Ping Identity Comprehensive Review
Viability and Financials
Financial History: Ping Identity, founded in 2002, has demonstrated steady revenue growth over the years. Annual revenues grew from approximately $172 million in 2017 to nearly $300 million in 2021 (Ping Identity Holding Corp. ( PING) stock earnings and revenue | Digrin). This growth reflects strong demand for its identity and access management (IAM) solutions. The company was briefly profitable around 2017, but has more recently operated at a net loss (–$64 million net income in 2021) as it invested heavily in cloud development and expansion (Ping Identity Holding Corp. ( PING) stock earnings and revenue | Digrin). Ping raised multiple rounds of venture funding in the 2000s and 2010s (including investments from DFJ Growth, W Capital, KKR, and others totaling over $100M) (Ping Identity - Wikipedia). In 2016, private equity firm Vista Equity Partners acquired Ping Identity for a reported $600 million (Ping Identity to Go Private in $2.8B Thoma Bravo Acquisition), providing an infusion of capital that helped Ping expand (for example, through acquiring UnboundID for directory services that year). Vista took Ping public in September 2019 with an IPO valuing the company at ~$1.2 billion (Ping Identity to Go Private in $2.8B Thoma Bravo Acquisition). By 2021, Ping’s full-year revenue reached $299.4 million (23% year-over-year growth) (Ping Identity Holding Corp. ( PING) stock earnings and revenue | Digrin), with Annual Recurring Revenue (ARR) climbing above $300M. However, increased R&D and cloud transition costs meant the company was not consistently profitable in its public years.
Post-Acquisition by Thoma Bravo: In August 2022, Ping Identity was acquired by Thoma Bravo for $2.8 billion and taken private (Ping Identity to Go Private in $2.8B Thoma Bravo Acquisition) (Ping Identity to Go Private in $2.8B Thoma Bravo Acquisition). This deal represented a 63% premium over Ping’s pre-announcement stock price, underscoring investor confidence in Ping’s technology (Ping Identity to Go Private in $2.8B Thoma Bravo Acquisition). Thoma Bravo’s purchase came on the heels of its acquisition of SailPoint and was followed by an agreement to acquire ForgeRock, signaling a strategy to consolidate leading identity vendors (Ping Identity to Go Private in $2.8B Thoma Bravo Acquisition). Ping’s leadership (including CEO Andre Durand) welcomed the deal as an opportunity to “turbocharge innovation and open new markets” with Thoma Bravo’s backing (Ping Identity to Go Private in $2.8B Thoma Bravo Acquisition). The move to private ownership is expected to give Ping more flexibility to invest in long-term product development (especially cloud services) without the pressure of quarterly earnings. Notably, Ping’s ARR was $341 million by mid-2022 with 92% of revenue coming from subscriptions – a positive indicator of recurring revenue stability. While Ping had seen slight revenue softening in early 2022 (Q2 2022 revenue of $72M, down ~9% YoY) (Ping Identity to Go Private in $2.8B Thoma Bravo Acquisition), the overall financial position under Thoma Bravo is strong. With a history of serving large enterprises and a robust ARR base, Ping is considered financially viable and well-positioned for future growth under its new ownership. Thoma Bravo’s investment, alongside sister IAM companies, suggests Ping will have opportunities to grow through cross-selling and continued expansion into cloud identity services.
Business Model
Revenue Model: Ping Identity operates primarily on a subscription-based revenue model, providing its software via SaaS subscriptions or term licenses to enterprises. As of 2022, about 92% of Ping’s revenue was subscription-based (annual or multi-year contracts) (file://C:\Docs\paycom.html), reflecting a shift away from one-time perpetual licenses to recurring SaaS and support agreements. Ping offers cloud-hosted identity services through its PingOne platform, which are typically sold as annual SaaS subscriptions (priced per user or per identity volume). It also licenses software for on-premises or private cloud deployments (e.g. PingFederate, PingDirectory) on a recurring term basis. The company’s pricing targets large deployments – for example, third-party analyses note Ping’s entry-level annual pricing around $20k+ for enterprise packages (Ping Identity vs. Okta: Differences, Limitations, and How to Choose | Frontegg), indicating an emphasis on medium-to-large enterprise clients. Many of Ping’s customers are in the Fortune 1000 and government sectors, often engaging in sizable contracts; in mid-2022 Ping had 331 customers each contributing over $250,000 in ARR (file://C:\Docs\paycom.html). This focus on big-ticket clients means Ping’s sales involve enterprise negotiations and long-term engagements, frequently via annual or multi-year enterprise license agreements.
Customer Base and Target Markets: Ping Identity’s primary customer base is large enterprises across industries such as finance, healthcare, government, retail, and tech. Over half of the Fortune 100 are Ping customers ( Ping Identity Leadership Team), using Ping to secure workforce logins and customer-facing applications. Ping’s solutions are designed for organizations with complex IAM needs – such as hybrid IT environments, diverse user populations (workforce, partners, and consumers), and high security requirements. Typical use cases include workforce single sign-on and MFA for tens or hundreds of thousands of employees, as well as customer identity and access management (CIAM) for millions of consumer accounts. Ping’s target markets include highly regulated sectors (government agencies, banks, etc.) that value its on-premises options and compliance, as well as global enterprises that require IAM solutions interoperable with legacy systems and custom applications. In addition, Ping offers PingOne for Customers as a CIAM solution to brands that need seamless but secure customer login experiences (Ping Identity Announces Enhanced PingOne Cloud Platform and Dynamic Authorization Solution at Identiverse 2021 | Business Wire), and PingOne for Workforce for employee identity in large organizations (Ping Identity Announces Enhanced PingOne Cloud Platform and Dynamic Authorization Solution at Identiverse 2021 | Business Wire).
Partnerships and Channels: Ping Identity has cultivated a broad ecosystem of technology and channel partnerships to extend its reach. Its Ping Nexus partner program includes global systems integrators and consulting firms that implement Ping solutions for clients (ProofID and Midships form a strategic collaboration to deliver world ...). Ping also partners with major cloud providers and ISVs: for example, PingOne for Workforce is available through the AWS Marketplace (AWS Marketplace: PingOne for Workforce), and Ping has strategic tech alliances with companies like Cloudflare and BeyondTrust to enable Zero Trust security architectures (Partners - Ping Identity). These integrations allow Ping to provide “identity as the center” of a broader security stack (e.g. integrating PingFederate SSO with Cloudflare’s network security for authenticated access, or with BeyondTrust for privileged access controls). Ping Identity frequently positions itself as complementary to Microsoft environments – many enterprises use Ping to extend Microsoft Azure AD/Entra with advanced capabilities or to replace legacy Active Directory Federation Services. In the public sector, Ping works with federal resellers (e.g. Carahsoft) and integrators, especially now that it offers FedRAMP-certified services. Overall, Ping’s business model relies on high-touch enterprise sales often through partners, selling IAM as mission-critical infrastructure with recurring subscriptions and strong customer success involvement.
Security Posture
Compliance and Certifications: Security is a cornerstone of Ping Identity’s offerings, and the company maintains rigorous internal controls and certifications. Ping operates a Trust Center and undergoes regular third-party audits – it is SOC 2 Type II certified and ISO 27001 certified (with ISO 27018 for protection of personal data in the cloud) ( Trust Center). These certifications demonstrate that Ping follows industry best practices for security management, data encryption, and privacy. Ping’s cloud services also adhere to regional data protection laws (with GDPR and CCPA compliance programs in place) and support SAML, OAuth, OIDC and other security standards to ensure secure interoperability. A major achievement for Ping is its compliance for U.S. government use: as of late 2023, Ping Identity’s Government Cloud obtained FedRAMP High authorization and even Department of Defense IL5 accreditation (Ping Identity Enhances FedRAMP and DoD Identity Offerings Amid Growing Cybersecurity Demands). FedRAMP High certifies that Ping’s cloud meets the stringent security requirements to handle the U.S. federal government’s most sensitive, unclassified data – a strong indicator of its security maturity. (Ping’s Government Identity Cloud uses a dedicated single-tenant SaaS model for each customer to maximize isolation and security (Ping Identity Enhances FedRAMP and DoD Identity Offerings Amid Growing Cybersecurity Demands).) These credentials make Ping one of the few IAM providers capable of securing highly regulated and sensitive environments.
Security Track Record: To date, Ping Identity has had no publicly disclosed major security breaches, and the company emphasizes a proactive security posture. Internally, Ping appointed a veteran CISO (Jason Kees in 2021) to spearhead its security programs, and it employs secure development lifecycle practices (including regular penetration testing and bug bounty programs) to harden its software. The reliability of Ping’s cloud service is enterprise-grade; it distributes services across AWS infrastructure for high availability. In the event of any security incident, Ping has stated it would promptly notify affected customers and work to mitigate (Security Exhibits - Ping Identity), though “no recent security news” of breaches has been reported (Ping Identity Security Rating, Vendor Risk Report, and Data Breaches) (Ping Identity Security Rating, Vendor Risk Report, and Data Breaches). The company also publishes trust and status pages to be transparent about uptime and incidents. Ping’s strong security record is partly why customers in banking and government trust its platform for identity management.
Threat Protection and Zero Trust: Ping Identity’s approach to security extends beyond compliance – it includes advanced threat mitigation and alignment with Zero Trust principles. The Ping platform incorporates risk-based authentication and anomaly detection features that continuously evaluate user context and behavior. For example, PingOne uses machine learning to assess login risk (e.g. unusual login locations or device changes) and can step up authentication when needed. Ping has also developed API-specific threat detection: its PingIntelligence service employs AI/ML to monitor API traffic and identify attacks or anomalies in real time (Ping Identity vs. Okta: Differences, Limitations, and How to Choose | Frontegg). These capabilities help organizations catch potential account takeovers or malicious API usage early, augmenting traditional access controls.
Ping is a strong proponent of Zero Trust security, advocating “identity as the new perimeter.” In a Zero Trust model, no access request is inherently trusted, even from authenticated users or internal networks – instead, continuous verification is required. Ping’s products are designed to enable this. For instance, PingFederate can enforce re-authentication or step-up MFA for sensitive transactions, and PingAuthorize can dynamically check policies for each data access. Ping has partnered with network security providers to integrate identity into Zero Trust architectures – for example, Ping federated SSO + MFA combined with Cloudflare Access yields a powerful solution where every application request is validated against Ping’s identity policies (Zero Trust security with Ping Identity and Cloudflare Access) (Zero Trust security with Ping Identity and Cloudflare Access). Loren Russon, Ping’s SVP of Product, underscores that a “cloud-native Zero Trust security model has become an absolute necessity” and that Ping’s integrations help organizations “increase alignment with zero trust best practices” (Zero Trust security with Ping Identity and Cloudflare Access). In practical terms, Ping enables continuous, context-based authentication and authorization at every access point, which is at the heart of Zero Trust. This stance, along with its compliance efforts, positions Ping as a security-first IAM provider.
Products and Capabilities
Ping Identity offers a comprehensive suite of IAM products that address authentication, access management, directory, and API security needs. These products can be deployed in the cloud (via the PingOne platform), on-premises, or hybrid, giving enterprises flexibility to meet their requirements. Below is an overview of Ping’s core products and their capabilities:
PingOne Platform (Cloud Identity)
PingOne is Ping Identity’s cloud identity platform, delivering IAM as a service. It provides a unified, multi-tenant cloud console to manage authentication, authorization, and user identities for both workforce and customer use cases (Ping Identity Announces Enhanced PingOne Cloud Platform and Dynamic Authorization Solution at Identiverse 2021 | Business Wire) (Ping Identity Announces Enhanced PingOne Cloud Platform and Dynamic Authorization Solution at Identiverse 2021 | Business Wire). Key capabilities of PingOne include single sign-on (SSO), multi-factor authentication, user directory services, account lifecycle management, and identity orchestration. PingOne is offered in tailored editions such as PingOne for Workforce (to connect employees/partners to corporate resources with one-click SSO and central auth in the cloud (Ping Identity Announces Enhanced PingOne Cloud Platform and Dynamic Authorization Solution at Identiverse 2021 | Business Wire)) and PingOne for Customers (CIAM solution for seamless customer login experiences with SSO, MFA, etc. (Ping Identity Announces Enhanced PingOne Cloud Platform and Dynamic Authorization Solution at Identiverse 2021 | Business Wire)).
The PingOne platform allows organizations to quickly adopt cloud identity without managing infrastructure – while still integrating with on-prem systems via connectors. Notably, PingOne now includes no-code orchestration (PingOne DaVinci) from Ping’s 2021 Singular Key acquisition, letting admins visually design identity verification and authentication flows across multiple services. PingOne also supports private tenant deployments for organizations needing isolated environments (as seen in Ping’s Government Cloud offering) (Ping Identity Enhances FedRAMP and DoD Identity Offerings Amid Growing Cybersecurity Demands). In summary, PingOne provides a full-featured Identity-as-a-Service solution, with the ability to handle SSO, adaptive authentication, directory storage, and user journeys from a single cloud platform.
PingID (Multi-Factor Authentication)
PingID is Ping Identity’s multi-factor authentication (MFA) solution, designed to ensure only authorized users gain access by requiring additional proof of identity. It supports a broad range of authentication methods – including push notifications to the PingID mobile app, one-time passcodes (OTP) via SMS or email, voice authentication, OTP hardware tokens, biometrics (fingerprint/face unlock on devices), and FIDO2 security keys (Ping Identity vs. Okta: Differences, Limitations, and How to Choose | Frontegg). PingID can prompt users for a second factor based on policies (e.g. always for remote logins, or adaptively only when risk is detected). It offers adaptive risk-based authentication, meaning the system can adjust the level of authentication required according to the context and perceived risk of each login attempt (Ping Identity vs. Okta: Differences, Limitations, and How to Choose | Frontegg). For instance, a login from a new device or location might trigger an MFA challenge, whereas a routine login from a known device might not – balancing security and user convenience.
Administrators manage PingID through a console that allows them to enforce MFA enrollment, configure policies, and monitor authentication events. PingID integrates seamlessly with PingFederate and PingOne for adding MFA to SSO flows, and it can also work alongside other identity providers via standards. End-users experience PingID through the PingID mobile app (available for iOS/Android) which delivers push approvals (“Accept/Deny” prompts) or one-tap biometric verification for a quick login experience (PingOne MFA - Cloud Multi-factor Authentication for Customers) (PingOne MFA - Cloud Multi-factor Authentication for Customers). PingID’s flexibility (support for many factor types and offline modes) and its contextual authentication features make it a strong MFA solution for enterprises looking to enhance account security and align with Zero Trust (by verifying user identity at each access).
PingFederate (Single Sign-On & Federation Server)
PingFederate is a robust enterprise single sign-on (SSO) and identity federation server. It allows users to authenticate once and gain access to multiple applications without repeated logins, using standards-based federation. PingFederate supports protocols like SAML, OAuth2, OIDC, and WS-Federation, enabling it to act as an Identity Provider (IdP) that issues tokens assertions trusted by various applications (Ping Identity - Wikipedia). With PingFederate, organizations can integrate authentication across heterogeneous systems: for example, it can accept credentials from an on-prem Active Directory or LDAP, and then provide SSO tokens to cloud apps (Office 365, Salesforce, etc.), custom web applications, VPNs, and more (Ping Identity - Wikipedia). This gives users a one set of credentials experience across many services (Ping Identity - Wikipedia).
A key strength of PingFederate is its flexibility in deployment and integration. It can connect to multiple identity stores (AD, databases, social login providers), apply customizable authentication policies, and federate identities across organizational boundaries. Many enterprises use PingFederate to replace or enhance Microsoft ADFS, because PingFederate offers broader protocol support and advanced features (such as identity bridge, delegated admin, and passwordless integration). It also plays a critical role in customer IAM scenarios, enabling SSO and identity brokering for customer-facing sites. PingFederate often works in tandem with PingAccess; PingFederate authenticates the user and PingAccess then enforces what that user can access. Overall, PingFederate is the central authentication “hub” of Ping’s platform – providing scalable SSO, secure federation, and identity token services for thousands of applications and APIs in large environments.
PingAccess (Access Security & API Gateway)
PingAccess is an identity-aware access management gateway that protects applications and APIs by enforcing fine-grained authorization policies. It acts as a policy decision point and enforcement point, controlling what authenticated users are allowed to do or see. PingAccess can secure both web applications (HTTP/S) and RESTful APIs. In practice, PingAccess is often deployed as a reverse proxy or an agent-based solution in front of applications – once a user is authenticated (by PingFederate or another IdP), PingAccess evaluates rules to determine if the user’s request to a specific URL or API resource should be permitted. This fills the gap beyond SSO: SSO verifies who the user is, while PingAccess governs what they can access.
Originally introduced as a “next-generation identity gateway,” PingAccess combines traditional Web Access Management (WAM) with modern API security capabilities (Ping Identity Introduces PingAccess, A New Generation of Access Control | Business Wire). It supports context-aware policies that consider user attributes, request attributes, HTTP headers, etc. For example, PingAccess can require that a user has a certain role to access an admin URL, or it can filter API calls by scopes or IP ranges. Under the hood, PingAccess leverages open standards – it can accept OAuth access tokens to secure APIs and use JSON web tokens (JWT) for session management (Ping Identity Introduces PingAccess, A New Generation of Access Control | Business Wire). PingAccess integrates closely with PingFederate (sharing token and session info) to provide a seamless SSO + access control solution (Ping Identity Introduces PingAccess, A New Generation of Access Control | Business Wire). Once PingFederate issues an identity token, PingAccess uses it to grant or deny specific resource requests and can log/track user activity for auditing (Ping Identity Introduces PingAccess, A New Generation of Access Control | Business Wire).
Enterprises often choose PingAccess to modernize legacy WAM systems (like CA SiteMinder or Oracle OAM). It provides centralized, externalized authorization without requiring code changes to applications. Notably, PingAccess can secure legacy apps that don’t natively support modern auth – for instance, it can front an older web app and use header-based authorization (where PingAccess injects identity headers) to give that app federated SSO (). This capability is a differentiator (Microsoft’s native solutions don’t support header-based apps, whereas PingAccess can fill that need ()). In summary, PingAccess delivers a unified way to grant privileges, enforce security policies, and handle access control for web and API resources, across on-prem and cloud environments (Ping Identity Introduces PingAccess, A New Generation of Access Control | Business Wire) (Ping Identity Introduces PingAccess, A New Generation of Access Control | Business Wire).
PingDirectory (Identity Data Store)
PingDirectory is a high-performance directory server for storing and managing identity data at scale. It serves as an identity repository – essentially an LDAP v3-compatible directory (originally based on technology acquired from UnboundID) that can hold millions of user entries, credentials, and profile attributes. Organizations deploy PingDirectory to support both workforce and customer identity data, especially in scenarios requiring very fast read/write throughput and flexible data modeling. For example, a large consumer-facing service might use PingDirectory to store profiles for tens of millions of users and to handle thousands of concurrent authentication lookups per second.
Key features of PingDirectory include data replication for high availability, horizontal scalability, and secure storage (encryption and fine-grained access control to directory data). It supports schema customization and can store not just basic credentials but also richer identity attributes, preferences, consents, etc. PingDirectory often augments or replaces traditional directories like Microsoft AD when organizations need a more internet-scale or customizable directory. It’s a critical component for Customer IAM solutions because it can handle very large identity datasets and complex relationship mappings. PingDirectory integrates with the rest of Ping’s suite – PingFederate and PingOne can use PingDirectory as a user store for authentication and profile data. By offering an integrated directory, Ping gives customers a one-stop IAM platform (authentication + directory). In Ping’s product lineup, PingDirectory is referred to as the product for “identity storage” (Ping Identity - Wikipedia), underscoring its role in holding the identities that other Ping services authenticate and authorize. Deployment can be on-premises or in private clouds (Ping also offers managed services for Directory). Overall, PingDirectory’s capability to provide low-latency, scalable identity data management is essential for enterprises needing a robust identity backbone beyond what general-purpose databases or AD can handle.
PingAuthorize (Fine-Grained Authorization)
PingAuthorize is a dynamic authorization engine that provides fine-grained, attribute-based access control (ABAC). It enables enterprises to externalize complex authorization logic from applications and manage it centrally via policies. PingAuthorize was born from Ping’s acquisition of Symphonic Software in 2020 and was previously known as PingDataGovernance (Ping Identity Announces Enhanced PingOne Cloud Platform and Dynamic Authorization Solution at Identiverse 2021 | Business Wire). With PingAuthorize, organizations can create and enforce policies that determine whether a given user (or service) is allowed to perform a certain action on a certain resource, taking into account a variety of data points in real time.
Policies in PingAuthorize can incorporate any contextual attribute – identity attributes (roles, group memberships, consent status), resource attributes (data sensitivity labels), environment attributes (time of day, geolocation), and more (PingAuthorize | Ping Identity). For example, in a healthcare scenario, PingAuthorize could enforce a rule that only a physician who is assigned to a patient and is on-duty can access that patient’s record, and even then, only if the patient has given consent. At runtime, PingAuthorize’s engine pulls in relevant data (from directories, APIs, databases) and evaluates the policy logic at the moment of the access request (Ping Identity Announces Enhanced PingOne Cloud Platform and Dynamic Authorization Solution at Identiverse 2021 | Business Wire). This dynamic approach allows very granular decisions (down to specific record fields or transaction types) and adapts to real-time conditions.
PingAuthorize provides a centralized policy administration UI and API, so that security teams can manage authorization rules globally rather than scattering logic in individual apps. Common use cases include enforcing privacy regulations (only show data that a user is permitted to see per GDPR/CCPA consent), preventing fraud (extra checks on high-value transactions), and implementing Zero Trust data protection (never assume access is OK without checking attributes each time). According to Ping, this solution is particularly valuable in industries like finance, healthcare, and retail where sensitive transactions need strict control (Ping Identity Announces Enhanced PingOne Cloud Platform and Dynamic Authorization Solution at Identiverse 2021 | Business Wire). PingAuthorize works alongside PingFederate/PingOne – after a user is authenticated, PingAuthorize can be called (via API or policy enforcement points) to authorize what that user can actually do or view. By adding fine-grained, context-aware authorization, PingAuthorize extends Ping’s IAM from “Who are you?” to “What are you allowed to do right now?” in a unified way. This dynamic authorization capability is a key differentiator, as not all IAM suites include an out-of-the-box ABAC engine.
API Security Solutions (PingIntelligence)
Beyond user access to applications, Ping Identity also offers solutions specifically to secure API traffic. The centerpiece here is PingIntelligence for APIs, an AI-powered API threat protection product. PingIntelligence (originating from Ping’s Elastic Beam acquisition in 2018) monitors API activity to detect and block malicious usage, such as bots, API abuse, data exfiltration, and unknown attacks. It uses machine learning models to learn normal API usage patterns and then identify anomalies – for instance, an OAuth token being used from many IP addresses, a spike in requests that suggests a scraping bot, or subtle data probing techniques. By catching these patterns, PingIntelligence can alert or automatically stop suspicious API calls, adding a layer of security beyond standard authentication/authorization.
In practice, PingIntelligence is often deployed as an agent or via integration with API gateways to analyze API traffic in real time. It can work with PingAccess or other API gateways: PingAccess would handle validating tokens and basic access control, while PingIntelligence examines traffic for threats that comply with auth but are still malicious (like an authenticated user trying to enumerate large amounts of data). According to Ping, this kind of behavioral API security is crucial as businesses expose more APIs – it helps mitigate API-specific vulnerabilities and complement traditional app security. PingIntelligence is part of Ping’s broader “Threat Protection” capabilities within PingOne, now sometimes branded under PingOne for API Intelligence or PingOne Protect.
Together with PingAuthorize and PingAccess, Ping’s API security offerings provide end-to-end protection: authentication (ensure API calls are from known identities), authorization (ensure the identity can access that specific data/action), and behavioral analysis (ensure the usage patterns aren’t malicious). This multi-layered approach is an important differentiator for Ping in an era where APIs are a common attack vector. Industry analysts note that Ping’s platform leverages AI/ML to identify anomalies early, especially for APIs (Ping Identity vs. Okta: Differences, Limitations, and How to Choose | Frontegg), which strengthens an organization’s security posture against API abuse that traditional IAM might miss.
Competitive Analysis
Ping Identity operates in a competitive IAM market. Its main competitors include Okta (a leading IDaaS provider), ForgeRock (another enterprise IAM platform provider), and Microsoft Entra ID (formerly Azure AD, part of Microsoft’s Entra suite). Each competitor has different strengths, and Ping positions itself with unique differentiators in technology, deployment flexibility, and security features:
Ping Identity vs. Okta
Okta is often seen as the closest competitor to Ping Identity in access management. Both are recognized leaders in IAM and offer SSO, MFA, and directory services. The key differences often come down to deployment model and enterprise focus:
In summary, Okta excels with cloud-first simplicity and a massive integration ecosystem, while Ping Identity differentiates itself with hybrid deployment options, deeper integration in complex environments, and extended security features (like fine-grained auth and API protection). Both are leaders in the space – the choice often comes down to an enterprise’s specific needs (cloud-only vs hybrid, degree of custom requirements, etc.). Analysts frequently place Ping and Okta together in the Leaders quadrant, with Ping edging out for companies that have more advanced or non-cloud needs, and Okta for those prioritizing rapid cloud adoption (Ping Identity vs. Okta: Differences, Limitations, and How to Choose | Frontegg) (Ping Identity vs. Okta: Differences, Limitations, and How to Choose | Frontegg).
Ping Identity vs. ForgeRock
Ping Identity and ForgeRock have been direct competitors in the IAM market, with very similar target customers and product breadth. Both offer comprehensive suites covering workforce and customer identity, both support on-prem and cloud, and both emphasize standards-based identity. However, as of 2023, this dynamic has changed – Thoma Bravo acquired ForgeRock and merged it with Ping Identity, meaning the two are now part of the same family (Ping CEO on ForgeRock integration and future of identity | Computer Weekly). Still, understanding their differences is useful, especially for existing customers of either platform:
In summary, Ping vs. ForgeRock as separate choices is becoming a moot point post-merger. Historically, both were chosen for their enterprise-grade, highly customizable IAM. Now that they’ve joined forces, Ping Identity (the combined entity) is positioned as an even stronger competitor to others, with ForgeRock’s capabilities folded in. For existing comparisons: large enterprises choosing between Ping and ForgeRock used to consider fine details of features and ecosystem preference, but going forward those two will share a “unified roadmap” and customers can expect the best of both worlds under the Ping Identity brand (Ping CEO on ForgeRock integration and future of identity | Computer Weekly). The merger solidifies Ping’s market position, eliminating a rival and consolidating their technology leadership in the IAM space.
Ping Identity vs. Microsoft Entra (Azure AD)
Microsoft Entra ID (formerly known as Azure Active Directory) is Microsoft’s cloud-based identity and access management service, which is ubiquitously used in organizations that subscribe to Microsoft 365 and Azure. Entra ID provides core IAM functions like user directory, SSO to Microsoft and third-party apps, conditional access policies, and multi-factor auth. Many organizations face a decision between using Azure AD’s native capabilities versus an independent IAM platform like Ping. Here’s how Ping Identity compares to Microsoft’s Entra ID:
In summary, Microsoft Entra (Azure AD) is a formidable built-in competitor that covers IAM basics and excels for pure Microsoft cloud scenarios. Ping Identity distinguishes itself by providing a more comprehensive and flexible IAM platform for diverse enterprise environments, including those with non-Microsoft systems or advanced requirements. Many enterprises actually use both: Azure AD for their Microsoft apps and Ping for enterprise SSO spanning everything else (including as a federation bridge). The two can integrate – e.g., PingFederate can trust Azure AD tokens and vice versa – so it’s not always an either/or decision. But where a choice must be made: Ping is chosen when an organization needs richer IAM functionality or deployment flexibility that goes beyond what Entra ID offers, whereas Azure AD is chosen for simplicity and tight integration if an organization is mostly within Microsoft’s ecosystem. Notably, Ping has been named a Leader in access management by Gartner for many years running ( Ping Identity Named a Leader in 2024 Gartner? Magic Quadrant? for Access Management ), reflecting its capabilities beyond the basics that even Microsoft provides.
Market Positioning and Acquisitions
Position in the IAM Market: Ping Identity is widely regarded as a leader in the Identity and Access Management market, particularly in the enterprise and hybrid-cloud segment. Gartner has named Ping a Leader in its Magic Quadrant for Access Management for eight consecutive years as of 2024 ( Ping Identity Named a Leader in 2024 Gartner? Magic Quadrant? for Access Management ), highlighting Ping’s completeness of vision and strong execution in the space. Ping’s platform is often praised for its breadth (covering workforce and customer IAM use cases) and its ability to support both on-prem and cloud needs – a combination few vendors offer at scale. With the IAM market growing due to digital transformation and heightened security needs, Ping is well-positioned as a “one-stop shop” for identity solutions that can be tailored to complex requirements. Its customer base of Fortune 500 companies and large government agencies attests to its standing in high-end enterprise IAM. In the CIAM (customer identity) arena, Ping (along with ForgeRock) has been a leading choice for companies needing secure, scalable login for millions of users, which further solidifies its market position in that sub-segment.
Acquisitions Strategy: Ping Identity has strategically acquired several companies over the past decade to broaden its capabilities. These acquisitions have played a major role in Ping assembling a comprehensive platform:
These acquisitions (UnboundID, Elastic Beam, ShoCard, Symphonic, SecuredTouch, Singular Key) have been instrumental in Ping’s evolution from a federation/MFA company to a broad identity platform with directory, MFA, SSO, access control, authorization, fraud detection, and orchestration. Ping’s strategy has been to fill gaps via acquisition rather than build everything from scratch – accelerating time to market for new capabilities.
Additionally, it’s worth noting Thoma Bravo’s acquisitions around Ping: Thoma Bravo acquired Ping in 2022, and also ForgeRock in 2023, and had acquired SailPoint (identity governance) in 2022. While SailPoint remains separate, the trio of Ping + ForgeRock + SailPoint under one PE owner creates potential for collaboration or integration (covering Access Management, CIAM, and Governance together). As mentioned, Ping and ForgeRock are merging their offerings. This consolidation may enable Ping to offer an even more comprehensive identity platform (e.g., PingOne with built-in identity governance from SailPoint or ForgeRock’s IGA, though that’s speculative). The market positioning here is that Ping is at the center of one of the largest identity solution portfolios under Thoma Bravo, aimed at competing directly with the likes of Oracle, IBM, and Microsoft for full-stack identity solutions in large enterprises.
Partnerships and Alliances: Aside from acquisitions, Ping has built partnerships to extend its reach. Ping is known to partner with SailPoint (for identity governance integration – many customers use SailPoint for governance and Ping for access, and the two have documented integrations). Ping also partners with cybersecurity firms like CrowdStrike and Zscaler in the context of Zero Trust; for instance, Ping is part of the Cloudflare Zero Trust ecosystem where Ping provides identity and Cloudflare provides network security (Zero Trust security with Ping Identity and Cloudflare Access) (Zero Trust security with Ping Identity and Cloudflare Access). Ping has a partnership with Akamai as well, integrating PingOne with Akamai’s CDN/security platform to provide secure digital experiences (Akamai & Ping Identity Partner to Modernize Identity Security). These alliances help Ping position itself not just as an IAM tool, but as an identity platform that plugs into a broader IT security environment. On the channel side, global consultancies and integrators (Deloitte, Accenture, PwC, etc.) often include Ping in large digital transformation projects, and Ping’s Nexus partner network supports scores of regional IAM specialists who resell and implement Ping products. All of this bolsters Ping’s presence in the market as a trusted enterprise solution.
Future Growth Prospects: Looking ahead, Ping Identity’s growth prospects appear strong, buoyed by several factors. The secular trend towards Zero Trust security and identity-centric security works in Ping’s favor – organizations are investing heavily in IAM, both for securing remote workforces and improving customer experiences. Ping’s emphasis on passwordless authentication, decentralized identity (verified credentials), and AI-driven security aligns with where the industry is heading. For example, Ping has been developing passwordless login options (e.g., FIDO2 support and pairing that with PingID), which many enterprises are expected to adopt for better security and UX. Its exploration of decentralized identity (via projects like ShoCard and joining standards bodies) could position it for Web3 or future digital ID ecosystems where users control their identities.
Under Thoma Bravo, Ping may also pursue further acquisitions or integrations – one area to watch is identity governance, as Ping could integrate SailPoint more tightly or develop its own governance features to offer an all-in-one IAM+IGA platform. Another area is cloud infrastructure identity (managing identities of services, IoT, etc.), where Ping could expand capabilities (maybe via partnerships with cloud providers). Since the Thoma Bravo acquisition, Ping’s stated focus is accelerating its cloud transformation (Ping Identity to Go Private in $2.8B Thoma Bravo Acquisition) – we can expect PingOne to continue evolving rapidly, potentially unifying the best features of Ping and ForgeRock into a single cloud platform.
The competitive landscape will push Ping to innovate: Okta is expanding into privileged access and governance, Microsoft is integrating AI into Entra, etc. Ping’s advantage is its entrenched enterprise base and feature-rich platform – by continuing to invest in user-friendly orchestration, developer-friendly APIs, and broad integrations (such as support for DevOps and API security use cases), Ping can maintain and grow its share in the IAM market. With private equity backing, Ping might also be more aggressive in capturing mid-market or cloud-only customers than it was before (possibly by offering more SaaS, quicker deployments, or flexible pricing to compete with Okta in those segments). Overall, Ping Identity is positioned as a leading vendor in a market that is expected to grow for the foreseeable future, and its combination of product capabilities and new ownership support gives it a solid foundation to expand its footprint globally.
Key Personnel
Leadership Team: Ping Identity’s leadership is anchored by seasoned executives with deep experience in the identity and security industry. Andre Durand, Founder and CEO, has led Ping since its inception in 2002 and is a highly respected figure in the IAM community. He previously founded Jabber, Inc. (an early instant messaging platform) which was acquired by Cisco in 2008 ( Ping Identity Leadership Team), and he founded Ping with a vision of replacing passwords through identity federation. Under Durand’s leadership, Ping grew from a startup to a public company and through two major private equity transactions, all while establishing Ping as an identity market leader. Durand is known for his thought leadership in digital identity (he even helped start the Identiverse conference). His continued presence as CEO post-acquisition provides continuity and is seen as a positive sign that Ping will stay true to its identity-security mission.
Ping’s executive team includes other notable figures:
Other key leaders include Pete Angstadt (Chief Revenue Officer) focusing on sales growth, Aaron LaPoint (Chief Administrative Officer) handling internal operations, and Shalini Sharma (Chief Legal Officer) overseeing legal and compliance aspects ( Ping Identity Leadership Team) ( Ping Identity Leadership Team). This well-rounded C-suite has guided Ping through its transitions and continues to steer its strategic direction.
Executive Changes and Impact: Over the past few years, Ping’s leadership has seen some infusion of new talent, especially coinciding with its cloud push. The addition of Bernard Harguindeguy as CTO in 2020 (former CEO of Elastic Beam) brought AI and API security expertise into Ping’s leadership (Ping Identity Announces Additions to Leadership Team), although as of 2024 Bernard is no longer listed as CTO (he may have transitioned out after integrating PingIntelligence). Similarly, Richard Bird had joined as Chief Customer Information Officer, reflecting focus on customer-centric security, but he also departed after some time. These changes indicate Ping’s evolution: early on, leadership was very Ping-grown, but as the company expanded, they brought in external experts for specific domains (AI, cloud, etc.). The ForgeRock merger led to perhaps the most significant recent leadership change: the integration of ForgeRock’s top execs. Besides Peter Barker (CPO), ForgeRock’s CEO Fran Rosch did not continue (Andre Durand remains CEO of the combined entity), but other ForgeRock product and engineering leaders likely joined Ping’s ranks. The swift 100-day integration Durand executed (Ping CEO on ForgeRock integration and future of identity | Computer Weekly) suggests the leadership teams were aligned and possibly consolidated with some role shuffles to ensure clarity for customers.
The continuity of having Andre Durand stay on as CEO through all ownership changes cannot be overstated in impact. It provides stability and a clear, consistent vision (“identity security for the enterprise”) that permeates Ping’s culture. Customers and analysts often cite Durand’s passion and understanding of the market as a driving force for Ping. As an industry pioneer, he keeps Ping plugged into broader trends and standards efforts.
One notable board-level role: Durand serves on the board of Jamf (enterprise device management) ( Ping Identity Leadership Team), which doesn’t directly impact Ping’s operations, but it shows his involvement in adjacent tech spaces and could foster partnerships (device identity tying into Ping, for example).
In conclusion, Ping Identity’s leadership team blends long-standing identity veterans (Durand and team who have grown the company for two decades) with new experts in cloud, product, and security. This balance positions Ping to maintain its core ethos while adapting to new technology demands. There have been no seismic negative leadership disruptions – rather, planned additions – so the direction of Ping remains focused on innovation in IAM. The emphasis on product (with Barker) and security (with Kees) at the executive level, along with strong financial and sales leadership, means Ping has the human capital to execute on its strategy and continue its growth as a top-tier identity provider.
Sources: