We use the solution to show misconfiguration. Often, users lack knowledge about their assets' fingerprints and their cloud provider's configurations.
Presales Security Engineer / CSM at Cybersel Group
It contacts your account provider and fetches metadata, eliminating the need for snapshots or reserved space to copy client infrastructure
Pros and Cons
- "Orca Security has patented technologies. It's an agentless solution, so you don't need to install an agent. Instead, it contacts your account provider and fetches metadata, eliminating the need for snapshots or reserved space to copy client infrastructure."
What is our primary use case?
What is most valuable?
Orca Security has patented technologies. It's an agentless solution, so you don't need to install an agent. Instead, it contacts your account provider and fetches metadata, eliminating the need for snapshots or reserved space to copy client infrastructure.
The multi-cloud capability displays essential information and potential vulnerabilities with granular detail. For instance, it identifies paths that attackers might exploit to gain root or admin access to machines.
It is comprehensive, covering a wide range of software needs. They also integrate with CI/CD pipelines, enabling developers to ensure security from the early stages of code deployment. This integration provides a 100% guarantee on security, safeguarding images, configurations, and other crucial information throughout the development process.
What needs improvement?
The company is managed by industry veterans. It's a cloud-based product. They handle misconfigurations and analyse your runtime to detect malware. They're at the forefront regarding developer security. The platform is vast, inundated with information. One can easily feel overwhelmed by the sheer volume of data.
The solution is very detail-oriented, which can be overwhelming for nontechnical people. On the other hand, understanding the security posture is very valuable for a technical person.
For how long have I used the solution?
I have been using Orca Security for a year.
Buyer's Guide
Orca Security
April 2026
Learn what your peers think about Orca Security. Get advice and tips from experienced pros sharing their opinions. Updated: April 2026.
893,221 professionals have used our research since 2012.
What do I think about the scalability of the solution?
If you choose the traditional or legacy option, you'll have to install an agent. Agents don't scale well. You can't effectively scale with agents because it requires manual intervention on each machine, consulting the agent, and it's not scalable because you'll need to reproduce that process. With Orca, we employ scanning technology, avoiding all the workload of installing agents. And then you can scale very quickly, in just a couple of moments. You can basically scale quickly without the need for those interventions.
How are customer service and support?
Support is fairly prominent. They have knowledgeable people.
How was the initial setup?
The initial setup is straightforward and takes five minutes to complete.
What's my experience with pricing, setup cost, and licensing?
The ticket is quite expensive; it depends on which way you want to go. If you want to buy the licence on your own, you can opt for MSP licences where people are going to run a managed service. If you're going in, "I've got no time and no resources to do that," you can use managed service. We manage, we run the scan, and we work on the information on the findings. It's very different from other cloud solutions. Company A is in front of a company in Portugal, and they are linked together. It's a subsidiary. Orca will allow you to get your asset inventory very quickly which is quite expensive.
What other advice do I have?
Orca is a SaaS solution. It is deployed on cloud but you can have it on prem as well. It works with all cloud providers.
All vendors are offering a primary solution for free. You might need to consider Orca for a certain number of workloads like VM, a server, or even a phone.
Orca is very intuitive and offers a lot of features. You can click on it, and you can see it all. The proper way is to go through an integrator or reseller; that's called the retail side. Before you take any action, call the retailer and ask them for a demo, in order for you to understand. If you start tomorrow and buy Orca, if you never call those guys, it's going to be a little bit difficult for you. You need someone who's trained to explain and show you around the platform.
Overall, I rate the solution a nine out of ten.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner/Reseller
Information security consultant at a tech services company with 1,001-5,000 employees
Identifies cloud vulnerabilities quickly and helps enforce security rules through test simulations
Pros and Cons
- "Orca Security has helped us significantly by giving clear visibility into our weakest points and allowing us to prioritize what truly matters."
- "I experienced some problems with custom tags in Orca Security where I tried to separate the environment for business units so I could ask the tech lead responsible for that vulnerability to fix them."
What is our primary use case?
We wanted to understand our cloud environment better, so we had a demo of Orca Security and then signed a deal to access the full platform and identify our most vulnerable areas. I started to schedule scans and monitor the machines in our cloud environment to help fix vulnerabilities. I set rules for certain situations and performed tests using those rules, which worked very well. Since I have familiarity with red teaming, I could perform malicious activities to trigger those rules and observed the rule blocking my actions effectively.
How has it helped my organization?
Orca Security has helped us significantly by giving clear visibility into our weakest points and allowing us to prioritize what truly matters. Its unified dashboard and contextual risk insights made it easier to quickly identify, fix, and protect the most critical vulnerabilities. As a result, we’ve been able to strengthen our environment faster and with much more focus.
What is most valuable?
Orca Security is a very user-friendly platform. We were migrating from another technology to Orca Security, and my first contact with Orca was excellent for seeing and understanding our cloud environment. It was very intuitive for me to use the platform.
I really appreciated how Orca Security uses AI. It was easier for me to explain to developers what they should fix. Sometimes it also has an auto-fix feature where AI provides the steps to fix that vulnerability. From an AppSec point of view, this is something that has been a game changer for me.
What needs improvement?
I experienced some problems with custom tags in Orca Security where I tried to separate the environment for business units so I could ask the tech lead responsible for that vulnerability to fix them. I had some problems trying to add custom tags because they create one custom tag for all assets in our environment, and they don't have that feature well prepared for this kind of situation.
The scans you try to perform on the platform can take a very long time to complete. I didn't face any delay or lagging issues otherwise, but the scans take considerable time.
For how long have I used the solution?
I used Orca Security for the last ten months while working for a startup here in Brazil.
What do I think about the stability of the solution?
I installed Orca Sensor on some machines in our environment and it worked well at first, but it disconnected sometimes. Our support team helped us get it online as soon as possible.
What do I think about the scalability of the solution?
I believe Orca Security can fit both smaller and larger companies. In our case, for a smaller company, it works very well, but it is really scalable for bigger companies.
How are customer service and support?
I needed to contact support mainly for the custom tags issue I mentioned earlier. They are very clear and very fast with solutions. I could talk with engineers from Israel and India, and I also had a contact point in Brazil that helped me get responses as quickly as possible. I had a very positive experience with Orca Security support.
I would rate their support an eight out of ten. I had one or another problem that is on their roadmap to fix, but their answer was very fast. They communicated that certain features are planned but not currently available, or they might be ready for the next quarter. However, what they could help me with, they helped with as quickly as they could.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
Previously we were using Palo Alto Prisma Cloud before Orca Security. Orca Security was much better for me in visual aspects to see the environment, see the vulnerabilities, see all the assets, and then split everything into our business units.
How was the initial setup?
It was easy to install and set up everything. Setting up all the components, for example the sensors and the connection with our GCP, was straightforward and was assisted by someone on Orca Security's side.
What about the implementation team?
In our case, it was me, someone on Orca Security's side helping us, and another person on my side who is a tech lead.
What was our ROI?
The return on investment occurred within one or two weeks, I believe.
What's my experience with pricing, setup cost, and licensing?
I'm not sure about the details because my coordinator and manager signed that deal. However, I remember it was cheaper than Palo Alto Prisma Cloud. I'm not certain what the exact dollar amount per month was.
Which other solutions did I evaluate?
I'm not sure if we bought it from a reseller. I'm not certain right now whether it was from a reseller or directly from Orca Security.
What other advice do I have?
We are not a reseller or partner of Orca Security. My overall rating for this solution is eight out of ten.
Which deployment model are you using for this solution?
Private Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Google
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Nov 25, 2025
Cloud Security Contractor at TripAdvisor
Quick and easy setup and helps comply with various security frameworks and strengthens overall security posture
Pros and Cons
- "The reporting and automated remediation capabilities are valuable to me. They're real game-changers."
- "I would like to see better customization options for security frameworks and better integration with reporting tools like Power BI or Grafana dashboards."
What is our primary use case?
I mainly use it as a posture management tool to comply with security frameworks like CIS and NIST, strengthening my overall security posture.
What is most valuable?
The reporting and automated remediation capabilities are valuable to me. They're real game-changers.
What needs improvement?
Maybe better customization options for security frameworks and better integration with reporting tools like Power BI or Grafana dashboards. Modularizing reports and dashboards would be fantastic. Simplifying the way users build custom frameworks would be good.
For how long have I used the solution?
I have been using this solution for one year.
What do I think about the stability of the solution?
No issues at all! It's been quite stable and reliable.
What do I think about the scalability of the solution?
It is a very scalable solution. It supports all three major cloud providers and is designed for easy deployment. So, from my perspective, it's highly scalable.
How are customer service and support?
The customer support was not good. It really depended on who you got assigned to. Overall, I'd say it was decent, not perfect, but definitely helpful.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
We also looked at Lacework and CrowdStrike. The main problem with Lacework was the pricing model. It was based on capacity, and with our ever-growing environment, the costs became unsustainable.
The features, ease of integration, and compatibility with all our security frameworks swayed us towards Orca.
We migrated everything to Orca and haven't looked back.
How was the initial setup?
The initial setup is very easy. I would rate my experience with the initial setup a ten out of ten, where ten is easy to set up.
What about the implementation team?
I managed it all by myself. We had some support from Orca at the time, but the process itself was very easy. The whole setup, from initial discussions with Orca and setting up our own environments, was only about two to three days.
What was our ROI?
It is worth the money we are paying for it.
What's my experience with pricing, setup cost, and licensing?
It's not as expensive as some competitors like Prisma Cloud, but it's not the cheapest either. A subscription model based on AWS usage would be an interesting option to explore.
What other advice do I have?
Users can meet all the needs around security, automation, customization, and reporting. Orca is a feature-rich tool, easy to use, and seamlessly integrates with major cloud providers.
It offers comprehensive visibility not just from a security standpoint but also for management and high availability. That's my key advice.
Overall, I would rate the solution a ten out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Information Security Engineer at a university with 1,001-5,000 employees
User-friendly and efficiently identifies and addresses internal vulnerabilities
Pros and Cons
- "Orca Security has updated its interface, making it more user-friendly. I find it particularly useful as it allows me to easily navigate the dashboard and prioritize actions based on severity and criticality."
- "The interface can be a bit cranky and sometimes takes a lot of time to load."
What is our primary use case?
I've been working on this cloud security platform for the past one and a half years. Essentially, we focus on checking different components of AWS and Azure.
We check over containers, instances, and various other elements running in the cloud. Our work is specifically designed for the cloud environment. We identify and address internal vulnerabilities across applications and operating systems which we are using in the cloud.
If there are any patch management requirements, we ensure they are done across different applications and even API interfaces.
In summary, our goal is to maintain security settings across the cloud infrastructure, such as AWS and Azure, used by our company. We connect with the DevSecOps team to actively work on securing the cloud environment and remediate vulnerabilities. We make sure incidents are properly handled, and necessary updates are implemented without causing disruptions. To facilitate communication, we use SMS for incident closure. This has been our focus for the past year.
How has it helped my organization?
Previously, we had a hybrid model where we used both physical devices and VMs across the cloud to manage enterprise security solutions. With Orca Security, we have a specific solution that allows us to monitor internal vulnerabilities and the most exploitable ones across the cloud. This platform is dependable and includes a powerful AI engine that we are currently using.
It helps us identify and address vulnerabilities early on, including CPU weaknesses and other variations. Additionally, it provides remediation guidance and facilitates patching and updates. Furthermore, it gathers threat intelligence, which is beneficial during incidents.
What is most valuable?
Recently, Orca Security has updated its interface, making it more user-friendly. I find it particularly useful as it allows me to easily navigate the dashboard and prioritize actions based on severity and criticality.
This feature makes it easy for me to look at prototypes and determine the necessary steps to take, focusing on critical issues first. I love the interface dashboard.
What needs improvement?
I would say that there are some loading issues. Since this is a cloud-native platform, there may be a problem with connecting to the dashboard as soon as it's open. The interface can be a bit cranky and sometimes takes a lot of time to load. So, the way APIs are deployed for our dashboards or monitoring systems needs to be corrected and optimized.
In future releases, Orca Secure needs to have new integrations with different security solutions apart from the cloud. We have EDRs, XDRs, and MDRs. Orca Security should automate the process of connecting and integrating with these solutions. It can be an essential way of protecting the infrastructure in an effective manner.
For how long have I used the solution?
I have been using Orca Security for the last two years.
What do I think about the stability of the solution?
I would rate the stability of Orca Secure a nine out of ten.
What do I think about the scalability of the solution?
I would rate the scalability of Orca Secure a nine out of ten.
What about the implementation team?
We directly bought this product from Orca Security itself, so we did not use any third party to install or deploy it.
What was our ROI?
What's my experience with pricing, setup cost, and licensing?
The price is a bit expensive for smaller organizations. It can be expensive for smaller organizations, but if you are managing your infrastructure in the cloud, it's definitely worth trying.
We have certain subscriptions and licenses for around a thousand instances deployed across the cloud. We purchased the subscriptions for the necessary devices we are running. It has cost us a lot.
What other advice do I have?
I would definitely recommend using Orca Secure. It's a very good cloud security platform. Apart from what I've seen, it has a really extensive dashboard and analysis capabilities. It picturizes actual vulnerabilities and provides guidance for remediation. It's a valuable cloud security evaluation tool, and I would suggest it as the first thing to learn.
Overall, I would rate the solution a solid nine out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Security Engineer at Eon Health
Effective automated scanning capabilities, low maintenance, and scales well
Pros and Cons
- "The most valuable feature of Orca Security is the automated scanning tool, user-friendliness, and ease of use."
- "The solution could improve by making the dashboards more elaborative and more descriptive."
What is our primary use case?
We are primarily using Orca Security for our vulnerability assessment management. We are using it for our containers; it does free image scanning to find security loopholes that might be present in our overall infrastructure. Additionally, it provides the remediation steps and an overall overview of the security of our infrastructure.
How has it helped my organization?
This solution has helped out organizations by recognizing security threats and vulnerabilities in the early stages of software development. That is one of the benefits that we are receiving from the tool. We are dealing with security loopholes and deficiencies in the earlier stages of our development.
We have the time to review the whole process and Orca Security provides security solutions to our clients. The solution has been beneficial for us to detect security loopholes in our early stages.
What is most valuable?
The most valuable feature of Orca Security is the automated scanning tool, user-friendliness, and ease of use.
What needs improvement?
The solution could improve by making the dashboards more elaborative and more descriptive.
For how long have I used the solution?
I have been using Orca Security for approximately two years.
What do I think about the stability of the solution?
The stability of Orca Security is good.
What do I think about the scalability of the solution?
Orca Security is scalable. We have 25 users using the solution in my organization.
How are customer service and support?
I have used the support a couple of times when we escalated some queries regarding the report formatting and the false positive.
Most of the time whenever we open a support ticket to their technical department the response time is quite high because we are dealing with frequent deployments. We expect them to respond within one or two days but they take quite a long time to respond back.
I rate the support from Orca Security a six out of seven.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
We used to use an open-source vulnerability management tool from OWASP regarding the guidelines that they had listed on their own site using management systems, such as REM, CS, and CVSs, which is a risk management framework. We were using those frameworks for our vulnerability assessment and management.
Orca Security is an enterprise solution; it scales well with your own infrastructure. We thought that the use cases it covers were aligned with our use cases, and this is why we switched.
How was the initial setup?
The initial setup of Orca Security is straightforward. I do not know how long the deployment took, but it is quite intensive, responsive, and has low latency.
I rate the initial setup of Orca Security an eight out of ten.
What about the implementation team?
The implementation of the solution was done in-house.
What's my experience with pricing, setup cost, and licensing?
We have a total of 25 licenses for this solution. The solution is on a pay-and-you-use model.
What other advice do I have?
The vendor handles the maintenance of the solution, such as patches, and different enhancements.
Every organization has its own needs and requirements, and configuring a tool with customization depends on the use case of the current organization. It is not a solution for all organizations. If you are dealing with small projects, you don't need to switch to this enterprise solution. The usage of this solution depends on the organization's needs and requirements; another solution might be better.
I rate Orca Security an eight out of ten.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
CISO at a recruiting/HR firm with 11-50 employees
Prioritizes vulnerabilities and findings, helping us to focus on the most important issues, unlike other solutions
Pros and Cons
- "Orca gives you great visibility into your assets. It shows you the issues and the things that you need to attend to first, by prioritizing things. You can see a lot of information that is not always visible, even to DevOps, to help you know about the machines and their status. It's very easy to see everything in a single dashboard. That makes it a very useful tool."
- "Before starting with Orca, I was blind; think about someone who was blind and now they can see, it's a new world."
- "The main drawback in an agentless approach is that if the solution detects a virus or malware in the environment, we need to manually remove it. But from my experience with other production environments, it's not straightforward to install agents in the hope they will automatically remediate viruses, even from production environments... Ultimately, the ability to auto-remediate is something that I would like to see."
- "The main drawback in an agentless approach is that if the solution detects a virus or malware in the environment, we need to manually remove it."
What is our primary use case?
I use it for our cloud security posture. Initially, the idea was to increase visibility because we had zero visibility into our cloud environment.
How has it helped my organization?
Orca provides agentless data collection directly from your cloud configuration and from the workload runtime block storage. They call it SideScanning. What it does is it copies the image of the assets and then the solution does all its analysis on the side. It just records the image and then looks at it. It sees everything that is installed on the image, like type of data, packages, applications, and the audit log. It can even see into ODD and other activity logs that are not collected by default by DevOps. It provides you with great visibility into each asset, including containers, storage devices such as RDS, CCS, and EC2, and S3—all the basic and major components in cloud environments. And that's true not only for AWS, but for all three cloud providers.
This agentless approach means there is zero performance impact. That's the whole idea. The only thing it does is copy the image and then it does the scan which is a read-only operation. It doesn't use the computing resources. That makes it very lightweight.
The agentless collection of data enables Orca to see assets within their environmental and business contexts and prioritize truly critical security issues. It sees things very clearly and you get a notification, alerts to Slack or whatever system you are using. We have also exported the alerts to our Splunk environment, to cross-reference them with other systems as well. It provides great focus on the right and the most important topics that we should attend to first.
In terms of consolidating vendors, Orca solved a few issues for us. Because we came across it very early in the process of picking tools for our cloud environment, we saved a lot of money by not having to pick multiple different tools to cover different aspects of cloud security. We had good timing when we picked Orca, rather than various tools to do the same job. If you have multiple scanners and you install Orca, you can remove the other ones. That's great and will save you money and a lot of working hours. A lot of the work we did previously was done manually. Now, we get good visibility and it saves manpower as well.
We didn't have anything, and Orca solved three or four different problems in a single tool. If I had had to buy three different tools, obviously it would cost more, but I can't estimate how much the difference would have been. What I can say is that Orca has saved us at least half of a SecOps FTE, at least in the beginning when I didn't have a team and did most of the work and the monitoring myself. It has saved me a lot of time, because I needed a lot of DevOps resources to help me before we had Orca. When I installed Orca, I became very independent. That was really a great feeling.
What is most valuable?
Orca gives you great visibility into your assets. It shows you the issues and the things that you need to attend to first, by prioritizing things. You can see a lot of information that is not always visible, even to DevOps, to help you know about the machines and their status. It's very easy to see everything in a single dashboard. That makes it a very useful tool.
The fact that it prioritizes vulnerabilities and findings, and doesn't present you with hundreds of unuseful findings, is important. They focus the information and make you concentrate on the high-priority items. This is something that differentiates it from the others.
They also now have the ability to filter findings based on best practices, like CIS, PCI, and even GDPR. That means you can filter your environment based on a specific filter, and that helped us when doing our PCI audit. We were able to show the auditors what our environment looks like from a PCI perspective. That's another great feature that it offers.
It's also very easy to use, very intuitive, and very detailed.
Another new feature shows you outliers and abnormalities for IAMs and access. It focuses on users with too many permissions and provides you with recommendations on what to do as a result.
There is a feature that searches for secrets on your infra and what can be done with those secrets.
You can also do very complex search queries to find assets that you think may be relevant. For example, searching for Log4j references in the infrastructure was very easy.
I also like the fact that the solution includes the most potentially painful parts, out-of-the-box, like malware and secrets scans, IAM, attack vectors, and benchmarks against CIS and other best practices. That full suite is something that every security professional needs. It solves the issue of having to run multiple tools, such as a vulnerability scanner, a secrets scanner, and a role management/permission/authorization tool that searches for abnormalities. I think it's a no-brainer, given that it runs everything, and you don't need to pick and choose anything. Everything comes out-of-the-box and is very easy to use, plug-and-play, and you get an instant view of things on the dashboard.
What needs improvement?
The main drawback in an agentless approach is that if the solution detects a virus or malware in the environment, we need to manually remove it. But from my experience with other production environments, it's not straightforward to install agents in the hope they will automatically remediate viruses, even from production environments. If you make mistakes, you can cause huge damage to your environment and, when it comes to production, there is zero tolerance for errors. And realistically, you can't use the most important feature of an agent, which is the remediation, because remediating on production is not something that is easy to do.
Orca's agentless approach makes more sense. Even if you have an agent, it takes resources. In addition, you need to deploy, maintain, and update an agent, which amounts to a lot of unnecessary work. And lastly, while it's true that an agent sees more when compared with an agentless solution, the gap is very small.
In the end, to make sure that we progress and that our security level is increasing, we need to take action. Orca is only a detection tool. It shows you the problems, but you need to make sure that the problems are fixed. It's a fair trade-off because production is a different environment. It's not like endpoint security where the cost of ruining an endpoint is worth the risk. You would rather kill an endpoint than risk being infected with malware. But this is not the same approach for data center or cloud security.
Ultimately, the ability to auto-remediate is something that I would like to see.
For how long have I used the solution?
I've been using Orca Security for two years or so.
What do I think about the stability of the solution?
It's very available. We have never faced issues with the platform not functioning or not responding. It's a very stable tool that works and runs as expected.
What do I think about the scalability of the solution?
We haven't noticed any scalability issues because we haven't had any performance issues with the tool. It's always up and running and we consume it as a service.
We have more than 10 Amazon accounts with tens of thousands of assets, including containers, which are a huge piece of the resource pool.
How are customer service and support?
The team is fully supportive and we get everything we need. They're very responsive to our needs and feature requests. We benefit very much from the team and from the tool. They're doing a great job.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
At first, we used an open-source solution and we did periodic scans on the cloud environment, but we were quite blind. Later, when I met the Orca team, they were in a very early stage and I decided to onboard them. The fact that we were blind was the main motivation for installing Orca. Now, the scanning happens constantly.
We now see everything, the whole cloud environment, including a small GCP implementation that we have. We have better coverage than our DevOps because DevOps doesn't have access to some of our subsidiaries, for example. We deployed Orca very quickly after buying some new companies and it gave us an edge over the DevOps team, because we saw way more compared to what they see.
How was the initial setup?
It was super easy to connect the solution to all accounts, which is something that is not always so easy when you're taking it from a DevOps perspective. You do this from the dashboard. The fact that it is very easy to deploy is something that makes it stand out. Getting the coverage is very easy and it's super lightweight.
Deploying Orca for a single account takes a matter of minutes, if you have the right permissions or are an admin on the AWS environment. You just go to the console, copy-paste the ARN from AWS and put it in the Orca environment, and run a scan. The solution then does everything else in the background and starts the scanning process. It then takes a few more minutes, depending on the size of the environment. If it's a very large environment, it can take up to half an hour or so to show all the different assets. But from then on, that's it. Most of the work is done in the background.
What's my experience with pricing, setup cost, and licensing?
The licensing is per-VM, but it really depends on the type of the environment. They offer large discounts if they see a customer as a potential strategic partner. Orca is very competitive when compared to the alternatives and is not the most expensive in the market, that's for sure.
Which other solutions did I evaluate?
At the time we looked at Orca, there weren't any competitors. I did meet with Palo Alto Prisma and Dome9, which were the main two alternatives to Orca then.
Now, there are other players. The main competitor is Wiz, which offers a very good suite. Lightspin offers the same type of solution, as does Aqua. You might include Ermetic if you count permissions/roles/IAM monitoring. Datadog also offers an agent-based system.
The main difference among these solutions is that there are two types of CSPMs. The first is agentless, such as Orca, Wiz, and Lightspin. The other vendors are agent-based, including Prisma Cloud, Dome9, Datadog, and, possibly, Aqua. There are, of course, vulnerability scanners, like Qualys or Tenable, that are not based on agents, but they're limited to vulnerability scanning and are not full competitors.
The main advantage of Orca is that it is agentless, but still has great visibility into the assets and the cloud environment.
The second differentiator is the ability of Orca to prioritize and show you what you need to act upon. It doesn't bombard you with a lot of alerts that are meaningless and just create a lot of noise.
Another advantage is that Orca is very easy to deploy and very lightweight, compared to competitors, especially Wiz.
Orca was the first. I remember, as a design partner, at first there was something of a learning curve, especially for scanning S3 buckets. That can require a lot of resources and may result in an increase in billing. That is something that takes time to do properly. Orca has the advantage of being the first, and they bring a lot of field expertise and experience to avoid pitfalls and problems for newcomers to this market.
It's also a huge advantage that Orca is a SaaS offering. I don't like on-prem solutions. They require a lot of overhead and resources and you need to manage them. We work mostly with SaaS vendors.
What other advice do I have?
Do a trial of Orca and check it against the current solution you have in place. You can assess how lightweight it is and the depth of insights that you get into the environment. Look at the new angles of visibility it will give you. It's very easy and you will see the differences instantly.
It's a great solution. It has solved so many problems for us. Before starting with Orca, I was blind. Think about someone who was blind and now they can see. It's a new world.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
CISO at a financial services firm with 51-200 employees
It gives us visibility across all the assets in our multi-cloud environment in a single dashboard
Pros and Cons
- "There are so many valuable features that I could list, but one that I appreciate is the PCI DSS compliance report."
- "It covers our entire multi-cloud environment in a single view and tells us everything we need to know about our vulnerability footprint."
- "We are PCI DSS compliant, so we need to scan our environment externally with tools vetted by the PCI DSS organization. Orca doesn't scan the environment externally. It only scans what's currently in the cloud."
How has it helped my organization?
Orca gives us visibility across all the assets in our multi-cloud environment in a single dashboard. That kind of visibility is rare for us and most organizations within the Fintech space. You could understand particular vulnerabilities in a pocket of your environment, but not to the extent that Orca provides today. To protect a business, you first want to look at your environment and inventory all your assets. All of these assets are still managed in a spreadsheet in many organizations today. Some of them are using tools that list all of the assets. We had an inventory, but the Orca tool could identify assets we thought were no longer operational.
It isn't easy to quantify right now, but I can say that Orca gives us greater visibility of assets that we thought were gone but were correctly configured. Using Orca, we were able to identify certain assets that were still lying around and using an older operating system. Some of these were actually unpatched even though we thought they were patched.
What is most valuable?
We like that Orca is continuously monitoring our environment. When you open the tool, you instantly get an overview of your current state of affairs. You see everything happening across your multi-cloud environment in one view. When you're working on GCP or Azure, and you also have some other elements within AWS, it isn't easy to have a tool that spans all these cloud environments. It's great to have a single dashboard that puts all your cloud environments at your fingertips.
The Orca tool spans all our environments and gives us a compliance report. It can tell us where there are vulnerabilities within our environment and provide us with access to the logs of specific assets.
What needs improvement?
With any security tool, there's always room for improvement. We were among the early adopters, and many of the major improvements that we were looking for have already been added. Right now, we're looking at what the other players in that space are offering and if it can be integrated into Orca. I had a discussion with Orca six months ago about implementing these features. But once you start customizing your tool for specific customers, it doesn't necessarily mean that it will match the needs of other customers, and you begin to branch out. In general, I think Orca's roadmap is pretty well aligned to what we need today.
For how long have I used the solution?
We are fortunate to have been using Orca since its inception. I think we were among Orca's first customers. We're always searching for new tools with intriguing capabilities that can help us better protect our organization. When I came across Orca, I felt it offered something others on the market didn't.
How are customer service and support?
I rate Orca support 9.5 out of 10. Whenever we've sent a support ticket, Orca responds in less than an hour to tell us that they've received the request and are looking into it. We get a reply a couple of hours later most of the time. Sometimes it needed more work, but I think it was pretty fast.
Support is one of the essential features you look for when purchasing a tool. Of course, you could buy a SaaS product, but if there is no support behind it, you'll have difficulty configuring it properly within your environment. Sometimes, you expect certain features to work correctly, but maybe you are configuring the solution wrong, so it's great to have support personnel available to respond to all your queries.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
When we started using the Orca tool, we already had some tools offering some of these features. However, we realized we didn't need to have all these agent-based tools installed across our environment to understand our risk footprint. We quickly understood that it would be easier to deploy across our entire multi-cloud environment if we went agentless with the Orca tool. It would offer us more capabilities than Qualys or even some of the AWS tooling available today, and we could consolidate everything under one tool.
AWS has some tools that give you visibility into your environment. They can tell you where your PII is or if your assets are correctly configured. However, every new feature that AWS releases is only available in the US first. Sometimes they're not available in Japan, Canada, and Europe until months or years later. We're still waiting for these features to be available here in Japan. For example, AWS Macie is still not available in Japan today, and it has been two years now. There are many capabilities like this that we want the cloud provider to release in other countries, but they're not available today.
What's more, if I run some AWS tooling, it will only scan my AWS environment but not my GCP or Azure environments. It's complicated to consolidate all of these reports in one place at the end of the month. Orca gives me a single view across all my environments.
How was the initial setup?
One of Orca's most significant advantages is that you can deploy it within your environment with a single click. There were no agents to install, so the deployment was quite easy. We simply entered the information about the cloud that we wanted to gain visibility into, and it was done. It can take days or weeks to deploy some other tools within an environment, especially if you're on-prem and sometimes on the cloud as well. We could deploy Orca in a matter of minutes. It was up and running within 15 minutes the first time we set it up.
What was our ROI?
When you're talking about return on investment, you have to consider the resources needed to implement, maintain, and support a tool. With Orca, we didn't need to deploy or upgrade anything, and we didn't need to understand anything about support because they already had great support. I think we're saving hundreds of thousands of dollars every year in staffing costs alone. The time-to-value was instant.
What's my experience with pricing, setup cost, and licensing?
When we purchased Orca, it came with everything we needed. We didn't need to buy any additional features, extensions, etc. You pay one price, and you have access to everything. I think their pricing model is aligned with market demand. Of course, Orca could probably better align their pricing model with the needs of smaller businesses as well as some larger-scale enterprises with millions of assets. But in all fairness, I think the Orca sales team has been accommodating and ensured that we're happy with the pricing.
Which other solutions did I evaluate?
When we purchased Orca, there was some overlap with tools like Qualys that scan your environment for vulnerabilities. But Qualys is not well-suited for specific microservices. It doesn't give you all the visibility that you need in a particular area of your environment.
We are PCI DSS compliant, so we need to scan our environment externally with tools vetted by the PCI DSS organization. Orca doesn't scan the environment externally. It only scans what's currently in the cloud. There is some overlap between Orca and other tools, but others can scan externally. I still don't think Orca is in the business of scanning assets externally because they only scan internally. That's why we purchased it.
What other advice do I have?
I would rate Orca 9.5 out of 10. It covers our entire multi-cloud environment in a single view and tells us everything we need to know about our vulnerability footprint. For example, it can tell us whether our S3 bucket is misconfigured. There are so many valuable features that I could list, but one that I appreciate is the PCI DSS compliance report. Someone asked me if I would recommend Orca the other day, and I told them not to take my word for it. They should just try it.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Co-founder at a tech services company with 1-10 employees
Provides good visibility, automated alerting for vulnerabilities, and responsive support
Pros and Cons
- "Orca's platform provides an agentless data collection facility that collects information directly from the cloud using APIs, with zero impact on performance."
- "For me, it's a no-brainer to have Orca running in your cloud."
- "I would like to see an option to do security checks on a code level. This is possible because they have access to all of the code running in the cloud provider, and combining their site-scanning solution with that would be a nice add-on."
What is our primary use case?
We are a solution provider and Orca Security is one of the products that we implement for our clients. Most of them are start-ups and scale-ups that are building their software on the cloud platform. If they don't have cloud services, they cannot use Orca, so that's the first requirement. They need to use a cloud platform like Amazon Web Services or Microsoft Azure or Google Cloud.
Then to use Orca, they need to make a connection with the cloud platform's API. This means that they don't need to install any software or hardware. At that point, the site-scanning technology in Orca Security will check for vulnerabilities in the environment, and then check whether there are any configuration issues.
Our clients can see the progress in compliance after they implement Orca. For example, there is a weekly report to show how things change. Most of the time, our clients start with perhaps 30% compliance. It gives you the option to select which standards you want to comply with, for example, the ISO standard or the GDPR standard. Orca Security also has its own standards for specific cloud platforms.
You can see that the security improves by changing the configuration and tightening your cloud set-up. Similarly, when you start reducing the vulnerabilities that you have, the number of alerts you are receiving will decrease compared to what it was in the beginning. It takes some time to achieve a healthy state of cloud security but once a baseline is achieved, you will immediately see the problem if there is a critical alert. When a new vulnerability appears, it can be solved as soon as possible.
Orca's platform provides an agentless data collection facility that collects information directly from the cloud using APIs, with zero impact on performance. This is something that is very important because now, there is a need to have full visibility of your cloud security every day. One cannot rely on only a penetration test once a year, because our customers are start-ups and scale-ups that are really innovating. They are deploying code almost every day. They make changes to the configuration of their clouds using automated tools like Terraform, and they really need to have a solution like Orca to have the guarantee and the confidence that there is nothing new and critical being configured or added to that environment. For me, it's a no-brainer to have Orca running in your cloud.
By using the agentless approach, our clients avoid the need to deploy and maintain multiple tools. Also, if you're using an agent then you need to have it installed. This means that you have something running in your production environment, so that can have an impact.
Secondly, if you forget to deploy the agent on the new machine, you will not know that machine is there. You will not have a complete picture, and that's an important thing to consider. With Orca, you will have a full inventory of all of your assets, your configuration, your network setup, even assets that are not internet-facing. The old-school agent approach will not work, because even if you have the agents installed, you will still need to have something in the cloud doing scans. You will also need something that will look at the configuration of your cloud platform, which is not possible if you are just installing an agent on a VM.
Prior to Orca, our clients had considerably less coverage for their environments. When we compared the results of Orca against a typical vulnerability scan using Tenable, for example, the classical solutions only found 20%. This is because Orca is scanning behind the security configuration of your cloud provider, which is possible with integration using the API.
What is most valuable?
The compliance dashboard is one of the features that our customers find very interesting. Instead of having to run checklists and provide access to auditors, you can just generate a report from Orca.
The automation and alerting capabilities are very good. When there is a new vulnerability or a new issue, you can get an automated alert in Microsoft Teams or in Slack.
The visibility that Orca gives into the environment is really in-depth because of their site-scanning technology. They provide full visibility into everything running in the cloud environment. They can look at virtual machines; they can look at serverless; they can look at the configuration of users and roles. They can also see, for example, that a specific administrative user has no multifactor authentication configured. It covers the full stack and not only one specific item.
The alerting capabilities are now being added, which is a very good evolution.
The integration with SIEM tools is now in place, which is a nice feature.
What needs improvement?
I would like to see an option to do security checks on a code level. This is possible because they have access to all of the code running in the cloud provider, and combining their site-scanning solution with that would be a nice add-on. This would guarantee our customers that whatever is running in their cloud production is secure on all layers.
It would be nice if this solution had the capability of fixing issues. As it is now, it only reports them. Having a button to patch a product, disable a service, or delete a VM would be nice. At this point, this is something they might not want to do because they are only doing audits rather than making changes. It is also something that would require having additional permissions, including write access using the API.
For how long have I used the solution?
I have been working with Orca Security for more than two years.
What do I think about the stability of the solution?
In the beginning, when we started to work with them more than two years ago, they were still just in the first phase of going live. At that point, we had some problems with the user interface and some bugs, but they have been developing very hard to solve those issues. For example, they migrated to a new version of the user interface, which is very good.
When there is a problem with stability, we can contact their support and they solve it immediately. These days, most issues have been solved and they're adding more functionality because they now have more developers working on it.
What do I think about the scalability of the solution?
In terms of scalability, we have customers that have a lot of assets, and some that only have a few. Of course, the more assets you have, the more vulnerabilities you have, and the more work that has to be done to solve those issues. That is something that takes time.
Our largest customer used to have more than 250 assets.
The customer is responsible for solving problems but because of Orca, we can track the progress and we can follow up on the vulnerability management and remediation.
How are customer service and support?
Technical support is very good. I would rate them a ten out of ten.
When you send an email, you get an answer immediately. They really try to determine what the problem is and identify the root cause. Either it's because it's something that we didn't know of or were unable to find in the documentation, or it's a bug or feature that is not known yet.
Which solution did I use previously and why did I switch?
We have seen customers moving from other solutions to Orca. When you are running your entire software solution in the cloud, and you make a lot of changes, have new deployments and new features, as well as configuration changes, your classical vulnerability scanners will miss things.
For example, a traditional scanner will miss scanning a specific IP address or domain. When you are working in the cloud, everything is more elastic. Another problem is that you have new IP addresses that are not being used but get allocated to another cloud customer. You can have a situation where you're scanning with those classical solutions, and it is actually somebody else's infrastructure. This is not the ideal situation.
These are some of the reasons that we have moved to Orca Security, replacing those classical vulnerability scanners.
Using Orca has helped consolidate vendors and services because it gives a better overall view. It's much easier to install and maintain than the typical vulnerability scanning approach. Our clients have replaced solutions such as Tenable, Qualys, and manual consultancy. In this last instance, if you don't have Orca or another product and you need to have a compliance check, then a security consultant will need to use a checklist and perform a manual inspection of all of the configurations.
Consolidating services has saved our clients both time and money. For instance, if you need to generate a compliance report every quarter, it will normally consume five to ten days. However, using Orca, it's checked every day and you can generate a report whenever you want.
Alternatively, you can use open-source tools but you don't always know what they are doing.
How was the initial setup?
The initial setup is very straightforward. Everything is clearly documented and there is a video. They just need to log in and provide the API keys, which is very easy.
We have customers that first start with a trial or proof-of-concept, and then they immediately see the added value of the solution.
With the right access to the cloud platform, the deployment can take about 15 minutes.
What about the implementation team?
Our customers are responsible for doing the setup because we don't have access to their cloud platform.
Orca is a SaaS product that is always up to date.
What's my experience with pricing, setup cost, and licensing?
The pricing depends on how many assets you have running in your cloud and how many environments you have. If you have a dev environment, test environment, and a production environment then it's really important that you have coverage for all of them. But, you can start gradually because you can analyze one environment at a time. For example, you can begin with the production environment and fix all of the vulnerabilities there first. Then, add the test or acceptance environments, and then add your dev environments.
You really need to learn how Orca helps to improve your attack surface, and you don't want to start with everything at once. Instead, you want to start small and progress gradually, otherwise it will be a lot of work.
Pricing also depends on how you use your cloud provider. If you are working very cloud-native then it is much cheaper than a situation where you have a lot of virtual machines configured and running.
Which other solutions did I evaluate?
We generally look at the most innovative solution and start using it. We do not do benchmark testing because we don't have time for it.
What other advice do I have?
We normally set up customers on a trial basis to show them what the product is capable of. When you run a trial for a specific customer environment, you immediately see the benefits and value. You see that it does what they say it will and there are no hidden features. You immediately see the results in the dashboard, and how it works.
My advice for anybody who is considering Orca Security is to start with a proof of concept, as it will only take five minutes to set it up. Let it run for a few days and then look at the results. It will show you how it benchmarks against your existing tools, including things that you didn't know of and you need to solve. After the evaluation, purchase it to make sure that it keeps monitoring your existing environments.
I would rate this solution a ten out of ten.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner
Buyer's Guide
Download our free Orca Security Report and get advice and tips from experienced pros
sharing their opinions.
Updated: April 2026