← Back to Library

PAM is not dead, it’s evolving

By Ross Haleliuk · Venture in Security · · 15 min read

This week, I am publishing a contributed article from a friend, Shashwat Sehgal, an identity and cloud security expert best known for his security startup, P0 Security. In this piece, Shashwat is synthesing his lived experience from talking to 500+ companies using and buying PAM over the last few years. I asked Shashwat to share his thoughts about PAM following Palo Alto's acquisition of CyberArk.

Unless you are living under a rock, if you work in cybersecurity, you are aware of Palo Alto Networks’ acquisition of CyberArk, announced in late July 2025. This announcement predictably sparked a flurry of debate, with many leading voices voicing pessimism about the deal, saying “PAM is dead. Why is Palo Alto wasting $25B on a dying architecture?"

In this article, I’ll argue that the reality is the exact opposite. In an age of cloud-native developments and agentic applications, PAM has never been more relevant. And PANW’s move is the logical next step of the “platformization” strategy that Nikesh Arora set in motion a few years ago. Let’s start by analyzing PANW’s strategy, and why this move made so much sense for them.

Palo Alto Networks, and their strategy of platformization

As Ross and I argued in a previous piece on platform evolution, no cybersecurity company starts off as a platform. Instead, they earn the title by evolving and growing alongside their environment. Both CyberArk and PANW are prime examples in their own right.

CyberArk created the PAM category in the early 2000s. Its first product was their enterprise vault, and by the 2020s, it emerged as the clear leader in PAM, with ~40% of the market share. Lately, it began expanding to become a platform for “workforce identity” security, with its moves in IGA (acquisition of Zilla Security in 2025), as well as IAM (acquisition of Idaptive in 2020).

Palo Alto Networks, meanwhile, has been executing on a “mega-platform” strategy, aiming to span all the big rocks of cybersecurity. Identity was their one missing piece. Nikesh has been vocal in the past that PANW was not an identity company. But he likely meant that they were not an “IAM”, or “Identity Management” company, since IAM tools are usually (though not always) sold to IAM teams that report to CIOs. PANW’s GTM targets CISO, and so, an IAM play was never a good fit for their strategy.

However, PAM and IGA do fall

...
Read full article on Venture in Security →

This excerpt is provided for preview purposes. Full article content is available on the original publication.