CyberArk and Palo Alto Networks: what the acquisition means for IAM

TL;DR: Palo Alto Networks intends to acquire the company in a cash-and-stock transaction valued at about $25 billion, alongside quarterly results showing $1.274 billion in ARR and $328 million in revenue, according to CyberArk; the consolidation signals that identity security, including human, machine and AI identities, is moving deeper into platform strategy and will force practitioners to re-evaluate tooling, governance scope and vendor dependency.

NHIMG editorial — based on content published by CyberArk: second quarter 2025 results and the proposed Palo Alto Networks acquisition

By the numbers:

• Annual Recurring Revenue (ARR) was $1.274 billion, an increase of 47 percent from $868 million at June 30, 2024.
• Total revenue was $328.0 million in the second quarter of 2025, up 46 percent from $224.7 million in the second quarter of 2024.
• The Subscription portion of ARR was $1.088 billion, or 85 percent of total ARR at June 30, 2025.

Questions worth separating out

Q: Should identity teams re-evaluate their NHI and AI governance after a major platform acquisition?

A: Yes. A major acquisition can change product boundaries, roadmap priorities and the place where policy enforcement lives. Teams should check whether human IAM, NHI governance and AI delegation are still separately observable, independently controllable and auditable after the transaction. If those properties weaken, governance quality can decline even when the headline platform looks broader.

Q: Why does platform consolidation matter for machine identity governance?

A: Because machine identity controls depend on continuous lifecycle handling, not just authentication.

Q: How should organisations decide whether to keep specialist identity tooling after consolidation?

A: They should test whether a specialist tool still provides unique control depth, independent telemetry and lifecycle precision that a platform bundle cannot reproduce.

Practitioner guidance

• Reassess control ownership after platform consolidation Map which identity controls remain independently governed if identity security is absorbed into a larger platform.
• Separate human, NHI and AI identity semantics Document where workforce access, service account governance and AI delegation use different entitlement rules, review cadences and escalation paths.
• Test for identity blast-radius expansion Model how far a failure in one identity domain could propagate if controls are consolidated under a single vendor or platform.

What's in the full analysis

CyberArk's full article covers the financial and transaction detail this post intentionally leaves at the strategic level:

• Quarterly revenue, ARR and cash flow line items for the second quarter of 2025
• Transaction terms for the proposed Palo Alto Networks acquisition and the approval process
• Management commentary on subscription mix, recurring revenue and the business model shift
• Investor-relations detail on how the company reclassified revenue lines and reported non-GAAP measures

👉 Read CyberArk's quarter update and acquisition announcement →

CyberArk and Palo Alto Networks: what the acquisition means for IAM?

Explore further

View Full Forum →  |  NHI Foundation Course →