We use CyberArk ourselves; it is a fairly well-built client. I dont think you will be able to brute force it off the device without the secure token if you have Agent Defense enabled. Assuming EPM allows sudo to be run against its own binary with its permissions control.
Most of EPM's protections are disabled in safemode, but I still dont think the client can be brute forced off though the vendor may know how to do it if possible.
Uninstall EPM agents on macOS | CyberArk Docs
