When I was a component owner for PAM's Privileged Threat Analytics (PTA) component, what I wanted was a clear mapping to the MITRE ATT&CK framework, a framework which has a comprehensive list of use cases. We reached out to the vendor and asked them how much coverage they have of the uses cases found on MITRE, which would have given us a better view of things while I was the product owner. Unfortunately they did not have the capability of mapping onto MITRE's framework at that time.

PTA is essentially the monitoring interface of the broker (e.g. Privileged Access Management, the Vault, CPM, PSM, etc.), and it's where you can capture your broker bypass and perform related actions. For this reason, we thought that this kind of mapping would be required, but CyberArk informed us that they did not have the capability we had in mind with regard to MITRE ATT&CK.

I am not sure what the situation is now, but it would definitely help to have that kind of alignment with one of the more well-known frameworks like MITRE. For CyberArk as a vendor, it would also help them to clearly spell out in which areas they have full functionality and in which ares they have partial or none. Of course, it also greatly benefits the customers when they're evaluating the product.

CyberArk PAM is a very broad product as everyone's requirements for implementation are different. In our particular case, the initial implementation was planned and developed by people who didn't know our specific network requirements, so the initial implementation needed to be tweaked over time. While this is normal, at the time all these "major" changes required CyberArk professional services to come in-plant and "assist" with the changes.  

Over time, the CyberArk product team has made this process simpler and has enabled more local administrator configuration and update functionality, which doesn't require sub-contracts.

My personal wishlist of features has been fulfilled with versions 12.6 and 13.2, which provide a host of improvements that the administrator community has been asking for.  

With these version releases, that leaves my only "unfulfilled" product improvement request to be the creation of some kind of memo field for each device account, which could be used, in our network at least, to leave a note about the device for either the security or network engineering team members.

The product is very vaulting-focused. I'd love to see it expanding its capabilities a bit further into areas like just-in-time elevation, and access with non-vaulted credentials.

The upgrade options are good but could be further simplified.

The high availability options could be improved, and the load distribution as well for both the vaults and the credentials managers.

The web interface should allow having multiple sites for location-aware access control within the same web server.

A more friendly and functionally complete user interface would be nice to have. The current interface is not very intuitive. It is somewhat clunky and difficult to navigate, and many times have to toggle between the somewhat underdeveloped new interface and the older classic UI. This state of basically having two interfaces is a prime opportunity for CyberArk to improve its product.

Also, it would be nice if the vaults could run on Linux instead of Windows.

There is a lot of room for improvement in the report section. I also work on other tools, such as Thycotic, which allows you to create customized reports for your organization's needs. In CyberArk, there are limited reports, whereas in Thycotic or some of the other PAM tools, because the database is different, you can customize the report based on your needs through SQL queries.

The GUI part can be better. Previously, they had a classic one, and then they upgraded to the new one, but it is less user-friendly than other PAM solutions. Its GUI is a little bit complex.

Cost management. There should be more models and licensing plans for this software. They should also be flexible, allowing you to purchase selected features at a favorable price.

User Experience. The current interface is OK, however, sometimes it is not very intuitive. There is also no possibility of advanced modification and adaptation to your own needs and requirements.

Performance. The performance of the application could be a bit better, especially in the case of remote sessions - delays in remote sessions can be annoying.

What could be improved in CyberArk Privileged Access Manager is the licensing model. It should be more flexible in terms of the users. Currently, it's based on the number of users, but many users only log in once in four months or once in five months. It would be great if the licensing model could be modified based on user needs. We even have users who have not logged in even once.

Another area for improvement in CyberArk Privileged Access Manager is the release of vulnerability patches because they don't release it for all versions. They would say: "Okay, you should upgrade it to this point. The patches are available", but sometimes it is not feasible to do an upgrade instantly for any environment, because it has to go through the change management process and also have other application dependencies. If that can be sorted out, that would be nice.

The greatest area of improvement is with the user interface of the Password Vault Web Access component. The latest long-term support version of CyberArk (12.x)  still includes and still leverages the version 9.x UI in order to maintain some of the administrative functionality.   

The performance of the 9.x UI leaves much to be desired and there are still some administrative tasks that require the use of a thick "PrivateArk" client.   

Many improvements have been made over time, however, there is still work needed.

CyberArk PAM could greatly benefit from an under-the-hood update; integrating machine learning algorithms could provide predictive insights.

The user interface lacks intuitiveness; revamping the UX of the web access panel through intuitive navigation, customization, contextual assistance, visual coherence, and accessibility considerations will undoubtedly result in higher user satisfaction, increased engagement, and ultimately, a more competitive offering in the market.

In addition, several tools seem to be outdated, however, you can see that CyberArk is constantly working on them.

Remediation of some of the platform settings in the master policies section would be handy.

Overall what I would really love to see is the third-party PAS reporter tool pulled more into the overall solution, ideally as its own deployable component service installation package, that could be installed/branded alongside the PVWA service, and build out API integration so that third party calls could draw valuable data directly out of the management backend with very little amount of additional admin overhead.

The solution needs better features for end users to manage their own whitelisting for API retrieval. 

There is room for improvement in the pricing model. From a technical point of view, there are no issues. Support could be faster, though. We have mentioned that better support from CyberArk would be beneficial.

So, support could be faster, and pricing can be improved.

As configuration options are very extensive, it is sometimes hard to find the correct and complete way of customization or specific configuration. 

The documentation is rather basic and it is missing many use cases. 

It's also hard to test solutions without a development environment as CyberArk doesn't provide the possibility to run the environment for personal purposes.

It should be easier to install. It is a comprehensive product, which makes it difficult to install. You need to have their consulting services in order to get it all installed and set up correctly because there is so much going on. It would be nice if there were an easier way to do the installation without professional services. I suspect they get a fair amount of their money from professional services. So, there is not a huge incentive.

It would be nice to do personal password management so that we could roll something out to the entire organization to manage people's passwords. At the moment, we're rolling out LastPass to do that, at least to some groups. I'm not sure if everybody in the organization is going to get it because most people only have a couple of accounts that we're concerned about. We're using LastPass because it is significantly less money than the CyberArk solution. CyberArk has one, but it is rather expensive. The LastPass solution is integrated into browsers. So, you can use it in your browser. I don't remember if I had to install a client on my machine or not. I probably just installed a browser extension. So, I'm not sure how that'll work with some of the other things. There must be a client that I didn't get around to because that's also in the very beginning currently. They have sent me links to training on how to use it and set it up, but I haven't had time to take the training yet.

The interface could be updated a bit. Right now, it's not very good. 

It is very complex and difficult to set up the solution. 

Maybe some customers have a lot of systems. For example, we have 1000 Windows systems and 500 Linux systems. I need a remote desktop management solution for the CyberArk. I'd like to be able to change desktops with one click. We'd like the next release to have remote desktop management tools. 

The PTA could be improved. Currently, companies often have multiple domains and sometimes it's difficult to implement CyberArk in this kind of infrastructure. For example, you can add CPM (Central Policy Manager) and PSM (Privileged Session Manager and PVWA (Password Vault Web Access) for access, but if you want to add PTA (Privileged Threat Analysis) to scan Vault logs, it is difficult because this component may be adding multiple domain environments. 

CyberArk, as a solution, can easily adapt to a lot of environments, and you can add a lot of components to different zones, and that will work with the Vault. But not all the components, such as the PTA, can do so.

Also, it would be helpful if CyberArk added some features for monitoring machines when we access them. For example, they need to improve the PVWA. In general, when we don't use the PVWA, we don't have a lot of problems. For me, the PVWA is not perfect. I would like to see more features in the PVWA to administer our machines and to improve the transfer of data.

The admin interface of the Password Vault Web Access (PVWA) is moving from an old style (the classic interface) to a new style (the v10 interface) and unfortunately, this process is quite slow. That said, it has been moving in the right direction with features becoming available in the v10 interface and some user features are available in both classic and v10 interfaces. I would love to see all the classic interface features moved into the v10 interface or available in both interfaces within the next version. 

CyberArk's web console isn't in a great state. Over the last three years, if not more, it has been transitioning from what they call the "classic UI" to its modern interface. However, there are a lot of features that you can only use in the classic interface. Hence, each version seems to put more makeup on the modern interface, but all of the complex functionality you need is still in the classic UI. 

I'm not sure they've figured out how to transition, and they're kind of in a weird state. So, while CyberArk has made strides, the web interface is painful, particularly as an administrator, because you have to bounce between these different user interfaces. It is an incredibly complex solution that requires at least a dedicated employee or more to maintain it, support it, and understand it thoroughly. If you don't have that, it's just not the right solution for you because it is very complicated. 

Many of the infrastructure folks who use the product dislike it because it complicates their workflow. They get a little less control, and they have to go through a specific solution. It proactively logs in for them, which obfuscates some of the issues that they may be troubleshooting. And I think some of the consumers aren't big fans of the product. Also, I feel that in the last year or so, CyberArk has been pushing very hard for customers to go to their cloud solution. It doesn't have the same flexibility as the on-premise version, which is problematic because that's where I see a lot of value in the solution.

PAM could be more user-friendly and CyberArk could update the documentation to include more real-world examples. You have to learn it yourself through trial and error. In particular, the online documentation should have more information about troubleshooting.

The components of their web view, policy manager, and session manager, most of them are separated. We need something which can unify those components into a single appliance. Sometimes the infrastructure team is hesitant to provide more resources. 

They have a lot of out-of-the-box integrations with a lot of other products. However, I would want them to bring on some kind of similar platform. If they can bring up the SSO on-prem, that would be ideal, as they don't have those things on-premises. They only provide that for the cloud. If they can do that, it would actually help a lot of us and keep us from trying to acquire multiple technologies for solutions.

In the beginning, CyberArk Privileged Access Manager didn't have a multifactor authentication feature, so that was an area for improvement, but now it's part of the solution.

Having just one console for two CyberArk products would be good, particularly for the CyberArk Privileged Access Manager and the CyberArk Endpoint Privilege Manager, with the latter being a product for endpoint management that supports the workstations and allows you to manage workstations.

In the next update of CyberArk Privileged Access Manager, it would be good to have a local agent where you can manage all users and processes, and have an agent on the servers such as Linux and Windows.

Some aspects of the administration need improvement, though they have recently made improvements to the API. However, the management with the interface and configuration are not so user-friendly. It has not changed much during all the years that CyberArk has been on the market. The management part, like platform management as well as PSM connectors definition and management, could be improved, even if it has already been done with the API.

Onboarding is always a difficult path for every PAM solution. It is not immediate.

We would, of course, always prefer it if the pricing was cheaper. 

We work with CyberArk's customer success team and we work with its engineering team back in Israel. We've been doing things on CyberArk which a lot of its customers, we know, have not been doing.

The one place where we found that this product really needs to improve is the cloud. Simple integrations don't exist, even today. We don't have anything specific on CyberArk for managing SaaS products, SaaS vendors, and SaaS credentials. I understand it's a vendor-based thing and that they have to coordinate with the other vendors to be able to do that, and there are integrations coming, but these are the major places where CyberArk definitely needs to invest some more time. Because this is what the future is. You're not going to have a lot of on-prem applications. Most stuff is going to the cloud.

The solution could improve by adding more connectors. 

Like any software, improvements and upgrades are a necessity. As CyberArk is used by many Fortune 100 and Global 2000 companies, they offer custom solutions that need to be continuously improved as the company changes. I am looking forward to new ways to utilize accounts within the current CyberArk system allowing a more seamless flow for technicians.

The issue is that in many environments, what I purchase via text is different. We have some policies that are specific to Microsoft environments. For example, my actual manager may not be able to connect to a Microsoft product due to a policy on it. The issue that comes to mind now is how six credentials are managed.

Currently, if you try to log in to any server within the environment, you would need to log in every time, regardless of whether you have already received the credential or if the connecting device is present or not. It is a problem with CyberArk. If CyberArk could find a way to solve this, it would greatly improve the experience.

I'm not sure if it is possible to fix this. It's not a point of entry, but it may require a longer string than the user might want to know, or maybe cheaper right now. If CyberArk can find a solution that improves the experience, it would be beneficial to customers.

Another thing is that there are some time needs that could be improved in the future. One thing that could be improved is to create of a better alternative for fixing group policy fees. We currently use Microsoft, but they have introduced new policies that may not be compatible.

The initial setup has room for improvement to be more straightforward.

CyberArk PAM is able to find all pending servers that can be integrated, but we cannot get this as a report. We can only see the list of servers on CyberArk PAM. This is a problem that could be improved.

If you are an administrator or architect, then the solution is kind of complicated, as it is mostly focused on the end user. So, they need to also focus on the people who are implementing it.

Better search functionality in the EPM console. It becomes difficult to search lengthy policies for specific items. Additionally, some of the windows sizes cannot be manipulated to allow a better user experience.

Make it easier to deploy. In 10.4, we did it with the cloud and could actually script the installs.

It can be made user-friendly, in the sense of the console is pretty outdated. They could add more enhancements, et cetera.

They could add more built-in connection components to support various other application platforms. The built-in connection components available are mostly not fit for our purpose. We need to do additional customization to make it work.

Report creation could be improved.

The policies could be more customized.

It should be easy to use for non-technical people. Its interface can be a bit difficult. Some parts of its interface are not very intuitive. Some of the controls are hidden, and instead of having a screen with all the controls for that account on it, you have to use menus and other similar things.

Its documentation could be better. Some of the documentation lacks details for people who aren't super technical.

I would like advanced RPA in the basic license. CyberArk has RPA, but we would need to buy additional licenses. It is not out-of-the-box.

I would like better support.

We're pretty excited about Alero, the third-party access management. As a small company we lean on vendors quite a bit and we do that in multiple areas. That's going to be a big one for us. It's just gone from beta to production. It's one of those things that's on our roadmap, but being so new to the toolset, we're just growing into the tool. We're not quite there yet.

The interface on version 9 looks old. I am excited for version 10 because of the interface and design are good, and it is easier to use.

I want some of the things which are glitching out there for me to be fixed. I have heard that there is something in the works, that they will be putting a feature in the help desk where they will have a message board now. So, I could communicate with other people who are having the same problems and pull their issues, this way I don't have to bother support all the time. Also, people can vote. They can vote on the most important issues, and CyberArk will prioritize them next, really listening to the customer. That is pretty cool.

One of our current issues is a publishing issue. If we whitelist Google Chrome, all the events of Google Chrome should be gone. It is not happening. However, they are coming close to a solution. It has been an issue for a while. I heard that this is one of the top priorities that they're working on.

I would like to see is the policy export and import. When we expend, we do not want to just hand do a policy. Even with exporting and importing, this will help.

The support services could act faster when people reach out to resolve issues. 

They can work on the pricing part. Its pricing is a big challenge here. When it started, the product came in at a very low cost. Now, they are the leaders in the market, so the cost has grown and is quite huge. 

It can be integrated with other systems, but it is not easy to integrate. It takes too long to integrate it. Its integration should be easier and simpler. 

CyberArk lacks the following functions for a better IAM like solution:

- Provision accounts for systems and directories.

- Create access to the systems.

- Monitor if any new account has been created into the system.

- Better GUI for the end-user and also for administrators. The learning curve is quite long and requires lots of training for good usage.

- More automated process for account provisioning into CyberArk. For example when a new DB is created.

- Better documentation with more examples for the configuration files and API/REST integration.

The Vault's disaster recovery features need improvement. There is no possibility to automatically manage Vault's roles and for some customers, it is not an easy topic to understand.

I noticed that CyberArk changed a little in terms of the documentation about disaster recovery failover and failback scenarios. Still, it is a big field for CyberArk developers. Logically it is an easy scenario to understand - yet not for everyone, surely.

The solution can be improved by including more connectors to other third-party systems for integration.

They should allow further customization as it's really hard to do any further customizations over CyberArk. We do have a wrapper of customization. However, it's very difficult, especially their web implementation. That's one thing I would say they can improve. With Angular and everything on the market, they still have their in-house web implementation tool, which is sort of a headache. 

I would love them to improve their UI customizing features. 

You simply cannot install the demo UI in every customer, basically. They would always ask for something to make their UI look a little different -  simple things like their logo or some sort of additional information pertaining to their particular customer. Even doing the smallest of changes takes a lot to do. 

There was a functionality of the solution that was missing. I had noticed it in BeyondTrust, but not in this solution. But, recently they have incorporated something similar.

The lead product has a slow process. There are some reports and requirements from CyberArk which are not readily available as an applicable solution. We have made consistent management requests in the logs.

Things that they were speaking about, here at the Impact 2018 conference, are things that we've already been looking it. They have been on our radar, things like OPM. We're beginning to use PSMP a little bit ourselves. We already have that implemented, but we haven't been using it a lot. The number one thing might be OPM, that we're looking at, that we think might help us in our business, but we haven't implemented them yet.

There are so many options that are currently available, and there are already efforts, projects within CyberArk, that they're working on right now, that I haven't really had time to think beyond what they're already offering. There are so many things that they have that we're not using yet, that we haven't licensed yet. There is a lot of stuff out there that we could take on that we haven't yet for various reasons, including budgeting.

It's always the need to do a cost-benefit and then doing a business case to management and convincing them that it's something that would be good for us and that it's worth spending the money on.

Right now, it's just trying to implement what's out there and use some of those tools that would give us the most bang for the buck.

We would like to expand the usage of the auto discovery accounts feed, then on our end, tie in the REST API for automation.

CyberArk's Privileged Access Management (PAM) stands out as an industry leader, and it is often considered at the top of its class. This comprehensive solution has consistently delivered robust features and innovative security measures that make it an essential component of any organization's cybersecurity strategy. While no system is without room for advancement, CyberArk has continuously demonstrated its commitment to innovation and improvement, and many of the potential areas of improvement are already being actively addressed.

More additional features as far as the REST is concerned, because we have something which was the predecessor to REST. A lot of the features which were in the predecessor have not necessarily been ported over to REST yet. I would like to see that to be more of a one-on-one transition, and be fully built.

The tool’s pricing and scalability can be better.

I would like to see the product enhancement with the Secure Connect feature. Today, there is no functionality to create "Accounts" using Secure Connect to permanently store a user's working tab. It is a tedious manual process of entering host IP information and user credentials into a privileged target system.

Currently, in Secure Connect, an end user is required to enter account information manually, and cannot save any of this information for future use. It’s a manual process of entering information all the time. Unless you are working with accounts already stored in “Safes”.

The continuous scanning of the assets is limited to Windows and Unix. We like to have the solution scan any databases, network devices, and security devices for privileged accounts. That would be very helpful. 

For least privilege management, we need a different level of certification from privileged management. Least privilege management comes under endpoint management. It takes time to get used to it, as it is not straightforward.

CyberArk has captured the individual privileged access space well. They've captured the application-to-application and DEVOPS space quite well.. They should continue to invest in optimizing the services, and help companies drive down risk associated with application based passwords, as this is an industry that is being closely watched by external regulators. 

CyberArk continues to stay close to the industry and are always looking for ways to improve  their products and service offerings accordingly.  There are 3 areas that I would call out, that CyberArk should continue to focus on:

1) Continue to help organizations understand how they align their strategies and roadmaps to industry trends and the overall cybersecurity threat landscape. 

2) Continue to help the industry innovate on talent , and position customers to be more successful in supporting their CyberArk implementations. 

3) Continue to help customers understand the Risk reduction capabilities and scorecards associated with their deployments.  Initiatives like the CyberArk Blueprint will help enable enable informed customers. 

We are aware that in 10.6, the "just in time" access has been created. I would like to see this developed further.

There is some stuff that we still have not fully integrated, which is our AIM solution. We are having all types of issues with it. I have been working with Level 3 support on it, but otherwise, from a functionality perspective, everything has been working except for the AIM solution.

The new PVWA is great. I actually saw some of the newer functionalities, and the look and feel looks great so far. It is just a matter of getting us there. We need to be able to upgrade the environment. They have been able to get the functionalities I was looking for on some of the latest releases.

We had an issue with the Copy feature. Of course when we do the password rotation we restrict users' ability to show a copy of their passwords for some cases, and in other cases they actually need that ability, but we would prefer them to copy to the clipboard and then paste it where it needs to go - as opposed to showing and it typing it somewhere and you have the whole pass the hash situation going. But apparently, in version 10, that Copy feature does not work. You actually have to click Show and then copy the password from within Show and then paste it. We've had a million tickets and we had to figure out a workaround to it. 

Then there is the failed authentication now. I don't know if that was a glitch or if that was an update, because I know sometimes you don't really want to tell a person when their account has been suspended because if I'm a hacker, maybe I'm just thinking I have the wrong password. When the account is locked you don't actually want them to know the account is suspended. However, since we are the CyberArk support within our organization, we need to know that the password is suspended and we won't know that unless we have the ITA log up.

So when a user calls and says, "Hey, I'm locked out of CyberArk, I can't get into CyberArk," we have to go through all of these other troubleshooting steps because the first thing we don't think of right now is, "The account is suspended," because normally we would be told that the account is suspended. They would take a screenshot of the error and it would say, 'Hey, user is suspended, station is suspended for user so-and-so." It doesn't say that anymore. So now it just says "Failed authentication." And that could be because they might not be in the right groups in Active Directory, they might not have RSA. It could be so many different things, where before, they would be able to say, "Yeah, I'm suspended." And we could say, "Okay, we can fix that in two minutes." We just log in to PrivateArk and enable your account and you're fine. Now we're saying, "Maybe we should check PrivateArk first, just in case," to make sure you're not suspended. It's going to be a whole rabbit hole that we fall into, simply because we're not given that information upfront.

In terms of future releases, I would love to be a partner again and get a temporary license that I can put back in my home lab because my license expired. I would like to play with 10.4. I want to see it and feel it out and see if I can break it because my rule of thumb is, if I can break it, I can fix it. That is one of the things I like about CyberArk, especially over CA PAM, because with CA PAM you get no view into the back-end on how it's configured and how it's built and how it works. With CyberArk, they literally give you everything you need and say, "Hey, this is your puppy. Raise it how you want." You get to see the programming and you get to configure and everything. I've broken several environments, but I'm pretty good at fixing them now because I know how I broke them.

Some of the additional features that we are looking at are in the Conjur product. So, CyberArk has some of the features we want covered either by utilizing Conjur's features or by integrating Conjur directing into the CyberArk tool. I am specifically discussing key management, API Keys, and things for connecting applications in the CI/CD pipelines.

The support could improve for CyberArk Privileged Access Manager.

PSM: I am going to go back to my company and push for it a little bit more within our groups, because I know that my counterpart has brought it up a number of times in the past. It has been getting blocked, but I have a couple of other paths that we can pursue so we can try to get it, at least, in our infrastructure and tested.

As a customer, I might need a plugin for a specific product, or an application, and CyberArk might have already worked with some other client on it. There has to be some platform where it is available for everybody else to go and grab it, instead of my having to reinvent the wheel.

One of the things that I have been wanting is that we use the Privileged Threat Analytics (PTA) solution, and it is a complete standalone solution, but they will be integrating it into the vault and into the PVWA. So, we will have that singular place to see everything, which for us is great because it's one less thing to log into and one less thing that you feel like you have to jump over to get a piece of information. Having a centralized place to manage the solution has been something that I have always wanted, and they are starting to understand that and bring things back together.

The web access piece needs improvement. We have version 9.5 or 9.9.5, and now we have to upgrade to version 10. 

One of the main things that could be improved would be filtering accounts on the main page and increasing the functionality of the filters. There are some filters on the side which are very specific, but I feel there could be more. For example, I want to look at accounts which are not working within a specific safe all at the same time.

Since this tool major utilizing modules are PAM and PSM, hence AIM and OPM are least considered by client. Client is somehow reluctant to use these features. Yes, i do agree that these Modules are not that friendly but also CyberArk do not providing proper training on these modules. Reports are also one of the major concern, as it gives a very basic kind of reports. CyberArk must provide some graphical reports which can be customized as per client requirement. After all presentation does matter.

Our DevOps team is looking in the direction of cloud, because we are not in it today. We are hoping to build it with Conjur from the ground up.

I like that they have continued with the RESTful API and the ability to leverage automation. I would like to see that continue. 

I would like easier integrations for creating an online dashboard that executives would look at or are able to run reports from the tool.

Allthough it's highly configurable, the user interface could use a do-over. The current interface doesn't scale that well, has some screens still in the old layout, while others are in the new ones and consistency in layout between pages sometimes is an issue. As I understand, this is scheduled for version 10.

Integration of this tool with SAML is a problem, as there is a bug. We’d like to be able to integrate AWS accounts in CyberArk.

The product’s pricing could be improved.

There is room for improvement in the availability of custom connectors on the marketplace for this solution. Additionally, their services for the CICD pipeline and ease of integration could be improved.

• We would like to have more flexibility in the RBAC model and have more options to define who should have access to what, not only based on safe membership. 
• In addition, the user interface could be improved. When a team manages thousands of accounts, advanced filters are very valuable to search the accounts.

Perhaps by design, but it manages creds based on Organizational Units. That is, a "safe" is limited to specific OUs. That makes for very elaborate OU structure, or you risk exposing too many devices by putting most of them in fewer OUs.

While in the past, administration required several tools and multiple screens/options in those products, v10 is moving towards a single pane of glass with common functions easily found and information regarding privileged accounts given to users in plain, easy to understand terms, now enhanced with graphics.

From what I can see, the Systems Integrator is useless. When I ask for the information, nothing is given to me. They need to provide better training for the System Integrator.

The user interface was a previous problem that has been overcome. 

CyberArk has a lot on the privileged access side but they have to concentrate more on the application side as well.

• The product documentation has to be more precise in certain aspects with explanations for functionality limitations along with reference material or screenshots. 
• New functionalities and discovered bugs take longer to patch. We would greatly appreciate quicker development of security patches and bug corrections.
• Online help also needs to be looked into with live agent support.

Areas the product could be improved are in some of the reporting capabilities and how the reports are configured.

An immediate improvement was the implementation of security controls to protect, control and monitor privileged accounts through CyberArk solution.

The web interface has come a long way, but the PrivateArk client seems clunky and not intuitive. It could use an update to be brought up to speed with the usability of PVWA.

Whilst the client is completely functional, it's been around for a long time and is reminiscent of XP, or even Windows 95. It could use an aesthetic update, with some of the wording and functions needing to be updated to be more representative of what is found in similar configuration from within the PVWA.

To go into more detail- The old PrivateArk client is simply that, old. Looking at the recently released Cluster Manager quickly reminds us of that. Also, the way in which objects are handled within the old client is similar to how objects were handled in older versions of Windows. The PrivateArk client could do with easier to follow links to configuration items and the ability to perform searches and data relevant tasks in an easier to follow process, there may even be room for inclusion of the server management component (lightweight even) and cluster manager components to be made available via the same client, should permissions permit such. As much as the client remains stable and functional, I believe it is time for an update, even if only aesthetically.

CyberArk Privileged Access Manager could improve the integration with other third-party secret managers, and vault solutions.

CyberArk Privileged Access Manager could improve the integration docking, it should have more layers. For example, integration with OpenShift.

Multi-tenancy vaults should really have the same release cycle as single tenancy vaults; this will enable us to meet even more customer demand. We are striving to be at least on the latest release minus 1 (n-1) and for us to run both Single and Multi-Tenant core systems the difference in release cycles will result in a wide gap. Considering the considerable changes including user interface we have seen recently, the one concern is that we may end up with users having different interfaces to deal with different customers. 

I think it pretty much covers a lot of the privileged identity space, things that other vendors are not thinking about. I think they are doing a very good job. I don't have any suggestions.

My list of enhancement requests on the portal is quite extensive.

My goal as a system administrator is to enable people to do their jobs more easily, more efficiently. So, I'm looking for ways to enable people to leverage the security posture in CyberArk, and still be able to do their jobs. Better yet, to be able to do their jobs more easily, and that's exactly what I've been finding. There are a lot of ways that CyberArk is able to be used to give people access to things that they normally wouldn't be able to access, in a secure fashion, but there are still some roadblocks in the way there. I would like to see better automation in granting access, better tools, more efficient tools, to be able to customize the solution that CyberArk provides.

Cost efficiency is the number one thing that can be improved in my mind. This would change lots of companies minds on purchasing the product.

The current user interface is a little dated. However, I hear there are changes coming in the next version. 

There is a learning curve when it comes to planning out the deployment strategy, but once it is defined, it runs itself.

The AIM providers registration process could be easier and could allow re-registration. Also, some sort of policies for assigning access rights and safe ownership would be useful for deployment automation. We're seeing difficulties with hosts requiring 2FA, and we need to better cover them with PSM and PSMP.

They can do a better job in the PSM space.

Session recording search capability has to be improved. It should include more platforms for password management. It should include more thick client integrations.

It is web-based, but other competitors have apps. We need to get there. It is just smoother to have an app. You don't have all the bugs from having a browser, and people like them better, since you can get to them via mobile. There are competitors that have mobile apps which do the same thing. Mobile browsing is just not there with CyberArk. 

This might be out of scope for CyberArk, but LastPass is an example of personal credential management. It would be cool if we could give personalized solutions to people, even if it is stored in the cloud. We have an enterprise solution, but we don't have a personalized one. It would be nice to have it all under one umbrella.

In every product, there is room for improvement. Within CyberArk, I would like to see more support for personal accounts. It can be done right now, but I can imagine changing a few aspects would make this easier and more foolproof.

Next to that, the REST API is not as capable as I would like. CyberArk is getting close, though.

Lastly, I would love to see a password filler that can provide raw input (like a keyboard). There are scenarios where administrators do not have the ability to copy and paste a password from the clipboard. As typing over a long random password is a tricky job, a raw password filler would be a solution that could overcome this issue.

I think that this product can be improved in all the areas. The details usually are important as the funcionallity. So I think that understanding the request from the customer CyberArk, as is already doing, can improve day by day his product.

Their post-sale support area requires a little more attention to our region ( ME/UAE. The current support model does not allow the end customers to open a ticket directly with CyberArk. Customers have to inform the distributor or bring in partners who have access to the support portal to open support cases. The support teams liability is limited to product issues and they usually do not get into configurations and integrations, unless estimated and paid for PS services.  This indirectly helps Service providers like us to make extra revenue. The default 24/7 support to our region, is effective when there is an emergency like a serious software issue, or if password vault is down etc, for such cases they provide immediate attention. For the rest of the low priority like migrations, upgradations, backups etc ( in some site it shall be considered high ), they take more time to respond.

Looking forward to new features line API security 

I think that the connectors, the integration pieces, the integration to ticketing system. This is something which is not meeting our requirements via out-of-the-box solutions, so we have to look for a customized solution, that could be improved.

Integration with the ticketing system should allow any number of fields to be used for validation before allowing a user to be evaluated and able to access a server.

Additional features: We are looking at the connectors. The connectors to be more robust and provide more flexibility for out-of-the-box implication.

As we have not yet moved to the core licensing model, we don't have the benefit of PSM and a few other things that were not previously included.

From what I see, like the out of the box password management features, or you can pay the tax forms, which I will write log, can become extensive. For example, we have right now 45 to 50 platforms to tell that were out of the box, like Cyber Optics 200 out of the box connectors, so if we can just put those also into out of the box so that the pros do not have to retell everything to what they think the comp manager of Cyber Optics representative. Apart from that, if we could have some kind of out-of-the box feature that you can simply say "no" so they don't have to go into a development mode, that would a really helpful feature.

Overall, I think it is a fantastic product, when used as designed and intended.

One of its biggest downfalls is also one of its biggest strengths. It is easily customized, and that customization makes it very easy to start trying to shoehorn the solution into roles it was never intended to fill.

With every version, I can see that the product wins on functionality and user experience. On the latter though, I hear from customers that on the UI level, things could be better. CyberArk continuously asks for feedback on the product (e.g., via support, yearly summits) from customers and partners, and hence, with version 10, they are addressing these remarks already.

The web portal (and hence the user interface) has some legacy behavior:

• Some pages are created for past-generation monitors. With current resolutions, filling the pages and resizing some elements on the pages could be handled better.
• They are not consistent with the layout of different pages. Some have, let’s say, a Windows 7 look and feel, while others have the Windows 8 look and feel.

Nevertheless, even with those remarks, it does what it is supposed to do.

• Authentication to the solution: Authentication to the PVWA utilises integration to IIS. Therefore, it is not as strong as desired.
• Reporting capability and customisation: Reporting utilises predefined templates with limited customisation capability.

It needs more plugin connectors for all devices. CyberArk currently can manage or make it easier to manage about 80% of our total devices. The rest still need R&D to develop the plugin. If CyberArk had more plugin connectors, the customer would not need to raise plugin development requests for several devices and CyberArk could easily connect to these devices.

What I mean with CyberArk needing to improve plugin connector is that currently CyberArk is able to manage almost all devices (server, network devices, security devices etc.) which are more than 80% of all devices. In my experience device such as IBM OS/390 and Cisco TACACS still need custom plugin connectors developed by CyberArk R&D.

If CyberArk IS able manage more than 95% from total devices it would help the customer to using it without raising a support ticket to create a plugin connector. CyberArk will more easier to manage all devices with no compromise

A greater number of out-of-the-box integrations with other vendors: They are working on it, but more is better!

Privileged Threat Analytics (PTA) that can function in more that one AD domain at a time. The recent enhancement that allows resilience in PTA is great, but operation in more than one domain is required as many organizations have multiple AD domains. Even if it’s just prod and test or PPE split, you still want to know what’s going on in it.

We have found with the recent upgrade a lot of issues we had with the connection have been resolved.

I'd like to see a more expansive SSH tunneling situation through PSMP. Right now you have an account that exists in the vault and you say, "I want to create a tunnel using this account." I'd like to see something that is not account-based where I could say, "I want to create a tunnel to this machine over here," and then authenticate through the PSMP and then your tunnel is set up. You wouldn't need to then authenticate to a machine. Then you could go back in through your native clients and connect to that machine. Also, to have that built out to include not just Unix targets but anything you'd want to connect to.

The performance of this product needs to be improved. When the number of privileged accounts increases, i.e., exceeds 2000, then the performance of the system reduces. The login slows down drastically and also the connection to the target system slows down. This is my observation and thus, the server sizing needs to be increased.

The DNA scan should be able to scan Unix machines for privileged accounts.

This product needs professional consulting services to onboard accounts effectively based user profiles.

Perhaps improve the user registry integration. It is already fine, but a bit atypical.

My experience with the product was with older versions, so this may not represent the actual case anymore. In essence, user registry integration is atypical in the sense that the product creates a copy of the user inside the product itself (to accommodate for license seat counting, I guess).

Depending upon the size of the user base and license model, it may not allow new users to log in to the platform. I doubt the vendor considers this an issue, though.

Perhaps improve the user registry integration. User registry integration is atypical in the sense that the product creates a copy of the user inside the product itself. This is done to accommodate for license seat counting.

Depending upon the size of the user base and license model, it may not allow new users to log in to the platform. I doubt that the vendor considers this an issue.

The native PSM components are really good, however, if you have to apply environmental tweaks to an application launch, custom AutoIt scripts are needed. 

Options for specifying drive mappings or script execution without the need for AutoIt based scripting in the native components would be good.

Functionality to enable drive mappings to platforms and default connectors without the need to use AutoIt.

More than the product itself, there is room for improvement in the documentation. The documentation should be very detailed and very structured. It has a lot of good information, on one level, but I feel that it could be more elaborate and more structured. That would make it easier when somebody is implementing it or referencing the documentation.

Performance of PIM could be better and intended for usability as well as security. Another point is that the free trials should be in place for all components so that PoC could be made easy.

The usual workload on the system is sometimes delayed by CyberArk. So, any major work is getting delayed, and may take twice the amount of time that it usually does. For instance, if there's a password change of an account it will take time because you have to log in, then  authenticate, and this is followed by delays. It becomes cumbersome and frustrating.

CyberArk has evolved a lot in the last 16 years and has nearly all the features required for effective operation. The only area for improvement is using a native client while connecting to the target device instead of the current method of using a web portal (PVWA). CyberArk seems to be working on this area and we expect these features in coming versions.

It would be great if in the future CyberArk considers launching an installer for Unix-based OSs.

The management console has a lot of functionalities, but is a little bit complex to use.

Customer support and technical support can be better, compared with the level of products.

One limitation is that we are not able to put this into a decentralized mode.

I would like to see better usability for non-technical people. If you use the PVWA interface, I noticed that the end user would need some extra training. The portal doesn't navigate so easily, if you don't know it.

With Facebook, for example, people find their way around easily. In PVWA, it takes some time to know how it works from an end-user point of view.

The product could be easier to use. More work needs to be done on this aspect; it is not good enough yet. It also takes up a lot of server space. Sometimes we need to use up to seven servers. 

The authentication port is available in CyberArk Alero but not Fortinet products.

Some areas of improvement are:

• PSM: It should be hosted on UNIX rather than on Windows. In such cases, no extra OS license needs to purchased at the client's end.
• PVWA: The admin console should be in the Windows installer instead of a web application for admin users. It makes the work faster for admins; otherwise, it seems slow for the web interface.
• PSMP: It looks a bit complex to deploy and maintain.
• OPM: This module should be integrated with PrivateArk app.

The user interface needs to be improved. It could be done by getting the GUI to work with other programs from within internet browsers out of box.

Over the past seven years, I have seen a lot of ups and downs with the product, but now I am happy with the version that we are using now. 

We found a lot of errors during the initial setup. They should work to improve the implementation experience and to remove errors from the process.

The solution could be more stable. 

 It should have more specific configurations. There are lots of types of servers and devices. The product should have a more detailed, specific configuration and integration with other products.

The product should be improved in order to support more platforms. It will be awesome if google cloud API keys are being supported like AWS and Azure.

For users to access a system via CyberArk Privileged Session Manager, a universal connector needs to be coded in a language called AutoIT and its support for web browsers is so-so. Other products like Centrify have browser plugins that can help automate the process when using their products.

I would like to see improvement in the custom connector for integration with different devices. Currently, it needs professional services and lots of time for out-of-the-box custom connectors.

There are always improvements that can be made, but nothing really stands out. It's hard for me to say as I am not a direct user.