CyberArk Endpoint Privilege Manager Reviews

The primary use case for CyberArk Endpoint Privilege Manager (EPM) is to control applications on work sessions, particularly in environments where users are not supposed to have open rights. It can be utilized to remove local admin rights from work sessions and protect the local admin group from unauthorized modifications. By deploying policies on these work sessions, organizations can restrict users' privileges and prevent them from adding users to the local admin group, reducing administrative privilege risks on endpoints.

Furthermore, it enables the deployment of policies that allow users to elevate application permissions without granting additional user rights. These application policies benefit specific applications without affecting users' overall rights. For instance, developers may require elevated permissions for certain software applications without needing broader administrative rights. However, EPM does not directly improve an organization's response to endpoint threats. Instead, it depends on other policies, such as those designed to prevent ransomware attacks. These policies focus on different aspects of endpoint security, while application policies specifically address the elevation of application permissions for user tasks, such as development activities.

CyberArk Endpoint Privilege Manager (EPM) 's most valuable feature is its ability to manage user application privileges and protect against ransomware attacks by controlling access to specific files and applications. Additionally, EPM effectively oversees the local admin group, preventing unauthorized users from adding themselves to it and ensuring tighter security. Moreover, the capability to remove users from the local admin group and rotate passwords for built-in admin groups enhances security measures significantly.

The product's threat protection and defense capabilities need enhancement. While there have been significant improvements in recent months, there's still a need for better identification and handling of real threats versus false alarms. It would be beneficial if the product could accurately detect and respond to genuine threats without generating false positives. This would allow organizations to rely more confidently on the product as a complete tool for application control and endpoint protection.

We have been using CyberArk Endpoint Privilege Manager for four years.

The technical support services are good. Despite occasional delays, the team has consistently provided effective assistance and support.

Positive

The initial setup of CyberArk APM was relatively straightforward, and the platform offers flexibility in deployment methods. Depending on the organization's preference, deployment could be done through various means, including deployment tools or the APM console. The platform provides administrators options for choosing the most suitable approach for their environment, contributing to ease of deployment.

However, there are areas for improvement. One aspect that could be enhanced is moving endpoints between sets within the EPM console. While the capability exists, there can be delays in endpoint movement, which could be addressed to streamline the process and improve efficiency.

Additionally, I recall considering adjustments in the advanced settings of the APM console. Specifically, there's a feature for creating custom advanced settings and targeting specific computers or endpoints. However, it's currently limited to targeting only one computer at a time, which can be cumbersome when dealing with multiple endpoints. The process could be easier.

EPM is not specifically designed for threat protection. While it does a decent job in this area, it generates many false positives. As a result, the primary function of EPM in terms of threat detection is to send events to the security team for further investigation.

As a consultant working with organizations, I've deployed application control features like those offered by CyberArk Endpoint Privilege Manager (EPM) across various environments. Without such controls, organizations would face increased vulnerability to attacks, as granting local admin rights exposes systems to potential security breaches.

I rate it an eight. However, there are areas where improvements could be made. For example, addressing the issue of false positives in events, especially concerning ransomware events, would enhance the platform's usability. Additionally, it requires EPM and PAM solutions to reset passwords for local accounts on workstations. Other products allow this with just the EPM component, whereas CyberArk requires integrating two separate products.

Previously, the enterprise EPM was on-premises. Now, it has gone to the SaaS model. So, we have used CyberArk professional services, wherein CyberArk deployed all the agents into our different Unix machines. This deployment is currently underway. The policy changes and the reconfigurations part are pending. In the coming quarter, or by the end of it,  the overall EPM deployment will be completed with this customer.

The kind of services they provide in the vaulting of both the password as well as the SSH keys in their Password Vault is great. The alert mechanism that they have is also provided by their different tools, called PTA, Privileged Threat Analytics. It's a key feature of CyberArk that they have provided.

Now they have also ventured into identity services, where they are also moving ahead from their legacy privileged access management to identity and access management. Therefore, apart from the core component, like the vault, you get privileged access management using the PSM and the password rotation through the CPMs.

There are other core features that they are working at. For example, they have introduced a new feature with a new core overall functionality using the DAP. DAP is a combination of AIM as well as Conjur. And then, you have got an HTML5 gateway with the flexibility to onboard some external partners for a limited period of time, depending upon their usage and availability. When they no longer need it, those aspects can be automatically removed, depending on the policies and approvals. 

The solution is scalable. 

It's stable and reliable. 

A major factor for improvement would be the PAS, although they are improving on that part. Basically, the ease of installation and the configurations could be improved upon and are being adjusted. First of all, with a Windows machine, we have to follow very strict procedures for the installation of different components, specifically for Vault. And then you must just keep in mind all the policies that need to be there. In case there is any kind of limitation with respect to any kind of GPO policy being applied, then you have got different issues that you have to deal with it. You have to be very careful and intelligent. Otherwise, the whole platform might come down. They need to add more automation when it comes to onboarding and configurations so that the process is more practical. 

The installation process is pretty difficult. 

It's an expensive product. 

I'm well versed in the solution. I've used it for four years or so. 

The solution is stable. I'd rate it eight out of ten in terms of reliability. It doesn't crash or freeze and there are no bugs or glitches. 

I'd rate the scalability from eight to nine out of ten. It can expand easily. 

In our company, we have around 500 resources trained on the solution. It's deployed with various customers. 

We usually have support along with the licenses that we purchase. That way, whenever there is any kind of an issue that our technical team is not able to resolve the problem, we raise a ticket, and we have a call with the relevant support.

Neutral

It's a bit difficult to install the solution. I'd rate it three out of ten in terms of ease of installation. I'd rate it just below really difficult. Prior to version 11, it was very difficult. The process has gotten better.

After the 9.6 version, they introduced their own CyberArk Cluster Manager, which eased out the cluster deployment, where we have to install the Microsoft Server Cluster. That was a difficult scenario beforehand, apart from the standalone one. So it has gotten easier.

How long the deployment takes depends on the environment you are working in. If you're doing a bare, fresh installation, which has the installation of the basic core component, it should not take more than two to a maximum of four hours.

We have trained resources in-house and were able to deploy everything on our own without outside assistance. 

While the solution is excellent and highly rated on both Forrester and Gartner, it comes at a cost. 

I can't speak to the cost of the exact license. However, the professional services for one eight-hour day would be $1,800.

I'm on the Partner Portal. I'm Defender-certified and using CyberArk's various services for the installation as well as the managed services. I work with a system integrator. 

I have not used the C3M Cloud Control, Enterprise Password Vault yet.

We have deployed to multiple customers.

With CyberArk, there are different certifications, including, Trustee, Defender, Sentry, CCD, and Guardian. Right now, we have around two hundred who are Guardian-certified and around 150 resources who are CCD-certified, CyberArk Certified Delivery Managers. The rest are the operational resources who are certified on Defender.

For those considering the solution, I'd advise them first to consider what their use case will be. However, CyberArk is a great deployment option and the first I'd recommend, depending on the budget.

Holistically, if you have a big enterprise, such as a financial enterprise or healthcare system, where you have got a vast amount of host machines with a combination of Windows, Unix, and your firewall, CyberArk would be the best-suited product that you should deploy in your enterprise to secure your endpoints.

I'd rate the solution nine out of ten. The core testing they perform is great. They also regularly release patches to help enhance security. The ease of communication with the customer is great, and the alerts and notifications they have on offer are very helpful.

I use the solution in my company since its PAM features are used for privileged accounts.

The most valuable feature of the solution is its performance. I would describe it as a seamless solution.

The price of the product is an area of concern where improvements are required. The product's price should be made more flexible.

The tool's UI could be better and more user-friendly.

I have been using CyberArk Endpoint Privilege Manager for a year. My company has a partnership with CyberArk.

Stability-wise, I rate the solution an eight out of ten.

Scalability is fine since many people can use it even with a minimum number of licenses.

Around five people in my company use the tool.

My company has not contacted the product's technical support since our internal team took care of the deployment process.

The product's initial setup phase is fine. The on-premises architecture is a bit tough.

The product's deployment phase focuses on consolidating everything in a single platform.

Around two people are required to deploy and maintain the product.

The value or the benefits derived from the use of the product revolve around the fact that it is a reliable tool. Though it may come across as a complex product, its customers can rely on its efficiency.

The product's license is easy to procure.

I am aware of CyberArk's PAM part and CyberArk Identity.

I find the solution to be more effective since it is better than its competitors. The brand value offered by the product is very good.

There are no application control capabilities offered by the tool, but I know that enforcing privilege access control is pretty fast.

The product is reliable and stable. The solution's brand value is good. The solution is better than the products offered by its competitors.

My company is aware of the fact that CyberArk offers integration with other security tools in the market, but we have not dealt with such a complex implementation yet.

I rate the tool an eight out of ten.

I work with CyberArk Endpoint Privilege Manager for my partners. It is mainly for compliance, managing credentials securely, and monitoring what's going on with those credentials. Also, there's this thing about limiting privileges for certain users in production environments. But it seems like it's not just for big setups, it's also used across all kinds of workplaces.

The feature called PTA, which stands for Privileged Threat Analytics keeps track of what admins are doing and works with Centimeters. If something fishy is going on with a user's credentials, it alerts the security team so they can act fast. Plus, it automates stuff like resetting credentials or blocking users. So, if there's a potential hack, CyberArk can change passwords and lock out users in a snap. It also gives you a heads-up if anything unusual is going on with server activities, like someone creating new users with uncontrolled credentials. 

CyberArk meets clients' need very spot-on. It covers everything customers ask for.

As for improvements, honestly, the feedback's been really positive. I haven't heard any specific areas that need work.

It's designed to be highly available and resilient, so you can always access your targets no matter what.

As for scalability, it's totally on point. With the SaaS option, it's fully scalable. And if you're running components on-premise, you can easily add more to boost performance as your user base grows. They're usually virtual, so it's a breeze to scale up by adding more virtual machines.

I don’t deal directly with customer support, but I've heard good things from my colleagues who do. They usually handle it through certified partners, and the feedback is pretty positive.

Positive

There are two choices, one is the software service option, which is super easy to install and get running. The other is a self-hosted route, which has a more structured setup for better security and performance, though it's a bit more complex.As for deployment time, it varies depending on the project, but on average, you can get it up and running in just a day.

Maintenance is not a headache. We usually offer manager services to keep everything updated and running smoothly. It's a simple process that keeps things effective.

It's not at the lower end of the market. I think the price is reasonable considering the quality it delivers. It is a top-notch solution at a fair price point.

Once you start integrating this solution with your existing technologies and implementing new processes for accessing targets by administrators, you can see significant progress within two to three months, covering around eighty to ninety percent of your technology integration. With strong engagement, you can expect a substantial return on investment in that timeframe.As for rating the solution, I would give a solid ten.

I'm using it in my company. It helps us manage our endpoints and keep things secure.

The solution is doing what we expect it to do. 

It integrates well with our CI/CD pipeline and Amazon Cloud, which is useful.

We can do both server and endpoint protection. 

It's a stable product. 

The interface has been fine.

It is scalable. 

Technical support is helpful and responsive.

We've sent requests to CyberArk for improvement. We've had issues around migration surrounding legacy to cloud ADs. The implementation process wasn't as straightforward as we had hoped. 

They need much better integration with Azure AD. 

It is expensive; however, it does offer good value compared to the competition. 

I've been using the solution since 2020. 

It is stable. There are no bugs or glitches. I've found the solution to be reliable. It doesn't crash or freeze. 

It's scalable. We can extend the product very easily.

It's great for enterprises.

Technical support is very good. They are helpful. We have no complaints about the level of support we receive.  

We did not use any other solution. 

The initial setup was difficult. We had trouble with legacy migrations and Azure AD. 

The deployment took two years across two phases.

They are not the cheapest. However, what they provide, compared to competitors, it is reasonable. 

We evaluated a different option previously and decided not to go ahead. We went with this solution instead. 

Just make sure all applications and services that need to be migrated can move over. A lot of planning is required.

I'd rate the solution eight out of ten. 

My primary use case for CyberArk Endpoint Privilege Manager is malware prevention. The solution enables malware detonation, which helps you solve ransomware problems. For example, suppose an unknown application comes into your environment, and you have installed a CyberArk Endpoint Privilege Manager agent. In that case, the solution will filter the unknown traffic from an unknown publisher and stop it from infiltrating. The solution dashboard also lets you know that specific software is suspicious. Still, it depends on the category, but malware prevention is one use case of CyberArk Endpoint Privilege Manager.

Classifying a trusted or whitelisted application is also a use case of the solution.

Another use case of CyberArk Endpoint Privilege Manager is stopping credential theft. For example, you have credential stores all around, whether you know it or not. You have credential stores in web browsers like Chrome and Microsoft Edge. The solution protects you against an attacker that has already gained access to your environment, an internal person that leverages your system and wants to go to your web browser, or probably there's a browser path attack where the person has access to your browser. He can check your credential store, but if CyberArk Endpoint Privilege Manager is in place, that situation will be prevented.

Just-In-Time Access is another use case of the solution. For example, there's no administrator privilege on the system, but let's say a database administrator or application administrator wants to use the credential. You can provide that person with Just-In-Time Access so he can use the credential for thirty minutes, then that credential expires once the time is up.

CyberArk Endpoint Privilege Manager also separates the privileges. For example, a team of application managers receives access to specific software that the network team can't access.

CyberArk Endpoint Privilege Manager is very easy to manage, which I like.

I also found credential detection the most valuable feature of the solution. For example, if I put a credential on my desktop and name the file administrator credential, and a person has access to my system and clicks the file under the history section of the system to steal the credential, CyberArk Endpoint Privilege Manager will flag that activity.

The solution also has a dashboard where you can see which software is suspicious, which I find valuable.

Other valuable features of CyberArk Endpoint Privilege Manager include application whitelisting and Just-In-Time Access.

CyberArk Endpoint Privilege Manager is a perfect solution, but CyberArk Endpoint Privilege Manager for Linux has many issues. One issue I observed while using it is that it needs to synchronize from an agent to a cloud because the agent does not update configurations or settings from the cloud. When I change some settings on the cloud, the changes don't synchronize into the system, and the policies won't come back unless I reinstall all the services. This is an area for improvement in CyberArk Endpoint Privilege Manager.

Another area for improvement in CyberArk Endpoint Privilege Manager, specifically for Windows, is that there's no way for you to check credential theft from a text file, such as a notepad file. Suppose I have a text file that contains passwords, for instance. In that case, I'm doing an application configuration that needs a password. CyberArk Endpoint Privilege Manager won't be able to help you locate that file, which means there's still an opportunity for an attacker to look into that text file and steal the passwords.

You can leverage the CyberArk Application Access Manager with CyberArk Endpoint Privilege Manager, but that aspect also needs improvement.

An additional feature I want to see in CyberArk Endpoint Privilege Manager is XDR, where you can trace how an attack can happen on an endpoint, how traffic was initiated, or if a person tried to access your computer and whether he was denied or allowed. CyberArk Endpoint Privilege Manager should be able to track such activities. The solution should allow you to see a specific event ID and use it to correlate whatever activity the malicious person was trying to do.

I've been familiar with CyberArk Endpoint Privilege Manager for nearly two years, but I haven't been steadily working on it. For example, I've not worked with the solution for three months, then I'll work on it for two months, then I'll stop working with it again, but I'm very familiar with CyberArk Endpoint Privilege Manager.

I last worked with CyberArk Endpoint Privilege Manager three months ago.

CyberArk Endpoint Privilege Manager is stable, particularly for the Windows version, not the Linux version. The solution is an eight out of ten for me, stability-wise.

I've contacted CyberArk Endpoint Privilege Manager technical support, and I'd rate support as seven out of ten.

Response time is three out of five.

Regarding how knowledgeable the level one support of CyberArk Endpoint Privilege Manager is, it always seems like the support person doesn't know what he's doing. I've already done what he was asking me to do. I'm not a CyberArk Endpoint Privilege Manager novice, so support is frustrating and a waste of time. Though the issue will be resolved eventually, CyberArk Endpoint Privilege Manager has already wasted my time, and that's uncool.

Neutral

CyberArk Endpoint Privilege Manager is the best solution. However, One Identity Safeguard is trying as a solution, and it has special features which make it almost equal to CyberArk Endpoint Privilege Manager. Still, CyberArk Endpoint Privilege Manager is the best.

CyberArk has been in the market for a long time and keeps improving. CyberArk Endpoint Privilege Manager has a hundred percent effectiveness against ransomware, which you can't get anywhere. The CyberArk team researched and knows the angle, the flaws, and the central point of attack. An attacker usually infiltrates or compromises your system by elevating the credentials or permissions and then leveraging that elevation to compromise the system. CyberArk Endpoint Privilege Manager removes User Access Control on the endpoint, so it takes away the attacker's means to elevate permissions, so CyberArk Endpoint Privilege Manager is simply the best.

Setting up CyberArk Endpoint Privilege Manager was pretty straightforward.

CyberArk Endpoint Privilege Manager has a very high price, so it's a one out of ten for me in terms of pricing.

I've used CyberArk Privileged Access Manager and One Identity Safeguard. I also have experience with CyberArk Endpoint Privilege Manager, One Identity Safeguard for Privileged Passwords, and One Identity Safeguard for Privileged Sessions.

CyberArk Endpoint Privilege Manager is cloud-based, but its agent is on-premises. The on-premise version is no longer supported, but it will still be supported if you're an old customer with an on-premise version. However, by 2024, CyberArk will no longer support the on-premises version of CyberArk Endpoint Privilege Manager.

Right now, there's no CyberArk Endpoint Privilege Manager within my company. I created quotes for customers to try the solution, but it's expensive. I just gathered my colleagues to simulate my use cases, and that's it.

What I'd tell others about CyberArk Endpoint Privilege Manager is that if you have the budget, you definitely should get it. The solution is excellent, and it's as if you're insured because CyberArk Endpoint Privilege Manager provides security. This is the advice I'd give anyone trying to implement CyberArk Endpoint Privilege Manager.

I'm rating the solution as seven out of ten because there's room for improvement in the Linux version, and the pricing needs to be more flexible.

My company is a CyberArk partner.

CyberArk Endpoint Privilege Manager can be deployed across all platforms, such as AWS, GCP, and Ali Baba. 

The solution is used for management, multi-site failover, satellite vaulting, distributed architecture, custom CPM, PSM deployment, custom CCP, and CCP deployment.

The most valuable features of CyberArk Endpoint Privilege Manager are password management, session management, onboarding rules, platform customization, and safety management.

CyberArk Endpoint Privilege Manager was presently revised, which included a new interface, rebranding, improve documentation, and an excellent user panel that supports multiple integrations.

The price of the solution should improve.

I have been using CyberArk Endpoint Privilege Manager for approximately three years.

The stability of CyberArk Endpoint Privilege Manager is excellent. It has an uptime of 99.99 percent.

My clients have scaled CyberArk Endpoint Privilege Manager. They have a distributed architecture and satellite vaulting, which allows scalability to be flexible.

I rate the scalability of CyberArk Endpoint Privilege Manager five out of five.

We have approximately 30 people using the solution.

The support from CyberArk Endpoint Privilege Manager is excellent. We have good support in our SLAs, it is for five days.

I work with the competitor of CyberArk Endpoint Privilege Manager, Beyond Trust. If I was to change something it wouldn't be CyberArk Endpoint Privilege Manager, it would just be Beyond Trust. There's a reason why there are features in CyberArk Endpoint Privilege Manager, it works in CyberArk Endpoint Privilege Manager. The same goes with Beyond Trust, there are features that only work in Beyond Trust and wouldn't work in CyberArk Endpoint Privilege Manager. For example, the introduction of smart rules, wouldn't make sense because CyberArk Endpoint Privilege Manager,  doesn't work with smart rules.

I rate the initial setup of CyberArk Endpoint Privilege Manager as straightforward. However, I use the solution every day. The process of implementation took approximately one day.

The implementation strategy was reviewing architecture, deploying architecture, installing components, deploying components, configuring components, onboarding accounts, managing accounts, configuring platforms, managing platforms, configuring safes, and onboarding safes. 

We had a company-wide deployment of this solution.

We did the implementation of the solution in-house, but the SaaS-based part of the solution is done by the vendor. We had approximately five people who did the implementation.

The price of CyberArk Endpoint Privilege Manager is expensive. The solution is priced based on the number of accounts onboarded and the number of concurrent sessions. Everyone else is included in the price, such as support.

I rate the price of CyberArk Endpoint Privilege Manager a one out of five.

I rate CyberArk Endpoint Privilege Manager an eight out of ten.

I have been working with the product for five years. 

The tool is an endpoint management system. It monitors everything a standard user does and helps elevate privileges when necessary for advanced users. It keeps an auditable trail of all activities. Practically, it stops and blocks potentially hazardous user behavior, whether intentional or unintentional. Certain companies must use endpoint management software because of national or international rules or ISO norms.

The product is expensive.

One of the product's strengths is the large international user community. Often, you don't need to speak directly to the vendor because you can find solutions on the community site, where there are discussions or officially closed cases with solutions provided by the vendor. You can usually solve most issues on your own this way. However, if you can't find a solution, you can open a case through their ticketing system. If the issue is relevant, tech support will connect with you to solve it, especially if you are the first to encounter a specific bug. Once resolved, they anonymize the case and make it available to others so that the same question doesn't have to be answered repeatedly.

I'm quite happy with the support. The documentation and guides are generally okay, although you might find some minor mistakes. Still, you can accomplish a lot on your own. Compared to smaller competitors, they have a quite extensive e-learning platform with self-paced courses, which is very helpful. They also offer paid live courses and labs. 

There have been some issues, like delayed responses or the time it takes for your case to be considered important enough for direct tech support. Additionally, to speak with high-level tech experts, you often need specific certifications, which can be frustrating for those with extensive hands-on experience but without the required certifications. This might mean they get support later than someone like me, who has taken the exams and can access support more quickly.

Positive

Regarding return on investment, it's hard to put a number on it since it's in security. You might be able to calculate if a company has been successfully attacked a couple of times, then installs EPM and stops being attacked. But you don't know if there would have been attacks without it. It's hard to estimate, and I'm not calculating these things.

The tool is a bit pricey compared to its competitors. My company does work with competitors, but I don't have hands-on experience with other software. I've just done some comparisons.

Overall, I'm very satisfied with the product. It's almost perfect. It's a heavy solution but has all the functionalities you need practically or administratively. It might be a bit more expensive than its competitors, but function-wise, it's the best you can get from what we've seen.

It is the best option on the market, especially for companies already using other CyberArk products. You can have identity, privileged access, and endpoint management from one vendor, which can be more cost-effective and allow the products to communicate.

CyberArk Endpoint Privilege Manager integrates well with third-party solutions. Its marketplace offers plugins, connectors, and documentation for connecting to various third-party solutions, operating systems, servers, platforms, and network devices.

CyberArk is quite popular in our region. One competitor, BeyondTrust, is similar in size and functionality. But in this region, and I'd say mainly in all of Europe, CyberArk beats BeyondTrust. There's no technical reason for this; BeyondTrust has no history here. CyberArk is quite dominant in this area.

I rate the overall solution an eight out of ten. Technically and functionally, it has everything, but it's very heavy on hardware and virtual machines. I think it could be lighter on deployment and hardware requirements.

I'm satisfied with the security part and detection capabilities. The functionality is great, although it can be heavy to deploy.