Roadmap

PAM Administrator

The specialist who deploys, configures, operates, and maintains Privileged Access Management platforms. Protects the organization's most sensitive credentials and administrative access through vaulting, session recording, credential rotation, and just-in-time privilege provisioning using platforms like CyberArk, BeyondTrust, and Delinea.

OPTIMISTIC 2–3 yearsREALISTIC 3–4 years

Stage 00

IT Fundamentals

PAM protects privileged access to IT infrastructure. Administrators must understand what they are protecting.

Windows Administration — Required

Active Directory — user accounts, groups, OUs, GPOs, domain trusts
Windows Server — roles and features, local administrator accounts, service accounts
Windows authentication — NTLM, Kerberos, LDAP, local accounts
Registry — understanding service account configurations
Windows Event Log — authentication events (4624, 4625, 4648, 4776) for PAM audit context
WMI — Windows Management Instrumentation; used by CyberArk CPM for credential rotation on some platforms
IIS — CyberArk PVWA runs on IIS; basic IIS administration required
Remote Desktop (RDP) — primary protocol for PSM Windows session launch
PowerShell — required for CyberArk automation, bulk operations, and troubleshooting

Linux/Unix Administration — Required

SSH — public key authentication, known_hosts, sshd_config
Linux user management — /etc/passwd, /etc/shadow, sudo, sudoers file
Linux services — systemd, service management
SSH key management — key pairs, authorized_keys, key rotation concepts
Linux file permissions — chmod, chown, ACLs
PSMP (Privileged Session Manager for SSH Proxy) — runs on Linux; requires Linux administration

Network Fundamentals

TCP/IP — enough to troubleshoot vault connectivity failures
Firewall rules — understanding required ports for CyberArk component communication
DNS — resolving vault hostnames; split-horizon DNS considerations
LDAP/LDAPS — CyberArk LDAP integration with Active Directory; port 389 (LDAP) / 636 (LDAPS)

Database Basics

SQL Server — CyberArk Vault uses SQL Server for metadata; basic DBA awareness
Oracle, MySQL, PostgreSQL — common PAM-managed database platforms; understanding connection string structure for CPM integration
Database privileged accounts — SA account (SQL Server), SYS/SYSTEM (Oracle); the accounts PAM is protecting

Security Fundamentals

CIA Triad — confidentiality, integrity, availability applied to credential security
Least privilege — minimum access for minimum time; core PAM principle
Separation of duties — no single person controls all access steps; PAM enforces this
Audit logging — why session recording and vault audit logs exist; compliance context
CompTIA Security+ — recommended baseline security certification

Resources

Professor Messer Security+ (free)
Microsoft Learn Active Directory fundamentals (free)
TryHackMe Pre-Security (free)

Stage 01

PAM Concepts and Theory

Understanding privileged access management principles before platform-specific work.

What is Privileged Access?

Local administrator accounts — built-in Windows local admin; Linux root
Domain administrator accounts — full Active Directory control
Service accounts — running Windows services, scheduled tasks, IIS app pools; often overprivileged
Application accounts — used by applications to connect to databases or services
Emergency / break-glass accounts — high-privilege accounts for emergency recovery
Cloud privileged accounts — AWS root, Azure Global Administrator, GCP Organization Admin
Network device accounts — switches, routers, firewalls; often shared admin credentials
Database privileged accounts — SA, SYSDBA, root database user
Compromise of one privileged account can give attacker full domain control
Pass-the-Hash, Pass-the-Ticket, DCSync — all use privileged credential theft
Service accounts often have static passwords that never change
Shared credentials — multiple people use same password; no individual accountability
Discovery phase — attackers search for privileged accounts to target

PAM Core Capabilities

Encrypted storage of privileged account credentials
Access control — who can request which credentials
Audit trail — who accessed which credential, when, from where
Check-out / check-in model — user retrieves credential, uses it, returns it
Dual control — two-person approval required for sensitive credentials
One-time passwords — credential changes after every check-in (OTP mode)
CPM automatically changes passwords on a schedule or after check-in
Reconciliation — verifying the current password matches what CPM believes it is
Rotation failure handling — alerts, reconciliation accounts for locked-out scenarios
Safe zones — defining when rotation is allowed (maintenance windows)
PSM proxies sessions — user connects through PSM, not directly to target
Session recording — video recording + keylogging of privileged sessions
Session isolation — target system credentials never exposed to user's workstation
Keystroke logging — full audit of commands executed during session
Session termination — PSM can terminate suspicious sessions in real time
Forensic value — replaying sessions after incidents
No standing privileges — users have no permanent elevated access
On-demand elevation — request access → approval → temporary grant → automatic revocation
Zero Standing Privilege (ZSP) — the most mature JIT model; no persistent privileged accounts
Time-limited sessions — access automatically revoked after defined period
Ephemeral accounts — temporary accounts created for the task, then deleted
Applications retrieving credentials from vault at runtime — no hardcoded passwords
Application Credential Provider (CP) or Central Credential Provider (CCP) — CyberArk components
Eliminates hardcoded credentials in application configurations, scripts, source code

PAM Architecture Concepts

Vault server — the core encrypted credential store; must be highly available
Management components vs end-user components — admin interfaces vs session launch
Connectivity model — inbound vs outbound connections; firewall implications
High availability — active/passive vault clustering; DR considerations
Agent vs agentless rotation — CPM agent on target vs agentless via WMI/SSH
Multi-tenant vs dedicated — MSP model vs enterprise dedicated deployment

Compliance Drivers for PAM

SOX (Sarbanes-Oxley) — separation of duties for financial systems; access controls; audit trails
PCI-DSS — Requirement 7 (restrict access to system components), Requirement 10 (track access)
HIPAA Security Rule — access controls; audit controls (§164.312)
NIST SP 800-53 — AC-2 (Account Management), AC-6 (Least Privilege), AC-17 (Remote Access)
ISO 27001 — A.9 Access Control controls
CMMC — DoD contractor requirement; privileged access controls in practice 3.1.5, 3.1.6

Resources

CyberArk documentation intro (free)
NIST SP 800-53 (free)
Idenhaus PAM blog (free)
"Privileged Attack Vectors" by Morey Haber (book)

Stage 02

CyberArk Platform — Deep Mastery

CyberArk is the market leader, appearing in the majority of PAM administrator job postings. Deep CyberArk is the primary technical credential.

CyberArk Platform Architecture

The encrypted credential store; all credentials and recordings stored here
Vault server is the most protected component; typically air-gapped network segment
Vault database — SQL Server; metadata stored here; credentials stored in encrypted files
Vault firewall — CyberArk's own internal firewall layer; operates independently of OS firewall
Vault services — PrivateArk Server service; CyberArk Event Notification Engine
DR Vault — disaster recovery; replicates vault data; manual failover required
Web-based UI for end users and administrators
IIS-hosted; requires Windows Server + IIS
Functions: credential requests, account management, session launch, reports, policy configuration
PVWA high availability — load balanced; multiple PVWA servers pointing to same vault
Performs automated credential rotation on target systems
Runs as a Windows service; connects to vault to retrieve accounts to manage
Plugins — platform-specific rotation logic; Windows plugin, Linux/Unix plugin, Oracle plugin, etc.
CPM agents — deployed on some platforms for agentless-alternative rotation
Reconciliation accounts — privileged accounts CPM uses to reset other accounts if locked out
Safe configuration — CPM must have permissions on the safes it manages
Proxies Windows RDP and SSH sessions
All connections go through PSM; user sees session but connects to PSM, not target directly
Session recording stored on vault
Connection Components — XML configuration defining how to launch each session type (RDP, SSH, databases, web)
RDS (Remote Desktop Services) licensing required for PSM
PSM high availability — load balanced; NLB or hardware load balancer
Linux-based; handles SSH session proxying
Alternative to PSM for SSH sessions; required when PSM cannot be used
Deployed on Linux; communicates with vault via CyberArk SDK
Behavioral analytics on privileged session activity
Detects anomalous activity: suspicious commands, off-hours access, lateral movement
Integrates with SIEM for alerting
Risk scoring on privileged sessions
Endpoint least privilege — removing local admin rights; controlling application elevation
Application control — allowlisting/blocklisting at endpoint
Agent-based; Windows and macOS
Separate from core vault PAM; endpoint-focused
Machine identity and secrets management
CI/CD pipeline integration — Jenkins, GitLab, GitHub Actions retrieving credentials at runtime
API-first; REST API for credential retrieval
Policy-as-code — YAML-based access control policies
Conjur Cloud — SaaS version
Cloud-hosted vault — CyberArk manages the vault infrastructure
Customer manages: App Connectors (Connector Management), policies, safes, accounts
Connector Management — lightweight agent replacing on-prem CPM/PSM for outbound connectivity
SIA (Secure Infrastructure Access) — next-generation session access; replacing PSM for cloud-native workloads
Zero Standing Privilege (ZSP) — ephemeral access; no persistent accounts
Just-in-time provisioning — creating temporary accounts for the session duration
Native RDP/SSH without PSM proxy overhead
SCA (Secure Cloud Access) — ZSP access to AWS/Azure/GCP cloud consoles and CLI

CyberArk Core Concepts — Safes

Container for accounts and policies — equivalent to a folder with access control
Safe permissions — Read, List, Retrieve Password, Add Accounts, Update Account Properties, Update Account Content, Initiate CPM Management, Specify Next Password, Rename Accounts, Delete Accounts, Unlock Accounts, Manage Safe, Manage Safe Members, Authorize Account Requests
Safe naming conventions — critical for operational clarity; examples: WIN-ADMIN-PROD, LINUX-SVC-DEV
Master Policy — organization-wide default policies applied unless overridden at safe level

CyberArk Core Concepts — Platforms

Platform = template defining how CPM manages and how users access a class of accounts
Built-in platforms — Windows Server Local, Windows Domain, Unix via SSH, Oracle Database, etc.
Duplicate and customize — never modify built-in platforms; duplicate and customize
Automatic Password Management — enable/disable CPM rotation; rotation frequency
Password properties — complexity requirements; history
Session management — which PSM connection component to use
Exclusive access — one user at a time; prevents concurrent checkout
Dual control — require approval workflow before credential retrieval
One-Time Password — change password after each check-in

CyberArk Core Concepts — Account Onboarding

Manual onboarding — PVWA → Accounts → Add Account; specify platform, safe, address, username
Bulk onboarding — CSV import via PVWA or REST API
Automatic discovery — CyberArk DNA (account discovery tool) scans for unmanaged accounts
Account properties — address (target system), username, platform, safe, account description
Dependency management — linking service accounts to the services they run; CPM restarts services after rotation

CyberArk Core Concepts — Password Reconciliation

What reconciliation means — CPM verifies the password it stored matches the actual password on the target
Password changed outside CyberArk (manually)
Account locked due to failed reconciliation
Target system unavailable
CPM connectivity issue
Reconciliation accounts — separate highly privileged account CPM uses to force-reset a reconciliation failure
Viewing reconciliation failures — PVWA → Reports → Pending Accounts; or CPM logs
Troubleshooting rotation failures — CPM logs in CyberArk Event Viewer; error codes; platform debugging

CyberArk Core Concepts — Session Launch Troubleshooting

Check PSM service is running; RDS licensing; PSM Windows firewall rules
PVWA connectivity to PSM (443 from PVWA to PSM)
Connection Component configuration — correct RDP settings; credential injection method
Target RDP port (3389) open from PSM to target; firewall rule
PSMP service running on Linux
SSH connectivity from PSMP to target (port 22)
PSMP firewall rules (50022 from user to PSMP)
Vault connectivity from PSMP

CyberArk REST API

Base URL: `https://PVWA/PasswordVault/API/`
Authentication: curl -X POST /auth/CyberArk/Logon with username/password returns session token
`GET /API/Accounts` — list accounts with filtering
`POST /API/Accounts` — create new account
`GET /API/Accounts/{id}/Password/Retrieve` — retrieve password
`POST /API/Accounts/{id}/Change` — trigger immediate password change
`GET /API/Safes` — list safes
`POST /API/Safes` — create safe
`GET /API/Safes/{safeName}/Members` — list safe members
`POST /API/Safes/{safeName}/Members` — add safe member
Bulk operations with PowerShell — Invoke-RestMethod for logon, Import-Csv for accounts, loop creating accounts via POST /API/Accounts

CyberArk Certifications

Trustee — conceptual overview; entry-level; not a technical certification
Defender — most recognized; validates operational administration of CyberArk PAM; required for most admin roles
Sentry — advanced administration; troubleshooting; CPM plugin development; implementation
Guardian — highest level; architecture; enterprise design; rarely required outside of architects
Certification pathway: Defender → Sentry for PAM administrators; Guardian for architects

Resources

CyberArk documentation portal (free)
CyberArk education center (some free, some paid)
CyberArk community forums (free, best troubleshooting resource)
YuenX CyberArk blog (free, excellent technical depth)

Stage 03

BeyondTrust and Delinea Platforms

Alternative PAM platforms frequently listed in job postings alongside CyberArk.

BeyondTrust

Credential vaulting and session recording — similar function to CyberArk EPV + PSM
Smart Rules — automated onboarding of accounts based on AD scan
Requestor/approver workflow — JIT access request and approval
Session recording — video + keystroke; audit replay
Secure remote access for vendors and third parties — no VPN required
Session recording and monitoring for external parties
Injection of credentials without exposing them to the vendor
Web-based; no agent required for vendor
Least privilege for Windows, Linux, macOS endpoints
Application control; privilege elevation rules
Competing with CyberArk EPM
Cloud IAM visibility; unused permission identification
JIT cloud access

Delinea (formerly Thycotic + Centrify)

Credential vaulting and session recording — direct competitor to CyberArk
Launcher feature — session launch via browser-based proxy; lower infrastructure overhead than PSM
Discovery — auto-discovery of local accounts and service accounts
Workflow — request/approval/checkout model
REST API — similar to CyberArk API; PowerShell module available
Endpoint least privilege — Windows and macOS
Application control
Identity bridging — joining Linux/Unix into Active Directory for centralized identity
Zone-based privilege management — AD groups controlling sudo and SSH access

HashiCorp Vault

Secrets management — primarily for DevOps and application secrets; not traditional PAM
Secret engines — KV (key-value), database (dynamic credentials), AWS/Azure (dynamic cloud credentials), PKI (certificate issuance)
Dynamic secrets — credentials generated on demand with TTL; automatically revoked
Auth methods — AppRole (CI/CD pipelines), Kubernetes, AWS IAM, LDAP/AD
Lease and renewal — all secrets have leases; automatic revocation on expiry
Policies — HCL-based; controlling access to secret paths
Seal/unseal — Vault starts sealed; must be unsealed with key shares (Shamir's Secret Sharing)
Vault Enterprise features — HSM auto-unseal, replication, namespaces, DR
Vault is not a replacement for CyberArk in human privileged access; it specializes in machine identity and application secrets

Resources

BeyondTrust documentation (free)
Delinea documentation (free)
HashiCorp Vault documentation (free)
Vault tutorials on developer.hashicorp.com (free)

Stage 04

Cloud PAM and Non-Human Identity

Modern PAM extends beyond on-premises infrastructure to cloud and DevOps environments.

Cloud PAM Concepts

Cloud privileged accounts — AWS root, IAM admin, Azure Global Admin, GCP Organization Admin
Shared responsibility — cloud providers secure the infrastructure; customers secure access to it
No network boundary — cloud console accessible from anywhere; requires strong identity controls
CLI credentials — AWS access keys, Azure service principals, GCP service accounts; often long-lived
Cloud console access — browser-based; session recording harder than RDP/SSH
Federated cloud access — using on-premises identity (Entra ID) to access cloud console

CyberArk Cloud Capabilities

ZSP access to AWS, Azure, GCP cloud consoles and CLI
Ephemeral IAM credentials issued for session duration
Session recording of cloud console activity
No long-lived cloud admin credentials
Analyzing and right-sizing cloud IAM permissions
Identifying unused and excessive permissions
CyberArk for AWS — vaulting AWS IAM access keys; rotation via CPM; session-based console access

Non-Human Identity and Secrets Management

The explosion of non-human identities — service accounts, API keys, certificates, tokens, SSH keys; these outnumber human identities in most organizations
Why non-human identities are risky: long-lived, often shared, rarely rotated, not monitored
Service account vaulting — traditional CyberArk approach; vault the password; CPM rotates
Managed identities — Azure Managed Identity, AWS IAM Role for EC2; no credentials to manage
Workload identity federation — OIDC-based; no static credentials; AWS Web Identity, GCP Workload Identity Federation
Application Integration — CyberArk Conjur or CCP (Central Credential Provider) for app-to-vault integration
Secrets sprawl — unmanaged secrets in code repos, config files, CI/CD variables; GitLeaks, truffleHog for detection

Just-In-Time Cloud Access Pattern

Azure PIM (Privileged Identity Management) — eligible role assignment; activate → MFA → time-limited
AWS IAM Identity Center — permission sets; time-bound access; no persistent elevated IAM users
GCP IAM Conditions — time-based conditions on IAM bindings
CyberArk SIA ZSP — ephemeral accounts created at session time; deleted after

Resources

CyberArk Cloud documentation (free)
Azure PIM documentation (free)
AWS IAM Identity Center documentation (free)

Stage 05

PAM Operations and Program Management

Beyond platform administration: running a PAM program at operational maturity.

PAM Governance

Account discovery program — continuously discovering unmanaged privileged accounts; CyberArk DNA; BeyondTrust Smart Rules
Onboarding SLA — all discovered privileged accounts onboarded within 30/60/90 days
Access review — periodic review of who has access to which safes; removing unused access
Exception process — accounts that cannot be onboarded to rotation (legacy system compatibility); documented risk acceptance; compensating controls
Break-glass procedure — emergency access when vault is unavailable; stored offline; dual control; logged

PAM Metrics

Privileged account inventory — total count; percentage managed by PAM
Rotation health — percentage of accounts rotating successfully; reconciliation failures
Session recording coverage — percentage of privileged sessions recorded
JIT adoption — percentage of privileged access using JIT vs standing privilege
Audit compliance — SOX/PCI evidence generation; response time to audit requests
Vault availability — uptime SLA for vault and PVWA

Audit Support

SOX audit — providing evidence of segregation of duties; who had access to financial systems; session recordings for specific periods
PCI-DSS audit — demonstrating Requirement 7 and 10 compliance; cardholder data environment privileged access controls
Internal audit — responding to access review findings; demonstrating remediation
Evidence collection — PVWA reports; vault audit logs; session recordings for specific accounts/dates

Incident Response Integration

Responding to credential compromise — disabling compromised vault accounts; forcing immediate rotation; reviewing session recordings
Investigating privileged session activity — replaying recordings; exporting keystroke logs; timeline reconstruction
Integrating PAM with SIEM — forwarding PTA alerts; vault audit logs; correlating with endpoint and network events
Post-incident privileged access hardening — removing unnecessary standing privileges; enforcing JIT

Resources

CyberArk community (free)
Idenhaus consulting blog (free, operational PAM guidance)

Stage 06

Hands-On Practice & Portfolio

Lab Setup

CyberArk Privilege Cloud trial — request sandbox from CyberArk; full SaaS deployment to practice
CyberArk community (community.cyberark.com) — lab environments; demo scenarios; troubleshooting guides
Home lab VMs — Windows Server VM as target; configure local admin vaulting in trial environment
API practice — PowerShell scripts for bulk account operations; REST API calls with Postman
BeyondTrust trial — 30-day trial available; Password Safe and PRA

What to Document on LabList

PAM implementation write-ups — onboarding process, policy design decisions, rotation configuration
Troubleshooting case studies — rotation failures diagnosed and resolved; PSM connectivity issues
API automation examples — PowerShell or Python scripts for bulk operations
Audit report examples — what evidence you generated and how
Cert progression — CyberArk Defender and Sentry documented with context

FAQ

Common questions

How long does it take to become a PAM Administrator?

2–3 years optimistic at 20–25 hours/week, 3–4 years realistic. PAM administration is a specialized identity track that rewards platform depth (CyberArk, BeyondTrust, Delinea) over breadth. The fastest paths run from sysadmin or IAM analyst roles into PAM specialization. Pure self-taught paths exist but enterprise PAM platforms aren't easily accessible without employer investment.

Which certifications matter for PAM?

CyberArk Defender + Sentry are the most-listed PAM credentials, given CyberArk's market leadership. BeyondTrust Privileged Access Engineer for BT shops. Delinea Certified Engineer for Delinea environments. SC-300 (Microsoft Identity) provides identity foundations. PAM is listed in the top security investment priorities for 2025–2026 (43% of CISOs).

Do I need a CS degree?

No. PAM administration rewards demonstrated platform configuration and operational depth over academic credentials. Career-changers from sysadmin, IAM analyst, and security operations backgrounds transition successfully. The technical bar is platform-specific — vault configuration, credential rotation policies, session monitoring, just-in-time provisioning — and is largely learned through hands-on lab work and on-the-job experience.

What separates a hired PAM Administrator?

Documented CyberArk or equivalent platform configuration. PAM administrator salaries reach $130K+ for senior roles because qualified practitioners are scarce. Other differentiators: credential rotation troubleshooting depth, session recording review experience, and integration work with SIEM/SOAR platforms. Credential-based attacks drive sustained PAM demand — organizations that have suffered identity-based breaches invest heavily in PAM.

PAM Administrator

Common questions

Related roles