Palo Alto Networks is making what could be its biggest bet yet by agreeing to buy Israeli identity security company CyberArk for around $25 billion. The companies announced they had reached an agreement on Wednesday.
The deal will mark a seismic shift for an industry that’s been consolidating at breakneck speed. More importantly for security chiefs, it signals that the days of managing dozens of different security tools are numbered.
Why Palo Alto is breaking its own rules
Here’s what makes this deal fascinating: Palo Alto Networks has spent years deliberately avoiding the identity management business. And for good reason — asking customers to rip out and replace their identity systems is like asking them to rewire their entire digital nervous system.
“Palo Alto avoided identity management for years because of its deep integration demands,” said Akshat Tyagi, associate practice leader at HFS Research. “Unlike firewalls or endpoint tools, identity systems tie into HR databases, cloud platforms, legacy infrastructure, and application access layers, making them complex to deploy and harder to monetize at scale.”
But that’s exactly what CEO Nikesh Arora is now willing to tackle with this massive acquisition, as he explained in a letter to shareholders on Wednesday. The math is simple: if you can’t beat the complexity, buy the company that’s already solved it.
CyberArk isn’t just any identity company. It’s become the go-to choice for organizations trying to manage “identity sprawl” — the explosion of digital identities that need protection. According to CrowdStrike research, machine identities now outnumber human identities by 45 to 1, with CyberArk’s own 2025 research showing 79% of organizations expect machine identities to spike by as much as 150%.
The identity crisis driving this deal
Walk into any CISO’s office these days, and they’ll tell you the same story: hackers don’t need to break down the front door anymore. They just steal legitimate credentials and walk right in.
“Today, most breaches originate not from malware or misconfigured ports but from stolen or misused credentials,” Tyagi noted. “Attackers gain access by impersonating users, escalating privileges, and pivoting through cloud and on-premise environments using real-looking identities.”
CyberArk has positioned itself at the center of this challenge, generating over $1 billion in revenue in 2024 — a 33% year-over-year increase — by expanding beyond traditional privileged access management through strategic acquisitions, including Venafi ($1.54 billion) for machine identity management and Zilla ($165 million) for identity governance.
Will the integration work?
“If integration happens effectively, focusing on security posture improvement, ensuring consolidated interfaces, operational optimization, intel event sharing, and proactive identification of threats, it will be a great story,” said Sunil Varkey, advisor at Beagle Security.
That’s the optimistic view. But cybersecurity acquisitions have a mixed track record at best. Under Arora’s leadership, Palo Alto has been buying companies left and right, trying to build what he calls a “cybersecurity supermarket.”
But this CyberArk deal is different. At $25 billion, it’s roughly 25 times larger than Palo Alto’s typical acquisitions. And identity management isn’t just another security tool. It’s foundational infrastructure that touches every corner of an organization.
“But if this is purely to capture market share or to improve revenue share or lock in of customers, it will be a bad chapter,” Varkey cautioned. “It may not be so easy considering different cultures, stakeholder segments, and sub-domains.”
The consolidation wave
“Security buyers increasingly seek end-to-end platforms that offer integration, visibility, and faster response across cloud, identity, and endpoints,” said Tyagi. “The emerging ‘cybersecurity superpowers’ are expanding their capabilities and positioning themselves as core layers of enterprise infrastructure.”
This deal marks cybersecurity’s second-largest transaction this year, following Google’s $32 billion Wiz acquisition. Together, these mega-deals suggest the industry is moving toward comprehensive platform providers rather than specialized point solutions.
“Many will face challenges in maintaining relevance as customer budgets shift toward consolidated contracts and larger platforms that promise unified management and lower operational overhead,” Tyagi warned regarding mid-tier cybersecurity vendors.
If you’re running security for a mid-sized company, this should grab your attention. The cybersecurity industry is rapidly splitting into two camps: massive platform providers like Palo Alto and specialized niche players fighting for scraps.
However, the consolidation trend brings risks. “Buyers will need to pay closer attention to how their security architectures evolve,” Tyagi cautioned. “Maintaining flexibility through modular designs, setting clear exit terms, and avoiding complete dependence on a single ecosystem will be critical to preserving long-term agility and control.”
The bigger picture
Strip away the financial details, and this deal is really about one thing: the recognition that identity security isn’t a nice-to-have anymore—it’s table stakes for any organization serious about protecting itself.
The old model of building walls around networks and hoping for the best is dead. The new model requires knowing exactly who and what is inside your systems at all times, and having the tools to respond instantly when something looks wrong.
Whether Palo Alto can successfully integrate CyberArk’s capabilities remains to be seen. But one thing is clear: the company is betting its future on the idea that customers want comprehensive security platforms, not collections of individual tools.