Techclick Infosec · ai.techclick.in · CyberArk PAM Mastery, lesson 10 / 10 (Cloud & Delivery · Privilege Cloud, ISP & Go-Live · Interactive Capstone)

CyberArk Privilege Cloud, Identity Security Platform & Going Live — The Capstone

This is blog 10 of 10. You know the Vault, CPM, PSM and PTA. Now the last mile: should you run PAM yourself or let CyberArk host it as Privilege Cloud? How do you onboard 5,000 endpoints without breaking production at 2am? And — the capstone — when a real breach runs phish → local admin → credential dump → lateral move → golden ticket → domain dominance, which exact CyberArk control breaks each stage? Pick a path, watch the kill chain replay live, and finish the series in 14 minutes.

📅 2026-05-31 · ⏱ 14 min · 5 SVG infographics + 1 animated kill-chain trace · 🏷 10-Q Bloom-tiered assessment + AI Tutor

⚡ Quick Answer

CyberArk Privilege Cloud, the Identity Security Platform, and the go-live playbook — Connector, SRS vs CPM, break-glass, HA/DR, the Defender→Sentry→Guardian cert ladder, and a capstone that maps a real breach kill chain to the exact CyberArk control that stops each stage.

Pick your path — jump straight to it

1. Cloud vs Self-Hosted: who runs the Vault, who runs the Connector; the responsibility split.
2. Identity Security Platform: Shared Services, SSO/MFA, SRS, the unified admin plane.
3. Go-Live Playbook: discover, onboard, break-glass, HA/DR, and the pitfalls that bite.
4. The Capstone: replay a breach and see which CyberArk control stops each kill-chain stage.

The interview question that trips up 70% of candidates

Final-round interview: "In CyberArk Privilege Cloud, what does CyberArk run and what do you run?"
Wrong answers: "CyberArk runs everything", "You install the Vault on AWS yourself". Right answer: CyberArk hosts the Digital Vault, the PVWA web portal, the backend, the encryption keys, the upgrades and the HA/DR on AWS across three availability zones. You run the on-premises Connector: a server bundle holding CPM and PSM that reaches your target systems and talks outbound to CyberArk over TCP 443 (plus the Secure Tunnel, normally co-installed on a Connector host, if the tenant must reach your on-prem LDAP, SIEM or RADIUS). Knowing that exact line lets you scope a migration, design firewall rules, and explain a 99.95% SLA to a nervous CISO who thinks SaaS means "we lost control".

💡 The piped city gas analogy

Self-hosted PAM is the LPG cylinder in your kitchen. You own it, you check the pressure, you call the dealer when it runs out, and if the regulator leaks at 2am, that is your problem. Privilege Cloud is piped city gas. The supply company (CyberArk) owns the plant, the pipeline and the pressure. You manage only the burner and the pipe inside your home — the Connector running CPM and PSM. No more midnight Vault patching. But you also cannot install a custom valve the company has not certified, and if the pipeline goes down, you depend on them to bring it back. That trade — less daily hassle for less raw control — is the whole story of this blog.

4 things you'll be tested on before we begin

🔌 Connector
The only on-prem box in Privilege Cloud. Holds CPM (rotation) + PSM (session proxy) and talks outbound to CyberArk over TCP 443. The Secure Tunnel is a separate on-prem component, usually co-installed on a Connector host, that carries the cloud-to-on-prem integrations (LDAP, SIEM, RADIUS). So what: firewall rules and uptime here are entirely yours.

🔁 SRS vs CPM
Legacy CPM is active-passive, XML-configured, single-server. SRS (Secrets Rotation Service) is active-active, UI-driven, SaaS-hosted, auto-scaled. So what: SRS removes the single-CPM split-brain risk and centralizes logging.

🧯 Break-glass
Emergency admin account on a "No Change" platform, with an offline sealed copy under dual custody. Used only when the Vault is unreachable. So what: a rotated break-glass account is the #1 cause of being locked out during an outage.

🛡️ Cert ladder
Defender (PAM-DEF) = daily ops. Sentry (PAM-SEN) = install + advanced config. Guardian = strategic architecture. CDE = partner-only delivery track. So what: each maps to an interview round: screening, technical, architecture.

① Privilege Cloud vs Self-Hosted — the responsibility split

In self-hosted PAM you own everything: the Vault servers, the SAN, the cluster, the patching, the DR replication. In Privilege Cloud, CyberArk hosts the Vault, the PVWA portal (at <org>.privilegecloud.cyberark.cloud), the backend on AWS across 3 AZs, the per-customer encryption keys, the upgrades and the HA/DR. You keep only the Connector — and your target-side firewall rules, your network, and your break-glass offline copies.

Scenario · NeoFinance Bank, Bengaluru — 5,000 endpoints

Priya Sharma is CISO at NeoFinance Bank. They run CyberArk PAM Self-Hosted v12.1 on ageing DC1 hardware. Two engineers babysit a Vault cluster for 1,200 accounts — and burn 40% of their week on patching, Windows updates and HA maintenance. Twelve months brought three Vault incidents: a split-brain cluster event, a failed upgrade rollback, and a CPM sync break after a Windows patch.

The fix Priya signs off: migrate to Privilege Cloud, hand the Vault-ops burden to CyberArk, and keep her two engineers on onboarding and policy — not on SAN babysitting. RBI's 5-year audit-retention mandate is met by Privilege Cloud's built-in syslog-to-SIEM integration.

[Figure 1: two-column infographic, "Who runs what — Self-Hosted vs Privilege Cloud". Self-Hosted PAM (you own the whole stack): Digital Vault servers + HA cluster + quorum disk; PVWA portal + SAN (SCSI-3) + DR replication; CPM (active-passive) + PSM session proxy; OS patching + quarterly Vault upgrades; encryption keys + backup + uptime SLA (yours); air-gappable, full control, high ops load. Privilege Cloud (SaaS; CyberArk runs the core, you run one box): CyberArk runs the Digital Vault on AWS (3 AZs), PVWA + backend + keys (KMS), upgrades + patches + HA/DR (99.95%); you run the Connector (CPM + PSM) on-prem and the target firewall rules + break-glass copy; outbound TCP 443 only, low ops load, needs internet.]
Figure 1 — Self-Hosted vs Privilege Cloud responsibility split. Self-hosted = you own the whole stack and can air-gap it. Privilege Cloud = CyberArk owns the Vault and HA/DR; you own only the Connector and your target-side rules.
Pro tip — what you gain, what you give up

Gain: no Vault hardware, no SAN, no cluster nights, a CyberArk-managed 99.95% SLA, auto-upgrades, and SRS active-active rotation. Give up: the ability to air-gap the Vault (the Connector needs outbound internet), some custom-platform behaviours that differ on SaaS, and a hard dependency on CyberArk cloud uptime for any credential retrieval. For a two-engineer bank team, the trade is almost always worth it.

Pause & Predict: NeoFinance's security architect insists "we must be able to retrieve a credential even if our internet is down". Does Privilege Cloud satisfy that?

No — and that is exactly why break-glass exists. Privilege Cloud needs outbound TCP 443 for the Connector to reach the SaaS Vault. If the internet drops, normal retrieval stops. The designed answer is a "No Change" break-glass account with a sealed offline copy under dual custody. That is not a workaround — it is a mandatory part of every Privilege Cloud go-live.

Pause & Predict In Privilege Cloud, a CISO asks you to draw a single box around "everything CyberArk runs" and another box around "everything we run". What goes in each box?

CyberArk's box: the Digital Vault, the PVWA portal, the backend, the per-customer encryption keys, the upgrades and HA/DR, all on AWS across three availability zones. Your box: the on-prem Connectors (CPM + PSM), the Secure Tunnel if you integrate LDAP/SIEM/RADIUS, plus your target-side firewall rules, your network, and your sealed break-glass copies. The only wire between the two boxes is one outbound channel: TCP 443.

② The Identity Security Platform — one admin plane

Privilege Cloud does not live alone. It sits inside the Identity Security Platform Shared Services (ISPSS) — a single SaaS layer that gives you unified Identity Administration, SSO/MFA via CyberArk Identity, centralized Audit, Identity Security Intelligence (UBA feed to your SIEM), and Secure Cloud Access. One admin console fronts Privilege Cloud, EPM, Conjur/Secrets Manager and CyberArk Identity together — so you stop logging into five disconnected portals.

Scenario · PharmaCorp India, Hyderabad — 15,000 endpoints

Arjun Mehta is a senior PAM engineer deploying CyberArk for PharmaCorp (FDA 21 CFR Part 11 + CDSCO regulated). Before ISPSS, his admins juggled separate consoles for vaulting, endpoint privilege and secrets. Now one Shared Services tenant gives a single sign-on, one MFA policy and one audit feed across all of it.

The lesson he teaches juniors: the Platform is not a marketing wrapper. The shared identity directory and unified audit are what let a regulator trace one user across Vault retrieval, endpoint elevation and secret access in a single timeline. That single timeline is the compliance win.

[Figure 2: "Identity Security Platform — one shared plane". A Shared Services (ISPSS) band on top: Identity Admin, SSO + MFA, Unified Audit, Security Intelligence. Four product pillars beneath it, all drawing from the shared identity layer: Privilege Cloud (vault + rotate + session record; SaaS-hosted Vault, Connector on-prem); EPM (remove local admin rights, JIT elevation, endpoint agent); Secrets Manager / Conjur (kill hardcoded creds in code, DevOps secrets, API-driven); Secure Cloud Access (zero-standing cloud access, AWS/Azure/GCP, JIT console).]
Figure 2 — Identity Security Platform map. One Shared Services layer (identity, SSO/MFA, audit, intelligence) sits above four product pillars. Same identity, same audit trail, one console.

SRS — the rotation engine that replaces CPM

In self-hosted PAM, the CPM rotates passwords. It is active-passive and you cannot load-balance it — two CPMs hitting the same account rotate to two different values and the account becomes inaccessible. In Privilege Cloud the default engine is SRS: accounts bind to an SRS connector pool (not a single server), giving active-active HA for rotation with distributed locking, and centralized logging in the CyberArk dashboard instead of scattered per-server log files. Both can coexist during migration.

Authenticate to the Privilege Cloud tenant (PowerShell REST)
#Requires -Version 7.0
# ConvertFrom-SecureString -AsPlainText needs PowerShell 7+. This is the CyberArk-authentication
# logon; ISPSS tenants that sign in through CyberArk Identity use the OAuth2 platform token
# instead and send "Authorization: Bearer <token>".
$pvwa = "https://neofinancebank.privilegecloud.cyberark.cloud/PasswordVault"
$body = @{ username = "svc_api_admin"
           password = (Read-Host -AsSecureString "PAM API pwd" |
                       ConvertFrom-SecureString -AsPlainText) } | ConvertTo-Json

# The Logon endpoint returns the session token as a bare JSON string
$token = Invoke-RestMethod -Uri "$pvwa/API/auth/Cyberark/Logon" `
           -Method POST -Body $body -ContentType "application/json"
$hdr = @{ Authorization = $token }   # reuse $hdr on every later call
Write-Output "Authenticated. Token: $($token.Substring(0,20))..."
# When done: Invoke-RestMethod -Uri "$pvwa/API/auth/Logoff" -Method POST -Headers $hdr
Expected output
Authenticated. Token: eyJhbGciOiJSUzI1NiIs...
PS C:\> $hdr.Authorization.Length
612
Quick check · Q1 of 10

Arjun's team wants HA for credential rotation in Privilege Cloud. A junior suggests "just run two CPM servers behind a load balancer". Why is this wrong, and what is the right answer?

Correct: c. CPM is active-passive; load-balancing it causes a split-brain where each instance rotates the same account independently. SRS solves HA properly because the SaaS backend coordinates locking, so multiple SRS instances safely process accounts from one connector pool. (a) is false, (b) does not fix the collision, (d) breaks your whole rotation policy.

Recreated for clarity ☁️ The exact screen you'll open every morning: ISP Portal → Dashboard at https://bank.privilegecloud.cyberark.cloud (CyberArk · Identity Security Platform / Dashboard; left nav: Dashboard, Accounts, Policies, Connectors, Reports, Administration). Your tenant matches this layout.

Privilege Cloud — Health
  Managed accounts       4,182
  CPM success (24h)      99.4%
  Active PSM sessions    37
  Connectors online      4 / 4

The Vault itself is SaaS — CyberArk runs and patches it. You operate accounts, policies and connectors; you never patch the Vault OS again.

③ The go-live playbook — discover, onboard, isolate, detect, optimize

A CyberArk go-live is not "install and switch on". The proven sequence is discover → onboard → isolate → detect → optimize, mapped to CyberArk's own Rapid Risk Reduction order: secure IT-admin credentials first, then stop credential theft (EPM), then protect DevOps secrets (Conjur), then detect threats (PTA). Discovery uses the accounts feed to populate the Pending Accounts list; onboarding rules auto-vault what matches and leave the rest for manual review.

[Figure 3: "Go-Live roadmap — five phases", a horizontal timeline. 1 Discover: accounts feed, Pending list populated. 2 Onboard: vault + deps, deps mapped, 200/wk cap. 3 Isolate: PSM isolation, no direct target creds. 4 Detect: PTA on, golden-ticket alerts live. 5 Optimize: tune + EPM least privilege. Footer: break-glass onboarded LAST, on a "No Change" platform, offline copy sealed.]
Figure 3 — Implementation roadmap. Discover the accounts, onboard with dependencies mapped (throttled), isolate sessions through PSM, switch on PTA detection, then optimize with EPM. Break-glass goes last.
War story — onboarding too fast killed a production ERP

PharmaCorp onboarded 8,000 accounts over a single weekend because the CISO wanted "numbers for the board". Sixteen Oracle DB and 23 Windows service accounts went in with no dependency discovery. CPM rotated them immediately (default ChangeNotificationOnlyOnExpiry=No). By Day 3, seven overnight ETL jobs feeding the manufacturing execution system failed with Event ID 4625 logon failures — scheduled tasks and ODBC DSNs were still using the pre-rotation passwords. Production halted for 6 hours.

Fix: always run Dependency Discovery (PVWA → Account Details → Dependencies → Discover) before onboarding service accounts, set ChangeNotificationOnlyOnExpiry=Yes for a 30-day stabilization window, and cap go-live velocity at 200 accounts/week with an app-owner sign-off gate.
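The host-side half of that discovery, as an added example (not code from this page and not CyberArk's Dependency Discovery feature): a PowerShell script run on each Windows server that lists every service, scheduled task and IIS application pool configured to run as a given account, so each one can be registered as a CPM dependency before the first rotation. The account name is an assumed sample, and the match is a plain string comparison, so pass the name in the form Windows stores it.

```powershell
#Requires -Version 5.1
# Added example (not CyberArk's Dependency Discovery and not code from the page): enumerate
# where a service account is used on THIS Windows host before the account is onboarded.
# Run it on every server the account touches and reconcile the hits against
# PVWA -> Account Details -> Dependencies before enabling automatic management.
# Pass the account as Windows stores it (DOMAIN\user, .\user or a UPN); the comparison
# below is a case-insensitive string match, not a SID lookup.
param(
    [Parameter(Mandatory)] [string] $Account    # e.g. 'NEOFIN\svc_etl' (assumed sample)
)

function Find-AccountUsage {
    param([Parameter(Mandatory)] [string] $Account)
    $hits = [System.Collections.Generic.List[pscustomobject]]::new()

    # 1. Windows services whose logon identity is the account (Win32_Service.StartName)
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -and $_.StartName -ieq $Account } |
        ForEach-Object {
            $hits.Add([pscustomobject]@{ Type = 'Service'; Name = $_.Name; Detail = $_.PathName })
        }

    # 2. Scheduled tasks whose RunAs principal is the account
    Get-ScheduledTask |
        Where-Object { $_.Principal.UserId -and $_.Principal.UserId -ieq $Account } |
        ForEach-Object {
            $hits.Add([pscustomobject]@{ Type   = 'ScheduledTask'
                                         Name   = "$($_.TaskPath)$($_.TaskName)"
                                         Detail = $_.State })
        }

    # 3. IIS application pools running under a specific user identity (skipped if IIS is absent)
    if (Get-Module -ListAvailable -Name WebAdministration) {
        Import-Module WebAdministration -ErrorAction Stop
        Get-ChildItem IIS:\AppPools |
            Where-Object { $_.processModel.identityType -eq 'SpecificUser' -and
                           $_.processModel.userName -ieq $Account } |
            ForEach-Object {
                $hits.Add([pscustomobject]@{ Type = 'IISAppPool'; Name = $_.Name; Detail = $_.state })
            }
    }

    return $hits
}

$usage = Find-AccountUsage -Account $Account
if ($usage.Count -eq 0) {
    Write-Output "No local dependencies for $Account on $env:COMPUTERNAME"
} else {
    Write-Output "Dependencies for $Account on $env:COMPUTERNAME (register each as a CPM dependency before enabling management):"
    $usage | Sort-Object Type, Name | Format-Table -AutoSize
}
```

Run it as an administrator on each host (`.\Find-AccountUsage.ps1 -Account 'NEOFIN\svc_etl'`). Anything it lists that is not already in the account's Dependencies tab is a job that will fail with 4625 on the first rotation; ODBC DSNs and application config files are outside what this script can see and still need the app-owner interview.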

Onboard a service account to a safe — AFTER dependency discovery (PowerShell REST)
# Assumes $pvwa and $hdr from the logon snippet above; safe, platform and address are sample values
$acct = @{
  name       = "prod-db01-sa_svc_oracle"
  address    = "10.10.5.25"
  userName   = "sa_svc_oracle"
  platformId = "OracleDatabase"
  safeName   = "PROD-DB-ServiceAccounts"
  secret     = (Read-Host -AsSecureString "Current pwd" |
                ConvertFrom-SecureString -AsPlainText)
  platformAccountProperties = @{ Port = "1521"; Database = "PRODDB" }
  # Hold automatic rotation until the dependency map is verified with the app owner;
  # set automaticManagementEnabled to $true at the end of the stabilization window
  secretManagement = @{ automaticManagementEnabled = $false
                        manualManagementReason     = "Stabilization window: dependencies under review" }
} | ConvertTo-Json -Depth 5

$r = Invoke-RestMethod -Uri "$pvwa/API/Accounts" -Method POST `
       -Headers $hdr -Body $acct -ContentType "application/json"
Write-Output "Account onboarded. ID: $($r.id)"
Write-Output "Automatic management: $($r.secretManagement.automaticManagementEnabled)"
Expected output
Account onboarded. ID: 453_6
Automatic management: False

Pause & Predict: NeoFinance onboards their break-glass firewall-admin account with the standard Windows platform to "keep it consistent". Two weeks later their tenant is unreachable in an ISP outage. What happens when they open the sealed envelope?

The offline copy is 14 days stale and they are locked out. The standard platform let CPM rotate the break-glass password overnight to a new random value stored only in the (now unreachable) Vault. The envelope holds the old one. A telecom hit this exact wall and lost domain access for 4 hours. Rule: break-glass accounts MUST use a "No Change" platform, and the offline copy must be refreshed before every scheduled change window.
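An added example of the pre-change-window check that rule implies (not code from this page and not CyberArk's own tooling): query the break-glass safe through the Privilege Cloud REST API and fail if any account there is still under automatic management, or if its secret has changed since the envelope was sealed. It authenticates the way an ISPSS tenant does, with a CyberArk Identity OAuth2 client-credentials platform token sent as a Bearer header; the tenant subdomain, safe name, OAuth service user and seal date are all assumed values.

```powershell
#Requires -Version 7.0
# Added example, not CyberArk's code: a pre-change-window audit of the break-glass safe.
# Tenant subdomain, safe name, OAuth service user and seal date are assumed sample values.
param(
    [string]   $Subdomain = 'neofinancebank',
    [string]   $SafeName  = 'BREAK-GLASS',
    [datetime] $SealedOn  = (Get-Date '2026-05-01')   # date written on the sealed envelope
)
$identity = "https://$Subdomain.id.cyberark.cloud"
$pvwa     = "https://$Subdomain.privilegecloud.cyberark.cloud/PasswordVault"

function Get-PlatformToken {
    # ISPSS tenants authenticate through CyberArk Identity with an OAuth2 client-credentials
    # platform token; the Privilege Cloud API then takes "Authorization: Bearer <token>".
    param([string] $IdentityUrl, [pscredential] $Client)
    $tok = Invoke-RestMethod -Method POST -Uri "$IdentityUrl/oauth2/platformtoken" `
             -ContentType 'application/x-www-form-urlencoded' `
             -Body @{ grant_type    = 'client_credentials'
                      client_id     = $Client.UserName
                      client_secret = $Client.GetNetworkCredential().Password }
    return @{ Authorization = "Bearer $($tok.access_token)" }
}

function Get-BreakGlassFindings {
    param([hashtable] $Headers, [string] $Safe, [datetime] $Sealed)
    # "Get accounts" with a safeName filter; nextLink (relative to /PasswordVault) pages the result
    $uri = "$pvwa/API/Accounts?filter=safeName%20eq%20$([uri]::EscapeDataString($Safe))&limit=100"
    $accounts = @()
    while ($uri) {
        $page = Invoke-RestMethod -Uri $uri -Headers $Headers
        $accounts += $page.value
        $uri = if ($page.nextLink) { "$pvwa/$($page.nextLink)" } else { $null }
    }
    foreach ($a in $accounts) {
        $auto    = [bool]$a.secretManagement.automaticManagementEnabled
        # secretManagement.lastModifiedTime is Unix epoch seconds of the last secret change
        $changed = [DateTimeOffset]::FromUnixTimeSeconds([long]$a.secretManagement.lastModifiedTime).UtcDateTime
        $stale   = $changed -gt $Sealed.ToUniversalTime()
        [pscustomobject]@{
            Account     = $a.name
            Platform    = $a.platformId      # eyeball this: it should be the "No Change" platform
            AutoManaged = $auto
            LastChanged = $changed
            Finding     = if ($auto)      { 'FAIL: rotation enabled; envelope will go stale' }
                          elseif ($stale) { 'FAIL: secret changed after the envelope was sealed; re-seal' }
                          else            { 'OK: manual management, envelope current' }
        }
    }
}

$hdr      = Get-PlatformToken -IdentityUrl $identity `
              -Client (Get-Credential -Message 'OAuth2 service user (client_id / client_secret)')
$findings = @(Get-BreakGlassFindings -Headers $hdr -Safe $SafeName -Sealed $SealedOn)
if ($findings.Count -eq 0) { Write-Warning "Safe '$SafeName' is empty: no break-glass account exists."; exit 1 }
$findings | Format-Table -AutoSize
if ($findings.Finding -match '^FAIL') {
    Write-Warning 'Break-glass safe is NOT outage-safe. Fix before the change window.'
    exit 1
}
```

Schedule it to run the day before every change window and treat a non-zero exit as a hard stop: a FAIL here is exactly the envelope-goes-stale condition that is only otherwise discovered during the outage.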

HA, DR and the SLA you can promise

Privilege Cloud carries a 99.95% availability SLA. Within a region, HA spans 3 AWS availability zones, so most failovers are near-zero to ~20 minutes RTO. Cross-Region DR (CRDR) is an add-on license; without it, a full DR backup-restore has a 4–24 hour RTO. In self-hosted, you carry all of this yourself: a two-node Vault cluster on shared SAN (SCSI-3 Persistent Reservations), a Cluster Vault Manager watching health, a virtual IP for failover, and a quorum disk to stop split-brain.

War story — split-brain in a self-hosted cluster

An enterprise ran a two-node HA Vault with the quorum disk "temporarily" removed during a storage migration three months earlier — and never reinstalled. A 90-second heartbeat brownout at peak hours let both nodes declare themselves active, seize the virtual IP and write to shared SAN concurrently. Result: partial Safe corruption and a 6-hour DR restore. Lesson: never run a two-node cluster without a quorum disk, and drill failover quarterly. This is precisely the class of pain Privilege Cloud removes by hosting the Vault for you.

Quick check · Q2 of 10

PharmaCorp's PSM sessions establish from the portal but drop after exactly 30 seconds. The Connector sits behind a next-gen firewall with TLS inspection enabled, and firewall logs show "allow" on port 443. What is the cause and fix?

Correct: a. A DPI/SSL-inspection appliance re-signs every HTTPS flow with its own CA. The Connector's TLS channel to the tenant expects the CyberArk-issued chain, so the re-signed certificate fails validation and the session drops after a timeout, while the firewall still logs "allow" because port 443 is open. The fix is a DPI bypass for the CyberArk cloud endpoints. (b/c/d) do not match the "exactly 30 seconds, allow logged" signature.

Recreated for clarity 🔌 The exact screen you'll check when "PSM won't launch": Administration → Connector Management at https://bank.privilegecloud.cyberark.cloud (CyberArk · Identity Security Platform / Administration / Connector Management; left nav: Dashboard, Accounts, Policies, Connectors, Reports, Administration). Your tenant matches this layout.

Connector Management                                        [Add Connector]
Connector          Components                  Version   Status
connector-mum-01   PSM, CPM, Secure Tunnel     14.2      Connected
connector-mum-02   PSM, CPM                    14.2      Connected
connector-blr-01   CPM                         14.0      Connected
connector-blr-02   PSM                         14.2      Disconnected

Two connectors per region = HA; if one drops, sessions fail over to its pair. A Disconnected connector is the first thing to check when "PSM won't launch".

Pause & Predict NeoFinance runs the proven go-live sequence. A junior wants to onboard the break-glass firewall-admin account on day one "to get it out of the way". In the discover → onboard → isolate → detect → optimize order, when should break-glass actually go in, and why?

Break-glass is onboarded last, not first. It needs a "No Change" platform so SRS/CPM never rotates the password out from under the sealed offline copy, plus dual custody. Onboarding it early on a standard platform lets it rotate overnight, so the envelope goes stale — and you discover this only during a real outage when the tenant is unreachable. Secure the IT-admin credentials, isolate sessions and switch on detection first; seal break-glass at the very end.
Quick check · go-live ordering

During NeoFinance's go-live you onboard a Windows service account that drives 3 scheduled tasks and 2 IIS app pools. What is the correct sequence to avoid a production outage when CPM first rotates it?

Correct: b. Dependency discovery must precede management — CPM only updates dependent scheduled tasks and IIS app pools if they are registered as dependencies before rotation. The stabilization flag delays the first change so you can verify. (a) is exactly the PharmaCorp war story that killed ETL jobs with Event ID 4625; (c) breaks your rotation policy; (d) is the onboard-too-fast pitfall.

The certification ladder — and the interview round each one is

CyberArk's ladder is three public rungs plus a partner track. Defender (PAM-DEF) tests daily operations and Vault admin. Sentry (PAM-SEN) tests deployment, install, advanced config and troubleshooting. Guardian tests strategic, multi-solution architecture. CDE (Certified Delivery Engineer) is partner-only for implementation consultants. All public exams run via Pearson VUE, roughly $200, 90 minutes, multiple-choice plus scenarios.

Scenario · Karthik's interview ladder at a Pune system integrator

Karthik is interviewing for a CyberArk role. Round 1 (screening) is Defender-level: explain the Vault, CPM and PSM, name the Vault protocol port, describe what happens when a session launches. Round 2 (technical) is Sentry-level: troubleshoot a PSMSC036E AppLocker block, design an HA cluster, explain CPM split-brain. Round 3 (architecture) is Guardian-level: design a Privilege Cloud migration for a 5,000-account bank and map the Blueprint to a kill chain.

The takeaway he gives juniors: study to the rung you are interviewing for. Reading Guardian architecture before you can answer "what port does the Vault use?" wastes everyone's time.

[Figure 4: "Certification ladder → interview round", an ascending staircase. Defender · PAM-DEF: daily ops, Vault/CPM/PSM basics → Round 1, Screening. Sentry · PAM-SEN: install, advanced config, troubleshoot → Round 2, Technical. Guardian · GUARD: strategic, multi-solution architecture → Round 3, Architecture. CDE (partner only): delivery + case study → Final, Consulting. Footer: all public exams via Pearson VUE, ~$200, 90 min, MCQ + scenario.]
Figure 4 — Certification ladder. Defender → Sentry → Guardian climbs from daily ops to architecture, mirroring screening → technical → architecture interview rounds. CDE is a partner-only delivery track.
Quick check · Q3 of 10

In a Sentry-level (PAM-SEN) interview at a Mumbai SI, you are asked: after a PSM v14 upgrade, sessions to a legacy SCADA HMI fail with error PSMSC036E. What is the diagnosis and fix?

Correct: b. PSMSC036E is the AppLocker-block signature. PSM hardening whitelists known binaries; a custom connection component's executables get blocked after an upgrade reapplies policy. The fix is to read the AppLocker audit log and add the component binaries to the whitelist (hash rules for unsigned ones). (a/c/d) target unrelated subsystems.

④ The capstone — replay a breach, break each stage with CyberArk

Here is the whole series tied into one scenario. This kill chain is the canonical 2022 privileged-credential breach pattern: an attacker phishes an IT admin, drops on the endpoint as local admin, dumps cached credentials, finds hardcoded PAM admin creds in a script, moves laterally, forges a golden ticket, and reaches domain dominance. For each stage, one specific CyberArk control breaks the chain.

Scenario · the breach NeoFinance is determined not to have

Priya's board asks the only question that matters: "If we are breached like the headlines, where does CyberArk actually stop it?" She walks them stage by stage — phish, local admin, credential dump, hardcoded-secret discovery, lateral move, golden ticket — and names the control that breaks each one: Identity MFA, EPM, vaulting + rotation, Conjur, JIT/Zero Standing Privilege, and PTA.

Defense-in-depth means the attacker does not need to beat one control — they need to beat all six in sequence, which is why a layered CyberArk deployment turns a domain-dominance breach into a contained alert.

[Figure 5: "Kill chain → CyberArk control that breaks it", six stages top to bottom, attacker stage on the left and the CyberArk control that breaks it on the right. 1 Phish admin + MFA reset (vishing → reset MFA) → Identity MFA + adaptive auth blocks the MFA reset. 2 Local admin on endpoint (malware needs admin) → EPM removes local admin: no admin = no install. 3 Dump cached creds (Mimikatz on LSASS) → EPM credential-theft block: LSASS dump blocked. 4 Find hardcoded PAM creds (PowerShell on share) → Conjur / Secrets Manager: no creds in code. 5 Lateral movement (hop with admin creds) → JIT + Zero Standing Privilege: time-limited, scoped. 6 Golden ticket → dominance (forge TGT, own domain) → PTA golden-ticket detect: auto-suspend account.]
Figure 5 — Capstone defense-in-depth. Each kill-chain stage (left) is broken by one specific CyberArk control (right). The attacker must beat all six in order — that is the whole point of layering.

▶ The kill chain meeting each control (animated trace, replayed here stage by stage)

Replay the breach against a fully-deployed CyberArk fleet. Each stage hits a wall.

① Initial access. Attacker vishes an IT admin and tries to reset MFA. CyberArk Identity adaptive MFA flags the impossible-travel + new-device signal and blocks the reset.
② Execution. Malware tries to install and gain local admin on the endpoint. EPM has already removed local admin rights, so the install fails.
③ Credential access. Mimikatz attempts to dump LSASS for cached creds. EPM credential-theft blocking stops the read from OS stores and browsers.
④ Discovery. Attacker finds a PowerShell script on a share, but it holds no secret. Conjur removed hardcoded PAM creds from all scripts; the script fetches at runtime, authenticated.
⑤ Lateral movement. Even a stolen PAM-admin identity is useless standing. JIT + Zero Standing Privilege means access is time-limited, scoped and approval-gated.
⑥ Domain dominance. Attacker forges a golden ticket. PTA detects the forged TGT via DPI + behavioral profiling, assigns the highest risk score, and auto-suspends the account. Chain broken.
Why this maps to a real breach

The 2022 Uber incident ran almost this exact chain: vishing → MFA fatigue/reset → a PowerShell script with hardcoded PAM-admin credentials on an internal share → full PAM access → every organizational secret. The five CyberArk controls that would have broken it: Conjur (no hardcoded creds), PSM session isolation (admins never see their own password), Identity MFA (blocks the vishing reset), JIT (time-limited admin), and PTA (mass-credential-access alert fires immediately).

Pause & Predict: a junior argues "if we just deploy EPM to kill local admin, we don't need vaulting or PTA". Where does that argument break?

EPM is necessary but not sufficient. EPM stops the endpoint stages (local admin, LSASS dump) — and CyberArk's testing showed 100% prevention across 150,000+ ransomware samples with local-admin removal + app control + greylisting. But EPM does nothing against an attacker who already holds valid network credentials or an API key. Server-credential rotation (SRS/CPM) limits blast radius, and PTA catches the golden ticket. The Blueprint prioritizes EPM for breadth (every workstation) and vaulting/PTA for depth on crown jewels — you need both lanes.

Pause & Predict In the capstone kill chain the attacker reaches the final stage — a forged golden ticket for domain dominance. Every earlier control (Identity MFA, EPM, Conjur, JIT) has already been beaten. Which single CyberArk control is purpose-built to catch this last stage, and what does it do?

PTA — Privileged Threat Analytics. PTA detects the forged TGT through deep packet inspection plus behavioral profiling, assigns the highest risk score, and auto-suspends the account — turning a domain-dominance breach into a contained alert. That is the whole point of defense-in-depth: the attacker had to beat all six controls in sequence, and PTA is the backstop that fires even when the chain reaches the end.


The classic go-live pitfalls — and the one-line fix for each

Pitfall 1 — onboarding too fast

8,000 accounts in a weekend, no dependency map, CPM rotates immediately, production scheduled jobs die. Cap velocity at 200/week, run Dependency Discovery first, hold rotation with ChangeNotificationOnlyOnExpiry=Yes.

Pitfall 2 — no break-glass (or a rotating one)

Tenant unreachable in an outage and the only admin credential is in the Vault — or the sealed copy is stale. Use a "No Change" platform + refreshed offline copy + dual custody.

Pitfall 3 — CPM dependency gaps

One service account runs three scheduled tasks and two IIS app pools; rotation breaks all five. Always map dependencies before enabling management so CPM updates them on rotation.

Pitfall 4 — PSM connection-component sprawl

Dozens of custom connection components, untested on SaaS PSM, break after an upgrade with PSMSC036E (AppLocker) or PSMSR037E (Vault comms). Re-validate every custom component in the SaaS tenant before cutover.

Pitfall 5 — DPI breaking the Connector tunnel

A TLS-inspection firewall re-signs the Secure Tunnel cert and silently drops the connection. Add the CyberArk cloud endpoints to the DPI bypass list.
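For Pitfall 5 and the Q2 symptom above, an added example (not CyberArk's tooling and not code from this page): a PowerShell pre-flight run on the Connector host that first checks outbound TCP 443 to the tenant endpoints, which is all a firewall "allow" proves, and then performs a real TLS handshake to see the certificate chain actually presented. A corporate or middlebox root at the top of that chain is the DPI re-signing signature. The hostnames are assumed sample tenant names and the inspection-marker list is an assumption to adjust for your environment.

```powershell
#Requires -Version 7.0
# Added example, not CyberArk's tooling: Connector-host egress pre-flight. Hostnames are assumed
# sample tenant names; $InspectionMarkers are assumed substrings that identify YOUR inspection CA.
param(
    [string[]] $Endpoints = @('neofinancebank.privilegecloud.cyberark.cloud',
                              'neofinancebank.id.cyberark.cloud'),
    [string[]] $InspectionMarkers = @('Palo Alto', 'Zscaler', 'FortiGate', 'NEOFIN Root CA')
)

function Test-TlsPath {
    param([string] $HostName, [int] $Port = 443, [string[]] $Markers)
    $r = [ordered]@{ Host = $HostName; TcpOpen = $false; Leaf = $null; Root = $null; Inspected = $null; Error = $null }
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        # 1. Plain TCP reachability: this is all a firewall "allow" on 443 proves
        $client.Connect($HostName, $Port)
        $r.TcpOpen = $true

        # 2. Real handshake with SNI. Accept any chain here so we can inspect what was presented
        #    instead of failing the way the Connector does.
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false,
                 [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
        $ssl.AuthenticateAsClient($HostName)
        $leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $r.Leaf = $leaf.Subject

        # 3. Build the chain as this host sees it (an inspection root has to be in the local
        #    store for inspection to work at all) and look at who sits at the top
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $null = $chain.Build($leaf)
        $r.Root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
        $r.Inspected = [bool]($Markers | Where-Object { $r.Root -like "*$_*" })
        $ssl.Dispose()
    } catch {
        $r.Error = $_.Exception.Message
    } finally {
        $client.Dispose()
    }
    return [pscustomobject]$r
}

$results = foreach ($h in $Endpoints) { Test-TlsPath -HostName $h -Markers $InspectionMarkers }
$results | Format-Table Host, TcpOpen, Inspected, Root, Error -AutoSize

if ($results | Where-Object { -not $_.TcpOpen }) {
    Write-Warning 'Outbound 443 is blocked for at least one endpoint: fix the egress rule first.'
}
if ($results | Where-Object { $_.Inspected }) {
    Write-Warning 'TLS inspection detected: add the CyberArk cloud endpoints to the DPI bypass list.'
}
```

Run it once before cutover and keep it in the runbook for the "sessions drop after exactly 30 seconds" ticket: TcpOpen = True with Inspected = True is the Q2 signature, and the Root column tells you which appliance to raise the bypass request against. If the leaf subject is not the tenant hostname at all, you are looking at a captive proxy rather than inspection, which is a different egress fix.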

One last security note — patch the CVEs

Even SaaS-adjacent components need patch hygiene. CVE-2024-54840 (CVSS 4.2) is a PVWA Host-header injection enabling open-redirect/phishing in PAM Self-Hosted before 14.4 — upgrade to 14.4+. The July 2025 Conjur/Secrets Manager set is more serious: CVE-2025-49827 and CVE-2025-49831 (both CVSS 9.1) are IAM authenticator bypasses, CVE-2025-49828 (CVSS 8.6) is an RCE, and CVE-2025-49830 (CVSS 7.1) is a path traversal. Patches are on the CyberArk Marketplace — apply within your KEV-aligned window.

📝 Check your understanding — 10 questions, 70% to pass

Q1–Q3 above already count. Below are Q4 to Q10.

Q4 of 10 · Remember

In CyberArk PAM Self-Hosted, which dedicated TCP port do all internal components (PVWA, CPM, PSM, PTA, PACLI) use to talk to the Digital Vault?

Correct: b. TCP 1858 is the dedicated Vault protocol port for every internal component. The Vault firewall permits only 1858 inbound by default. 443 is the Connector's outbound cloud channel, 3389 is PSM RDP, 389 is LDAP — none reach the Vault core.
Q5 of 10 · Apply

You are onboarding a Windows service account at NeoFinance that runs 3 scheduled tasks and 2 IIS app pools. What is the correct order to avoid a production outage?

Correct: b. Dependency discovery must precede management. CPM only updates dependent scheduled tasks and app pools if they are registered as dependencies before rotation. The stabilization flag delays rotation so you verify before the first change. (a/d) cause the exact outage we want to avoid; (c) misunderstands the dependency model.
Q6 of 10 · Evaluate

NeoFinance's Privilege Cloud tenant is unreachable in an ISP outage and the SOC needs a critical firewall-admin account. Judging the four options below, which one is the correct, audit-defensible break-glass procedure for a well-designed deployment?

Correct: b. A correctly designed break-glass account uses a "No Change" policy (so the offline copy stays valid), an offline sealed copy, and dual custody. The custodians use it, log it, then rotate and re-seal after recovery. (a) defeats the purpose, (c) skips audit and dual control, (d) is too slow for a critical outage.
Q7 of 10 · Analyze

A self-hosted HA Vault cluster's active node loses its PrivateArk Server service. Which condition would PREVENT automatic failover to the passive node?

Correct: a. The Cluster Vault Manager only triggers failover when it confirms quorum. With the quorum disk offline, neither node can claim majority, so the cluster deliberately locks to prevent split-brain — no failover happens. (b), (c) and (d) are healthy conditions that help failover, not block it.
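The Q7 reasoning is easier to hold onto as a decision table. The model below is an added example with constructed cluster states; it is not Cluster Vault Manager code, only the rule the explanation describes: a passive node may promote itself when the Vault service is gone and it can confirm a majority through the quorum disk, and with the disk offline it locks rather than risk two active Vaults.

```python
"""Model of the failover decision in a two-node self-hosted HA Vault cluster
with a quorum disk as tiebreaker, matching the Q7 explanation. Added example
with constructed cluster states; it is not Cluster Vault Manager code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ClusterView:
    """What the passive node can observe at decision time."""
    active_service_up: bool   # PrivateArk Server service alive on the active node
    peer_reachable: bool      # heartbeat to the active node still answering
    quorum_disk_online: bool  # shared tiebreaker voter reachable
    passive_healthy: bool     # this node is fit to run the Vault


def split_brain_risk(v):
    """True when a node can neither hear its peer nor consult the tiebreaker:
    each side would conclude it is alone, and both might become active."""
    return not v.peer_reachable and not v.quorum_disk_online


def failover_decision(v):
    """Return (failover, reason). Failover happens only when the Vault
    service is gone AND the passive node can confirm quorum via the disk."""
    if v.active_service_up:
        return False, "active node healthy: nothing to do"
    if not v.passive_healthy:
        return False, "passive node unhealthy: no failover target"
    if not v.quorum_disk_online:
        # Without the tiebreaker the passive node cannot tell 'peer died'
        # from 'network partition'. Promoting could yield two active Vaults
        # writing the same safes, so the cluster deliberately locks.
        return False, "quorum disk offline: no majority, cluster locks to prevent split-brain"
    if v.peer_reachable:
        return True, "quorum confirmed; peer alive but service down: passive promotes"
    return True, "quorum confirmed via quorum disk despite lost heartbeat: passive promotes"


# Constructed scenarios covering the healthy and blocking conditions.
SCENARIOS = {
    "service crash, all voters online": ClusterView(False, True, True, True),
    "service crash, quorum disk offline": ClusterView(False, True, False, True),
    "heartbeat lost, quorum disk online": ClusterView(False, False, True, True),
    "heartbeat lost, quorum disk offline": ClusterView(False, False, False, True),
    "service crash, passive unhealthy": ClusterView(False, True, True, False),
}


def evaluate_all():
    """Map each scenario name to its (failover, reason) decision."""
    return {name: failover_decision(v) for name, v in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (go, why) in evaluate_all().items():
        print(f"{name:38s} -> {'FAILOVER' if go else 'hold    '}  {why}")
```

The scenario worth staring at is "heartbeat lost, quorum disk offline": it is the only one where split_brain_risk is true, and it is exactly why the cluster prefers an outage over a second active node. Monitoring the quorum disk's reachability from both nodes is therefore part of HA health, not an afterthought.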

Q8 of 10 · Analyze

In the capstone kill chain, the attacker finds a PowerShell script on a network share that previously held hardcoded PAM-admin credentials. Which CyberArk control specifically breaks this stage?

Correct: c. The "hardcoded creds in a script" stage is exactly what Conjur/Secrets Manager removes — secrets are fetched at runtime by an authenticated identity, never written into code. (a) records sessions but does not remove the static secret, (b) is unrelated, (d) shortens exposure but the credential is still in the file.
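Before a secrets manager can remove the static secret, you have to find it. The scanner below is an added example for the Q8 stage: it runs generic hardcoded-credential heuristics over PowerShell script text and reports redacted findings a reviewer can act on. It is not Conjur/Secrets Manager code; the sample scripts, the account name and password literal, and the Get-RuntimeSecret cmdlet in the clean sample are constructed placeholders, and the PACLI LOGON PASSWORD= syntax is stated as an assumption.

```python
"""Scan PowerShell scripts for hardcoded credentials (the Q8 kill-chain
stage). Added example: the patterns are generic detection heuristics, the
sample scripts and the Get-RuntimeSecret cmdlet are constructed placeholders,
and none of this is Conjur/Secrets Manager code."""
import re
from dataclasses import dataclass

PATTERNS = {
    "plaintext password assignment":
        re.compile(r'\$?\w*(pass|pwd|secret)\w*\s*=\s*["\'][^"\']{4,}["\']', re.I),
    "ConvertTo-SecureString -AsPlainText on a literal":
        re.compile(r'ConvertTo-SecureString\s+["\'][^"\']+["\']\s+-AsPlainText', re.I),
    "credential embedded in URL":
        re.compile(r'https?://[^\s/:@]+:[^\s/@]+@', re.I),
    # Assumption: PACLI LOGON accepts USER= and PASSWORD= parameters; an inline
    # PASSWORD= is the PAM-admin flavour of this anti-pattern.
    "PACLI LOGON with inline PASSWORD=":
        re.compile(r'\bPACLI\s+LOGON\b.*\bPASSWORD=\S+', re.I),
}


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    redacted: str


def redact(line):
    """Mask secret-bearing fragments so a finding can go into a ticket."""
    line = re.sub(r'(["\'])[^"\']*\1', r'\1***\1', line)
    line = re.sub(r'://([^\s/:@]+):[^\s/@]+@', r'://\1:***@', line)
    return re.sub(r'(PASSWORD=)\S+', r'\1***', line, flags=re.I)


def scan_script(text):
    """Return one Finding per (line, matching rule); the raw line is never stored."""
    findings = []
    for no, line in enumerate(text.strip().splitlines(), start=1):
        for rule, rx in PATTERNS.items():
            if rx.search(line):
                findings.append(Finding(no, rule, redact(line)))
    return findings


# Constructed 'before' script: the share-drive anti-pattern from the capstone.
LEAKY_SCRIPT = """
$vaultUser = "pam-admin"
$vaultPass = "Winter2024!"          # hardcoded
$sec = ConvertTo-SecureString "Winter2024!" -AsPlainText -Force
Invoke-WebRequest "https://pam-admin:Winter2024!@pvwa.example.internal/PasswordVault/"
PACLI LOGON USER=pam-admin PASSWORD=Winter2024!
"""

# Constructed 'after' script: the secret is fetched at runtime by an
# authenticated identity. Get-RuntimeSecret is a placeholder cmdlet name.
CLEAN_SCRIPT = """
# Get-RuntimeSecret is a constructed placeholder for a runtime fetch from a
# secrets manager by an authenticated machine identity.
$cred = Get-RuntimeSecret -Id "neofinance/fw-admin"
Invoke-Command -ComputerName fw01 -Credential $cred -ScriptBlock { Get-Date }
"""

if __name__ == "__main__":
    for f in scan_script(LEAKY_SCRIPT):
        print(f"line {f.line}: {f.rule}: {f.redacted}")
    print("clean script findings:", len(scan_script(CLEAN_SCRIPT)))
```

The leaky sample trips four different rules on four lines and the runtime-fetch version trips none, which is the practical meaning of "secrets are fetched at runtime, never written into code". Pointing scan_script at every .ps1 on the shares you onboard is a cheap pre-migration inventory; the redacted output is safe to paste into a remediation ticket.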

Q9 of 10 · Analyze

In the capstone, the attacker forges a golden ticket to reach domain dominance. Which control detects and contains this final stage, and how?

Correct: d. PTA (Privileged Threat Analytics) is purpose-built for golden-ticket detection via DPI + behavioral analytics, auto-assigning the top risk score and enabling suspension. EPM works upstream on endpoints (a), while KRBTGT rotation is good hygiene but SRS detecting a live forged ticket is not its job (b), and the Connector is just a transport (c).
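To make the Q9 mechanism concrete, here is a heuristic in the spirit of "DPI plus behavioral analytics": a sensor records every TGT the KDC issues and then checks every service-ticket request against that record, scoring anything the KDC never issued, or that presents a downgraded encryption type. This is an added example and not PTA's algorithm or API; the event schema, users, ticket identifiers, encryption policy and score thresholds are constructed for illustration.

```python
"""Heuristic golden-ticket detector over constructed KDC traffic records, in
the spirit of the Q9 explanation (DPI plus behavioral scoring). Added
example: schema, users, ticket ids and thresholds are invented, and this is
not PTA's algorithm or any PTA API."""
from datetime import datetime

# Constructed domain facts: the domain has moved to AES, so RC4 stands out.
DOMAIN_ENC = "aes256"
SUSPEND_THRESHOLD = 80  # score at which the response is suspension, not review


def analyze_kdc_traffic(events):
    """events: time-ordered dicts with keys
         type    'AS-REP' (KDC issued a TGT) or 'TGS-REQ' (client presents a TGT)
         user    account name in the message
         tgt_id  opaque identifier a DPI sensor derives from the ticket bytes
         enc     encryption type of the presented or issued ticket
    A TGS-REQ presenting a tgt_id no monitored KDC issued is the core indicator:
    the KDC will happily honour a forged TGT, but it never handed one out."""
    issued = {}   # tgt_id -> user, learned from observed AS-REP messages
    alerts = []
    for ev in events:
        if ev["type"] == "AS-REP":
            issued[ev["tgt_id"]] = ev["user"]
            continue
        reasons, score = [], 0
        owner = issued.get(ev["tgt_id"])
        if owner is None:
            reasons.append("TGT was never issued by a monitored KDC (forged or replayed)")
            score += 80
        elif owner != ev["user"]:
            reasons.append(f"TGT issued to {owner} presented as {ev['user']}")
            score += 80
        if ev["enc"] != DOMAIN_ENC:
            reasons.append(f"{ev['enc']} ticket in an {DOMAIN_ENC} domain (downgrade)")
            score += 15
        if reasons:
            alerts.append({
                "ts": ev["ts"], "user": ev["user"], "score": min(score, 100),
                "action": "suspend" if score >= SUSPEND_THRESHOLD else "review",
                "reasons": reasons,
            })
    return alerts


# Constructed traffic: one legitimate session, one downgrade, one forged TGT.
SAMPLE_EVENTS = [
    {"ts": datetime(2026, 5, 31, 9, 0), "type": "AS-REP", "user": "alice",
     "tgt_id": "tgt-a1", "enc": "aes256"},
    {"ts": datetime(2026, 5, 31, 9, 5), "type": "TGS-REQ", "user": "alice",
     "tgt_id": "tgt-a1", "enc": "aes256"},
    {"ts": datetime(2026, 5, 31, 9, 40), "type": "TGS-REQ", "user": "alice",
     "tgt_id": "tgt-a1", "enc": "rc4"},
    {"ts": datetime(2026, 5, 31, 11, 20), "type": "TGS-REQ", "user": "svc-backup",
     "tgt_id": "tgt-zz", "enc": "rc4"},
]

if __name__ == "__main__":
    for a in analyze_kdc_traffic(SAMPLE_EVENTS):
        print(a["ts"], a["user"], a["score"], a["action"], "; ".join(a["reasons"]))
```

On the sample, alice's RC4 request scores low and goes to review, while svc-backup's never-issued TGT scores 95 and is marked for suspension, which mirrors the "top risk score plus suspension" behaviour the explanation attributes to PTA. The design point that matters in production is coverage: the issued-TGT record must be fed from every domain controller, or a TGT legitimately issued by an unmonitored DC will look forged.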

Q10 of 10 · Evaluate

Priya's board asks whether the 5,000-endpoint migration from self-hosted to Privilege Cloud is the right call. What is the most complete senior-engineer evaluation?

Correct: c. The senior answer weighs both sides honestly: SaaS removes the ops burden that is overwhelming a two-person team, but you trade away air-gap, accept an internet dependency, and lean on CyberArk's uptime. A phased 90-day parallel run with break-glass onboarded last is the safe path. (a) and (b) are absolutist; (d) leaves the bulk ops burden untouched.
Teach a friend in one line

"Privilege Cloud is PAM as piped gas: CyberArk runs the Vault, you run just the Connector — and a real breach is broken stage by stage by MFA, EPM, vaulting, Conjur, JIT and PTA, not by any single magic control."

Self-explanation prompt — close the loop

Before you leave: in your own words, explain to an imaginary junior why a break-glass account must be on a "No Change" platform, and which two CyberArk controls break the endpoint stages of the kill chain. If you can say both without scrolling up, the series has landed. Want a spaced reminder? The end-of-lesson tracker will resurface these in 7 days when you revisit.

Glossary — the terms that came up

Privilege Cloud
SaaS-delivered CyberArk PAM. CyberArk hosts the Vault, PVWA and backend on AWS; you run only the on-prem Connector. Tenant URL: <org>.privilegecloud.cyberark.cloud.
Connector
The single on-prem box in Privilege Cloud, bundling CPM (rotation) and PSM (session proxy). Talks outbound to CyberArk over TCP 443 through the Secure Tunnel.
SRS (Secrets Rotation Service)
Cloud-native, active-active rotation engine replacing legacy CPM. UI-configured, auto-scaled, centrally logged; accounts bind to an SRS connector pool.
ISPSS / Identity Security Platform
The unified SaaS layer — Identity Admin, SSO/MFA, Audit, Security Intelligence, Secure Cloud Access — that sits above Privilege Cloud, EPM, Conjur and SCA.
Break-glass account
Emergency admin account on a "No Change" platform with an offline sealed copy under dual custody, used only when normal PAM access is unavailable.
PTA (Privileged Threat Analytics)
Behavioral + DPI engine that detects golden tickets, Pass-the-Hash and anomalous Vault access in real time, assigning risk scores and enabling auto-suspension.
EPM (Endpoint Privilege Manager)
Removes local admin rights from endpoints and blocks credential theft from OS stores and browsers; supports JIT elevation.
Quorum disk
The tiebreaker voter in a self-hosted HA Vault cluster that prevents split-brain when the heartbeat network partitions.

🎓 You've completed the CyberArk series — now prove it

Ten blogs done: from the Vault and CPM/PSM internals to Privilege Cloud, the Identity Security Platform, go-live, and the kill-chain capstone. The last step is the practice set — full Defender/Sentry-tier MCQs under exam conditions, scored.

Sources cited inline

  1. CyberArk Docs — Privilege Cloud Connector system requirements
  2. CyberArk Docs — Secrets Rotation Service (SRS) architecture
  3. CyberArk Community — Self-Hosted to Privilege Cloud migration checklist
  4. CyberArk Product Security — July 2025 Conjur/Secrets Manager CVEs
  5. GitHub Advisory — CVE-2024-54840 (PVWA Host header injection)
  6. Pearson VUE — CyberArk certification program (Defender/Sentry/Guardian)
  7. CyberArk — EPM credential-theft blocking