Orca Security CNAPP Cloud Security Platform

What do you like best about the product?

More people across the organization are now contributing to building and deploying solutions, and that shift has changed how we need to think about security. Orca gives us clear visibility into those activities without adding unnecessary friction. The platform helps us spot issues such as excessive permissions and risky configurations early, before they turn into bigger problems. Most importantly, teams can keep working at their normal pace without feeling slowed down or blocked by security processes.

What do you dislike about the product?

Helping less technical users understand the findings tied to their work took some extra internal guidance and support to make everything clear.

What problems is the product solving and how is that benefiting you?

It helps us support a culture of innovation while still maintaining strong security oversight. Rather than restricting how teams work, we’re able to identify and address risks proactively across our cloud environment. As a result, we’ve strengthened security without sacrificing speed or productivity.

What do you like best about the product?

What stands out most to me is the agentless approach. We were able to get visibility across our cloud environment without having to ask teams to install agents or change the way they work. As development cycles have sped up, it’s become even more important for security to keep pace without introducing delays. Orca provides the insights we need while still letting teams deliver at their usual speed.

What do you dislike about the product?

During the initial rollout, the platform surfaced more risks than we expected. That level of visibility was helpful, but it also took us some time to sort through the findings, set clear priorities, and decide which items needed immediate action.

What problems is the product solving and how is that benefiting you?

Orca helps bridge the gap between rapid cloud adoption and effective security oversight. With it, we can continuously monitor our workloads and surface meaningful risks without slowing down our development teams. As a result, collaboration between security and engineering has improved, and we’re able to maintain a stronger overall security posture.

What do you like best about the product?

Orca’s data security posture management is its best feature. It continuously inspects our cloud object storage and hosted databases to locate exposed PII. For example, if a database administrator accidentally copies a production backup containing unencrypted student registration profiles into a semi-public cloud environment,

What do you dislike about the product?

The automated compliance executive summaries are somewhat cold and heavily code-centric when I need to present our seasonal data security posture or GDPR readiness to our administrative board. Exporting a standard ORCa PDF forces me to manually clean up and simplify the technical jargon so it’s understandable for our directors with a more technical education.

What problems is the product solving and how is that benefiting you?

A data leak involving student profiles or internal academic registers would completely destroy the trust our international community places in our center. Orca provides a persistent, automated data-compliance safety net, helping ensure our cloud storage repositories remain tightly fortified against accidental data exposure.

I have used Orca Security for one year while working for a client where we set up Orca Security to scan our environment and identify vulnerabilities.

The main use case for using Orca Security is to identify vulnerabilities in our environment so that we can address them before any issues occur.

In one of our projects in GCP, we purchased Orca Security from the marketplace, which was enabled in our account at the organization level.

The main feature that I appreciated about Orca Security is that it is 100% agentless and context-aware, meaning it understands what it is doing.

The primary benefit is that it provides us with CVEs, through which I can identify the vulnerabilities in our security posture.

In the long run, as a security tool, it has helped us improve our security posture.

There is one issue that I encountered: when Orca Security provides CVEs and we attempt to implement its solutions, sometimes those solutions are not available on the cloud and cannot be implemented.

My main concern is the integration of Orca Security with generative AI for remediation inquiry.

Another concern I have is around the guardrails.

The primary improvement that Orca Security needs is to enhance its remediation steps based on the cloud platform being used.

I have been working in my current field for the past five or more years.

Orca Security has been stable in my experience.

Orca Security is internally based on cloud infrastructure and is 100% agentless, so it does not require significant scalability considerations.

Customer support is also good. I would rate it a 10 because they respond properly and communicate effectively.

Previously, I used to install an open-source tool to understand my security posture, which required some additional infrastructure investment.

I was using the native GCP Security Command Center.

We purchased Orca Security from the AWS Marketplace.

I am aligned with the pricing, as it is not that costly.

I did evaluate open-source tools, Orca Security, native open-source tools, and cloud-native tools as well.

When Orca Security provides CVEs, clicking on them gives suggestions about what can be done to resolve the issue.

I would advise others to use Orca Security because of the rich features that it offers.

I would rate this review a 9.

Public Cloud

Amazon Web Services (AWS)

Of my three customers, one is using Orca Security, and two are not using it. There are plenty of use cases available for Orca Security, and I can provide more details.

Orca Security is very good for faster management due to their CNAP, which stands for Cloud Native Application Protection Platform. It consolidates CSPM, CWPM, CWPP, and CAEM, which includes entitlement management and vulnerability scanning. Orca Security consolidates these solutions into a single platform. If I buy Orca Security, I can check data-related security posture management across various domains, including security and multi-cloud compliance. We put security at the forefront rather than waiting until project completion to engage security. It is important to place security in the field, and Orca Security is a very good tool for that.

Orca Security is an agentless vulnerability scanner, meaning we do not need to run any agents. The first use case is for consolidating various solutions into one. The second use case is agentless vulnerability scanning, and the third use case is for multi-cloud security. Some customers might have different cloud environments that can lead to vulnerabilities if not carefully managed, especially in stringent scenarios like FedRAMP. Orca Security is quite effective in these aspects, particularly for government and semi-government scenarios.

Orca Security serves to analyze configurations against what is optimally used and identify gaps. It identifies when servers are underutilized. For example, if a server is supposed to be at least eighty-eight percent utilized and is running below one percent, that results in unnecessary costs. This gap analysis is something every synaptic tool, including Orca Security, supports for cost optimization.

Orca Security has improved our cloud security visibility, streamlined vulnerability management, reduced alert fatigue through risk-based prioritization, and helped us remediate critical issues faster while maintaining compliance across our cloud environments.

Orca Security excels in identifying risks. If posture management is configured well, the tool performs effectively in identifying risks. I appreciate the tool as it finds various issues. In today's AI era, we see many new challenges, including tool poisoning and broken paths, which Orca Security identifies effectively. The tool captures all the risks related to entitlement management as well, focusing on the segregation of duties to minimize risks.

We use AI across the cloud environment, which helps in automating and remediating issues while enabling organizations to connect fragmented data for faster investigations and prioritizing measurable risks. Orca Security has seven distinct positive risks, including token theft and command injections, which are vital for security posture management.

I think Orca Security should be more SMB friendly since I mostly work with enterprise customers who have more budget. Orca Security could include options for smaller businesses and improve on areas like agentless functionalities and cost efficiency for small-scale deployments.

I work in an SMB organization and find Orca Security quite expensive. They typically offer some credit periods to conduct proofs of value for various products.

For enterprises, I find Orca Security to be fairly priced, whereas it is a bit more expensive for SMBs.

Everything is around five years, and I have been using it for the whole thing because I have been in this field since nineteen ninety-five. All these tools are five years old, maximum of five to six years old. In fact, they were born during my tenure.

Yes, Orca Security is generally considered a stable and mature enterprise-grade CNAPP (Cloud-Native Application Protection Platform) rather than an emerging startup product. However, stability can be viewed from three perspectives in my personal opinion, they are

1. Product Stability

2. Company Stability

3. Operational Stability

Yes. Scalability is actually one of the strongest differentiators of Orca Security compared to traditional agent-based cloud security platforms.

1. Agentless Architecture Eliminates Deployment Bottlenecks

Traditional CWPP and EDR-style cloud security solutions require agents on every VM, Kubernetes node, or workload. As organizations grow from hundreds to tens of thousands of cloud assets, agent deployment, upgrades, troubleshooting, and performance management become significant operational challenges.

Orca uses its patented Side Scanning™ technology to scan cloud workloads directly from cloud-provider storage snapshots and APIs without deploying agents. This means:

• No agent rollout projects
• No agent lifecycle management
• No performance impact on workloads
• New assets are automatically discovered and assessed

This architecture allows organizations to onboard large multi-cloud environments much faster than agent-centric solutions.

---

2. Designed for Large Multi-Cloud Estates

Orca supports:

• AWS
• Azure
• Google Cloud
• Oracle Cloud
• Alibaba Cloud
• Kubernetes environments

A large enterprise running thousands of subscriptions, accounts, projects, containers, and serverless workloads can manage them from a single platform and unified data model.

For organizations like:

• Global banks
• Telecom providers
• Retail giants
• SaaS companies

this becomes important because security teams do not need separate tools for CSPM, CWPP, CIEM, DSPM, vulnerability management, and container security.

---

3. Automatic Discovery of New Resources

One common scaling problem in cloud environments is asset churn:

• New VMs
• New Kubernetes clusters
• Auto-scaling groups
• Temporary containers
• Serverless functions

Orca automatically discovers and monitors newly created cloud assets without requiring manual updates or security onboarding processes. This is particularly valuable in DevOps-heavy environments where infrastructure changes continuously.

---

4. Unified Data Model Reduces Operational Complexity

Many enterprises end up with:

• Prisma Cloud
• Tenable
• Wiz
• CrowdStrike
• Native CSPM tools

all generating separate alerts.

Orca's Unified Data Model correlates:

• Vulnerabilities
• Misconfigurations
• IAM risks
• Sensitive data exposure
• Attack paths

into a single risk graph. This helps maintain operational scalability because the security team is not overwhelmed as cloud assets increase.

Orca Security's technical support is very good, aligning with my consulting operations, and I have not received any escalations.

In identifying risks with previous products, there are notable pros and cons between agent-based and agentless solutions. Agentless tools eliminate orchestration concerns, while agent-based tools allow more granular control and calculations.

The initial setup is straightforward, but I find it a bit complex due to the learning curve involved, which requires thorough guidance during the first configuration.

Yes, many organizations use either Orca Security Professional Services or partners such as Accenture, Deloitte, or Optiv for deployment. The feedback is generally positive, with customers highlighting fast onboarding, minimal operational overhead due to the agentless architecture, and strong implementation support. Orca Professional Services is often preferred for quicker deployments and product-specific expertise.

Regarding the time to value from Orca Security, if it is a SaaS setup, it is immediate. For larger solutions like ERP or MSSP setups, it can take more than six months. But for security scanning, it is shorter since we pay only for what we use.

Pricing was competitive for an enterprise-grade CNAPP platform, and the agentless architecture helped minimize deployment and maintenance costs. Licensing was straightforward, and the time-to-value was relatively fast compared to other cloud security solutions.

Among competitors like Trend Micro and Cisco, I compare Orca Security with offerings from those vendors based on features and costs.

In terms of objectives, I need functionality without paying a luxury price. The features offered by some competitors may be attractive, but what counts most is that Orca Security provides essential functions with lower costs.

I cannot provide a straightforward answer about the time it takes to address cloud security alerts because different levels of alerts exist, and fixing each alert can vary depending on how alerts are configured. Policies play a crucial role in alert management.

If SaaS is available, customers prefer it due to low engagement compared to hybrid models. The cost savings on SaaS are quite attractive.

Orca Security's ability to combine functionalities of multiple tools into one platform is indeed one of its strongest points.

I would rate support at eight plus points. My personal rating for Orca Security as a service provider would be nine.

Hybrid Cloud

Amazon Web Services (AWS)

What do you like best about the product?

We operate a premium, high-traffic marketplace and property technology platform for luxury real estate, high-end vacation rentals, and custom smart home integrations. Our multi-cloud environments across AWS and Azure host massive amounts of data, including high-resolution 3D virtual home tours, client financial records, and sensitive identity documentation.

What do you dislike about the product?

The initial dashboard layout can feel overwhelmingly loud. Because Hogar Dorado hourse inherited a fair amount of staging environments and legacy asset databases during the recent platform expansion, Orca instantly flagged thousands of low-priority vulnerabilities on day one.

What problems is the product solving and how is that benefiting you?

Before Orca, we had visibility gaps around orphaned testing environments and shadow IT projects spun up by regional development teams. Orca unifies our cloud security posture into a single dashboard and automatically helps us identify vulnerabilities.

What do you like best about the product?

Orca gives us a clear view of vulnerabilities, misconfigurations, and security risks across our cloud environment. Because it’s agentless, the setup was straightforward, and we were able to get it implemented and start monitoring resources quickly. I also appreciate the risk prioritization, which helps us focus on the most important findings rather than spending time chasing low-impact issues.

What do you dislike about the product?

The platform offers a wide range of capabilities, which can feel a bit overwhelming at first. A clearer starting point or guidance would help with the initial learning curve. Also, some reports could be more customizable to better match specific business requirements.

What problems is the product solving and how is that benefiting you?

It helps us centralize cloud security monitoring and reduces our reliance on multiple tools. Having everything in one platform improves visibility, and it’s easier to identify and address risks before they turn into bigger problems. Overall, it has saved us time and strengthened our security management process.

What do you like best about the product?

What I appreciate most is how quickly we gained clear visibility into our cloud environment. The agentless approach eliminated many of the usual deployment concerns, and the platform started surfacing meaningful findings right away. The risk prioritization feels practical and makes it easier to distinguish truly critical issues from lower-priority items. Having security, compliance, and vulnerability information consolidated in one place is also a major advantage.

What do you dislike about the product?

The interface is generally easy to use, although some of the more advanced features take a bit of extra exploration to figure out. I’d also appreciate more customization options for reporting, as that would make it easier to tailor reports to my needs.

What problems is the product solving and how is that benefiting you?

It helps us maintain a clearer understanding of cloud security risks without adding operational complexity. The centralized visibility makes it easier for teams to spot and resolve issues more quickly. As a result, we spend less time pulling information together and more time focusing on improving our security posture.

What do you like best about the product?

The platform provides centralized visibility into vulnerabilities, misconfigurations, and exposed assets without requiring agents on our workloads. Setup was smooth, and the dashboards make it easier to see where the biggest risks are. I also find the contextual prioritization valuable because it cuts down on noise and helps the team stay focused on the most important findings.

What do you dislike about the product?

Some of the more advanced features take time to fully learn, especially for new users. I also think the reporting customization could be improved in a few areas to make it easier to tailor reports to specific needs.

What problems is the product solving and how is that benefiting you?

It helps us manage cloud security from a single platform instead of relying on multiple disconnected tools. We’re able to identify risks sooner and respond more quickly, while also cutting down on manual monitoring. Overall, it has improved our visibility and made our cloud operations more efficient.

What do you like best about the product?

We manage high-volume travel booking engines, hospitality data, and our corporate cloud infrastructure. Because we process thousands of international flight and hotel transactions every hour, zero-latency cloud performance is non-negotiable. Orca Security’s agentless side-scanning is good.

What do you dislike about the product?

The executive reporting can feel a bit rigid. When I need to present our security posture to the board of directors—who are focused on business risk rather than technical metrics—Orca’s native reports are too granular. I usually have to export the raw data and build my own presentations to translate CVSS scores into actual business risk.

What problems is the product solving and how is that benefiting you?

This provides absolute visibility into an infrastructure that changes by the minute. Orca ensures that our cloud environment can scale up and down to meet seasonal travel demand, and our security scales with it effortlessly.