Top 8 Privileged Access Management (PAM) Tools

CyberArk Privileged Access ManagerOne Identity SafeguardThycotic Secret ServerBeyondTrust Endpoint Privilege ManagementARCON Privileged Access ManagementWALLIX BastionFudo PAMOne Identity Privileged Access Suite for Unix
  1. leader badge
    It is useful for protecting passwords. If you need to do access security management, you can first use the CyberArk console, and after that, you can connect the firewall interface or firewall command line. Similarly, if you need to do an RDP session, you need to first log in to CyberArk before connecting to the Windows RDP session. This way, the admin doesn't know the password, and that password is changed immediately. To change the password, you first discover the old password in the network, and after that, you can change the password.
  2. leader badge
    Safeguard can define and update processes and procedures into the security framework of a company, including mobile. It allows us to change the policies and configurations on a mass scale in regards to security.
  3. Find out what your peers are saying about CyberArk, One Identity, Thycotic and others in Privileged Access Management (PAM). Updated: July 2021.
    522,693 professionals have used our research since 2012.
  4. The surveillance is most valuable.I like that it is Windows-based. It is good that primarily, it is not an appliance. Some of the other applications in the space, such as a Quest Software CPAM or a Safeguard, are appliances, so you can't deploy the ends of them. With Thycotic, you can either install your Temporal Protection module physically in the VM host, or you can use BouncyCastle for high-security module capabilities.
  5. Technical support is good.What I liked about this solution is that it can also integrate for tracking malicious use or sending analytics to a host that can process them. I don't know if CyberArk, Centrify, or Thycotic can do that. The analytics was something the client really wanted, and they already had BeyondTrust. It is very scalable. The agent on the workstation is very thin, and the processing power required on a server is nothing out of the ordinary. It is also very stable and easy to deploy.
  6. 100% compliant and you don't have to maintain ID management for each and every user.The initial setup is very straightforward. It's not complex at all.
  7. I like that it's Linux-based, and you don't need to have separate implementations, extra database licenses, or enterprise licenses. I think because it's Linux-based, it's more seamless than Windows. I also like the access manager, which I think is a super tool. Everything is browser-based, and you don't need a VPN. So, that's a great thing.
  8. report
    Use our free recommendation engine to learn which Privileged Access Management (PAM) solutions are best for your needs.
    522,693 professionals have used our research since 2012.
  9. We are convinced that Fudo PAM is better than competing products like's perfect to control and administer computers in our company.
  10. The most valuable feature of this solution is that it is easy to use.

Advice From The Community

Read answers to top Privileged Access Management (PAM) questions. 522,693 professionals have gotten help from our community of experts.
Paresh Makwana
I am a director of a small tech services company. How do you think AI and ML will help or work with Privileged Identity Management (PIM) and Privileged Access Management (PAM)?
author avatarIdan Shoham
Real User

First, terminology - there really is no such thing as privileged identity management. PAM systems broker access to existing accounts and other entitlements - they do not normally create or manage the lifecycles of identities (login accounts, etc.) which is what identity management means. That's just a misnomer introduced and later abandoned by some vendors.

As for the link between ML/AI and PAM - it is basically to identify unusual but authorized access and trigger either extra authorization or at least alerts.
It's normal that John connects to root on the Linux server M-F in the morning, but it's really strange at 3AM on Saturday, so invite John's manager to approve the odd-looking request.

author avatarAslamImroze

Typically any new latest PAM comes with a great number of options for automation. Integration with JSON scripts is also possible. It depends on what is the use case you want to achieve. If an ML can trigger AI to send some request to PAM then based upon the input received and configured automation rules in PAM the action will be taken. BeyondTrust PAM can do this.

author avatarABHILASH TH

AI & ML helps in proactive threat intelligence modules, risk rating. Also, to automate operations. For eg CyberArk has a module names PTA ( privilege threat analytics )

Simone Antonaci
Kindly advise on the top 5 solutions within the industry to look at. 
author avatarKishan Kendre
Real User

Hi Simone,

Following are the products which you can look for your requirement. I recommend to select any solutions depend on the your organization need. Is it needed on premise or on cloud. Do you need SAAS service or have in house deployment. On these conditions cost will differ. My personal opinion is 





Microsoft Azure AD Premium



author avatarreviewer1447290 (Director at a tech services company with 1-10 employees)
Real User

When It comes to PAM, I would say Thycotic, CyberArk, BeyondTrust are the ones I normally include in RFPs.  However, where your environment is exclusively Azure cloud-based, I say that Microsoft's Azure AD Premium provides a pretty good PIM solution. These are different solutions to achieve the same goal of managing privileged access. 

author avatarreviewer1324719 (PAM Architect at a tech services company with 11-50 employees)
Real User

I would first state that you are asking an unqualified question. The PAM tool that matches your organizations requirements, use cases, volume, and many other considerations, will need to be considered in this equation. I like the previous answer by Kishan as I like those products and see them employed successfully. The converse is also true if not carefully scoped and evaluated.

PAM tools can be costly and contain confounding arrays of security features and terminology synchronization will be key in ensuring you are getting what you actually are asking for. On top of the software cost implications you will have the Architectural, Implementation, and Administration costs nipping at your heels. Consider also that this is not a "PAM Project", but a long term Program and buy-off must start from the very top of your organization.

I have witnessed, and participated, in projects that started out with your question, and many went off the rails, unless important considerations are taken into account:

1. Define your requirements with granularity, including integration with your existing infrastructure such as: Authentication / Authorization / MFA, syslog, analytics, Disaster Recovery and High Availability just to name a few.

2.Determine your overall goals relating to Least Privilege, Standing Privilege, Just in time Privilege, and No standing privilege. Do you require Session Recording and Keystroke Logging, as they are not always bundled  into the initial price and sometimes not together, and may be individual features in your initial quotations and can unpleasantly surprise you.

3. Provision a comprehensive test environment to confirm the viability of the product choices within your infrastructure.

4. Select a vendor or integration partner to back-fill the expertise gaps in your organization as these skill-sets are very expensive and marketable.

I apologize for not answering your question directly, but I would consider looking into the Gartner resources, KuppingerCole and so on.

In a short direct answer I favor CyberArk, BeyondTrust, Thycotic, Centrify, and StealthBits, and these are definitely not in any preferential order.

author avatarreviewer1308201 (Information Security | Cybersecurity | VP, Cybersecurity Manager at a financial services firm with 1,001-5,000 employees)
Real User

Hi Simone,

When we started the PAM journey we POC'ed three vendors based on the use cases and the roadmap for your requirements.  Since the world is shifting to cloud infrastructure, i would recommend looking at these vendors.  

One Identity (Safe Guard), CyberArk, and Beyondtrust.  We decided to go with One Identity because it was the right fit for our use cases and requirements.  We have been using safe guard for several years and it did not disappoint so far! Rock Solid tool.

Oluwatosin Soyoye
My Bank is currently looking at PAM Solutions. Kindly advise on the top 5 solutions within the industry that can be looked at. We would like to engage from the OEM point of view to have a POC carried out before we make any commercial engagement.
author avatarOleg Shaburov

I'd say that everything depends on your detailed requirements. I can tell that I know many customers who selected One Identity because it was ideal for their needs. Here is what they valued most:

1. Ease of deployment. After several months of piloting competitive solutions, One Identity pilot was started within 1 week (in basic scenarios that can be started within 2 days).

2. No need to deploy agents on servers. That is really important for critical infrastructure.

3. No need to change tools on the client's side. Admins really like it. They are not forced to use some inconvenient tools.

4. Scalability: I'd say that there is no company whose needs cannot be covered by this solution.

If you value the same things than have a look at One Identity.

author avatarAlex Lozikoff

I would advise choosing among Gartner MQ Leaders. You are a Bank so the solution should be robust. According to the latest Gartner PAM MQ the leader are CyberArk, Centrify, Beyond Trust, Thycotic. If you need 5 options, take a look at One Identity.

FUDO was excluded by Gartner from the latest PAM MQ.

author avatarAji Joseph

PAM solutions worth considering are CyberArc, Centrify, Beyond Trust, Thycotic & Fudo.

author avatarreviewer989748 (Security Analyst at a financial services firm with 201-500 employees)
Real User





One identity

These are the big players. While they can all do PAM, things you should consider in making a choice include have a success criteria, what you want to achieve, cost, ease of implementation and management, scalability, etc. 

Go for the features you need and fits your requirement and not nice to have. 

author avatarOleg Shaburov

What answer will you give for such question: 'what is the best car?'

Is it 'Ferrari, Bugatti, Aston Martin' or "BMW, Mercedes, Audi' or 'Jeep, Toyota, Mitsubishi'?

Give us more info and we will be able to give better advice.

I'd say that if session management is important for you than One Identity should definitely in the list.

And please don't make your choice based on marketing. Test in your infrastructure and you will definitely see the difference. 

Menachem D Pritzker
On July 15, 2020, several verified Twitter accounts with millions of followers were compromised in a cyberattack. Many of the hacked accounts we protected using two-factor authentication, which the hackers were somehow able to bypass. Hacked accounts included Barack Obama, Joe Biden, Bill Gates, Jeff Bezos, Mike Bloomberg, Warren Buffett, Kim Kardashian, and Kanye West, Benjamin Netanyahu, and several high profile tech companies, including Apple and Uber. The hackers posted variation of a message asking follower to transfer thousands of dollars in Bitcoin, with the promise that double the donated amount would be returned. How could Twitter have been better prepared for this? How do you rate their response?
author avatarKen Shaurette
Real User

I like the potential for catching an unusual activity like that with our recently implemented endpoint detection tool, Cynet360.  It seems so far to have about the highest level of transparency into the endpoint with a 24x7x365 backing of monitoring.  

author avatarPrasanna VA
Real User

It's understood that internal tool probably shared by Internal Employee as RCA. The tool was used to reset associated Mail Address of account thereby Password Reset of Choice. In MFA of Identity related features, it's more secured on keeping it with associated Mobile Secure Pin or SoftCrypto Code in Future to avoid compromise at this moment is the lesson learned. 

author avatarreviewer989748 (Security Analyst at a financial services firm with 201-500 employees)
Real User

The use of two factor authentication by Twitter

author avatarParesh Makwana

This is one of the Identity theft issue, which means some one hack your password or account and do activity which he she is not suppose to do. basic reason of hack of your identity or password is Social engineering. second reason is system has week privilege access management. If you have less control on admin id or privilege id then enter firm has to suffer along with the customer of that firm. For me the take away of this event is to protect privilege ID and you good PAM PIM tool with two factor and UBA included.  

author avatarRussell Webster
Real User

Span of control, Solid RBAC, Privileged Access Management (PAM) 

See more Privileged Access Management (PAM) questions »
Find out what your peers are saying about CyberArk, One Identity, Thycotic and others in Privileged Access Management (PAM). Updated: July 2021.
522,693 professionals have used our research since 2012.