Executive Summary
Privileged credentials are the keys to the kingdom — but the keys you can’t find are the ones that get you breached, which is why PAM is judged on what it discovers and reaches, not on the vault it demos.
Privileged Access Management secures the most powerful credentials in the enterprise: domain and root accounts, database and hypervisor logins, cloud-console superusers, the service accounts that glue systems together, and the API keys and secrets that infrastructure and pipelines pass around all day. Compromise one of these and an attacker stops being a visitor and becomes an administrator — free to move laterally, disable controls, exfiltrate data, and deploy ransomware. That is why privileged accounts sit at the center of so many serious breaches, and why PAM is treated as foundational to a Zero Trust program rather than as one more security tool.
This guide evaluates 8 platforms — CyberArk, BeyondTrust, Delinea, One Identity, WALLIX, HashiCorp Vault, Teleport, and Keeper Security — across the capabilities a real program lives or dies on: credential vaulting and rotation, privileged session control and recording, just-in-time access, secrets management for cloud and DevOps, and the discovery and analytics that find what you forgot you had. It is written for the CISO, the IAM architect, and the platform-engineering lead who have to make those pieces cover one messy, hybrid estate.
The hardest trade-off is not which vendor scores best on a feature grid; it is which model your environment actually needs. Legacy PAM is built around a hardened vault, jump hosts, and recorded sessions — excellent control for human administrators on long-lived systems, but it leans on agents, proxies, and connectors that are slow to deploy and easy to route around. The modern camp — secrets management, identity-native infrastructure access, and just-in-time, zero-standing-privilege grants — fits cloud and ephemeral workloads far better, but trades session-recording depth and turnkey compliance reporting for engineering effort. Most enterprises end up needing both, and the deciding question is whether a given platform can actually reach, discover, and govern every privileged and non-human identity you own — not just the fifty admin accounts that are easy to vault.
Why PAM Is the Control Attackers Hope You Skipped
Privileged accounts are the difference between a contained incident and a catastrophic one. Standard user credentials buy an attacker a foothold; a privileged credential — a domain admin, a root key, a cloud organization owner, a CI/CD pipeline token — buys them the building. The same power that makes these accounts indispensable to operations is exactly what makes their compromise unrecoverable: with them, an adversary can disable logging, alter access policy, pivot across trust boundaries, and erase their own tracks. PAM is the control that shrinks that blast radius, and it is consequential precisely because almost every other security investment assumes it is already in place.
What makes the PAM decision genuinely hard is that the privileged estate is far larger and messier than anyone’s inventory says. For every named human administrator there are typically many more non-human identities — service accounts, scheduled tasks, application-to-application credentials, embedded secrets, SSH keys, and the machine and agent identities now multiplying across cloud-native stacks. These are the accounts nobody rotates, nobody owns, and nobody can fully enumerate, and they are where real attacks land. A PAM program that vaults the obvious human accounts while leaving service accounts and secrets sprawling is not a smaller win; it is a false sense of security with an audit-clean dashboard on top.
The 2026 dynamics all push in one direction: away from the standing vaulted password and toward ephemeral, brokered access. Secrets management for DevOps and cloud-native workloads has become table stakes; identity-native infrastructure access issues short-lived certificates instead of passwords; cloud infrastructure entitlement management (CIEM) is being folded in to right-size standing cloud permissions; and identity threat detection and response (ITDR) watches privileged activity for the misuse a static control can’t catch. The newest pressure is non-human and agentic identity — AI agents and autonomous workloads that need scoped, governed, revocable privilege in real time, which is precisely the gap the modern PAM challengers are racing to fill.
The other unmistakable trend is consolidation. PAM is converging with the rest of identity security: vendors are unifying privileged access with secrets management, CIEM, ITDR, and secure remote access into single platforms, and the ownership of the category is shifting through major M&A as the platform vendors absorb the specialists. That makes roadmap and ownership a first-class part of the decision — the standalone PAM you buy today may be a module inside a larger identity-security suite tomorrow.
The Real Sourcing Decision
Almost nobody builds a full PAM platform from scratch — the vaulting, rotation, session brokering, and compliance machinery are too specialized and too consequential to get wrong. The genuine build-vs-buy question in this category is narrower and sharper: where it makes sense to use open-source or platform-native primitives (HashiCorp Vault, a hyperscaler’s secrets manager and short-lived credentials, certificate-based SSH) versus where you need a packaged PAM suite with session recording, approval workflows, and audit-ready reporting out of the box. Engineering-led organizations frequently start by assembling secrets management themselves and discover, a year in, that they have built a credential store but not the human-administrator controls, discovery, and compliance evidence that an auditor actually asks for.
So the real decision is which camp to buy from and how to split the estate between them. A traditional vault-and-session suite is the right anchor when the dominant risk is human administrators touching long-lived servers, databases, and network gear under a compliance regime that demands recorded sessions. A modern secrets-and-just-in-time platform is the better fit when the privileged surface is ephemeral — cloud workloads, Kubernetes, pipelines, and machine identities that live for minutes. Frame the choice around what your privileged identities look like and how long they live, not around which vendor has the longest feature list, and assume most enterprises will run a legacy core for people and a modern layer for infrastructure rather than forcing one tool to do both badly.
| Scenario | Recommendation | Rationale |
|---|---|---|
| No PAM at all — shared admin passwords, local admin everywhere | Deploy a vault-led PAM now | Shared and unmanaged privileged credentials are the most common serious audit finding and the easiest path to lateral movement. Start with discovery, vault the highest-risk human accounts, and enforce rotation before anything else. |
| Legacy PAM for servers, no cloud or DevOps coverage | Extend to secrets and JIT | The vault protects human logins but not pipeline tokens, cloud roles, or Kubernetes secrets. Add secrets management and just-in-time cloud access rather than forcing developers through a jump host they will route around. |
| HashiCorp Vault in place for secrets only | Add session control & reporting | Vault handles machine secrets well but lacks privileged session recording, human approval workflows, and packaged compliance evidence. Layer a PAM suite for the human and audit side rather than rebuilding it on top of Vault. |
| Cloud-native, ephemeral infrastructure, engineering-led | Adopt identity-native / JIT access | Short-lived certificates, brokered access, and zero standing privilege fit ephemeral workloads far better than vaulting passwords that may not exist next hour. Prioritize discovery of machine and service identities first. |
| Strict compliance, recorded-session mandate (finance, healthcare, OT) | Buy a session-recording PAM suite | When regulators or auditors require keystroke-level recording, four-eyes approval, and isolated jump hosts, a purpose-built suite delivers that turnkey; assembling it from primitives is slow and hard to defend in an audit. |
| Mid-market or lean team, hybrid but not huge | Choose cloud-native, low-friction PAM | A SaaS-delivered platform with light agents and fast onboarding gets you to vaulting and JIT without standing up appliances and connectors you don’t have staff to run; validate discovery depth before you commit. |
Key Capabilities & Evaluation Criteria
Weight these domains against your own estate before you score a single vendor. An organization running mostly long-lived Windows and network infrastructure under a recorded-session mandate will rank session control and vaulting highest; a cloud-native, DevOps-heavy shop will push secrets management and just-in-time access to the top and treat session recording as secondary. The one domain nobody should under-weight is discovery: a platform that cannot find your unmanaged privileged and service accounts cannot protect them, and that gap is invisible on every demo. Force the trade-off explicitly rather than assuming one tool maximizes all five.
| Capability Domain | Weight | What to Evaluate |
|---|---|---|
| Credential Vaulting & Rotation | 25% | Encrypted vault with checkout/check-in, automated rotation for passwords, SSH keys, and certificates, service-account and application-to-application credential management, vault high availability and disaster recovery, and the strength of the break-glass design when the vault itself is unavailable |
| Privileged Session Management | 20% | Session brokering and isolation (the credential never reaches the endpoint), full keystroke and video recording with searchable audit, real-time monitoring and session termination, four-eyes approval, and how heavily it depends on jump hosts and proxies that add latency or single points of failure |
| Just-in-Time & Zero Standing Privilege | 20% | Time-bound, request-and-approve elevation, removal of standing admin rights in favor of ephemeral grants, runtime/continuous authorization, certificate-based access without persistent passwords, and emergency break-glass that is fast yet fully audited |
| Secrets & Non-Human Identity Management | 20% | Dynamic, short-lived secrets, API-based retrieval and injection into CI/CD, native Kubernetes and cloud-provider integration, broad authentication backends, governance of machine, workload, and emerging AI-agent identities, and whether it brokers existing cloud secret stores rather than forcing yet another silo |
| Discovery, Analytics & Compliance | 15% | Continuous discovery of privileged, service, and orphaned accounts across AD, cloud, databases, and SaaS, secrets and SSH-key discovery, risk scoring and privileged-behavior analytics (ITDR), SIEM integration, and out-of-the-box certification and reporting for SOX, PCI DSS, HIPAA, SOC 2, and DORA |
Vendor Landscape
The PAM field sorts into two camps that increasingly bleed into each other. The legacy core — CyberArk, BeyondTrust, Delinea, One Identity, and WALLIX — grew up around a hardened vault, jump hosts, and recorded sessions, and remains the gold standard for governing human administrators on long-lived systems with audit-grade evidence; all five are now racing to add secrets management, CIEM, ITDR, and just-in-time access on top. The modern camp — HashiCorp Vault for secrets, Teleport for identity-native infrastructure access, and the cloud-native, zero-knowledge approach of Keeper Security — was built for ephemeral cloud workloads, machine identities, and developer velocity, and trades session-recording depth and turnkey compliance for short-lived credentials and lighter deployment. The deciding question is rarely which camp is “better” — it is which one matches the shape and lifespan of your privileged identities, and most large enterprises end up buying from both.
Ownership and M&A are reshaping this market in real time, so confirm current status before you sign. Palo Alto Networks agreed in July 2025 to acquire CyberArk in a roughly $25 billion cash-and-stock deal; CyberArk shareholders approved it in November 2025, and the deal closed on 11 February 2026 — a signal of how strategically the platform vendors now view privileged identity. IBM completed its acquisition of HashiCorp (Vault and Terraform) in February 2025, putting the leading secrets manager inside IBM’s hybrid-cloud portfolio. Delinea was formed in 2021 from the merger of Thycotic and Centrify — led by TPG Capital, with Thoma Bravo retaining a minority stake — and rebranded from ThycoticCentrify in February 2022; in January 2026 it agreed to acquire modern access vendor StrongDM, a deal that closed in March 2026 and bolts just-in-time runtime authorization onto its platform. BeyondTrust is owned by Francisco Partners with Clearlake Capital as a minority investor (its roots trace to the 2018 Bomgar acquisition), and One Identity is a business unit of Quest Software, owned by Clearlake Capital. WALLIX remains the lone European pure-play of scale, and Teleport and Keeper are independent challengers.
Profiles below run from the enterprise leaders through the modern challengers. Treat the badges as shorthand for where each vendor sits in the legacy-versus-modern split, not as a ranking — the right shortlist depends on which problem dominates your estate.
CyberArk
Strengths: The category benchmark and a Gartner Magic Quadrant Leader for PAM for the seventh consecutive time, trusted by more than 10,000 organizations and over half of the Fortune 500. Deepest enterprise vaulting and session control, the broadest connector and compliance coverage, and a serious modern stack — Secrets Manager (formerly Conjur), Secrets Hub to broker AWS, Azure, and HashiCorp Vault stores, and SPIFFE-based workload identity — now unified under its Identity Security Platform. Considerations: Power comes with weight: classic deployments are complex and agent/proxy-heavy, pricing sits at the premium end, and the SaaS modernization spans many modules to license and stitch together. The Palo Alto Networks acquisition closed in February 2026, so packaging, roadmap, and integration direction are still settling under new ownership.
BeyondTrust
Strengths: A Gartner Magic Quadrant Leader that unifies privileged password and session management, endpoint privilege management, and secure remote access — a genuine strength for organizations that also support third parties and help-desk access. Its Pathfinder platform, launched in 2025, folds PAM together with ITDR, secrets management, CIEM, and remote access into a single identity-security view, often at more approachable commercials than the category leader. Considerations: The breadth spans products with different lineages still converging onto one platform, so test the seams; cloud-native secrets and DevOps depth trail the most engineering-focused tools. Francisco Partners has publicly explored a sale, so weigh potential ownership change into a multi-year commitment.
Delinea
Strengths: Formed from Thycotic and Centrify, Delinea is a Gartner Magic Quadrant Leader known for fast time-to-value and a notably cleaner administrator experience than the legacy norm, anchored by Secret Server and a cloud-delivered platform. Its March 2026 acquisition of StrongDM adds just-in-time runtime authorization, developer-first infrastructure access, and a credible zero-standing-privilege path for cloud-native and agentic workloads. Considerations: Some of the deepest, most specialized enterprise scenarios still favor CyberArk’s coverage, and the StrongDM capabilities are freshly acquired, so validate how far the integration has matured for your use cases rather than assuming a single seamless platform on day one.
One Identity
Strengths: Safeguard delivers hardened appliance-based (and now SaaS) vaulting and session management with strong privileged session recording and analytics, recognized in the 2025 Gartner Magic Quadrant for PAM. Its real differentiator is breadth across the One Identity family — PAM, IGA, and Active Directory management under one roof — which appeals to teams that want privileged access governed alongside the rest of identity rather than in a silo. Considerations: The portfolio can feel like integrated parts more than one seamless fabric, and cloud-native secrets and DevOps depth trail the specialists. As a Clearlake-owned business unit inside Quest, track investment focus and roadmap priority over a long contract.
WALLIX
Strengths: The leading European pure-play and the only European vendor in the 2025 Gartner Magic Quadrant for PAM. WALLIX Bastion combines session manager, password vault, access manager, privilege elevation (PEDM), and application-to-application password management, with a notably lightweight, agentless-leaning proxy architecture and recent web-session control — and genuine strength in OT and industrial environments where many tools struggle. Considerations: Smaller scale and partner ecosystem than the global leaders, with a footprint strongest in EMEA; secrets management and cloud-native DevOps depth are lighter than the specialist tools. Best fit where European data residency, sovereignty, or OT coverage is a hard requirement.
HashiCorp Vault
Strengths: The de facto standard for secrets management and the heart of the modern, machine-first approach: centralized secret storage, dynamic short-lived secrets, encryption-as-a-service, and best-in-class integration with Kubernetes, cloud providers, and CI/CD. A large practitioner community, a self-managed Enterprise edition, and the consumption-based HCP Vault cloud service. Now part of IBM following the February 2025 acquisition, broadening its hybrid-cloud and support backing. Considerations: Vault is a secrets engine, not a full PAM suite — no privileged session recording, human approval chains, or packaged compliance reporting — so it covers the machine side and leaves the human and audit side to another tool. Running it well demands real engineering capacity, and the source moved to the Business Source License in 2023.
Teleport
Strengths: An identity-native infrastructure access platform built on short-lived certificates rather than passwords, giving engineers unified, audited access to SSH servers, Kubernetes, databases, and internal apps with session recording and just-in-time approvals included — PAM patterns reimagined for cloud-native teams. Its 2025 push into machine and workload identity extends the same model to non-human and AI-agent access, with a popular open-source community edition. Considerations: Scope is deliberately infrastructure access, not enterprise-wide PAM — it does not cover Windows desktop privilege, classic password vaulting for legacy estates, or the breadth of compliance reporting the suites provide. It complements rather than replaces a traditional vault for organizations with heavy legacy footprints.
Keeper Security
Strengths: KeeperPAM is a unified, zero-trust and zero-knowledge platform that brings password and passkey management, secrets management, connection and session management, remote browser isolation, and endpoint privilege management together in one cloud-native service that is genuinely fast to deploy. Recognized in the 2025 Gartner Magic Quadrant for PAM, with strong compliance posture including FedRAMP and GovRAMP authorization and FIPS 140-3 validation. Considerations: A newer entrant to enterprise PAM relative to the incumbents, so validate references at your scale and the depth of session recording and approval workflows against the established suites. Its zero-knowledge architecture is a security strength but shapes how recovery and administration work — understand the model before committing.
Pricing Models & Cost Structure
PAM pricing rarely reduces to a single number because vendors meter on different units — privileged users, managed targets or assets, protected resources, secrets or nodes, consumption — and the license is often the smaller half of the bill. The reliable surprises live in deployment: the connectors, jump hosts, and high-availability vault infrastructure you stand up; the professional services to onboard thousands of targets; the internal engineers who run the platform; and the modules that turn the base vault into a full program. A platform with an attractive per-user list price can become the expensive option once session managers, secrets management, endpoint privilege, and analytics are each licensed separately.
Model the cost against your real privileged estate and the modules you will actually switch on, not the seat count alone. Open-source and platform-native options (HashiCorp Vault’s community edition, a hyperscaler’s native secrets) look free until you price the engineering time to operate and secure them at scale — the cost moves from license to labor, it does not disappear. And weigh the friction of the deployment model directly: an agent- and proxy-heavy architecture carries real implementation and operational cost that a lighter SaaS approach avoids, which is why time-to-coverage belongs in the TCO conversation alongside the subscription.
| Vendor | Pricing Model | Relative Tier | Key Cost Drivers |
|---|---|---|---|
| CyberArk | Per-identity / per-target, modular subscription | Premium | Privileged user and target counts; modules (vault, session manager, EPM, Secrets Manager, Secrets Hub); SaaS platform services; professional services and HA infrastructure |
| BeyondTrust | Per-asset / per-user, bundled platform | Moderate–Premium | Managed assets and users; module bundle (password, session, endpoint privilege, remote access); Pathfinder platform scope; deployment model |
| Delinea | Per-user / per-secret, SaaS or self-hosted | Moderate | Privileged user count; Secret Server vs. full Platform tier; added JIT/StrongDM access; cloud vs. on-prem; session and analytics add-ons |
| One Identity | Per-user / per-asset; appliance or SaaS | Moderate | Managed users and assets; Safeguard appliance vs. SaaS; session management and analytics; bundling with One Identity IGA/AD modules |
| WALLIX | Per-target / per-resource subscription or perpetual | Lower–Moderate | Managed resources and sessions; Bastion components (session, password, access, PEDM, AAPM); on-prem vs. cloud; OT/web-session scope |
| HashiCorp Vault | Open source; Enterprise per-node; HCP consumption | Lower–Moderate | Free community edition; Enterprise priced by node/cluster; HCP Vault consumption-based; engineering effort to operate and secure at scale |
| Teleport | Per-resource, tiered (Community / Enterprise) | Lower–Moderate | Protected resources and connected agents; Enterprise tier for SSO, RBAC, and compliance; machine/workload identity scope; self-hosted vs. cloud |
| Keeper Security | Per-user subscription, modular add-ons | Lower–Moderate | User count; KeeperPAM modules (secrets, connection manager, remote browser isolation, EPM); compliance/FedRAMP edition; deployment scale |
Implementation & Migration
Sequence a PAM rollout around risk and reachability, not around the module list. The two parts that run long are discovering and onboarding the full privileged estate — including the service accounts and secrets nobody inventoried — and getting administrators and developers to actually work through the new access paths instead of around them. Plan the agents, proxies, and break-glass from the start, and treat coverage as the metric that matters.
Run continuous discovery across AD, cloud, databases, and SaaS to find privileged, service, and orphaned accounts; vault the highest-risk human credentials (domain admin, root, hypervisor, cloud owners) first; enable automated rotation; and stand up break-glass before anyone depends on the vault. Expect discovery to surface far more than your CMDB shows — that gap is the real scope.
Turn on session brokering and recording for critical systems, replace standing admin rights with just-in-time, time-bound elevation and approval chains, and onboard administrators in waves. The friction here is human: if the proxy adds latency or breaks a workflow, admins find a bypass, so co-design the access path with the teams who live in it.
Extend to the machine side — integrate secrets management into CI/CD, replace embedded credentials with dynamic short-lived secrets, govern service accounts and SSH keys, and wire in Kubernetes and cloud secret stores (brokering existing ones rather than creating another silo). This is where developer adoption is won or lost, so meet engineers in their pipelines, not a separate console.
Enable privileged-behavior analytics and ITDR, feed sessions and events to the SIEM, drive toward zero standing privilege, and operationalize compliance certification and reporting. Re-run discovery on a schedule and track coverage as a living KPI — a PAM program is operated continuously, not finished at go-live, because new privileged and machine identities appear every week.
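As an added example (not from this guide or any vendor's tooling), the script below turns the "coverage as a living KPI" idea from the phases above into something you can run: it joins a constructed discovery export against what the vault manages and what the CMDB lists, then reports vault coverage, orphaned and stale service accounts, accounts the CMDB never knew about, and a worst-gaps-first onboarding order. The CSV columns, account names, 90-day rotation threshold and the as-of date are all constructed assumptions.

```python
import csv
import io
import json
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

STALE_DAYS = 90                 # assumed rotation policy for service-account credentials
TODAY = date(2026, 3, 31)       # constructed as-of date so the run is reproducible

# Constructed discovery export, shaped like an AD / cloud IAM scan result.
# Columns: name, kind (human|service), privileged (yes|no), owner, last_rotated (ISO date)
DISCOVERY_CSV = """\
name,kind,privileged,owner,last_rotated
domain-admin-jdoe,human,yes,jdoe,2026-03-01
root@db-prod-01,human,yes,dba-team,2025-12-01
cloud-org-owner,human,yes,cloud-team,2026-01-20
svc-backup,service,yes,ops,2024-06-15
svc-legacy-etl,service,yes,,
ci-deploy-token,service,yes,platform,2026-02-10
alice,human,no,alice,2026-03-15
"""
# Constructed: what the vault currently manages, and what the CMDB inventories.
VAULTED: Set[str] = {"domain-admin-jdoe", "root@db-prod-01", "cloud-org-owner"}
CMDB: Set[str] = {"domain-admin-jdoe", "root@db-prod-01", "cloud-org-owner", "svc-backup", "alice"}


@dataclass(frozen=True)
class Account:
    name: str
    kind: str
    privileged: bool
    owner: Optional[str]
    last_rotated: Optional[date]


def parse_discovery(text: str) -> List[Account]:
    """Parse the discovery CSV; empty owner / date cells become None."""
    rows = csv.DictReader(io.StringIO(text))
    return [
        Account(
            name=r["name"],
            kind=r["kind"],
            privileged=r["privileged"].strip().lower() == "yes",
            owner=r["owner"] or None,
            last_rotated=date.fromisoformat(r["last_rotated"]) if r["last_rotated"] else None,
        )
        for r in rows
    ]


def is_stale(acct: Account, today: date) -> bool:
    """Service credentials with no rotation on record, or older than policy, are stale."""
    if acct.kind != "service":
        return False
    return acct.last_rotated is None or (today - acct.last_rotated).days > STALE_DAYS


def assess(accounts: List[Account], vaulted: Set[str], cmdb: Set[str], today: date) -> Dict[str, object]:
    """Compute the coverage KPI and the gap lists discovery is meant to surface."""
    priv = [a for a in accounts if a.privileged]
    unvaulted = [a for a in priv if a.name not in vaulted]

    # Onboarding priority: unvaulted is the baseline; no owner weighs most,
    # stale rotation and absence from the CMDB each add a point.
    def gap_score(a: Account) -> int:
        return 1 + 2 * (a.owner is None) + int(is_stale(a, today)) + int(a.name not in cmdb)

    return {
        "privileged_total": len(priv),
        "vault_coverage": round((len(priv) - len(unvaulted)) / len(priv), 2) if priv else 1.0,
        "unvaulted": sorted(a.name for a in unvaulted),
        "orphaned": sorted(a.name for a in priv if a.owner is None),
        "stale_rotation": sorted(a.name for a in priv if is_stale(a, today)),
        "unknown_to_cmdb": sorted(a.name for a in priv if a.name not in cmdb),
        "onboarding_order": [a.name for a in sorted(unvaulted, key=lambda a: (-gap_score(a), a.name))],
    }


def report() -> Dict[str, object]:
    """Run the assessment over the constructed inputs."""
    return assess(parse_discovery(DISCOVERY_CSV), VAULTED, CMDB, TODAY)


if __name__ == "__main__":
    print(json.dumps(report(), indent=2))
```

Re-running this on each discovery cycle and tracking `vault_coverage` over time is the KPI the phases above describe; the real-world version reads the vault's and CMDB's exports instead of the constructed sets.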
Selection Checklist & RFP Questions
Use this checklist on a real RFP to make sure each shortlisted platform covers what actually decides a PAM program — reach and discovery, control depth, the modern secrets-and-JIT layer, and audit-ready evidence — proven on your own estate rather than promised on a slide.