CyberArk Makes Identity Security Play With Zilla Acquisition

CyberArk acquired Boston-based startup Zilla, as part of its plans to identity and access governance (IGA) capabilities to its privilege access management (PAM) platform. The $165 million deal announced Thursday has already closed.

Zella is a small IAG provider that was led cofounded by Aveksa founder  and CEO Deepak Taneja.  CyberArk said it had $5 million in annual recurring revenue (ARR) last year, with 40 employees and 125 customers. During CyberArk's earnings call with investors, CEO Matt Cohen touted Zilla's "modern" IGA platform.

"In stark contrast to legacy IGA systems, Zilla's modern IGA SaaS platform was built from scratch to address today's digital environments characterized by an explosion of staff applications, decentralized management and identity-based security threats," Cohen said. "Leveraging AI-driven role management, Zilla automates the processes of identity, compliance and provisioning, making governance easy, intuitive and all-inclusive for the modern enterprise."

Cohen claimed that customers can deploy Zilla five times faster than traditional IGA offerings, which results in 60% fewer service tickets. "Legacy IGA are often slow to deploy, difficult to integrate, have limited integration with modern systems, and are reliant on manual processes," Cohen said.

Because CyberArk is integrating Zilla into its platform, Cohen said that it won't only manage entitlements, provisioning and compliance. From the same tool, it will grant access and provide controls. "That integrated nature then creates a much more secure footprint across these modern environments," he said.

CyberArk, whose annual revenues topped $1 billion for the first time last year, has been aggressively expanded its PAM and identity and access management (IAM) portfolio. Last year, CyberArk acquired non-human identity (NHI) provider Venafi for $1.6 billion.

Identity and Access Governance is Vital

CyberArk's announcement came on the same day that SailPoint returned to the public markets, two years after Thoma Bravo purchased it for $6.9 billion and took it private. Thoma Bravo spun out 60 million shares, roughly 12 percent of the company, to raise an estimated $1.38 billion in the first major tech IPO of 2025. SailPoint, the largest IGA provider, estimated in its prospectus recurring revenues of $875 million in the fiscal year that ended Jan. 31, a 41% increase over the prior year. While the company hasn't been profitable, SailPoint reported net loss improved to $235.7 million in the first nine months of 2024, a 23.5% improvement over the previous year.

Just as CyberArk is expanding its IGA offerings, SailPoint has been moving into CyberArk's space with its 2023 acquisition of PAM provider Osirium. In December 2024, SailPoint acquired Imprivata's identity governance and administration unit for $10.7 million plus up to $7.4 million in earnouts.

Alex Bovee, CEO of ConductorOne, another IGA startup that offers a SaaS-based offering to compete with SailPoint and Zilla, says IGA has become an increasingly vital component of cybersecurity posture.

"I think the bull view on this is that every single security company is recognizing that identity and identity governance are critical parts of the stack, and that's why CyberArk made this investment," Bovee said. "CyberArk is traditionally a privileged access management solution, but the future is these converged identity platforms."