Interview: Why identity is the nucleus for cyber security
Amid a wave of market consolidation, Computer Weekly speaks to Keeper Security’s leadership on how identity and access management systems are becoming unified identity platforms capable of securing both human and machine identities
Identity security is fast becoming the foundation of cyber security, driven by the proliferation of non-human identities (NHIs) and artificial intelligence (AI) agents, which are outnumbering human employees by a ratio of up to 100 to one in some cases, according to Keeper Security CEO Darren Guccione.
Against this backdrop, Guccione and Keeper’s chief technology officer (CTO) Craig Lurey noted that the market is moving away from fragmented identity security offerings towards unified platforms that can secure not only employee access to corporate systems but also machine-to-machine interactions.
Speaking to Computer Weekly from the company’s regional head office in Tokyo, the two leaders discuss the inevitability of platform consolidation, the mechanics of securing AI agents, the company’s growth strategy, and why the line between consumer and enterprise security is blurring.
Editor’s note: This interview has been edited for clarity and brevity.
We’ve seen significant mergers and acquisitions in the identity market, such as CyberArk being sold to Palo Alto Networks for $25bn. Is identity security becoming commoditised as some might say, and how do you view this consolidation?
Darren Guccione: I don’t think the space is being commoditised, especially with the rapid proliferation of NHIs, machines and agentic AI. We are already seeing NHIs outnumber human identities in the enterprise by ratios between 25:1 and 100:1. From our perspective, identity security is going to be the nucleus of cyber security. Whether you’re a human, a machine, an NHI or an AI agent, every one of those needs to have an identity, which makes identity the natural security perimeter for the enterprise.
What you are going to see over the next 12 to 24 months is the accelerated consolidation of platforms. Security platforms are going to have to merge to deliver unified visibility, control, compliance and reporting. We view moves like Palo Alto Networks’ acquisition activity as a strong signal of this. The reality is that standalone, serialised applications cannot solve modern attack vectors because attackers know these products traditionally do not talk to each other.
Keeper started in the PAM space. Are you looking at expanding capabilities beyond that? Do customers have concerns about giving up best-of-breed capabilities in favour of a platform approach?
Guccione: We focus on identity security as a whole. While traditional PAM products were designed primarily for IT departments to mitigate insider threats, KeeperPAM is an all-encompassing, enterprise-wide solution. We are broadening identity security to act as a control plane for brokering and governing all assets – humans, machines, NHIs and AI agents.
The idea that suppliers have to create complex solutions to solve complex problems is a major problem in our industry. We work incredibly hard – often 18- to 20-hour days – to build elegant, easy-to-use security platforms that assimilate into any existing identity stack. Our platform includes hundreds of integrations, whether for CNAPP, IGA, SSO [single sign-on], or MFA [multifactor authentication], without forcing customers to radically change their technology or buy new hardware.
If you’re going to be successful in this industry and have the growth that Keeper has, it’s important that you build products that integrate quickly and mitigate friction in deployment and provisioning to close critical visibility gaps and vulnerabilities across the entire enterprise.
Could you provide some colour on the growth Keeper is seeing, particularly in the Asia-Pacific region? What is your go-to-market strategy?
Guccione: We are in our Tokyo office, which is our headquarters for Asia-Pacific. Since launching here roughly three years ago, we’ve grown from zero to a dozen channel partners. Globally, we are a channel-first organisation selling in 150 countries. Our growth has been somewhat meteoric – essentially doubling revenue on our B2B [business-to-business] platform almost every year since inception, maintaining record gross profits and record Ebita [earnings before interest, tax and amortisation].
Uniquely, we do not rely on cold calling or dedicated teams doing prospecting. Instead, we operate a sophisticated, high-velocity demand generation engine. Our marketing organisation generates leads for each segment – Soho [small office home office], SME [small and medium-sized enterprises], mid-market, enterprise and public sector – using a combination of PPC [pay-per-click] advertising, TV, radio, affiliates, influencers and event sponsorships like our partnership with Williams F1 Racing.
We are a debt-free organisation; we have no bank loans or capital lease obligations. We operate on a capital-efficient basis, redeploying profits to drive growth. For example, we recently hired more people in four months than in all of the previous year.
In terms of market segments, our sweet spot is any organisation targeted by cyber criminals. We also have a multi-tenant version for managed service providers and managed security service providers. We are currently adding between 800 and 900 new B2B customer accounts per month.
Do you provide on-premise deployments, particularly for customers in regulated industries that require it?
Craig Lurey: Our platform utilises zero-knowledge encryption, meaning we cannot decrypt our customers’ data. This is a major differentiator. We do not provide a self-hosted solution – that’s not where the market is going. It is about providing a cloud solution where the customer controls the entire encryption process on their side.
However, we do have on-premise components that act as proxies for tasks like privileged session management, rotating service accounts, or infrastructure management. But the core platform remains cloud based. Customers can choose their specific geographic datacentre location to hold their encrypted ciphertext.
Do you use hyperscalers for this, and are there plans for Microsoft Azure or Google Cloud in the future?
Guccione: We are on AWS [Amazon Web Services] all the way. While we might consider Microsoft Azure or Google Cloud for specific government opportunities in the future, the hosting provider doesn’t change the product’s functionality. Our product helps customers manage their infrastructure across AWS, Azure, Google and on-premise. Because we are an AWS-based platform, we roll out automated updates every 30 days globally across all interfaces, ensuring no customer is stuck on an old version. We use a strictly automated deployment process – from development to production – that ensures updates reach all regions simultaneously.
How are you applying AI in identity management, and how do you govern the AI agents themselves?
Guccione: We were the first to launch KeeperAI, an agentic threat detection and response layer. It tracks privileged user behaviour in real time. If a user acts outside certain parameters, the system can automatically lock them down or terminate the session in seconds. This replaces the need to wait weeks to analyse SIEM [security information and event management] data after a breach.
Lurey: Our platform manages human, machine, and AI identities in one interface through Keeper Secrets Manager. We provide APIs [application programming interfaces] and SDKs [software development kits] that allow customers to build AI agents, CI/CD [continuous integration and deployment] pipelines or Terraform infrastructure while maintaining full governance. All event logs – whether from a human or an agent – are centralised and can be sent to a SIEM provider or used to run reports.
On top of that, customers can hook Keeper into their selected LLM [large language model] to do threat detection and classification in real time for things like privileged sessions, remote connections or any sort of user access that’s taking place. We’re expanding that to include AI agents and providing access to the underlying infrastructure through our MCP [model context protocol] services to those AI agents.
Given your strong financial position, are you looking to build these capabilities on your own or consider acquisitions?
Guccione: It is a matter of the coefficient of time. If it would take two to five years to build a technology, we look at acquisitions. For example, we acquired Glyptodon – creators of the Apache Guacamole remote display protocol – a few years ago, which became the foundation for Keeper Connection Management that supports tunnelling and other capabilities like remote browser isolation. We are launching a major new component of that very soon. Our goal is to be the single pane of glass across the entire organisation, with identity security for all assets and layering governance on top of that.
Ultimately, Keeper’s progression is such that it decides if AI is allowed to transact inside the environment. When we decide that it’s able to transact, we are the control plane which allows AI to convert from knowledge to embedded infrastructure. A human is no longer going to go into your machine and install an upgrade; it’s going to be an agent that’s doing that, and that agent needs an identity, a role, access control policies, and to be monitored, verified and reported against – the whole nine yards.
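The governance model Guccione and Lurey describe – one identity control plane that applies the same role policy and behavioural baseline to a human administrator and to an AI agent, terminates a session the moment it steps outside those parameters, and writes every decision to a single audit trail a SIEM can ingest – can be sketched as a small policy engine. The following is an added illustration written for this page, not Keeper’s code or configuration; the roles, hosts, thresholds, identity names and events are all constructed for the example.

```python
"""Illustrative policy engine for a unified identity control plane.

Added example, not Keeper Security code. A human and an agent are
evaluated by the same rules; every decision becomes one audit record
with an identical schema so it can be forwarded to a SIEM as-is.
"""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    """One principal; an agent carries the same fields as a human."""
    name: str
    kind: str   # "human" or "agent" (constructed taxonomy)
    role: str


# Constructed role policy: hypothetical roles, actions and target hosts.
ROLE_POLICY = {
    "dba": {"actions": {"db.read", "db.write"}, "targets": {"db-prod-01"}},
    "patch-agent": {"actions": {"host.patch"}, "targets": {"web-01", "web-02"}},
}

# Constructed behavioural baseline a privileged session must stay within.
MAX_ACTIONS_PER_SESSION = 3
ALLOWED_HOURS = range(8, 20)   # 08:00 to 19:59 local time


@dataclass
class Session:
    identity: Identity
    actions: int = 0
    terminated: bool = False


def evaluate(session: Session, action: str, target: str, hour: int, audit: list) -> str:
    """Return 'allow' or 'terminate' for one privileged action and record it.

    Termination is sticky: once the session is killed, every later request
    is refused, which is what 'lock them down in seconds' means in policy.
    """
    reason = None
    policy = ROLE_POLICY.get(session.identity.role)
    if session.terminated:
        reason = "session already terminated"
    elif policy is None:
        reason = "unknown role"
    elif action not in policy["actions"] or target not in policy["targets"]:
        reason = "outside role policy"
    elif hour not in ALLOWED_HOURS:
        reason = "outside allowed hours"
    else:
        session.actions += 1
        if session.actions > MAX_ACTIONS_PER_SESSION:
            reason = "action rate exceeded baseline"

    decision = "allow" if reason is None else "terminate"
    if decision == "terminate":
        session.terminated = True
    # Same record shape for humans and agents; this is what a SIEM would ingest.
    audit.append({
        "identity": session.identity.name,
        "kind": session.identity.kind,
        "role": session.identity.role,
        "action": action,
        "target": target,
        "hour": hour,
        "decision": decision,
        "reason": reason or "within policy and baseline",
    })
    return decision


def to_jsonl(audit: list) -> str:
    """Serialise the audit trail as JSON Lines, a common SIEM ingestion format."""
    return "\n".join(json.dumps(rec, sort_keys=True) for rec in audit)


def run_demo() -> tuple:
    """Drive constructed events through the engine; return (decisions, audit)."""
    audit = []
    human = Session(Identity("alice", "human", "dba"))
    agent = Session(Identity("patch-bot-7", "agent", "patch-agent"))
    night = Session(Identity("backup-bot", "agent", "patch-agent"))
    decisions = [
        evaluate(human, "db.read", "db-prod-01", 10, audit),   # allow
        evaluate(human, "host.patch", "web-01", 10, audit),    # terminate: not her role
        evaluate(human, "db.read", "db-prod-01", 10, audit),   # terminate: session dead
        evaluate(agent, "host.patch", "web-01", 9, audit),     # allow (1)
        evaluate(agent, "host.patch", "web-02", 9, audit),     # allow (2)
        evaluate(agent, "host.patch", "web-01", 9, audit),     # allow (3)
        evaluate(agent, "host.patch", "web-02", 9, audit),     # terminate: 4th exceeds baseline
        evaluate(night, "host.patch", "web-01", 2, audit),     # terminate: outside hours
    ]
    return decisions, audit


if __name__ == "__main__":
    decisions, audit = run_demo()
    print(decisions)
    print(to_jsonl(audit))
```

The point of the sketch is that the agent is not a special case: it is provisioned with a role like any human, its policy violations and rate anomalies are caught by the same checks, and its records sit in the same log. A real deployment would replace the in-memory baseline with learned behaviour and the JSON Lines output with a syslog or HTTPS forwarder.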
You still have a consumer business. Typically, B2B tech companies focus just on the enterprise. What is the role of the consumer business for you?
Guccione: We believe personal and professional lives should be kept private and separate. When we sell to an enterprise, every user gets a free family plan for their household. This protects the enterprise by encouraging good habits at home and prevents the commingling of corporate and personal data.
This creates a flywheel effect: individuals who love using Keeper at home often introduce it to their employers. Conversely, if someone leaves a company, they can take their personal vault with them. We don’t believe in only selling to large enterprises – we protect the world. If you have bad habits as an individual with respect to password hygiene, you’re going to bring that into the enterprise, and we can’t allow that.
We have to be able to educate you on what’s healthy by virtue of creating software that enforces positive behaviours, and at the same time – believe it or not – enhances your productivity. You are more productive when you use Keeper because you’re not fumbling around with passwords.