CyberArk at JPMorgan Conference: Identity Security Momentum

On Wednesday, 14 May 2025, CyberArk Software Ltd (NASDAQ:CYBR) participated in the 53rd Annual JPMorgan Global Technology, Media and Communications Conference. The company’s CEO, Matt Cohen, outlined CyberArk’s robust Q1 performance and strategic initiatives in identity security. While the company showed strong growth and maintained its full-year guidance, it remains cautious due to the macroeconomic environment.

Key Takeaways

• CyberArk’s Q1 performance exceeded expectations, with strong growth in net new ARR, especially in subscriptions.
• The Venafi acquisition has propelled the machine identity business, currently at $170 million ARR, with a target of $1 billion in the future.
• Strategic initiatives include AI agent security and modern Identity Governance and Administration (IGA) through the Zilla acquisition.
• The company is expanding its MSP partner program to drive growth.
• CyberArk differentiates itself from competitors by offering a security-first approach.

Financial Results

• CyberArk reported strong net new ARR growth, particularly in subscription services.
• The company surpassed all guided metrics on revenue, margin, and free cash flow.
• Despite the positive performance, CyberArk reiterated its full-year guidance without increase, citing macroeconomic caution.
• Venafi’s ARR reached approximately $170 million, with a broader goal of expanding the machine identity business to $1 billion.
• The combination of secrets and certificates contributes over $250 million in ARR.

Operational Updates

• Machine Identity: Post-Venafi acquisition, CyberArk is experiencing strong momentum, with significant industry tailwinds from changes in certificate lifespan mandates.
• AI Agents: The Secure Agenic AI solution is in development, with partnerships with Accenture and ServiceNow. Scaling is expected in 2026.
• Zilla Acquisition (Modern IGA): Early customer feedback is positive, with quick integration into SaaS and cloud environments.
• Partner and MSP Strategy: CyberArk is enhancing its partner program and scaling the MSP program to meet growing demand.

Future Outlook

• Machine Identity: The business, including certificates and secrets, aims to reach $1 billion.
• AI Agents: Proof of concepts (POCs) are ongoing, with full scaling anticipated by 2026.
• Certificates: The move towards real-time certificates and new algorithms is driven by post-quantum concerns.

Q&A Highlights

• Certificates: Emphasis on real-time certificates and replacing RSA algorithms within the NIST framework.
• AI Agents: Each agent will require unique identifiers, with a focus on dynamic certificates and anomaly monitoring.
• Competition: CyberArk is positioned as a consolidation point for security tools, differentiating itself with a comprehensive, security-first platform compared to Okta and CrowdStrike.

CyberArk’s strategic initiatives and strong Q1 performance position it well for future growth. For more details, refer to the full transcript below.

Full transcript - 53rd Annual JPMorgan Global Technology, Media and Communications Conference:

Brian Essex, Security Software Analyst, JPMorgan: All right, here we go. All right, good morning everyone. My name is Brian Essex. I’m JPMorgan’s security software analyst. Thank you for joining us this morning.

With me I have Matt Cohen, the CEO of CyberArk, and Eric Smith, their newly minted CFO. So thank you so much both of you for joining us. One thing before we get started, I do think for those listening via webcast, there’s an opportunity to answer questions online and I could take those as we go along. And then I’ll also leave ten, maybe a little more minutes at the end for any of you in the audience live that want to ask some questions. With that, again Matt, Erica, thank you for joining us.

Matt Cohen, CEO, CyberArk: Thanks for having us, Brian.

Brian Essex, Security Software Analyst, JPMorgan: A great place to start, you guys reported earnings yesterday. And I guess maybe one of the things I wanted to do is just overall kind of like recap of the results and feedback that you’ve gotten from investors after you reported.

Matt Cohen, CEO, CyberArk: Yes, sure. Maybe I’ll start. So it was a strong first quarter start to the year for us. We had really, really strong net new ARR growth across the board, especially subscription net new ARR growth. We beat all of the guided metrics on revenue, on margin, free cash flow.

And ultimately what we saw was a start to the quarter that kind of spoke to the durable demand for our part of security, identity security. And ultimately, I think what we talked a lot about with the investors and on the earnings call itself was that the threat landscape around us is evolving at such a rate that even with this macro backdrop, people understand that they need to get their identity security programs and strategy under control. It’s both human and machine, which I’m sure we’ll talk about throughout today. We saw a nice growth in our machine identity business on the back of our Venafi acquisition. And ultimately what we saw is that customers are still moving, forging ahead with their programs, and it was demonstrated in our results.

The other side is we reiterated our guidance for the year. We thought it was prudent not to take up guidance given the backdrop, but that’s based more on just conservatism than based upon anything that we’re seeing in the market.

Brian Essex, Security Software Analyst, JPMorgan: Was that just because we can kind of thing?

Matt Cohen, CEO, CyberArk: Was listen, it’s Q1. And always coming out of Q1, we have a history of being somewhat wanting to see what’s going to materialize. And then in addition, just with macro backdrop, it was like, let’s wait another ninety days and see what happens.

Brian Essex, Security Software Analyst, JPMorgan: Yeah. And on the macro, what exactly are you I mean, can’t be saying nothing, but is it that budgets are still durable and projects are just so large with long sales cycles that they’re like a freight train that just kind of keeps going? Or is it that maybe the buyers are seeing a heightened sense of urgency where the priority is kind of like moving up the stack?

Matt Cohen, CEO, CyberArk: Maybe I think it’s a little bit of both, which is when you think about so first of let’s start with what you said to begin with. Of course, they’re noticing the macros. And I go in and I talk with the C suite of most of these organizations and they’re worried about tariffs, especially if they’re in manufacturing or auto or retail. They’re worried about overall spend environment. So it’s on their mind.

But then we quickly transition to, okay, but what do we need to do from a security perspective? And as you said, identity security kind of sits at the top of where the spend would go. And so they’re not shutting down all spend. So they’re shutting down spend that’s, let’s say, below a certain line. We’re well above that line.

So then it’s back to what’s our roadmap, where were we planning on heading, and in some cases, how can we actually speed up because we can’t afford a security incident in this environment.

Brian Essex, Security Software Analyst, JPMorgan: Got it. And then maybe on the I think you mentioned machine identity and recent acquisition of Venafi. What are you seeing in terms of momentum there? I mean, if you had the acquisition and then now you’ve trained the sales force and you’re working on the channel, like where are we in that process as Venafi becomes integrated with your direct and indirect sales force and when you might start to see momentum pick up there?

Matt Cohen, CEO, CyberArk: Yeah. So we talked a lot yesterday about the momentum we’re seeing in that side of the business and actually how it’s exceeding our expectations. We’re several quarters in now, the sales teams are ramped, the partner teams are excited and really starting to position out in the market. We see kind of these industry tailwinds kicking in for we spent a little bit of time yesterday talking about this CA browser forum mandate to bring certificate lifespans down to forty seven days by 2029 with the kind of ramping down. Right now certificates, which is a core piece of the Venafi business, was well over three hundred days, the average lifespan.

And when you have thousands and thousands of certificates, if it’s a long lifespan, maybe, maybe you can maintain it with manual tools or with automated automated spreadsheets. When you start to think about having to rotate or reissue these certificates every forty days, thousands and thousands, and if one doesn’t get issued, your your your website, your applications are out. There’s an outage, And basically, you can shut down your business efficiency, your business performance. When that starts to become real for people, it becomes a strong industry tailwind for our machine identity space. And so what we’re seeing is like a dramatic increase.

I use the word dramatic on purpose. In pipeline, we saw great execution in terms of close rates in the Q1 period. And ultimately, we’re seeing the Venafi acquisition being ahead of schedule in terms of where we would like to be in terms of momentum. It

Brian Essex, Security Software Analyst, JPMorgan: was further down on my list of questions, but since you mentioned it, can we dig into that certificate business a little bit and what it means? One, how do customers manage that lifecycle process for certificates now? You mentioned maybe manually and some automated, but maybe you could help us understand what the opportunity is there and how penetrated are automated solutions for that?

Matt Cohen, CEO, CyberArk: Sure. Maybe just a layer on top of the question to help again for people who maybe are less familiar. When we talk about identity security, we talk about human and machine, and I’m sure we’ll get to we also talk about AI. But in the machine space, there are multiple types of identities. Ways in which applications, workloads, pieces of code, devices identify themselves for the ability to be able to access or authorize to get access to other machine data, to applications or systems.

The machine identity itself can be what’s called a secret. It’s like a username and a password for a machine. It can be a token, a crypto key. It can also be a certificate. Almost all machines have a certificate on them.

And the certificates get either issued by the organization or by a certificate authority. And it basically is like think about it as like your driver’s license or your passport that tells other systems who you are and what you’re granted what you’re allowed to have access to. It has an expiration on it, but that expiration can be either long or it can be short. What the industry is going towards because of security concerns, because of kind of the rate of change, is shorter and shorter lifespans for these certificates. So that means that in order to be able to keep the machines up and running, to keep them protected and secure, you need to constantly be reissuing more and more certificates.

That calls for a life cycle management process that basically can discover these certificates, rotate or reissue these certificates, and then ultimately keep those organizations safe. That’s what the Venafi offering does. It complements what CyberArk does on the secret side and the key management side. And what we what we find is that five years or so ago, only the largest organizations were really worried about this because they had tens of thousands, even hundreds of thousands of certificates. But as we start to see this lifespan come down, every organization, large and small, needs to deal with this problem.

And that brings into focus thousands and thousands, actually tens of thousands of organizations that today do not have a solution at all that can benefit from our solution. When we acquired Venafi, they were about 500 customers. We have 10,000 customers at CyberArk. All 10,000 customers are a great target for cross sell of this motion and that’s why we’re so bullish on the opportunity to be able to grow that business.

Brian Essex, Security Software Analyst, JPMorgan: And how meaningful can that business be for Venafi from revenue perspective?

Matt Cohen, CEO, CyberArk: Yeah, so it sits today at roughly 170,000,000 ARR. We think that the total machine business for us, both certificates and secrets, is a billion dollar business. And we see it as our fastest growing line. When you combine the two together, we’re well over $250,000,000 of ARR and we see it going to $1,000,000,000

Brian Essex, Security Software Analyst, JPMorgan: in the next couple of years. Got it. And then this decision by the forum to adopt these standards, when does that go into practice and how might we see that in the marketplace? I mean, mid and small sized businesses going to wait till the

Matt Cohen, CEO, CyberArk: last minute and wait till they can’t? Yeah. So, it’s basically a gradual phase out from an authority perspective. It drops to two hundred days next year, it then goes down to one hundred and something days, and then by 2029 it’s down to 40. But since it’s been set in stone, it’s basically accelerated people’s timelines.

When we were at RSA two weeks ago, it feels like a whirlwind here, the number one question at our booth, and we had a lot of booth traffic as you might imagine, was actually about this issue.

Brian Essex, Security Software Analyst, JPMorgan: Yeah, great. And then sticking with the theme of machine identity, you mentioned secrets. How does that play into Venafi and machine identity platform? Because you had the secrets business before. So does the combination look like?

Matt Cohen, CEO, CyberArk: So, it’s a synergistic combination because basically secrets just manages another machine identity type. Again, secrets is generally you’re taking the username and password or SSH keys and you’re vaulting and rotating them as a centralized policy. If you went back ten years ago, people used to hard code the secrets, the username and password into the code of the application. That’s a really bad practice. Luckily, industry has kind of gotten away from that.

But if you still use static secrets that are one time never rotated, if that application gets compromised, you’re basically opening up a giant door to your organization. And so the ability to be able to vault, rotate and policy manage secrets, username and passwords goes hand in hand with the ability to be able to rotate and reissue certificates. By the way, it goes hand in hand with a newer offering that we came out with an Impact around modern workload identity, which is kind of ephemeral or dynamic secrets. It’s a universal or unique ID that only lives for minutes or hours. And across all of that, we’re the only provider, the only the only platform that can do certificates, secrets, workload identities.

We do discovery and put it in context. We do controls. We do automate the life cycle, and we do governance. And really it’s a unique position because each one of those individual areas are often handled by tiny little point solutions, and we’re the only one who can do it all.

Brian Essex, Security Software Analyst, JPMorgan: Got it. When I think about machine identity initially, I think about a relatively simple relationship. It’s a network talking to a server or an application talking to an application, but now we’ve got the agentic horizon. And I think about something that can act like a human based on what that application is requested to do, but can scale like a machine. So how do you think about your AgenTic roadmap?

I think at Impact you highlighted a little bit, you gave us a little bit of a sneak peek around what the roadmap looks like, but maybe talk about the opportunity there and what your roadmap looks like on the AgenTic side.

Matt Cohen, CEO, CyberArk: Yeah, Brian. So you framed it up really nicely. And I think when we started down the path or the industry started down the path of AI adoption, there’s been a lot of focus on the data side of AI. How do you protect the data, data leakage, how do you put in place kind of prompt controls to protect against prompt engineering, How do you protect the LLMs? And and I think that’s an interesting space, but I think that space is pretty well covered by both existing companies and by a slew of start ups.

What’s happening now, and as a CEO, I’m focused on it for for efficiency and cost effectiveness, is the rise of of AI agents. And AI agents to basically augment or replace human use cases, human behavior, human work tasks. And the idea here is, again, just as as an agent, I’m sure you all are are familiar with it, is it goes well beyond what a traditional automation provider like an RPA bot can do because these agents are task or outcome focused and then they’re left to be autonomous. They’re left to be able to figure out the best way to go accomplish that task, just like a human. Well, when you start to think about it like that, it becomes an identity problem, not a data problem.

Where are these agents? How many are there? That’s a discovery. What do these agents actually have access to? What are their entitlements?

That’s context. How do we actually authenticate these agents when they go in and log in to go do their daily work? That’s authentication or credential management. When they’re doing their work, what happens if they do something that isn’t allowed? What happens if they elevate their privilege or elevate their entitlements?

They go into a secret system that holds your data. That’s session management. And so all aspects of an Identity security platform come to play in the agentic world. And as you said, you’re trying to to secure them as they’re humans, as they’re going about their day doing their work practices at a scale that’s even beyond the machine level scale. So it must be automated.

And our belief is that lifecycle, that circle of security is best offered by an Identity security platform. At Impact, we launched our secure Agenic AI solution. We’re working on a deep partnership with Accenture, with ServiceNow, with others out there in the market so that we can embed our platform capabilities from day one. As organizations ramp up their agentic workforce. They need to think security.

They can’t leave that behind. And it allows CEOs like myself to be able to push harder on adopting an agentic workforce because you know security is under control. I think the agentic world from a security perspective is in POC mode. I think we will see POCs throughout the course of this year. We’re working with a lot of customers around that.

I think you will see scaling start to happen in 2026. And I think you’ll see it start to impact our business model around those times as well. So it’s still a futures for sure, but it’s a futures where there’s not a company I talk to that isn’t experimenting or trying something around their ergetic architecture. Got it. That’s super helpful.

And also kind

Brian Essex, Security Software Analyst, JPMorgan: of segues into the next question is, if you’ve got privileged access and I think about the identity space where you’ve privileged access management, you’ve got governance, you’ve got Identity and Access Management. What dictates Privileged Access Management as the right platform to expand into agentic machine identity? I think you have a governance peer that’s trying to do the same. And there’s an access management, public access management peer that’s also announced an initiative to get into machine identity and agentic identity. What makes PAM and then specifically CyberArk’s platform unique in your ability to win in that space?

Matt Cohen, CEO, CyberArk: Yeah. I think it starts with organizations look for a partner or a vendor they can trust. And the trust is built on the idea of do you understand the real security challenges that our organization face. This is ultimately a CISO conversation and a CISO sale. And I think when you talk to security leaders, you understand quickly that the piece of security that got it right, that actually keeps them secure, that’s a security first mindset is PAM.

It’s it’s CyberArk. And so I think that creates a ground a foundation of trust between us and our our our our partners and our customers. I think then the question becomes really how do you put in place the controls across workforce, IT, developers, machines that have the right level of privileged controls? And then how do you layer around that access management, governance, administration. But the core of security, the heart of security is controls.

And I think that’s what CyberArk does really well. And so that puts us in in a pole position, if you will, from a trust position with our vendors, with our customers. They’re more likely to trust us to expand out from our base than trust people who kind of live on the periphery of security, either in just pure life cycle and governance or pure access, trying to come into the heart of security. And sometimes I talk about it like, you know, in this threat environment, would you would you rather, you know, in The US world, are you US, would you rather the FBI, CIA go out and do lighter security? Or would you rather the TSA be in charge of terrorism?

Like, it has to be core security at its heart in this environment, and I think that’s what puts us at the forefront.

Brian Essex, Security Software Analyst, JPMorgan: Got it. Super helpful. We touched on governance slightly, but on Zillow, you recently made an acquisition of a small governance vendor. What’s the initial feedback been and how has traction been through sales organization?

Matt Cohen, CEO, CyberArk: Yeah. I mean, you go into every acquisition and you have your thesis and you have your upside of what you’re hoping and you have your downside. And as I mentioned on Venafi, momentum continues to build and we’re in this really strong place. On Zillow, now it’s only been six weeks or eight weeks since we closed. I’m amazed by the level of conversations we’re having with customers.

They basically have spent years and lots of dollars implementing traditional IGA for their on prem heterogeneous environments. That’s in the upper end of the enterprise. In the lower end of the enterprise, they’ve avoided IGA solutions because it’s incredibly heavy, incredibly hard, time consuming and costly. And what Zillow brings is what we call modern IGA. It’s the ability to be able to stand up and integrate to modern applications and SaaS environments, your most common on prem environments, cloud environments in a incredibly quick time to value.

Think days, not months, or even years. And then the ability to be able to do user access reviews and provisioning for those environments. And what we expected is that a lot of our enterprise clients might be hesitant to even talk about it. And as you go down market, okay, we’d we’d have to do a lot of pushing of the message. What we’re actually finding is our enterprise customers and kind of across the market are pulling us into the conversation and they’re saying, yeah, we’re we’re a little stalled.

And, you know, I’m not denigrating the vendors that they have on place, but they were built for a different era. They were built for an era where it was a very static workload, a very static data center. And they’re saying, we have hundreds and hundreds, for example, of SaaS applications, and the entitlements are not understood. We’re circulating manual spreadsheets that tells everybody who has access to what in in in their ERP system or in their Workday system or in their Salesforce system. And we can stand up with Zillow, a quick modern IGA solution.

So again, incredibly early days. I would not say that it’s still six to nine months sales cycles, we’re six to eight weeks in. But the conversations have surprised me with the level of openness. And I kind of went into some of those conversations a little sheepish when I got started around like, hey, alright, I know you’ve got x, y, and z provider. And they’re engaging and saying, no, no, want to talk about this with you.

So let’s see where it plays out. I think Zillow will be a big piece of our 2026 plan. Great.

Brian Essex, Security Software Analyst, JPMorgan: And how do you think about the competitive environment there from the perspective of I mean, you’ve got public governance vendors that have built SaaS platforms. You’ve got an identity access management vendor that’s nudged their way into governance as well. Seems as though there’s just a lot of share to be had from legacy providers, your Oracles, IBMs, HPs of the world, and that’s where there’s a lot of friction. How do you perceive your go to market strategy? Is it going to be kind of displacing those legacy vendors?

Or is it going to be going head to head against some of the other kind of like public identity specialists in each of the governance and access management categories?

Matt Cohen, CEO, CyberArk: So, think day one you go in and you stand alongside whatever IGA tool they have and you basically modernize their approach, again, for SaaS applications, for modern cloud environments, and you sit side by side, I think then over time you have conversations with customers around what do they want to do around realizing their total footprint from a governance perspective. I think when you talk about a provider like SailPoint who’s embedded in a lot of these organizations, you’re not talking about trying to replace them out of the gate. That would be a silly conversation. When you mentioned the other provider you were referencing on the access side, Okta, listen, that’s head to head and we believe we have a significantly superior solution from a standpoint of how they come at it, which is at the group level, which is a very, very rudimentary way of doing governance and entitlements management. And we come in at the granular entitlements level within the actual target applications.

It’s just a more practical and more efficient approach. So I think those are two different answers. For SailPoint, you kind of sit side by side and I think we can coexist. I think for Okta for this piece of the product, it’s certainly head to head.

Brian Essex, Security Software Analyst, JPMorgan: Got it. And one more and then I’ll open it up for questions because I think at that point we’ll have like less than ten minutes left. But I wanted to ask I’ll jump ahead here and ask about your partner in MSP strategy. I think you mentioned Accenture. How is that evolving and how is that different from what you’ve kind of like worked with in the past?

Matt Cohen, CEO, CyberArk: I mean, I think we think of our partner strategy and partner program as a unique differentiator for CyberArk. The global SIs, all of them have dedicated CyberArk practices. We go to market together. We, from day one, weren’t trying to be a services provider. That was helpful in terms of building those relationships.

We have really strong reselling relationships with some of the best in the business like Optiv and GuidePoint and others. And then in addition, as you mentioned, we continue to build up and scale the MSP program, which often are standalone MSPs, but can be also the SIs or the Optivs of the world who are building out their MSP practices. And I think you see more and more of the business shifting to an MSP model because of the complexity. A lot of these organizations just kind of say, hey, this MSP, just take this off our plate. And I think you’ll see more and more of that drive growth over time.

And as those MSPs standardize on the CyberArk platform, I think that makes it so that we win anytime the MSP wins, which is what we want.

Brian Essex, Security Software Analyst, JPMorgan: Got it. With that, are there any questions from the audience? If you could do me a favor and wait for the mic and we’ve got someone running up here with that. They’ll hear the question on the webcast. Thank you.

Unidentified speaker: Two questions. First, certificates eventually will become real time. How close are we to that? And I’ve heard it articulated that that needs to happen, that’s inevitable. And then secondly, how do we think about AgenTiK AI identification?

Is there going to be a tail number for an aircraft that allows us to white list AgenTiK AIs to determine which ones are valid and which ones are nefarious or bad actors?

Matt Cohen, CEO, CyberArk: Yep. So great great questions. I think we are moving to real time on certificates. By the way, we’re moving to real time on all credentials. On the human side as well, the idea of static usernames and passwords, the idea of standing access with entitlements, all needs to move to dynamic and real time.

So I think you’re going to see it on the human side, you’re to see it the machine side, and you’re certainly going to see it on the certificate side. On the certificate side, we talk a lot about kind of post quantum and what happens then. I think that is the driving factor for, you know, kind of the ability of the need to be able to replace everything real time or even move beyond kind of traditional certificates and have dynamic certificates, which is something we’re able to do with our platform today. Our platform today can actually replace the old RSA algorithms, put in place the new algorithms as part of the NIST framework and be able to rotate that for all certificates so that you can do real time. You know, maybe it’s not every forty five days, it’s every time you you you have a crack in the algorithm.

So I think that is a real place where we’re headed over the next couple of years. And security leaders understand that. They’re preparing for today, but they’re actually thinking about tomorrow and you need a enterprise level tool like CyberArk offers. I think on the Agenix side, I I think you will see all of that come to play. And that’s why I talk about kind of discovery and context, authentication and credential management, life cycle management, compliance and governance all around the the agentic world.

For sure, each agent as it comes online is going to need a unique identifier or a unique ID. It might be in the form of a dynamic certificate, it might be in a form of a dynamic key or even in some cases it might end up ending being a crypto key. So in those cases, absolutely, there’ll be a unique identifier for every agent. There’ll be orchestrator agents that maybe live for months, years, and then there’ll be the agent farm itself that might get stood up for a minute or an hour or, you know, a a couple workdays. And all of those will need a unique identifier.

That’s why the CyberArk platform is so key because we’ll need to be able to discover them, then understand the entitlements, and then watch them. And a lot of people are missing that element. They think it’s it’s all about just authenticating the agent. It’s about watching the agent for anomalous behavior, not only if it’s a bad actor, but what happens if that agent grants itself extra privilege or extra entitlements? We need to be able to turn it off on fly.

Brian Essex, Security Software Analyst, JPMorgan: Thanks for taking questions. On the certificate life cycle management business, can you talk about who are your direct competitors today? Who are you disrupting because of their legacy offerings?

Matt Cohen, CEO, CyberArk: Yes, sure. It’s an interesting market because if you followed the Venafi business for years, everybody always thought they were about to break out. And it’s like fifteen years and they’re about to break out because they were the leader by far. And there really wasn’t any breakout moment because I think it wasn’t the moment yet. It wasn’t the moment yet where the forces around us were driving the need for this enterprise grade enterprise level solution.

So they lived in the upper end of the enterprise. I think what you and because of that, there wasn’t this large emergence of of competition. You know, there’s a few privately owned companies. There’s a company called Keyfactor. There’s a smaller company AppViewX.

And they kind of compete in the standalone certificate lifecycle management business. Some of the certificate authority providers have really lightweight lifecycle management. Think of it like basic use cases. Sometimes people will build an automated system with ServiceNow or or Microsoft, but none of that really speaks to the scale and the enterprise grade that’s required. None of that integrates with secrets and other form of machine identity types, and none of it is built into a platform that also integrates back to the human side, which we haven’t talked much about today, but also is sitting on our platform.

And so in this market at the moment, we believe that the competitive thrust is less than just going in and helping people understand the why now to act, whereas it’s obviously more competitive on the human side.

Brian Essex, Security Software Analyst, JPMorgan: I’ll leave one in back.

Unidentified speaker: Good morning. Thank you for taking the question. Two part question. First is, could you maybe elaborate on why your moat is better than Okta and some of the other players you mentioned? Maybe help us understand the architecture.

And secondly, an average organization has over 80 sort of vendors, and there’s so much innovation in this space. Maybe help us understand how should we get comfortable given the landscape is changing so much that somebody else would not come and perhaps disrupt you? Thank you.

Matt Cohen, CEO, CyberArk: Yes. So let me answer the second part first. I think what security teams and CSOs are looking for and it’s not actually overplayed, it’s actually not talked enough is consolidation, not more fragmentation. And they’re looking to figure out how to bring tools together onto common platforms. No CSO is looking for one platform for everything, but they’re looking to drive common platforms around identity, around cloud, around, you know, kind of next gen firewall and around identity.

And so within identity, think you’re gonna see more coming together than people launching out to other tools. I think also when you look at all the any of you who were at RSA or you walked around, you heard about it, all these little tools solving little use cases are features, not companies. And I don’t think that organizations, especially enterprises, are going to trust their security strategy to companies that may or may not be there in years to come. So I think as you look at the that that outline, you see them trying to consolidate and certainly they’re gonna consolidate to one of the bigger platforms. Then going back, that brings you back to the first part of the question which is, okay, well, what is our differentiation, for example, versus Okta?

Alright. So on the access side, their bread and butter, workforce access, customer access. You know, I think at that at that in that stage, access itself, single sign on multifactor authentication, it’s kind of become a commodity. Like, that’s the the little secret in the industry is if you’re just trying to do SSOMFA, to be honest, if that’s all you’re trying to do, you’re probably gonna do that with Microsoft because you’re gonna get it for free and you’re gonna scale the business that way. So what is our differentiation versus Okta or Microsoft is our ability to layer security controls like secure web sessions, secure password management, greater greater levels of privileged controls on top of SSO, on top of core access components.

And that’s where we try to differentiate from Okta or from Microsoft. In that case, we are clearly fighting from the behind, meaning we are not at the scale of Okta or Microsoft for core workforce workforce access. But when this mindset buyer is security minded and really wants to integrate security back to a platform, that’s where we win. If you take the governance side, the IGA, modern IGA side, that’s what I was referencing to Brian, where their new product that they brought out, their OIC or OIG product, it sits with a mindset coming from an access perspective. It thinks about governance in terms of groups and roles, which is what you normally find in a directory.

We don’t believe that actually that’s the right approach to governance. We want to live at the actual individual entitlements layer that sits in the end application, not in the directory itself. That’s what differentiates us there. And then on core PAM, I don’t think I really need to explain that, but what they’re doing in PAM is one of those sliver use cases. It doesn’t cover the full PAM landscape.

Brian Essex, Security Software Analyst, JPMorgan: Sorry, we

Imran, Unidentified speaker: Thanks, Imran. So can I actually flip the question? What about bigger companies like CrowdStrike? They are competing with you because they have a bigger platform, bigger distribution, and can buy the smaller guys and compete with you. Forgive me for asking this question because I heard from another company, that a lot of times people view you that you are more of a single point of so how do you compete with the platforms?

Matt Cohen, CEO, CyberArk: Sure. So I I think the the last piece, go comb through our results and you’ll see that actually our business is growing across all parts of our platform. While there’s still healthy gross growth in PAM, which is what people know us for, the other product suites from endpoint to access to machine is growing at a significantly higher rate, and our deals are are actually multiproduct, multisolution. In fact, our nine of our top 10 deals were across human and machine last quarter. So I think the results kinda show how people are buying from us as a platform and and that’s versus certainly, you know, the others who are competing in our direct space.

When you bring in a CrowdStrike, I have a lot of respect for CrowdStrike. I think they are a phenomenal security company. I I think they have a great go to market engine. But the way they think about identity, the way they’re talking about identity is from the endpoint and from the point of view of the SOC. And so that’s a different organization and it’s a different approach and it’s never gonna cover the kind of standing policy and standing authority and architecture that you need in order to be managing identity across an enterprise of 20 or 30,000 people.

CrowdStrike’s PAM solution that they launched is a sliver solution that basically allows you to look at what happened on the endpoint and grant access or or not access to small targets like Entra and AD in that area. That’s not how you run an access strategy or an identity strategy for an enterprise grade company. And so it’s a nice, again, feature add to their EDR or endpoint platform, excuse me, but it’s not going to solve an identity security problem.

Brian Essex, Security Software Analyst, JPMorgan: Great. Thanks, Imran. With that, I think we’re out of time. So thank you, Matt, Erica and thank you all for joining us.

This article was generated with the support of AI and reviewed by an editor. For more information see our T&C.