How to Implement Privileged Access Management with CyberArk or BeyondTrust

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Privileged accounts: domain admins, service accounts, root users, database credentials: are in 80% of data breaches according to consistent industry reporting. PAM systems like CyberArk and BeyondTrust solve this by eliminating standing privilege: credentials are stored in an encrypted vault, injected into sessions without user exposure, rotated automatically, and all sessions are recorded. This guide covers the implementation mechanics for security engineers deploying PAM in an enterprise environment.
Understand the PAM Architecture
CyberArk PAM consists of four core components: (1) Digital Vault: the encrypted credential store, runs as a hardened Windows Server with no internet access and restricted network connectivity; (2) Central Policy Manager (CPM): rotates passwords on a schedule or after checkout, communicates with managed systems directly; (3) Privileged Session Manager (PSM): acts as a proxy for RDP and SSH sessions, injects credentials, records sessions; (4) Password Vault Web Access (PVWA): the web portal where users request access, view sessions, and administrators manage policies. BeyondTrust's equivalent architecture: Password Safe (vault + rotation), Privileged Remote Access (session proxy + recording), and the BeyondInsight management console. In both systems, users never see plaintext credentials: they launch sessions through the PAM portal and the system handles authentication. This credential injection model is the core security control.
Plan Your Onboarding Scope
Start with a privileged account discovery scan before configuring anything. In CyberArk, the Discovery and Audit (DNA) tool scans Active Directory and Windows hosts to inventory: local administrator accounts, domain admin group members, service accounts, scheduled task credentials, and IIS application pool identities. In BeyondTrust, use the Smart Rules discovery feature with Active Directory connector to enumerate privileged accounts. Prioritize onboarding in this order: (1) Domain admin accounts: highest impact if compromised; (2) Local administrator accounts with identical passwords across servers (PtH attack surface); (3) Service accounts with interactive logon rights; (4) Application database credentials hard-coded in config files. Do not attempt to onboard everything at once. Start with 50-100 accounts, validate the rotation and session proxy workflow, then expand. Service account onboarding is the most complex because you must update every service, scheduled task, and application using that credential before rotating.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Configure Credential Vaulting and Rotation
In CyberArk, create a Platform that defines rotation policy: password complexity (minimum 20 characters, mixed case, numbers, symbols), rotation interval (every 90 days or after each checkout), and the verification command (CyberArk attempts to authenticate with the new password after rotation to confirm success). For Windows local admin accounts, use the built-in 'WinDesktopLocalAccounts' platform. For domain service accounts, use 'WinDomain'. Configure the CPM connection component to reach the target systems: the CPM server needs network access to managed hosts on the appropriate port (445 for Windows, 22 for SSH). Create a Safe with a naming convention like SA-[Environment]-[Team] (e.g., SA-PROD-INFRA). Add the CPM as a Safe member with 'Access Safe without confirmation' enabled. Add the PSM as a member with 'Connect' permission. Add approver groups with 'Retrieve accounts' requiring dual control for high-privilege Safes.
Deploy Session Recording via PSM
CyberArk PSM acts as an RDP gateway: users connect to the PSM host, and PSM proxies the connection to the target server. Configure in PVWA: Administration > Configuration Options > Privileged Session Management. Set 'RecordAllConnections' to Yes. Session recordings are stored in the Vault and accessible via PVWA for audit playback. For SSH session recording, PSM for SSH (formerly known as OPM) installs as a bastion host that intercepts SSH connections. Configure AllowedTargetAddresses to restrict which hosts the PSM can proxy to: do not leave this unrestricted. In BeyondTrust Privileged Remote Access, configure the session recording storage location (on-premises storage or BeyondTrust Cloud) and enable 'Record All Sessions' in the Group Policy applied to privileged account connections. Test recording by connecting to a test account through the portal and verifying the recording appears in the session audit log within 60 seconds of session termination.
Implement Just-in-Time Access
Just-in-time access eliminates standing membership in privileged groups. In CyberArk with Conjur or Privilege Cloud, configure JIT via the Access Request workflow: users submit a request for a specific account with business justification, approvers (on-call security, manager) receive email/Teams notification, approved requests grant time-limited checkout (30 min to 8 hours), and the account is automatically checked back in and rotated after the window expires. In BeyondTrust, configure Smart Rules to add users to privileged groups temporarily: create a Smart Rule with condition 'User is in [requestor group]' and action 'Add to domain group [DomainAdmins]' with a time-limited session policy. For Entra ID JIT, use Microsoft Entra Privileged Identity Management (PIM): assign eligible (not permanent) role assignments for Global Admin and privileged roles, require MFA and justification for activation, set maximum activation duration to 8 hours, and configure alerts for standing permanent assignments.
Onboard Service Accounts Safely
Service account onboarding requires a dependency mapping step first. Before rotating a service account password, identify every service, scheduled task, IIS app pool, COM+ application, and database connection string using that credential. PowerShell for Windows services: Get-WmiObject Win32_Service | Where-Object {$_.StartName -like '*svc_accountname*'} | Select Name, StartName, State. For scheduled tasks: Get-ScheduledTask | Where-Object {$_.Principal.UserId -like '*svc_accountname*'}. Create a rotation runbook: (1) Notify application team 48 hours before rotation; (2) CPM rotates the password in the vault; (3) PSM-based automation or a custom CPM plugin updates the service credential; (4) Services restart in dependency order; (5) Verify all dependent services are running; (6) If any service fails, CPM reconciles back to the previous password. The reconcile capability is why you should test service account rotation in a non-production environment first: a failed rotation without reconcile means manual password reset and potential outage.
Monitor PAM Usage and Alert on Anomalies
CyberArk generates audit events for every vault operation. Forward to your SIEM via syslog or the CyberArk Syslog Integration. Key alert rules: (1) Direct logon to managed account bypassing PAM: if Event ID 4624 shows a privileged account logging in from a non-PSM IP, someone used the credential outside the vault (CPM should have rotated it, making this impossible unless the account was never properly onboarded); (2) Excessive checkout requests: a single user requesting 10+ accounts per hour; (3) Failed checkout attempts on high-privilege Safes; (4) CPM rotation failures: if CPM cannot rotate a credential, the password is potentially known to the last user who checked it out; (5) Session recording upload failures: gaps in session audit coverage. In BeyondTrust, configure BeyondInsight SIEM integration to forward all credential access events. Set up a weekly review of accounts where CPM reconciliation was triggered (password mismatch between vault and target system): these indicate out-of-band password changes that bypass PAM.
The bottom line
PAM implementation success depends on three mechanics working correctly: credential vaulting with automatic rotation (CPM/Password Safe), session proxying that injects credentials without user exposure (PSM/PRA), and just-in-time access that eliminates standing privilege. Start with domain admin accounts and local administrator accounts across servers, validate the full checkout-session-rotation cycle in non-production, then expand. Service account onboarding requires dependency mapping before any rotation attempt.
Frequently asked questions
What is the difference between CyberArk CPM and PSM?
CPM (Central Policy Manager) handles credential rotation: it connects to managed systems and changes passwords on a schedule or after each checkout, then verifies the new credential works. PSM (Privileged Session Manager) handles session proxying: it acts as a jump server that injects credentials into RDP or SSH sessions without revealing the password to the user and records all session activity for audit. Both are required for a complete PAM deployment; CPM manages credentials and PSM manages sessions.
How do I onboard service accounts to CyberArk without causing outages?
Before onboarding a service account to CyberArk, map all dependencies using PowerShell to enumerate every Windows service, scheduled task, IIS app pool, and application using that credential. Create a rotation runbook that notifies the application team 48 hours in advance, configures CyberArk's CPM plugin to update each dependent service after rotation, and verifies all services restart successfully. Test the full rotation cycle in a non-production environment first. Configure CPM reconciliation so that if a rotation fails partway through, the vault automatically reverts to the previous known-good password.
How does BeyondTrust Password Safe differ from CyberArk PAM?
BeyondTrust Password Safe and CyberArk PAM are both enterprise PAM platforms covering the same core functions (credential vaulting, rotation, session recording), but with architectural differences. CyberArk is generally considered the market leader for very large enterprises and has deeper Active Directory integration and more mature plugin ecosystem. BeyondTrust Password Safe has a reputation for simpler deployment and more flexible licensing. BeyondTrust also bundles Privileged Remote Access (secure vendor access portal) as an integrated product. Key evaluation criteria: total cost of ownership (CyberArk licensing is typically higher), deployment complexity (both require significant professional services engagement), and whether you need vendor remote access capabilities built in.
What is just-in-time (JIT) privileged access and how does it work in PAM?
Just-in-time privileged access means accounts only have elevated permissions for the duration of an approved task — there are no standing privileged accounts with permanent admin rights. Implementation in PAM: an analyst requests access to a specific account (e.g., a local admin account on server XYZ) via the PAM portal, provides a reason and estimated duration, the request is approved (automatically or by a manager), the PAM system grants time-limited checkout of the credential (or grants group membership temporarily), the session is recorded, and privileges are revoked when the checkout expires or the session ends. JIT eliminates the primary attack surface for lateral movement: if no accounts have standing admin rights, stolen credentials give attackers no elevation.
How do I size a CyberArk deployment for my organization?
CyberArk deployment sizing factors: number of managed accounts (the primary licensing metric — count all privileged user accounts, service accounts, local admin accounts, and cloud credentials that will be vaulted); number of concurrent sessions (PSM session recording requires significant storage and CPU; plan 1 PSM server per 25-50 concurrent sessions); vault redundancy (production deployments require a primary and DR vault, typically in different data centers); and network topology (CPM must be able to reach managed systems for rotation, which may require network segments or jump hosts). For organizations under 500 managed accounts: a single vault, one CPM, and one PSM on reasonably spec'd VMs is sufficient. Engage CyberArk or a certified partner for formal sizing above 1,000 managed accounts.
How do you handle PAM credential rotation for accounts that are used by multiple applications or services simultaneously?
Shared credential rotation is one of the most operationally complex PAM scenarios and requires a dependency-aware rotation sequence. Before onboarding a shared service account, use a combination of `Get-WmiObject Win32_Service`, `Get-ScheduledTask`, IIS application pool enumeration, and application configuration file scanning to produce a complete dependency map: every consumer of that credential must be in the map before rotation is attempted. Configure the CPM plugin to execute a pre-rotation notification step that calls a webhook or sends a message to a change management queue, then pauses for a configurable window (typically 2-5 minutes) to allow consuming applications to enter a graceful degraded state. After rotation, the CPM plugin should invoke service restart commands in dependency order (databases first, then application servers, then web tiers) and run a health-check verification step: if any health check fails, CPM triggers reconciliation and reverts to the previous password automatically. For accounts where simultaneous consumers cannot tolerate rotation downtime at all, implement a dual-credential rotation pattern: maintain two vaulted passwords for the account and rotate them alternately, with a transition period where both are valid; this requires application support for credential reload without restart, which should be validated in a non-production environment before production rollout.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
