Ross Haleliuk challenges a prevailing narrative in cybersecurity with a counterintuitive thesis: the $25 billion acquisition of CyberArk by Palo Alto Networks isn't a bet on dying technology, but a strategic pivot to a rapidly evolving necessity. While many industry voices dismissed the deal as overpaying for legacy infrastructure, Haleliuk argues that Privileged Access Management (PAM) is not dead; it is undergoing a fundamental transformation from a simple password vault to a critical orchestration layer for cloud-native and agentic systems. For leaders navigating the shift to automated workloads, this distinction is the difference between buying obsolete software and securing the future of their digital estate.
The Strategic Imperative
The core of Haleliuk's argument rests on the idea that Palo Alto Networks needed a specific type of entry into the identity market—one that a smaller startup could not provide. He notes that while the company has successfully acquired modern startups in the $200 million to $600 million range, "Identity is not so simple. Since they did not have any presence so far, a smaller identity startup acquisition would likely not have been successful." The logic here is sound: without an established brand and a massive existing customer base, a niche tool would struggle to gain traction in a crowded identity space. Haleliuk suggests that Palo Alto needed a "beachhead and a brand, more than a technology," which explains the premium paid for an established leader like CyberArk.
This reframing of the acquisition as a necessary consolidation rather than a desperate gamble is compelling. It shifts the focus from the price tag to the strategic gap being filled. As Haleliuk writes, "PANW's GTM targets CISO, and so, an IAM play was never a good fit for their strategy. However, PAM and IGA do fall under the CISO's budget, so, to fill their gap in identity, it was always more likely that PANW would acquire either an IGA or a PAM company." This observation highlights a crucial nuance in how security budgets are allocated, suggesting that the deal was inevitable given the specific financial and organizational structures of the industry.
Critics might argue that paying 25 times revenue for a "legacy" category is still a risky bet, regardless of the strategic fit. However, Haleliuk's analysis of the market dynamics suggests that the alternative—trying to build this capability from scratch or buy a smaller, unproven player—would have been far more costly in terms of time and market share.
The Evolution of Access
To understand why the deal makes sense, Haleliuk takes the reader on a historical tour of how access control has changed. He breaks PAM down into three distinct phases, arguing that the technology has adapted to every major shift in infrastructure. In the early 2000s, the focus was on "vault-led PAM," where the primary goal was securing static passwords for physical servers. Haleliuk explains that "The obvious answer was the enterprise equivalent of a password manager, or a vault," which solved the problem of shared credentials in a relatively static environment.
"The hard problem was authorization. Privileged access meant controlling entitlements: who can do what, where, and for how long."
As the industry moved to the cloud, the model shifted to "bastion-led PAM," using gateways to proxy access. But Haleliuk points out that this model broke down when the nature of privileged actions moved from network connections to API calls. The real breakthrough, he argues, is the current phase: "API-first, Identity-native PAM." This modern approach delegates authentication to identity providers and uses cloud-native APIs to grant and revoke privileges dynamically. Haleliuk emphasizes that "Identity-native PAM is fully backward-compatible with the previous generations of PAM," meaning it can handle both old-school server access and modern cloud API calls.
This historical context is vital because it dismantles the idea that PAM is a static, dying market. Instead, Haleliuk presents it as a discipline that has successfully reinvented itself three times. He writes, "In an age of cloud-native developments and agentic applications, PAM has never been more relevant." This is a powerful claim, especially as organizations grapple with the rise of non-human identities like AI agents and automated pipelines that require their own governance.
The Future of Non-Human Identity
Perhaps the most forward-looking part of Haleliuk's commentary is his focus on non-human identities. He notes that "privileged actions themselves... were no longer limited to human users. Non-human identities, including workloads and CI/CD pipelines... could delete databases, grant administrator rights, or alter storage policies." This is a critical insight for modern security leaders. As automation accelerates, machine identities often outnumber human users, creating a massive new attack surface that traditional tools were never designed to handle.
Haleliuk argues that the new PAM solutions are designed specifically to manage this complexity. "Privilege is provisioned via native CSP APIs: An engineer requests a privileged role for a specific task... PAM checks policy and context, optionally requiring human approval. PAM calls the platform API to grant the role, scoped and time-bound." This level of granularity and automation is what justifies the massive investment, according to Haleliuk. He suggests that the market is moving toward a future where "every privileged access should be short-lived, least privileged, and auditable," and that only a platform with the scale of Palo Alto Networks can deliver this at an enterprise level.
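The request, policy check, optional approval and time-bound grant flow quoted above, as an added sketch that is not taken from Haleliuk's article or from any vendor's product. `FakeCloudIAM` is a hypothetical in-memory stand-in for a cloud provider's role-binding API, and the policy table, role names and principals are constructed for illustration.

```python
import time
from dataclasses import dataclass, field

# Constructed policy: role -> max TTL (seconds), approval requirement, allowed requester kinds
POLICY = {
    "db-readonly": {"max_ttl": 3600, "approval": False, "kinds": {"human", "workload"}},
    "db-admin":    {"max_ttl": 900,  "approval": True,  "kinds": {"human"}},
}

@dataclass
class FakeCloudIAM:
    """Stand-in for a provider's role-binding API (hypothetical, in-memory)."""
    bindings: dict = field(default_factory=dict)  # (principal, role, resource) -> expiry

    def grant(self, principal, role, resource, expires_at):
        self.bindings[(principal, role, resource)] = expires_at
    def revoke(self, principal, role, resource):
        self.bindings.pop((principal, role, resource), None)

@dataclass
class JitBroker:
    iam: FakeCloudIAM
    audit: list = field(default_factory=list)

    def request(self, principal, kind, role, resource, ttl, approver=None, now=None):
        now = time.time() if now is None else now
        rule = POLICY.get(role)
        if rule is None or kind not in rule["kinds"]:
            return self._log(now, principal, role, resource, "denied:policy")
        if ttl > rule["max_ttl"]:
            return self._log(now, principal, role, resource, "denied:ttl")
        # Approval must come from someone other than the requester.
        if rule["approval"] and (approver is None or approver == principal):
            return self._log(now, principal, role, resource, "denied:approval")
        self.iam.grant(principal, role, resource, now + ttl)
        return self._log(now, principal, role, resource, "granted")

    def sweep(self, now=None):
        """Revoke every binding whose time window has passed."""
        now = time.time() if now is None else now
        expired = [k for k, exp in self.iam.bindings.items() if exp <= now]
        for key in expired:
            self.iam.revoke(*key)
            self._log(now, *key, "revoked:expired")
        return len(expired)

    def _log(self, now, principal, role, resource, outcome):
        self.audit.append((now, principal, role, resource, outcome))
        return outcome
```

Every decision, including denials and expiry revocations, lands in `audit`, which is the "auditable" half of the short-lived, least-privileged, auditable requirement.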
A counterargument worth considering is whether a single mega-platform can truly integrate these diverse technologies without creating vendor lock-in or complexity. Haleliuk acknowledges the challenge of "platformization" but suggests that the alternative—fragmented best-of-breed tools—is no longer viable in a cloud-native world. The integration of PAM into a broader security platform may be the only way to manage the sheer volume of identities and permissions in modern enterprises.
Bottom Line
Ross Haleliuk's analysis successfully reframes a controversial acquisition as a logical evolution of a critical security discipline, moving the conversation from "legacy tech" to "future-proof infrastructure." The strongest part of his argument is the detailed historical breakdown showing how PAM has consistently adapted to new technological paradigms, proving its resilience. However, the piece leaves the reader with a lingering question: can a single vendor truly master the rapid pace of cloud-native identity management without stifling innovation? As the industry watches this deal unfold, the true test will be whether the new platform can deliver on the promise of seamless, identity-native security for both humans and machines.