CyberArk Integration
What It Is
The CyberArk integration connects Hydden Discovery to the CyberArk Identity Security Platform. Hydden collects account, group, and vault data from CyberArk, then combines it with identity data from all other connected systems. This gives your security team a single view of every privileged account, whether it is vaulted or not.
Why It Matters
Privileged accounts are a top target for attackers. Organizations that use CyberArk protect credentials through vaulting, but gaps remain when accounts exist outside the vault. Hydden closes those gaps by discovering all accounts across your environment and showing which ones CyberArk already manages and which ones still need protection.
Without this integration, security teams must manually compare account lists across systems. With it, Hydden automates that comparison and provides clear actions to close coverage gaps.
How It Works
The integration operates in three layers: data collection, identity correlation, and vault onboarding.
- Data collection — The CyberArk collector connects to your CyberArk instance and retrieves user accounts, service accounts, vaulted accounts, groups, group memberships, MFA status, and account status. Hydden supports both cloud and on-premises CyberArk deployments.
- Identity correlation — Hydden maps CyberArk accounts to identities discovered from other platforms such as Active Directory, Azure, AWS, and Linux hosts. This mapping reveals which people and services have privileged access and where that access overlaps.
- Vault onboarding — When Hydden finds unvaulted accounts, you can add them to a CyberArk safe or the CyberArk discovery pipeline. This action is available directly from the Hydden interface, turning a manual process into a streamlined workflow.
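The comparison that the correlation and vault-status layers perform can be sketched as follows. This is an added example, not Hydden or CyberArk code: the record fields (platform, scope, name, identity, privileged), the function names, and all sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample inventory. Field names are assumptions for this example,
# not a Hydden or CyberArk schema.
DISCOVERED = [
    {"platform": "ActiveDirectory", "scope": "CORP", "name": "svc_backup", "identity": "backup-service", "privileged": True},
    {"platform": "ActiveDirectory", "scope": "corp", "name": "Jdoe-adm", "identity": "jdoe", "privileged": True},
    {"platform": "Linux", "scope": "db01", "name": "root", "identity": None, "privileged": True},
    {"platform": "Linux", "scope": "db02", "name": "root", "identity": None, "privileged": True},
    {"platform": "AWS", "scope": "111111111111", "name": "jdoe", "identity": "jdoe", "privileged": False},
]
VAULTED = [
    {"platform": "ActiveDirectory", "scope": "CORP", "name": "SVC_BACKUP"},
    {"platform": "Linux", "scope": "DB01", "name": "root"},
]

def account_key(rec):
    """Normalize to (platform, scope, name). Scope is the domain, host, or cloud
    account, so root on db01 and root on db02 stay separate accounts."""
    platform = rec["platform"].lower()
    scope = rec["scope"].lower()
    # Linux usernames are case-sensitive; other names are case-folded in this example.
    name = rec["name"] if platform == "linux" else rec["name"].lower()
    return (platform, scope, name)

def coverage_report(discovered, vaulted):
    """Sort every discovered account into one of three coverage buckets."""
    vaulted_keys = {account_key(v) for v in vaulted}
    report = {"vaulted": [], "unvaulted_privileged": [], "unvaulted_other": []}
    for rec in discovered:
        key = account_key(rec)
        if key in vaulted_keys:
            report["vaulted"].append(key)
        elif rec["privileged"]:
            report["unvaulted_privileged"].append(key)
        else:
            report["unvaulted_other"].append(key)
    return report

def gaps_by_identity(discovered, vaulted):
    """Group unvaulted privileged accounts under the identity they map to."""
    vaulted_keys = {account_key(v) for v in vaulted}
    gaps = defaultdict(list)
    for rec in discovered:
        key = account_key(rec)
        if rec["privileged"] and key not in vaulted_keys:
            gaps[rec["identity"] or "<unmapped>"].append(key)
    return dict(gaps)
```

Keying on scope as well as name is what keeps a vaulted root account on one host from masking an unvaulted root account on another.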
What You Can Do
After you set up the integration, you can:
- View vault coverage — Open the Vaulted Account Management report in the Search Library to see which accounts are vaulted, which are discovered, and which need attention.
- Search by platform — Use Global Search to filter accounts and groups by the CyberArk platform, review account types, and check identity mappings.
- Onboard accounts — Add unvaulted accounts to a CyberArk safe or the CyberArk discovery pipeline with a few clicks, directly from search results.
- Use vaulted credentials — Store credentials for other Hydden data sources inside CyberArk safes and retrieve them securely during collection runs.
- Sign in with CyberArk — Use CyberArk as your OpenID Connect provider for single sign-on to the Hydden platform.
- Detect threats — Apply Hydden threat detection rules to privileged accounts. Identify unusual access patterns, dormant service accounts, and accounts with excessive permissions.
Key Capabilities
| Capability | Description |
|---|---|
| Account discovery | Collects user, service, and vaulted accounts with MFA and status details |
| Group visibility | Discovers groups and group memberships from the CyberArk platform |
| Vault status tracking | Shows which discovered accounts are vaulted and which are not |
| Safe onboarding | Adds accounts to a CyberArk safe directly from Hydden |
| Discovery pipeline | Adds accounts to the CyberArk discovered accounts list |
| Credential provider | Retrieves credentials from CyberArk safes for use in Hydden collections |
| SSO via OIDC | Authenticates Hydden users through the CyberArk identity platform |
Set Up the Integration
The following steps outline the full CyberArk integration setup. Complete them in order.
Single Sign-On (Recommended)
Set up single sign-on to Hydden from CyberArk using OpenID Connect. Refer to How to Configure a CyberArk OpenID Provider.
Data Collector
The CyberArk collector discovers internal and external user accounts, service accounts, vaulted accounts, groups, group memberships, MFA settings, and account status.
- Create a CyberArk credential in Hydden. Refer to Creating a CyberArk Credential.
- For on-premises deployments only: Configure the CyberArk service account. Refer to On-Prem PAM Service Account.
- Add the CyberArk collector module to a client. Refer to Adding the CyberArk Module.
- Create a CyberArk data source. Refer to How to Configure a CyberArk Data Source.
CyberArk Credential Provider
- Set up the CyberArk Central Credential Provider (CCP). Refer to Configure a CCP with SSL.
- Create a vaulted credential in Hydden. Refer to Adding a Vaulted Credential.
Next Steps
After the integration is configured and a collection has run:
- View the discovered CyberArk data in the Search Library and Global Search.
- Onboard discovered accounts to CyberArk via the discovery pipeline or directly into a safe.
