Zendikt
Germany edition · 10 products ranked · Verified 2026-05-19

Top 10 Secrets Management Software in Germany for 2026

Independent Germany secrets management ranking: HashiCorp Vault and Akeyless at DAX 40, DSGVO data residency, BSI Grundschutz, KRITIS credential mandates.

Germany verdict (TL;DR)


Germany's secrets management market is dominated by HashiCorp Vault at DAX 40 and large German enterprises, with AWS Secrets Manager standard at German SaaS on AWS Frankfurt. Akeyless has gained meaningful DACH traction at German enterprises seeking vault-less architecture aligned with BSI zero-trust guidance. CyberArk Conjur has strong DACH presence at large manufacturing, automotive, and financial organizations already running CyberArk PAM. There is no credible German-built secrets management product. DSGVO, BSI IT-Grundschutz ORP.4, KRITIS IT-Sicherheitsgesetz 2.0, and BaFin BAIT/VAIT create layered credential security requirements. Betriebsrat (works council) co-determination under BetrVG §87 applies to secrets access monitoring features.

Picks for Germany

  • German DAX 40 and large enterprise secrets backbone (KRITIS, BAIT/VAIT): HashiCorp Vault. Dominant German enterprise secrets platform. AWS Frankfurt (eu-central-1) and Azure Germany West Central data residency satisfies DSGVO. BSI IT-Grundschutz ORP.4 control mapping available from DACH integrators. BaFin BAIT/VAIT alignment documented.
  • German enterprise with vault-less zero-trust architecture (DAX 40 and KRITIS): Akeyless. Its DFC architecture resonates with BSI zero-trust guidance and the German on-prem control preference. AWS Frankfurt hosted. DSGVO-compliant. Growing at DAX 40 and German financial services organizations evaluating Vault alternatives.
  • German AWS-first SaaS and technology companies: AWS Secrets Manager. Native AWS Frankfurt (eu-central-1) deployment. BSI C5:2020 via AWS Frankfurt infrastructure attestation. DSGVO data residency inherent. Used by German tech (SAP-adjacent SaaS, Celonis-tier) on AWS.
  • German enterprises with CyberArk PAM (automotive, manufacturing, banking): CyberArk Conjur. CyberArk has a Munich office and strong DACH PAM presence at BMW, Siemens, Deutsche Bank-tier organizations. Conjur is the natural machine-secrets extension for these organizations. Azure Germany West Central data residency available.
  • German DevOps-first engineering teams (Mittelstand and Berlin tech): Doppler. Growing in German engineering-led product companies and Berlin-based startups. EUR billing. AWS Frankfurt deployment for DSGVO compliance. Best developer ergonomics for German teams evaluating Vault alternatives.

Market context

How the secrets management software market looks in Germany

Germany's secrets management market has several structural characteristics not present in the US, UK, or France. First, the BSI (Bundesamt für Sicherheit in der Informationstechnik) framework explicitly covers credential and secrets management. IT-Grundschutz ORP.4 (identity and access management) requires organizations to manage privileged and service account credentials securely, with audit logging and access reviews. BSI's KRITIS minimum standards (updated 2023) include credential management as a required control for operators in energy, water, banking, transport, and digital infrastructure.

Second, BaFin BAIT (for banks), VAIT (for insurers), and KAIT (for capital management companies) require credential governance for regulated financial institutions. BaFin has cited inadequate machine credential management in IT audit findings at German banks, which has accelerated Vault and Conjur adoption at German FSI.

Third, Akeyless has established a meaningful DACH presence that is unusual for a non-US, non-European vendor. The Akeyless vault-less architecture (Distributed Fragments Cryptography, where the vendor never holds complete encryption keys) resonates with the German enterprise preference for not surrendering complete cryptographic control to a vendor. This is the same instinct that drives German on-prem preferences generally, and Akeyless has positioned effectively against it.

Fourth, Betriebsrat co-determination (BetrVG §87 No. 6) applies to secrets management systems that monitor employee behavior, including audit logs that record which employee account accessed which secret. As with PAM session recording, German enterprises should negotiate a Betriebsvereinbarung covering secrets access log retention, access to logs, and employee notification before full deployment. This adds 3-12 months to German rollouts.

There is no credible German-built secrets management product. The gap is real but buyers should not expect a German local champion in the near term.

Compliance & local rules

  • DSGVO (BDSG): secrets management audit logs containing personal data of German employees (employee ID linked to credential access events) require DSGVO-compliant data processing agreements, EU data residency, and defined retention periods; AWS Frankfurt (eu-central-1) and Azure Germany West Central are the standard regions.
  • BSI IT-Grundschutz ORP.4: Baustein ORP.4 (identity and access management) covers privileged account credential management, access reviews, and audit logging; the reference for Bundesbehörden and KRITIS-adjacent organizations.
  • BSI C5:2020: cloud secrets management must demonstrate or reference C5 infrastructure attestation (AWS Frankfurt, Azure Germany, GCP Frankfurt all hold C5).
  • IT-Sicherheitsgesetz 2.0 (KRITIS): KRITIS operators must implement secure credential management per BSI minimum security standards; secrets management is a required control.
  • BaFin BAIT/VAIT/KAIT: regulated German financial firms must maintain secure management of application credentials and API keys with audit trails; Vault, Conjur, and Akeyless all produce BaFin-aligned control mapping.
  • BetrVG §87 No. 6: secrets access monitoring features require Betriebsrat co-determination; negotiate a Betriebsvereinbarung before deploying audit logging that records employee-identifiable access events.
  • GAIA-X: German and EU sovereignty cloud initiative; secrets management on GAIA-X-compliant infrastructure (AWS Frankfurt EUCS-aligned, Azure Germany West Central, OVHcloud EU) is the direction for German public-sector and critical infrastructure procurement.

At a glance

Quick comparison, ranked for Germany

| Rank | Product | Best for | Starts at | 10-emp/mo* | G2 | Geo |
|---|---|---|---|---|---|---|
| 1 | HashiCorp Vault | Regulated enterprises and platform teams with operational expertise | $0 | $0 | 4.7 | Global; strongest in US, EU, APAC |
| 5 | Akeyless Vault Platform | Regulated enterprises and vault-less SaaS buyers | $0 | $0 | 4.7 | Global; strongest in US, EU, Israel |
| 4 | AWS Secrets Manager | AWS-anchored estates of any size | $0 | $0 | 4.5 | Global (AWS regions) |
| 8 | CyberArk Conjur | CyberArk-anchored regulated enterprises | $0 | $0 | 4.3 | Global; strongest in US, EU, Israel, APAC |
| 2 | Doppler | Engineering-led cloud-native teams | $0 | $0 | 4.7 | Global; strongest in US, EU |
| 7 | Infisical | Engineering-led teams adopting open-source modern secrets | $0 | $0 | 4.8 | Global; strongest in US, EU, India |
| 3 | 1Password Secrets Automation | Mid-market and enterprise 1Password Business shops | $8/emp | $80 | 4.7 | Global; strongest in US, EU, Canada |
| 6 | Bitwarden Secrets Manager | Mid-market and lower-enterprise buyers already on Bitwarden Password Manager | $6/emp | $60 | 4.6 | Global; strongest in US, EU |
| 9 | Delinea Secret Server (DevOps Secrets Vault) | Mid-market and lower-enterprise Delinea/Thycotic-anchored estates | Quote | - | 4.5 | Global; strongest in US, EU, APAC |
| 10 | GitGuardian Platform | Security-led organizations buying detection and management together | $0 | $0 | 4.7 | Global; strongest in EU, US |

*10-employee monthly cost = base fee + (per-employee × 10) using the lowest published tier. For opaque-pricing vendors, no value is shown.

Verified local pricing

What buyers in Germany actually pay

Median annual deal size by employee band, in EUR. Crowdsourced from anonymized buyer disclosures.

| Product | Employee band | Median annual (EUR) | Sample | Notes |
|---|---|---|---|---|
| HashiCorp Vault | Vault Enterprise, 200-2,000 engineers (DAX/KRITIS) | €46,000 | 44 | HCP Vault or self-managed; EUR via DACH reseller; AWS Frankfurt hosted |
| Akeyless Vault Platform | 200-2,000 engineers (DAX 40/FSI) | €38,000 | 31 | SaaS Enterprise; EUR billing; AWS Frankfurt data residency |
| AWS Secrets Manager | 1,000-10,000 secrets (German SaaS) | €6,800 | 84 | AWS eu-central-1 Frankfurt; EUR billing; per-secret pricing; BSI C5 inherited |
| CyberArk Conjur | 500-5,000 engineers (automotive/banking) | €68,000 | 27 | Conjur Enterprise; EUR via CyberArk Germany Munich; Azure Germany West Central option |
| Doppler | 50-500 engineers (Mittelstand/Berlin tech) | €13,000 | 41 | Enterprise plan; EUR equivalent; AWS Frankfurt hosted for DSGVO |

Local challengers

Germany-built or Germany-strong vendors worth knowing

Not yet ranked in our global top 10, but credible options for German buyers and worth a shortlist.

MTRIX (PAM-adjacent)


Hannover-based German PAM specialist. MTRIX does not offer a standalone secrets management product but is relevant as a German-native privileged access management vendor for organizations wanting a German-headquartered vendor relationship alongside their secrets management platform.

Hallo (German open-source adjacent)


No credible German-built standalone secrets management product has achieved meaningful enterprise market presence as of mid-2026. German buyers should evaluate the global field with AWS Frankfurt and Azure Germany West Central as the data-residency anchors.

The Germany ranking

All 10, ranked for Germany

Same intelligence as the global ranking (vendor trust, review patterns, verified pricing, compliance), reordered for the Germany market.

#1

HashiCorp Vault

De facto enterprise secrets backbone, now an IBM business with BSL license baggage.

Founded 2012 · San Francisco, CA · public · 500-100,000+ employees
G2 4.7 (1,320)
Capterra 4.6
From $0 /mo
◐ Partial disclosure

HashiCorp Vault is the most deployed enterprise secrets management platform, founded 2012 and the de facto open-source standard for secrets, PKI, and dynamic credentials through 2023. The Aug 2023 license switch from MPL to Business Source License (BSL) sparked an immediate community backlash, prompting the OpenTofu fork (Terraform) and the OpenBao fork (Vault) under Linux Foundation governance. IBM closed its acquisition of HashiCorp on Feb 27, 2025 for about $6.4B, and post-IBM product strategy is still being clarified through 2026: integration with IBM Cloud and Red Hat is the stated direction, but enterprise customers report a wait-and-see posture on roadmap velocity. Vault remains the broadest and deepest commercial secrets platform; the buying question is whether you trust the post-IBM trajectory and the BSL terms.

Best for

Regulated enterprises (1,000-50,000+ employees) needing the deepest secrets, PKI, and dynamic-credentials platform, with budget for operational expertise.

Worst for

Greenfield engineering teams wanting modern developer ergonomics (Doppler or Infisical win), or organizations philosophically opposed to BSL licensing (OpenBao or pure-OSS alternatives).

Strengths

  • Deepest feature set in the category (KV, dynamic credentials, PKI, transit, transform, database secrets engines)
  • Largest community and integration ecosystem of any secrets platform
  • Strong dynamic-credentials story across AWS, Azure, GCP, databases, Kubernetes
  • Vault Enterprise adds performance replication, DR, HSM auto-unseal, namespaces
  • Mature Kubernetes integration via Vault Agent and Secrets Operator
  • Auditor-grade evidence trails for regulated industries

Weaknesses

  • Aug 2023 BSL license switch fractured open-source community trust
  • OpenBao fork exists as an OSS-compatible alternative and is gaining adoption
  • Feb 2025 IBM close leaves post-acquisition product strategy unclarified
  • Enterprise pricing opaque; deal sizes routinely larger than initial scoping suggested
  • Operational complexity is real (storage, unsealing, replication, namespaces all need expertise)
  • Developer ergonomics weaker than Doppler or Infisical for greenfield teams

Pricing tiers (partial disclosure)

  • Vault Community (BSL)
    BSL license restricts competing commercial use; self-managed
    $0 /mo
  • HCP Vault Standard
    HashiCorp Cloud Platform managed Vault; usage-based starting roughly $1.50/hour per cluster
    Quote
  • HCP Vault Plus
    Adds replication, namespaces, advanced data protection; industry estimate $50K-$500K+ annually
    Quote
  • Vault Enterprise (self-managed)
    Industry estimate $80K-$1M+ annually for enterprise deployments
    Quote

Watch for

  • Operational expertise for storage, unsealing, replication is a hidden line item
  • HSM integration priced separately
  • Implementation via certified partners $100K-$500K+ typical at enterprise scale
  • Annual price escalators 6-10% at renewal reported

Key features

  • Key-Value (KV) v1 and v2 static secrets engines
  • Dynamic credentials for AWS, Azure, GCP, databases, Kubernetes, SSH
  • PKI secrets engine for full certificate lifecycle
  • Transit secrets engine for encryption-as-a-service
  • Transform secrets engine for format-preserving encryption and tokenization
  • Identity-based access policies with namespaces (Enterprise)
  • Performance and DR replication (Enterprise)
  • HSM auto-unseal and FIPS 140-2 build (Enterprise)
  • Audit devices for full request logging
  • Vault Agent and Secrets Operator for Kubernetes-native workflows

450+ integrations, including: Kubernetes, AWS, Azure, GCP, Terraform, Consul, Nomad, ServiceNow, Splunk, Datadog, GitHub Actions, GitLab CI

Geography: Global; strongest in US, EU, APAC

#5

Akeyless Vault Platform

KMS-as-a-service vault-less architecture with Distributed Fragments Cryptography.

Founded 2018 · Ramat Gan, Israel · private · 500-50,000+ employees
G2 4.7 (220)
Capterra 4.6
From $0 /mo
○ Sales call required

Akeyless is the vault-less KMS-as-a-service entrant founded 2018 in Israel, with a $65M Series B in April 2022 led by NGP Capital and Team8. The differentiator is Distributed Fragments Cryptography (DFC), a multi-party computation approach where Akeyless never holds full encryption keys; key fragments are split across regions and the customer controls one. This is the strongest vault-less pitch in the category for compliance teams uncomfortable with a vendor holding full keys. Feature breadth is broad (secrets, dynamic credentials, certificates, encryption-as-a-service, zero-trust access), pricing remains opaque, and the brand recognition still trails Vault and Doppler outside Israel and the regulated-financial segment.

Best for

Regulated enterprises (500-50,000 employees) in financial services, healthcare, and critical infrastructure that want vault-less SaaS with vendor-fragment cryptography rather than self-managed Vault.

Worst for

Greenfield engineering teams wanting Doppler-tier developer ergonomics, or AWS-only estates where AWS Secrets Manager native integration wins on simplicity.

Strengths

  • Distributed Fragments Cryptography (DFC): Akeyless never holds full keys
  • Vault-less SaaS architecture removes operational burden of self-managed Vault
  • Broad feature set (secrets, dynamic credentials, certificates, encryption-as-a-service)
  • Strong fit for regulated financial services skeptical of vendor-held keys
  • FIPS 140-2 validated; SOC 2 Type 2 and ISO 27001
  • Customer-fragment model is genuine architectural differentiation, not marketing

Weaknesses

  • Pricing opaque
  • Brand recognition trails Vault and Doppler outside Israel and regulated finance
  • Smaller community and integration list than Vault
  • Implementation depth required to leverage DFC properly
  • Developer ergonomics not as polished as Doppler

Pricing tiers (opaque pricing)

  • Free
    Limited free tier for evaluation
    $0 /mo
  • Team
    Industry estimate $5-$15 per client/month
    Quote
  • Enterprise
    Industry estimate $80K-$600K+ annually for enterprise deployments
    Quote

Watch for

  • Add-on modules (Zero Trust Access, KMS) priced separately
  • Implementation services for DFC setup
  • Annual price escalators reported at 5-9% at renewal

Key features

  • Distributed Fragments Cryptography (DFC) for vendor-never-holds-keys posture
  • Static and dynamic secrets management
  • KMS-as-a-service for encryption operations
  • Certificate lifecycle management
  • Encryption-as-a-service via APIs
  • Zero Trust Application Access (ZTAA) add-on
  • SSH and database secret rotation
  • Kubernetes integration via Akeyless Operator
  • Auditor-ready logging and reporting
  • Customer fragment controlled by buyer (never with Akeyless)

180+ integrations, including: Kubernetes, AWS, Azure, GCP, ServiceNow, Splunk, Terraform, GitHub Actions, GitLab CI, Okta

Geography: Global; strongest in US, EU, Israel

#4

AWS Secrets Manager

Native AWS secrets service for AWS-anchored estates.

Founded 2018 · Seattle, WA · public · Any employees
G2 4.5 (620)
Capterra 4.5
From $0 /mo
● Transparent pricing

AWS Secrets Manager is the native AWS service for secrets storage, rotation, and retrieval, launched 2018 and integrated tightly with AWS KMS, IAM, RDS, Lambda, ECS, and EKS. Best fit for AWS-anchored estates where the value of native integration outweighs the cost of AWS lock-in. The pricing model (per-secret per month plus per-API-call) creates surprises for teams that did not anticipate fan-out across microservices, and rotation is automated only for a fixed set of supported AWS targets; everything else requires custom Lambda rotation functions. Cross-cloud or hybrid-estate buyers will hit the limits of an AWS-only secrets posture quickly.

Best for

AWS-anchored estates (any size) where the native integration value outweighs portability cost, and rotation targets are limited to AWS-supported services.

Worst for

Cross-cloud or hybrid-estate organizations, or buyers wanting deep dynamic credentials and PKI in one platform.

Strengths

  • Native AWS integration with KMS, IAM, RDS, Lambda, ECS, EKS
  • Automatic rotation for supported targets (RDS engines, Redshift, DocumentDB)
  • Tight IAM policy model with resource-based and identity-based policies
  • High durability and AWS-region availability inherited from the platform
  • Pricing model is fully public on the AWS pricing page
  • No separate vendor relationship for AWS-only estates

Weaknesses

  • AWS lock-in; not a portable secrets posture across clouds
  • Per-secret per month plus per-API-call pricing creates surprises at fan-out
  • Rotation automated only for fixed supported targets; everything else needs custom Lambda
  • No first-class developer UX; AWS console is acceptable but not delightful
  • No PKI engine; ACM Private CA is a separate AWS service
  • Cross-account access requires explicit policy work

Pricing tiers (public pricing)

  • Standard pricing
    $0.40 per secret per month plus $0.05 per 10,000 API calls; same rate across all regions
    $0 /mo

Watch for

  • API call costs at high fan-out across microservices
  • KMS key usage charges if customer-managed keys are used
  • Custom Lambda rotation functions for non-AWS targets
  • Cross-account access policy work is buyer-side engineering

Key features

  • Encrypted secret storage with AWS KMS
  • Automatic rotation for supported AWS targets (RDS, Redshift, DocumentDB)
  • Custom rotation via Lambda functions
  • IAM resource-based and identity-based policies
  • CloudTrail audit logging integrated
  • Tight integration with RDS, Lambda, ECS, EKS, CodeBuild
  • Cross-Region replication
  • Resource tagging and ABAC
  • VPC endpoint support

50+ integrations, including: AWS Lambda, AWS RDS, AWS ECS, AWS EKS, AWS CloudTrail, AWS IAM, AWS KMS, AWS CodeBuild, HashiCorp Vault (federation), Doppler (federation)

Geography: Global (AWS regions)

#8

CyberArk Conjur

CyberArk-anchored secrets management inside the Identity Security Platform.

Founded 2011 · Petach Tikva, Israel · public · 1,000-100,000+ employees
G2 4.3 (180)
Capterra 4.4
From $0 /mo
○ Sales call required

Conjur was acquired by CyberArk in 2017 and is now the secrets-management arm of the CyberArk Identity Security Platform. Two product lines exist: Conjur Open Source (community-maintained) and Conjur Enterprise (commercial, deeply integrated with CyberArk PAM). The buying decision is usually downstream of a CyberArk PAM decision; standalone Conjur evaluations are rare because Vault, Doppler, and Akeyless win on feature depth or developer ergonomics. Best fit only when CyberArk PAM is already deployed and the buyer wants one vendor relationship for human and machine credentials.

Best for

CyberArk-anchored regulated enterprises (1,000-50,000+ employees) consolidating secrets management with PAM under the CyberArk Identity Security Platform.

Worst for

Standalone secrets buyers (Vault, Doppler, Akeyless win), or developer-led teams expecting modern ergonomics.

Strengths

  • Deepest integration with CyberArk Privileged Access Manager and Identity Security Platform
  • Conjur Open Source provides a free entry point for evaluation
  • Strong policy-as-code model (YAML-based)
  • Mature Kubernetes integration via Secretless Broker and authenticators
  • Auditor-grade evidence trails inherited from CyberArk platform
  • CyberArk public-company financial transparency

Weaknesses

  • Best value only when CyberArk PAM is already in place; rarely a standalone buying motion
  • Developer ergonomics weaker than Doppler, Infisical, or Bitwarden
  • Pricing opaque; bundled inside CyberArk Identity Security Platform pricing
  • Conjur Open Source velocity has slowed relative to community expectations
  • Smaller standalone community than Vault
  • Annual price escalators of 7-12% at renewal reported on the CyberArk umbrella contract

Pricing tiers (opaque pricing)

  • Conjur Open Source
    Apache 2.0; community-maintained
    $0 /mo
  • Conjur Enterprise (standalone)
    Industry estimate $40K-$300K+ annually; rarely sold standalone
    Quote
  • CyberArk Identity Security Platform (Conjur included)
    Industry estimate $200K-$2M+ annually; bundled with CyberArk PAM
    Quote

Watch for

  • Modules priced separately inside the CyberArk Identity Security Platform
  • Implementation via certified partners $100K-$500K+ at enterprise scale
  • Annual price escalators 7-12% at renewal on the CyberArk umbrella contract

Key features

  • Centralized policy-as-code (YAML) for secrets and access
  • Secretless Broker for application secret-less workflows
  • Kubernetes authenticator for native pod identity
  • Strong integration with CyberArk Privileged Access Manager
  • JWT and OIDC authenticators for cloud-native workloads
  • Audit logs feed into CyberArk PAM evidence trails
  • Role-based access control with policy inheritance
  • CLI and SDK coverage
  • On-prem and SaaS (CyberArk Privilege Cloud) deployment options

200+ integrations, including: CyberArk PAM, Kubernetes, AWS, Azure, GCP, ServiceNow, Splunk, Microsoft Sentinel, Okta, Microsoft Entra ID

Geography: Global; strongest in US, EU, Israel, APAC

#2

Doppler

Developer-first secrets platform for cloud-native teams.

Founded 2018 · San Francisco, CA · private · 20-2,000 employees
G2 4.7 (380)
Capterra 4.6
From $0 /mo
◐ Partial disclosure

Doppler is the developer-first secrets management platform for cloud-native engineering teams. Founded 2018, it raised a $20M Series B in Feb 2022 led by CRV and has built its reputation on the cleanest developer ergonomics in the category: Git-style branching for environments, one-line CLI integration, and a UI engineers reach for rather than avoid. 2024 brought a deliberate enterprise expansion (SSO, SCIM, audit log retention, advanced RBAC) while preserving the developer experience that drove early adoption. Best fit for engineering-led teams that do not have a HashiCorp Vault commitment; less appropriate when deep dynamic-credentials or PKI engines are the headline requirement.

Best for

Engineering-led cloud-native teams (50-2,000 employees) wanting fast onboarding and clean developer ergonomics over deepest dynamic-credentials breadth.

Worst for

Regulated enterprises needing CyberArk Conjur-tier auditor evidence trails, or PKI-heavy organizations wanting certificate lifecycle in the same platform.

Strengths

  • Cleanest developer ergonomics in the category
  • Git-style branching for environments (dev, staging, prod, plus per-branch)
  • One-line CLI integration with most languages and frameworks
  • Strong UI that engineers actually use rather than route around
  • 2024 enterprise expansion added SSO, SCIM, audit log retention, advanced RBAC
  • Pricing more transparent than legacy peers (published rates above the Team tier)

Weaknesses

  • Lighter on dynamic credentials than Vault or Akeyless
  • No PKI secrets engine; certificate lifecycle is not first-party
  • Smaller community and integration list than Vault
  • Newer entrant; multi-region replication story still maturing
  • Enterprise tier pricing opaque (Team and Pro tiers are public)

Pricing tiers (partial disclosure)

  • Developer
    Free for up to 5 users; basic projects, environments, and integrations
    $0 /mo
  • Team
    $18 per seat per month annual; adds RBAC, audit logs, custom roles
    $18 /emp/mo
  • Pro
    $36 per seat per month annual; adds advanced RBAC, longer audit retention, priority support
    $36 /emp/mo
  • Enterprise
    Adds SSO/SAML, SCIM, advanced compliance; industry estimate $40K-$300K+ annually
    Quote

Watch for

  • SSO/SAML gated to Enterprise tier (industry-standard practice but worth flagging)
  • Audit log retention beyond 90 days requires Enterprise
  • Custom contract terms only available at Enterprise

Key features

  • Static secrets management with project, config, and environment hierarchy
  • Git-style branching for environments
  • CLI integration for most languages and frameworks
  • Doppler Kubernetes Operator for native secret sync
  • Integrations with AWS Secrets Manager, GCP Secret Manager, Azure Key Vault for federation
  • Webhooks and secret-changed triggers
  • Audit logs and granular RBAC
  • SSO/SAML and SCIM (Enterprise)
  • Trusted IPs and IP allowlisting
  • Secret rotation via integrations

120+ integrations, including: Kubernetes, AWS, GCP, Azure, Vercel, Heroku, GitHub Actions, GitLab CI, Datadog, Slack

Geography: Global; strongest in US, EU

#7

Infisical

Open-source modern secrets platform with rapid developer adoption.

Founded 2022 · San Francisco, CA · private · 10-1,000 employees
G2 4.8 (140)
Capterra 4.7
From $0 /mo
◐ Partial disclosure

Infisical is the fastest-growing open-source modern secrets platform: Y Combinator W23, founded 2022, and gaining developer mindshare in 2025-2026 as a Doppler-shaped product with an MIT-licensed core. The pitch is modern developer ergonomics on top of an open-source foundation, with cloud and self-host options. Feature depth is catching up to Doppler quickly and the post-HashiCorp BSL appetite for OSS alternatives plays directly into Infisical positioning. Trade-offs: younger company, smaller community than Vault or even Bitwarden, enterprise SLA depth still maturing. Best fit for engineering-led teams that want an open-source secrets platform without inheriting Vault operational complexity.

Best for

Engineering-led teams (20-1,000 employees) wanting an open-source modern secrets platform with cloud or self-host, without inheriting Vault operational complexity.

Worst for

Regulated enterprises needing CyberArk Conjur-tier evidence trails or FedRAMP authorization, and organizations needing Vault-tier dynamic credentials breadth.

Strengths

  • MIT-licensed open-source core; the cleanest OSS story among modern entrants
  • Modern developer ergonomics (UI, CLI, branching environments)
  • Y Combinator W23 momentum; product velocity above incumbents
  • Self-host option positioned strongly post-HashiCorp BSL switch
  • Native Kubernetes integration via Infisical Operator
  • Open-source secret scanning included in the platform

Weaknesses

  • Younger company; enterprise SLA depth still maturing
  • Smaller community and integration list than Vault or Doppler
  • Dynamic credentials coverage narrower than Vault or Akeyless
  • No PKI secrets engine; certificate lifecycle is not first-party
  • Smaller verified-pricing dataset; deal-size predictability is lower

Pricing tiers (partial disclosure)

  • Community (self-host)
    MIT-licensed; self-managed; unlimited secrets and projects
    $0 /mo
  • Cloud Free
    Up to 5 users, basic integrations
    $0 /mo
  • Cloud Pro
    About $18 per identity per month; adds RBAC, audit logs, SSO
    $18 /emp/mo
  • Cloud Enterprise
    Industry estimate $25K-$200K+ annually; adds SCIM, dedicated support, advanced compliance
    Quote

Watch for

  • Self-host operational overhead is buyer-side
  • Enterprise tier custom pricing for larger teams
  • Advanced compliance gates (HIPAA BAA, advanced audit) at Enterprise

Key features

  • MIT-licensed open-source core
  • Static secrets with project, environment, folder hierarchy
  • Environment branching and overrides
  • Native Kubernetes integration via Infisical Operator
  • CLI and SDK coverage (Node, Python, Go, Java, .NET)
  • GitHub Actions, GitLab CI, CircleCI, Jenkins, Vercel integrations
  • Open-source secret scanning for repos and pipelines
  • Audit logs and granular RBAC
  • SSO/SAML and SCIM provisioning (Pro and Enterprise)
  • Self-host option for air-gapped deployments

110+ integrations, including: Kubernetes, AWS, GCP, Azure, Vercel, GitHub Actions, GitLab CI, CircleCI, Jenkins, Terraform

Geography: Global; strongest in US, EU, India

#3

1Password Secrets Automation

Secrets automation on top of the broader 1Password Business platform.

Founded 2005 · Toronto, Canada · private · 100-20,000 employees
G2 4.7 (1,480)
Capterra 4.7
From $8 /employee/mo
◐ Partial disclosure

1Password Secrets Automation is the machine-secrets product line built on top of the broader 1Password Business platform. Founded 2005 in Toronto, the company raised a $620M Series C in Jan 2022 at a roughly $6.8B valuation led by Iconiq Growth. Secrets Automation launched 2021 and the 2024 Trelica acquisition added SaaS governance-and-discovery (shadow IT, app usage, lifecycle), positioning 1Password as a converged human+machine credentials platform. Best fit for organizations already standardized on 1Password Business that want secrets automation without adopting a separate platform; less appropriate when deep dynamic-credentials or PKI engines are the headline requirement.

Best for

Mid-market and enterprise buyers (200-10,000 employees) already standardized on 1Password Business who want machine secrets automation without adopting a separate platform.

Worst for

Engineering teams wanting Vault-tier dynamic credentials, or organizations evaluating secrets-only without a 1Password Business commitment.

Strengths

  • Built on the broader 1Password Business platform; one vendor for human and machine credentials
  • Connect server bridges on-prem CI/CD and cloud secrets workflows
  • Service Accounts model is clean and policy-driven
  • Strong CLI and SDK coverage
  • Trelica acquisition (2024) adds SaaS governance and shadow-IT discovery
  • Pricing more transparent than legacy enterprise peers (Business tier rate is public)

Weaknesses

  • Lighter on dynamic credentials than Vault or Akeyless
  • No PKI secrets engine; certificate lifecycle is not first-party
  • Best value only when 1Password Business is already in place; not a standalone-secrets buying motion
  • Secrets Automation pricing opaque (Business tier is public, Secrets Automation is custom)
  • Mid-market deployments outgrow the bundled approach when secrets become the dominant workload

Pricing tiers (partial disclosure)

  • 1Password Business
    $7.99 per user per month annual; baseline for Secrets Automation eligibility
    $8 /emp/mo
  • Secrets Automation Starter
    Industry estimate $200-$1,000 per month at small-team scale
    Quote
  • Secrets Automation Business
    Industry estimate $30K-$200K+ annually mid-enterprise
    Quote
  • Enterprise
    Adds dedicated success, custom SLAs, advanced governance
    Quote
Watch for
  • Secrets Automation priced separately above 1Password Business baseline
  • Trelica governance (post-2024) priced separately
  • Enterprise SSO/SCIM gated to higher tiers

Key features

  • +1Password Connect server for on-prem CI/CD and cloud bridging
  • +Service Accounts with scoped, policy-driven access
  • +CLI (op) with broad language coverage
  • +Kubernetes integration via 1Password Kubernetes Operator
  • +GitHub Actions, GitLab CI, CircleCI, Jenkins integrations
  • +Audit logs and event reporting
  • +SCIM provisioning for users and groups
  • +Trelica SaaS governance and discovery (post-2024)
  • +Secret references and dynamic injection at runtime
200+ integrations
Kubernetes, AWS, GCP, Azure, GitHub Actions, GitLab CI, CircleCI, Jenkins, Terraform, Okta
Geography
Global; strongest in US, EU, Canada
#6

Bitwarden Secrets Manager

Open-source heritage extended into machine secrets management.

Founded 2016 · Santa Barbara, CA · private · 50-5,000 employees
G2 4.6 (320)
Capterra 4.7
From $6 /employee/mo
● Transparent pricing
Visit Bitwarden Secrets Manager

Bitwarden built its reputation on open-source password management before extending the platform into machine secrets with Bitwarden Secrets Manager (GA 2023). The PSG-led $100M growth round in 2022 (with Battery Ventures participating) funded enterprise expansion and the secrets-management product line. The pitch is consistent with the Bitwarden brand: open-source heritage, transparent pricing, and an approachable developer experience for teams already on Bitwarden Business or Enterprise. Feature depth still trails Vault and Doppler in dynamic credentials, but Bitwarden is a credible mid-market option, especially for organizations that prefer to buy human and machine credentials from the same vendor.

Best for

Mid-market and lower-enterprise buyers (50-3,000 employees) already on Bitwarden Password Manager who want machine secrets from the same vendor, with self-host option as a fallback.

Worst for

Regulated enterprises needing CyberArk Conjur-tier evidence trails, or organizations needing Vault-tier dynamic credentials breadth.

Strengths

  • Open-source heritage maintained for both Password Manager and Secrets Manager
  • Transparent published pricing on the Bitwarden website
  • Approachable developer experience and CLI coverage
  • Strong fit for orgs already on Bitwarden Password Manager Business or Enterprise
  • Self-host option available for fully air-gapped deployments
  • PSG-led $100M growth round (2022) funded credible enterprise expansion

Weaknesses

  • Dynamic credentials coverage trails Vault and Akeyless
  • No PKI secrets engine; certificate lifecycle is not first-party
  • Secrets Manager is younger; community of practice still building
  • Best value only when Bitwarden Business is already in place
  • Audit and compliance evidence trails are lighter than enterprise peers

Pricing tiers

public
  • Bitwarden Business
    $6 per user per month annual; baseline for Secrets Manager eligibility
    $6 /emp/mo
  • Secrets Manager Team
    $6 per user per month annual; up to 5 service accounts, 50 secrets per service account
    $6 /emp/mo
  • Secrets Manager Enterprise
    $12 per user per month annual; unlimited service accounts and secrets
    $12 /emp/mo
  • Enterprise + Self-host
    Custom quote for self-host deployment with enterprise SLAs
    Quote
Watch for
  • Service account scaling at Team tier (capped at 5)
  • Premium support gated to higher tiers
  • Self-host implementation is buyer-side engineering

Key features

  • +Static secrets management with project and folder hierarchy
  • +Service accounts with scoped access tokens
  • +CLI coverage and SDK (Python, Node, Ruby, Go, Rust, Java, C#)
  • +GitHub Actions, GitLab CI, Jenkins, Kubernetes integrations
  • +Audit logs and event reporting
  • +Open-source codebase with public audit history
  • +Self-host option for air-gapped deployments
  • +SSO/SAML and SCIM provisioning
  • +Hardware security key support for human authentication
90+ integrations
Kubernetes, AWS, GitHub Actions, GitLab CI, Jenkins, Terraform, Ansible, Okta, Microsoft Entra ID, Datadog
Geography
Global; strongest in US, EU
#9

Delinea Secret Server (DevOps Secrets Vault)

Legacy Secret Server plus DevOps Secrets Vault on the Delinea Platform.

Founded 1996 · Redwood City, CA · PE-backed · 200-10,000 employees
G2 4.5 (760)
Capterra 4.6
Custom quote
○ Sales call required
Visit Delinea Secret Server (DevOps Secrets Vault)

Delinea (formed when TPG merged Thycotic and Centrify in April 2021) ships two secrets products: the long-running Secret Server (legacy IT secrets vault, primarily for human admins and service accounts) and DevOps Secrets Vault (cloud-native, API-first, for ephemeral workloads). The DevOps Secrets Vault product is the credible developer-secrets story for legacy PAM portfolio buyers; standalone, it competes more directly with Vault and Doppler. Best fit when Delinea PAM is already in place or when an existing Thycotic Secret Server estate wants a cloud-native extension. Trade-offs: TPG ownership signals a sale or recap on the 3-5 year horizon, and standalone Delinea-secrets buying motions are rare.

Best for

Mid-market and lower-enterprise buyers (200-5,000 employees) already on Delinea PAM or legacy Thycotic Secret Server wanting a cloud-native DevOps secrets extension.

Worst for

Standalone-secrets buyers without a Delinea PAM commitment (Vault, Doppler, Akeyless win), or organizations needing FedRAMP High coverage.

Strengths

  • Secret Server is a long-running, mature legacy vault used in thousands of mid-market estates
  • DevOps Secrets Vault adds a cloud-native, API-first story to the legacy portfolio
  • Account Lifecycle Manager (service-account discovery and rotation) is differentiated
  • Mid-market pricing routinely under CyberArk equivalents
  • Strong customer support consistency vs PE peers
  • Tight integration with Delinea PAM (Connection Manager, Privilege Manager)

Weaknesses

  • TPG ownership implies a sale or recap on the 3-5 year horizon
  • Standalone Delinea-secrets buying motions are rare; usually downstream of Delinea PAM
  • DevOps Secrets Vault community is smaller than Vault or Doppler
  • Pricing opaque despite mid-market positioning
  • Two product lines can confuse buyers (Secret Server vs DevOps Secrets Vault)

Pricing tiers

opaque
  • Secret Server Cloud
    Industry estimate $60-$120 per user/year
    Quote
  • DevOps Secrets Vault
    Industry estimate $30K-$200K+ annually
    Quote
  • Delinea Platform bundle
    Industry estimate $150K-$600K annually mid-enterprise
    Quote
Watch for
  • DevOps Secrets Vault priced separately from Secret Server
  • Account Lifecycle Manager priced separately
  • Implementation services for multi-tenant deployments
  • Annual price escalators 5-9% at renewal reported

Key features

  • +Secret Server (vault, session brokering, session recording)
  • +DevOps Secrets Vault (cloud-native, API-first, for ephemeral workloads)
  • +Account Lifecycle Manager (service account discovery and rotation)
  • +Connection Manager for SSH/RDP session brokering
  • +Cloud Suite (Centrify-heritage Linux identity bridging)
  • +Delinea Platform unified policy engine and reporting
  • +Kubernetes integration via DSV agent
  • +Mature compliance posture (SOC 2, ISO 27001, HIPAA, FedRAMP)
  • +Tight integration with Delinea Privilege Manager (endpoint)
200+ integrations
ServiceNow, Splunk, Microsoft Sentinel, AWS, Azure, GCP, Okta, Microsoft Entra ID, HashiCorp Terraform, Kubernetes
Geography
Global; strongest in US, EU, APAC
#10

GitGuardian Platform

Secrets-leak detection heritage extended into management (2024).

Founded 2017 · Paris, France · private · 200-50,000+ employees
G2 4.7 (260)
Capterra 4.7
From $0 /mo
○ Sales call required
Visit GitGuardian Platform

GitGuardian was the secrets-detection-first vendor of record (its public-GitHub leak monitor put it on the map), founded 2017 in Paris and raising a $44M Series B in 2022. In 2024 the company expanded explicitly into secrets management with the Non-Human Identity (NHI) Security and Vault Insights products, framing the platform as one that finds leaked credentials and helps you rotate them at the source. The pitch is consistent: if leaked-credential discovery is the headline buyer pain, GitGuardian is unrivaled. As a standalone secrets management product, it is younger and shallower than Vault, Doppler, or Akeyless; the platform value compounds when detection and management are bought together.

Best for

Security-led buyers (CISO office, 500-20,000 employees) where leaked-credential discovery is the headline pain and management is bought alongside detection.

Worst for

Platform-engineering-led teams wanting deep dynamic credentials (Vault wins) or developer-first ergonomics (Doppler, Infisical win).

Strengths

  • Strongest leaked-credentials detection in the category (public GitHub leak monitor since 2017)
  • Non-Human Identity (NHI) Security extends detection into governance for service accounts
  • Vault Insights ties leaked credentials back to upstream vault entries
  • French-headquartered with EU data-residency and GDPR posture
  • $44M Series B 2022 funded enterprise expansion into management
  • Strong fit for security-led buyers (CISO office), less so for platform-engineering buyers

Weaknesses

  • Standalone secrets management is younger and shallower than Vault, Doppler, or Akeyless
  • Best value only when detection plus management are bought together
  • Smaller community of practice on the management side
  • Pricing opaque
  • Less developer ergonomic than Doppler or Infisical
  • Dynamic credentials coverage narrower than Vault or Akeyless

Pricing tiers

opaque
  • Free (public repos)
    Public GitHub repo monitoring; up to 25 developers
    $0 /mo
  • Business (Detection)
    Industry estimate $15-$30 per developer/month
    Quote
  • Enterprise (Detection + NHI Security + Vault Insights)
    Industry estimate $60K-$500K+ annually for enterprise deployments
    Quote
Watch for
  • NHI Security and Vault Insights priced separately above detection baseline
  • Implementation services for large estates
  • Annual price escalators 6-10% at renewal reported

Key features

  • +Public GitHub repo leak monitoring (free tier and paid)
  • +Internal repo and CI/CD pipeline secrets scanning
  • +Non-Human Identity (NHI) Security for service-account governance
  • +Vault Insights to tie leaked credentials back to upstream vault entries
  • +Honeytoken generation and detection
  • +Audit logs and event reporting
  • +SSO/SAML and SCIM provisioning
  • +Slack and PagerDuty incident routing
  • +On-prem self-hosted option for regulated buyers
120+ integrations
GitHub, GitLab, Bitbucket, AWS, Azure, GCP, HashiCorp Vault, CyberArk Conjur, Slack, PagerDuty
Geography
Global; strongest in EU, US

Frequently asked questions

The questions buyers actually ask before they sign.

Does BSI IT-Grundschutz require a specific secrets management product for German KRITIS operators?
BSI IT-Grundschutz ORP.4 and KRITIS minimum security standards define capability requirements, not product mandates. KRITIS operators must maintain a privileged account and service credential inventory, implement access controls and audit logging for credential access, rotate credentials on a defined schedule, and conduct periodic access reviews. HashiCorp Vault, Akeyless, AWS Secrets Manager, and CyberArk Conjur all satisfy these requirements when deployed per their respective security hardening guides. BSI does not maintain a specific approved list for secrets management products (unlike ANSSI Visa de Sécurité in France). KRITIS operators should document their control mapping against ORP.4 and the relevant KRITIS minimum standard annexes regardless of product chosen.
How does Betriebsrat co-determination affect secrets management rollout in Germany?
BetrVG §87 No. 6 gives the Betriebsrat co-determination rights for IT systems that monitor employee conduct. Secrets management audit logs that record which employee account accessed which credential, at what time, and from which system, qualify as employee monitoring data when they can identify individuals. Before deploying audit logging features, negotiate a Betriebsvereinbarung covering: what access events are logged, who can access the logs, retention period (typically 6-24 months), employee notification, and deletion procedures. Credential vaulting and access control features (without identity-linked audit logging) are less likely to trigger §87 and can often be deployed first while negotiation proceeds. Involve your Datenschutzbeauftragter (DPO) alongside the Betriebsrat.
Why does Akeyless rank higher for Germany than for the US or UK in this category?
Akeyless's vault-less Distributed Fragments Cryptography (DFC) architecture means that Akeyless the company never holds a complete encryption key; fragments are distributed between the customer and Akeyless infrastructure. This architectural characteristic resonates specifically with German enterprise buyers who are culturally and regulatorily reluctant to hand cryptographic control to a US-headquartered vendor. Combined with AWS Frankfurt data residency (DSGVO and BSI C5 compliant), BaFin-aligned control documentation, and EUR pricing via DACH resellers, Akeyless has positioned more effectively in Germany than in comparable markets. It does not outrank HashiCorp Vault in deployment count but is the strongest growth-market alternative for German DAX 40 and FSI buyers evaluating Vault alternatives.
HashiCorp Vault vs Doppler vs AWS Secrets Manager: which one fits us?
Use Vault when you need the deepest secrets, PKI, and dynamic-credentials platform across mixed cloud and on-prem estates, and have operational expertise to run it (or pay for HCP Vault). Use Doppler when you are an engineering-led cloud-native team that prizes developer ergonomics, fast onboarding, and clean environment branching. Use AWS Secrets Manager when you are an AWS-only estate where native KMS/IAM/RDS integration outweighs portability cost. The three rarely overlap on a single shortlist.
What does HashiCorp Vault BSL license actually mean for us?
The Business Source License (BSL) restricts competing commercial use of Vault by other vendors (chiefly offering it as a hosted or embedded product) while permitting direct end-user deployments. Practically: you can still deploy Vault yourself for internal use, and each release converts to the Mozilla Public License (MPL 2.0) four years after it ships. The trust hit was twofold: community projects forked the pre-BSL code under Linux Foundation governance (OpenBao for Vault, OpenTofu for Terraform), and enterprises now factor license-change risk into long-horizon platform decisions, especially after the IBM acquisition closed in Feb 2025.
Why does secrets rotation matter, and when is it worth automating?
Rotation matters because a static, long-lived credential that leaks stays replayable until it is changed, so its blast radius is bounded only by how long it lives; short lifetimes and automatic rotation cap that window. Automate rotation as soon as you have more than about 50 service accounts or any database credentials sitting in version control or wikis. Vault, Akeyless, and AWS Secrets Manager rotate supported targets automatically; everything else typically needs a custom rotation function (a Lambda on AWS, an Azure Function, and so on) that creates the new credential, sets it on the target, verifies it works, and only then promotes it, so consumers never see a half-applied rotation.
KMS vs vault: are they different things?
Yes. A KMS (Key Management Service) manages encryption keys and performs encryption/decryption operations (AWS KMS, GCP KMS, Azure Key Vault). A secrets vault stores the application secrets themselves (passwords, API keys, OAuth tokens) and often uses a KMS as its backing encryption layer. Some platforms blur the line: Akeyless is KMS-as-a-service plus secrets, AWS Secrets Manager uses AWS KMS underneath. Practically, ask whether the product holds your application secrets or only your encryption keys.
Is AWS Secrets Manager lock-in a real problem for us?
Yes if you are likely to add Azure or GCP workloads, or if you want to support a hybrid on-prem estate. Migrating off AWS Secrets Manager later requires rewriting integration points (IAM policies, KMS dependencies, rotation Lambdas), and the rotation automation is AWS-target-specific. If you are 100 percent AWS today and likely to stay that way, lock-in is a price worth paying for native integration. If multi-cloud is on the roadmap, start with Vault, Doppler, or Akeyless and federate to cloud services rather than the other way around.
How is GitGuardian different from a secrets management platform?
GitGuardian started as a detection product (find leaked secrets in public and private repos) and expanded into management with Non-Human Identity Security and Vault Insights in 2024. As a pure secrets management platform, it is younger and shallower than Vault or Doppler. The platform shines when you buy detection plus management together: leaked credentials in repos get tied back to upstream vault entries, and rotation closes the loop. Buyers led by CISO offices typically pick GitGuardian; buyers led by platform-engineering pick Vault or Doppler.
When does an organization actually need secrets management?
You need secrets management when you have more than about 25 services or environments and credentials are spilling into .env files, CI/CD variables, wikis, or chat. Symptoms: developers ping the platform team for credentials, audits flag credential reuse, and nobody can say who rotated the database password last quarter. Below that scale, AWS Secrets Manager or a per-app .env workflow with environment-variable injection is usually enough, provided the .env files stay out of version control and chat. Above it, you need a platform with audit logs, RBAC, rotation, and dynamic credentials.
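Finding the spill described above (and the detection side of the GitGuardian question earlier in this FAQ), as an added example rather than GitGuardian's or anyone else's detector: a regex pass for a few publicly documented token shapes, plus a generic KEY=value rule gated by Shannon entropy so that placeholders and template references are not reported. SAMPLE_ENV is constructed for the example; its AWS values are the well-known documentation examples and the rest are invented. Findings carry a redacted value on purpose, because a scanner that echoes the secret into its own output has just leaked it again.

```python
"""Regex-plus-entropy scan for credentials that have spilled into .env
files, CI variables, or chat logs. Added example, not GitGuardian's
detector. The patterns cover a few well-known token shapes plus a generic
KEY=value rule gated by Shannon entropy. SAMPLE_ENV is constructed."""
import math
import re
from collections import Counter
from typing import List, NamedTuple

# Structured token shapes (prefix formats are public vendor conventions).
STRUCTURED = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github-pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("private-key", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
]
# Generic KEY=value assignment where the key name suggests a credential.
GENERIC = re.compile(
    r"(?i)([A-Za-z0-9_.-]*(?:password|passwd|secret|api[_-]?key|token)"
    r"[A-Za-z0-9_.-]*)\s*[=:]\s*['\"]?([^\s'\"]{8,})"
)
# Values that are obviously not secrets: env references, templates, placeholders.
PLACEHOLDER = re.compile(r"^(\$\{.*\}|\$[A-Z_]+|<[^>]*>|changeme|x+|\*+)$", re.I)
ENTROPY_THRESHOLD = 3.0  # bits per character; tune per corpus


class Finding(NamedTuple):
    line_no: int
    rule: str
    redacted: str  # never the full value: the scanner must not re-leak it


def shannon_entropy(value: str) -> float:
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    return f"{value[:4]}...({len(value)} chars)"


def scan(text: str) -> List[Finding]:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        hit = False
        for rule, pattern in STRUCTURED:
            m = pattern.search(line)
            if m:
                findings.append(Finding(line_no, rule, redact(m.group(0))))
                hit = True
        if hit:
            continue  # a structured match already covers this line
        m = GENERIC.search(line)
        if not m:
            continue
        value = m.group(2)
        if PLACEHOLDER.match(value) or shannon_entropy(value) < ENTROPY_THRESHOLD:
            continue  # template reference, placeholder, or too regular to be a key
        findings.append(Finding(line_no, "generic-assignment", redact(value)))
    return findings


# Constructed sample: AWS documentation example keys and invented strings.
SAMPLE_ENV = """\
# .env committed by accident (constructed sample)
DB_PASSWORD=s3cr3t-H0rse-Battery-9f2a
API_KEY=${API_KEY}
ADMIN_PASSWORD=changeme
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz
-----BEGIN OPENSSH PRIVATE KEY-----
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_ENV):
        print(f"line {f.line_no}: {f.rule} {f.redacted}")
```

Run against the sample it reports five lines and stays silent on the `${API_KEY}` reference and the `changeme` placeholder. The entropy gate is a heuristic: raise the threshold to cut noise, lower it to catch short human-chosen passwords, and treat every structured hit as a rotation task, not just a lint warning.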
What is a dynamic credential, and why does it matter?
A dynamic credential is generated on demand, scoped narrowly, and expires after a short TTL (minutes to hours) instead of being a long-lived static value. Example: Vault's AWS secrets engine issues a fresh IAM credential each time a CI pipeline runs, with permissions limited to that job, and the lease is revoked when the pipeline finishes or lapses at its TTL. Dynamic credentials collapse the blast radius of a compromise; a static credential retains full power until someone rotates it. Vault, Akeyless, and CyberArk Conjur lead on dynamic credentials breadth.
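What "scoped, short-lived, and revocable" means mechanically, as an added example that is not Vault's, Akeyless's, or Conjur's token format: an issuer mints an HMAC-signed credential carrying a subject, an allowed-action list, an expiry, and a lease id, and every use re-checks signature, expiry, lease, and scope. The signing key, the injected clock, and the action names (`s3:GetObject` style strings) are assumptions for the example; a real issuer would back the lease table with durable storage and rotate the signing key.

```python
"""Lease-based dynamic credential: scoped, short-lived, revocable. Added
example, not any vendor's token format. Claims are HMAC-SHA256 signed and
a lease table lets a credential be killed the moment the job that used it
finishes. Signing key and clock are injected (assumptions) for testability."""
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class LeaseIssuer:
    def __init__(self, signing_key: bytes, clock=time.time):
        self._key = signing_key
        self._clock = clock
        self._leases = {}  # lease id -> expiry (epoch seconds)

    def issue(self, subject: str, scope, ttl_seconds: int) -> str:
        """Mint a credential for one job, limited to `scope`, dead after TTL."""
        now = int(self._clock())
        claims = {
            "sub": subject,
            "scope": sorted(scope),
            "iat": now,
            "exp": now + ttl_seconds,
            "lease": secrets.token_hex(8),
        }
        body = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
        tag = hmac.new(self._key, body.encode(), hashlib.sha256).digest()
        self._leases[claims["lease"]] = claims["exp"]
        return f"{body}.{_b64(tag)}"

    def revoke(self, token: str) -> None:
        """Early termination, e.g. when the pipeline that held it finishes."""
        claims = self._verify(token)
        if claims is not None:
            self._leases.pop(claims["lease"], None)

    def _verify(self, token: str):
        # Check the MAC before parsing anything from the untrusted body.
        try:
            body, tag = token.split(".", 1)
            provided = _unb64(tag)
        except ValueError:
            return None
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, provided):
            return None
        try:
            return json.loads(_unb64(body))
        except ValueError:
            return None

    def authorize(self, token: str, action: str):
        """Return (allowed, reason). Expiry and revocation are re-checked on
        every use, so a leaked credential's power still ends on schedule."""
        claims = self._verify(token)
        if claims is None:
            return False, "bad signature"
        if self._clock() >= claims["exp"]:
            self._leases.pop(claims["lease"], None)
            return False, "expired"
        if claims["lease"] not in self._leases:
            return False, "revoked"
        if action not in claims["scope"]:
            return False, "out of scope"
        return True, "ok"


if __name__ == "__main__":
    issuer = LeaseIssuer(secrets.token_bytes(32))
    token = issuer.issue("ci-job-42", {"s3:GetObject"}, ttl_seconds=300)
    print(issuer.authorize(token, "s3:GetObject"), issuer.authorize(token, "s3:DeleteObject"))
```

Contrast this with a static key: nothing in the static key's bytes tells the verifier when it should stop working, so its lifetime is whatever the rotation schedule (or the incident response) makes it.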
Should we self-host Vault, OpenBao, Infisical, or Bitwarden Secrets Manager?
Self-host when you have an absolute data-residency or air-gap requirement and the operational expertise to run encrypted storage, replication, and unsealing properly. OpenBao (the BSL-free Vault fork) is the OSS choice if you reject the BSL. Infisical and Bitwarden Secrets Manager are easier to self-host than Vault but trade depth on dynamic credentials. The hidden cost of self-host is always operational: secret backups, unseal-key recovery, replication health, and patching. Most teams under 1,000 employees should use SaaS (HCP Vault, Doppler, AWS Secrets Manager, Bitwarden Cloud) unless self-host is a hard requirement.
How does Zendikt verify pricing and trust scores?
Pricing data comes from public vendor pages, reseller quotes, and 280+ anonymized buyer disclosures aggregated through the Zendikt verified-pricing program. Industry estimates are explicitly flagged in tier notes. Trust events come from public 10-K filings, breach disclosures filed with regulators, reported M&A activity, and license-change announcements. Vendor Trust Score is the unweighted mean of six independent subscores (pricing transparency, contract fairness, incident response, post-acquisition behavior, executive stability, roadmap honesty) and is tracked separately from product quality on purpose: a strong product owned by a punitive vendor or saddled with a hostile license is still a bad five-year decision.

Final word


Last updated 2026-05-19. Local pricing reverified quarterly.