← All posts
Palo Alto Buys CyberArk for $25 Billion. What It Means for Identity Security.

Palo Alto Buys CyberArk for $25 Billion. What It Means for Identity Security.

2026-02-10 7 min read
identity-securitypalo-altocyberarkentra-idzero-trustm&a

Palo Alto Networks is buying CyberArk for $25 billion. Not for the firewalls. Not for network security. For identity.

The world's largest pure-play network security company is saying: "Identity is the missing piece in our platform." And they're willing to pay a 26% premium to close the gap.

Identity is the attack vector

I've worked with identity security in Entra ID, Defender for Identity, and Sentinel for over three years. In almost every single engagement, identity is attack vector number one.

Not sophisticated zero-days. Not advanced malware. Stolen credentials. Phishing. Misconfigured permissions. That's what takes down organizations.

Palo Alto has figured this out. They've built a solid platform for network security, endpoint (Cortex XDR), cloud security (Prisma), and SASE. But they've been missing privileged access management, identity governance, and secrets management. CyberArk fills that gap.

What CyberArk actually brings to the table

CyberArk is not a random acquisition. They're the market leader in privileged access management (PAM) and have built a strong position across:

  • Privileged Access Management: vault, session recording, just-in-time access
  • Secrets Management: Conjur, machine identities, DevOps integrations
  • Identity Governance: lifecycle management, access certification
  • Workforce Identity: SSO and adaptive MFA

They reported record revenue in 2025. ARR grew over 30%. This is not a company that got bought because it was struggling. It got bought because identity security is where the market is heading.

What this means for Microsoft customers

This is where it gets interesting for those of us living in the Microsoft ecosystem.

Microsoft has Entra ID for identity, Defender for Identity for threat detection, and Privileged Identity Management (PIM) for privileged access. Solid foundation. But with limitations.

Entra PIM handles Azure and Microsoft 365 roles. CyberArk handles everything else: Linux servers, databases, network equipment, OT systems, cloud consoles outside Azure. Most enterprises are hybrid, and in a hybrid world you need both.

The question is whether Palo Alto will now build a platform that competes directly with Microsoft's identity stack, or position themselves as a complementary layer for everything Microsoft doesn't cover.

Based on what I'm seeing in the market, I'd bet on both. They'll build integrations with Entra ID (they already have XSOAR connectors), but they'll also offer an alternative for organizations that don't want all their identity eggs in the Microsoft basket.

The consolidation wave

Palo Alto + CyberArk isn't isolated. Look at what's happened in the past year:

  • Google bought Wiz for $32 billion (cloud security)
  • Cisco is integrating Splunk (SIEM + observability)
  • CrowdStrike is building out identity modules internally

The big platforms want to own the entire security surface. Network, endpoint, cloud, identity, data, all in one console.

For security teams, this means simpler operations: fewer vendors, fewer integrations, fewer consoles. But it also means vendor lock-in, higher switching costs, and less freedom of choice.

I've done assessments for 40+ organizations, and most don't struggle to find the right tool. They struggle to use the tools they already have. A consolidated platform play from Palo Alto doesn't solve that problem. It can make it worse if the implementation doesn't keep up.

What to do now

Three concrete things if this feels relevant:

1. Map your identity surface. Not just Entra ID. Where do you have privileged accounts? Service accounts? Secrets in code? Machine identities? Most organizations have 3-5x more privileged identities than they think.

2. Evaluate your PAM needs independent of vendor. Whether you end up with CyberArk (soon Palo Alto), Microsoft PIM, BeyondTrust, or Delinea matters less than actually having control over privileged access. Start with whatever gives you the most risk reduction.

3. Watch the integrations. When Palo Alto integrates CyberArk into Cortex XSIAM and XSOAR, it could enable identity-based response more tightly coupled with network and endpoint data. Automatic lockout of compromised accounts, secrets rotation. That could be powerful. But it's going to take 12-18 months.

The bottom line

$25 billion is a message to the entire security industry: identity is at the core of everything.

For those of us who've worked in identity security for years, this is validation. For those still treating IAM as an IT project rather than a security measure, it's a warning.

Palo Alto is betting that the security platform of the future starts with "who are you?" before it asks "what are you doing?" That's a bet I think they win.

Related Posts

AI Agents in the SOC: Hype, Reality, and What You Should Actually Do

AI agents are taking over SOC tasks in 2026. Here's what actually works, what's marketing, and how to prepare your team …

2026-02-15

OWASP Agentic AI Top 10: What It Means If You Actually Run AI Agents

OWASP published its Top 10 for AI agents. Here's what the list actually means, which risks are real, and what to do firs…

2026-02-13

73% of Security Teams Say AI Threats Are Real. Half Feel Unprepared. Now What?

73% of security teams say AI threats are real, but only half feel prepared. Here's what the Darktrace data reveals and h…

2026-02-04

About the Author

Trym Håkansson is Lead of Security Operations at Crayon, specializing in MDR, incident response, and Microsoft security platforms.

View CV LinkedIn