1. Total air-gap: No telemetry. No license callback. SHA-256 is the whole change-control artifact. CyberArk's TPP phones home; CertGuard doesn't.
2. Zero footprint: No MSI. No agents on production. No SQL backend. One SWAB approval, ever. CyberArk needs servers + DB + agents on every target.
3. Extremely portable: USB-stick deployable. Runs from a PAW. Carry it onto a SCIF visit. 64 MB drive holds the entire install + data.
4. 80% feature parity: Inventory, chain map, expiration monitor, AD CS template mgmt, multi-domain, EPA/CBT NTLM, LDIF edits. The 20% skipped is enterprise-scale only.
| Line item | CyberArk CM | CertGuard |
| --- | --- | --- |
| Software license (entry → mid-shop) | $150K – $600K | $0 – $15K |
| Infrastructure (Win Server + SQL, 3y) | $45K | $0 |
| Agent rollout to ~50 servers (PM time) | $40K | $0 |
| Annual maintenance (3y) | $75K | included |
| Professional services / implementation | $50K | $0 |
| 3-year TCO | $360K – $810K | $0 – $15K |

| Capability | CertGuard | CyberArk CM |
| --- | --- | --- |
| Single binary, no installer, no admin rights to run | YES | NO |
| Air-gap / no telemetry / no license callback | YES | NO |
| STIG-friendly install (no DA logon-locally, no MSI, no service) | YES | NO |
| USB-portable deployment | YES | NO |
| Local keygen + CSR (RSA/ECDSA, full DN + SANs + EKUs) | YES | YES |
| Cert format conversion (PEM / DER / PKCS#7 / PKCS#12) | YES | YES |
| AD CS template discovery via LDAPS | YES | YES |
| AD CS template modification (LDIF changetype:modify) | YES | YES |
| EPA / Channel Binding Token aware NTLM | YES | YES |
| Cert expiration monitor with 30/60/90-day buckets | YES | YES |
| Visual chain map / cert architecture health | YES (front-and-center) | PARTIAL (buried) |
| Multi-domain / multi-forest support | YES | YES |
| AD CS HTTP enrollment (POST CSR + fetch cert + push) | v0.2 (next) | YES |
| Multi-CA orchestration (DigiCert / Sectigo / LE / 100+) | AD CS-only today | YES |
| Kubernetes cert-manager / SPIFFE workload identity | NO | YES |
| ServiceNow / ITSM / PagerDuty integration | v0.4 roadmap | YES |
| HSM / FIPS 140-2 Level 3 key escrow | NO | YES |
| Multi-tenant / MSP deployment | NO | YES |
| 10,000+ cert scale, multi-cloud (AWS + Azure + GCP) | Designed for 50-2K | YES |
When CyberArk IS the right answer (be honest in procurement)
Choose CyberArk if your org has: 10,000+ certs across multi-cloud,
Kubernetes/SPIFFE as a hard requirement, ServiceNow integration as a procurement gate,
HSM-backed code-signing, 24/7 vendor support, or multi-tenant MSP deployment needs.
For everything else — small-to-mid AD CS shops, DoW / SCIF / air-gap environments,
STIG'd networks, teams without budget for $200K+ infrastructure — CertGuard wins on
TCO, footprint, and operational simplicity.