CyberArk Conjur: Pricing, Limitations & Top Alternatives (2026)

If you're evaluating CyberArk Conjur, you've probably already discovered two things: it's one of the most established names in enterprise secrets management, and finding a price for it is nearly impossible without talking to sales.

Both of those things are true, and both matter. Conjur is a serious, battle-tested tool that large enterprises rely on to secure non-human identities at scale. It is also, for many teams, more machinery than they need — with a procurement process and operational footprint to match.

This guide explains what CyberArk Conjur actually is in 2026 (including the open source vs commercial split, which confuses almost everyone), how its pricing works, where it falls short, and which alternatives make sense depending on your team's size and requirements. We'll be upfront: we build EnvManager, one of the alternatives listed below. We'll tell you honestly when Conjur is the right call — because for some organizations, it genuinely is.

What Is CyberArk Conjur?

Conjur is a secrets management platform built to "securely authenticate, control and audit non-human access across tools, applications, containers and cloud environments." In plain terms: it stores credentials that machines use — database passwords, API keys, certificates — and controls which applications, containers, and CI/CD jobs can retrieve them.

Conjur was acquired by CyberArk in 2017 and folded into its Privileged Access Management (PAM) ecosystem. As of February 2026, CyberArk itself is part of Palo Alto Networks, following the completed ~$25 billion acquisition. That deal underscores what Conjur is today: a component of a very large enterprise security platform, not a standalone developer tool.

If you're new to this category, our primer on what secrets management is covers the fundamentals before you dive into vendor comparisons.

Conjur Open Source vs. CyberArk's Commercial Editions

This is where most confusion lives, partly because CyberArk has renamed things over the years. The current lineup:

• Conjur Open Source — The free, self-hosted version, available on GitHub. The server is licensed under LGPL v3.0 (API clients under Apache 2.0), written primarily in Ruby, and still actively maintained — v1.24.0 shipped in November 2025. It gives you the core: a YAML policy language for defining roles and permissions, a REST API for secrets storage and retrieval, and authenticators for Kubernetes, AWS, Jenkins, Ansible, and other platforms.
• CyberArk Secrets Manager, Self-Hosted — Formerly called Conjur Secrets Manager Enterprise. The commercial self-hosted edition, adding "distributed, high-availability architecture," certified integrations, vendor support, and connectivity to the broader CyberArk PAM platform.
• CyberArk Secrets Manager, SaaS — The cloud-hosted commercial edition with a managed backend and richer UI.
• Secrets Hub — A newer CyberArk product that centrally manages secrets that live in AWS Secrets Manager and Azure Key Vault, for organizations dealing with vault sprawl.

The practical takeaway: Conjur Open Source is real and free, but it's the entry point, not the full product. High availability, disaster recovery, vendor support, and deep CyberArk PAM integration live in the paid editions. CyberArk's own documentation describes a migration path from open source to the commercial Secrets Manager — that's the intended journey.

What Conjur Is Genuinely Good At

An honest assessment has to start with Conjur's strengths:

• Machine identity at enterprise scale. Conjur's authenticators verify workload identity using native platform attributes (Kubernetes service accounts, AWS IAM roles, etc.) rather than passing around API keys. For thousands of ephemeral workloads, this is the right architecture.
• Policy as code. Access control is defined in declarative YAML policy files that can be version-controlled and reviewed — a genuinely good pattern for compliance-heavy environments.
• PAM integration. If your organization already runs CyberArk for privileged access management, Secrets Manager extends those controls, rotation policies, and audit trails to application secrets. No other tool integrates with the CyberArk ecosystem as deeply, for obvious reasons.
• Compliance and audit. Tamper-resistant audit records, policy-based rotation, and segregation of duties map cleanly onto frameworks like PCI DSS, SOC 2, and ISO 27001.

If you're a bank with 40,000 employees and an existing CyberArk deployment, Conjur-based Secrets Manager is a defensible, often correct choice.

CyberArk Conjur Pricing: What to Expect

Here's the part most pricing articles dance around, so let's be direct: CyberArk does not publish list pricing for its Secrets Manager products. There is no pricing page with tiers and dollar amounts. Every commercial deployment is quote-based, negotiated through CyberArk's sales team or channel partners.

You'll find third-party blogs quoting specific per-identity dollar figures. Treat those numbers with skepticism — they're estimates from outside the company, they vary widely between sources, and enterprise discounting means no two contracts look alike. We're not going to repeat numbers we can't verify.

What we can tell you is what drives the quote:

1. Number of non-human identities. CyberArk's licensing scales primarily with the workloads that consume secrets — applications, containers, service accounts, CI/CD jobs. In a Kubernetes-heavy environment, this count grows fast.
2. Edition and deployment model. SaaS vs Self-Hosted, and whether you're buying Secrets Manager standalone or as part of a broader CyberArk Identity Security platform agreement.
3. Bundled modules. Credential Providers, Secrets Hub, and PAM components are often packaged together, which changes the math considerably.
4. Contract length and support tier. Multi-year commitments and premium support affect the rate.
5. Professional services. This is the cost that surprises teams. Conjur deployments at enterprise scale frequently involve implementation services, and self-hosted editions carry real ongoing infrastructure and operations costs on top of licensing.

Budget reality check: CyberArk sells to enterprises, and its pricing reflects enterprise procurement. If your team is 5–50 engineers and you're hoping to put secrets management on a credit card this week, this is probably not your product — and CyberArk would likely agree.

Conjur Open Source is the exception: it's free. But "free license" isn't "free to run" — you're taking on deployment, scaling, upgrades, and on-call for a Ruby-based service with no vendor support and no built-in HA. Our breakdown of self-hosted secrets managers goes deeper on that total-cost-of-ownership question.

CyberArk Conjur Limitations

No tool is wrong in the abstract — it's wrong for a context. Here's where Conjur creates friction:

1. Operational complexity

Conjur is infrastructure. You define access through YAML policy files loaded via CLI or API, manage authenticator configuration per platform, and (for self-hosted editions) operate the cluster yourself. The policy-as-code model is powerful, but the learning curve is steep, and day-to-day tasks that take two clicks in lighter tools require policy changes in Conjur.

2. Opaque, enterprise-scale cost

Quote-based pricing means weeks of sales conversations before you know what you'll pay, and identity-based licensing means costs grow with your container count. For organizations without a procurement department, the buying process alone is a blocker.

3. Open source feature gaps

Conjur OSS lacks the high-availability architecture, disaster recovery tooling, certified integrations, and support that the commercial editions provide. It's a credible way to evaluate the technology, but running it as your production secrets backbone means accepting those gaps or building around them yourself.

4. Developer experience is not the priority

Conjur was designed for security teams securing machine identities, not for developers managing DATABASE_URL across dev, staging, and production. There's no concept of environment-variable workflows, no .env-style sync for local development, and the UI (in editions that have one) is administrative rather than developer-facing. Teams often end up building glue scripts for everyday tasks.

5. Overkill for small and mid-sized teams

This is the honest core of it. Conjur solves problems — rotation across thousands of workloads, PAM-grade segregation of duties, regulator-ready audit — that most 10-person engineering teams don't have yet. Adopting it early means paying enterprise complexity costs for capabilities you won't use.

Who should still choose Conjur: large enterprises with dedicated security teams, existing CyberArk (now Palo Alto Networks) investments, heavy compliance requirements, and thousands of non-human identities. In that context, the complexity is the point.

Top CyberArk Conjur Alternatives in 2026

HashiCorp Vault

The most common Conjur comparison. Vault offers dynamic secrets, an extensive secrets-engine ecosystem, and enormous flexibility — with operational complexity in the same league as Conjur. Note the 2026 landscape: Vault moved to the Business Source License in 2023 (the community fork OpenBao continues under open governance), and HashiCorp is now part of IBM. Best for: platform teams with the capacity to run serious infrastructure. We've written a detailed HashiCorp Vault vs EnvManager comparison if you're weighing that path.

Akeyless

A SaaS-delivered secrets management platform pitched directly at Vault and Conjur replacements, using its Distributed Fragments Cryptography approach so the vendor never holds complete keys. Enterprise-oriented with quote-based pricing — you're trading self-hosted control for operational simplicity at a similar market tier. Best for: enterprises that need Conjur-class capabilities but don't want to operate the cluster.

Doppler

A developer-first SaaS for secrets and app configuration with strong CLI tooling and many platform integrations. Closed source and cloud-only, with per-seat pricing that scales with team size. Best for: product teams that want a polished, low-ops experience and are comfortable with a SaaS-only model.

Infisical

An open-source secrets management platform with a permissively licensed core you can self-host, plus a managed cloud and paid enterprise tiers. Modern developer experience, secret scanning, and Kubernetes tooling. Best for: teams with an open-source-first policy who may eventually want enterprise features on the same platform.

AWS Secrets Manager

If everything you run lives in AWS, the native option is hard to beat on simplicity: published pay-as-you-go pricing at $0.40 per secret per month plus $0.05 per 10,000 API calls, IAM-native access control, and built-in rotation for RDS. The trade-offs: AWS-only, per-secret costs add up across many environments, and the developer workflow (local dev, multi-environment sync) is bare-bones. Best for: AWS-centric stacks with modest cross-platform needs.

EnvManager

Our tool, so judge this entry accordingly. EnvManager is built for the problem most smaller dev teams actually have: managing environment variables and secrets across dev, staging, and production without spreading .env files around. It offers client-side AES-256-GCM encryption, role-based access control with project- and environment-level roles, audit logs, approval workflows for production changes, a CLI with real-time sync, and integrations with GitHub Actions, Vercel, Railway, Render, Dokploy, and Coolify. Pricing is public and flat: a 14-day free trial, then $9/month with no per-seat fees; self-hosted deployment is available on the Enterprise plan.

To be equally clear about what EnvManager is not: it doesn't do dynamic database credentials, PAM integration, or machine-identity management at Conjur's scale. If you need those, look at Conjur, Vault, or Akeyless. Best for: small-to-mid-sized dev teams that want strong security fundamentals and a fast workflow without enterprise procurement or a dedicated ops burden.

How to Choose

Three questions cut through most of the noise:

1. What are you actually securing? Thousands of machine identities with rotation and compliance mandates → Conjur, Vault, or Akeyless. Application config and secrets across a handful of environments → a developer-focused tool (Doppler, Infisical, EnvManager) will get you secure faster.
2. Who operates it? Self-hosted Conjur OSS or Vault assumes a team that owns uptime, upgrades, and incident response for the secrets layer. No such team? Choose managed, or choose something with a small operational footprint.
3. What does the all-in cost look like? Compare license + infrastructure + engineering time, not just license. A free OSS license that consumes a week of engineering per quarter is not free; a quote-based enterprise contract is rarely cheaper than it first appears once services are included.

Whichever direction you go, the fundamentals matter more than the vendor — our guide to secrets management best practices applies to every tool on this list.

If your team's reality is "we have .env files in Slack and we know that's bad," you don't need a PAM platform to fix it — you can start a free 14-day EnvManager trial and have encrypted, access-controlled secrets synced to your stack in a few minutes, or explore the features first.

FAQ

Is CyberArk Conjur free?

Conjur Open Source is free — the server is LGPL v3.0 licensed and available on GitHub. However, CyberArk's commercial editions (Secrets Manager, Self-Hosted and Secrets Manager, SaaS) are paid, quote-based products, and capabilities like high-availability architecture, certified integrations, and vendor support are part of the commercial offering, not the open source version.

How much does CyberArk Conjur cost?

CyberArk does not publish pricing for its Secrets Manager products; all commercial deployments are quoted individually. Costs are driven primarily by the number of non-human identities (apps, containers, service accounts) consuming secrets, plus edition, bundled modules, contract length, and professional services. Third-party per-identity estimates exist online but aren't verifiable, so budget through a direct quote.

What is the difference between Conjur Open Source and CyberArk Secrets Manager?

Conjur Open Source provides the core secrets engine: YAML-based policy, a REST API, and platform authenticators. CyberArk Secrets Manager (the commercial line, formerly Conjur Enterprise) builds on it with high-availability clustering, disaster recovery, certified integrations, vendor support, and integration with CyberArk's broader PAM platform — now part of Palo Alto Networks.

What is the best alternative to CyberArk Conjur?

It depends on scale. Enterprises wanting comparable capability typically evaluate HashiCorp Vault or Akeyless. AWS-only teams often use AWS Secrets Manager. Small and mid-sized development teams that mainly need environment-variable and secrets management across environments are usually better served by lighter developer-focused tools like Doppler, Infisical, or EnvManager.

Is Conjur still maintained after the Palo Alto Networks acquisition?

Yes. Palo Alto Networks completed its acquisition of CyberArk in February 2026, and as of mid-2026 the Conjur open source project remains actively maintained (v1.24.0 released November 2025), with CyberArk's Secrets Manager products continuing under the combined company. Long-term roadmap decisions are worth asking about directly during any enterprise evaluation.