Overview
At Applied IAM, we treat identity as the control plane for modern security. As a CyberArk Engineer, you'll own hands-on delivery work across on-premises Privileged Access Management implementations, helping clients reduce risk by securing, rotating, and monitoring privileged credentials at scale. You'll work directly with enterprise stakeholders to onboard accounts, harden PAM configurations, and build automation that makes privileged access both secure and operationally sustainable.
Core Responsibilities
- Administer and maintain core CyberArk on-premises components including the Digital Vault, CPM, PSM, PVWA, and CCP across client environments, ensuring availability, performance, and security alignment
- Lead service account and privileged account onboarding efforts, including bulk imports via REST API and PACLI, safe structure design, platform assignments, and least-privilege permission modeling
- Configure and customize CPM platforms and plugins for automated credential rotation across Windows, Unix/Linux, database, and application service accounts, and troubleshoot rotation failures end to end
- Deploy and manage PSM and PSMP components for session isolation and recording, configure connection components for RDP and SSH targets, and resolve session launch and connector issues
- Install and maintain the Central Credential Provider (CCP) and Credential Provider (CP/AIM) for application-to-application credential management, including AppID configuration, certificate authentication, and IIS-level troubleshooting
- Manage PVWA administration including platform policies, safe configurations, user provisioning, LDAP/LDAPS directory mappings, and authentication method configurations (SAML, RADIUS, PKI)
- Build and maintain PowerShell and Python automation scripts for account onboarding, compliance reporting, and operational workflows to reduce manual effort across large-scale deployments
- Generate and maintain privileged access compliance reports tracking rotation status, safe membership, and session activity to support SOX, PCI-DSS, and NIST audit requirements
- Enrich operational workflows by integrating CyberArk telemetry with SIEM platforms via syslog and contribute to detection tuning for privileged access abuse, service account misuse, and anomalous vault activity
- Support Vault upgrade and patching cycles across all on-premises components following CyberArk's recommended sequencing, and validate system integrity pre- and post-upgrade
- Contribute to internal runbooks, platform documentation, and knowledge base articles so that common PAM tasks and response procedures are consistent and repeatable across the team
Minimum Qualifications
- 3 to 5 years of hands-on experience with CyberArk PAM in on-premises enterprise environments
- Demonstrated proficiency across core CyberArk components: Vault, CPM, PSM, PVWA, CCP, and CP/AIM
- Strong fundamentals in Windows Server administration, Active Directory, LDAP/LDAPS, and network basics (DNS, TCP/IP, firewall rules)
- Experience with CyberArk REST API and PACLI for safe and account management at scale
- Proficiency in PowerShell for automation, reporting, and system integration tasks
- Working knowledge of IIS administration for PVWA and CCP web tier configurations
- Solid understanding of SSL/TLS certificate management and PKI concepts as they apply to CyberArk component communications
- Clear written communication and comfort working in a client-facing, team-oriented delivery environment
- Authorization to work in the United States
Preferred Qualifications
- CyberArk Defender or Sentry certification
- Experience with CPM plugin development using INI-based frameworks for non-standard or legacy platforms
- Familiarity with PSM for Web and HTML5 gateway configurations
- Python scripting experience for automation, account categorization, and data enrichment workflows
- Exposure to DR Vault configuration, PrivateArk replication, and high availability design
- Understanding of common privileged access attack paths (credential stuffing, pass-the-hash, privilege escalation, service account abuse) and where CyberArk controls intersect with detection
- Experience integrating CyberArk syslog feeds with SIEM platforms such as Splunk, QRadar, or Microsoft Sentinel
- Familiarity with Git/GitHub for script versioning and team collaboration
- Prior consulting or managed services background supporting multiple concurrent client environments
What You’ll Get
- High-impact client work centered on privileged access management and credential security
- Hands-on ownership of CyberArk implementations across enterprise environments
- Remote/hybrid flexibility depending on client needs and project phase
- Professional growth through certifications, training, and exposure to modern PAM ecosystems
- A collaborative team that values clean implementations, documentation, and operational excellence
- Competitive compensation aligned to the role and location