    Orca Security CNAPP Cloud Security Platform

    Agentless Cloud Security in a Single, Complete Platform with 100% Coverage

    Overview

    Orca Security is the true Cloud Native Application Protection Platform (CNAPP) that identifies, prioritizes, and remediates risks and compliance issues across all of your workloads, configurations, and identities on AWS. Orca offers the industry's most comprehensive cloud security solution in a single platform, eliminating the need to deploy and maintain multiple point solutions.

    FAST TIME TO VALUE: The Orca CNAPP Platform is agentless first, and connects to your environment in minutes using patented SideScanning™ technology that provides deep and wide visibility into your cloud environment, without requiring agents. In addition, Orca offers a lightweight agent for organizations that require real-time protection for critical workloads.

    RISK PRIORITIZATION: Orca effectively prioritizes risks by applying a granular risk score to each alert, and recognizes when seemingly unrelated issues can be combined to create dangerous attack paths straight to your crown jewels.

    FULL SDLC SECURITY: The Orca platform shifts security left by seamlessly integrating into the CI/CD process so that applications can be secured from code to cloud and back.

    AI-POWERED: Orca is at the forefront of leveraging Generative AI for simplified investigations and accelerated remediation, reducing required skill levels and saving cloud security, DevOps, and development teams time and effort, while significantly improving security outcomes.

    PURPOSE-BUILT CNAPP: Orca unifies many different point solutions in one platform, including CSPM, CWPP, CIEM, DSPM, Container security, API security, AI-SPM, and much more.

    Sign up for a demo to uplevel your cloud security and get the fastest time to value available in the industry: https://orca.security/demo/ 

    Additional platform licensing options are not shown in this listing but are available via Private Offer. Please email aws@orca.security.

    Highlights

    • Visibility to all your IaaS and PaaS assets including EC2, Containers, S3 buckets using account-level read-only permissions
    • Detect compromises, vulnerabilities and risky configuration within minutes
    • No impact on your assets, grows automatically with your cloud account

    Get personalized pricing in minutes - New

    If qualified, an express private offer gets you custom pricing and terms. Finalize your purchase in the AWS Marketplace console.

    Details

    Delivery method

    Deployed on AWS

    Features and programs

    Trust Center

    Access real-time vendor security and compliance information through their Trust Center powered by Drata or Vanta. Review certifications and security standards before purchase.

    Buyer guide

    Gain valuable insights from real users who purchased this product, powered by PeerSpot.

    Financing for AWS Marketplace purchases

    AWS Marketplace now accepts line of credit payments through the PNC Vendor Finance program. This program is available to select AWS customers in the US, excluding NV, NC, ND, TN, & VT.

    Quick Launch

    Leverage AWS CloudFormation templates to reduce the time and resources required to configure, deploy, and launch your software.

    Vendor Insights

    Skip the manual risk assessment. Get verified and regularly updated security info on this product with Vendor Insights.
    Security credentials achieved (2)

    Pricing

    Free trial

    Try this product free according to the free trial terms set by the vendor.

    Orca Security CNAPP Cloud Security Platform

    Pricing is based on the duration and terms of your contract with the vendor. This entitles you to a specified quantity of use for the contract duration. If you choose not to renew or replace your contract before it ends, access to these entitlements will expire.
    Additional AWS infrastructure costs may apply. Use the AWS Pricing Calculator to estimate your infrastructure costs.

    1-month contract (4)

    | Dimension | Description | Cost/month |
    | --- | --- | --- |
    | Small | Small starter pack of concurrent workloads (EC2) per month | $7,000.00 |
    | Small-Medium | Small-Medium starter pack of concurrent workloads (EC2) per month | $12,000.00 |
    | Medium | Medium starter pack of concurrent workloads (EC2) per month | $17,000.00 |
    | Large | Large starter pack of concurrent workloads (EC2) per month | $30,000.00 |

    Vendor refund policy

    Contact us

    Custom pricing options

    Request a private offer to receive a custom quote.

    Legal

    Vendor terms and conditions

    Upon subscribing to this product, you must acknowledge and agree to the terms and conditions outlined in the vendor's End User License Agreement (EULA).

    Content disclaimer

    Vendors are responsible for their product descriptions and other product content. AWS does not warrant that vendors' product descriptions or other product content are accurate, complete, reliable, current, or error-free.

    Usage information

    Delivery details

    Software as a Service (SaaS)

    SaaS delivers cloud-based software applications directly to customers over the internet. You can access these applications through a subscription model. You will pay recurring monthly usage fees through your AWS bill, while AWS handles deployment and infrastructure management, ensuring scalability, reliability, and seamless integration with other AWS services.

    Support

    AWS infrastructure support

    AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.

    Product comparison

    Updated weekly

    Accolades

    Top 10 in Monitoring, Application Development
    Top 25 in Observability, Software Development
    Top 10 in Container Workloads

    Overview

    AI generated from product descriptions

    Agentless Cloud Security Architecture: Agentless-first approach using patented SideScanning technology that provides deep visibility into cloud environments without requiring agent deployment
    Risk Prioritization and Attack Path Analysis: Granular risk scoring applied to each alert with capability to identify and correlate seemingly unrelated issues into dangerous attack paths
    Unified Cloud Security Platform: Single platform consolidating multiple security functions including CSPM, CWPP, CIEM, DSPM, Container security, and API security
    CI/CD Integration for Application Security: Seamless integration into CI/CD process to secure applications from code to cloud deployment
    AI-Powered Investigation and Remediation: Generative AI capabilities for simplified security investigations and accelerated remediation workflows
    Offensive Security Engine: Simulates external exploits to produce Verified Exploit Paths for prioritizing exposures that are reachable by outside attackers and reducing cloud attack surface.
    Cloud Security Posture Management: Continuously monitors and manages security of AWS configurations to prevent public exposure and ensure compliance.
    Secrets Scanning: Identifies more than 750 types of secrets across public and private repositories.
    Cloud Infrastructure Entitlements Management: Detects and manages excessive or unused permissions to mitigate the risk of privilege escalation.
    Real-Time Malware Detection: Detects malware including zero-days in milliseconds with scanning performed directly in cloud environment for object storage services like Amazon S3 and file storage services.
    Multi-Workload Security Coverage: Unified platform securing containers, serverless, Kubernetes, and AI workloads across AWS, on-premises, and multi-cloud environments
    Runtime Threat Detection and Enforcement: Runtime protection to detect threats, block malicious activity, and enforce compliance in production across all cloud native workloads
    AI and LLM Security Governance: Purpose-built AI workload security to govern large language models and generative AI applications with model abuse detection and policy enforcement
    Full Lifecycle Security: Security coverage across the entire software development lifecycle from code development through production deployment
    Compliance and Authorization Standards: FedRAMP High authorization enabling compliance with rigorous security and regulatory standards

    Security credentials

    Validated by AWS Marketplace
    FedRAMP
    GDPR
    HIPAA
    ISO/IEC 27001
    PCI DSS
    SOC 2 Type 2
    -
    -
    -
    -
    -
    No security profile
    -
    -
    -

    Contract

    Standard contract
    No
    No
    No

    Customer reviews

    Ratings and reviews

    4.7 (306 ratings)
    5 star: 76%
    4 star: 23%
    3 star: 1%
    2 star: 0%
    1 star: 0%
    22 AWS reviews | 284 external reviews
    External reviews are from G2 and PeerSpot.

    Nykole Denoo

    Cloud risk visibility has transformed how I prioritize threats and reduce unnecessary spend

    Reviewed on Jul 02, 2026
    Review from a verified AWS customer

    What is our primary use case?

    I have used Orca Security for continuous cloud assessment visibility, identifying and prioritizing vulnerabilities and misconfigurations. I also monitor compliance against frameworks, whether it's NIST or SOC 2. Additionally, I use it for detecting cloud security risk and supporting incident response because it provides context around affected cloud resources.

    Risk detection in Orca Security is strong, mainly because it provides agentless visibility across the cloud environments I work in. My job involves identifying vulnerabilities, misconfigurations, identifying risk or exposed assets, and Orca Security does a great job helping to prioritize those risks on their potential business impact. It helps me align very well with the type of risk and the type of work I do in an AWS environment.

    I have used Orca Security's Cloud Cost Optimization feature in one of my recent projects to help identify underutilized cloud resources or cloud resources that have been idle for a long time. That feature allows me to identify those resources. My main focus is security, but I find it useful because if I'm able to see those resources that are not being used, I can adjust them. If I have to reduce their size, depending on what the case might be, or if I have to get it decommissioned, I can do so to help reduce unnecessary cloud spending while maintaining a secure environment. As much as my part of the job is security, I think overall, making sure that we are not just spending money on resources that we're not taking full advantage of is definitely a role that I would have to play. It also helps support conversations with the infrastructure team about balancing cost, performance, and security, to be able to get more data to have those conversations with those teams.

    Regarding the Cloud to Dev feature, I personally have not used that. However, I do know about it. Orca Security has the capability to help developers identify and remediate security issues early in software development life cycles by connecting cloud risk back to the code, repositories, or development responsibility. Although I have not used it personally, I have had a conversation with the software team where it helps to bridge the gap between security and development by mapping cloud security findings back to relative code repositories and development teams. It makes it easier to identify root causes and prioritize remediation early in the development cycle, which helps with collaboration between engineers and the security team.

    How has it helped my organization?

    Orca Security has helped significantly to reduce the time it took to identify or prioritize cloud security alerts because of the way it provides a centralized view of risk and correlated findings across the cloud environment. Instead of manually investigating every alert, I am able to focus on high-risk issues first based on factors such as exposure, exploitability, or business impact. This definitely significantly improves response time and makes the remediation process more efficient. Taking that manual factor out of it overall reduces the time for everything.

    Orca Security has been very helpful in preventing risks and attacks across my application life cycle by providing continuous visibility into the cloud workload. This also allows my team to prioritize and remediate issues before they could be exploited in production. It has also helped strengthen collaborations between security and development teams by providing actionable findings, which reduce the overall attack surface and improve security posture.

    What is most valuable?

    The features of Orca Security that stand out to me from my experience are that it allows agentless deployments. Since it is integrated into my AWS environment, it gives me comprehensive visibility across my whole AWS environment. With that kind of visibility, I am able to detect vulnerabilities or misconfigurations. I can do risk prioritizations and compliance monitoring through that. These capabilities of Orca Security align closely with the work I do when it comes to vulnerability management or security, cloud security assessments, or even regulatory compliance. Those features help with my day-to-day activities.

    Orca Security goes beyond just basic vulnerability detection when analyzing risks contextually and holistically. I think it adds a strong contextual understanding. Instead of treating each finding in isolation, it correlates risk across cloud assets, identities, network exposures, or workload configurations. That really helps provide a more holistic view of the attack path and potential business impact.

    What needs improvement?

    From my perspective, Orca Security is a really good tool. I would say one area I would like to see CNAPP platforms get is more intelligence when it comes to risk prioritization, which correlates with vulnerability, exposing assets, identities, and active threats to help the security team focus on risks that are more likely to be exploited. I am a huge advocate for automation. I also think deeper automation for remediation or stronger integration with ticketing and CI/CD pipelines or more customization would help. Executive reporting would help the security team respond significantly faster and communicate risk more effectively if those kinds of improvements are made.

    For how long have I used the solution?

    I have relatively hands-on experience with Orca Security for about three to four years. I have worked more hands-on with cloud security projects, and some of them are integrated with Orca Security.

    What do I think about the stability of the solution?

    I think the state of stability with Orca Security is impressive. It generally provides strong availability and scalability compared to a traditional on-premises security tool. I think the agentless part of it and the fact that it integrates directly with a cloud provider such as AWS helps to reduce operational overhead and potential points of failure that come with managing agents across multiple systems. From what I have seen, the architecture can support consistent visibility and create a very good, reliable risk detection across environments, even as a cloud workload scales.

    What do I think about the scalability of the solution?

    Before Orca Security, I used different solutions for the same use cases because of my expertise in those areas. I have used Amazon Web Services Security Hub, IAM, native logging and monitoring tools, Nessus, and a lot of SIEM platforms such as Splunk or QRadar. Overall, those tools together helped with vulnerability detection. They also helped with incident response or compliance monitoring and security alert triage. However, when it comes to more correlated data across multiple systems, Orca Security streamlines that by centralizing and correlating the risk all in one place.

    With my previous agent-based solutions, I have encountered performance issues when identifying risks. The challenges came more with the scalability of risk analysis across the multiple tools. Each solution provided a valuable insight on its own. For example, Nessus for vulnerability scanning and Splunk or QRadar for log analysis. However, the main limitation was that the findings were often siloed because they are different platforms. That meant I had to do the manual correlation of the data across the different platforms to understand the full context of the risk, which could slow down triage or investigation overall, especially if I was working with a larger environment with higher volume alerts.

    Which solution did I use previously and why did I switch?

    Before Orca Security, I used different solutions for the same use cases because of my expertise in those areas. I have used Amazon Web Services Security Hub, IAM, native logging and monitoring tools, Nessus, and a lot of SIEM platforms such as Splunk or QRadar. Overall, those tools together helped with vulnerability detection. They also helped with incident response or compliance monitoring and security alert triage. However, when it comes to more correlated data across multiple systems, Orca Security streamlines that by centralizing and correlating the risk all in one place.

    With my previous agent-based solutions, I have encountered performance issues when identifying risks. The challenges came more with the scalability of risk analysis across the multiple tools. Each solution provided a valuable insight on its own. For example, Nessus for vulnerability scanning and Splunk or QRadar for log analysis. However, the main limitation was that the findings were often siloed because they are different platforms. That meant I had to do the manual correlation of the data across the different platforms to understand the full context of the risk, which could slow down triage or investigation overall, especially if I was working with a larger environment with higher volume alerts.

    How was the initial setup?

    I did not participate in the initial setup and installation process of Orca Security personally. When I joined the team, it was already set up. I was not directly involved in the initial installation or setup. However, in my previous role, I did support some onboarding of other tools. I have a good understanding of how certain platforms are implemented or operationalized in an enterprise environment, but I did not set up Orca Security that I work with now.

    What's my experience with pricing, setup cost, and licensing?

    This is somewhat out of my scope because I do not see the exact pricing structure of Orca Security. However, from what I know through research, I think it is good. I think it is fair pricing in my opinion. I have that in place of multiple tools. Orca Security kind of replaces multiple tools that help improve efficiency. So when it comes down to it, if it is cost-effective in terms of overall security operation, I think the price point is reasonable. However, I do not know the exact amount or the exact pricing.

    Which other solutions did I evaluate?

    That personally would not be a decision I made before choosing Orca Security. However, I have been collaborating with a bunch of other people in my team, and I think they have considered other options. Depending on what the environment is being used for and the use case in general, they like to look for something that will mix with cloud-native tools. Any third-party solution, whether it is Prisma Cloud or Wiz, is something that I have heard of. However, the decision usually comes down to factors such as coverage across the multi-cloud environment or how easy it is to deploy or signal-to-noise ratio. Many factors come in before selecting what CNAPP they want to get. I feel that across everything, Orca Security stands out. The main thing that many people appreciate is the agentless visibility and the contextual risk prioritization, which is a good benefit that it has over competitors.

    What other advice do I have?

    Regarding Orca Sensor, I personally have not used it, but I do know of it. I have not used it directly, but my experience has been more about how it collaborates with the AWS environment, which is my strong field. However, I know it has been useful when deploying sensors and agents. I do not know how in-depth that goes because I have never done that personally, but I still feel that overall, it does what it needs to do. It still provides visibility into workloads and vulnerabilities, whether it is misconfigurations or exposed assets, in whatever environment they are running it in.

    I have used the official documentation offered by Orca Security a few times. I have used the documentation and guidelines in the context of IAM management workflows, particularly around single sign-on, multi-factor authentication, and user provisioning. The documentation from Orca Security is structured really properly. It got all the points across really great. It made it easy for me to read and understand. It was very straightforward. I was able to understand what was put across in the documentation without having to do multiple research or over-explanation. I appreciate that.

    I would rate this review as an eight out of ten.

    Tatiana T.

    Orca Gives Full Visibility Into AI Agents and Data Access—Security Finally Keeps Pace

    Reviewed on Jul 01, 2026
    Review provided by G2
    What do you like best about the product?
    Inside our company, the number of people shipping to production has exploded. It’s no longer just engineers anymore—analysts are running automations, PMs are prototyping on Friday and pushing on Monday, and AI agents are now embedded in almost every workflow. Security used to find our issues only after something had already shipped. Orca gives us visibility into everything that has been built, including every AI agent, the identities they run as, and the data they can reach, without asking teams to change how they work. For the first time, security is keeping pace with how fast the business creates, especially across the agent layer.
    What do you dislike about the product?
    Because Orca showed us so much so quickly, the first few weeks required some tuning to separate the most urgent risks from the rest. That focused effort helped us quickly zero in on the AI agents and the paths that mattered most, and it has paid off with much clearer priorities.
    What problems is the product solving and how is that benefiting you?
    This closed the gap between how fast the company builds its agents and how fast security can understand what’s reachable, exploitable, and worth acting on. Our CISO can now help the business keep going safely with AI agents included, instead of forcing people to wait for approval only after something has already shipped.
    Laura T.

    Modern, User-Friendly Cloud Visibility That Simplifies Security Workflows

    Reviewed on Jun 24, 2026
    Review provided by G2
    What do you like best about the product?
    I appreciate the visibility the platform provides across our cloud resources. The interface is modern and easy to work with. Risk prioritization also helps us focus on the right tasks, and it has simplified our security workflow.
    What do you dislike about the product?
    Some of the advanced settings take time to understand, and additional onboarding resources would be useful. That said, these are relatively minor drawbacks.
    What problems is the product solving and how is that benefiting you?
    This helps us reduce manual investigations and improve monitoring. Teams can address vulnerabilities faster than before.
    Saranya M.

    Fast, Well-Organized Cloud Risk Overview with Effortless Agentless Deployment

    Reviewed on Jun 23, 2026
    Review provided by G2
    What do you like best about the product?
    I like how quickly the platform provides a complete overview of our cloud environment. The dashboard is well organized and helps me focus on the most important risks first. The agentless approach is also a big advantage because deployment was very simple, and it reduced a lot of manual effort.
    What do you dislike about the product?
    Some findings can be difficult to explain to non-technical team members. I’d also appreciate having more options for report customization.
    What problems is the product solving and how is that benefiting you?
    Orca Security helps us identify vulnerabilities and misconfigurations before they become serious problems. We spend less time gathering information manually, and this has improved both our efficiency and our response time.
    Marcin P.

    Clear Cloud Visibility with Time-Saving Agentless Maintenance

    Reviewed on Jun 21, 2026
    Review provided by G2
    What do you like best about the product?
    I like that it provides clear visibility across our cloud resources. The findings are easier to review once you become familiar with the platform. The agentless approach also reduces maintenance work, which saves a lot of time.
    What do you dislike about the product?
    The first learning phase takes some effort, and certain recommendations could include more context. Exporting reports could also be more flexible. Still, there are no major drawbacks.
    What problems is the product solving and how is that benefiting you?
    This helps us identify security risks earlier. We spend less time manually gathering information, and communication between teams has improved because everyone can access the same data.