mo
  • Conjur Enterprise (standalone)
    Industry estimate $40K-$300K+ annually; rarely sold standalone
    Quote
  • CyberArk Identity Security Platform (Conjur included)
    Industry estimate $200K-$2M+ annually; bundled with CyberArk PAM
    Quote
Watch for
  • Modules priced separately inside the CyberArk Identity Security Platform
  • Implementation via certified partners $100K-$500K+ at enterprise scale
  • Annual price escalators 7-12% at renewal on the CyberArk umbrella contract

Key features

  • Centralized policy-as-code (YAML) for secrets and access
  • Secretless Broker for application secret-less workflows
  • Kubernetes authenticator for native pod identity
  • Strong integration with CyberArk Privileged Access Manager
  • JWT and OIDC authenticators for cloud-native workloads
  • Audit logs feed into CyberArk PAM evidence trails
  • Role-based access control with policy inheritance
  • CLI and SDK coverage
  • On-prem and SaaS (CyberArk Privilege Cloud) deployment options
200+ integrations
CyberArk PAM, Kubernetes, AWS, Azure, GCP, ServiceNow, Splunk, Microsoft Sentinel, Okta, Microsoft Entra ID
Geography
Global; strongest in US, EU, Israel, APAC
#9

Delinea Secret Server (DevOps Secrets Vault)

Legacy Secret Server plus DevOps Secrets Vault on the Delinea Platform.

Founded 1996 · Redwood City, CA · PE-backed · 200-10,000 employees
G2 4.5 (760)
Capterra 4.6
Custom quote
○ Sales call required

Delinea (formed when TPG merged Thycotic and Centrify in April 2021) ships two secrets products: the long-running Secret Server (legacy IT secrets vault, primarily for human admins and service accounts) and DevOps Secrets Vault (cloud-native, API-first, for ephemeral workloads). The DevOps Secrets Vault product is the credible developer-secrets story for legacy PAM portfolio buyers; standalone, it competes more directly with Vault and Doppler. Best fit when Delinea PAM is already in place or when an existing Thycotic Secret Server estate wants a cloud-native extension. Trade-offs: TPG ownership signals a sale or recap on the 3-5 year horizon, and standalone Delinea-secrets buying motions are rare.

Best for

Mid-market and lower-enterprise buyers (200-5,000 employees) already on Delinea PAM or legacy Thycotic Secret Server wanting a cloud-native DevOps secrets extension.

Worst for

Standalone-secrets buyers without a Delinea PAM commitment (Vault, Doppler, Akeyless win), or organizations needing FedRAMP High coverage.

Strengths

  • Secret Server is a long-running, mature legacy vault used in thousands of mid-market estates
  • DevOps Secrets Vault adds a cloud-native, API-first story to the legacy portfolio
  • Account Lifecycle Manager (service-account discovery and rotation) is differentiated
  • Mid-market pricing routinely under CyberArk equivalents
  • Strong customer support consistency vs PE peers
  • Tight integration with Delinea PAM (Connection Manager, Privilege Manager)

Weaknesses

  • TPG ownership implies a sale or recap on the 3-5 year horizon
  • Standalone Delinea-secrets buying motions are rare; usually downstream of Delinea PAM
  • DevOps Secrets Vault community is smaller than Vault or Doppler
  • Pricing opaque despite mid-market positioning
  • Two product lines can confuse buyers (Secret Server vs DevOps Secrets Vault)

Pricing tiers

opaque
  • Secret Server Cloud
    Industry estimate $60-$120 per user/year
    Quote
  • DevOps Secrets Vault
    Industry estimate $30K-$200K+ annually
    Quote
  • Delinea Platform bundle
    Industry estimate $150K-$600K annually mid-enterprise
    Quote
Watch for
  • DevOps Secrets Vault priced separately from Secret Server
  • Account Lifecycle Manager priced separately
  • Implementation services for multi-tenant deployments
  • Annual price escalators 5-9% at renewal reported

Key features

  • Secret Server (vault, session brokering, session recording)
  • DevOps Secrets Vault (cloud-native, API-first, for ephemeral workloads)
  • Account Lifecycle Manager (service account discovery and rotation)
  • Connection Manager for SSH/RDP session brokering
  • Cloud Suite (Centrify-heritage Linux identity bridging)
  • Delinea Platform unified policy engine and reporting
  • Kubernetes integration via DSV agent
  • Mature compliance posture (SOC 2, ISO 27001, HIPAA, FedRAMP)
  • Tight integration with Delinea Privilege Manager (endpoint)
200+ integrations
ServiceNow, Splunk, Microsoft Sentinel, AWS, Azure, GCP, Okta, Microsoft Entra ID, HashiCorp Terraform, Kubernetes
Geography
Global; strongest in US, EU, APAC
#10

GitGuardian Platform

Secrets-leak detection heritage extended into management (2024).

Founded 2017 · Paris, France · private · 200-50,000+ employees
G2 4.7 (260)
Capterra 4.7
From $0 /mo
○ Sales call required

GitGuardian was the secrets-detection-first vendor of record (its public-GitHub leak monitor put it on the map), founded 2017 in Paris and raising a $44M Series B in 2022. In 2024 the company expanded explicitly into secrets management with the Non-Human Identity (NHI) Security and Vault Insights products, framing the platform as one that finds leaked credentials and helps you rotate them at the source. The pitch is consistent: if leaked-credential discovery is the headline buyer pain, GitGuardian is unrivaled. As a standalone secrets management product, it is younger and shallower than Vault, Doppler, or Akeyless; the platform value compounds when detection and management are bought together.

Best for

Security-led buyers (CISO office, 500-20,000 employees) where leaked-credential discovery is the headline pain and management is bought alongside detection.

Worst for

Platform-engineering-led teams wanting deep dynamic credentials (Vault wins) or developer-first ergonomics (Doppler, Infisical win).

Strengths

  • Strongest leaked-credentials detection in the category (public GitHub leak monitor since 2017)
  • Non-Human Identity (NHI) Security extends detection into governance for service accounts
  • Vault Insights ties leaked credentials back to upstream vault entries
  • French-headquartered with EU data-residency and GDPR posture
  • $44M Series B 2022 funded enterprise expansion into management
  • Strong fit for security-led buyers (CISO office), less so for platform-engineering buyers

Weaknesses

  • Standalone secrets management is younger and shallower than Vault, Doppler, or Akeyless
  • Best value only when detection plus management are bought together
  • Smaller community of practice on the management side
  • Pricing opaque
  • Developer ergonomics weaker than Doppler or Infisical
  • Dynamic credentials coverage narrower than Vault or Akeyless

Pricing tiers

opaque
  • Free (public repos)
    Public GitHub repo monitoring; up to 25 developers
    $0 /mo
  • Business (Detection)
    Industry estimate $15-$30 per developer/month
    Quote
  • Enterprise (Detection + NHI Security + Vault Insights)
    Industry estimate $60K-$500K+ annually for enterprise deployments
    Quote
Watch for
  • NHI Security and Vault Insights priced separately above detection baseline
  • Implementation services for large estates
  • Annual price escalators 6-10% at renewal reported

Key features

  • Public GitHub repo leak monitoring (free tier and paid)
  • Internal repo and CI/CD pipeline secrets scanning
  • Non-Human Identity (NHI) Security for service-account governance
  • Vault Insights to tie leaked credentials back to upstream vault entries
  • Honeytoken generation and detection
  • Audit logs and event reporting
  • SSO/SAML and SCIM provisioning
  • Slack and PagerDuty incident routing
  • On-prem self-hosted option for regulated buyers
120+ integrations
GitHub, GitLab, Bitbucket, AWS, Azure, GCP, HashiCorp Vault, CyberArk Conjur, Slack, PagerDuty
Geography
Global; strongest in EU, US

Frequently asked questions

The questions buyers actually ask before they sign.

Is there an ANSSI-qualified secrets management product for French OIVs?
No. As of mid-2026, no standalone secrets management product holds ANSSI Visa de Sécurité qualification. Wallix Bastion (ANSSI-qualified) covers privileged session brokering for human administrators but does not address machine secrets (API keys, database credentials, CI/CD tokens) at the level of HashiCorp Vault or AWS Secrets Manager. French OIVs and public administration facing this requirement typically either deploy HashiCorp Vault on ANSSI-aligned infrastructure (OVHcloud SecNumCloud pathway) under a risk-acceptance framework, or integrate secrets management into their existing ANSSI-qualified security stack. ANSSI is expected to update qualification criteria to cover secrets management products in 2026; watch for updates to the qualification catalogue.
How does CNIL guidance affect secrets management audit logs in France?
CNIL treats secrets management audit logs that record which employee account accessed which credential and when as employee monitoring data, which is subject to RGPD proportionality requirements. French employers must: inform the CSE (Comité Social et Économique) before deploying systems that monitor employee activity, including secrets access; limit audit log retention to what is necessary for security purposes (typically 6-12 months is defensible); store logs on EU infrastructure (AWS Paris, Azure France Central, OVHcloud); and allow CNIL to audit their data processing activities. GitGuardian's French headquarters simplifies the CNIL compliance narrative compared to US-headquartered vendors.
Should French SaaS companies use HashiCorp Vault or AWS Secrets Manager?
For French SaaS companies built primarily on AWS Paris, AWS Secrets Manager is the lower-friction choice: native RDS, Lambda, ECS integration, RGPD satisfied via eu-west-3 region, EUR billing via AWS France, and no operational overhead. The switch to Vault makes sense when: (1) your architecture spans multiple cloud providers (AWS Secrets Manager does not natively serve Azure or GCP workloads), (2) you need dynamic credentials (short-lived database or cloud credentials generated on demand, which Vault does natively and Secrets Manager does not), or (3) you have Kubernetes-native secrets injection requirements at scale (Vault Secrets Operator and Infisical's K8s integration are both stronger than AWS-native options for K8s).
HashiCorp Vault vs Doppler vs AWS Secrets Manager: which one fits us?
Use Vault when you need the deepest secrets, PKI, and dynamic-credentials platform across mixed cloud and on-prem estates, and have operational expertise to run it (or pay for HCP Vault). Use Doppler when you are an engineering-led cloud-native team that prizes developer ergonomics, fast onboarding, and clean environment branching. Use AWS Secrets Manager when you are an AWS-only estate where native KMS/IAM/RDS integration outweighs portability cost. The three rarely overlap on a single shortlist.
What does the HashiCorp Vault BSL license actually mean for us?
The Business Source License (BSL) restricts competing commercial use of Vault by other vendors, while permitting most direct end-user deployments. Practically: you can still deploy Vault yourself for internal use, with a four-year time-delayed conversion to Mozilla Public License (MPL). The trust hit was twofold: open-source community projects (OpenBao, OpenTofu) forked under Linux Foundation governance, and enterprises now factor BSL risk into long-horizon platform decisions, especially after the IBM acquisition closed in Feb 2025.
Why does secrets rotation matter, and when is it worth automating?
Rotation matters because static long-lived credentials are the single largest blast-radius vector when a breach happens (an attacker can replay the credential for as long as it lives). Automate rotation as soon as you have more than about 50 service accounts or any database credentials sitting in version control or wikis. Tools like Vault, Akeyless, and AWS Secrets Manager support automatic rotation for supported targets; everything else typically needs a custom rotation function (Lambda for AWS, Functions for Azure, etc.).
KMS vs vault: are they different things?
Yes. A KMS (Key Management Service) manages encryption keys and performs encryption/decryption operations (AWS KMS, GCP KMS, Azure Key Vault). A secrets vault stores the application secrets themselves (passwords, API keys, OAuth tokens) and often uses a KMS as its backing encryption layer. Some platforms blur the line: Akeyless is KMS-as-a-service plus secrets, AWS Secrets Manager uses AWS KMS underneath. Practically, ask whether the product holds your application secrets or only your encryption keys.
Is AWS Secrets Manager lock-in a real problem for us?
Yes if you are likely to add Azure or GCP workloads, or if you want to support a hybrid on-prem estate. Migrating off AWS Secrets Manager later requires rewriting integration points (IAM policies, KMS dependencies, rotation Lambdas), and the rotation automation is AWS-target-specific. If you are 100 percent AWS today and likely to stay that way, lock-in is a price worth paying for native integration. If multi-cloud is on the roadmap, start with Vault, Doppler, or Akeyless and federate to cloud services rather than the other way around.
How is GitGuardian different from a secrets management platform?
GitGuardian started as a detection product (find leaked secrets in public and private repos) and expanded into management with Non-Human Identity Security and Vault Insights in 2024. As a pure secrets management platform, it is younger and shallower than Vault or Doppler. The platform shines when you buy detection plus management together: leaked credentials in repos get tied back to upstream vault entries, and rotation closes the loop. Buyers led by CISO offices typically pick GitGuardian; buyers led by platform-engineering pick Vault or Doppler.
When does an organization actually need secrets management?
You need secrets management when you have more than about 25 services or environments and credentials are spilling into .env files, CI/CD variables, wikis, or chat. Symptoms: developers ping the platform team for credentials, audits flag credential reuse, you cannot answer who rotated the database password last quarter. Below that scale, AWS Secrets Manager or a per-app .env workflow with environment-variable injection is usually enough. Above it, you need a platform with audit logs, RBAC, rotation, and dynamic credentials.
What is a dynamic credential, and why does it matter?
A dynamic credential is one that is generated on demand, scoped narrowly, and expires after a short TTL (minutes to hours), instead of being a long-lived static value. Example: Vault generates a fresh AWS IAM credential each time a CI pipeline runs, with permissions limited to the job, and the credential expires when the pipeline finishes. Dynamic credentials collapse the blast radius of a compromise; static credentials retain full power until manually rotated. Vault, Akeyless, and CyberArk Conjur lead on dynamic credentials breadth.
Should we self-host Vault, OpenBao, Infisical, or Bitwarden Secrets Manager?
Self-host when you have an absolute data-residency or air-gap requirement and the operational expertise to run encrypted storage, replication, and unsealing properly. OpenBao (the BSL-free Vault fork) is the OSS choice if you reject the BSL. Infisical and Bitwarden Secrets Manager are easier to self-host than Vault but trade depth on dynamic credentials. The hidden cost of self-host is always operational: secret backups, unseal-key recovery, replication health, and patching. Most teams under 1,000 employees should use SaaS (HCP Vault, Doppler, AWS Secrets Manager, Bitwarden Cloud) unless self-host is a hard requirement.
How does Zendikt verify pricing and trust scores?
Pricing data comes from public vendor pages, reseller quotes, and 280+ anonymized buyer disclosures aggregated through the Zendikt verified-pricing program. Industry estimates are explicitly flagged in tier notes. Trust events come from public 10-K filings, breach disclosures filed with regulators, reported M&A activity, and license-change announcements. Vendor Trust Score is the unweighted mean of six independent subscores (pricing transparency, contract fairness, incident response, post-acquisition behavior, executive stability, roadmap honesty) and is tracked separately from product quality on purpose: a strong product owned by a punitive vendor or saddled with a hostile license is still a bad five-year decision.

Last updated 2026-05-19. Local pricing reverified quarterly.