EP25 – Identity is the attack vector w/ Udi Mokady

David: You are listening to the Security Matters podcast. I’m David Puner, a senior editorial manager at CyberArk, the global leader in identity security.

Hello and welcome to the show. This episode widens the lens on one of the biggest shifts underway in cybersecurity, a shift that’s reshaping how organizations think about identity, access, AI, and risk. And to help put this moment in perspective, our guest today is Udi Mokady, CyberArk’s founder and executive chairman and one of the most influential voices in identity security.

He’s also a friend of the podcast, and having him back on in this moment just feels right. This conversation was recorded in January, shortly before CyberArk officially joined Palo Alto Networks last week, and it captures Udi’s thinking in the lead-up to that moment in a wide-ranging and at times personal conversation.

We talk about why the old line that identity is the new perimeter no longer fits the moment, and why identity has become the attack vector, not in theory, but in practice and as a reflection of what’s happening right now. The surge of machine identities, the emergence of AI agents acting like a new kind of workforce, and the growing need for identity to be treated as frontline security rather than management or compliance.

We also talk about CyberArk’s acquisition by Palo Alto Networks and what it signals about where identity security is heading, why scale matters, and how consolidation can accelerate innovation when it’s driven by the right goals.

Here’s my conversation with Udi Mokady.

Udi Mokady, founder and executive chairman of CyberArk. Here we are. We’re back. Thanks for coming back onto the podcast. It’s been a while.

Udi: It’s been a while, and this one is especially exciting for me, to be honest. It feels historic and momentous.

David: It does feel historic. And we’ll talk a little bit about the Palo Alto Networks acquisition or pending acquisition as we go here.

First off, where are you today? I see there’s some green grass behind you today, so you’re not in Boston.

Udi: Right, exactly. I missed the snowstorm. I’m visiting the Israel office this week. It’s nice and green. There’s been a lot of rain but no snow, so it was good.

I heard there’s flu going around, so I dodged all of that, hopefully.

David: Yep. We got the flu, we got the snow, we’ve got the subarctic temperatures, whatever that may be, and a lot more coming this weekend. So if you’re headed back anytime soon, you may want to extend your stay.

Udi: Yeah, I had very good timing. And also it was good to be here. We did this big employee event and we kind of moved it earlier in terms of date to be just ahead of the closing with Palo Alto, still as an independent company.

And it was really, really fun and emotional to be with the employees. A lot of hugging.

David: Yeah. I’ve seen a lot of the hugging pictures up on LinkedIn.

Udi: Oh, right.

David: It looks like you’ve got a lot of arms around you, a lot of smiles.

Udi: Yeah. We built a real family-spirited CyberArk. I’m very, very proud of that.

David: To open things up, when you were last on this podcast in May 2024, it was called something different at the time, but same podcast.

Udi: Same podcast, same people.

David: Exactly. Trust Issues then, Security Matters now.

Back then in May 2024, and the occasion of CyberArk’s 25th anniversary, “built to last” was a through line. As we sit here now, what does durability look like in practice?

Udi: First of all, “built to last” was really my punchline, even to the point where I’m not sitting in my Boston room. If we were in my Boston room, you’d see behind me the Built to Last book signed by the author Jim Collins, because I always refer to CyberArk as built to last.

And it was all in this promise to the customers in the world that we’re going to be there for the long run.

And indeed, we marked 26 years as a company, but 11 years as a public company. And the acquisition by Palo Alto Networks actually came from a position of strength.

CyberArk was not sold. CyberArk was acquired because we were minding our business and were approached by a partner.

And Palo Alto basically said, identity is strategic for us. We want to enter identity and we want to enter identity with the best company in the space, and that’s CyberArk.

That’s how the discussions started this past summer, and that led to the announcement on July 30. And like you said, it’s pending but should close in the next few months.

Now I’m getting back to your question.

For me, built to last is kind of living a new version because I actually have this sense where built to last is also for what CyberArk did, this identity security layer, to now secure more organizations around the world, which is the CyberArk mission.

We were all about securing enterprises so that they can focus on their business and we protect them from cyber attackers.

And CyberArk probably has about 10,000 customers. Palo Alto has north of 70,000 customers, maybe 80,000 customers.

And we can take that identity security now to the next 80,000 customers out there.

So for me, CyberArk will live on. It will be the identity platform of Palo Alto Networks, and it’s just a new way to accomplish the mission.

Probably in my mind, it still lives on.

David: When to potentially merge or think about merging, what was your initial reaction? Was it an immediate yes?

Udi: Oh no, it was not immediate yes because we were, again, wired to be built to last. The plan was that 10 years later you’d still be talking about CyberArk.

So it started with a play date at the RSA show, I think it was April of 2025. Matt, our CEO, and I met with Nikesh and his team at the RSA show to talk about partnering.

And we were talking about how do we bring more value to customers where we can get network data into our identity data, and then we can feed identity data into their network-based decisions.

And then teams were tasked with working on some very smart integrations.

When Nikesh approached me in June of that year, June 25, my feeling was, wait a minute, aren’t we partnering? I mean, that’s the plan.

And that was my response. Let’s continue the partnering.

And of course, as a public company officer, you don’t say no to even hear out the biggest company in the most successful company in the cyber world.

But if you’re asking feeling and gut, my feeling and gut after this call was yeah, we’re going to remain partners. This is probably an advanced date to answer that.

From there you kind of go into this rhythm of having deeper discussion, but it was very clear that Palo Alto strategically wanted to enter identity for the right reasons.

They see the inflection that we’re seeing. They’ve done their homework. Some of it is through these partnering conversations, but of course they really understood what CyberArk does and why it would be a great fit for them.

And then it became a negotiation of a public company executive chairman negotiating what’s best for the shareholders and the customers.

David: What’s changed the most in the identity security landscape since that 25-year milestone when we last talked in May 2024, and what hasn’t changed?

Udi: I think the word we used in the past was a proliferation of identity, and I would just say the expansion of identity as the attack surface.

People used to say identity is the new perimeter. That looks a little outdated now. It seems mild.

Identity is the attack vector.

And then just that proliferation of identities is because you had human identities where most companies were thinking of identity security.

Of course we started with privileged access management, the most sensitive identities, expanding to secrets and secrets management and machine identities, so the non-human part.

I think that’s the biggest expansion.

We saw that there are 45 times more machine identities than human identities. I think we’re also quoting bigger numbers now when you add AI.

And I think that’s the biggest thing.

I think it was in the Palo Alto letter to their shareholders that they wait for inflection points to enter a space, and they saw an inflection point in identity with AI because AI agents and AI are an identity security problem.

These AI agents need identities and access management.

So it’s this continuum of expansion from human to machines to AI.

It creates an explosion of why you need to treat identity not as a management issue, which a couple of years back people referred to as management or compliance, but as a security issue.

And hence the importance.

We’re seeing it in how seriously customers view identity as a top priority. PAM was always a high priority, but identity in general became a security top priority.

David: Back in 2024 we were talking 45 to 1 machine identities to human identities. Then in 2025 it was 82 to 1.

Udi: Yeah.

David: And we look forward to seeing the identity security landscape report this year because it’s probably going to be even bigger.

Udi: And by the way, you’re seeing it.

I just met a startup that was telling me, yeah, I’m hiring this amount of employees, but each one of them is going to manage 100 agents.

David: Wow.

Udi: And I said, okay, so you mean each employee is going to be managing.

This was for development. They said, yeah, they’re going to be managers, they’re going to be R&D managers, but they’re going to manage AI agents.

David: Wow.

Udi: And so you just think about it. These AI agents need identity. They need to manage what they can access and what they can do.

They want to please the boss and they will go to no ends.

So this is really a proliferation.

David: Staying on the evolution theme here and zigzagging back to the acquisition, without getting into mechanics or approvals, what does this moment represent for CyberArk customers, partners, employees, and culture?

Udi: Well, it’s really big.

And we had this time from the announcement on July 30. And by the way, if we want to add some color, on July 29 we had a Wall Street Journal expose who kind of leaked it and came out and we had to put us all in frantic mode because we always want to be upfront.

David: I remember that moment. I got a text from our friend saying thanks for the update.

Udi: 4:00 PM on July 29.

But who remembers exactly? She kind of rocked our motion there with her article and we ended up expediting and making sure we’re announcing the next morning.

But I would say we had the last couple of months to further both digest and plan.

And so I think the word powerhouse comes to mind.

Bringing our 4,000 employees and our data security platform into Palo Alto, which has other platforms in place, not identity, and now is able to cover basically all aspects that customers worry about with smart integrations between these solutions.

It really creates a powerhouse.

And there are going to be things because of connectivity that you can do where identity becomes network aware and the network becomes identity aware.

We can correlate data and respond in real time.

We’re really elevating the security level that we can bring to customers, especially against automated attacks, which is the new world where you don’t need the coders attacking companies out there.

So I think it’s a powerhouse company in the unification, and it’s a powerhouse combination as a platform.

David: From a culture perspective?

Udi: From a culture perspective, it’s my first time.

I’m not a serial entrepreneur. I co-founded CyberArk in 1999. We called it CyberArk. People didn’t even refer to the space as cybersecurity then.

It evolved later on.

We were ahead of the curve on many things, and so I’ve never been acquired before. This is a first for me too.

Obviously there’s the team and it’s new land for them.

We’re assuring them that as you focus on the mission of securing customers, this is going to be good for everyone.

Customers that we talk to are excited because they love CyberArk.

Many of them have Palo Alto, and they’re just waiting for us to announce what the true roadmap integrations will be, which we can’t talk about yet.

But there’s going to be a lot of goodness that we will be able to announce and talk about later in the year, probably at our CyberArk slash Palo Alto event in Austin in May.

Probably by then we’ll be able to talk a lot about the future plans together.

David: You mentioned just a moment ago how you’re not a serial entrepreneur, and in a recent interview you said you’re a long-distance entrepreneur. What does that mean and what does long-distance entrepreneurship look like for you at an inflection point like this?

Udi: Yeah. Wow. Again, this has been a 26-year journey from being the guy who helped assemble the tables in the first office, hire the first employees. I moved to Boston as we expanded to the U.S. and kind of led this entire journey. I was the CEO for 18 years. Took the company public in 2014.

So I think long-distance is that you’re creating a company that has the option to be standalone for the long term.

I think for me, and we talked about it, I think in the past, for me the moment was listing on Nasdaq in 2014. And for me, that moment crystallized much more even when we rang the bell, celebrating five years as a public company, and even more when we were talking about the 10 years as a public company.

So that’s long-distance. Long-distance is keeping everything very real, going after the globe.

Companies who don’t run the long distance are just trying to show that they’re gaining momentum or traction, but they want to be sold and they usually focus on North America alone.

We were all over with Asia and EMEA and Latin America and employees all over. And our company events looked like the United Nations gathering, and I love that.

I think that’s the long distance, when you see these friendships that were formed between our Singapore team and our German team and our U.S. team and our Mexico team and et cetera.

And that in every decision that you make, you’re not thinking a quarter ahead. You’re thinking years ahead.

When we expanded for PAM from pure human PAM to secrets management, when we expanded into identity management, when in 2024 we acquired Venafi and expanded to machine identity management, in 2025 we acquired Zilla, expanded to IGA, identity governance.

And with all of those, the thinking was platform, long term.

I think that’s already set in stone. Twenty-six years, nobody can say you run short distances.

But I loved it. I love all the aspects of a large, global company.

I love that a customer, we had a German automobile manufacturer where the customer was in Singapore doing a proof of concept, the procurement negotiations were in, I think, Atlanta, it was southeast U.S., and the final decision-makers were in Germany.

And the CyberArk team was able to encompass that, coordinate amongst themselves, serve the customer in the best way in all of these regions with partners along the way and bring it to great success.

So I love that. That’s a sign of really understanding the globe.

David: You’ve been all around the globe and it seems like your traveling hasn’t slowed down much. Do you love to travel? How do you foresee travel fitting into your world moving forward?

Udi: I think I’ve seen so many examples, and if I can impart that to people watching or listening, it’s that the adage of half the work is showing up.

I’ve seen so many examples where being there just creates so many other sprinkles of opportunity that surround it.

So going to a CyberArk customer event in Japan or attending a conference in Israel or attending a conference in Germany, U.K., or a partner conference or going to meet customers, the impact of the in-person and almost the flywheel that is created is immeasurable.

I do not believe in running a company just via Zoom. And I really don’t think you can create those long-term partnerships like we created, even with the Big Four advisory firms and of course the customers, without that in-person that happens.

Now, I guess it became a way of life in the CyberArk journey, especially because we went after the globe.

You’re invited to speak to the Monetary Authority of Singapore. You fly to Singapore because you believe that’s the way to make an impact.

So it hasn’t slowed down even in the last two years as I moved to executive chairman because the team knows that I’m willing to go and be where it makes a difference.

And so I’ve been going. I think in the future within Palo Alto, CyberArk will continue to be the identity security platform. We’ll show up and be there with customers.

It’s a bigger scale, so you probably can’t fly as much, but events could just become bigger.

But I think the relationships I forged and that we forged are just going to continue to nurture them.

David: Any favorite flight hacks or things to do when you’re on long intercontinental or international flights?

Udi: Yeah, yeah, yeah, yeah. But we’ll lose some of the viewers here, or listeners here, however you want to phrase it.

But I’ve learned that alcohol and flying and trying to hit the ground running don’t mix.

David: Okay.

Udi: I’ve turned down lucrative suggestions on flights. But this is complimentary. You don’t want it? No, no. Just sparkling water.

And I just discovered that you’re flying, you’re already jet-lagged, you’re already tired. Adding alcohol is just going to slow you down.

So that’s one of my hacks.

The other thing is kind of really ignore the watch that you came from. Just plug into the time zone you’re in. Your body screeches and screams, ignore it for a day or two and it’s going to work out.

This is how I do it. It’s probably not fully scientific, but it worked for CyberArk.

David: Great tip on the beverage cart.

Udi: On the booze.

David: Yeah, exactly. And I guess that comes down to clarity.

Udi: And they want to serve because they always look a little disappointed when you say, no, just sparkling water.

David: So then from clarity on flights to mission clarity, how do you keep mission clarity and day-to-day execution steady when so much is happening at once inside the company and across the industry?

Udi: Yeah, there’s a lot of noise.

I think in a way it was easier in the days of creating a category because when we created privileged access management, it was in a way quiet.

And you’re trying to break out with this, guys, the attackers are going after privilege. And then leverage every momentous thing you have, like Edward Snowden going on tape and saying, I was able to hack into state secrets because I had privileged access, or the Anthem breach.

David: Right.

Udi: Where the headline was, a nation-state attacker achieved privileged access to a database.

So you’re plugging in and you’re creating the noise.

I think today there’s a lot of noise in the industry, a lot of global noise and news, much more elevated than anywhere.

But in a way, we kind of press this silencing button when we focus on the mission, like you said.

You’re like, okay, we’re here. We believe the attackers are going after privilege. It has proliferated, we’ve expanded. It’s no longer just about privileged access. We have to secure all identities, human and machine and agent, and we’re going to do that and focus on that with our customers.

And you tune out some of the irrelevant noise.

You have to be very, still very growth mindset like we were. We always listen to what is relevant for us, what is not relevant.

I gave this Snowden example. Always listen to those tidbits.

So while you’re turning off some of the noise, you still have to be very attentive because there could be a telco regulation in the U.K. that’s actually very relevant to why you need to do certificate lifecycle management with more urgency or why you have to secure identities with more urgency.

Stay tuned to things coming out around you while tuning out some of the noise.

And I think at scale, CyberArk is also able to say, well, there’s a lot of noise and we want to see what’s going on in the startup ecosystem. And we have actually a corporate ventures arm that engages with startups.

So it’s a way to say, okay, we want to be aware of what startups are doing, but we have an avenue in the business development. We’ll talk to them that way. If it’s a partnership opportunity, they’ll know to elevate it. If it’s just noise, we’ll turn it away.

And of course, different means to deal with different noises.

David: The pace and stakes of identity security, you’ve mentioned this already. The ground is shifting under identity at a speed that we haven’t really seen before.

So what are the biggest forces that have moved identity from an important control to the foundation of enterprise security over the last couple of years?

Udi: It starts with the changes in how companies work.

When perimeters started to dissolve and people working from anywhere and your firewall is no longer your barricade, that was the biggest first change.

Why it became no longer a situation of only an insider can do something wrong with privileged access. It became a target of attackers and just elevated it up to the highest priority.

And of course with the adoption of cloud and SaaS, what happened is it’s no longer that IT user only that has strong privileges, but even your cloud environment comes built in with strong, built-in privileged accounts.

And you’re not even aware. You’re deploying AWS or you’re deploying Google, you’re deploying Azure, and you’re not even aware of that enhanced access, and somebody needs to manage those systems.

And of course the proliferation of machine identities where every application requires an identity.

But I think the best way for an attacker to propagate, escalate, move around, and without having to create zero days, is to go after identity.

And of course, sophisticated attackers do the combination, leverage zero days to get some foothold if they’re a nation-state and move from there.

But if they’re not a nation-state, hey, in some of the major breaches, they just called the help desk and they got that first credential to get in as a help desk.

And they called the help desk, hey, I need to reset my two-factor, and they got in and from there escalated privileges and moved from it, and using a regular person’s identity, not only privileged access.

So I think it became the attack vector. Everybody understands it.

And when you sizzle on top of that AI agents, it really jumps to the top.

David: As those AI agents become more autonomous, which part of the identity ecosystem is shifting the fastest? Is it human access, machine credentials, or the space where the two interact?

Udi: I think if I had to choose one, I would say the proliferation of the machines, but in this case I would include the agents in them. I would say that’s happening the fastest.

I gave that example of people hiring AI agents and of course our cloud environments and our application environments. It’s just the proliferation of the machine side.

But still attackers are going after the humans. So while the amount of humans is not growing as fast, it’s the one that’s easier to social engineer or find that this is the same password they use for Marriott and pick that up on some cafe Wi-Fi network and pick that up and have that as the starting point.

So identity is the starting point, and it could be a human identity or an attacker.

So I would say the fastest-growing attack surface is on the machine and agent side, but it doesn’t mean it’s the attacker’s first choice. I think it’s all of the above, and I think it’s cyber.

And David, you know this, we talked about it so, so many times, and actually in the building I’m in, one of the floors is our labs. And I know you love interviewing them.

David: Love those guys.

Udi: It’s a department I love because they are thinking, what is the attacker doing?

And every time I stop on their floor, they’re just showing me, hey, we just discovered that you can go from here to this. You could trick this from that. You can go to an ATM from here.

And it’s interesting. They’re almost like digging this, or they’re doing their research, not necessarily looking for only identity-related attack vectors, looking what can happen in this new infrastructure.

And they’re always coming back to identity. It always comes back to it.

And at this point, I can steal this credential and it’s a system account and I can move from there.

And so I think they’re just continuously keeping us abreast that this is what attackers would also do and why identity is so important.

David: Please, if you see Lavi and team today, tell them we say hello and we want to make sure they’re getting enough rest. Are they well-rested?

Udi: Yeah. I gave them a big hug the other day. It’s a great team.

David: Yeah. Lavi is one of our favorite go-to guests, and we’ve had other members of the team on the podcast as well.

Udi: Wait a minute. If he is the favorite go-to guest, I’m out of here.

David: A favorite. The favorite. There you go, right there.

Udi: Okay.

David: Okay. Number one.

You’d mentioned PAM earlier, privileged access management. What did expanding beyond PAM unlock for customers that wasn’t possible before?

Udi: Wow. I love that.

I think there was this thing where you guys, CyberArk, we trust you to secure our crown jewels. That’s how we operated for many years. Crown jewels go to CyberArk.

This is a story I love. We did not lead the witness because we had somebody from CyberArk sitting in the crowd. We were not the presenter.

But there was a major bank conference and it was a major Manhattan bank. And the CIO was onstage and the moderator was asking the CIO, I kid you not, what are the events that you want your team to wake you up for in the middle of the night?

David: Hmm.

Udi: And this is a CIO in charge of the entire IT infrastructure and applications of a bank.

David: Right.

Udi: And the person said, and I’m not even disclosing gender here, the person said, if an attacker has a hold of one of our privileged accounts.

David: Okay.

Udi: And that was the end of the answer.

You’d think they would open up a paragraph, but that was it. Wake me up if there was ever privileged access into our environment, no matter where.

I’m back to the crown jewels. So crown jewels to CyberArk, and they still do that with our privilege cloud.

And we started there. When we expanded beyond privilege to securing regular identities, to securing third-party access into an environment, it was an opportunity for customers to say, okay, we trusted you with the keys to the kingdom. Now we’re trusting you with the rest of the kingdom.

And they didn’t just fall in love in CyberArk with the technology. Technology evolves. They fell in love with the people and how they’ve been supported and customer success and all of that, and again, all the things I’m so proud of.

And so it just gave them an opportunity to expand, I would say, the entire environment with a company that they trust, knowing that we were born in security.

That’s the biggest thing. You look at the DNA, CyberArk was born as a security company going into identity, not as an identity management company going into security.

And so that’s the big trust factor. The prior name of your podcast. It was the big trust factor and to secure really the whole gamut of the environment.

And we kept on adding capabilities because we didn’t have certificate lifecycle management before we acquired Venafi, which is mission-critical for customers. Now they can do that with CyberArk.

We didn’t have IGA before we acquired Zilla Security. Now you can do identity governance with CyberArk.

So now you can do all aspects of identity with a vendor that they trust.

David: Thank you for the shout-out to Trust Issues. If there’s one through line that we’ve heard over the history of this show, it is all comes back to trust, or it all comes down to trust.

Udi: So big.

David: And then along the lines of platformization and consolidation and customer simplicity, the idea of fewer tools, more outcomes really ties into innovation and how CyberArk thinks about it structurally.

Customers want fewer platforms and less sprawl. What outcomes should they demand in return?

Udi: First of all, the amount of tools out there became just non-realistic for CISOs.

And first of all, they’ve eaten too many steak dinners, which is not healthy for you, to go back to our alcohol conversation.

So, you know, there’s a limit to how many steak dinners a CISO can take. They can’t answer the phones anymore.

They have a bigger task to work on in their environment and to secure. They’re no longer securing just their on-premises environments. They’re relying on cloud environments.

And of course, SolarWinds taught them that their third parties can also be their source of worry.

So they have a lot on their plate. And it just became unmanageable to work with so many vendors.

So the CISOs and the CIOs have been pushing for consolidation.

On the other hand, and I love that balance and I love that you framed it this way, on the other hand, the attackers are innovating and there’s continuous attack paths that are born.

So I think the beauty of CyberArk and Palo Alto coming together, and I won’t name other companies, but it’s two companies that worry about the attacker coming together.

It’s not two companies that are security companies where one cared about the attacker or one was just happy with keeping its solutions.

They’ve been continuously acquiring companies. We’ve been continuously acquiring companies. They’ve been continuously innovating organically. We’ve been continuously innovating organically.

So we both share that paranoia that you have to continuously innovate.

And I used to say, even to our team, I would show up and speak in front of our research and development, who are lovely and driven, and I would always say as we’re speaking here, attackers are sitting in air-conditioned labs and they’re running software and they’re running simulations of our customers’ environments. They’re attacking it.

And so we have to always innovate and outsmart the attacker.

So that’s the way to balance it.

I would worry about consolidation that would slow innovation and that would choke that paranoia if I were a customer.

And I would be happy about consolidation if the vendor or the partner is paranoid about continuing to innovate, about researching what attackers are doing.

By the way, Palo Alto has Unit 42, which feeds them with a lot of info on breach remediation. So they also see real hands-on what is happening on customer sites.

David: Mm-hmm.

Udi: And I think that’s the way to go.

I would say it out here. Had we stayed independent, and in any case Palo Alto would have done it, and when you’re driven for innovation, you still think, okay, this is what our labs are discovering, this is what my researchers are discovering.

We’re going to either do this organically and keep innovating or we’re going to buy.

And I think that’s going to continue because our customers’ environments will continuously change and innovation has to be ahead of that.

David: Really interesting how you mentioned CISOs and the steak dinners and maybe how they’ve had too many of them, or there’s only so many they can have, which to me indicates that you’re putting yourself into the CISO’s shoes and you have an appreciation for what that role is.

How have you seen that role evolve over the years and what’s your take on where it stands now?

Udi: It’s such an important role in a company.

And I’ve had the privilege, no pun intended, I’ve had the privilege in this role as CEO and then as executive chairman to meet and sit across from so many CISOs over the years.

And to your point, see their role expand and, if they’re meant to see their hair loss increase because the responsibility.

And thankfully the industry has also elevated the role of the CISO to be somebody who presents to the board. And boards of directors are asking them and they need to present. And the questions get smarter and smarter, which I think is important.

David: Mm-hmm.

Udi: I preached everywhere, on every stage, that boards need to be cyber literate.

Hence their role has elevated, their environment has become more complex, and thankfully their budgets have also grown.

So they have to make business decisions. And so I have that empathy of truly understanding where they’re coming from.

And I think in CyberArk that’s the type of dialogue we like to have, is really understand their challenges and how we can help them, I would say, sleep better at night.

David: Hmm.

Udi: And I gave the example of that bank on that stage, but we had this deployment where I remember that we were beginning to deploy privileged access management.

And what I love about, of course, our space is that you can see progress, like accounts under management, and you can see the arrow move to the right and more accounts under management.

But the night where I would say root accounts and the most administrative, strong accounts were put and removed from human access and put behind and into CyberArk, a CISO, I remember the CISO succinctly telling me something like, I’m still not fully asleep, but I’m going to sleep better at night.

And so, yeah, with that empathy is how we go into market, and I have a lot of appreciation for that role.

David: How do you guard the capacity to innovate when the environment is noisy and shifting?

Udi: Well, thankfully, when you’re in a growth area, which thank goodness we’ve always been, we’ve always expanded our solutions and our markets, you are able to really pump back into the company.

And I’m also grateful for our board of directors. It was always the case where they know that we are going to be heavy investors in R&D.

So I think it’s, I feel like I’m on an analyst call on Wall Street, but I’ll answer it that way.

David: Okay.

Udi: We actually run it so that we can be a high investor in research and development.

Hence, you can continuously innovate, you can free up time and cycles to not only work on the solutions of yesterday, but also on research and then launching new solutions.

And even we have a whole arm that integrates with third parties. That’s security.

If we can make it so that if you’re running a robotic process automation software, kind of the precursor to AI in terms of using automation and using privileged accounts, and we make it out of the box so they don’t have privileged access but they can run their processes, that’s, by the way, research and development, and the customer can get it and run fast.

That’s enhancing their security.

But I think the biggest answer is just having the mindset that you always have to innovate and then make that decision to always reinvest in R&D through organic growth and through acquisitions.

We just really grew to, that team also became global. It used to be in one location, and now we have multiple R&D centers and they coordinate with each other and the support follows the sun and all of the goodness.

David: So then from the precursor to AI, to AI itself, where is AI most helpful to defenders today? And where does it still create new blind spots?

Udi: I think there are things that are already working for defenders in automating things that were a manual process.

We can see that in our endpoint privilege management solution, for example, where the customer had to define, choose a policy, let the system run, and choose a policy. Today, boom, boom, it’s going to write the policy for you.

This, we studied your environment, this is the recommended way to go, and you’re just deployed faster. You’re secured faster.

Of course leveraging AI for that quick interaction to make solutions friendly and require less tasks for the customer.

And then I think the future is where it’s really autonomously going to make decisions because you’re going to have more autonomous attackers, and we’re on the cusp of that.

What we’re also on the cusp of is companies really using AI agents in production and kind of moving from little experiments to really having AI agents in their environment.

And these can really wreak new havoc that they didn’t plan on.

I think that’s becoming a now part of the identity security coverage that CyberArk is actively going after.

David: So then resilience. Resilience also shows up in the values you’ve talked about for years, the cultural through lines that make CyberArk what it is.

The world has thrown a lot at us over the last couple of years, including geopolitical tensions. What have you learned about CyberArk’s operational resilience across regions and teams?

Udi: We’ve seen it all, by the way, historically, because all the way from when we started early on, we had the dot-com, we had the 2008-2009 financial crisis, we had, of course, COVID later on, and the geopolitical thing.

What we’ve seen is the global coverage as a strength in terms of areas covering for each other in times of need.

We really saw that in recent years, whether it’s a support function, whether it’s an R&D function, even somebody in finance from one region covering for another.

And then you amplify that because you have partners. We work with hundreds of partners around the world, and that becomes your ecosystem. That’s your resilience because you can support that customer locally in Malaysia or locally in Denmark, and it just adds to your resilience and strength.

But the other aspect is just the culture, I think, because we ran a marathon here. You really have the opportunity to not do a culture that’s just on your website.

Hey, we need a culture. Hey, Chad, give me a culture. We need a culture. What are our cultural values?

But actually build a culture that was built over time.

And part of it was people that come to CyberArk are in it for the mission and are very team-like in the hiring process, are very team-oriented, and they know that it’s a customer-first organization. Anything for the customer. And that’s going to drive decision-making.

And so when you put this combo of mission-focused, friendly people, good teammates, global coverage, and management that thinks this way, it really gave us that resilience over time.

Sprinkle something else that you can’t buy. Sprinkle two things.

Sprinkle productive paranoia on it.

David: Okay.

Udi: Which means you’re always thinking that things are waiting for you around the corner and you’re never asleep at the wheel.

But then combining that with this positivity of, you know, you’re productively paranoid, but you’re optimistic.

And then when you’re going through hard times, it feels like it’s raining and then for a second the windshield seems to not be handling the rain. For that split second, but you knew you already kept a distance from the truck in front of you because you were productively paranoid ahead of it, and you stay focused.

You stay in your lane, which is the mission-oriented, and then your windshield is clear again for you to see that you’re good.

David: Yeah.

Udi: Just came to me, by the way. Never used this analogy before.

David: No, I like it. It’s really interesting.

Udi: We’ve all seen this on highways.

David: Yeah.

Udi: And it’s almost a muscle. People come and they never, when I was CEO, and Matt as our CEO, you would never see us in a state of, uh-oh, he lost it.

And I don’t think anyone in the management team, oh, they lost it.

You would see us productively paranoid, like highly focused. You would see us asking good questions, but then you would also see this sense of optimism.

Okay, we’re going to figure this out, right? Because we figured out these 17,000 other things before.

David: How do you keep your heart rate down when you’re always in a state of productive paranoia?

Udi: I don’t know. There’s this internal voice that says, okay, we’ve seen stuff before. What is this? We’re going to handle it. Let’s figure out how. Let’s get to the facts and be very focused.

By the way, it’s almost the same way we started this conversation with, how did you handle this negotiation with Palo Alto Networks?

I kind of parked emotions, put an ice bucket, said, hey emotions, you go live over there. Right now we’re a public company being approached by a very successful public company. Let’s ride through this.

So the heart rate remained kind of low and very mission-oriented.

I don’t know. It’s kind of a nature I have and we have.

David: A lot of our guests, security leader guests we’ve had on recently seem to practice some form of martial arts or another to keep themselves grounded. Do you have any kind of practice like that to keep yourself calm, to keep yourself mentally fit?

Udi: It’s funny you bring up martial arts. I used to do Tae Kwon Do.

I never, he was a real serious instructor that came from Korea to the U.S. And you talk about my global travel, he wasn’t happy that I’m missing so many classes. He took his art very seriously.

That was our point of contention because he was like, Mr. Udi, you missed a lot of classes.

And I said, well, I’m traveling.

He said, but you.

So that’s the reason I didn’t stay all the way to black belt, by the way.

It’s really healthy for a leader to get punched and punch back in a controlled environment. It’s actually very good for you because you’re not afraid of the punch as you work on it.

So I did do that for a couple of years, and it was actually very critical.

Now that you bring it up, those were very critical years in CyberArk. We were just finally getting PAM as a category.

We had a lot of companies that were copy-pasting our messaging.

So you asked me about noise earlier on. This was a period where it was quiet until you figure out a space, you created it, we created the category, and suddenly it was noisy with competitors that copied your website.

And we stayed focused on the mission and on customers and just doing the best in the market.

But I think Tae Kwon Do was good for me at that point.

Today and in recent years, I would say augmenting my nature is also keeping fit and working out, trying to make sure there’s some, we do around the company, David, and you’ve seen that a lot. You know, there’s some meetings we take walking and you got some movement in you.

I think there’s a very strong correlation between staying fit and controlling the mental state.

David: Beyond walking, is there anything particular you’re enjoying to do these days? Like are you a pickleball guy, anything like that?

Udi: Pickleball is a new thing I picked up.

David: Okay.

Udi: Yeah.

David: Wow.

Udi: If I had an instructor, that instructor would also be angry with Udi, you’ve missed a lot. But it’s not an instructor-based thing. And I also like that it’s a team thing. I like that it’s a social thing.

David: How is your net game?

Udi: Next question.

David: All right. Well, let’s go back to culture, which I know is something that you’re passionate about and you’re particularly passionate about a particular CyberArk value, which is smart, bold, but humble.

What does that look like in action, especially when CyberArk has to make big consequential decisions?

Udi: Yeah. When I heard you phrase that question, I would say almost like, hey, you have all the CyberArk values. You’re in a rush. You have to pick one of them up and put that in your suitcase.

I would pick the smart, bold, and humble. I’ll take that as the anchor one because it embodies a lot of things, even in this big decision around the acquisition.

It’s bold. It’s definitely bold.

You’re dealing with this is one of the largest deals ever in software, in cybersecurity. One of the large deals ever in software.

David: Right. Many billions.

Udi: Yeah. I think just above us is Salesforce-Slack and Cisco-Splunk and Google.

David: Wow.

Udi: And that’s it. You get to the Palo Alto-CyberArk acquisition.

So definitely bold on both sides. Definitely bold as you’re willing to contradict the built to last we talked about at the earlier setting.

But there was a lot of humility in this whole thing where let’s weigh what’s good for shareholders, customers, employees as you go through this, as you execute through this.

And I would say another bold is you’re much stronger in negotiation, everybody knows that, when you don’t have to do it.

There’s a statement that bankers say: good companies are sold, great companies are bought.

You’re great. They come to you, they want you. And that’s what happened here.

And of course, at the beginning it’s Matt and I and Erica, our CFO, who are dealing with this. But at some point it becomes everybody’s business. And a lot of teams were working on this.

And you see the smart, bold, and humble throughout, combined with what’s best for CyberArk.

The other value we always talk about in how they interact with Palo Alto and how they interact internally and how they keep focused, it’s just amazing, by the way.

That’s probably also a case study for some MBAs, is how the CyberArk team remained focused throughout this period.

I think it really comes down to those cultural values I’m so proud of.

David: So with culture and identity both evolving, let’s look forward because the next chapter of identity security is unfolding fast. What should organizations prioritize next as identities multiply and boundaries blur?

Udi: I would say organizations have to look at identity as a holistic issue and try to look at de-risking and putting all identities under control.

It’s proliferating and therefore you want to take it as a security issue and a management issue, and you want to tie in with a system that both discovers, secures, and does that for all types of identities, humans and machines and AI agents.

I would also sprinkle into it for the organizations, I’m a big fan of red teaming, understanding your environment, understanding where you want to cover the full gamut, where do you want to start first.

Again, a lot of enterprises do that and it helps them discover.

I mean, we also do discovery and scanning, so kind of understanding the environment and where to do first.

But I think strategically is view this as a vector that sounds a little scary because it’s big, but it’s a vector where you can actually measure coverage. You can actually start.

You can start with your most sensitive identities and go throughout human and machine. You can start the other way around. You can start with machine and go into human.

And then they’ll sleep better at night because it’s something that you can truly track and monitor.

David: As AI becomes a routine part of business workflows and the identity landscape for that matter, what does success look like for customers over the next few years?

Udi: In my mind, success is that the CIO, the executive management team, whether it’s an airline, an automobile manufacturer, or government agency, a bank, you name it, success is that they were able to adopt AI tooling and internal AI tooling that they want to catapult their businesses, to automate things, to really embrace this revolution.

And success with CyberArk and with Palo Alto in a few months is that we allowed them to focus on the business and not worry, or reduce their worry, on the security aspects of this adoption.

They focus on their mission and we really give them this platform that puts that under control so that they can really adopt it fast at their speed.

And I think that really goes together. Achieving that, everybody’s a hero.

The CIO got their company embracing AI and outpacing their competitor.

The CISO was able to actually allow, while guardrailing, this shift.

And behind the scenes, identity as human, machine, and AI were under control, managed, and seamless and in a platform way where one effort is actually not replicated when you’re doing the next thing, but actually fast becomes something that goes all across.

David: As the industry shifts, your role has shifted too, and it continues to shift. Let’s talk about that evolution. What have you learned about transition and stewardship that you didn’t know eight months ago?

Udi: The biggest transition I did was from CEO to executive chairman in 2023.

David: Seems like just yesterday.

Udi: And I think it’s a case study, the way Matt and I have done this, Matt Cohen and I. And he’s been just a phenomenal CEO. And I think it comes down to trust. I kid you not.

David: I think we might have to switch the podcast name back to Trust Issues.

Udi: Open communication and both of us wanting the same thing. We just wanted CyberArk to succeed and this mission.

So I think we executed on that very successfully. And if I had a lesson for others in transition, it’s actually, kind of manage, back to how you asked me how you manage a crisis, you do control your breathing as you’re managing a transition.

So obviously I had to manage the control-freak element of CEO, who does everything or is involved in everything, to a chairman or active chairman who’s focused on strategic things but not everything.

And so manage that in yourself. Manage the pace. Manage the, I would say, the mental state of the transition.

It’s all about the people you surround yourself with because it was such a success because of Matt and I.

And I think the same thing goes into the next transition as we’re transitioning into Palo Alto Networks. What I’ve been encouraging our team is to bring their best self, to bring their optimistic best self too.

I keep on talking about the happiness advantage. Bring your optimistic best self into it and your eyes on the prize, eyes on the mission, and it’s going to help you navigate this transition.

David: And of course there are a lot of unknowns in transition, so it’s always good to have that optimistic mindset. But looking at where you may be a year from now, or six months from now, how does that long-distance entrepreneurship mentality that we talked about earlier guide your choices in the next chapter?

Udi: One of the things that I’ve been doing since I’ve transitioned to executive chairman that really prepared me for that next phase, which is kind of what you’re even supposed to do at my phase in life, is to more and more enable others.

I’ve been really doing that. I’ve been engaging with startups and entrepreneurs because what I want my claim to fame to be is that you can show that you can be a CEO that took it all the way from startup to a public company and ran it as a company, that you can do that.

When you say that to a founder and they just did their logo and they’re afraid and they just raised their first round and they’re going after something, they don’t have to translate this to, oh my God, I need to prepare to go public. No, they have miles ahead.

But this growth mindset of, yeah, you don’t know what you don’t know, but you can learn. And of course it applies to all roles in the company, this growth mindset.

And so what I’ve been doing in the last couple years, or the last two years, is more and more engaging with startups as long as they’re not in our space, of course. Those in our space, I say a friendly hello, and I refer them to our partnering team to see if there is something we want to do.

But those that are not in our space, I just love giving advice and tips and tricks and even helping newly born startups, whether in security or not.

And I think if we look into the future, I want to have this role, first of all, making the CyberArk-Palo Alto acquisition a super success. That’s my legacy. I want this to be in their book, in our book, a great success.

And in the customer book, by the way, we said customer first, in the customer book, a great success. Yeah, we love them. We love CyberArk. Yeah, we’re happy now. It’s very important for them to be happy.

And then in parallel, be that person who helps the next generation of founders and companies think not about an exit and short term, but think more about the joy of long-term building that we talked about earlier.

David: So that doesn’t necessarily sound like a recipe for rest and relaxation in your foreseeable future.

Udi: No. We already bounced the question that, yes, I play pickleball, but it’s not pro.

David: Uh-huh.

Udi: When you’ve been living at 200 miles an hour for the last 26 years, it’s not a lot of slowdown. I hope my wife doesn’t listen to this podcast. Sorry to lose a subscriber here maybe.

But yeah, no, I love engaging with the industry. I think we’re such a critical industry.

And by the way, when I talk about industry, it’s not just vendors. It’s also the various resellers and partners that we’ve worked with over the years. They became also like my non-biological brothers.

They could be in Singapore, they could be in Hong Kong, they could be in the Netherlands, France, it could be the U.K. It’s all partners that we’ve been running with for many years, and I want to stay in touch with that ecosystem as well.

David: Will the guitar be getting any more use anytime soon?

Udi: Yes. Okay, yeah, what’s going on there?

I’m glad you brought that up. That should have been my card in COVID. I brought the guitar closer to me and I thought it’s going to be like, okay, COVID, everybody’s working from home.

We went back to offices very quickly. Didn’t touch it enough.

David: Let’s get that going again.

Udi: Next time I’m on, you’re going to hold me accountable.

David: And I’ll bring my tambourine. It’s not back on the shelf. I can do percussion.

We’ve talked about Mark Knopfler in the past. Do you have any album recommendations, new album recommendations? Have you been to any shows recently? What’s the last show you’ve been to? I got so many questions for you in this last 30 seconds.

Udi: Let’s see. I went, and I’m going again, to the Eagles. They’re in their final run.

David: Wow. We still got Don Henley around.

Udi: Yeah, yeah. And, you know, great. Wish them great health. So that’s a great one upcoming.

But in terms of legendary guitarists, David Gilmour and Mark Knopfler are still my go-to.

David: What’s the best show you’ve ever been to?

Udi: Probably the one that touched me because I was also young and I was kind of close to the stage. It was Dire Straits.

David: Wow.

Udi: It dates me a little bit, but everything dates me here on this podcast.

David: Not with me, that’s for sure. Was it the phase when Knopfler was wearing the headband?

Udi: Yeah, yeah, yeah.

David: It was fantastic.

Udi: It was headband. It was just magical.

David: This has been fantastic. Thank you so much for your time.

One last question to wrap things up for now, because this is definitely a TBD, to be continued, so I guess that’s a TBC when you’re back next time on the podcast, of course. What do you hope we’ll be discussing?

Udi: Okay. Wow. Wow. This is therapy. You didn’t tell me. It’s a therapy podcast.

David: Oh yes, it is.

Udi: I love it. I love it. This is a healthy drill for me.

Okay. I’m hoping that we will reflect and talk about the transition and acquisition by Palo Alto as a great success, like the things that we talked about, but like in the books, a great success. That’s one.

And I’m hoping that we will be talking about the industry actually shifting a little bit where the industry took this advantage, the AI, to its advantage because we always talk about AI serving both sides, the defender and the attacker.

I’m hoping that we will be able to reflect, hey, we hit this point. Actually, AI is being used by the defenders deeply, whether it’s CyberArk, Palo Alto, or others, finally getting an advantage.

Because AI does give us a potential opportunity where maybe for once the defender will get an advantage, which we didn’t have up until now, where the attacker only had to be right once.

And so I’m hoping we’ll reflect on something shifting stronger to the defender.

With regards to me, improvement in pickleball, improvement in, because of our continuous improvement, improvement in guitar. I’m glad you brought that up and that I executed on this thing of engaging and helping the young startups make it and have bigger dreams and realizing bigger dreams and employing more people, creating more jobs.

I love that.

And of course securing more customers. And it doesn’t have to be just, of course, in cybersecurity.

David: All right, Udi. Thank you so much. Really appreciate it. This has been great.

Udi: Thank you. Real pleasure.

David: All right. There you have it. Thanks for listening to Security Matters.

If you like this episode, please follow us wherever you do your podcast thing so you can catch new episodes as they drop.

And if you feel so inclined, please leave us a review. We’d appreciate it very much, and so will the algorithmic winds.

What else? Drop us a line with questions, comments, and if you’re a cybersecurity professional and you have an idea for an episode, drop us a line.

Our email address is [email protected]

We hope to see you next time.