Delinea — Identity Security Diligence Report
Delinea is a scaled identity-security platform with >$400M ARR, a broad product surface, and credible customer proof, but valuation and capital-structure opacity keep the name in track territory until a real pricing and disclosure event emerges.
Cover facts
Company profile
Delinea is a sponsor-backed identity-security platform created from the 2021 Thycotic/Centrify combination and relaunched under the Delinea brand in 2022. Public materials show a broad product surface spanning privileged access management, authorization, remote access, governance, and secrets workflows, anchored by products such as Secret Server, Privilege Manager, Fastpath, and newer AI-driven authorization capabilities. As of 2025, the company publicly described ARR above $400 million, a SaaS-majority mix, more than 8,500 organizations disclosed in prior milestone materials, and continued platform expansion through channel investment and acquisitions. What remains private are the most important underwriting details: current valuation, capital structure, retention quality, and audited unit economics.
- Website: delinea.com
- Founded: 2021-04-01
- Founding location: Sponsor-led Thycotic/Centrify combination
- Headquarters: San Francisco, California, USA
- Product: Identity-security platform covering privileged access management, endpoint and server privilege, remote access, identity threat protection, governance controls, secrets management, and AI-driven authorization across human and machine identities.
- Customers: Enterprise and upper-midmarket organizations with privileged-access, audit, compliance, and hybrid-infrastructure needs; public proof spans manufacturing, retail, utilities, telecom, media, and finance-control environments.
- Business model: Predominantly recurring enterprise software sold through direct and partner channels; public evidence points to a SaaS-majority mix with quote-led packaging and module cross-sell across PAM, authorization, governance, and adjacent controls.
- Stage: Sponsor-backed private company with IPO-registration-style signals but no current public price
- Funding status: Historical public benchmark: TPG acquisition at $1.4B in 2021. Current valuation, debt, and preference stack remain undisclosed in reviewed public sources.
Executive summary
Top strengths
- >$400M ARR and a SaaS-majority mix indicate Delinea has reached real recurring-revenue scale in identity security.
- The product surface now spans PAM, authorization, governance, secrets, remote access, and identity-threat workflows rather than a single vault product.
- Public customer proof is materially better than a logo wall, with named case studies and a dated but meaningful 8,500+ organization footprint disclosure.
- Relevant public identity/security comparables still support meaningful valuation bands for scaled assets in the category.
- Sponsor backing and platform-expanding acquisitions create strategic optionality for a future IPO or sponsor exit process.
Top risks
- No current public valuation mark, debt picture, preference stack, or exit-waterfall detail exists, so investors cannot judge today’s price.
- Security-process risk remains real after the 2024 disclosure controversy, public CVEs, and visible advisory / status activity.
- NRR, gross margin, cash generation, and concentration are undisclosed, preventing clean calibration inside the public comp set.
- Public-sector upside should be treated cautiously because FedRAMP remains under assessment rather than fully authorized.
- Third-party market-data profiles conflict materially on valuation, revenue, and other basics, increasing diligence friction.
Open gaps
- Current valuation mark, cap table, debt schedule, and preference / waterfall economics.
- Audited ARR, NRR, GRR, gross margin, and services-mix bridge.
- Customer concentration, cohort retention, and expansion behavior by product family.
- Clear evidence of IPO readiness, banker engagement, or sponsor exit timing.
- Management-confirmed headcount, board composition, and current ownership percentages.
01 Company Overview
1.1 Identity, origin, and product scope
Delinea’s current official story is broader than traditional privileged access management. The about page, platform pages, and 2025-2026 releases describe an identity security control plane built around centralized authorization, Delinea Iris AI, and continuous governance across human, machine, and AI identities. That broader platform claim matters because the company still monetizes a recognizable PAM portfolio underneath it: Secret Server, Privilege Manager, Cloud Suite/Server PAM, DevOps Secrets Vault, Identity Threat Protection, and related control modules are all still live products or transition-era offerings. The company’s origin story also needs precision. Official launch materials say Delinea was formed in April 2021 from the Thycotic/Centrify merger and then publicly launched the Delinea brand in February 2022. Older dates such as 1999 or 2004 appear in third-party databases, but those look more like predecessor or legal-lineage artifacts than the clean commercial start date for the merged Delinea brand.[CO001, CO002, CO003, CO004, CO005, CO006]
| Metric | Value / status | As of | Confidence | Gap / diligence note |
|---|---|---|---|---|
| Commercial formation narrative | Formed via Thycotic/Centrify combination; Delinea brand launched in 2022 | 2021-2022 | high | 1999/2004 dates in databases look like predecessor lineage rather than the clean Delinea brand start |
| Current category | Identity security control plane / centralized authorization platform | 2025-2026 | high | Narrative still rests on underlying PAM products and modules |
| Best-supported headquarters | San Francisco current profiles; earlier official releases used Redwood City and Washington, DC datelines | 2025-2026 / historical | medium | Needs management-confirmed HQ/legal-entity map |
| Ownership / stage | Private-equity-backed with IPO-registration signal in PitchBook preview | 2025 | medium | No public filing package or new post-2021 valuation disclosed |
| Historical public transaction benchmark | $1.4B TPG acquisition benchmark on Crunchbase | 2021-03 | medium | Historical control event, not evidence of a fresh growth round |
| ARR scale | Approaching $400M at FY2024 close; above $400M by Aug. 2025 | 2025 | high | Company-issued figures; no audited public financials reviewed |
| Recurring revenue mix | 95% of GAAP revenue recurring | 2025-03 | high | Supported by the March 2025 official year-end release |
| Customer disclosure | 8,500+ organizations as of Q2 2024; later pages say thousands worldwide and >50% of Fortune 100 | 2024-2026 | medium | No exact 2025/2026 customer count or 17,000+ corroboration found |
| Headcount disclosure | 501-1000 Crunchbase; 1,136 PitchBook; ~1.2K GetLatka | 2025-2026 | medium | Third-party directory estimates conflict materially |
| Platform operating signals | 99.995% uptime, 500+ integrations, 1M+ identities secured daily | 2025-2026 | medium | All are company-claimed operating metrics |
This table mixes official operating claims with third-party ownership, headcount, and location profiles; public metrics are directionally strong, but customer count, valuation, and HQ data still need management reconciliation.[CO012, CO013, CO001, CO020, CO021, CO025]
The merged-company story links legacy PAM assets to a broader identity-security platform, then uses sponsor backing and enterprise traction to fund further AI and authorization expansion.[CO005, CO006, CO007, CO008, CO009, CO010]
Current public data shows robust platform scale and ARR momentum, but exact customer and valuation disclosure still lag operational maturity.[CO032, CO031, CO030, CO004, CO003]
1.2 Leadership, governance, and operating footprint
The leadership record supports continuity at the top but also shows meaningful GTM and finance evolution. Art Gilliland has remained the clearest public face of the company from the merger period through the 2025-2026 growth releases, while James Legg initially served as president of the merged business before handing the role to Rick Hanson in 2022 and then to Chris Kelly in 2025 for go-to-market leadership. Stephanie Reiter emerges as the public financial voice in the 2025 ARR releases, and the reviewed company announcements also identify legal, product, channel, and regional expansion leaders across the post-merger bench. Governance visibility is weaker. Public materials name Pascal Van Dooren as a board member in 2021, but the current board roster and any observer or sponsor-control terms are not disclosed in reviewed public sources. Physical-footprint evidence is also imperfect: current directory-style profiles point to San Francisco, while earlier official releases used Redwood City and Washington, DC datelines. The practical conclusion is that San Francisco is the best-supported current HQ, but location history should be treated as a moving target rather than a single timeless fact.[CO014, CO015, CO016, CO017, CO018, CO019]
| Person | Role | Public background / relevance | Functional coverage | Key-person / diligence note |
|---|---|---|---|---|
| Art Gilliland | CEO | Centrify-era leader who became CEO of the merged business and remains Delinea’s principal public voice in 2025-2026 releases | Overall strategy, platform narrative, sponsor interface | High key-person dependence at overview level |
| Chris Kelly | President, GTM | Joined in Jan. 2025 after senior revenue leadership at CyberArk, Adobe, and Cisco | Global sales, channels, solution engineering, customer success | Signals continued enterprise go-to-market scaling |
| Rick Hanson | President (2022 handoff) | Took GTM leadership from James Legg in Aug. 2022 after roles at Onapsis and Brightcove | Historical GTM transition marker | Role appears historical after Chris Kelly appointment |
| Stephanie Reiter | Chief Financial Officer | Quoted as CFO in 2025 ARR releases and speaks to growth, margins, and demand | Financial planning, disclosure, margin narrative | Need audited disclosure depth beyond press releases |
| Suzanne Tom | Chief Legal Officer | Joined in 2021 during post-merger bench buildout | Legal, compliance, governance process | Important for regulated-sector growth and disclosure discipline |
| Pascal Van Dooren | Board member (publicly named) | Only board member explicitly identified in reviewed current-era public sources | Board oversight / external governance signal | Full current board roster still not public |
| Spence Young | SVP Sales, EMEA & APAC | Promoted in 2025 and quoted in 2026 regional expansion release | International revenue execution and regional scale | Supports growth story but not a substitute for full org-chart transparency |
The merged-company history does not map neatly to a single founder narrative; this table instead covers the publicly visible leadership bench and the only public board name identified in reviewed sources.[CO014, CO015, CO016, CO017, CO018, CO019]
1.3 Ownership, capital history, and valuation visibility
Overview-level ownership evidence points first to TPG, not to a broad late-stage venture syndicate. The 2021 combination release says TPG acquired Thycotic from Insight Partners, had already completed the Centrify acquisition, and combined the two businesses with minority support from Thoma Bravo and PSP Investments. Third-party profiles reinforce that story. Crunchbase records a $1.4 billion TPG acquisition benchmark in March 2021, Mergr separately logs a January 2021 acquisition from Thoma Bravo and Golub Capital, and PitchBook’s preview now labels Delinea private-equity-backed and in IPO registration. What public sources do not provide is equally important: the reviewed materials do not substantiate the prompt’s asserted 2024 TPG strategic growth investment, nor do they verify a current Francisco Partners stake in Delinea. Market-data sources also disagree on capital history and valuation, ranging from private-equity ownership narratives to legacy venture-round artifacts and low-confidence valuation estimates. The safest underwriting stance is that Delinea is a sponsor-backed private company with a strong historical control benchmark and current IPO signaling, but without a newly disclosed post-2024 public valuation mark.[CO022, CO023, CO024, CO025, CO026, CO027]
| Stakeholder | Role / relationship | Control or economic importance | Current public signal | Diligence ask |
|---|---|---|---|---|
| TPG | Controlling sponsor / owner | Central owner behind the 2021 formation and current PE-backed status | 2021 combination release, Crunchbase acquisition record, PitchBook ownership status | Confirm current ownership %, leverage, and exit timing |
| Thoma Bravo | Former Centrify owner; 2021 minority backer | Historical seller and possible residual economic participant after the combination | Official combination release, Mergr seller record, Crunchbase investor listing | Clarify whether any residual stake or governance rights remain |
| PSP Investments | 2021 minority investor | Institutional backer that may still influence governance if it retained a stake | Official combination release and Crunchbase investor listing | Request current ownership % and board/observer rights |
| Insight Partners | Seller of Thycotic into the TPG-led combination | Important to lineage reconstruction and rollover questions | Official combination release and SiliconANGLE coverage | Confirm whether any rollover economics survived close |
| Fortune 100 customer cohort | Marquee customer base | Key proof point for enterprise credibility and economic durability | Company says it serves thousands of customers including over half of the Fortune 100 | Request logo list, concentration, and renewal economics |
| StrongDM | 2026 acquired strategic asset | Adds runtime authorization and AI/DevOps relevance to the platform | Official acquisition release and Tracxn acquisition summary | Track integration milestones, retention, and any earn-out structure |
This map focuses on publicly visible sponsors, former owners, and a small number of economically relevant stakeholders; current cap-table percentages and any hidden rollover stakes are not publicly disclosed.[CO022, CO023, CO024, CO025, CO026, CO027]
1.4 Scale, momentum, and milestone trajectory
The public operating arc is strong even though not every metric is disclosed with current precision. Delinea closed 2022 with $250 million in ARR and 1,300+ new customers added, then a January 2025 leadership release said the business had passed $350 million in ARR as of Q2 2024 while supporting more than 8,500 organizations worldwide. Two later 2025 releases pushed the picture further: fiscal 2024 ARR was said to be approaching $400 million with 95% recurring revenue, and by August 2025 ARR had surpassed $400 million with SaaS still the majority of the mix. The company paired those financial milestones with operating signals such as 99.995% uptime, 500+ integrations, and 1M+ identities secured daily. Milestones since 2024 also show Delinea expanding on several fronts at once: a global partner program, Mexico City expansion, the FedRAMP High process for Secret Server, new regional leaders in EMEA/APAC, and the StrongDM acquisition to bring runtime authorization into the Delinea Platform. Together those milestones support a company that is scaling beyond legacy PAM toward a broader identity-security platform story.[CO029, CO030, CO031, CO032, CO033, CO034]
| Date | Event | Type | Amount / valuation / status | Participants | Implication |
|---|---|---|---|---|---|
| 2021-03-02 | TPG announces combination of Thycotic and Centrify | governance | Financial terms undisclosed | TPG, Thycotic, Centrify, Insight, Thoma Bravo, PSP | Creates the merged company that becomes Delinea |
| 2021-12-01 | Post-merger executive bench expanded and Pascal Van Dooren added to board | governance | Leadership buildout | Delinea | Early signal of operating professionalization |
| 2022-02-01 | Delinea brand debuts publicly | governance | Brand launch | Delinea, TPG | Merged company gets a single market identity |
| 2022-08-10 | Rick Hanson joins as President | governance | James Legg transition | Delinea | Go-to-market leadership evolves after formation |
| 2023-02-28 | FY2022 closes with $250M ARR and 1,300+ new customers | scale | $250M ARR; 25%+ growth | Delinea | Confirms meaningful post-merger operating scale |
| 2024-01-17 | Global partner program launches | partnership | Four-tier channel framework | Delinea and ecosystem partners | Expands indirect go-to-market capacity |
| 2024-04-16 | Secret Server SOAP API disclosure controversy becomes public | adverse | Critical flaw / urgent patching | Delinea, researchers, CERT media | Elevates product-security diligence priority |
| 2025-01-13 | Chris Kelly hired as President, GTM | governance | 2024 milestones cited: $350M ARR by Q2 2024 and 8,500+ organizations | Delinea | Adds scale evidence and GTM leadership depth |
| 2025-03-18 | FY2024 closes with ARR approaching $400M and 95% recurring revenue | scale | ~$400M ARR; 95% recurring revenue | Delinea | Improves financial-maturity narrative |
| 2025-05-13 | FedRAMP High process begins for Secret Server | regulatory | Authorization process launched | Delinea, UberEther | Supports public-sector/compliance expansion |
| 2025-08-12 | ARR surpasses $400M and Iris AI-led growth narrative is reinforced | scale | > $400M ARR | Delinea | Strengthens enterprise and AI positioning |
| 2026-02-18 | Three senior leaders appointed across EMEA and APAC | governance | Regional hiring | Delinea | Signals continued international investment |
| 2026-03-05 | StrongDM acquisition closes | product | Terms undisclosed | Delinea, StrongDM | Adds runtime authorization to the platform and secure-AI narrative |
This chronology is the chapter’s single public milestone record for 2021-2026; it favors externally visible company, ownership, scale, regulatory, and adverse events rather than every product release.[CO012, CO017, CO013, CO016, CO029, CO036]
Delinea’s public arc runs from the 2021 sponsor-led combination to 2025 ARR scale and 2026 platform/M&A expansion, with the 2024 disclosure controversy as the main overview-level setback.[CO012, CO017, CO013, CO016, CO029, CO036]
1.5 Adverse signals and remaining diligence questions
The clearest overview-level adverse signal is product-security process risk. SecurityWeek and Dark Reading both reported that Delinea appeared to ignore or inadequately handle weeks of responsible-disclosure outreach before a critical Secret Server SOAP API flaw became public in April 2024. NVD later documented CVE-2024-33891 as an authentication-bypass issue with high CNA severity, and Delinea’s own advisory page shows that Secret Server and Cloud Suite continued to accumulate additional CVEs in 2025 and 2026. That does not negate the business momentum described above; the company has also been public about advisories and has pursued FedRAMP High for Secret Server. But it does mean the downside case is not just theoretical. Public evidence still leaves major overview questions unresolved: exact current customer count, current board composition, post-2021 ownership percentages, and whether any 2024 sponsor recapitalization occurred. Those are material because they affect valuation confidence, exit-readiness assessment, and how much operational strength should be discounted for disclosure opacity.[CO044, CO045, CO046, CO047, CO048, CO049]
02 Market Analysis
2.1 Market boundary, adjacencies, and what Delinea is really selling
The first analytical task is not picking a TAM number but defining the right market. Delinea’s own platform story is no longer a simple password-vault story. Current product pages and platform collateral frame the company as an identity-security platform spanning human, machine, and AI identities, with centralized authorization and platformization as the strategic wedge. That creates a layered market position. Delinea still competes in classic privileged access management, but it also reaches into broader identity governance, non-human identity, and workflow-control budgets. Competitor framing supports that interpretation: CyberArk and Okta both position identity more broadly than vaulting, and Microsoft Entra places hybrid identity and governance in the same decision set. The practical implication is that the relevant market is narrower than the full IAM universe yet broader than legacy PAM alone. Buyers can also substitute native identity tools, scattered MFA and password controls, or governance suites before they buy a dedicated Delinea-like platform.[CM001, CM002, CM013, CM014, CM015, CM016]
| Market layer | Included spend | Excluded spend | Primary buyer or payer | Relevance to Delinea |
|---|---|---|---|---|
| Broad IAM | Authentication, governance, access control, CIAM, PAM, analytics, and some services | Unrelated security categories without identity-control content | CISO, CIO, IAM leadership | Useful outer ceiling but too broad for direct underwriting |
| Privileged access management | Vaulting, privileged sessions, least privilege, credential rotation, admin workflows | General workforce identity that does not touch privileged or sensitive access | Security, infrastructure, audit | Still Delinea’s clearest historical core |
| Identity-security platform | PAM plus discovery, authorization, posture, analytics, workflow control across identities | Consumer-only identity or generic access without control depth | Security architecture, IAM, platform teams | Best strategic frame for current Delinea narrative |
| Non-human identity and AI control | Service accounts, machine identities, AI agents, runtime authorization, verification | Human-only SSO and basic directory administration | Platform engineering, security engineering, cloud teams | Fast-growing adjacency that can expand the story above classic PAM |
| Status quo and bundled substitutes | Native directory controls, basic MFA, manual audit, broader-suite governance | Dedicated specialized controls not already owned by the buyer | Existing IT and identity budgets | Real competition for new-spend conversion |
This table preserves layered market definitions because Delinea sits across more than one identity-control budget line; using only the broadest IAM figure would overstate the immediate wedge.[CM001, CM013, CM015, CM016, CM031, CM040]
Delinea sits inside nested market layers: broad IAM at the top, classic PAM at the core, and non-human identity plus platform governance as the growth edge around its current story.[CM001, CM013, CM031, CM040]
2.2 Sizing lenses: bullish demand, messy denominators
Public market estimates are directionally supportive but methodologically inconsistent. MarketsandMarkets puts IAM at roughly $26 billion in 2025 and $42.6 billion by 2030, while The Business Research Company shows $21.8 billion in 2025 and $25.2 billion in 2026 before reaching $45.2 billion by 2030. Identity Management Institute offers a separate more-than-$24 billion 2025 framing, and ISMG cites a much larger $61.7 billion figure by 2032. Research and Markets broadens the lens further with explicit TAM work, supply-chain analysis, and privileged access governance. None of those numbers is necessarily wrong, but they are not interchangeable. Some describe broad IAM, some emphasize software plus governance, and some lean heavily into future-adjacent categories such as non-human identity and AI-driven access. For Delinea, the clean conclusion is to preserve the range and resist false precision. The company clearly sits in a growing identity-control market, but open sources do not isolate a defensible Delinea-specific SAM or SOM.[CM020, CM021, CM022, CM023, CM024, CM025]
| Publisher or lens | Year anchor | Scope | Value | Growth or trend | Why it matters | Main limitation |
|---|---|---|---|---|---|---|
| MarketsandMarkets IAM | 2025→2030 | Broad IAM incl. PAM, IGA, CIAM, non-human IAM | $25.96B → $42.61B | 10.4% CAGR | Shows a large enterprise identity-control denominator and strong PAM/NHI tailwinds | Still too broad to use as Delinea SAM |
| The Business Research Company IAM | 2025→2026→2030 | Broad IAM with PAM inside “other components” | $21.81B → $25.23B → $45.22B | 15.7% CAGR | Useful near-term 2026 anchor for current run date | Different segmentation and methodology from other publishers |
| Identity Management Institute | 2025 | Broad IAM market commentary | >$24B | ~13% growth | Confirms demand direction and recurring drivers such as remote work and regulation | Commentary-style surface, not a deeply granular model |
| ISMG IAM Market Guide | 2025→2032 | IAM plus market and vendor landscape | $61.7B by 2032 | Long-dated growth narrative | Useful for future-upside framing and vendor-context breadth | Longer time horizon and guide-style methodology |
| Research and Markets outline | 2026 report | IAM with TAM, legal, supply-chain, and privileged-access-governance framing | Not cleanly exposed on public summary page | Broad-scope 2026 research package | Confirms boundary complexity beyond classic PAM | Readable summary does not provide a simple one-line size figure |
| Evidence-constrained Delinea SAM | 2026 | Delinea-specific wedge across PAM, platform, and AI identity | Not isolatable from open sources | n/a | Prevents false precision in valuation work | Needs product-line revenue mix and attach-rate disclosure |
The numbers are intentionally preserved side by side rather than collapsed into one headline TAM because the publishers measure different scopes and years.[CM020, CM021, CM022, CM024, CM025, CM023]
Headline market numbers point in the same direction but vary materially because they measure different scopes and forecast windows.[CM020, CM022, CM025, CM027]
2.3 Buyer, user, payer, and adoption path
The category’s buying motion is structurally cross-functional. Security leadership often owns the problem statement because privileged access and identity compromise are clearly security issues, yet the operational owners are often IAM architects, infrastructure teams, cloud teams, and auditors. Users include administrators, developers, service-account owners, and governance staff. Payers can sit in security, IAM, cloud, or compliance budgets depending on the trigger: zero-trust mandates, audit findings, cloud migration, AI-agent control, or passwordless modernization. Regulated verticals such as financial services, healthcare, government, and large IT environments appear repeatedly in market segmentations and vendor positioning because they have both higher audit pressure and more complex hybrid estates. Adoption usually starts with a pain point — unmanaged privileged access, machine-identity sprawl, or fragmented controls — then moves into a broader platform decision once the buyer realizes that point tools do not provide sufficient visibility, least privilege, or consistent policy enforcement across identities and environments.[CM028, CM029, CM030, CM031, CM038, CM001]
| Segment or workflow | Primary buyer | Operational user | Budget owner | Adoption trigger |
|---|---|---|---|---|
| Privileged IT administration | CISO or infrastructure security leader | Administrators and IAM team | Security or infrastructure | Audit findings, standing privilege, session monitoring needs |
| Hybrid identity modernization | IAM architect or CIO delegate | IAM engineers and help-desk leads | IAM / IT | Cloud migration, passwordless, directory consolidation |
| Non-human identity governance | Security engineering or platform security | Developers, service owners, machine-account owners | Security engineering or platform | Service-account sprawl, AI-agent growth, runtime authorization |
| Regulated vertical compliance | Security and compliance leadership | Auditors, app owners, privileged operators | Security, risk, or compliance | Evidence of least privilege, logging, and access certification |
| Platformization or control-plane consolidation | Security architecture leadership | Cross-functional identity and cloud teams | Transformation or security stack rationalization | Too many fragmented tools and inconsistent policies |
The buyer map is deliberately cross-functional because Delinea-like projects often need both security sponsorship and platform-team execution to clear the budget hurdle.[CM028, CM029, CM030, CM031, CM033, CM034]
Budget ownership and user workflows vary by identity problem; Delinea wins when the buyer needs one control layer to satisfy both operators and governance owners.[CM028, CM029, CM030, CM031, CM043]
The market usually converts from risk recognition to control sprawl, then to zero-trust or platformization programs and finally to a unified purchase only if buyers believe deployment friction is manageable.[CM031, CM038, CM033, CM035, CM042]
2.4 Growth drivers and adoption constraints
The market tailwinds are real. Zero-trust guidance from NIST and CISA continues to push identity and authorization toward the center of enterprise security architecture. Market-research pages repeatedly cite cloud adoption, hybrid work, and rising identity-driven attacks as reasons IAM and privileged-access spending keeps expanding. AI and non-human identity add another growth layer, because machine and AI identities multiply much faster than human accounts and often operate with poor visibility or standing privileges. But the adoption story is not frictionless. Delinea’s own passwordless survey shows how legacy systems and compliance obligations slow even widely discussed modernization efforts, while market commentary from Identity Management Institute and ISMG points to budget constraints, skills gaps, and integration complexity. That means category expansion alone is not enough. Delinea still needs to win by making governance, authorization, and operational simplicity credible enough that buyers fund one more control layer instead of defaulting to bundled or status-quo alternatives.[CM011, CM012, CM019, CM032, CM033, CM034]
| Driver or constraint | Direction | Time horizon | Transmission to Delinea | Diligence ask |
|---|---|---|---|---|
| Zero-trust adoption | Positive | Current | Raises the value of continuous authorization and identity-centric controls | Check how often zero-trust mandates explicitly fund Delinea-like projects |
| Cloud and hybrid complexity | Positive | Current | Expands the need for cross-environment access governance | Request customer mix by hybrid vs. cloud-native estates |
| AI and machine identity growth | Positive | Current | Creates new demand for NHI discovery, runtime authorization, and explainability | Validate attach rates for non-human identity modules |
| Credential abuse and breach risk | Positive | Current | Sustains the core privileged-access control rationale | Quantify how much pipeline starts from incidents vs. compliance |
| Legacy system dependence | Negative | Current | Slows passwordless and policy modernization even when need is clear | Review deployment timelines by legacy intensity |
| Skills and operational complexity | Negative | Current | Can delay deployments and make platformization promises hard to realize | Request implementation staffing profiles and partner utilization |
| Budget constraints | Negative | Current | Makes buyers favor bundled IAM or status-quo tools over a new specialist platform | Test win rates versus Microsoft and Okta bundles |
| Weak independent benchmarks | Negative | Current | Limits confidence in Delinea’s faster-deployment narrative | Collect third-party implementation benchmarks and references |
The same market can be structurally attractive and operationally hard to monetize; the right diligence question is which constraints matter enough to slow actual paid conversion.[CM033, CM032, CM034, CM019, CM035, CM036]
2.5 Implications for Delinea and the remaining market gaps
For diligence purposes, the market conclusion should be intentionally constrained. Delinea operates in a good market, but not a cleanly measurable one. Public evidence supports a large and expanding identity-security opportunity, a durable PAM core, and a new adjacency around machine and AI identity control. What remains missing is the bridge from those top-down narratives to a company-specific revenue wedge. Public sources do not show product-line revenue mix, attach rates across platform modules, or independently benchmark Delinea’s deployment-speed claims against the strongest alternatives. That matters because valuation work can become distorted when a company with real execution momentum is matched against an overly generous TAM. The underwriting posture should therefore preserve multiple lenses: classic PAM for lower-bound realism, broader IAM and governance for strategic upside, and explicit evidence gaps around Delinea-specific market capture. That framing is strong enough for research-more conviction, but not for a precise public-SAM claim.[CM027, CM040, CM041, CM042, CM043, CM026]
03 Competitors
3.1 Landscape: direct incumbents, adjacent suites, and flank entrants
Delinea’s competitive landscape is broader than a simple three-vendor PAM fight, but it still has a recognizable center of gravity. CyberArk and BeyondTrust are the clearest direct incumbents because they sell privileged-access depth as a primary enterprise control category. Around that core sit broader-suite competitors such as Microsoft, Okta, SailPoint, and Saviynt, which can absorb parts of the buying criteria through identity, governance, and threat tooling already present in enterprise estates. A third ring contains flank entrants: CrowdStrike and SentinelOne from endpoint-driven identity security, Teleport and StrongDM from infrastructure access and runtime authorization, Silverfort from agentless identity security, and 1Password from extended-access-management style workforce access. Delinea’s own StrongDM acquisition confirms that management also sees those flank categories as strategically real. The competitive question is therefore not whether Delinea has rivals, but which layer of rival it faces in each buying motion.[CP001, CP002, CP004, CP005, CP008, CP009]
| Vendor | Category | Primary motion | Best-fit buyer | Main limitation versus Delinea |
|---|---|---|---|---|
| CyberArk | Direct PAM incumbent | Vault-first privileged access platform | Large enterprises prioritizing privileged depth and heritage | Can look heavier and more traditional than Delinea’s newer platform story |
| BeyondTrust | Direct PAM incumbent | Broad PAM platform with integrated positioning | Buyers wanting all-in-one PAM breadth | Faces the same “why this platform versus another platform” question as Delinea |
| Microsoft | Bundle competitor | Identity, hybrid IAM, and defender tooling inside existing estate | Accounts already standardized on M365 and Microsoft security | Dedicated privileged depth may be less explicit than Delinea’s |
| Okta / SailPoint / Saviynt | Suite competitor | Governance-led identity platform | Governance-heavy buyers and transformation programs | Less centered on classical PAM depth |
| StrongDM / Teleport / Silverfort / 1Password | Flank entrants | Runtime access, infrastructure access, agentless identity, or XAM | Engineering-led or architecture-led wedge deals | Usually narrower than Delinea on overall PAM depth or platform scope |
The profile table groups some adjacent players together because they compete for different slices of the budget even when they are not full one-for-one Delinea replacements.
[CP004, CP005, CP008, CP009, CP010, CP015]
Ordinal view of Delinea versus direct incumbents, broader suites, and flank entrants across two axes: privileged-depth and bundle breadth.
Axis values are ordinal 1-5 scores derived from public positioning pages and review surfaces rather than audited market data.
[CP004, CP005, CP008, CP009, CP016, CP011]
3.2 Competitor profiles: who wins which type of account
The most useful competitor split is by account type and buyer framing rather than by vendor logo alone. CyberArk is strongest when the buyer wants a mature vault-first privileged-access stack with enterprise heritage. BeyondTrust competes when buyers want an equally broad PAM platform and trust its integrated positioning. Microsoft becomes most dangerous when the buyer already has enough Entra and Defender capability inside existing contracts, especially if the project is framed as identity protection or hybrid access rather than specialized PAM. Okta, SailPoint, and Saviynt matter more when governance and lifecycle control dominate the discussion. StrongDM and Teleport matter most in engineering-led access decisions, while Silverfort attacks with an agentless architectural story. Delinea’s best fit is the buyer who still values PAM depth but increasingly wants a wider identity-security platform without defaulting entirely to bundle-heavy suites.[CP006, CP007, CP008, CP009, CP010, CP015]
| Buying criterion | Delinea | CyberArk | BeyondTrust | Microsoft | Runtime / agentless flanks |
|---|---|---|---|---|---|
| Classical PAM depth | Strong | Very strong | Very strong | Moderate | Low to moderate |
| Broader identity-platform story | Strong | Strong | Strong | Very strong | Varies by vendor |
| Runtime authorization / infra access | Improving via StrongDM | Moderate | Moderate | Low | Strong |
| Bundle advantage | Low | Low | Low | Very strong | Moderate |
| Agentless or novel architecture angle | Moderate | Low | Low | Low | Strong for selected flanks |
| Governance / broader IAM adjacency | Moderate | Moderate | Moderate | Strong | Low to moderate |
This matrix is directional rather than numerical. It distinguishes Delinea’s platform-plus-PAM middle position from direct incumbents, bundled suites, and narrower flank entrants.
[CP006, CP007, CP008, CP025, CP026, CP035]
The heatmap separates vault-first incumbents, broader suites, and engineering-led flank products on the buying criteria most relevant to Delinea.
[CP006, CP007, CP023, CP025, CP035]
3.3 Capability, distribution, and trust posture
Capability alone does not decide the winner in this category. Distribution and trust matter just as much. Microsoft has the strongest installed-base advantage because many target customers already run Entra and Defender for Identity. Endpoint players such as CrowdStrike and SentinelOne can also use existing platform relationships to insert identity controls without a separate greenfield buying motion. Direct incumbents such as CyberArk and BeyondTrust benefit from long-standing enterprise trust and analyst visibility. Delinea remains visible in that top tier of consideration, as shown by review and analyst surfaces, but its moat is not unassailable. It wins when a buyer needs more than a bundled suite and more coherence than a point tool. It loses when the customer can accept “good enough” adjacent capability or prefers a pure engineering-access solution. In other words, Delinea is still a credible category contender, but the field around it has become more heterogeneous, more bundle-sensitive, and more dependent on execution quality in demos, integrations, policy migration, implementation pacing, and channel strength during enterprise evaluations.[CP020, CP021, CP022, CP023, CP024, CP031]
| Vendor set | Packaging posture | What buyer likely gets | Competitive implication |
|---|---|---|---|
| Delinea | Platform packaging with custom enterprise scope | PAM depth plus broader platform narrative | Works best when buyer values dedicated control and platform coherence |
| CyberArk / BeyondTrust | Enterprise platform contracts | Mature PAM depth, services, and enterprise trust | Can win when buyer prioritizes incumbent depth over newer platform positioning |
| Microsoft / Okta / SailPoint | Broader suite or bundle economics | Identity and governance capabilities across existing stack | Raises the hurdle for any new dedicated spend |
| StrongDM / Teleport / Silverfort / 1Password | Use-case or architecture-led packaging | A sharper wedge around infra access, agentless identity, or workforce access | Can win entry points even if not full Delinea replacements |
Most enterprise pricing is negotiated and not cleanly public, so this table focuses on contract posture and likely buyer perception rather than list-price precision.
[CP028, CP023, CP027, CP016, CP017]
Compact competitive summary for underwriting: where Delinea is clearly viable, where it is pressured, and what evidence is still missing.
[CP020, CP034, CP002, CP028, CP036, CP037]
3.4 Switching costs, multi-homing, and moat durability
The durable part of Delinea’s competitive position is not raw branding; it is the cost of replacing policies, privileged-account discovery, integrations, and governance processes once they are embedded. That creates meaningful but not impregnable switching costs. Buyers can and likely do multi-home Delinea with Microsoft, endpoint ITDR, or engineering-access tools, which means Delinea often competes as one control layer inside a larger stack rather than as the whole stack. That pattern cuts both ways: it helps Delinea coexist, but it also means some value can be squeezed by bundled platforms over time. Public sources do not yet show reliable win-rate or pricing evidence, so the safest conclusion is moderate moat durability. Delinea’s strongest defense is to stay clearly better than bundles on privileged-depth and clearly broader than point tools on identity-security platform value. Execution discipline in migrations, partner enablement, and customer expansion likely matters too. If it fails on either front, the middle layer becomes easier to commoditize.[CP028, CP029, CP030, CP033, CP034, CP035]
| Moat or risk | Why it matters | Threat source | Severity | Diligence ask |
|---|---|---|---|---|
| Delinea remains a top PAM shortlist vendor | Keeps it in the enterprise consideration set | Shortlists can still collapse toward CyberArk or bundles | Medium | Measure current shortlist-to-win conversion |
| Platform breadth beyond vaulting | Can distinguish Delinea from point tools | Could blur with BeyondTrust or suite narratives | Medium | Validate buyer willingness to pay for the broader story |
| StrongDM runtime extension | Adds engineering-led access relevance | Integration execution could lag promise | Medium | Track product integration milestones and attach rate |
| Bundle competition from Microsoft | Can compress the need for new spend | Installed-base economics are hard to fight | High | Quantify losses where bundles were decisive |
| Flank entrants from runtime or agentless vendors | Can win the first workflow and narrow Delinea’s wedge | Budget gets spent before Delinea is evaluated fully | Medium | Review replacement and coexistence patterns in customer stacks |
The risk register separates durable competitive strengths from the structural forces that can compress them over time.
[CP020, CP026, CP002, CP034, CP035, CP037]
04 Financials
4.1 Revenue model, packaging, and monetization posture
Delinea’s public commercial surface looks like a recurring enterprise-software model built around multiple sellable control layers rather than one monolithic password-vault product. The company markets a platform, packaged bundles, and distinct module families such as Server Suite, Privileged Remote Access, Fastpath Access Control, and AI-driven authorization. That matters financially because it creates several credible ways to grow recurring revenue: land on core PAM, add adjacent authorization or governance modules, and expand accounts as cloud, compliance, and machine-identity requirements widen. Public pages do not publish usable list prices, which strongly suggests Delinea still sells primarily through quote-led enterprise contracts, demos, trials, partners, and negotiated scopes. That is common for upper-midmarket and enterprise cybersecurity, but it means the open web is not enough to derive ASP or discount behavior. The best public conclusion is therefore structural rather than precise: Delinea likely enjoys subscription-heavy revenue quality and cross-sell potential, but realized pricing remains a diligence item rather than a solved public fact.[CI001, CI002, CI003, CI004, CI005, CI006]
| Stream | Mechanism | Unit | Current status | Quality | Diligence ask |
|---|---|---|---|---|---|
| Platform subscriptions / bundles | Recurring subscription sold as Delinea Platform or bundled control layers | Contracted annual or multi-year software subscription | Confirmed product and bundle surface; no public pricing | High if renewal-heavy; exact mix undisclosed | Request module attach-rate and renewal breakdown |
| Server PAM and privileged access modules | Recurring subscriptions for server privilege, remote access, and related controls | Per-contract enterprise scope | Confirmed via Server Suite and RPAM product pages | High recurring quality; realized pricing unknown | Request booked ARR by product family |
| Governance / business application controls | Fastpath access-control subscriptions and governance upsell | Per-application / enterprise scope | Confirmed after 2024 acquisition | Medium to high; integration progress matters | Request Fastpath ARR and services attach |
| AI-driven authorization and platform add-ons | Upsell for newer authorization and analytics capabilities | Add-on platform subscription | Emerging and merchandised publicly | Medium; monetization maturity still forming | Request attach rate, paid-vs-included packaging, and pipeline |
| Professional services / implementation | Deployment, integration, onboarding, and customer enablement | Project or scoped services | Operationally implied but unquantified | Lower quality than software ARR; size unknown | Request services revenue and services gross margin |
| Channel-sourced bookings | Bookings transacted or influenced through resellers, GSIs, MSPs, and distributors | Partner-led enterprise contract | Confirmed as an explicit GTM route | Varies with discounts and incentives | Request channel mix, MDF spend, and margin impact |
Because Delinea does not publish price sheets or revenue mix, this table emphasizes publicly visible mechanisms and leaves exact contract economics as diligence items.
[CI001, CI002, CI003, CI004, CI005, CI006]
| Offer | Public price / unit | List vs realized pricing | Sales posture | Source note |
|---|---|---|---|---|
| Delinea Platform / bundles | No public list price | Realized pricing unknown | Demo / contact-sales led enterprise packaging | Bundle pages describe scope but not commercial terms |
| Server Suite | No public list price | Realized pricing unknown | Quote-led server PAM sale | Product page emphasizes capabilities, not price |
| Privileged Remote Access | No public list price | Realized pricing unknown | Quote-led access product | Page focuses on browser-based secure access and auditing |
| Fastpath Access Control | No public list price | Realized pricing unknown | Quote-led governance sale | Page highlights SoD and audit use cases but no commercial schedule |
| Partner / distributor route | Margin economics undisclosed | Discounting unknown | Partner- and incentive-supported selling | Partner program references financial incentives without publishing rates |
Open sources support only the conclusion that Delinea sells through negotiated enterprise contracts and partner channels; they do not support realized ASP modeling.
[CI007, CI008, CI010, CI035]
Public evidence suggests a recurring revenue bridge from modular identity-security products into broader platform subscriptions and expansion.
[CI001, CI002, CI009, CI029]
4.2 GTM motion and growth-capacity investment
Delinea’s disclosures point to a growth engine that mixes direct enterprise selling with a meaningful channel and distributor layer. The 2024 partner-program launch explicitly offered tiered rewards, financial incentives, marketing support, and enablement across resellers, GSIs, and managed-service providers. The 2026 Climb expansion then extended that channel logic deeper into Europe, showing Delinea is still investing in geography expansion rather than only harvesting an installed base. Leadership changes reinforce the same story: Chris Kelly was hired to oversee global sales, channels, solution engineering, and customer success; the 2025 performance update also highlighted additional hires in channels, services, customer success, and regional sales. Publicly disclosed traction is notable. Delinea said ARR surpassed $350 million by Q2 2024 and $400 million by the first half of fiscal 2025, with SaaS making up the majority of ARR. Those are company claims rather than audited filings, but they are directionally stronger than the inconsistent values shown by third-party databases. The takeaway is that Delinea appears to be scaling as a sizeable recurring-revenue identity-security vendor, yet open sources still do not reveal CAC, payback, or quota-carrying productivity.[CI009, CI010, CI011, CI012, CI013, CI014]
| Metric | Value / status | Confidence | Why it matters | Diligence ask |
|---|---|---|---|---|
| ARR milestone | >$350M by Q2 2024; >$400M by 1H 2025 | Medium | Best public scale signal available for the business | Request audited ARR bridge by quarter and by product family |
| SaaS share of ARR | Majority of ARR footprint (company-claimed) | Medium | Indicates recurring, cloud-heavy revenue quality | Request SaaS vs self-hosted subscription split |
| Gross margin | Not disclosed; proxy only from public peers | Low | Core profitability and valuation driver | Request audited gross-margin bridge including services and hosting |
| CAC / payback | Not disclosed | Unknown | Tests whether GTM expansion is efficient | Request fully loaded CAC, payback, and segment-level productivity |
| NRR / GRR | Not disclosed | Unknown | Determines durability of subscription base and expansion quality | Request cohort retention and renewal data |
| Services gross margin | Not disclosed | Unknown | Separates software economics from implementation burden | Request services revenue, utilization, and margin by delivery model |
The table deliberately separates disclosed traction from undisclosed unit economics. ARR milestones are public company claims; the rest require management materials.
[CI014, CI015, CI016, CI017, CI032, CI038]
The public-only unit-economics view is a bridge from disclosed ARR milestones to mostly undisclosed retention, CAC, and margin mechanics.
[CI014, CI015, CI016, CI026, CI038]
Only a small set of financially relevant figures can be placed into defensible ranges from public evidence.
Only the ARR milestone range is company-specific. Margin and recurring-share values are proxy ranges used to bound diligence, not management-reported Delinea metrics.
[CI014, CI015, CI016, CI023, CI027]
4.3 Cost structure, margin path, and capital allocation
Delinea does not publish an audited cost structure, so the public view has to triangulate from its own operating footprint and from mature identity-software peers. Delinea’s cloud-delivery footprint includes region-specific hosting such as the UK data centre for Secret Server Cloud, which implies ongoing infrastructure, compliance, and support expense. Its public GTM buildout and acquisition cadence imply continued spend on sales capacity, services, and integration work as well. SecurityWeek’s reporting on the April 2024 Secret Server incident is also financially relevant: incident response, patching, customer communications, and trust repair are real cost centers even when no tenant compromise is ultimately confirmed. CyberArk’s SEC filing offers the clearest public benchmark for what mature identity-security SaaS economics tend to look like. CyberArk says more than 90% of revenue is recurring, that subscription revenue has become the majority driver, and that cost of subscription revenue is driven by support personnel, cloud operations, infrastructure, and amortization. It also warns that subscription transition can improve long-term durability while still changing cash timing and near-term profitability. That benchmark does not prove Delinea’s exact gross margin, but it does support a sensible range in which recurring software quality is high while cloud, services, and support still matter materially.[CI019, CI020, CI021, CI022, CI023, CI024]
| Item | Public status | Implication | Confidence | Diligence ask |
|---|---|---|---|---|
| Sponsor backing | Private-equity sponsorship visible from public ownership history | Likely strategic support exists, but economics are opaque | Medium | Request ownership structure, board support, and capital-allocation priorities |
| Cash balance | Not publicly disclosed | Cannot model runway directly | Low | Request latest balance sheet and unrestricted cash |
| Debt / leverage | Not publicly disclosed | Potential covenant or refinancing risk unknown | Low | Request debt schedule, maturities, and covenant package |
| Capital uses | Visible uses include acquisitions, channel expansion, cloud footprint, and growth hiring | Capital is being deployed for both organic and inorganic scale | Medium | Request annual budget by R&D, S&M, cloud ops, and M&A integration |
| Next financing trigger | No public event or timeline disclosed | External investors cannot infer when a new capital decision is needed | Low | Request runway model and sponsor decision framework |
This chapter intentionally avoids re-stating the full funding chronology from Company Overview. The focus here is current adequacy and opacity, not historical rounds.
[CI031, CI019, CI037, CI032]
Public evidence points to several visible uses of capital, but not to the cash balances that fund them.
[CI031, CI019, CI037, CI032]
4.4 Capital adequacy and underwriting blockers
The hardest public limitation is not growth visibility; it is financing visibility. Delinea’s ownership history clearly points to sponsor backing, and that probably lowers immediate external-financing risk relative to a venture-backed company scrambling for a new round. But the same ownership structure means public cash, debt, covenant, and runway disclosure are essentially absent. Third-party databases add noise rather than clarity because they disagree on funding, valuation, founding history, and employee footprint. The strongest public facts are therefore milestone facts: revenue was already above $100 million before the 2021 merger era, ARR moved above $350 million by Q2 2024 and above $400 million in the first half of 2025, and management continues to fund acquisitions, channel expansion, and cloud delivery. The most defensible verdict is that Delinea probably has attractive recurring-revenue quality and meaningful scale, but investors still need direct access to retention, CAC, gross-margin bridge, debt schedule, and runway planning before underwriting a clean margin path or capital-intensity view. Public evidence alone supports momentum; it does not support precision.[CI031, CI032, CI033, CI034, CI038]
| Missing metric | Impact | Why it matters | Exact diligence path |
|---|---|---|---|
| Audited ARR and revenue bridge | Blocking | Needed to reconcile company milestones with external databases and to anchor valuation work | Request quarterly ARR / revenue bridge by product, region, and deployment model |
| NRR, GRR, and renewal rates | Blocking | Without retention quality, ARR scale alone may overstate underlying health | Request cohort retention tables and renewal by segment |
| Gross-margin bridge | Material | Public margin language is qualitative only | Request audited gross-margin detail across subscription, services, and support |
| Cash, debt, and runway | Blocking | Capital adequacy cannot be modeled from sponsor ownership alone | Request latest balance sheet, debt schedule, and operating cash forecast |
| CAC, payback, and sales efficiency | Material | Growth investment may be productive or expensive; public evidence cannot tell | Request pipeline conversion, CAC, payback, and quota attainment by segment |
| Services revenue and margin | Material | Implementation load can distort software economics and deployment scalability | Request services P&L, utilization, and attach rate by product family |
These are the main blockers to underwriting Delinea as a private identity-security software investment on public information alone.
[CI008, CI030, CI032, CI033, CI038]
05 Product & Technology
5.1 Product definition and core module map
Delinea no longer presents itself as a single privileged-password vault vendor. Its public product surface is now clearly a platform-plus-modules story: identity threat protection, secret discovery and vaulting, session management, server privilege, endpoint privilege, governance controls, remote access, and AI-driven authorization all sit inside the same commercial frame. The product value proposition centers on discovering identities and privileged accounts, applying least privilege, monitoring activity, and responding to threats across cloud and traditional infrastructure. At the module level, the pages are fairly concrete. Identity Threat Protection focuses on continuous monitoring, context building, anomaly detection, and response. Secret Server materials emphasize discovery, dependency mapping, and vaulted access. Privilege Control for Servers and Privilege Manager extend control over operating-system privilege and endpoint applications. The result is a credible module map for customers who want both traditional PAM depth and newer identity-security coverage. What remains less public is the exact commercial boundary between these modules: the pages show what exists, but not how much of it is standard, add-on, or deeply integrated at the control-plane level.[CE001, CE002, CE003, CE004, CE005, CE006]
| Module / asset | Primary user | Status / maturity | Differentiation | Diligence gap |
|---|---|---|---|---|
| Identity Threat Protection | Security operations / identity teams | Publicly merchandised | Continuous identity monitoring plus remediation guidance | Need real deployment references and false-positive data |
| Secret Server Discovery | PAM admins | Publicly documented | Privileged-account and dependency discovery with scriptable extensions | Need architecture details for scan scale and performance |
| Secret Server Session Management | PAM admins / auditors | Publicly documented | RDP and SSH proxying with recording, monitoring, and playback | Need storage, retention, and performance detail at scale |
| Privilege Control for Servers | Server / platform admins | Publicly merchandised | Least privilege across Windows, Linux, and Unix | Need deployment detail for mixed-hybrid estates |
| Privilege Manager | Endpoint / EUC admins | Publicly documented | Endpoint least privilege, integrations, public API, HA patterns | Need customer proof on rollout friction and policy tuning |
| FedRAMP High Secret Server path | Public-sector buyers | In process, not authorized yet | Signals public-sector ambition and control hardening | Need authorization milestone status and scope |
Maturity here means “publicly evidenced and merchandised,” not independently audited adoption depth.
[CE002, CE003, CE006, CE010, CE005, CE027]
| User job | Current workflow challenge | Delinea solution | Measurable benefit | Limitation |
|---|---|---|---|---|
| Find unknown privileged accounts | Blind spots and unmanaged admin/service accounts | Secret Server Discovery and continuous discovery | Better account visibility and policy coverage | Scale and connector depth not fully public |
| Watch risky privileged sessions | Admins and vendors can act with limited oversight | Session proxying, monitoring, recording, and playback | More accountability and faster audit review | Performance and storage economics are undisclosed |
| Enforce least privilege on servers | Standing admin rights increase lateral-movement risk | Privilege Control for Servers and Server PAM controls | Reduced standing privilege and better policy consistency | Exact deployment effort by environment is unclear |
| Streamline endpoint approvals | Help-desk and security teams struggle with app elevation exceptions | Privilege Manager with ticketing and directory integrations | Faster approvals with less manual policy drift | Per-integration support depth not fully public |
| Bring secrets into CI/CD | Secrets leak into repo or pipeline configuration | Python SDK, Terraform provider, GitHub Action, and DSV tooling | More automatable secret retrieval and IaC workflows | Core product remains proprietary; repo adoption detail is limited |
Benefits are directional and workflow-based because public pages describe capabilities more precisely than outcome metrics.
[CE007, CE011, CE005, CE015, CE037, CE040]
Public-facing stack of Delinea’s identity-security platform from discovery and control layers through trust and automation surfaces.
[CE002, CE003, CE018, CE037, CE022, CE025]
5.2 Workflow, automation, and integration architecture
The most useful way to read Delinea’s technology is as an operating workflow rather than as a marketing feature list. Discovery finds privileged accounts, service accounts, and cloud identities; policy and least-privilege layers constrain what those identities can do; session controls proxy, monitor, and record risky activity; integrations connect Delinea into directory services, ticketing, SIEM, malware scanning, and other enterprise systems; and automation hooks let practitioners operationalize those controls in scripts and infrastructure pipelines. The technical-docs pages are strong on these workflow outcomes. Secret Server documents multicloud discovery and scriptable PowerShell extensions. Session-management pages document RDP and SSH proxying, real-time intervention, and searchable recording. Privilege Manager documents integration with Active Directory, ServiceNow, Secret Server, VirusTotal, SIEM, and SCCM, while enterprise-readiness materials add a public API, high availability, reverse proxying, and mobile administration. Still, the architecture stops short of a true deep dive. Public materials say enough to understand the workflow and dependency shape, but not enough to map internal services, event buses, or data-plane boundaries with precision.[CE008, CE009, CE010, CE011, CE012, CE013]
| Layer / component | Role | Dependency | Risk |
|---|---|---|---|
| Discovery connectors and scripts | Find privileged accounts and dependencies | AD, cloud providers, PowerShell, scanners | Connector depth and scaling detail are only partially public |
| Vault and session-control layer | Broker access, record sessions, and manage credentials | Secret Server, network/firewall rules, storage for recordings | Session-storage, proxy scale, and retention cost are not deeply public |
| Endpoint / server policy layer | Apply least privilege and application control | AD, endpoint agents, reverse proxy, HA web tier | Agent behavior and failure modes are not deeply documented |
| Integration and API layer | Connect ticketing, SIEM, malware analysis, and workflow automation | ServiceNow, VirusTotal, Syslog, SDKs, APIs | Named integrations do not equal fully understood implementation depth |
| Cloud platform operations | Deliver multi-tenant SaaS with regional availability commitments | Regional hosting footprint and status page | Internal service topology and tenant isolation detail remain thin publicly |
This is a public-evidence operating model, not an internal engineering diagram.
[CE008, CE019, CE018, CE041, CE042]
Publicly documented operator workflow from discovery to enforcement and audit.
[CE006, CE007, CE010, CE012, CE003, CE040]
The public materials reveal meaningful dependence on directories, cloud services, ticketing, and automation interfaces.
[CE014, CE015, CE017, CE033, CE034, CE041]
5.3 Trust, reliability, and compliance posture
Delinea’s public trust posture is stronger than its public architecture depth. The platform SLA explicitly describes the Delinea Platform as a multi-tenant SaaS service and commits it to 99.995% availability across the regions where it is offered. The same document sets out service-credit remedies and references a public status page, which is consistent with a mature SaaS operating model. On certifications, Delinea says it is SOC 2 Type 2 recertified across six products and that Secret Server has entered the FedRAMP High authorization process for the public sector. Those signals matter commercially because they are often part of enterprise security procurement, but they are still summary-level signals rather than full audit transparency. The adversarial view is also real: SecurityWeek reported the April 2024 incident and NVD lists CVE-2024-33891 against Secret Server’s SOAP API. Together, those sources show a company with meaningful trust infrastructure and a visible disclosure surface, but not an absence of risk. For diligence, that means Delinea looks credible on compliance posture while still requiring deeper review of post-incident remediation, control exceptions, and certification scope.[CE022, CE023, CE024, CE025, CE026, CE027]
| Control / certification | Status | Scope | Gap |
|---|---|---|---|
| Platform SLA | Publicly documented | 99.995% availability commitment across offered regions | Need customer-specific availability history and remedy outcomes |
| SOC 2 Type 2 recertification | Publicly claimed | Six Delinea products named | Underlying audit report is not public |
| FedRAMP High process | Publicly announced | Secret Server in partnership with UberEther | Authorization is in process, not complete |
| Security advisories surface | Publicly visible | Trust and vulnerability communication | Advisory-process depth and SLAs are not fully public |
| CVE-2024-33891 remediation | Publicly evidenced | Secret Server SOAP API auth bypass issue | Need full postmortem and control-change history |
This table separates visible trust signals from the audit and remediation depth that remains private.
[CE022, CE025, CE027, CE029, CE030, CE043]
Capability maturity across the major public surfaces is strongest where Delinea publishes detailed feature and operator workflow docs.
These ratings are evidence-based ordinal judgments from public documentation depth, not internal product telemetry.
[CE003, CE008, CE012, CE018, CE042, CE043]
5.4 Developer signal, maturity, and technical risk
One of the more positive surprises in Delinea’s public evidence set is the amount of practitioner-facing tooling it exposes in GitHub. The repos are not the core product, but they do show a real automation layer around the platform: a public platform examples repo, a Python SDK for Secret Server and Platform APIs, a Terraform provider for DevOps Secrets Vault, a GitHub Action for CI/CD retrieval, and a network-requirements CLI that exports Terraform, Ansible, and firewall formats. That is meaningful developer signal for a security vendor whose commercial product is proprietary, because it lowers the credibility gap between “we have APIs” and “practitioners can actually automate this.” It also supports the view that Delinea’s technical differentiation is not only in vaulting but in operationalizing identity controls across workflows and environments. The trade-off is that the repos and feature pages surface the outer interfaces of the platform more clearly than the inner architecture. Public maturity looks solid; public internals still look selectively opaque.[CE032, CE033, CE034, CE035, CE036, CE037]
| Signal | Date / stage | Status | Implication | Source |
|---|---|---|---|---|
| Public GitHub platform resources | Ongoing public repo | Active public tooling surface | Shows practitioner enablement around the platform | GitHub Delinea platform repo |
| Python SDK for Secret Server / Platform APIs | Public repo | Available to install and test | Supports API automation rather than UI-only adoption | GitHub python-tss-sdk |
| Terraform provider for DSV | Public repo | Available | Supports infrastructure-as-code workflows | GitHub terraform-provider-dsv |
| GitHub Action for DSV | Public repo | Available | Supports CI/CD secret retrieval | GitHub dsv-github-action |
| Network requirements CLI | Public repo | Available | Shows ongoing operator tooling around deployment and connectivity | GitHub delinea-netconfig |
These signals are best read as developer-signal and operator-tooling evidence, not a full formal roadmap.
[CE032, CE033, CE034, CE035, CE036, CE037]
06 Customers
6.1 Customer footprint and segment visibility
Delinea’s public customer evidence is much stronger than a bare logo wall, but it is still shaped by what the company chooses to showcase. The strongest pattern is segment quality, not precise cohort math. Public case studies and customer materials repeatedly place Delinea inside environments where privileged access, auditability, and compliance are material operating concerns: manufacturing IT operations at Robert Weed, retail and third-party access control at Boyner, Oracle Cloud SOX controls at The Trade Desk, J-SOX and critical infrastructure at TEPCO Systems, and public-company SOX reporting at SBA Communications. The broader case-study library extends that picture into telecom, mobility, media, travel, channel, and housing. That mix suggests Delinea wins where privileged-access control is tied to business continuity, audit defense, or regulated operations rather than where a buyer is simply shopping for a basic password vault. The open web therefore supports a diversified enterprise and upper-midmarket footprint, but it does not yet support a precise mix between SMB, mid-market, and enterprise revenue. Delinea’s dated public count of more than 8,500 organizations gives a floor for installed-base scale, yet the absence of a fresher count means the customer chapter has to focus more on proof quality and segment pattern than on current raw-account volume.[CU008, CU009, CU010, CU011, CU035, CU038]
| Segment | Buyer / user / payer | Representative proof | Scale / operating context | Strategic value | Gap |
|---|---|---|---|---|---|
| Manufacturing operations | IT/security operations / administrators / industrial business owner | Robert Weed using Secret Server for systems, workstations, and third-party access | Nearly 200 systems and 100+ workstations in a family-owned distributor/manufacturer | Shows Delinea fits mid-market operational environments where privileged access is tied to business continuity | No contract size, renewal term, or module attach disclosed |
| Retail and consumer operations | CISO / security team / enterprise operations budget | Boyner using Secret Server plus Privileged Remote Access | 6 brands, 250+ stores, 8,000+ employees, third-party access and compliance requirements | Validates regulated retail and third-party remote-access workflows | No ACV, rollout duration, or renewal history disclosed |
| Technology and finance-control teams | SOX/compliance leaders / finance users / enterprise IT budget | The Trade Desk using Fastpath around Oracle Cloud ERP | 1,200 global users and 100+ finance users across three geographies | Shows Delinea can cross-sell beyond PAM into finance-compliance controls | Public proof is strong on audit workflow but thin on commercial terms |
| Critical infrastructure and utilities | Security leadership / operations admins / enterprise security budget | TEPCO Systems using Secret Server for J-SOX and zero trust | Power-group system integrator supporting critical infrastructure | Supports mission-critical regulated use cases where traceability matters | No long-term expansion economics disclosed |
| Public-company telecom / infrastructure | CIO / auditors / IT admins / public-company compliance budget | SBA Communications using Fastpath for SOX reporting | Public operator with multiple legal entities and Dynamics GP complexity | Useful proof for audit-heavy buyers that need ongoing control reporting | No evidence of customer concentration or replication rate across similar accounts |
| Broader enterprise case-study library | Security, audit, and operations buyers across sectors | Graebel, Hearst, Norwegian Cruise Line Holdings, Softcat, Clayton Homes, and others in the public library | Mobility, media, travel, channel, and housing verticals visible in official resources | Suggests Delinea’s reference set spans multiple verticals instead of one niche | Library breadth is visible, but many entries are not deep enough on outcomes without full PDF review |
Segment mapping is anchored in named case studies and public customer program materials rather than a disclosed company segmentation table. Public proof skews toward referenceable enterprise and compliance-heavy examples; the true SMB/mid-market mix remains undisclosed.
[CU010, CU011, CU012, CU016, CU020, CU022]
| Signal | Value / status | As of | Confidence | Implication | Missing denominator |
|---|---|---|---|---|---|
| Official disclosed customer floor | 8,500+ organizations worldwide | 2025-01-13 (disclosure references Q2 2024) | Medium | Shows meaningful installed-base scale, but only as a dated floor rather than a current live count | No updated current customer count or active tenant count |
| Large-enterprise penetration signal | Over half of Fortune 100 | 2022-02-01 | Medium | Supports real enterprise reach beyond SMB-only positioning | No current named roster or segment revenue mix |
| Customer journey process | Pre-purchase, onboarding, use, expand, renew stages documented publicly | 2026-05-20 | High | Suggests deliberate lifecycle management instead of ad hoc post-sale support | No conversion or renewal rates by stage |
| Renewal outreach timing | Up to 120 days before renewal | 2026-05-20 | High | Visible evidence of formal renewal motion | No public renewal-rate metric |
| Community and enablement surfaces | Secret Society, office hours, newsletter, roadmap updates | 2026-05-20 | High | Supports ongoing customer engagement and expansion scaffolding | Participation rates and cohort effects undisclosed |
| Flagship customer event | Delinea Edge announced for March 2027 | 2026-04-14 | High | Signals continued investment in customer education and practitioner community | Attendance targets and customer mix not disclosed |
| Customer success leadership investment | VP Customer Success and Global Services leadership added | 2025-08-12 | Medium | Suggests customer retention and enablement remain active priorities as Delinea scales | No disclosed retention KPI tied to these hires |
This table mixes dated count disclosures with process signals because Delinea does not publish a clean time series of customer adds, churn, or deployment growth. The most precise public customer-count evidence remains historical.
[CU001, CU004, CU005, CU006, CU007, CU008]
Publicly documented customer path from evaluation through renewal and peer engagement.
[CU001, CU002, CU003, CU004, CU005]
6.2 Named production proof and measurable customer outcomes
The best part of Delinea’s public customer record is that several references go beyond generic testimonials and describe live workflows with measurable outcomes. Robert Weed is using Secret Server across nearly 200 systems and more than 100 workstations, and the customer estimates the work of finding and managing credentials now takes about one-tenth of the prior effort. Boyner presents a broader platform story: Secret Server plus Privileged Remote Access on the Delinea Platform, with outcome claims that include more than 40 percent lower time and cost for privileged-account management and a 60 percent reduction in compliance-support effort. The Trade Desk proves a different buyer motion altogether: Fastpath as a control layer for SOX, segregation of duties, and change tracking inside Oracle Cloud ERP. TEPCO Systems and SBA Communications reinforce the same pattern from another angle. In both cases, Delinea’s value proposition is not abstract cybersecurity branding; it is making audits, traceability, and privileged controls more manageable inside mission-critical environments. That is strong adoption proof because it shows Delinea deployed in production workflows tied to finance, utilities, remote access, and governance—not only in lab demos or aspirational roadmap language.[CU012, CU013, CU014, CU015, CU016, CU017]
| Customer | Segment | Deployment / use case | Production vs pilot | Outcome / evidence | Limitation |
|---|---|---|---|---|---|
| Robert Weed | Manufacturing | Secret Server for privileged credentials across systems, workstations, and third-party access | Production | Nearly 200 systems, 100+ workstations, and estimated 90% reduction in password-management effort | No commercial terms, renewal status, or broader module usage disclosed |
| Boyner | Retail | Secret Server plus Privileged Remote Access on the Delinea Platform for account security and third-party access | Production | 40%+ reduction in time/cost for privileged-account management and 60% lower compliance-support effort | Company-issued case study; no ACV or deployment timeline disclosed |
| The Trade Desk | Technology / finance controls | Fastpath for SoD and change tracking in Oracle Cloud ERP | Production | Used across 1,200+ global users with auditor-facing reporting value | No contract size, renewal data, or multi-product scope disclosed |
| TEPCO Systems | Utilities / critical infrastructure | Secret Server for zero-trust privileged controls and J-SOX compliance | Production | 40% lower privileged-ID management workload and 48 hours saved per audit | Operational depth is strong, but revenue relevance to Delinea is undisclosed |
| SBA Communications | Wireless infrastructure / public company | Fastpath for SOX reporting, SoD analysis, and Dynamics GP change tracking | Production | Reporting moved from days/weeks to hours and became part of daily process | No information on seat count, spend, or renewal quality |
Rows reflect the strongest publicly visible case studies reviewed for this chapter. Coverage is partial because Delinea’s total installed base is undisclosed and only a subset of reference customers publish usable details.
[CU010, CU012, CU013, CU015, CU017, CU018]
How public customer examples progress from a control problem to measurable operational value.
[CU013, CU017, CU021, CU023, CU025, CU036]
Public evidence quality is strongest where Delinea publishes detailed case studies with both deployment context and outcome specificity.
These are evidence-quality judgments from the public record, not direct customer-health metrics. Retention visibility remains low because Delinea does not publish cohort or renewal data for named references.
[CU012, CU015, CU019, CU022, CU024, CU033]
6.3 Durability, expansion, and public review signal
Public durability evidence for Delinea is real but incomplete. On the positive side, the company does not behave like a vendor that disappears after the initial sale: the customers page describes onboarding resources, dedicated technical and customer-success roles, community programs, roadmap communication, and renewal engagement that can begin 120 days before contract end. The newly announced Delinea Edge conference extends that same pattern into a customer-education and peer-learning surface. Public reviews also support durability in a narrower sense. PeerSpot and TrustRadius repeatedly describe Secret Server as valuable for secure vaulting, password rotation, access approvals, audit trails, and operational control. Those are core workflow benefits that tend to embed deeply inside IT and security operations once deployed. But the same reviews also explain why retention and expansion cannot be assumed blindly. Setup, reporting, integration, API flexibility, pricing, and UX issues recur often enough to matter. The result is a picture of a vendor with credible stickiness in its core PAM workflows, yet still exposed to deployment friction that could slow broader rollout or create buyer frustration in complex environments. Without public NRR, GRR, or churn data, those qualitative signals are directionally helpful but not conclusive.[CU001, CU002, CU003, CU004, CU005, CU006]
| Metric / signal | Value | Segment / scope | Confidence | Interpretation | Diligence ask |
|---|---|---|---|---|---|
| NRR | | Company-wide | Low | Not publicly disclosed | Request NRR by product and segment for 2024, 2025, and YTD 2026 |
| GRR / logo churn | | Company-wide | Low | Not publicly disclosed | Request gross retention and logo churn by cohort |
| Renewal management process | Visible; outreach can begin 120 days before renewal | Existing customers | High | Shows deliberate renewal motion but not outcomes | Request renewal-rate conversion and save-rate metrics |
| Customer success and enablement surfaces | Visible; support roles, community, office hours, newsletters, roadmap updates, customer conference | Post-sale lifecycle | High | Positive procedural retention signal | Request usage and participation data tied to renewals and expansion |
| Review-surface satisfaction | Mixed-positive; strong on vaulting/auditability, weaker on setup/reporting/integration | Secret Server user reviews | Medium | Suggests core stickiness with non-trivial deployment friction | Request reference calls across smooth and difficult deployments |
| Contract length / cohort durability | | By segment | Low | No public contract-duration or cohort data | Request average term, renewal cadence, and early-churn patterns |
The public record gives process and review signals but not actual retention economics. Null cells are intentional and should be closed in management diligence rather than guessed from SaaS averages.
[CU004, CU005, CU006, CU032, CU033, CU030]
Public customer evidence is strongest on lifecycle process and named proof, but weakest on quantitative durability disclosure.
Ordinal 1-5 visibility scores based on public disclosure quality, where 5 means robust public evidence and 1 means little or no quantitative disclosure. This is a disclosure-quality view, not a health score.
[CU032, CU033, CU034, CU036]
6.4 Customer risks and remaining underwriting gaps
The customer chapter still leaves three underwriting gaps unresolved. First, concentration remains opaque. Public named references prove that Delinea can win and retain serious customers, but they do not reveal whether revenue is broadly distributed or concentrated in a handful of large enterprise accounts. Second, the visible customer base likely skews more enterprise and compliance-heavy than the company’s total account count, which means public proof may overrepresent high-value reference customers. Third, customer trust risk is no longer purely theoretical. The 2024 Secret Server disclosure controversy and CVE do not prove broad churn, but they are exactly the sort of vendor-response issue that security buyers, auditors, and procurement teams scrutinize at renewal. Taken together, the public record supports the idea that Delinea has real production adoption and meaningful customer-success infrastructure, but it does not yet support a clean conclusion on retention quality, concentration risk, or the exact mix of expansion versus replacement revenue. Investors should treat the customer story as materially positive on proof of use, yet still incomplete on durability economics.[CU034, CU035, CU037]
| Driver / risk | Public signal | Impact | Current read | Diligence path |
|---|---|---|---|---|
| Land-and-expand through adjacent modules | Case studies show Secret Server expanding into PRA and Fastpath use cases | Higher ACV and deeper workflow lock-in | Positive but unquantified | Request module attach rates and expansion ARR by cohort |
| Customer-success operating investment | Customer success, global services, community, newsletters, and conference surfaces are visible | Can support renewal and broader deployment | Positive procedural signal | Request retention impact and upsell conversion tied to these programs |
| Enterprise / regulated-customer skew | Named public proof leans heavily toward enterprise and compliance-heavy buyers | Can raise ACV but may overstate broader base quality | Meaningful interpretive risk | Request customer mix by ACV, employee size, and vertical |
| Top-customer concentration | No public concentration disclosure | Could amplify renewal or procurement shocks | Unknown / unresolved | Request top-10 customer ARR share and renewal calendar |
| Customer trust / security-response risk | 2024 Secret Server disclosure controversy and CVE remain visible on the open web | Could slow procurement or weigh on renewals for risk-sensitive buyers | Real but not quantified | Request churn analysis, renewal objections, and incident-postmortem customer communications |
| Price and implementation sensitivity | Review sites cite pricing, integration, setup, and UX friction | Can limit rollout pace or shrink deal size in budget-sensitive accounts | Moderate risk | Request competitive loss reasons and time-to-value distribution |
Expansion appears credible from public case studies, but concentration and retention economics remain unresolved. This table mixes visible positive drivers with explicit underwriting gaps rather than forcing unsupported precision.
[CU036, CU007, CU035, CU034, CU037, CU031]
07 Risks
7.1 Regulatory, privacy, and contract risk
Delinea’s public legal and privacy surfaces show a real compliance burden, not generic cybersecurity boilerplate. The privacy policy says the company processes personal information across marketing, events, customer support, community forums, billing, and cloud-service delivery, and it explicitly references GDPR, CCPA, international transfers, and a processor role governed by the DPA. California and EU guidance raise the stakes further: CCPA creates deletion, correction, opt-out, and certain breach-liability rights, while EU data-protection guidance emphasizes binding GDPR obligations and cross-border transfer safeguards. Delinea’s public contracts are also materially relevant to risk. The terms of use choose California venue and broadly disclaim warranties and consequential damages for site-related materials. The MSLA is more operationally important: annual prepayment, auto-renewals, usage reporting, audit rights, and channel-partner purchase mechanics all create potential friction around renewals, billing, and disputes. None of this proves Delinea has suffered material enforcement or litigation, but it does prove the company operates inside a meaningful privacy-and-contract risk envelope. The correct underwriting conclusion is not that Delinea has a known legal problem; it is that the legal and regulatory obligations are visible while actual enforcement history remains incompletely disclosed.[CR001, CR002, CR003, CR004, CR005, CR006]
| Rule / framework / obligation | Jurisdiction | Current status | Likelihood | Severity | Mitigation | Residual exposure | Diligence path |
|---|---|---|---|---|---|---|---|
| GDPR and international transfer obligations | EU / EEA | Applies where Delinea processes EU personal data or transfers it internationally | Medium | High | Privacy policy, DPA, SCC/BCR guidance context, processor role | Medium | Request transfer-impact assessments, subprocessor map, and EU complaint history |
| CCPA / CPRA consumer privacy obligations | California | Applies if Delinea meets business thresholds and processes California personal information | Medium | High | Privacy notices, consumer-rights handling, processor framing | Medium | Request DSAR metrics, consumer complaints, and breach-response playbooks |
| FedRAMP High authorization gap | US federal | Under Assessment, not publicly shown as fully authorized | Medium | Medium-High | Partnership with UberEther and ongoing 3PAO assessment | Medium | Request full authorization timeline, blockers, and federal pipeline dependence |
| Customer contract, renewal, and usage-audit obligations | Contractual / global | MSLA imposes annual prepay, usage reporting, and audit rights | Medium | Medium | Standardized contract framework and ordering-document overrides | Medium | Review negotiated deviations, dispute history, and renewal friction by segment |
| Warranty and liability limitation posture | Contractual / California venue | Terms and site materials disclaim broad warranties and damages subject to law | Low-Medium | Medium | Standard vendor risk allocation language | Medium | Review enterprise MSA carve-outs, indemnities, and cyber-liability caps |
| Privacy enforcement / litigation history | Unknown / multi-jurisdiction | No clear public action identified in reviewed sources | Unknown | Medium-High if present | No visible evidence in reviewed public record | Unknown | Request litigation, enforcement, and complaint schedule |
Coverage is partial because the public record does not show litigation history, regulator correspondence, or all customer-specific contractual commitments.
[CR003, CR004, CR005, CR006, CR007, CR008]
Highest residual risk clusters are security-process quality, cloud availability dependence, and execution under opacity.
Ordinal ratings reflect the public evidence reviewed in this chapter and should be recalibrated with internal diligence data on incidents, renewals, and integration progress.
[CR021, CR025, CR003, CR027, CR034, CR037]
7.2 Operational, security, and availability risk
Operationally, Delinea’s own surfaces show a more nuanced picture than its marketing posture alone. The DPA, trust center, and status center collectively show a mature control stack, but also a business exposed to the standard failure modes of modern identity-security SaaS. The DPA lays out multitenancy, annual assessments, third-party pentests, shared responsibility, and heavy use of AWS and Azure. Those are real mitigants. But the trust center also lists multiple recent Cloud Suite and Privileged Access Service vulnerabilities, including a 2026 SQL injection issue scored at CVSS 9.3, and it reminds on-prem customers that host-level compromise can expose both application data and encryption keys. Independent reporting and NVD preserve the memory of the 2024 Secret Server disclosure controversy, which matters because vendor-response quality is part of the product promise in security software. The status center proves the availability side is also real: emergency certificate rotation, EU secret-launch failures tied to a cloud provider outage, and US login timeouts tied to an upstream network-provider disruption all happened in May 2026. Delinea has meaningful mitigations—regional hosting, uptime commitments, trust-center notices, and formal maintenance communication—but the open-web record still supports security-process and availability risk as top-tier residual exposures.[CR011, CR012, CR013, CR014, CR016, CR017]
| Failure mode | Likelihood | Severity | Mitigation maturity | Residual exposure | Unresolved gap |
|---|---|---|---|---|---|
| Recurring product-vulnerability cadence in Cloud Suite / PAS / Secret Server | Medium | High | Medium — trust center, patches, annual testing, SOC 2 / ISO narratives | High | Need full vulnerability trend, MTTR, and exploitability history |
| Incident response or disclosure-process misstep damages trust | Medium | High | Medium — public advisories and trust center exist | High | Need formal postmortems, disclosure policy metrics, and customer comms history |
| Cloud or network-provider outage impacts Secret Server Cloud or Platform login | Medium | High | Medium — regional hosting, status updates, alternate infrastructure, SLA | Medium-High | Need provider concentration, failover tests, and incident-cost history |
| Emergency maintenance disrupts AD authentication, MFA, or connector workflows | Medium | Medium-High | Medium — maintenance windows and support guidance exist | Medium | Need connector dependency mapping and recovery statistics |
| On-prem customer misconfiguration or host compromise exposes secrets | Medium | High | Low-Medium — hardening guidance and shared-responsibility language | High | Need install-base split on-prem vs cloud and support burden by deployment model |
| Geopolitical cyber-threat escalation indirectly affects third-party infrastructure | Low-Medium | Medium | Medium — trust center monitoring and provider resilience | Medium | Need regional cloud-dependency map and customer exposure by geography |
Residual ratings are based on the combination of public vulnerability disclosures, official status history, and shared-responsibility language. They should be refined with internal incident and SLA-credit data.
[CR012, CR014, CR016, CR017, CR018, CR021]
Key risks propagate into customer trust, support costs, growth timing, and valuation confidence rather than staying isolated inside engineering or legal teams.
[CR021, CR025, CR005, CR027, CR047]
Delinea’s main dependencies sit across cloud providers, channel partners, public-sector execution partners, and acquired platforms.
[CR012, CR031, CR028, CR032, CR033]
7.3 Partner, platform, and public-sector dependence
Delinea’s risk is not only technical; it is also architectural and commercial. The company’s DPA says AWS and Azure host the cloud services, and the status center shows that upstream provider issues can propagate into customer-facing disruptions. The partner and public-sector motions add another layer. Delinea’s partner program is not cosmetic: it spans resellers, GSIs, and MSPs with incentives, enablement, and tiering, and the Climb expansion extends that model deeper into Europe. That gives Delinea leverage, but it also makes execution partially dependent on distributor throughput and partner quality. The FedRAMP path highlights a sharper dependency. Both public announcements place UberEther at the center of the deployment model, which implies Delinea’s government motion depends on more than its own product readiness. On the product side, Fastpath and StrongDM each expand Delinea’s surface area and opportunity, but they also increase integration and roadmap complexity at the same time the company is scaling channels, services, and regional presence. These are manageable risks for a sponsor-backed growth platform, yet they are exactly the kind of interdependent execution risks that can turn into delayed launches, confused positioning, or integration drag if leadership focus slips.[CR027, CR028, CR029, CR030, CR031, CR032]
| Dependency | Counterparty / layer | Role | Concentration | Failure scenario | Severity | Mitigation | Residual exposure |
|---|---|---|---|---|---|---|---|
| Cloud infrastructure hosting | AWS and Azure | Core cloud-service hosting and resilience | High | Provider outage, pricing pressure, or control failure affects service availability or margins | High | Multi-region operations, shared responsibility, provider compliance programs | Medium-High |
| Upstream network providers | Regional datacenter / routing vendors | Traffic routing and service availability | Medium | Regional network disruption causes login or secret-launch failures | Medium-High | Status response process and provider remediation | Medium |
| European distribution expansion | Climb Channel Solutions | Distributor-led GTM into UK, Ireland, and DACH | Medium | Weak distributor execution slows pipeline, onboarding, or partner quality | Medium | Broader partner program and multi-partner model | Medium |
| Federal deployment execution | UberEther | FedRAMP High-ready deployment partner | Medium | Partner slippage delays authorization or public-sector deals | High | Shared incentives and explicit joint motion | Medium-High |
| Acquired governance platform | Fastpath | IGA / SoD / access-review expansion layer | Medium | Integration delays or product sprawl slow delivery and messaging | Medium-High | Common platform narrative and existing productized controls | Medium |
| Acquired runtime-access platform | StrongDM | JIT runtime authorization for modern infrastructure and AI use cases | Medium | Integration missteps slow roadmap or confuse customers | High | Strategic rationale is strong but execution not yet externally proven | High |
Dependency severity reflects not just concentration but also how quickly a failure could propagate into customer trust, federal posture, or growth execution.
[CR012, CR013, CR028, CR030, CR031, CR032]

| Role / function | Dependency or gap | Likelihood | Severity | Mitigation | Diligence path |
|---|---|---|---|---|---|
| GTM leadership | Leadership transitioned from James Legg to Rick Hanson to Chris Kelly while the company kept scaling | Medium | Medium-High | Experienced external hires and continuing executive buildout | Request succession plans, quota productivity, and churn by GTM layer |
| Services and customer success | Ongoing hiring indicates scale investment but also organizational load | Medium | Medium | Dedicated global-services and customer-success leadership added | Request service gross margin, backlog, and support staffing trends |
| Product integration leadership | Fastpath and StrongDM integration requires coordination across product, engineering, and GTM | Medium | High | Strategic narrative and product-specific teams exist | Request integration scorecards, release milestones, and acquired-team retention |
| Channel operations | Expanding partner ecosystem and Europe distribution increases enablement and governance burden | Medium | Medium | Formal partner program with tiering and incentives | Request partner-sourced pipeline quality and churn |
| Bench depth / succession | Public visibility is concentrated in a handful of executives | Medium | Medium | No major public instability signal, but limited succession detail | Request org charts, successors, and regretted attrition data |
These are execution risks rather than accusations of dysfunction. Public evidence shows movement and growth, but not enough detail to fully underwrite bench depth and integration cadence.
[CR034, CR035, CR036]
7.4 People, execution, and financial-model risk
The final risk bucket is execution under opacity. Delinea’s public releases show significant momentum—ARR above $400 million, continued service and customer-success investment, acquisitions, channel growth, and public-sector ambition—but none of that comes with the disclosure depth public investors would expect from a listed peer. CyberArk’s SEC filing is a useful benchmark because it shows how much more transparently a public identity-security vendor discusses recurring revenue, support and cloud cost drivers, and risk factors. Delinea does not provide that level of detail publicly. The company has also moved through meaningful GTM leadership transitions: James Legg to Rick Hanson, then later to Chris Kelly, alongside continuing hires in channels, services, and customer success. That can be healthy scaling, but it is still operating change. The key risk is therefore less about one single broken metric and more about cumulative execution load: integrating acquisitions, scaling partners, managing availability, satisfying privacy obligations, and preserving customer trust while disclosure remains partial. If that bundle of tasks goes well, the same changes can deepen Delinea’s moat; if it goes poorly, the downside will likely appear first in support burden, slower renewals, or delayed public-sector and cross-sell execution rather than in one dramatic headline event.[CR035, CR036, CR037, CR038, CR039, CR040]
| Risk | Monitorable trigger | Threshold / event | Action implication |
|---|---|---|---|
| Security-process risk | High-severity vulnerability cadence | Another externally reported disclosure breakdown or exploitable high-severity CVE cluster without convincing postmortem | Escalate diligence; downgrade confidence until process repair is evidenced |
| Cloud availability risk | Customer-facing outage frequency | Repeated regional outages or connector disruptions within a short window | Reassess uptime claims and support-cost assumptions |
| FedRAMP / public-sector execution risk | Authorization milestone slippage | FedRAMP stalls without clear next milestone or UberEther execution issues emerge | Reduce public-sector upside and treat government motion as option value only |
| Acquisition integration risk | Missed product-integration milestones | Fastpath or StrongDM integration slips materially or cross-sell remains weak | Lower platform-thesis confidence and adjust valuation for product sprawl |
| Channel dependence risk | Partner-sourced pipeline quality | Distributor expansion adds low-conversion pipeline or partner churn | Demand direct-sales productivity proof before crediting channel growth |
| Model-opacity risk | Disclosure remains thin in diligence | Management cannot produce audited retention, margin, debt, and incident-cost data | Treat opacity itself as a thesis break for aggressive underwriting |
These kill criteria are designed for diligence use: each trigger is something management can either satisfy with data or fail with continuing opacity.
[CR021, CR025, CR027, CR034, CR031, CR037]
08 Valuation
8.1 Valuation context and price visibility
The public valuation problem for Delinea is not lack of evidence on business quality; it is lack of evidence on today's price. The cleanest transaction benchmark still appears to be historical. Crunchbase records TPG's 2021 acquisition at $1.4 billion, and Mergr frames that deal as a secondary buyout rather than a conventional growth round. Since then, Delinea has disclosed operating momentum—most notably ARR above $400 million and a SaaS-majority mix—but it has not published a fresh valuation mark, a new round, or an IPO range. That gap matters because sponsor-backed software businesses can create value without giving outside observers any visibility into debt, preference stack, or recapitalization dynamics. Third-party databases do not solve the problem; they worsen it. GetLatka posts a dramatically lower valuation and revenue estimate that conflicts with both Delinea's own ARR claim and the sponsor-backed ownership history. The safest public conclusion is therefore straightforward: Delinea may be more valuable than the 2021 benchmark, but the market still does not know the current price well enough to call it attractive or expensive with confidence.[CV002, CV003, CV001, CV004, CV005, CV015]
| Dimension | Assessment | Rationale |
|---|---|---|
| Recommendation | Track | Company quality appears credible, but public sources do not reveal the price or capital structure well enough for a buy call. |
| Confidence | Medium | ARR scale and comps are directionally useful, but today's valuation, leverage, and retention quality remain private. |
| Risk Rating | High | The core risk is information asymmetry around valuation, debt, preferences, and quality-of-revenue metrics. |
| Valuation Stance | Unknown | No new post-2021 price is publicly visible, so the call cannot be attractive, fair, or stretched with precision. |
| Decision Implication | Re-engage only on a disclosure event | The right trigger is an IPO filing, financing, secondary process, or management data room that reveals valuation and unit-economics inputs. |
Because Delinea lacks a current public valuation mark, the recommendation is explicitly evidence-sensitive rather than a claim that the company lacks quality.
[CV016, CV020, CV022]
Logic chain from Delinea’s visible scale and peer framing to the final Track recommendation.
[CV001, CV010, CV016, CV020]
8.2 Public comparable framework
Public comparables do offer a usable framework, just not a precise answer. The most relevant public anchors sit inside identity and security software rather than broad horizontal SaaS. Using May 2026 public market data, CyberArk trades near the high end of the relevant band, Okta sits much lower, and SailPoint lands between them. A sector view from Multiples.vc fills in the middle by showing cybersecurity and GRC software multiples that are still materially above generic software categories. That creates a sensible interpretation for Delinea. It should not be valued like the highest-disclosure, best-in-class public benchmark automatically, but neither should it be valued as if it were a weak generalist SaaS asset. The comp set therefore supports a wide but real zone of reasonableness rather than a single point estimate. In practical terms, Delinea looks more like a company that deserves identity-security peer framing, while still suffering a private-company and disclosure discount.[CV006, CV007, CV008, CV009, CV010, CV013]
| Comparable / reference | Revenue or ARR basis | Valuation / multiple | Relevance | Limitation |
|---|---|---|---|---|
| CyberArk | $1.30B TTM revenue; public identity-security leader | ~15.9x revenue | High-end public benchmark for identity/security scarcity and premium security multiples. | Best-in-class disclosure and strategic position; likely a generous anchor for Delinea. |
| Okta | $2.91B TTM revenue; public identity platform | ~5.2x revenue | Useful lower-end identity-platform benchmark for scale with more mature public scrutiny. | Broader identity category and different growth/margin profile; not a PAM-pure comp. |
| SailPoint | $1.07B TTM revenue; identity-governance specialist | ~7.7x revenue | Middle reference for identity-governance exposure and a listed peer closer to compliance workflows. | Still not a clean Delinea analog across product mix, ownership history, or margins. |
| Sector medians (Multiples.vc) | Public cybersecurity ~13.8x; GRC ~9.3x | Category revenue multiples | Helps place Delinea between cybersecurity premium and governance/compliance software bands. | Sector medians are not company-specific and cannot replace direct comps. |
| Delinea 2021 TPG transaction benchmark | Historical transaction value | $1.4B (historical) | Useful floor-like milestone for how far value may have moved since sponsor consolidation. | Stale sponsor transaction; not a current market-clearing price and not directly comparable to a 2026 liquidity event. |
Coverage is partial because public data does not expose every relevant private sponsor or M&A identity-security benchmark with enough transparency to use confidently.
[CV002, CV006, CV007, CV008, CV009, CV010]
Sensitivity of Delinea’s implied enterprise value to different revenue multiples using the public >$400M ARR milestone as the base.
[CV001, CV010, CV011, CV012]
8.3 Scenario analysis and valuation range
If Delinea's public >$400 million ARR milestone is used as the base input, the peer band produces a valuation range that is directionally useful but intentionally wide. The bear case assumes the market ultimately values Delinea closer to lower-multiple identity platforms or that hidden leverage and weaker retention compress the effective multiple into the 4x–5.5x area. That yields a roughly $1.6 billion to $2.2 billion range and would mean surprisingly little value creation since the 2021 sponsor transaction. The base case assumes a 7x–10x band, which implies roughly $2.8 billion to $4.0 billion and roughly fits a business with real scale and category relevance, but still notable opacity. The bull case assumes Delinea can earn something closer to premium cybersecurity multiples if its ARR quality, margin profile, and exit readiness prove strong, pointing to roughly $5.0 billion to $6.4 billion. Public evidence is strong enough to justify the three-scenario structure, but not strong enough to weight those scenarios precisely. The model should therefore be treated as a screening tool for price discipline, not as a substitute for a data room.[CV001, CV010, CV011, CV012, CV019]
| Scenario | ARR assumption | Multiple band | Implied valuation range | Key assumptions | Probability signal |
|---|---|---|---|---|---|
| Bear | ≈$400M ARR treated as lower-quality or more burdened than peers | 4.0x–5.5x | $1.6B–$2.2B | NRR weak, gross margin underwhelming, leverage or preferences heavy, and market applies a lower identity-platform multiple. | Real downside case if disclosure reveals materially worse quality than the public story implies. |
| Base | ≈$400M ARR with quality roughly in line with mid-tier identity/security peers | 7.0x–10.0x | $2.8B–$4.0B | Recurring mix is solid, margin profile acceptable, and exit readiness exists but still carries private-company discount. | Most plausible public-only range, but still low confidence without a data room. |
| Bull | >$400M ARR plus premium retention, strong margins, and credible IPO readiness | 12.5x–16.0x | $5.0B–$6.4B | Delinea proves closer to premium cybersecurity comps and the market rewards identity-security scarcity plus scale. | Possible, but only if future disclosure materially upgrades confidence in quality and exit readiness. |
Ranges are illustrative enterprise-value scenarios, not equity values. Capital-structure adjustments could move realized equity outcomes materially.
[CV011, CV012, CV019]
Historical benchmark and future scenario ranges for Delinea based on public-only valuation framing.
[CV002, CV011, CV012]
8.4 Investment thesis, anti-thesis, and decision
The positive investment case is not hard to articulate. Delinea appears to have meaningful identity-security scale, a recurring SaaS-heavy revenue base, and a category context where public comps can still support mid- to high-single-digit or better revenue multiples. The negative case is also unusually clear: valuation visibility is poor, third-party databases are contradictory, public peers disclose far more than Delinea does, and the sponsor structure hides exactly the economics that matter most to outside investors. That combination blocks a buy recommendation. A disciplined investor can reasonably keep Delinea on a watchlist and be prepared to engage if a financing, IPO filing, or secondary process creates real price visibility. But until then, the correct posture is Track rather than Buy. The next step is not creative modeling; it is evidence collection on valuation mark, leverage, retention, margins, and exit readiness.[CV017, CV018, CV016, CV020, CV021, CV022]
| Argument | Evidence Base | What Changes the View |
|---|---|---|
| THESIS: Delinea has reached real identity-security scale | Official ARR above $400M with SaaS-majority mix suggests material recurring revenue and strategic relevance. | View strengthens if audited ARR, NRR, and margin data confirm durable expansion rather than one-time milestone optics. |
| THESIS: Public identity-security comps can support meaningful valuation upside from the 2021 benchmark | CyberArk, SailPoint, Okta, and sector median data support mid- to high-single-digit or better revenue multiples for credible identity/security assets. | View strengthens if Delinea proves closer to premium cybersecurity economics than to lower-multiple platform peers. |
| ANTI-THESIS: The current price is effectively unknown | No fresh valuation mark, financing round, or IPO range is public; third-party databases conflict materially. | View improves only when a real price and cap-structure package are disclosed. |
| ANTI-THESIS: Sponsor structure can hide downside even if the business is good | Debt, preferences, recap terms, and waterfall economics are not visible in public sources. | View improves if leverage is modest and exit proceeds are not structurally impaired by sponsor economics. |
Each row states what would materially change the view rather than treating the thesis as static.
[CV017, CV018, CV015, CV020]

| Trigger | Threshold | Transmission to thesis | Action implication |
|---|---|---|---|
| Net revenue retention | Below 100% | Would imply the installed base is not expanding enough to support premium identity-security multiples. | Downgrade from Track toward Avoid absent a much lower entry price. |
| Gross margin quality | Materially below public identity peers after adjusting for services | Would suggest weaker software economics and lower long-term valuation support. | Re-cut valuation toward bear case or lower. |
| Debt / preference overhang | Meaningful leverage or waterfall terms that absorb exit proceeds | Would weaken the equity value available to new investors even if enterprise value looks sound. | Require major discount or avoid the process. |
| New pricing event | Above ~12x ARR without much better disclosure | Would ask investors to pay a premium multiple while still underwriting blind. | Pass unless the disclosure package improves materially. |
| Disclosure behavior | No audited metrics shared in a serious process | Would confirm that price opacity is structural rather than temporary. | Do not advance beyond watchlist status. |
Thresholds are public-comparable-informed heuristics intended to force discipline before any future process.
[CV021, CV020]

| Topic | Missing Evidence | Why It Matters | Diligence Path |
|---|---|---|---|
| Current valuation mark | Latest board-approved valuation, financing memo, or sponsor sale range | Without a current price there is no way to classify the opportunity as attractive, fair, or stretched. | Request the latest financing or valuation materials under NDA. |
| Cap table, debt, and preference stack | Ownership %, leverage, maturities, covenants, and waterfall terms | Enterprise-value scenarios do not equal equity value when sponsor structures are complex. | Request capitalization table, debt schedule, and waterfall summary. |
| ARR / NRR / GRR / gross-margin bridge | Audited recurring-revenue quality metrics and cost structure | These are the main drivers of where Delinea should sit inside the 5x–16x peer band. | Request audited historical metrics by year and by product or deployment mix. |
| Customer concentration and cohort retention | Segment mix, top-account concentration, renewal history, and expansion behavior | Validates whether customer proof translates into durable value rather than isolated reference logos. | Request customer cohort files and concentration analysis. |
| Exit readiness | IPO workstreams, banker engagement, public-company readiness, or sponsor exit timing | The route to liquidity affects both valuation multiple and timing assumptions. | Request board materials or formal process updates on strategic options. |
These asks are deliberately practical and focused on the missing inputs that determine value, not generic curiosity questions.
[CV022, CV015, CV020]
IC-style scoring of Delinea’s investability based on public information only.
[CV017, CV018, CV020, CV022]
Disclaimer
This report is a public-evidence diligence snapshot, not investment advice. Important financial, legal, technical, and contractual facts remain non-public and should be verified directly with management and primary documents before any investment decision.
Evidence index
| ID | Statement | Confidence | Sources |
|---|---|---|---|
| CO001 | Delinea now presents itself as an identity security control plane built around centralized authorization for human, machine, and AI identities. | High | SO001, SO015 |
| CO002 | Delinea publicly claims a 99.995% uptime commitment for its platform. | High | SO001, SO008 |
| CO003 | Delinea’s about page says the company has 500+ integrations. | Medium | SO001 |
| CO004 | Delinea’s about page says the platform secures more than 1 million identities daily. | Medium | SO001 |
| CO005 | Delinea’s current product catalog includes Secret Server, DevOps Secrets Vault, Privilege Manager, Cloud Suite/Server PAM, Identity Threat Protection, Privilege Control products, and Fastpath governance modules. | High | SO002, SO001 |
| CO006 | Secret Server is Delinea’s flagship enterprise-grade PAM vault with discovery, password rotation, session monitoring, and audit capabilities. | Medium | SO003 |
| CO007 | Privilege Manager focuses on least-privilege endpoint controls, just-in-time access, application control, and reporting for workstations. | Medium | SO004 |
| CO008 | Cloud Suite is positioned as a multi-cloud/server PAM offering that centralizes identities, enforces just-in-time privilege, MFA, and session auditing. | Medium | SO005 |
| CO009 | Identity Threat Protection is Delinea’s current analytics-led product for continuous identity monitoring, anomaly detection, and remediation guidance. | Medium | SO006 |
| CO010 | Delinea Authorization, powered by Iris AI, is marketed as a real-time, risk-based authorization layer inside the cloud-native platform. | High | SO007, SO016 |
| CO011 | The Thycotic transition page still routes visitors to legacy Delinea offerings such as DevOps Secrets Vault, Privileged Behavior Analytics, Privilege Manager, and Secret Server. | High | SO030, SO002 |
| CO012 | Official launch materials say Delinea was formed in April 2021 through the merger of Thycotic and Centrify. | High | SO009, SO010, SO019, SO020 |
| CO013 | Delinea publicly debuted the Delinea brand on February 1, 2022. | High | SO009, SO019, SO020 |
| CO014 | The 2021 combination announcement made Art Gilliland CEO of the merged business and James Legg president. | High | SO010, SO020, SO012 |
| CO015 | Art Gilliland remained Delinea’s CEO in the 2025 and 2026 official releases reviewed for this chapter. | High | SO015, SO016, SO017 |
| CO016 | Rick Hanson joined Delinea as president in August 2022 and took over global go-to-market responsibilities from James Legg. | Medium | SO012 |
| CO017 | Delinea’s December 2021 post-merger leadership buildout added Suzanne Tom, Jon Kuhn, Ram Venkatachalam, Josh DeLong, and publicly named Pascal Van Dooren as a board member. | Medium | SO011 |
| CO018 | By 2025-2026 Delinea’s public leadership bench included CFO Stephanie Reiter, President GTM Chris Kelly, SVP Spence Young, and new regional leaders across EMEA and APAC. | High | SO035, SO016, SO031, SO034 |
| CO019 | Governance disclosure remains partial because reviewed public sources named only one current-era board member and did not provide a full current board roster or control-rights breakdown. | Medium | SO011, SO024, SO025 |
| CO020 | The best-supported current headquarters location is San Francisco, with PitchBook, GetLatka, and IncFact all pointing to San Francisco addresses. | High | SO025, SO028, SO029 |
| CO021 | Earlier official Delinea releases used Redwood City and Washington, DC datelines, so headquarters history should be treated as an evolution rather than a single static location across all years. | Medium | SO009, SO011, SO012, SO013 |
| CO022 | The 2021 combination release says TPG acquired Thycotic from Insight Partners, had already closed the Centrify acquisition, and received minority support from Thoma Bravo and PSP Investments for the merged company. | Medium | SO010 |
| CO023 | Crunchbase lists Delinea as acquired by TPG for $1.4 billion on March 2, 2021. | Medium | SO024 |
| CO024 | Mergr separately records TPG’s January 2021 acquisition of Delinea/Centrify from Thoma Bravo and Golub Capital. | Medium | SO026 |
| CO025 | Current profile sources characterize Delinea as private, private-equity-backed, and in IPO registration rather than publicly listed. | High | SO024, SO025 |
| CO026 | Reviewed public sources did not corroborate a separate 2024 TPG strategic growth investment in Delinea, instead showing continuing TPG control and IPO-registration style exit signals. | Medium | SO024, SO025, SO026 |
| CO027 | Reviewed public sources did not corroborate an active Francisco Partners stake in Delinea’s current cap table. | Medium | SO024, SO025, SO026, SO027 |
| CO028 | Third-party market-data sources conflict on Delinea’s capital history, with GetLatka showing no outside funding, Tracxn showing legacy venture rounds, and Crunchbase/PitchBook emphasizing private-equity ownership. | Medium | SO024, SO025, SO027, SO028 |
| CO029 | Delinea closed 2022 with $250 million in ARR, more than 25% ARR growth, 85% recurring revenue, and 1,300+ new customers added during the year. | Medium | SO013 |
| CO030 | A January 2025 Delinea release said 2024 milestones included ARR above $350 million as of Q2 2024 and a customer base of over 8,500 organizations worldwide. | Medium | SO035 |
| CO031 | Delinea’s March 2025 year-end release said fiscal 2024 ARR was approaching $400 million and 95% of total GAAP revenue was recurring. | High | SO015, SO032 |
| CO032 | Delinea’s August 2025 update said ARR had surpassed $400 million and that SaaS remained the majority of ARR. | High | SO016, SO031 |
| CO033 | Delinea described its 2025 operating profile as durable, profitable, and margin-healthy, but the company still did not publish audited public financial statements or a new public valuation. | Medium | SO016, SO031 |
| CO034 | By 2025-2026 Delinea was publicly positioning itself as a cloud-native identity security platform for human, machine, and AI identities, not just a classic PAM vendor. | High | SO001, SO015, SO016, SO033, SO034 |
| CO035 | Delinea Iris AI is presented as the engine behind authorization, auditing, and secure-AI controls in the Delinea Platform. | High | SO007, SO015, SO016, SO033, SO034 |
| CO036 | The 2024 partner-program launch showed Delinea investing in a four-tier global ecosystem across resellers, GSIs, and MSP/MSSPs. | Medium | SO014 |
| CO037 | The March 2025 release tied Delinea’s Mexico City expansion to scaling centralized teams and sustaining growth after fiscal 2024 performance. | High | SO015, SO032 |
| CO038 | In May 2025 Delinea began the FedRAMP High authorization process for Secret Server in partnership with UberEther. | Medium | SO017 |
| CO039 | In February 2026 Delinea added three leaders across EMEA and APAC and tied the move to expanding customer adoption and channel scale. | Medium | SO034 |
| CO040 | In March 2026 Delinea completed the StrongDM acquisition to bring just-in-time runtime authorization into the Delinea Platform for AI-driven environments; financial terms were not disclosed. | Medium | SO033 |
| CO041 | The latest exact customer-scale figure found in reviewed public materials was over 8,500 organizations worldwide, while later sources reverted to the less precise claim of thousands of customers and over half of the Fortune 100. | Medium | SO035, SO009, SO019, SO024 |
| CO042 | Public headcount signals cluster in the low-thousands but remain inconsistent: Crunchbase shows 501-1000 employees, PitchBook 1,136, and GetLatka about 1.2K. | Medium | SO024, SO025, SO028 |
| CO043 | IncFact places Delinea in a broad $100 million to $500 million revenue band as of May 2026, which is directionally consistent with the company’s 2025 ARR disclosures but too wide for exact modeling. | Medium | SO029, SO015, SO016 |
| CO044 | In April 2024 Delinea rushed to patch a critical Secret Server SOAP API flaw after the issue became public. | High | SO021, SO022, SO023 |
| CO045 | SecurityWeek and Dark Reading both reported that Delinea appeared to ignore or mishandle weeks of responsible-disclosure attempts before patching the flaw. | High | SO021, SO022 |
| CO046 | NVD CVE-2024-33891 says Secret Server before version 11.7.000001 allowed authentication bypass via a hardcoded key and related SOAP API weaknesses, with a CNA severity of 8.8 high. | High | SO023, SO021, SO022 |
| CO047 | Delinea’s security advisories page lists additional 2025-2026 CVEs affecting Secret Server and Cloud Suite, showing that vulnerability-management remains an active workload. | Medium | SO018 |
| CO048 | Delinea’s public advisory practice and FedRAMP effort show remediation and compliance progress, but recurring advisories keep product security squarely in diligence scope. | Medium | SO018, SO017, SO021, SO022 |
| CO049 | Exact current board composition, post-2021 ownership percentages, and any post-2021 valuation changes remain publicly underdisclosed despite IPO-registration signals. | Medium | SO024, SO025, SO026 |
| CO050 | Current Delinea materials claim the platform deploys in weeks rather than months and needs 90% fewer resources than the nearest competitor. | High | SO001, SO008, SO015 |
| CO051 | Taken together, the reviewed 2025-2026 sources support a PE-backed company with strong operating momentum but no newly disclosed post-2024 valuation benchmark. | Medium | SO015, SO016, SO025, SO028 |
| CM001 | Delinea’s current product surface presents the company as an identity-security platform for human, machine, and AI identities rather than a vault-only PAM vendor. | High | SM001, SM005, SM002 |
| CM002 | Delinea publicly claims 99.995% uptime, deployment in weeks rather than months, and 90% fewer resources to manage than the nearest competitor. | High | SM001, SM002 |
| CM003 | Delinea’s March 2026 AI-risk survey says 90% of organizations pressure security teams to loosen identity controls to enable AI initiatives. | High | SM003, SM006 |
| CM004 | The same Delinea survey says nearly 90% of organizations report at least one identity visibility gap, with the largest gaps around machine and other non-human identities. | Medium | SM003, SM006 |
| CM005 | Forty-two percent of surveyed organizations said AI expansion was a top factor increasing non-human identity risk in the prior 12 months. | Medium | SM003 |
| CM006 | Fifty-nine percent of respondents in Delinea’s AI-risk survey reported lacking viable alternatives to standing privileged access for non-human identities and AI agents. | Medium | SM003 |
| CM007 | Eighty percent of organizations in Delinea’s AI-risk survey said they cannot always explain why a non-human identity performed a privileged action. | Medium | SM003 |
| CM008 | Delinea’s 2023 workplace-authentication survey found that 68% of respondents do not think passwords are dead, with only 30% having started a passwordless transition and 36% still one to two years away. | Medium | SM004 |
| CM009 | Delinea’s passwordless survey said 43% of organizations were blocked by legacy platforms and apps that still require passwords or MFA, while 95% had to satisfy at least one compliance regime. | Medium | SM004 |
| CM010 | Nearly 60% of organizations in Delinea’s passwordless survey said they already use a PAM solution to manage workplace passwords and privileged workflows. | Medium | SM004 |
| CM011 | NIST SP 800-207 defines zero trust as removing implicit trust based on network location and requiring authentication and authorization before access to enterprise resources is established. | High | SM008, SM007 |
| CM012 | CISA’s Zero Trust Maturity Model organizes adoption around five pillars and three cross-cutting capabilities, making identity one of several interlocking budget and architecture domains. | High | SM007, SM008 |
| CM013 | CyberArk’s current positioning also frames identity security as protecting both human and machine identities, showing that the buyer conversation is broader than classic vaulting alone. | Medium | SM009, SM010 |
| CM014 | BeyondTrust’s PAM positioning emphasizes centralized control, session monitoring, privileged workflows, and hybrid or cloud integration, reinforcing that Delinea competes in a mature enterprise-control category. | Medium | SM011 |
| CM015 | Microsoft Entra ID is positioned as a hybrid-cloud identity and access management suite with built-in security, showing that some Delinea budgets overlap with broader IAM rather than pure PAM. | Medium | SM012 |
| CM016 | Okta positions workforce identity and identity governance around least-standing privilege, threat response, and lifecycle control, which confirms that Delinea buyers also evaluate adjacent governance platforms. | Medium | SM013, SM014 |
| CM017 | IBM’s PAM materials highlight centralized privileged access, session monitoring, and detailed audit logs, reinforcing that compliance and control — not only credential vaulting — drive PAM demand. | Medium | SM015 |
| CM018 | IBM’s machine-verification documentation shows that machine identity verification is now a distinct technical control area adjacent to workforce IAM and privileged access. | Medium | SM016 |
| CM019 | Verizon’s 2026 DBIR summary says the human element, stolen credentials, and exploited vulnerabilities remain common breach drivers, supporting continued identity-control spending. | Medium | SM017 |
| CM020 | MarketsandMarkets projects the global IAM market to grow from $25.96 billion in 2025 to $42.61 billion by 2030, a 10.4% CAGR. | Medium | SM018 |
| CM021 | MarketsandMarkets says privileged access management is the fastest-growing IAM technology segment and non-human IAM identities are growing faster than human identity segments. | Medium | SM018 |
| CM022 | The Business Research Company pegs IAM at $21.81 billion in 2025 and $25.23 billion in 2026, then $45.22 billion by 2030. | Medium | SM019 |
| CM023 | Research and Markets’ 2026 IAM report outline includes TAM analysis, supply-chain analysis, privileged access governance, and legal or regulatory factors, indicating a denominator broader than software-only PAM. | Medium | SM020 |
| CM024 | Identity Management Institute describes the IAM market as reaching more than $24 billion in 2025 with roughly 13% growth, while also highlighting remote work, cloud adoption, and regulation as core demand drivers. | Medium | SM022 |
| CM025 | ISMG’s 2025 IAM market guide cites a projected $61.7 billion IAM market by 2032 and highlights zero trust, passwordless, identity sprawl, and skills gaps as defining themes. | Medium | SM023 |
| CM026 | Grand View Research offers an IAM market page, but the fetched summary surface is mostly promotional and does not provide clean headline numbers in readable text, limiting its usefulness for precise modeling. | Low | SM021 |
| CM027 | Public IAM and identity-security estimates are directionally bullish but numerically inconsistent because publishers use different category boundaries, forecast years, and TAM methodologies. | Medium | SM018, SM019, SM022, SM023, SM020 |
| CM028 | The buyer set for Delinea-like projects typically spans security leadership, IAM architects, infrastructure or cloud teams, and compliance owners rather than a single end-user budget. | Medium | SM007, SM012, SM013, SM015 |
| CM029 | Operational users of the category include IT administrators, identity teams, developers, machine-identity owners, and auditors reviewing privileged activity. | Medium | SM001, SM009, SM014, SM016 |
| CM030 | BFSI, healthcare, government, manufacturing, and large IT environments appear repeatedly in IAM market segmentations and vendor positioning as priority verticals for privileged-access and governance spend. | Medium | SM019, SM018, SM015 |
| CM031 | Before buyers purchase a dedicated platform, they can rely on native directory controls, scattered password and MFA tools, manual audit processes, or broader IAM suites from Microsoft and Okta. | Medium | SM012, SM014, SM004, SM015 |
| CM032 | Across market and vendor sources, cloud adoption, hybrid environments, and remote access consistently expand IAM and PAM demand. | Medium | SM018, SM019, SM022, SM012 |
| CM033 | Zero trust is now a common demand driver across market summaries and official guidance, which favors vendors able to combine identity, authorization, and continuous control rather than static trust rules. | High | SM008, SM007, SM018, SM023 |
| CM034 | AI agents and machine identities are becoming meaningful growth adjacencies because both vendor materials and market research emphasize non-human identity governance, machine verification, and privileged AI actions. | Medium | SM003, SM010, SM018, SM016 |
| CM035 | Legacy systems and integration complexity remain live adoption constraints for IAM and passwordless programs, not just a historical issue. | Medium | SM004, SM022, SM023 |
| CM036 | Skills gaps and operational complexity still slow identity-modernization efforts, according to ISMG and Identity Management Institute market commentary. | Medium | SM022, SM023 |
| CM037 | Budget constraints remain a real IAM adoption brake even in a growing market, especially when organizations need to integrate new controls with legacy environments. | Medium | SM022, SM004 |
| CM038 | Gartner Peer Insights and PeerSpot both show that buyers still compare Delinea, CyberArk, and BeyondTrust directly in PAM procurement decisions. | Medium | SM024, SM025 |
| CM039 | Delinea’s and BeyondTrust’s Gartner-related pages reinforce that privileged access management remains a recognized, mature category with a concentrated peer set. | Medium | SM026, SM027 |
| CM040 | The cleanest market framing for Delinea is a layered identity-security wedge: narrower than total IAM, broader than classic vault-only PAM, and increasingly exposed to non-human identity and AI-governance budgets. | Medium | SM001, SM009, SM018, SM003 |
| CM041 | Public evidence is still too coarse to isolate a Delinea-specific SAM or SOM with high confidence because open sources do not break out paid mix across PAM, platform governance, AI identity, and adjacent workflows. | Medium | SM020, SM018, SM001, SM021 |
| CM042 | Delinea’s deployment-speed and resource-efficiency claims are useful go-to-market signals, but the reviewed public record did not produce a strong independent benchmark validating them. | Medium | SM002, SM024, SM025 |
| CM043 | The overall market setup is attractive for Delinea because demand drivers are real and the category is expanding, but adoption still depends on integration tolerance, governance maturity, and buyer willingness to fund one more control layer. | Medium | SM018, SM022, SM023, SM004 |
| CP001 | Delinea now presents itself as a platform for human, machine, and AI identity security rather than as a standalone secret vault product. | High | SP001, SP002 |
| CP002 | Delinea’s 2026 StrongDM acquisition shows that management sees runtime authorization and infrastructure access as strategically important adjacent territory. | Medium | SP003 |
| CP003 | Delinea’s Gartner resource shows the company still frames itself inside the recognized PAM leadership set rather than outside the category. | Medium | SP004 |
| CP004 | CyberArk remains a direct Delinea incumbent because it sells privileged-access management as a core enterprise control plane rather than as an adjacent feature. | Medium | SP008 |
| CP005 | BeyondTrust is also a direct Delinea incumbent because its PAM positioning centers on privileged access, session control, and enterprise platform breadth. | Medium | SP005, SP006 |
| CP006 | CyberArk’s PAM product surface is more explicitly vault-first and privileged-account-centric than Delinea’s newer platform narrative. | Medium | SP008, SP001 |
| CP007 | BeyondTrust markets itself as a broader platform, which means Delinea faces a direct comparison on whether its own platform story is sufficiently differentiated from another all-in-one PAM vendor. | Medium | SP006, SP005, SP001 |
| CP008 | Microsoft is a major bundle competitor because Entra ID and Defender for Identity sit inside many enterprise environments before Delinea is even considered. | High | SP013, SP012 |
| CP009 | Okta competes less as a direct PAM clone and more as a broader workforce-identity and governance suite that can absorb adjacent buying criteria. | Medium | SP015, SP016 |
| CP010 | SailPoint represents a governance-led competitive threat where buyers prioritize identity governance and lifecycle control over pure PAM depth. | Medium | SP014 |
| CP011 | CrowdStrike competes as an identity-security flank threat by extending endpoint distribution into identity protection and next-generation ITDR. | Medium | SP009 |
| CP012 | SentinelOne similarly competes from the endpoint and identity direction rather than from the traditional vault-first PAM direction. | Medium | SP010 |
| CP013 | Silverfort positions itself around unified identity security and agentless control, creating a different architectural flank than Delinea’s core PAM heritage. | Medium | SP018 |
| CP014 | Semperis Purple Knight shows that free or low-friction identity-assessment tools can shape buyer expectations before a full platform purchase. | Medium | SP011 |
| CP015 | Teleport competes from the infrastructure-access and zero-trust side, which makes it more relevant in engineering-led infrastructure workflows than in classic audit-led vault deals. | Medium | SP017 |
| CP016 | StrongDM competes from the runtime and infrastructure-access side rather than from the legacy PAM-vault center, which helps explain why Delinea chose to buy it. | Medium | SP021, SP003 |
| CP017 | 1Password’s enterprise positioning makes it an adjacent extended-access-management competitor focused on workforce and device access more than on traditional privileged-admin vaulting. | Medium | SP019, SP020 |
| CP018 | Saviynt represents a suite-style enterprise-identity competitor whose relevance rises when a buyer frames the project around governance and cloud identity more than around PAM depth. | Medium | SP022 |
| CP019 | The practical direct-peer set for Delinea in PAM remains concentrated around CyberArk and BeyondTrust even as the wider identity-security landscape expands. | Medium | SP008, SP005, SP023, SP024 |
| CP020 | Gartner Peer Insights and PeerSpot both keep Delinea visible in active PAM comparison surfaces, which suggests it still belongs on buyer shortlists. | Medium | SP023, SP024 |
| CP021 | QKS Group’s 2025 SPARK Matrix for PAM reinforces that the category is crowded enough that buyers can credibly force comparison on feature breadth and execution. | Medium | SP025 |
| CP022 | Solutions Review’s identity-security list shows that buyers increasingly evaluate Delinea inside a wider identity-security field rather than in a siloed PAM-only lane. | Medium | SP026 |
| CP023 | Among adjacent rivals, Microsoft has the strongest installed-base and bundling advantage because identity and identity-threat tooling are already embedded in many enterprise estates. | Medium | SP013, SP012, SP016 |
| CP024 | Endpoint vendors such as CrowdStrike and SentinelOne have a distribution edge in accounts that prefer to add identity controls to an existing endpoint relationship. | Medium | SP009, SP010 |
| CP025 | The runtime-authorization versus vault-centric distinction matters because engineering-led buyers may prioritize ephemeral infrastructure access over classical credential storage workflows. | Medium | SP021, SP017, SP008, SP003 |
| CP026 | Delinea looks stronger against point or narrow entrants when the buyer wants one platform spanning PAM, governance, and AI-identity control rather than a single engineering-access use case. | Medium | SP001, SP002, SP017, SP021 |
| CP027 | Delinea is weaker when a buyer already gets enough value from Microsoft or Okta bundles and does not need dedicated privileged-depth or runtime authorization. | Medium | SP013, SP012, SP015, SP016 |
| CP028 | Public pricing and packaging are not cleanly disclosed across most PAM incumbents, so outside buyers mostly infer pricing posture from contract model, bundling, and implementation scope rather than list prices. | Medium | SP002, SP008, SP005, SP015 |
| CP029 | Switching costs in PAM and identity-security platforms come primarily from policy design, privileged-account discovery, integrations, and audit process change rather than from commodity software installation alone. | Medium | SP001, SP008, SP005, SP013 |
| CP030 | Multi-homing is likely common because buyers can run Delinea alongside Microsoft identity tooling, endpoint ITDR, or adjacent infrastructure-access tools rather than replacing everything at once. | Medium | SP013, SP012, SP009, SP001 |
| CP031 | Analyst reports and review ecosystems matter because they shape shortlists and enterprise trust in a market where direct feature evaluation is costly and slow. | Medium | SP004, SP007, SP023, SP025 |
| CP032 | Analyst visibility and enterprise reputation act as trust proxies in PAM because buyers are selecting a control plane for sensitive access, not a disposable peripheral tool. | Medium | SP004, SP007, SP023 |
| CP033 | Public competitor materials do not show a single supplier choke point, but they do show dependence on integrations, ecosystem trust, and platform compatibility as meaningful competitive variables. | Medium | SP001, SP015, SP013, SP017 |
| CP034 | Bundle pressure from Microsoft and broader identity suites is a real moat-compression risk because some buyers can satisfy enough requirements without buying a dedicated PAM expansion. | Medium | SP013, SP016, SP014, SP023 |
| CP035 | Agentless identity-security and runtime-access entrants create genuine flank risk even if they are not full Delinea replacements, because they can win the first budget and narrow Delinea’s eventual wedge. | Medium | SP018, SP017, SP021, SP003 |
| CP036 | Delinea’s moat looks moderate rather than dominant: strong enough to remain in the enterprise PAM consideration set, but not so strong that bundle rivals or adjacent specialists can be dismissed. | Medium | SP001, SP008, SP005, SP013, SP021 |
| CP037 | Public sources do not provide reliable win-rate, displacement-rate, or price-to-value data across Delinea and its main rivals, which limits competitive-underwriting precision. | Medium | SP023, SP024, SP025 |
| CP038 | The competitive takeaway is that Delinea sits between direct PAM incumbents above it, broader identity suites beside it, and runtime or agentless entrants below and around it. | Medium | SP001, SP008, SP005, SP013, SP021, SP018 |
| CI001 | Delinea’s public product surface shows a multi-module selling model spanning platform bundles, server PAM, remote privileged access, business-application access control, and AI-driven authorization rather than a single-product vault motion. | High | SI001, SI002, SI010, SI011, SI012, SI013 |
| CI002 | The Delinea Platform bundles narrative implies that customers can land on one control plane and expand across adjacent modules, which is structurally supportive of upsell-led recurring revenue. | High | SI002, SI006, SI013 |
| CI003 | Server Suite is a separately merchandised Delinea SKU focused on just-in-time and just-enough privilege for Linux, Unix, and Windows servers. | Medium | SI010 |
| CI004 | Privileged Remote Access is a separately merchandised Delinea SKU focused on browser-based, VPN-less privileged access for remote admins and vendors. | Medium | SI011 |
| CI005 | Fastpath Access Control gives Delinea a monetizable governance and segregation-of-duties SKU beyond classical PAM. | Medium | SI012, SI006 |
| CI006 | Delinea’s AI-driven authorization positioning adds a newer authorization-oriented upsell layer to the platform story. | Medium | SI013 |
| CI007 | Delinea’s public product pages emphasize demos, trials, and contact-led conversion rather than publishing list prices, indicating a quote-led enterprise sales motion. | High | SI001, SI010, SI011, SI012 |
| CI008 | Open sources do not provide a reliable Delinea list-price, realized-price, or average-contract-value series that would support underwriting ASP directly. | Medium | SI001, SI023, SI024 |
| CI009 | Delinea’s 2024 partner program and 2026 Climb expansion both indicate that channel, reseller, and distributor routes are a material part of go-to-market rather than a minor adjunct. | High | SI007, SI008 |
| CI010 | The Delinea partner program explicitly offers financial incentives, marketing support, training, and tiered rewards, which implies spend on channel enablement as part of sales efficiency. | Medium | SI007 |
| CI011 | The 2026 Climb partnership expansion shows Delinea is still investing in EMEA distribution rather than treating Europe as a maintenance-only territory. | Medium | SI008 |
| CI012 | Recent leadership announcements show Delinea investing in global sales, channels, solution engineering, customer success, and services leadership to support growth execution. | Medium | SI003, SI007, SI005 |
| CI013 | Delinea disclosed that the legacy Thycotic business had grown to over $100 million in revenue by the time the combined company was scaling its go-to-market leadership in 2022. | Medium | SI004 |
| CI014 | Delinea said it had surpassed a $350 million ARR milestone as of Q2 2024. | Medium | SI003 |
| CI015 | Delinea said its ARR had surpassed $400 million by the first half of fiscal 2025. | Medium | SI005 |
| CI016 | Delinea’s August 2025 performance update said SaaS made up the majority of its ARR footprint. | Medium | SI005 |
| CI017 | Delinea’s CFO described the company as operating with healthy margins in the August 2025 performance update, but without publishing audited margin percentages. | Medium | SI005 |
| CI018 | Delinea’s August 2025 update said the first half closed with several record-breaking transactions, indicating enterprise-deal contribution to ARR growth. | Medium | SI005 |
| CI019 | Fastpath, Authomize, and later StrongDM show Delinea has been deploying capital into adjacent acquisitions instead of relying only on internal product expansion. | Medium | SI006, SI003, SI020 |
| CI020 | Delinea’s UK data-centre launch confirms a cloud-delivery footprint with regional data-residency and capacity commitments rather than a purely centralized hosting model. | Medium | SI009 |
| CI021 | Regional data centres and locally hosted Secret Server Cloud instances imply ongoing infrastructure, compliance, and support costs that scale with cloud adoption. | Medium | SI009, SI010 |
| CI022 | SecurityWeek reported that Delinea had to investigate a security incident, block affected SOAP endpoints, and ship patches after a failed disclosure process, underscoring trust and engineering-response cost risk. | Medium | SI014 |
| CI023 | CyberArk’s SEC filing shows that more than 90% of its 2023 revenue was recurring, illustrating the kind of recurring-revenue mix mature identity-security vendors target after subscription transition. | Medium | SI021 |
| CI024 | CyberArk disclosed 2023 ARR of $774 million and subscription revenue of $472.0 million, providing a public benchmark for scale and mix in a mature identity-security peer. | Medium | SI021 |
| CI025 | CyberArk disclosed total revenue of $751.9 million in 2023 after growing from $502.9 million in 2021 and $591.7 million in 2022. | Medium | SI021 |
| CI026 | CyberArk’s filing says subscription cost of revenue is driven primarily by customer-support personnel, cloud operations, cloud infrastructure, and amortization, which is a useful proxy for Delinea’s likely SaaS cost stack. | Medium | SI021 |
| CI027 | CyberArk’s filing says gross margin depends on revenue mix, cloud infrastructure cost, and personnel cost, underscoring why Delinea’s undisclosed margin cannot be inferred from ARR alone. | Medium | SI021 |
| CI028 | CyberArk’s filing says the shift to subscription contracts can reduce upfront multi-year cash collection and pressure near-term profitability even while improving long-term visibility. | Medium | SI021 |
| CI029 | Delinea’s quote-led platform selling, SaaS-majority ARR disclosure, and multi-module control surface together suggest revenue quality is likely recurring and subscription-heavy rather than transaction-led. | Medium | SI002, SI005, SI010, SI011 |
| CI030 | Public sources imply implementation, services, and customer-success activity, but they do not quantify professional-services revenue as a separate line item for Delinea. | Medium | SI005, SI003 |
| CI031 | Public ownership history shows Delinea has operated under private-equity sponsorship, which likely provides strategic financing support but also obscures cash balances and leverage from outside investors. | Medium | SI019, SI020, SI016 |
| CI032 | Public sources do not disclose Delinea’s cash balance, monthly burn, debt load, or explicit runway, so capital adequacy cannot be underwritten directly from open evidence. | Medium | SI005, SI016, SI017, SI018 |
| CI033 | Third-party company databases disagree materially on Delinea’s funding, valuation, founding date, and employee footprint, which makes those databases unsuitable as primary underwriting anchors. | Medium | SI015, SI016, SI017, SI018 |
| CI034 | Delinea’s own ARR milestones are more reliable than third-party database revenue or valuation snapshots because the databases are visibly inconsistent with one another. | Medium | SI015, SI003, SI005, SI017, SI018 |
| CI035 | Public review surfaces show buyers evaluate Delinea-like PAM products on implementation and pricing, but they do not publish enough detail to model discounting or sales efficiency precisely. | Medium | SI023, SI024 |
| CI036 | Okta’s public SEC-filings index illustrates how much richer benchmark disclosure is for public identity-software peers than for Delinea, highlighting the private-company information gap. | Medium | SI022 |
| CI037 | Recent disclosures imply Delinea is allocating capital not only to product R&D but also to cloud footprint, channel expansion, and customer-facing leadership capacity. | Medium | SI009, SI007, SI008, SI003, SI005 |
| CI038 | The most defensible public-only verdict is that Delinea has high-quality recurring revenue momentum and active growth investment, but margin path and capital adequacy remain only partially observable because cash, debt, CAC, NRR, and audited gross margin are undisclosed. | Medium | SI005, SI003, SI021, SI016, SI017 |
| CE001 | Delinea currently positions the Delinea Platform around end-to-end visibility, dynamic privilege, and adaptive security across multiple identity types. | High | SE001, SE016 |
| CE002 | Delinea’s current public surface spans platform bundles, identity threat protection, secret discovery and vaulting, server privilege, endpoint privilege, governance controls, remote access, and AI-driven authorization. | High | SE001, SE002, SE003, SE005, SE004, SE008 |
| CE003 | Identity Threat Protection is publicly described as continuously monitoring identities, access, and anomalous behavior, then recommending or automating remediation. | Medium | SE003 |
| CE004 | Identity Threat Protection publicly claims to visualize identity access pathways across SaaS, cloud, and traditional infrastructure and to integrate those insights into existing security operations signals. | Medium | SE003 |
| CE005 | Privilege Control for Servers is marketed as applying least privilege across Windows, Linux, and Unix environments. | Medium | SE004, SE001 |
| CE006 | Secret Server Discovery is publicly documented as finding local privileged accounts and Active Directory privileged accounts and importing them into Secret Server for management. | Medium | SE005 |
| CE007 | Secret Server Discovery is also documented as mapping service-account dependencies and related services so that credential rotation does not break downstream business processes. | Medium | SE005 |
| CE008 | Secret Server Discovery can be extended with PowerShell when out-of-the-box connectors are insufficient, indicating a scriptable discovery model rather than a closed wizard-only system. | Medium | SE005 |
| CE009 | Secret Server Discovery is publicly documented as scanning AWS, Google Cloud, and Microsoft-connected environments for privileged accounts and shadow administrators. | Medium | SE005 |
| CE010 | Secret Server’s privileged-session controls include proxying both RDP and SSH sessions through the vault for greater control and logging. | Medium | SE006 |
| CE011 | Secret Server publicly documents real-time session monitoring with the ability to message users or terminate risky sessions. | Medium | SE006 |
| CE012 | Secret Server publicly documents session recording, keystroke logging, activity heat maps, and searchable playback for audit review. | Medium | SE006 |
| CE013 | Secret Server’s session-management materials also reference Delinea Connection Manager for managing multiple RDP and SSH sessions in a unified interface. | Medium | SE006 |
| CE014 | Privilege Manager publicly documents integration with Active Directory for synchronizing domain objects and enforcing least-privilege policies against AD structures. | Medium | SE007 |
| CE015 | Privilege Manager publicly documents ServiceNow integration so support requests and responses can be managed and reported within the ticketing system. | Medium | SE007 |
| CE016 | Privilege Manager publicly documents working in tandem with Secret Server, including Secret Server as an authentication source and as a store for local credentials. | Medium | SE007 |
| CE017 | Privilege Manager publicly documents integrations with VirusTotal, Syslog or SIEM targets, SCCM, and other endpoint-management tooling. | Medium | SE007 |
| CE018 | Privilege Manager’s enterprise-readiness documentation says it exposes a public API for automating bulk and repeatable policy operations. | Medium | SE008 |
| CE019 | Privilege Manager publicly documents high availability, load balancing, and reverse-proxy deployment patterns for resilience and safer network exposure. | Medium | SE008 |
| CE020 | Privilege Manager publicly documents a mobile app for endpoint administration, approvals, and event alerts. | Medium | SE008 |
| CE021 | Delinea operates a public integrations marketplace, indicating that integration breadth is part of the platform value proposition rather than an undocumented side feature. | Medium | SE009, SE007 |
| CE022 | Delinea’s public Service Level Addendum commits the multi-tenant Delinea Platform to 99.995% monthly availability in the geographies where the service is offered. | Medium | SE010 |
| CE023 | The public SLA lists availability commitments across US, EU, UK, SEA, AU, CA, and UAE regions, reinforcing that Delinea is operating a regionalized platform footprint. | Medium | SE010 |
| CE024 | Delinea’s public SLA limits remedies to service credits or conversion to a substantially similar product offering, showing enterprise-grade commitments but bounded customer recourse. | Medium | SE010 |
| CE025 | Delinea says it is SOC 2 Type 2 recertified for six products: Secret Server Cloud, DevOps Secrets Vault, Privilege Manager Cloud, Privileged Behavior Analytics, Access Controller Suite, and Account Life Cycle Manager. | Medium | SE011 |
| CE026 | Delinea’s SOC 2 recertification article explicitly frames SOC 2 as a frequent deal requirement and competitive trust signal for customers. | Medium | SE011 |
| CE027 | Delinea said in May 2025 that it had initiated the FedRAMP High authorization process for Secret Server with UberEther as a deployment partner. | Medium | SE012 |
| CE028 | The FedRAMP announcement ties Secret Server to centralized vaulting, privileged-account discovery, automated provisioning and rotation, RBAC workflows, and session monitoring and recording. | Medium | SE012 |
| CE029 | Delinea maintains a public security-advisories surface, which suggests a visible vulnerability-communication process even though underlying engineering details are limited. | Medium | SE013 |
| CE030 | NVD lists CVE-2024-33891 as an authentication-bypass issue in Delinea Secret Server before version 11.7.000001 related to the SOAP API. | High | SE015, SE014 |
| CE031 | SecurityWeek reported that Delinea had to investigate a security incident, block affected SOAP endpoints, and ship patches after a failed disclosure process. | Medium | SE014 |
| CE032 | Delinea maintains a public GitHub repository devoted to platform tools, examples, and resources rather than limiting developers to closed support channels. | Medium | SE016 |
| CE033 | Delinea’s public Python SDK supports both Secret Server and Platform authentication and documents REST API usage for secret retrieval. | Medium | SE017 |
| CE034 | Delinea publishes a Terraform provider for DevOps Secrets Vault, showing infrastructure-as-code support rather than only console-driven workflows. | Medium | SE018 |
| CE035 | Delinea publishes a GitHub Action for DevOps Secrets Vault, exposing a direct CI/CD retrieval workflow for secrets. | Medium | SE019 |
| CE036 | Delinea publishes a CLI that converts platform network requirements into Terraform, Ansible, AWS security-group, and other infrastructure formats. | Medium | SE020 |
| CE037 | Across public GitHub repos, Delinea exposes examples, SDKs, CI integrations, Terraform support, and operational tooling, which is meaningful developer signal for a security vendor whose core product is not open source. | High | SE016, SE017, SE018, SE019, SE020 |
| CE038 | Delinea’s public platform materials and SLA language both support a cloud-native, multi-tenant delivery model for the Delinea Platform. | High | SE002, SE010 |
| CE039 | Delinea’s publicly documented emphasis on least privilege, session control, discovery, and identity context aligns closely with the identity pillar of CISA’s zero-trust maturity model. | Medium | SE026, SE004, SE006, SE003 |
| CE040 | Delinea’s documented workflows are designed to help administrators discover unknown privileged accounts, proxy and record high-risk sessions, and enforce least privilege without handing out raw credentials. | Medium | SE005, SE006, SE004 |
| CE041 | Public product materials show Delinea depends materially on external systems such as Active Directory, cloud providers, ticketing systems, and endpoint tooling to deliver its full workflow value. | Medium | SE007, SE005, SE010 |
| CE042 | Despite detailed feature pages, Delinea’s public materials do not deeply document the core platform’s internal service architecture, data stores, or processing topology. | Medium | SE001, SE002, SE016 |
| CE043 | Delinea’s public trust content summarizes certification and audit posture, but it does not publish underlying SOC 2 reports or the detailed FedRAMP package publicly. | Medium | SE011, SE012 |
| CE044 | Delinea publicly names many integrations, but the open web still gives only partial visibility into deployment effort, support boundaries, and configuration depth for each connector. | Medium | SE009, SE007 |
| CE045 | Relative to broader identity suites from Microsoft and Okta, Delinea’s public differentiation is deeper emphasis on privileged discovery, session control, vaulting, least privilege, and integrated remediation. | Medium | SE001, SE003, SE005, SE006, SE022, SE023 |
| CU001 | Delinea’s public customers page lays out a structured customer journey that starts before purchase and extends through deployment, ongoing use, expansion, and renewal. | Medium | SU001 |
| CU002 | Delinea says new customers receive support-portal access, documentation, community access, and e-learning resources at no additional cost during onboarding. | Medium | SU001 |
| CU003 | Delinea publicly describes introductions to Professional Services, Technical Account Managers, and Customer Success Managers as part of customer onboarding for appropriate accounts. | Medium | SU001 |
| CU004 | Delinea says a renewal representative may contact customers as early as 120 days before renewal, which is a visible signal of formal renewal management rather than purely reactive support. | Medium | SU001 |
| CU005 | The customers page advertises Secret Society, weekly office hours, a monthly customer newsletter, and quarterly roadmap updates, showing Delinea invests in post-sale community and enablement surfaces. | High | SU001, SU013 |
| CU006 | Delinea Edge, announced for 2027, is positioned as a customer conference focused on product, engineering, peer exchange, and hands-on identity-security practice, reinforcing a deliberate customer-education motion. | High | SU013, SU001 |
| CU007 | Delinea’s August 2025 performance update highlighted new leadership across global services and customer success, suggesting customer retention and expansion are active operating priorities. | Medium | SU016 |
| CU008 | As of the January 2025 Chris Kelly announcement, Delinea publicly anchored its customer footprint at more than 8,500 organizations worldwide, but that figure is a dated disclosure rather than a current live count. | Medium | SU015 |
| CU009 | Delinea’s 2022 brand-launch materials claimed customers included more than half of the Fortune 100, which supports large-enterprise penetration even though the company does not publish a current named roster. | Medium | SU017 |
| CU010 | Delinea maintains a visible public case-study library with named customer examples spanning utilities, telecom, mobility, media, travel, retail, housing, manufacturing, and technology workflows. | High | SU002, SU006, SU007, SU008, SU009, SU010, SU011, SU012, SU004, SU003, SU005 |
| CU011 | The most detailed public customer proof leans toward regulated, audit-heavy, or operationally critical environments rather than lightweight self-serve SMB deployments. | Medium | SU004, SU005, SU006, SU007, SU026 |
| CU012 | Robert Weed says it uses Secret Server to manage privileged credentials for nearly 200 systems and more than 100 workstations. | High | SU001, SU003 |
| CU013 | Robert Weed estimated that, after implementing Secret Server, password-management work takes about 10% of the prior time and effort. | High | SU001, SU003 |
| CU014 | Robert Weed planned to onboard managed-service and network-service providers into Secret Server with check-in, check-out, and rotation workflows, indicating post-deployment expansion rather than a one-and-done vault project. | Medium | SU003 |
| CU015 | Boyner deployed both Delinea Secret Server and Delinea Privileged Remote Access on the Delinea Platform, tying vaulting and third-party remote-access controls into one customer deployment. | High | SU001, SU004 |
| CU016 | Boyner’s case study frames the retailer as a six-brand organization with more than 250 department stores and more than 8,000 employees. | Medium | SU004 |
| CU017 | Boyner said Delinea reduced the time and cost associated with managing privileged accounts by more than 40 percent. | High | SU001, SU004 |
| CU018 | Boyner also said Delinea reduced the effort required to support compliance by 60 percent while improving audit readiness. | High | SU001, SU004 |
| CU019 | The Trade Desk used Fastpath to support segregation-of-duties and change-tracking controls around its Oracle Cloud ERP environment. | High | SU001, SU005 |
| CU020 | The Trade Desk case study cites more than 1,200 global users and over 100 accounting and finance users across three geographies on Fastpath-supported controls. | Medium | SU005 |
| CU021 | The Trade Desk said Fastpath helped supply audit and change-tracking reports Oracle could not provide natively, which is strong proof of fit for audit-driven finance teams. | Medium | SU005 |
| CU022 | TEPCO Systems implemented Secret Server as part of a shift toward zero trust and J-SOX-compliant privileged-access controls for systems supporting power operations. | Medium | SU006 |
| CU023 | TEPCO Systems reported a 40 percent reduction in privileged-ID management workload and 48 hours saved per audit after implementing Secret Server. | Medium | SU006 |
| CU024 | SBA Communications used Fastpath to improve segregation-of-duties analysis, password control, and change tracking for Microsoft Dynamics GP in a public-company SOX context. | Medium | SU007 |
| CU025 | SBA said Fastpath reduced the time required to generate meaningful compliance reports from days or weeks to hours and made audit reporting a continuous process. | Medium | SU007 |
| CU026 | PeerSpot reviewers consistently praise Delinea Secret Server for password rotation, session monitoring, access control, auditability, and overall stability. | Medium | SU018 |
| CU027 | PeerSpot reviewers also point to friction around API flexibility, reporting, setup complexity, integration, pricing, and some session-management details. | Medium | SU018 |
| CU028 | TrustRadius reviews emphasize secure vaulting, scheduled privileged access, audit trails, Active Directory integration, password rotation, and broad role-based control. | Medium | SU019 |
| CU029 | TrustRadius users also report clunky workflows, slower adoption for new users, weak mobile experience, manual onboarding effort, and integration limitations. | Medium | SU019 |
| CU030 | Across public review surfaces, Delinea appears strongest where buyers need secure vaulting, auditability, and approval workflows for privileged access. | High | SU018, SU019, SU026 |
| CU031 | Across public review surfaces, the main adoption drag appears to be implementation, reporting, and integration friction rather than disbelief in the underlying security use case. | High | SU018, SU019 |
| CU032 | Delinea’s public retention evidence is procedural rather than numerical: the company documents renewal workflows, training, support, community, newsletters, and customer events, but not NRR or churn. | High | SU001, SU013, SU016 |
| CU033 | No public Delinea source reviewed in this run disclosed NRR, GRR, logo churn, renewal rate, or contract length by segment. | Medium | SU001, SU016, SU015 |
| CU034 | No public source reviewed in this run disclosed top-customer ARR concentration, top-10 revenue share, or any equivalent customer concentration metric for Delinea. | Medium | SU001, SU016, SU015 |
| CU035 | Publicly named customer proof is much richer for enterprise and upper-midmarket environments than for small-business deployments, even though Delinea markets to organizations of all sizes. | Medium | SU017, SU003, SU004, SU005, SU006, SU007 |
| CU036 | Public customer stories show Delinea selling beyond a single core vault product into adjacent modules such as Privileged Remote Access and Fastpath compliance controls, which supports a land-and-expand motion. | Medium | SU004, SU005, SU007 |
| CU037 | The 2024 Secret Server disclosure controversy and resulting CVE create a plausible customer-trust and renewal risk, especially for regulated buyers who underwrite vendor response discipline. | High | SU024, SU025 |
| CU038 | The Trade Desk’s own public site confirms it is an omnichannel advertising platform, which corroborates Delinea’s public proof in a technology and digital-advertising buyer segment. | High | SU005, SU021 |
| CU039 | SBA Communications’ investor site corroborates that the customer is a public wireless-infrastructure operator, reinforcing Delinea’s public proof in regulated telecom and infrastructure environments. | High | SU007, SU022 |
| CU040 | Norwegian Cruise Line Holdings’ public site corroborates the travel-and-hospitality context visible in Delinea’s customer case-study library. | High | SU010, SU023 |
| CU041 | Although the open web offers little corporate detail on Boyner, its public storefront corroborates the retailer context presented in Delinea’s case study. | Medium | SU004, SU020 |
| CR001 | Delinea’s privacy policy says the company processes personal information across website interactions, community forums, events, support, professional services, billing, and cloud operations. | Medium | SR001 |
| CR002 | Delinea’s privacy policy explicitly contemplates sharing personal information with partner-program participants, CRM and marketing platforms, webinar providers, email platforms, hosting providers, and customer-success tooling. | Medium | SR001 |
| CR003 | Delinea’s privacy policy explicitly references GDPR and CCPA concepts, privacy rights, international transfers, and a processor role governed by the DPA for cloud services. | High | SR001, SR004 |
| CR004 | The European Commission describes GDPR as part of the EU’s binding data-protection framework and notes that cross-border transfers require safeguards such as adequacy decisions, SCCs, or BCRs. | Medium | SR024 |
| CR005 | California’s CCPA guidance says consumers have rights to know, delete, correct, limit sharing, and in some breach circumstances sue for statutory damages of up to $750 per incident. | Medium | SR025 |
| CR006 | Delinea’s website terms select California law and venue in Santa Clara County for site-related disputes. | Medium | SR002 |
| CR007 | Delinea’s website terms broadly disclaim warranties and consequential-damage liability for site materials and services, subject to applicable law. | Medium | SR002 |
| CR008 | Delinea’s MSLA provides one-, two-, or three-year initial terms, annual advance payment, and one-year renewal terms unless otherwise agreed. | Medium | SR003 |
| CR009 | The MSLA gives Delinea usage-reporting and audit rights for usage-based solutions and permits list-pricing true-ups for materially delinquent reporting. | Medium | SR003 |
| CR010 | The MSLA says purchases through authorized channel partners are managed commercially through those partners even while Delinea governs product use, adding channel-process complexity to customer relationships. | High | SR003, SR012 |
| CR011 | Delinea’s DPA says its cloud services operate in a multitenant architecture with customer data kept logically and/or physically separated from other customers. | Medium | SR004 |
| CR012 | Delinea’s DPA explicitly describes a shared-responsibility model in which cloud providers secure infrastructure, Delinea secures the application portfolio, and customers remain responsible for operating the services within their own policies. | High | SR004, SR028, SR029 |
| CR013 | The DPA says Delinea uses both AWS and Microsoft Azure to host cloud services and their associated customer data. | Medium | SR004 |
| CR014 | Delinea says its cloud-service security measures are subject to annual ISO 27001 and SOC 2 assessments and annual third-party penetration testing. | High | SR004, SR020 |
| CR015 | The DPA says Delinea will not use customer data to train or improve AI models without prior written agreement from the customer. | Medium | SR004 |
| CR016 | Delinea’s trust center lists CVE-2026-2409, an SQL injection issue in Cloud Suite with a CVSS v4 score of 9.3. | Medium | SR005 |
| CR017 | Delinea’s trust center also lists Cloud Suite and Privileged Access Service vulnerabilities from 2025, including request-smuggling and SQL-injection issues. | Medium | SR005 |
| CR018 | Delinea’s trust center says Secret Server on-premises customers remain responsible for protecting the application server and underlying environment, and warns that admin-level host control can expose both database data and the encryption key. | Medium | SR005 |
| CR019 | SecurityWeek reported that Delinea had to scramble to patch a critical Secret Server flaw after a failed responsible-disclosure attempt. | Medium | SR021 |
| CR020 | NVD documents CVE-2024-33891 as an authentication-bypass issue in Delinea Secret Server before version 11.7.000001 related to the SOAP API. | Medium | SR022 |
| CR021 | Taken together, the trust-center CVEs, the 2024 NVD record, and SecurityWeek’s reporting establish product-security and disclosure-process risk as a real, not hypothetical, operating concern for Delinea. | High | SR005, SR022, SR021 |
| CR022 | Delinea’s status center shows emergency maintenance in May 2026 to rotate TLS certificates on connector relay infrastructure that could briefly disrupt Active Directory authentication and MFA for endpoint agents. | Medium | SR006 |
| CR023 | The status center shows an EU-region Secret Server Cloud incident in May 2026 where some users could not launch secrets because of an outage affecting a cloud infrastructure service used by Delinea. | Medium | SR006 |
| CR024 | The status center also reports May 2026 US login timeout errors caused by a disruption at an upstream network-provider datacenter. | Medium | SR006 |
| CR025 | Delinea’s own status history shows that even with strong uptime claims, customers still face emergency maintenance, degraded performance, and upstream-cloud or network incidents. | High | SR006, SR019 |
| CR026 | Delinea’s UK data-centre launch shows active investment in regional hosting to mitigate latency and data-residency concerns for customers with local regulatory requirements. | Medium | SR014 |
| CR027 | Delinea started the FedRAMP High process in May 2025 and reached Under Assessment in September 2025, but the public sources reviewed do not show a completed authorization. | High | SR007, SR008 |
| CR028 | Both FedRAMP announcements position UberEther as Delinea’s deployment partner, making the public-sector motion at least partially dependent on partner execution. | High | SR007, SR008, SR027 |
| CR029 | CISA’s Zero Trust Maturity Model and Delinea’s own zero-trust materials both emphasize explicit verification, least privilege, and just-in-time access, showing that Delinea’s product direction is aligned with an active federal control paradigm. | High | SR023, SR009 |
| CR030 | Delinea’s 2024 partner program introduced tiering, incentives, enablement, and support across resellers, GSIs, and MSPs, indicating that channels are a material GTM dependency rather than a side route. | Medium | SR012 |
| CR031 | The 2026 Climb expansion into the UK, Ireland, and DACH extends Delinea’s distributor-led reach and increases dependence on external channel execution in Europe. | High | SR013, SR026 |
| CR032 | The Fastpath acquisition broadened Delinea into identity governance, segregation-of-duties, and audit-control workflows after regulatory review. | High | SR011, SR015, SR016 |
| CR033 | The StrongDM acquisition broadens Delinea into runtime authorization across databases, containers, CI/CD pipelines, and AI-driven environments, with transaction terms undisclosed. | Medium | SR010 |
| CR034 | Back-to-back platform-expanding acquisitions raise integration, roadmap, and go-to-market complexity even if the strategic logic is sound. | High | SR011, SR010, SR018 |
| CR035 | Delinea’s GTM leadership has transitioned from James Legg to Rick Hanson and then to Chris Kelly across the post-merger growth period. | High | SR030, SR017 |
| CR036 | The company’s 2025 releases show continuing additions in channels, services, and customer-success leadership, which is positive for scale but also evidence of organizational change load. | High | SR017, SR018, SR012 |
| CR037 | Despite public ARR claims above $400 million, Delinea still does not publish audited public filings with debt, cash, burn, NRR, or detailed risk-factor disclosure. | Medium | SR018, SR017 |
| CR038 | CyberArk’s SEC filing illustrates how much richer public cyber-vendor disclosure can be on recurring revenue, cost drivers, and risk factors than Delinea’s private-company narrative. | Medium | SR031, SR018 |
| CR039 | The DPA’s cloud-hosting architecture and CyberArk’s public filing both support the idea that cloud infrastructure, support, and compliance operations are meaningful cost and risk drivers in identity-security SaaS. | High | SR004, SR031, SR006 |
| CR040 | Fastpath Access Control and Access Review are explicitly positioned to analyze segregation-of-duties conflicts, certify access, automate follow-up, and produce auditor-facing evidence. | High | SR015, SR016 |
| CR041 | Delinea’s trust center includes active monitoring notes about heightened cyber-threat conditions in the Middle East and possible indirect impact through third-party cloud infrastructure providers. | Medium | SR005 |
| CR042 | Delinea’s SLA and status surfaces show a broad regional footprint and formal uptime commitments, but also clarify that maintenance windows, emergency work, and bounded remedies remain part of the operating reality. | High | SR019, SR006 |
| CR043 | Although partners matter materially, Delinea’s channel model is not visibly tied to a single reseller because the public program spans multiple partner types and the Climb expansion is presented as an extension, not the only route. | High | SR012, SR013, SR026 |
| CR044 | The public sources reviewed for this run did not surface privacy-enforcement actions, lawsuits, or equivalent legal proceedings against Delinea, leaving legal-exposure assessment incomplete rather than cleanly low-risk. | Medium | SR001, SR002, SR025, SR024 |
| CR045 | Public sources show public-sector ambition through FedRAMP, but do not disclose public-sector revenue share or dependence on government bookings. | Medium | SR007, SR008, SR018 |
| CR046 | The public record reviewed in this run does not disclose top-customer concentration or revenue dependency on any single customer or cohort. | Medium | SR018, SR017 |
| CR047 | The most important thesis-break cluster visible from public evidence is security and reliability failure propagating into customer trust, renewal friction, support costs, and delayed public-sector expansion. | High | SR005, SR006, SR021, SR008 |
| CV001 | Delinea said in August 2025 that ARR had surpassed $400 million, that SaaS remained the majority of ARR, and that the company was operating with healthy margins. | Medium | SV001 |
| CV002 | Crunchbase lists Delinea as acquired by TPG for $1.4 billion on March 2, 2021, which is the clearest public transaction-value benchmark in the current source set. | Medium | SV002 |
| CV003 | Mergr separately frames the 2021 Delinea transaction as a secondary buyout from Thoma Bravo and Golub Capital, reinforcing sponsor ownership continuity rather than a new venture-style funding round. | Medium | SV003 |
| CV004 | None of the reviewed public sources provides a new post-2021 valuation mark, financing price, or IPO range for Delinea. | Medium | SV001, SV002, SV003 |
| CV005 | Third-party market-data providers materially disagree on Delinea’s profile: GetLatka reports $132.4 million revenue and a $397.3 million valuation, which conflicts with Delinea’s own >$400 million ARR claim and the sponsor-backed transaction history visible in Crunchbase and Mergr. | Medium | SV004, SV001, SV002, SV003 |
| CV006 | CyberArk’s May 2026 market cap of about $20.63 billion and TTM revenue of about $1.30 billion imply an approximately 15.9x revenue multiple. | Medium | SV005, SV006 |
| CV007 | Okta’s May 2026 market cap of about $15.10 billion and TTM revenue of about $2.91 billion imply an approximately 5.2x revenue multiple. | Medium | SV008, SV009 |
| CV008 | SailPoint’s May 2026 market cap of about $8.29 billion and TTM revenue of about $1.07 billion imply an approximately 7.7x revenue multiple. | Medium | SV011, SV012 |
| CV009 | Multiples.vc’s May 2026 sector data shows public cybersecurity software around 13.8x revenue and governance, risk, and compliance software around 9.3x revenue. | Medium | SV013 |
| CV010 | Taken together, the reviewed public comp set places relevant identity and security software in roughly a 5x to 16x revenue band in May 2026, with the lower end closer to Okta-scale identity-platform pricing and the upper end closer to CyberArk-grade security multiples. | Medium | SV005, SV006, SV008, SV009, SV011, SV012, SV013 |
| CV011 | Applying that roughly 5x to 16x peer band to Delinea’s publicly claimed >$400 million ARR implies a broad scenario range of about $2.0 billion to $6.4 billion before debt, cash, and sponsor-structure adjustments. | Low | SV001, SV005, SV006, SV008, SV009, SV011, SV012, SV013 |
| CV012 | A more disciplined base underwriting band of roughly 7x to 10x ARR would imply about $2.8 billion to $4.0 billion for Delinea if retention, gross margin, and disclosure quality prove closer to mid-tier public identity peers than to the best-in-class CyberArk case. | Low | SV001, SV008, SV009, SV011, SV012, SV013 |
| CV013 | Public peers disclose materially more detail than Delinea: CyberArk’s 2025 results include revenue, ARR, subscription mix, and cash, while Okta’s annual report represents the standardized public-company disclosure package absent from Delinea’s record. | Medium | SV007, SV010 |
| CV014 | CyberArk disclosed full-year 2025 revenue of $1.361 billion, subscription ARR of $1.267 billion, and cash plus marketable securities of $2.095 billion, illustrating the precision public investors receive from a listed identity-security peer. | Medium | SV007 |
| CV015 | Sponsor ownership likely lowers immediate external-financing risk for Delinea relative to an unfunded startup, but it leaves leverage, dividend recap potential, and preference or waterfall economics largely opaque in public sources. | Medium | SV002, SV003 |
| CV016 | Because current entry price, leverage, and preference-stack economics are not public, the open-web record does not support a price-sensitive buy recommendation even though the business appears strategically credible. | Medium | SV001, SV002, SV003, SV004 |
| CV017 | A constructive Delinea thesis is still visible in public sources: ARR scale above $400 million, SaaS-majority mix, sponsor backing, and a relevant public comp set that values identity/security software materially above generic SaaS averages. | Medium | SV001, SV002, SV005, SV006, SV013 |
| CV018 | The anti-thesis is primarily valuation opacity rather than category weakness: Delinea lacks a current public mark, third-party databases conflict, and the real multiple could compress sharply if NRR, gross margin, or leverage prove worse than peer assumptions. | Medium | SV004, SV001, SV008, SV009, SV011, SV012 |
| CV019 | Bull, base, and bear scenarios are directionally useful for Delinea, but precise probability weighting cannot be supported from public data alone because retention, margin, debt, and exit-timing inputs remain undisclosed. | Medium | SV001, SV010, SV007 |
| CV020 | The most defensible public-only call is Track rather than Buy: the company appears worth monitoring for an IPO, sponsor exit, or new financing, but valuation cannot be underwritten cleanly without management-grade financial and capital-structure data. | Medium | SV001, SV007, SV010, SV013 |
| CV021 | The Delinea thesis would weaken materially if diligence showed NRR below 100%, gross margin structurally below public identity peers, heavy debt or preference overhang, or a new financing/IPO price above about 12x ARR without substantially better disclosure. | Medium | SV008, SV009, SV011, SV012, SV005, SV006, SV013 |
| CV022 | The highest-value diligence asks are the current valuation mark, cap table and debt stack, audited ARR/NRR/gross-margin bridge, concentration and cohort retention data, and evidence of exit-process readiness. | Medium | SV002, SV003, SV010, SV007 |
| CV023 | PitchBook’s public preview continues to frame Delinea as a private-equity-backed company and references IPO-style status rather than a fresh priced round. | Medium | SV014 |
| CV024 | Tracxn adds another conflicting market-data layer, reinforcing that third-party profile databases are not reliable valuation anchors for Delinea by themselves. | Medium | SV015, SV004, SV002 |
| CV025 | SecurityWeek reported a failed responsible-disclosure episode around a critical Secret Server flaw, which is the kind of trust event that can justify a valuation discount in security software. | Medium | SV016 |
| CV026 | NVD documented CVE-2024-33891 as an authentication-bypass issue in Secret Server, reinforcing that the 2024 incident was not merely a media artifact. | Medium | SV017 |
| CV027 | Delinea’s trust center publicly lists security advisories and vulnerability notices, showing that product-security maintenance is an ongoing cost and diligence topic. | Medium | SV018 |
| CV028 | Delinea’s status center shows incidents and maintenance events, confirming that operational reliability should be treated as a valuation input rather than an assumed constant. | Medium | SV019 |
| CV029 | Delinea’s global partner program indicates an explicit channel and distribution strategy that could support valuation if it scales efficiently, but it also adds execution dependence on partners. | Medium | SV020 |
| CV030 | The StrongDM acquisition broadens Delinea’s authorization and infrastructure-access scope, which can support a broader platform valuation story if integration succeeds. | Medium | SV021 |
| CV031 | The Fastpath acquisition broadened Delinea into governance and access-review workflows, supporting a more diversified identity-security platform narrative. | Medium | SV022 |
| CV032 | Delinea’s FedRAMP motion was still under assessment rather than authorized, so public-sector upside should be treated as optionality rather than fully banked valuation support. | Medium | SV023 |
| CV033 | CISA’s zero-trust guidance reinforces the strategic relevance of least privilege and identity control, helping explain why the category can sustain premium valuation multiples. | Medium | SV024 |
| CV034 | European data-protection requirements increase compliance burden for identity vendors even while supporting demand for stronger access governance. | Medium | SV025 |
| CV035 | California privacy rules create additional rights and potential exposure that identity vendors must manage, adding compliance burden alongside category demand. | Medium | SV026 |
| CV036 | Thoma Bravo’s 2022 rebrand announcement confirms that Delinea emerged as the combined, sponsor-backed platform identity after the earlier consolidation period. | Medium | SV027 |
| CV037 | CyberArk’s SEC filing archive provides a public filing benchmark with formal risk-factor and disclosure depth that private Delinea does not yet match. | Medium | SV028 |
| CV038 | Okta maintains an investor-facing SEC filings index, illustrating the recurring disclosure cadence public peers provide to outside investors. | Medium | SV029 |
| CV039 | Delinea’s 2025 GTM leadership hire shows the company is still investing in sales, channels, and customer-success capacity rather than operating as a static asset. | Medium | SV030 |
| CV040 | Any future positive Delinea recommendation would still need to be highly price-sensitive because security-response risk, operational incidents, and sponsor opacity are all still part of the story. | Medium | SV016, SV017, SV019, SV002, SV003 |