Skip to main content
Modern 42 Logo
Engineering & Delivery

Modern PAM-as-a-Servicefor Australian enterprises, delivered by the country's leading BeyondTrust Advanced delivery partner.

Modern PAM eliminates standing privilege, brokers every privileged session, and proves it to auditors. Modern 42 implements and operates BeyondTrust Password Safe, EPM, and PRA as a managed service, the same team designs, builds, runs, and migrates from CyberArk and Delinea. Australia's only BeyondTrust Advanced Delivery Partner and 2024 Technical Excellence Award winner.

Talk to our team All engineering services
The category

What is modern PAM?

Modern PAM is a privileged access management approach built around least-privilege by default, just-in-time elevation, recorded session brokering, and continuous discovery of privileged accounts across cloud and on-premises systems. It replaces the legacy password-vault mindset, where credentials are stored and reused, with a model that eliminates standing privilege, rotates secrets automatically, and grants elevation only when justified.

The shift matters because the threat surface has changed. Hybrid identities, service accounts, agentic AI identities, third-party vendor access, and a steady accumulation of local administrators have made unmanaged privilege the single largest unaddressed risk on most networks. Modern PAM platforms address this by combining four capabilities into one operating model:

  • Credential vaulting and automated rotation for human, service, and agentic identities
  • Just-in-time access with time-bound, approval-driven elevation
  • Session brokering with full keystroke and screen recording for audit evidence
  • Endpoint privilege management to remove local admin rights without breaking productivity

Delivered as-a-service, modern PAM also removes the most common reason PAM programmes fail: under-resourced internal teams. The platform vendor provides the product; a specialist partner provides the engineering, configuration management, and operational ownership.

Migration expertise

We migrate CyberArk and Delinea to BeyondTrust.

BeyondTrust, CyberArk, and Delinea are all recognised in Gartner's Magic Quadrant for PAM. We have made our choice. Modern 42 is Australia's only BeyondTrust Advanced Delivery Partner, and we have a repeatable practice for moving stalled or over-complex CyberArk and Delinea deployments onto a platform that fits modern operations.

BeyondTrust, our target platform

Why we partnered: integrated EPM, vaulting, and session brokering in one platform.

Password Safe, Endpoint Privilege Management (EPM), and Privileged Remote Access (PRA) under a single operating model, with the strongest endpoint controls of the three vendors. As Australia's only Advanced Delivery Partner, we have the engineering depth and product engineering access to design BeyondTrust deployments that survive contact with production.

Migrating from CyberArk

Typical trigger: operational cost and complexity have outgrown the value.

CyberArk has the deepest market share and the most mature vaulting platform, but is often the most operationally complex and the highest total cost of ownership. We migrate organisations from CyberArk Privileged Access Manager and Endpoint Privilege Manager to BeyondTrust, carrying across vault content, policies, session workflows, and integrations without breaking audit continuity.

Migrating from Delinea

Typical trigger: scope has outgrown the platform.

Delinea, formed from the Thycotic and Centrify merger, is easy to deploy initially but typically lacks the depth in EPM and session brokering that enterprise programmes need. We migrate Secret Server and Privilege Manager deployments to BeyondTrust when the scope has grown beyond mid-market simplicity, preserving secret history and access entitlements through the cutover.

Want a structured view before committing to a migration? Our BeyondTrust assessment scopes the move, or our IAM & PAM strategy engagement sets the wider direction.

Checklist

The modern PAM platform checklist.

Use this as a baseline when evaluating a new PAM solution, or as a maturity check against an existing deployment. If your current platform misses more than three of these, it is operating as a legacy password vault rather than a modern PAM solution.

  • Discovery, continuous scanning to find new privileged accounts, service accounts, and local admins across cloud and on-premises systems
  • Vaulting, automated credential rotation with no shared or hard-coded secrets remaining in scripts, configuration, or runbooks
  • Just-in-time elevation, time-bound, approval-driven access with no standing administrative privilege on day-to-day accounts
  • Session brokering, every privileged session proxied through a recorded gateway with keystroke and screen capture for audit
  • Endpoint privilege management, policy-based local admin removal that does not break legitimate productivity
  • Vendor and third-party access, privileged remote access for contractors without VPN or shared credentials
  • Service and agent identities, vaulting and rotation for service accounts, application identities, and agentic AI identities
  • Identity governance integration, PAM access reviews, segregation of duties, and access expiry linked to your IGA platform
  • Audit evidence, exportable session recordings, access request approvals, and policy violation logs that satisfy IRAP, APRA CPS 234, and SOCI
  • Operating model, defined runbook for onboarding, certification, incident response, and the team that owns each control
Request a walkthrough of your current PAM against this checklist
Scope

What we deliver

BeyondTrust implementation from discovery through to steady-state operations.

BeyondTrust Password Safe

Credential vaulting, automated rotation, privileged session management, and privileged account discovery across your entire estate.

Endpoint Privilege Management (EPM)

Remove local administrator rights from endpoints without affecting user productivity. Policy-based elevation where required.

Privileged Remote Access (PRA)

Secure remote access for vendors, contractors, and remote workers without VPN. Full session recording and audit trail.

PAM Policy Definition

Account discovery, onboarding policies, and access request workflow design aligned to your security framework and ASD Essential Eight requirements.

Migration off CyberArk and Delinea to BeyondTrust

Migrate from CyberArk and Delinea to BeyondTrust with minimal operational disruption.

On-Prem to Cloud Migration

Move your existing on-premises BeyondTrust deployment to a cloud-hosted model, including data migration, integration reconfiguration, and validation.

Current State Assessment

Assess your existing PAM environment to identify gaps, misconfigurations, and opportunities to improve coverage and operational efficiency.

Managed Service Offering

Ongoing operational support for your BeyondTrust platform. Monitoring, patching, configuration management, and incident response delivered by the team that built it.

Partnership

Why Modern 42 for BeyondTrust.

Modern 42 is the only Australian Advanced Delivery Partner for BeyondTrust and won the 2024 Technical Excellence Award at the BeyondTrust PartnerTrust Live event in Melbourne. This reflects depth of product knowledge, access to BeyondTrust engineering support, and a track record of complex implementations.

Our engineers hold current BeyondTrust certifications across Password Safe, EPM, and PRA. When complex issues arise, we have direct access to BeyondTrust product engineering, not just a support queue.

BeyondTrust Technical Excellence Partner of the Year 2024
Modern 42 PAM engineers implementing BeyondTrust privileged access management solutions
Industry Research
75%

of Critical Microsoft vulnerabilities between 2015 and 2020 could have been mitigated by removing admin rights, the core value proposition of endpoint privilege management.

Microsoft Vulnerabilities Report 2025 // BeyondTrust

Start your PAM Maturity Uplift
Partner comparison

Why organisations choose Modern 42 for PAM

Not all BeyondTrust partners have the same depth of experience, product access, or delivery model.

Modern 42
Typical PAM partner
BeyondTrust expertise
Advanced Partner, 2024 Technical Excellence Award
Standard partner tier
Engineering access
Direct access to BeyondTrust product engineering
Standard support queue
Australian delivery
100% sovereign, Canberra-based team
Offshore or mixed delivery
Post-deployment
Managed monitoring and quarterly health checks
Handover and walk away
Problems we address

Where PAM engagements typically start

Most organisations come to us with one of these situations.

  • Large unmanaged privileged account estates with no inventory
  • Vendor and contractor privileged access with no audit trail
  • Service accounts with shared or hard-coded credentials
  • Local administrator proliferation on Windows endpoints
  • A PAM tool that was purchased but never fully deployed
  • Migrating from a legacy PAM platform to BeyondTrust
BeyondTrust Advanced Delivery Partner
FAQ

Common questions

Everything you need to know about securing privileged access with Modern 42 and BeyondTrust.

Modern PAM is a privileged access management approach built around least-privilege by default, just-in-time elevation, session monitoring, and continuous discovery of privileged accounts across cloud and on-premises systems. Unlike legacy password vaults that simply store credentials, modern PAM eliminates standing privilege, automates credential rotation, brokers every privileged session through a recorded gateway, and integrates with identity governance so access expires when it is no longer needed. The goal is to remove admin rights as a default, grant elevation only when justified, and prove it to auditors.
PAM-as-a-Service is a delivery model where a specialist partner operates the privileged access management platform on your behalf. Modern 42 implements BeyondTrust Password Safe, EPM, and PRA, then provides the engineering, monitoring, configuration management, and incident response to keep it running. Your team retains policy authority and approval workflows; we own the platform operations. This avoids the common failure mode where a PAM tool is purchased, partially deployed, and then stalls because the internal team lacks the bandwidth or product depth to operate it.
All three are recognised PAM solutions in Gartner's Magic Quadrant. BeyondTrust leads on endpoint privilege management (EPM) and integrated session management (PRA), with a single platform covering Password Safe, EPM, and PRA. CyberArk has the deepest market share and the strongest brand for enterprise vaulting but is often the most operationally complex and expensive. Delinea (formed from the Thycotic/Centrify merger) is positioned for fast deployment and mid-market simplicity. Modern 42 is Australia's only BeyondTrust Advanced Delivery Partner and the 2024 Technical Excellence Award winner, we specialise in BeyondTrust deployments and migrations from CyberArk and Delinea.
For a focused initial scope, typically six to eight weeks. Full enterprise-wide deployments including all privileged account types are usually three to six months.
Yes. We have migrated organisations from CyberArk and Delinea to BeyondTrust. Migration scope and complexity depends on how the current platform is configured.
Yes. Our engineers work alongside your team and transfer knowledge throughout the engagement. Your team should be able to operate the platform independently after go-live.
This is common. We pick up existing deployments, assess what is already in place, and complete the implementation.
Yes. We regularly work with organisations where an existing PAM deployment has stalled, is underutilised, or is not meeting operational requirements. We start with a current state assessment to understand what is in place, identify gaps, and recommend a path forward. That might mean optimising what you have or migrating to a platform that better fits your environment.
We have migrated organisations from CyberArk and Delinea (Secret Server, Privilege Manager) to BeyondTrust. Each migration is scoped based on the source platform configuration, the number of privileged accounts, and integration dependencies.
We don't like to reinvent the wheel. If we have existing IP that covers your requirements, we will use it and the price will reflect that. We would rather spend time tailoring a proven approach to your environment than building the same document from scratch.

Where do you need help with identity?

Conditional Access review

Independent review of your Entra ID Conditional Access policies. Gaps, misconfigurations, and a remediated framework.

Learn more

SSO application migration

Migrate legacy authentication to Entra ID single sign-on. Reduce credential sprawl and strengthen your posture.

Learn more

Identity observability

Single pane of glass insights across HR, AD, Entra ID, and disconnected systems. Know what’s actually happening.

Learn more

We use cookies

We use cookies and similar technologies to help personalise content, measure the performance of our site, and provide a better experience. By clicking Accept, you consent to the use of all cookies.
Learn more.