Palo Alto Networks Acquiring CyberArk: Offense or Defense?
It's boring, and it only makes sense as a means to an end
Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.
I’ve intentionally made all of my posts free and without a paywall so that my content is more accessible. If you enjoy my content and would like to support me, please consider buying a paid subscription:
It couldn’t have been more perfect timing. Last week, I wrote about a wave of M&A activity and rumors in security. Just hours later, my LinkedIn feed and post’s comments lit up with the news: Palo Alto Networks is acquiring CyberArk.
Ironically, I had just mentioned rumors of Palo Alto Networks acquiring SentinelOne as a way to bolster endpoint visibility. That would have made sense. Palo Alto has been primarily a cloud security company, and better endpoint telemetry would strengthen its position.
But instead of moving deeper into detection, Palo Alto went in a different direction: CyberArk and identity.
Quick Overview of CyberArk
I haven’t written about CyberArk before, but it’s been around for a long time. It started in the privileged access management (PAM) space, focused on securing administrator access, often the starting point of an attack chain. Back then, it sold boxes and one-time licenses.
In recent years, CyberArk has shifted to SaaS and recurring revenue, while expanding its footprint through acquisitions like Venafi, for machine identity management (certs, keys), and Zilla Security, for identity governance and administration (IGA)
These moves have pushed CyberArk into overlapping territory with Okta and SailPoint. It’s a natural evolution. PAM alone doesn’t support a large, durable company anymore.
To stay relevant, CyberArk has built out “modern” zero-trust capabilities for cloud-native environments: certificate-based access for SSH, Kubernetes, and machine identities. It’s more of an enterprise-heavy approach to what companies like Teleport and StrongDM are doing.
So, why CyberArk?
On one hand, the acquisition makes sense. Palo Alto started as a firewall company, where its roots are in perimeter security. In the cloud-native world, identity is the new perimeter. Acquiring CyberArk aligns with that evolution.
But I’m still surprised by the move, not because it’s irrational, but because it feels oddly conservative for a company that’s been so aggressive and forward-looking in cloud (and with acquisitions).
When Palo Alto missed the cloud security boom, it made a string of bold acquisitions to catch up. It bought startups and emerging players to quickly build a platform. And it worked because they’re now a legitimate cloud security leader.
This CyberArk deal feels… different. Identity is a mature market. Growth isn’t explosive, and CyberArk itself is in the middle of modernizing its offerings. This feels less like a cloud play and more like a bet on stability. Which makes it harder to justify unless there’s something more strategic behind it. I’ve written in the past about how I believe Palo Alto Networks will survive or fail in the upcoming years. I still stand by that reasoning.
I’ve written before that the developer persona is becoming one of the most important security stakeholders, just as DevOps fueled the last wave of cloud security, developers are now at the center of the next one. This thesis is playing out in unexpected ways: tools like Cursor are making it normal to spin up code from a Linear ticket as the way to increase developer velocity. It’s vibe coding, but it’s also introducing new risks that traditional security models aren’t built for.
As a result, we’re seeing more companies look for security leaders with strong engineering backgrounds, i.e., people who can build, integrate, and scale security in ways that don’t slow teams down. This is a new pattern. And it’s not surprising: security has often been reactive, while AI is speeding everything up. You can’t keep up with velocity unless you’re building, too. That’s also why I think cloud security companies like Palo Alto Networks with struggle with AI.
This is why I’m surprised that Palo Alto Networks isn’t playing more offense, but in my mind, there are three potential reasons behind the acquisition.
Reason 1: A Platform Move to Strengthen SIEM and Identity Coverage
This is the most obvious explanation. Identity is now the core of most attacks, and Palo Alto’s SIEM platform would benefit from tighter identity data. CyberArk could enrich attack timelines, improve attribution, and give them a stronger foothold in enterprise security operations.
It’s a tidy narrative. Identity data helps make Cortex/XSIAM more powerful. CyberArk’s customer base overlaps nicely. The integration story is plausible.
But this is the explanation I like the least. It pits Palo Alto directly against hardened incumbents like Okta, where GTM and market leadership are expensive battles. It’s not clear they’ll win that fight. More importantly, if Palo Alto’s goal was to strengthen its SIEM, I’d expect them to pursue something more forward-looking, like acquiring better AI tooling or detection workflows. Protect AI was a start, but they haven’t yet made a big splash in AI security. If identity is the “new perimeter,” this move is late and reactive.
On top of that, the biggest cloud security player has already been taken out of the picture by Google. Sure, Google has a SIEM and some identity offering along with an IR service, Mandiant. But their offerings are pretty far behind, and Google doesn’t have a strong track record of being successful in the enterprise. This gives Palo Alto Networks market strength that they are now risking with this acquisition.
Reason 2: A Defensive Acquisition to Boost Growth
This explanation feels more realistic. It’s possible that Palo Alto needed to do a deal. Maybe SentinelOne didn’t work out, or maybe Okta didn’t want to be acquired. I’m not surprised if they talked to a bunch of companies. Their firewall business is slowing, and the growth in cloud security is slowing too. They’re looking for inorganic ways to sustain growth.
CyberArk checks a few boxes: recurring revenue, enterprise customer overlap, relatively easy to integrate, and not outrageously valued
In this view, the acquisition isn’t about vision but about using their cash flow effectively. Instead of letting shareholders pressure them for dividends or buybacks, Palo Alto is buying something “safe” to feed the platform and appease investors.
It makes sense mechanically, but not strategically. Identity isn’t high-growth. And CyberArk is itself undergoing a transformation, not leading one. This feels more like a hedge than a bet.
Reason 3: A Cash Flow Engine to Fuel Future AI Acquisitions
The first two reasons were focused on this being a defensive move for Palo Alto Networks, and it focused on the acquisition being the end goal to boost its own growth. This reason is the most generous interpretation and maybe the most interesting.
What if this isn’t the play, but the prelude? Private equity firms like Vista and Thoma Bravo have long used the “acquire and consolidate” strategy to boost margins and redeploy capital. If Palo Alto can drive efficiency at CyberArk by consolidating GTM, cutting redundant spend, it can improve cash flow. That cash could then fund acquisitions in newer, AI-native security companies or companies with AI capabilities.
If that’s the game, it makes more sense. CyberArk becomes a steady cash machine. Palo Alto can pay premiums for high-growth, high-multiple AI companies, and as a result, like with cloud security, they can acquire their way to a more complete, future-ready platform
It would explain why they’re choosing a legacy player now. Still, that path is risky. It turns Palo Alto from a tech company into something closer to a security-focused holding company. That’s a big shift and one that requires operational excellence. We won’t know, but this would be the best reason I like the most for acquiring CyberArk. This isn’t surprising given that the current CEO, Nikesh Arora, came from SoftBank.
Final Thoughts
Palo Alto Networks has executed incredibly well in the past. But this deal feels more defensive than their earlier cloud acquisitions. It lacks the same urgency or narrative. In an era where AI is forcing security to evolve quickly, I expected Palo Alto to be offensive, not buy something safe.
To be fair, identity matters. But I’m not convinced this is the boldest way to address that. CyberArk is still modernizing. The market is mature, and the real shift in security is happening elsewhere.
Developers are already influencing more of the stack. AI is increasing the speed and scope of change. Companies like Cursor are betting on this shift with security built for engineering teams. More startups are pushing toward integrated, proactive defenses. If anything, I expected Palo Alto to learn from its cloud security moves, i.e., it would lead, not catch up.
Maybe CyberArk is a bridge to something bigger, but if not, this feels more like a pause than a pivot.