Introduction
When most security professionals hear “CyberArk,” they think Privileged Access Management. But CyberArk has evolved far beyond vaulting human credentials. With CyberArk Secrets Manager, the company now tackles one of the fastest-growing attack surfaces in modern security: machine identities and non-human secrets.
From hardcoded API keys in source code to service account passwords rotated manually (or never), the secrets sprawl problem is real. CyberArk Secrets Manager is built to solve it, specifically for DevOps pipelines, Kubernetes workloads, and enterprise environments already running CyberArk’s PAM suite.
In this CyberSecurityO deep-dive, we review everything: architecture, features, pricing, integration, and whether it truly delivers on its DevSecOps promise.
Company Overview
CyberArk was founded in 1999 in Newton, Massachusetts (with R&D in Israel). It is the global leader in PAM (Privileged Access Management) and has expanded its platform to cover the full identity security spectrum.
Key milestones:
- 1999: Founded, focused on privileged account vaulting
- 2014: IPO on NASDAQ (CYBR)
- 2022: Acquired Conjur (open-source secrets management), now the engine behind CyberArk Secrets Manager
- 2023: Acquired Venafi (machine identity management) for $1.54 billion
- 2024: Rebranded entire portfolio under the CyberArk Identity Security Platform
CyberArk serves 8,000+ customers, including the majority of the Fortune 500. The Secrets Manager product is part of their broader Workforce and Machine Identity security offerings.
What Is CyberArk Secrets Manager?
CyberArk Secrets Manager (formerly Conjur Cloud / Conjur Enterprise) is a secrets management solution purpose-built for machine and application identities. It enables:
- Secure storage and retrieval of secrets by applications, scripts, and pipelines
- Dynamic, short-lived credential issuance
- Centralized secrets governance with full audit trail
- Integration with DevOps toolchains (Jenkins, GitHub, GitLab, Kubernetes, Terraform)
Unlike CyberArk’s traditional PAM Vault (for human privileged users), Secrets Manager is designed for the non-human identity (NHI) world, where workloads, containers, and CI/CD pipelines need to authenticate and access secrets programmatically.
Key Features
1. Conjur-Based Secrets Engine
The underlying engine (based on Conjur Open Source) provides role-based access to secrets via policy-as-code. Policies define what identities can access which secrets.
2. Secrets Hub
CyberArk Secrets Hub allows organizations to sync secrets from CyberArk’s central vault to native cloud stores (AWS Secrets Manager, Azure Key Vault), bridging enterprise governance with cloud-native developer workflows.
3. Credential Providers
For non-containerized workloads, the Central Credential Provider (CCP) allows applications to retrieve secrets via REST API without storing credentials locally.
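The CCP retrieval pattern described above, as an added example that is not CyberArk's own code. It assumes the documented CCP endpoint path (`/AIMWebService/api/Accounts` with `AppID`, `Safe`, `Object` and optional `Reason` query parameters), mutual-TLS client authentication, and a JSON reply carrying `Content`, `UserName` and `Address`; the error-field names (`ErrorCode`, `ErrorMsg`), the hostnames and the sample replies are assumptions constructed for the example. The secret never touches disk, and the credential object masks its own value so it cannot leak through logs or tracebacks.

```python
"""Retrieve a credential from the CyberArk Central Credential Provider (CCP).

Added example, not CyberArk's code. Endpoint path and the success fields
follow the CCP REST documentation; the error field names and sample
replies below are constructed assumptions.
"""
import json
import ssl
import urllib.parse
import urllib.request
from dataclasses import dataclass


@dataclass(frozen=True)
class Credential:
    username: str
    secret: str
    address: str

    def __repr__(self) -> str:
        # Mask the value so logging or a traceback never prints the secret.
        return f"Credential(username={self.username!r}, address={self.address!r}, secret='***')"


class CCPError(RuntimeError):
    """Raised when CCP refuses the request or returns a malformed reply."""


def build_ccp_url(base_url: str, app_id: str, safe: str, obj: str, reason: str = "") -> str:
    """Build the CCP query URL. Every parameter is URL-encoded so an object
    name containing '&' or '=' cannot alter the query."""
    params = {"AppID": app_id, "Safe": safe, "Object": obj}
    if reason:
        params["Reason"] = reason  # recorded in the CyberArk audit trail
    return f"{base_url.rstrip('/')}/AIMWebService/api/Accounts?{urllib.parse.urlencode(params)}"


def parse_ccp_response(body: bytes) -> Credential:
    """Turn the JSON reply into a Credential, surfacing CCP errors explicitly."""
    data = json.loads(body)
    if "ErrorCode" in data:  # assumed error shape, see module docstring
        raise CCPError(f"{data['ErrorCode']}: {data.get('ErrorMsg', '')}")
    for field in ("Content", "UserName"):
        if field not in data:
            raise CCPError(f"malformed CCP reply: missing {field}")
    return Credential(username=data["UserName"], secret=data["Content"], address=data.get("Address", ""))


def fetch_credential(base_url: str, app_id: str, safe: str, obj: str,
                     cert_path: str, key_path: str, ca_path: str,
                     reason: str = "", timeout: float = 5.0) -> Credential:
    """Call CCP over mutual TLS. The secret lives only in process memory."""
    ctx = ssl.create_default_context(cafile=ca_path)  # trust only the CyberArk CA, keep hostname checks
    ctx.load_cert_chain(cert_path, key_path)          # the application's client certificate
    url = build_ccp_url(base_url, app_id, safe, obj, reason)
    with urllib.request.urlopen(urllib.request.Request(url), context=ctx, timeout=timeout) as resp:
        return parse_ccp_response(resp.read())


# Constructed sample replies for offline use; not captured from a real CCP.
SAMPLE_OK = b'{"Content":"s3cr3t","UserName":"svc_billing","Address":"db01.example.internal","Safe":"Billing"}'
SAMPLE_ERR = b'{"ErrorCode":"PLACEHOLDER-CODE","ErrorMsg":"Application [billing-app] is not authorized"}'

if __name__ == "__main__":
    cred = parse_ccp_response(SAMPLE_OK)
    print(cred)  # the repr masks the secret
```

In production the application identity is the client certificate plus the CCP application's allowed-machines list; the `Reason` parameter is optional but worth setting because it ends up in the unified audit trail discussed later on this page.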
4. Kubernetes Integration
Secrets Manager integrates with Kubernetes through:
- Secrets Provider (init/sidecar container that injects secrets)
- External Secrets Operator support
- Vault-style secret injection patterns
5. Dynamic Access
Applications receive time-limited credentials for databases, cloud providers, and APIs. CyberArk dynamically provisions and rotates these credentials, eliminating long-lived secrets.
6. DevOps Integrations
Native plugins and integrations for:
- Jenkins, GitHub Actions, GitLab CI, CircleCI
- Terraform, Ansible, Puppet, Chef
- AWS, Azure, GCP
- ArgoCD, Helm, Tekton
7. Unified Audit & Governance
All secrets access events flow into CyberArk’s audit framework, giving security teams a single pane of glass across PAM and secrets management.
Architecture
```
DevOps Tool / Application / Pipeline
               |
               v
     CyberArk Secrets Manager API
               |
       +-------+-------+
       |               |
 Policy Engine    Secret Store (Conjur / CyberArk Vault)
               |
               v
 Secrets Hub -> AWS Secrets Manager / Azure Key Vault (sync)
               |
               v
 Audit Logs -> SIEM / CyberArk Audit
```
Deployment options:
- SaaS (Conjur Cloud): Fully managed, recommended for new deployments
- Self-hosted (Conjur Enterprise): On-prem or private cloud, maximum control
- Hybrid: Secrets Hub bridges on-prem vault with cloud-native stores
Use Cases
CI/CD Pipeline Security
Development teams integrate CyberArk Secrets Manager into Jenkins or GitHub Actions. Pipelines authenticate using AppRole-style credentials and retrieve secrets at runtime, so there are no more hardcoded tokens in a Jenkinsfile or in .github/workflows.
Kubernetes Workload Identity
Microservices running in Kubernetes pods authenticate to Secrets Manager via service account tokens. Secrets are injected at pod startup, with no changes to application code required.
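The Conjur-style runtime retrieval used by both the CI/CD and the Kubernetes use cases above, and the policy-as-code model from the Key Features section, as an added example that is not CyberArk's or the Conjur project's code. It uses the Conjur REST routes (`/authn/{account}/{login}/authenticate` and `/secrets/{account}/variable/{id}`), the `Token token="..."` authorization scheme, and the `CONJUR_*` environment variables the official Conjur clients read; the account name `myorg`, the host `billing-app`, the variable `billing-app/db/password` and the policy sketched in the docstring are assumptions. A Kubernetes pod would obtain its token through the authn-k8s authenticator (or have it injected by the Secrets Provider) instead of presenting an API key; the token handling and the secret read are the same.

```python
"""Authenticate a workload to Conjur and read one secret.

Added example, not CyberArk's or Conjur's code. Assumes a policy like the
following has been loaded (all names are assumptions):

    - !policy
      id: billing-app
      body:
        - !host                         # identity: host/billing-app
        - &secrets
          - !variable db/password       # full id: billing-app/db/password
        - !permit
          role: !host
          privileges: [ read, execute ] # execute = fetch the value
          resources: *secrets

The host is permitted only its own branch; nothing here lets it read
another application's variables.
"""
import base64
import os
import ssl
import urllib.parse
import urllib.request


def conjur_login_path(account: str, login: str) -> str:
    # "host/billing-app" contains a slash; encode it so it stays one path segment.
    return (f"/authn/{urllib.parse.quote(account, safe='')}/"
            f"{urllib.parse.quote(login, safe='')}/authenticate")


def conjur_variable_path(account: str, variable_id: str) -> str:
    return (f"/secrets/{urllib.parse.quote(account, safe='')}/variable/"
            f"{urllib.parse.quote(variable_id, safe='')}")


def conjur_auth_header(raw_token: bytes) -> str:
    """Conjur expects the access token base64-encoded inside a Token scheme."""
    return 'Token token="' + base64.b64encode(raw_token).decode("ascii") + '"'


def authenticate(base_url: str, account: str, login: str, api_key: str, ctx: ssl.SSLContext) -> bytes:
    """Exchange the bootstrap API key for a short-lived access token."""
    req = urllib.request.Request(
        base_url.rstrip("/") + conjur_login_path(account, login),
        data=api_key.encode("utf-8"), method="POST",
        headers={"Content-Type": "text/plain"},
    )
    with urllib.request.urlopen(req, context=ctx, timeout=5) as resp:
        return resp.read()  # token expires in minutes: re-authenticate, never persist it


def read_secret(base_url: str, account: str, variable_id: str, raw_token: bytes, ctx: ssl.SSLContext) -> str:
    req = urllib.request.Request(
        base_url.rstrip("/") + conjur_variable_path(account, variable_id),
        headers={"Authorization": conjur_auth_header(raw_token)},
    )
    with urllib.request.urlopen(req, context=ctx, timeout=5) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Bootstrap values come from the orchestrator / CI secret store, never from the repo.
    url = os.environ["CONJUR_APPLIANCE_URL"]
    account = os.environ["CONJUR_ACCOUNT"]
    ctx = ssl.create_default_context(cafile=os.environ.get("CONJUR_CERT_FILE"))
    token = authenticate(url, account, os.environ["CONJUR_AUTHN_LOGIN"],
                         os.environ["CONJUR_AUTHN_API_KEY"], ctx)
    password = read_secret(url, account, "billing-app/db/password", token, ctx)
    # Use `password` in memory (e.g. open the DB connection); do not print or write it.
```

The design point is that the only long-lived material the workload holds is the bootstrap API key (rotate it, as the Best Practices section says), and the token it trades that key for is short-lived, so a leaked token has a bounded window of use.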
Database Credential Management
Secrets Manager dynamically issues database credentials for PostgreSQL, Oracle, or MSSQL. The credential TTL can be as short as a single session, eliminating shared service account passwords.
IaC Secret Injection (Terraform / Ansible)
Infrastructure-as-Code tools retrieve secrets directly from CyberArk at provisioning time. No secrets stored in Terraform state files or Ansible inventory.
SAP and Legacy Application Integration
For organizations running CyberArk PAM for SAP environments, Secrets Manager extends NHI coverage to legacy application authentication scenarios.
Pricing
CyberArk Secrets Manager pricing follows an enterprise model; there is no public pricing page. Pricing is based on:
- Number of secrets stored
- Number of application identities (workloads)
- Deployment model (SaaS vs. self-hosted)
- Add-on modules (Secrets Hub, Venafi machine identity)
Typical Entry Point: Mid-to-large enterprises. CyberArk is not the right fit for startups or small teams due to cost and complexity.
> Recommendation: Request a demo and proof-of-concept (POC) via cyberark.com. Expect annual contracts in the six-to-seven figure range for enterprise deployments.
Pros & Cons
Pros
- Seamlessly extends existing CyberArk PAM: a single platform for human + machine identity
- Secrets Hub is a unique differentiator: sync to cloud-native stores without replacing them
- Policy-as-code (Conjur policies) enables GitOps-style secrets governance
- Enterprise-grade audit and compliance built in
- Strong Kubernetes-native integration with multiple injection patterns
- Venafi integration adds unmatched machine identity + certificate lifecycle management
Cons
- Complex to deploy and operate; requires significant CyberArk expertise
- No public pricing, which makes budgeting and evaluation difficult
- Not suitable for small teams or early-stage companies
- Conjur’s learning curve is steep, especially for policy authoring
- SaaS option (Conjur Cloud) is relatively new; some enterprise features lag behind self-hosted
Competitors Comparison
| Feature | CyberArk Secrets Manager | HashiCorp Vault | AWS Secrets Manager | Akeyless |
|---|---|---|---|---|
| PAM Integration | Yes (native) | Partial | No | Partial |
| Secrets Hub (multi-cloud sync) | Yes | No | No | No |
| Dynamic Secrets | Yes | Yes | Partial | Yes |
| Open Source Core | Yes (Conjur OSS) | Yes | No | No |
| Machine Identity (Certs) | Yes (via Venafi) | Yes (PKI engine) | No | Partial |
| Enterprise Support | Yes | Yes | Yes (AWS) | Yes |
| Pricing Transparency | No | Yes | Yes | Yes |
Best Practices
- Start with Conjur Cloud (SaaS) if you’re new to CyberArk Secrets Manager; it gives faster time to value.
- Define the secrets policy hierarchy early; Conjur policies can become complex if not planned.
- Use Secrets Hub to sync with AWS/Azure stores and avoid disrupting existing developer workflows.
- Implement least privilege for each application identity; don’t share application credentials.
- Integrate with your existing SIEM on Day 1; CyberArk’s audit logs are rich and compliance-critical.
- Rotate bootstrap credentials (the credentials used to authenticate to Secrets Manager itself) regularly.
- Train your DevOps team; successful adoption requires developer buy-in, not just security team mandates.
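What "integrate with your SIEM on Day 1" buys you in practice, as an added example that is not CyberArk's code and does not use CyberArk's audit schema: three detections run over secrets-access events. The event format (one JSON object per line with `ts`, `identity`, `action`, `resource`, `result`) and every sample line are constructed for this example; map your real audit fields onto those keys before reusing the rules. The rules encode the least-privilege and policy-hierarchy advice above: an identity touching a variable outside its own policy branch, an identity reading an unusually large number of distinct variables in a short window, and repeated authentication failures against one login.

```python
"""Detection rules over secrets-access audit events (added example).

The event format and sample lines are constructed; this is not the
CyberArk / Conjur audit schema. Adapt the field mapping to your SIEM.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real logs): one JSON object per line.
SAMPLE_LOG = """\
{"ts":"2025-01-10T09:00:01Z","identity":"host/billing-app","action":"fetch","resource":"billing-app/db/password","result":"success"}
{"ts":"2025-01-10T09:00:02Z","identity":"host/billing-app","action":"fetch","resource":"billing-app/api/key","result":"success"}
{"ts":"2025-01-10T09:00:03Z","identity":"host/billing-app","action":"fetch","resource":"payroll/db/password","result":"failure"}
{"ts":"2025-01-10T09:00:04Z","identity":"host/ci-runner","action":"authenticate","resource":"","result":"failure"}
{"ts":"2025-01-10T09:00:05Z","identity":"host/ci-runner","action":"authenticate","resource":"","result":"failure"}
{"ts":"2025-01-10T09:00:06Z","identity":"host/ci-runner","action":"authenticate","resource":"","result":"failure"}
{"ts":"2025-01-10T09:00:10Z","identity":"host/reporting","action":"fetch","resource":"reporting/a","result":"success"}
{"ts":"2025-01-10T09:00:11Z","identity":"host/reporting","action":"fetch","resource":"reporting/b","result":"success"}
{"ts":"2025-01-10T09:00:12Z","identity":"host/reporting","action":"fetch","resource":"reporting/c","result":"success"}
{"ts":"2025-01-10T09:00:13Z","identity":"host/reporting","action":"fetch","resource":"reporting/d","result":"success"}
{"ts":"2025-01-10T09:00:14Z","identity":"host/reporting","action":"fetch","resource":"reporting/e","result":"success"}
{"ts":"2025-01-10T09:00:15Z","identity":"host/reporting","action":"fetch","resource":"reporting/f","result":"success"}
"""


def parse_events(text: str) -> list:
    """Parse JSON-lines events and turn the timestamp into an aware datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return events


def branch_of(identity: str) -> str:
    """'host/billing-app' -> 'billing-app': the policy branch the host lives in."""
    return identity.split("/", 1)[1] if "/" in identity else identity


def detect(events: list, burst_n: int = 5, window: timedelta = timedelta(seconds=60),
           auth_fail_n: int = 3) -> list:
    """Return (rule, identity, detail) tuples for every rule that fires."""
    findings = []

    # Rule 1: a fetch (allowed or denied) targeting a variable outside the
    # identity's own policy branch. Under a per-app policy hierarchy this
    # should never happen, so even a denied attempt is worth an alert.
    for ev in events:
        if ev["action"] == "fetch" and not ev["resource"].startswith(branch_of(ev["identity"]) + "/"):
            findings.append(("cross_branch_access", ev["identity"], ev["resource"]))

    # Rule 2: one identity successfully reading >= burst_n distinct variables
    # inside a sliding window (a bulk-read pattern, not normal app startup).
    per_identity = defaultdict(list)
    for ev in events:
        if ev["action"] == "fetch" and ev["result"] == "success":
            per_identity[ev["identity"]].append(ev)
    for identity, evs in per_identity.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            distinct = {e["resource"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(distinct) >= burst_n:
                findings.append(("variable_burst", identity, len(distinct)))
                break

    # Rule 3: repeated authentication failures for one login (bad or rotated
    # bootstrap credential, or someone guessing at it).
    failures = defaultdict(int)
    for ev in events:
        if ev["action"] == "authenticate" and ev["result"] == "failure":
            failures[ev["identity"]] += 1
    for identity, n in failures.items():
        if n >= auth_fail_n:
            findings.append(("auth_failures", identity, n))
    return findings


if __name__ == "__main__":
    for finding in detect(parse_events(SAMPLE_LOG)):
        print(finding)
```

Thresholds are deliberately parameters: a reporting job that legitimately reads six variables at startup should be allow-listed or given a higher `burst_n`, whereas any cross-branch access is a policy-design question regardless of volume.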
FAQs
Q1: Is CyberArk Secrets Manager the same as CyberArk PAM?
No. CyberArk PAM (Privileged Access Management) is designed for human privileged users: admins, developers, and IT staff. Secrets Manager is designed for machine identities: applications, pipelines, and services that need credentials programmatically.
Q2: What is Conjur and how does it relate to CyberArk Secrets Manager?
Conjur is the open-source secrets management platform that CyberArk acquired and built Secrets Manager upon. Conjur OSS is free; CyberArk Secrets Manager / Conjur Enterprise adds enterprise features, support, and SaaS delivery.
Q3: Does CyberArk Secrets Manager work without the CyberArk PAM suite?
Yes. Secrets Manager can be deployed as a standalone product. However, it delivers the most value when integrated with CyberArk PAM for unified human + machine identity governance.
Q4: Can Secrets Manager replace HashiCorp Vault?
For organizations already running CyberArk PAM, yes: Secrets Manager offers comparable (and sometimes superior) features with the added benefit of unified governance. For pure open-source / DevOps environments, Vault may offer more flexibility.
Q5: Is CyberArk Secrets Manager FIPS 140-2 compliant?
Yes. CyberArk’s enterprise vaulting infrastructure meets FIPS 140-2 requirements, and the Secrets Manager product inherits these compliance postures.
Q6: How does Secrets Hub work?
Secrets Hub acts as a synchronization layer. It reads secrets from the CyberArk Vault and pushes them to native cloud secret stores (AWS Secrets Manager, Azure Key Vault). Applications consume secrets from their preferred cloud store while CyberArk governs them centrally.
Q7: What is the minimum organization size for CyberArk Secrets Manager?
CyberArk targets mid-market to large enterprise. Organizations with fewer than 500 employees or simple secrets needs may find better ROI with Doppler, Infisical, or HashiCorp Vault OSS.
Conclusion
CyberArk Secrets Manager is the right choice if you’re serious about unified identity security, covering both your human privileged users and your machine identities under one governance framework.
The Secrets Hub innovation alone is a compelling differentiator, enabling organizations to enforce enterprise secrets governance while keeping developers happy with their AWS or Azure-native tooling.
The caveats are real: cost, complexity, and vendor dependency. But for regulated industries (finance, healthcare, government) where audit trail and compliance are non-negotiable, CyberArk’s comprehensive platform is hard to beat.
As the Non-Human Identity (NHI) landscape evolves, and with the Venafi acquisition adding deep machine identity coverage, CyberArk Secrets Manager is positioning itself as the platform of record for the entire identity security lifecycle.
CyberSecurityO Rating: 8.9 / 10