Orca Security Reviews

Orca gives us visibility across all the assets in our multi-cloud environment in a single dashboard. That kind of visibility is rare for us and most organizations within the Fintech space. You could understand particular vulnerabilities in a pocket of your environment, but not to the extent that Orca provides today. To protect a business, you first want to look at your environment and inventory all your assets. All of these assets are still managed in a spreadsheet in many organizations today. Some of them are using tools that list all of the assets. We had an inventory, but the Orca tool could identify assets we thought were no longer operational.

It isn't easy to quantify right now, but I can say that Orca gives us greater visibility of assets that we thought were gone but were correctly configured. Using Orca, we were able to identify certain assets that were still lying around and using an older operating system. Some of these were actually unpatched even though we thought they were patched.

We like that Orca is continuously monitoring our environment. When you open the tool, you instantly get an overview of your current state of affairs. You see everything happening across your multi-cloud environment in one view. When you're working on GCP or Azure, and you also have some other elements within AWS, it isn't easy to have a tool that spans all these cloud environments. It's great to have a single dashboard that puts all your cloud environments at your fingertips.

Orca tool spans all our environments and gives us a compliance report. It can tell us where there are vulnerabilities within our environment and provide us with access to the logs of specific assets.

With any security tool, there's always room for improvement. We were among the early adopters, and many of the major improvements that we were looking for have already been added. Right now, we're looking at what the other players in that space are offering and if it can be integrated into Orca. I had a discussion with Orca six months ago about implementing these features. But once you start customizing your tool for specific customers, it doesn't necessarily mean that it will match the needs of other customers, and you begin to branch out. In general, I think the Orca's roadmap is pretty well aligned to what we need today.

We are fortunate to have been using Orca since its inception. I think we were among Orca's first customers. We're always searching for new tools with intriguing capabilities that can help us better protect our organization. When I came across Orca, I felt it offered something others on the market didn't. 

I rate Orca support 9.5 out of 10. Whenever we've sent a support ticket, Orca responds in less than an hour to tell us that they've received the request and are looking into it. We get a reply a couple of hours later most of the time. Sometimes it needed more work, but I think it was pretty fast.

Support is one of the essential features you look for when purchasing a tool. Of course, you could buy a SaaS product, but if there is no support behind it, you'll have difficulty configuring it properly within your environment. Sometimes, you expect certain features to work correctly, but maybe you are configuring the solution wrong, so it's great to have support personnel available to respond to all your queries. 

Positive

When we started using the Orca tool, we already had some tools offering some of these features. However, we realized we didn't need to have all these agent-based tools installed across our environment to understand our risk footprint. We quickly understood that it would be easier to deploy across our entire multi-cloud environment if we went agentless with the Orca tool. It would offer us more capabilities than Qualys or even some of the AWS tooling available today, and we could consolidate everything under one tool.

AWS has some tools that give you visibility into your environment. They can tell you where your PII is or if your assets are correctly configured. However, every new feature that AWS releases is only available in the US first. Sometimes they're not available in Japan, Canada, and Europe until months or years later. We're still waiting for these features to be available here in Japan. For example, AWS Macie is still not available in Japan today, and it has been two years now. There are many capabilities like this that we want the cloud provider to release in other countries, but it's not available today.

What's more, if I run some AWS tooling, it will only scan my AWS environment but not my GCP or Azure environments. It's complicated to consolidate all of these reports in one place at the end of the month. Orca gives me a single view across all my environments.

One of Orca's most significant advantages is that you can deploy it within your environment with a single click. There were no agents to install, so the deployment was quite easy. We simply entered the information about the cloud that we wanted to gain visibility into, and it was done. It can take days or weeks to deploy some other tools within an environment, especially if you're on-prem and sometimes on the cloud as well. We could deploy Orca in a matter of minutes. It was up and running within 15 minutes the first time we set it up.  

When you're talking about return on investment, you have to consider the resources needed to implement, maintain, and support a tool. With Orca, we didn't need to deploy or upgrade anything, and we didn't need to understand anything about support because they already had great support. I think we're saving hundreds of thousands of dollars every year in staffing costs alone. The time-to-value was instant. 

When we purchased Orca, it came with everything we needed. We didn't need to buy any additional features, extensions, etc. You pay one price, and you have access to everything. I think their pricing model is aligned with market demand. Of course, Orca could probably better align their pricing model with the needs of smaller businesses as well as some larger-scale enterprises with millions of assets. But in all fairness, I think the Orca sales team has been accommodating and ensured that we're happy with the pricing.

When we purchased Orca, there was some overlap with tools like Qualys that scan your environment for vulnerabilities. But Qualys is not well-suited for specific microservices. It doesn't give you all the visibility that you need in a particular area of your environment. 

We are PCI DSS compliant, so we need to scan our environment externally with tools vetted by the PCI DSS organization. Orca doesn't scan the environment externally. It only scans what's currently in the cloud. There is some overlap between Orca and other tools, but others can scan externally. I still don't think Orca is in the business of scanning assets externally because they only scan internally. That's why we purchased it.

I would rate Orca 9.5 out of 10. It covers our entire multi-cloud environment in a single view and tells us everything we need to know about our vulnerability footprint. For example, it can tell us whether our S3 bucket is misconfigured. There are so many valuable features that I could list, but one that I appreciate is the PCI DSS compliance report. Someone asked me if I would recommend Orca the other day, and I told them not to take my word for it. They should just try it.

We use Orca Security in the cloud to protect all of our cloud-based AWS applications.

It secures all of our perimeter and AWS, as well as all of our databases, applications, and transport. For every facet of AWS, right down to operating systems, we use Orca to take a look at it.

Orca provides the capability for agentless data collection directly from your cloud configuration and from the workloads' runtime block storage, which is one of the massive advantages of the tool. The tool gives us the ability to monitor things as we spin them up and as we tear them down. I can't state emphatically enough how important the agentless tool is.

For example, when most people move their applications from on-premises to the Cloud, which is what we in IT call a forklift, they just copy it over or re-create it there. Very seldom do people actually re-engineer or re-architect their applications to take full advantage of the cloud.

With the cloud, you can create serverless applications and serverless databases, so that when you need something you can spin it up and use it. When you don't need it, you can tear it down or destroy it so that it's gone. This not only saves money and is very efficient but from a security perspective, it's critical because every time you have something running somewhere, it could be attacked. This is what is referred to as an attack surface.

By using serverless tools and agentless monitoring, you can tear it down when you're done and that reduces your attack surface dramatically. Without a tool like Orca, that's agentless, you would not be able to do that. You would have to install software on the application and keep it running in order to monitor it, which really defeats the whole purpose of the cloud.

In terms of performance, because it's agentless, it's not stealing cycles from your application. It's not what's called a heavy application.

The agentless and direct collection of data enables Orca to see assets within its environmental and business contexts and prioritize truly critical security issues. This is one of the huge advantages of Orca. It sees everything in the environment and through its AI, properly categorizes what the threats are and shows them to you in a much better way. It aggregates all of the alerts and determines what's really important, and then shows them to you. It greatly reduces the need for additional staff to pore through all of the alerts to try and determine what's real, what's critical, and what the real problems are. It does all of that work for you.

Prior to Orca, our cloud visibility was perhaps 20% of what it is now. This is the reason that we were delaying moving to the cloud. The additional coverage has allowed us to move critical applications to the web that we had been holding off on because of the lack of cloud visibility. We have now moved multiple critical applications and we're able to view them in a way that we would not have been able to without Orca.

An important thing to consider is that Orca is a one-size-fits-all solution, which is very rare in the security world where everything is piecemeal. Normally, to protect something, you need five or six different tools or products. In this case, one product gives you all of the visibility that you need for your landscape, into all of your cloud properties. It is really the best of all worlds.

It's critically important to keep things simple, and it helps that Orca has everything included out-of-the-box. You only need one tool and it's helpful because there are so many security solutions on the market that a lot of security people get confused and they end up with products that overlap each other. Part of the reason for this is that all of the security solutions are trying to expand into other areas, and become more useful on the whole.

When you end up with these overlaps in products, it confuses people including end-users and support staff. Oftentimes, you end up with redundancy or things that conflict because the software isn't designed to be compatible with all of the other tools that are out there in the market. You end up with a messy collage of tools trying to accomplish something and it doesn't work well. It ends up with gaps, overlaps, and it just creates problems for security.

With Orca, it's as if they took a whiteboard and set out to fix all of that, and do everything in one tool. What they built architecturally is a beautiful, simple, and easy-to-use product. 

We are frequently audited by our clients, which are Fortune companies in the finance, automotive, utility, and telecom industries. They audit us from a security perspective quite frequently. By using Orca, we can prove to them that we are secure in all of the core areas that they're looking at.

Like a lot of cloud SaaS tools, which is the new generation of technology, you expect things to be automatically updated for you. It's like using Chrome, where when you decide to take an update, you don't have to pay for it. You assume that the company behind the product is constantly updating it on your behalf. This is a model that is critically important from a security perspective.

Imagine buying an antivirus product and the company says that they're not giving you updates until you pay for them. A lot of companies do that but more of the newer companies will instead license you the product for a year or two at a time. During the license period, you get all of your version updates and everything you need. It's included and it's done automatically. That's the model that Orca chose and from a security perspective, it's the best model for a customer like me.

Orca provides X-ray vision into everything within the cloud properties, whereas normally, this would require multiple tools. As an analogy, for on-premises equipment, you would need different tools to be able to see the performance of a system, determine what versions of software applications are installed, and look at the security. You would need yet another one to give you a holistic view of all of the hardware inside of the system.

From this one platform, we can get visibility right down into the hardware through all of the applications, and through the operating system. One application provides an entire view of our security. Gartner coined the name Cloud-Native Application Protection Platform, in reference to this product, because Orca created did not exist previously. Orca literally invented a whole new way to view security in the cloud.

Because the interface is so simple, you don't need people that have tons of experience. You can take a lower-level person and give them basic instructions on what to watch for. If anything comes up with a high-level or medium-level alert, then they have to contact somebody else. It's literally that easy.

As with all software, the user interface can always be made simpler to use. It would be helpful for people with very little knowledge, like somebody sitting behind the SOC, to allow them to be able to drill down into things a little bit easier than it is currently.

I have been using Orca Security for approximately two and a half years.

We haven't had a single stability issue. From my perspective, it's awesome.

Scalability is built into the product. We've scaled this pretty tremendously up and down as we've needed to, based on serverless needs across VPCs, across servers, and across various instances. It scales perfectly across our environment.

It monitors all of our AWS instances. We give it everything. In fact, as we add more and more to the cloud, Orca is there already, ready to protect us, so we're scaling it. Every month we add more to it.

We have been in touch with technical support a few times. It's been very few and far between but it was to ask about the meaning of some of the error messages that we saw.

I would rate the technical support a nine out of ten. We don't use it very much and as such, I don't have enough touchpoints to be able to assess it. I'm leery about rating something the highest possible score without having enough visibility into it.

There was a situation where we provided feedback to the vendor and they incorporated it into the product very quickly. We were very surprised that they listened and acted upon it so quickly and I think that this is more important than support because no product is perfect. They were eager to improve their product because they strive to be better. I can't say enough good things about them.

There was nothing on the market, anything like their solution, prior to Orca coming along. It literally created a whole new category. It was the right tool at the right time and they had the vision to create it.

We were using a myriad of bolt-on tools at the time, to try to cobble things together, but we never really accomplished very much using them. That is why we went looking for the product that we did. Ultimately, we weren't moving anything to the cloud because we couldn't find the visibility that we wanted.

In order to move to the cloud, you need a tool like Orca to have visibility of all of your real estate, architecture, and applications that are out there. Without it, you literally have gaps you don't know about and you are running blind. It's like running with blinders on and you can only see where you're looking, versus being able to look 360 degrees around you. It gives you that level of visibility. It's truly X-ray visibility.

The initial setup was amazingly easy. You don't have to really do anything outside of creating an account with them. It was absolutely simplistic. It exceeded our expectations from an installation perspective. It couldn't be easier.

Because there are no agents, you have no deployment time. Another beauty of it is that you don't have to sit there and try to install agents on every device and every server and every application and every instance or every VPC. It's just automatically done.

Once you give them access and they scan your environment, it's done for you. You don't have to do anything at all. It learns about your environment. You don't have to install anything, so it saves your time because you really don't do anything at all. It's the way that all software should be. They should do all of their learning on their own without you having to install things the whole way.

We implemented it with our in-house team.

This product has saved us tremendous amounts of time and money.

I would just say that you're doing yourself, your business, and your customers a disservice if you're not using Orca, or a tool like it, that provides a deep X-ray-like view into your environment to properly secure it.

We would not be in the cloud or have as much in the cloud without this tool. It's really a precursor to moving anything major into the cloud. In that regard, it's our future. Cloud is our future and without Orca carrying that future, we can't do the things that we want to do. It's very difficult for me to put a return on investment on it because it's so intertwined with everything that we do. We wouldn't be able to do the things that we do without it.

Our search for this product began because we wanted to move to the cloud and we knew that we were vulnerable if we moved up there. We didn't have the visibility that we needed so I actually went looking for this solution. I looked throughout the industry. I talked to everybody I knew and there was nothing. Everybody was cobbling solutions together, trying to achieve some sort of visibility.

A lot of people didn't even know that they were vulnerable or that they had gaps. We did and we saw it. We figured it out and we went looking for a solution.

Coincidentally, I was speaking with somebody at a conference who had recently learned about Orca and they told me about the product. Within a couple of months, he put me in contact with their co-founder and we entered discussions from that point.

The analogy that I like to use when discussing Orca is similar to that of purchasing a used house. When you look at it from the street or after doing a walkthrough, you have no idea what is going on under the floors, or above the ceiling, or behind the walls. There can be all kinds of problems like faulty wiring or leaking plumbing, and you wouldn't know that they existed. This is where the beauty of Orca and the X-ray vision comes in.

You can see all of these things right down to the chip that's used in your cloud instance. It's literally an amazing perspective that to my knowledge, no other tool prior to Orca provided. In my analogy about the house, there is no tool that you can use to see behind everything before you buy a house. However, with Orca, you can see everything.

Everything is laid bare to you before you move your apps up there, or once you move them to the cloud and you begin to build out your real estate. Without a tool like Orca, you're flying blind like a pilot in an airplane without radar. You just can't do that.

When I first looked at Orca, I was somewhat skeptical about whether it could do everything that they claimed. In fact, I'm always skeptical to a degree. In this case, it's different. It literally blew me away based on what I could see. If I consider the analogy of the house, I expected to be able to see under the floor. What I didn't expect was to be able to see behind all of the walls and through the ceiling and through the roof and into the basement, and everywhere. I thought to myself that we couldn't live without this tool. That's how good it is.

If I could rate this product a 15 out of 10, I would. It has well exceeded my expectations and I remember that when I first looked at the Orca environment, I thought that it was amazing. I was able to click, drill down, do everything that I wanted to be able to do, and more.

I would rate this solution a ten out of ten.

I've been working on this cloud security platform for the past one and a half years. Essentially, we focus on checking different components of AWS and Azure. 

We check over containers, instances, and various other elements running in the cloud. Our work is specifically designed for the cloud environment. We identify and address internal vulnerabilities across applications and operating systems which we are using in the cloud. 

If there are any patch management requirements, we ensure they are done across different applications and even API interfaces. 

In summary, our goal is to maintain security settings across the cloud infrastructure, such as AWS and Azure, used by our company. We connect with the DevSecOps team to actively work on securing the cloud environment and remediate vulnerabilities. We make sure incidents are properly handled, and necessary updates are implemented without causing disruptions. To facilitate communication, we use SMS for incident closure. This has been our focus for the past year.

Previously, we had a hybrid model where we used both physical devices and VMs across the cloud to manage enterprise security solutions. With Orca Security, we have a specific solution that allows us to monitor internal vulnerabilities and the most exploitable ones across the cloud. This platform is dependable and includes a powerful AI engine that we are currently using. 

It helps us identify and address vulnerabilities early on, including CPU weaknesses and other variations. Additionally, it provides remediation guidance and facilitates patching and updates. Furthermore, it gathers threat intelligence, which is beneficial during incidents.

Recently, Orca Security has updated its interface, making it more user-friendly. I find it particularly useful as it allows me to easily navigate the dashboard and prioritize actions based on severity and criticality. 

This feature makes it easy for me to look at prototypes and determine the necessary steps to take, focusing on critical issues first. I love the interface dashboard.

I would say that there are some loading issues. Since this is a cloud-native platform, there may be a problem with connecting to the dashboard as soon as it's open. The interface can be a bit cranky and sometimes takes a lot of time to load. So, the way APIs are deployed for our dashboards or monitoring systems needs to be corrected and optimized.

In future releases, Orca Secure needs to have new integrations with different security solutions apart from the cloud. We have EDRs, XDRs, and MDRs. Orca Security should automate the process of connecting and integrating with these solutions. It can be an essential way of protecting the infrastructure in an effective manner.

I have been using Orca Security for the last two years. 

I would rate the stability of Orca Secure a nine out of ten. 

I would rate the scalability of Orca Secure a nine out of ten. 

We directly bought this product from Orca Security itself, so we did not use any third party to install or deploy it.

The price is a bit expensive for smaller organizations. It can be expensive for smaller organizations, but if you are managing your infrastructure in the cloud, it's definitely worth trying.

We have certain subscriptions and licenses for around a thousand instances deployed across the cloud. We purchased the subscriptions for the necessary devices we are running. It has cost us a lot.

I would definitely recommend using Orca Secure. It's a very good cloud security platform. Apart from what I've seen, it has a really extensive dashboard and analysis capabilities. It picturizes actual vulnerabilities and provides guidance for remediation. It's a valuable cloud security evaluation tool, and I would suggest it as the first thing to learn.

Overall, I would rate the solution a solid nine out of ten. 

We are using primarily Orca Security for our vulnerability assessment management. We are using it for our container it does free image scanning to find security loopholes that might be present in our overall infrastructure. Additionally, it provides the remediation steps and an overall overview of the security of our infrastructure.

This solution has helped out organizations by recognizing security threats and vulnerabilities in the early stages of software development. That is one of the benefits that we are receiving from the tool. We are dealing with security loopholes and deficiencies in the earlier stages of our development.

We have the time to review the whole process and Orca Security provides security solutions to our clients. The solution has been beneficial for us to detect security loopholes in our early stages.

The most valuable feature of Orca Security is the automated scanning tool, user-friendliness, and ease of use.

The solution could improve by making the dashboards more elaborative and more descriptive.

I have been using Orca Security for approximately two years.

The stability of Orca Security is good.

Orca Security is scalable. We have 25 users using the solution in my organization.

I have used the support a couple of times when we escalated some queries regarding the report formatting and the false positive.

Most of the time whenever we open a support ticket to their technical department the response time is quite high because we are dealing with frequent deployments. We expect them to respond within one or two days but they take quite a long time to respond back.

I rate the support from Orca Security a six out of seven.

Neutral

We used to use an open-source vulnerability management tool from OWASP regarding the guidelines that they had listed on their own site using management systems, such as REM, CS, and CVSs, which is a risk management framework. We were using those frameworks for our vulnerability assessment and management.

Orca Security is an enterprise solution, it scales well with your own infrastructure. We thought that the use cases covers and were aligned with our use cases, and this is why we switched.

The initial setup of Orca Security is straightforward. I do not know how long the deployment took, but it is quite intensive, responsive, and has low latency.

I rate the initial setup of Orca Security an eight out of ten.

The implementation of the solution was done in-house.

We have a total of 25 licenses for this solution. The solution is on a pay-and-you-use model.

The vendor handles the maintenance of the solution, such as patches, and different enhancements.

Every organization has its own needs and requirements, and configuring a tool with customization depends on the use case of the current organization. It is not a solution for all organizations. If you are dealing with small projects you don't need to switch to this enterprise solution. The usage of this solution depends on the organization's needs and requirements, another solution might be better.

I rate Orca Security an eight out of ten.

We are a solution provider and Orca Security is one of the products that we implement for our clients. Most of them are start-ups and scale-ups that are building their software on the cloud platform. If they don't have cloud services, they cannot use Orca, so that's the first requirement. They need to use a cloud platform like Amazon Web Services or Microsoft Azure or Google Cloud.

Then to use Orca, they need to make a connection with the cloud platform's API. This means that they don't need to install any software or hardware. At that point, the site-scanning technology in Orca Security will check for vulnerabilities in the environment, and then check whether there are any configuration issues.

Our clients can see the progress in compliance after they implement Orca. For example, there is a weekly report to show how things change. Most of the time, our clients start with perhaps 30% compliance. It gives you the option to select which standards you want to comply with, for example to the ISO standard, or the GDPR standard. Orca Security also has its own standards for specific cloud platforms.

You can see that the security improves by changing the configuration and tightening your cloud set-up. Similarly, when you start reducing the vulnerabilities that you have, the number of alerts you are receiving will decrease compared to what it was in the beginning. It takes some time to achieve a healthy state of cloud security but once a baseline is achieved, you will immediately see the problem if there is a critical alert. When a new vulnerability appears, it can be solved as soon as possible.

Orca's platform provides an agentless data collection facility that collects information directly from the cloud using APIs, with zero impact on performance. This is something that is very important because now, there is a need to have full visibility of your cloud security every day. One cannot rely on only a penetration test once a year, because our customers are start-ups and scale-ups that are really innovating. They are deploying code almost every day. They make changes to the configuration of their clouds using automated tools like Terraform, and they really need to have a solution like Orca to have the guarantee and the confidence that there is nothing new and critical being configured or added to that environment. For me, it's a no-brainer to have Orca running in your cloud.

By using the agentless approach, our clients avoid the need to deploy and maintain multiple tools. Also, if you're using an agent then you need to have it installed. This means that you have something running in your production environment, so that can have an impact.

Secondly, if you forget to deploy the agent on the new machine, you will not know that machine is there. You will not have a complete picture, and that's an important thing to consider. With Orca, you will have a full inventory of all of your assets, your configuration, your network setup, even assets that are not internet-facing. The old-school agent approach will not work, because even if you have the agents installed, you will still need to have something in the cloud doing scans. You will also need something that will look at the configuration of your cloud platform, which is not possible if you are just installing an agent on a VM.

Prior to Orca, our clients had considerably less coverage for their environments. When we compared the results of Orca against a typical vulnerability scan using Tenable, for example, the classical solutions only found 20%. This is because Orca is scanning behind the security configuration of your cloud provider, which is possible with integration using the API.

The compliance dashboard is one of the features that our customers find very interesting. Instead of having to run checklists and provide access to auditors, you can just generate a report from Orca.

The automation and alerting capabilities are very good. When there is a new vulnerability or a new issue, you can get an automated alert in Microsoft Teams or in Slack.

The visibility that Orca gives into the environment is really in-depth because of their site-scanning technology. They provide full visibility into everything running in the cloud environment. They can look at virtual machines; they can look at serverless; they can look at the configuration of users and roles. They can also see, for example, that a specific administrative user has no multifactor authentication configured. It covers the full stack and not only one specific item.

The alerting capabilities are now being added, which is a very good evolution.

The integration with SIEM tools is now in place, which is a nice feature.

I would like to see an option to do security checks on a code level. This is possible because they have access to all of the code running in the cloud provider, and combining their site-scanning solution with that would be a nice add-on. This would guarantee our customers that whatever is running in their cloud production is secure on all layers.

It would be nice if this solution had the capability of fixing issues. As it is now, it only reports them. Having a button to patch a product, disable a service, or delete a VM would be nice. At this point, this is something they might not want to do because they are only doing audits rather than making changes. It is also something that would require having additional permissions, including write access using the API.

I have been working with Orca Security for more than two years.

In the beginning, when we started to work with them more than two years ago, they were still just in the first phase of going live. At that point, we had some problems with the user interface and some bugs, but they have been developing very hard to solve those issues. For example, they migrated to a new version of the user interface, which is very good.

When there is a problem with stability, we can contact their support and they solve it immediately. These days, most issues have been solved and they're adding more functionality because they now have more developers working on it.

In terms of scalability, we have customers that have a lot of assets, and some that only have a few. Of course, the more assets you have, the more vulnerabilities you have, and the more work that has to be done to solve those issues. That is something that takes time.

Our largest customer used to have more than 250 assets.

The customer is responsible for solving problems but because of Orca, we can track the progress and we can follow up on the vulnerability management and remediation.

Technical support is very good. I would rate them a ten out of ten.

When you send an email, you get an answer immediately. They really try to determine what the problem is and identify the root cause. Either it's because it's something that we didn't know of or were unable to find in the documentation, or it's a bug or feature that is not known yet.

We have seen customers moving from other solutions to Orca. When you are running your entire software solution in the cloud, and you make a lot of changes, have new deployments and new features, as well as configuration changes, your classical vulnerability scanners will miss things. 

For example, a traditional scanner will miss scanning a specific IP address or domain. When you are working in the cloud, everything is more elastic. Another problem is that you have new IP addresses not being used, but get allocated to another cloud customer. You can have a situation where you're scanning with those classical solutions, and it is actually somebody else's infrastructure. This is not the ideal situation.

These are some of the reasons that we have moved to Orca Security, replacing those classical mobility scanners.

Using Orca has helped consolidate vendors and services because it gives a better overall view. It's much easier to install and maintain than the typical vulnerability scanning approach. Our clients have replaced solutions such as Tenable, Qualys, and manual consultancy. In this last instance, if you don't have Orca or another product and you need to have a compliance check, then a security consultant will need to use a checklist and perform a manual inspection of all of the configurations.

Consolidating services has saved our clients both time and money. For instance, if you need to generate a compliance report every quarter, it will normally consume five to ten days. However, using Orca, it's checked every day and you can generate a report whenever you want.

Alternatively, you can use open-source tools but you don't always know what they are doing. 

The initial setup is very straightforward. Everything is clearly documented and there is a video. They just need to log in and provide the API keys, which is very easy.

We have customers that first start with a trial or proof-of-concept, and then they immediately see the added value of the solution.

With the right access to the cloud platform, the deployment can take about 15 minutes.

Our customers are responsible for doing the setup because we don't have access to their cloud platform.

Orca is a SaaS product that is always up to date.

The pricing depends on how many assets you have running in your cloud and how many environments you have. If you have a dev environment, test environment, and a production environment then it's really important that you have coverage for all of them. But, you can start gradually because you can analyze one environment at a time. For example, you can begin with the production environment and fix all of the vulnerabilities there first. Then, add the test or acceptance environments, and then add your dev environments.

You really need to learn how Orca helps to improve your attack surface, and you don't want to start with everything at once. Instead, you want to start small and progress gradually, otherwise it will be a lot of work.

Pricing also depends on how you use your cloud provider. If you are working very cloud-native then it is much cheaper than a situation where you have a lot of virtual machines configured and running.

We generally look at the most innovative solution and start using it. We do not do benchmark testing because we don't have time for it.

We normally set up customers on a trial basis to show them what the product is capable of. When you run a trial for a specific customer environment, you immediately see the benefits and value. You see that it does what they say it will and there are no hidden features. You immediately see the results in the dashboard, and how it works.

My advice for anybody who is considering Orca Security is to start with a proof of concept, as it will only take five minutes to set it up. Let it run for a few days and then look at the results. It will show you how it benchmarks against your existing tools, including things that you didn't know of and you need to solve. After the evaluation, purchase it to make sure that it keeps monitoring your existing environments.

I would rate this solution a ten out of ten.

We manufacture cloud solutions and we employ Orca Security to monitor them.

When we implement Orca, we don't have to make changes to any other products. This is important because we can design the products to be best-in-class without worrying about incompatibilities from third-party vendors. Orca sits on the perimeter and is able to essentially do excellent security work without re-engineering our solutions.

The regulatory reporting has been very helpful for our own certifications from SOC and ISO.

The most valuable features are vulnerability management and attack detection.

The vulnerability management does not require network scanning or agent technology, so I don't need to modify any of my products in order to do vulnerability assessments.

The monitoring of logs and attack scenarios are basically hands-free. It's a non-intrusive approach.

In the future, I'd like to see Orca work better with third-party vendors. Specifically, being able to provide sanitized results from third parties.

I would like to see support for FedRAMP certification.

I have been using Orca Security for more than two years.

Stability-wise, we have never had any problems. It's solid.

We are a middle-size business and we've had no scalability issues.

We have more than 4,000 cloud customers. The environments are across AWS and Azure, both public and private cloud. We manage this with three admins, a director, an engineer, and an analyst.

When there have been issues, the team is incredibly responsive to resolving them. One of the major benefits, since it's fully cloud-based, is that a single fix affects everything. You're not re-rolling agents or collectors or data aggregation tools. It's fixed once and it works everywhere. So, even from a support standpoint, it's a major benefit.

I would rate their support a nine out of ten. Nobody gets a ten.

We were fully deployed on Rapid7 and had 100% coverage. It was the primary tool that was replaced by Orca.

Some of the advantages to using Orca are its rapid time to deployment, extensive compatibility, and honoring security best practices like using the least privilege for the implementation.

Transitioning from Rapid7 to Orca has saved us time. I estimate that we save at least one person-year per year. The costs of the two products are similar.

Another important point is that we have more accurate results with fewer false positives.

The entire deployment was completed in two months. Actually turning on the product was weeks at most, but going through change control and testing for all of our production environments was two months, including writing standard operating procedures, all of our escalation paths, et cetera.

When I say deployment, I'm not just talking about installing the software and turning it on. I'm referring to making it fully business-integrated.

The cost of Orca is similar to that of Rapid7.

Overall, the pricing is reasonable and the discounts have been acceptable.

We've had no issues with the licensing model, including when we've needed to use burst licensing. It's been good.

In terms of visibility into our environment, we compared similar technologies that use intrusive methods and we found that the results from Orca were superior. We evaluated Rapid7 for both vulnerability management and incident detection and response (IDR).

If you compare Orca to a competitor like Lacework, Lacework requires agents but Orca does not. Orca's agentless approach is incredibly beneficial for maintenance upgrades, change control, certifications, et cetera. So basically, there is less code to deploy, less code to manage, and another vendor not to worry about. These are all positives.

When we were evaluating Orca, it was very important to us that they are a SaaS solution. It is updated regularly and new features become available at no extra cost. Also, managing the cloud from the cloud was critical for us.

Initially, I was quite skeptical that Orca Security could do all of the things that they claimed. In fact, I was skeptical to the point where I stalled the salesperson for six months before accepting a demo.

I've been in the vulnerability-management space for over 20 years, personally, and I didn't believe the claims. When they told me how they were doing it, I thought that there was no way it was accurate. Then, when they showed it to me, I realized that it was something that I'd never seen, heard, or even considered doing.

To any skeptics that are out there, this is a unique approach and a modern approach, and worth consideration. It basically breaks the mold of how vulnerability management has been done for the last 20 years.

Orca has a lot of features available out of the box, although that was not important for us when we initially chose it. We chose them for vulnerability management when that's all they had to replace agents. Originally, they were only for vulnerability management. All of the extra features that have come along since that time have just been very pleasant bonus add-ons. As they added features, we were able to do the rest.

The biggest lesson that I have learned from using this product is that there's a right way and a wrong way to modernize security best practices in the cloud. Orca is one of the vendors that is doing it the right way.

Overall, I'm thoroughly impressed with this product, which is the best way I can put it. It is a unicorn in the space, with a lot of people trying to play catch-up.

I would rate this solution a ten out of ten.

We're using Orca Security to identify threats and vulnerabilities, manage our cloud security posture, and alert us to CSPM and threat issues.

Orca has improved our security by helping us address high-risk threats first. I don't have to spend time determining the risk myself because Orca does that. Now we can resolve issues based on absolute risk, which is a huge relief. 

If we see an SSH key put up onto an externally facing machine by a developer, Orca will notify us, and we can deal with it immediately. Our other products don't tell us about that.

Orca's dashboard is excellent. My team needs to be able to focus on specific areas for improvement in our cloud environment. Most recently, we've started to get good use out of sonar, the search capabilities, and the alert creation. We plan on using that to automate notifications and remediations. So we have high hopes for that, but we haven't used much of that yet.

The visibility Orca provides is excellent. Orca allows agentless data collection directly from the cloud, so I assume there is no performance impact. It's important for a product not to get in the way of performance, but it's not my biggest concern. I mainly care about coverage. It was important for us to have a SaaS solution, but it wasn't critical. We prefer not to manage a service ourselves, so it matters.

Orca could give me more alerts. It could give me a dashboard with all the specific types of alerts I want to see for the day. It should just be one click. This is one area where I feel Datadog is better. Datadog has something called Security Signals, where they give you a dashboard, and you can structure it by the day or specify a period. It just tells you the different security signals that have occurred with a very obvious risk designation by color. That makes it easier than Orca's current view. So I think Orca could improve its interface.

Another shortcoming of Orca is that it doesn't integrate with our particular non-standard ticketing system. So we have to finish developing an appropriate webhook for it. Other than that, it's integrated well with our identity provider and with our cloud environments.

I've been using Orca Security since 2019, but my company has been using it since 2020.

We've never had an issue at all with it for as long as I've been running Orca. So I'm confident that it's perfectly stable and can handle the load.

We have not seen any issues with scalability because our scale increases in a nonlinear way. Primarily, Orca is used only for security, so a handful of people—fewer than five—are using it. The roles are mainly cloud security engineers, and some DevOps people sometimes use it.

We use it to monitor all of our cloud environments. So our usage is extensive, and it will monitor all of our cloud environments as we increase our cloud size.

Orca's support is extremely responsive and competent.

I used Lacework previously, and Orca is much better. My biggest concern is coverage. With Orca, I feel confident that I have full coverage of all of my resources. When I had Lacework, I found out that wasn't the case. I'm wary of any agent-based service like Lacework because we consistently fail to cover resources when the agents aren't applied correctly. I compared Lacework to Orca by running them side by side for several months. Lacework failed to cover about 23 percent of our resources.

What's more, Lacework required way too much effort to dig through the hundreds — if not thousands — of false positives. In effect, we got zero value out of it. We could never resolve an issue, which means the issue just sat there forever because there were so many false positives. And the way Lacework presents information was very difficult to use. It was a useless product.

Setting up Orca is straightforward. It took almost no effort. It was just a matter of doing the read-only integration for various accounts. That took less than two hours of someone's time. We started seeing results immediately.

The fact that Orca is agentless is a significant reason it was easy to deploy. It didn't require me to test it in different environments by DevOps. All of those things would've added up a couple of weeks to the deployment time. Instead, it only required the security team to do a pretty easy integration with our cloud environments. And because there's no impact, there is no heavy testing required, so we got it done in a couple of hours.

We've seen a return on investment insofar as that can be measured for an essential tool. We're not planning on giving Orca up, but it all depends on the price of competitors like Wiz. If their price drops and it's significantly cheaper than Orca, it's easy to switch. Also, the time to value for Orca was immediate — 24 hours — so it's much better than other solutions. With Lacework, it took at least a month before we saw any value, and then the value was extremely low.

While it's competitive with Palo Alto Prisma, I think Orca's list price is very high. I would advise Orca to lower it because, at that price, I might consider alternatives like Wiz, which also offers agentless services. 

We weren't using Datadog for security before Orca. We were using Orca. Datadog, of which we're a customer, started offering security in February. We used Datadog as a design partner, and I like aspects of it. But now that they're charging for it, we won't continue to use it. Datadog is overpriced for what it offers, and Orca gives us what we need. Orca tells us about vulnerabilities in a straightforward, manageable way. We haven't had many active threats, but Orca can also tell us about those. Datadog has something they call the workload security component, which is their agent-based component, and we found that to be very immature and inaccurate. We had to turn it off because it gave us so many false positives it was overwhelming us. So that's one area where Orca is superior to Datadog.

Still, Datadog is an excellent product. We didn't start with Datadog security, though. We were using Datadog for application performance monitoring. We added Datadog security when Datadog began to offer it to design partners like us. It has some qualities we like and others we don't. But in the end, we're not going to stay with Datadog. I've also evaluated Palo Alto Prisma multiple times, and I've used and evaluated Lacework. I've also used other services like Threat Stack and Tenable Nessus. Compared to Palo Alto Prisma, I like that I don't have to pick and choose with Orca. I expect all of my products to give me everything for the price and not have to select from a menu.

I rate Orca Security nine out of 10. When I first came across it a couple of years ago, I was skeptical about whether Orca could do everything they say it can do. At first, it was like magic. Now that I'm used to it, it's not magic anymore, but it does do a great job. I would advise anyone to try it. You'll immediately see the value.

With Orca, the main thing that we're leveraging is their Cloud Security Posture Management capability. 

It is a SaaS solution.

It provides the assurance that we have coverage across AWS specifically because we have so many accounts. As a large organization, we have prod environments for customers, and then we have our corporate environments and our playground environments where there are various levels of interactions, data flows, and business use cases. Because we have Orca, we have the competence and assurance that we know where our fleet and where our assets are.

The big thing for us was just making sure that the side channel scanning, which is their proprietary tech, does not really create any burden or load by adding an agent onto the box. It should just do another snapshot. It gives us a better performance overall because there is no implication down to the actual environment or AWS.

It provides agentless data directly from our cloud configuration and from the workload's runtime block storage. The agentless approach means that there is zero performance impact. That's kind of a big part. When you typically add an agent to any system, it's going to use some of the compute or the memory, but this has no performance implications. That part is exciting because when you think of the security realm, often, as a team out of the cost center and a business enabler, there are situations where if we do affect performance, it's not great for the business. So, we have the understanding and the Corporate EQ that we don't want to have any impact on performance. This enables us again with the confidence that we're getting the right information out without having that impact down to our engineers or our production support.

The agentless and direct collection of data enable Orca to see assets within our environmental and business contexts and prioritize truly critical security issues. It provides another notch up on confidence in terms of knowing what's in our production environment and having the ability to rapidly query in case there's a new CVE that's coming up. So if we know there is a drop in data, we have the ability to scan and see the assets and do the patch management as necessary or tear down boxes that don't need to be up there anymore. With the way it works, having visibility across the org is hands down the biggest benefit for us.

The agentless approach also means that we're able to avoid the need to deploy and maintain multiple tools.

With its Cloud Security Posture Management capability, we have the ability to read across all of our cloud-based environments, which includes AWS and Azure. We have visibility into those environments. Seeing all vulnerabilities and configurations is really powerful for us, but ultimately, the ability to use the API to query across the fleet to understand what is the current state, what is the patch level, which ones are potentially exposed for a new CVE that just came out is even more valuable. It allows us to gather really specific intelligence through simple queries.

Given the agentless deployment, its time-to-value is less than 24 hours. It took less than 24 hours, and we had intelligence and insight. Ultimately, it is getting access to the API, and then from there, it is about getting the side channel scanning going on. Once that is complete, the real-time proprietary nature of new assets pops up. We also have the visibility if an old asset has been sitting out there unused for a really long time.

They can expand a little bit in anti-malware detection. While we have pretty good confidence that it's going to detect some of the static malware, some of the detections are heuristics. There could be a growth in the library from where they're pulling their information, but we don't get a lot of those alerts based on the design of our products. In general, that might be an area that needs to be filled since they offer it as a service within it.

We've been using the Orca solution for about a year and a half. 

It had maybe two periods of downtime if my memory serves me correctly, but it was hard to even know that the service was down because we weren't actively querying during those windows. These downtimes were probably for less than a few hours. I read about them through an email from the founder. We wouldn't have even noticed them if they didn't update us on it.

We started with our production account, and then we kept scaling to our test environments, to our corporate environments, ultimately to every AWS account that we have out there. It is being used as extensively as we can in our environment. We have about 14 AWS accounts. If we need more environments, it will be included as part of the practice.

Luckily, we have a shared Slack channel. So, we have an extended Slack channel, and we're in there with the founders, as well as key engineers and members. So, it's real-time for us. If we have an issue, we go in and just message out, and then we can have that full loop within that Slack channel. We were customer number nine, and having this Slack channel was just something that made sense at the time.

I would rate them a 10 out of 10. We get everything addressed pretty quickly.

In terms of vulnerability assessment coverage, a lot of it was native tooling. We were using AWS GuardDuty across the environment as step one for anomaly detection, but for vulnerability management, there was very limited capacity.  We could leverage some of the existing tools that were out there to scan and perform analysis, but in reality, we're using a lot of what AWS offers. So, for the most part, it was native AWS tooling with GuardDuty and then just doing our best to query the fleet through AWS itself. Orca has really filled the gap for us.

Because of its agentless nature, there is zero deployment time. It is mostly just getting the connection and performing the analysis. The deployment strategy is mostly, "Choose the accounts that are there and then hookup Orca." It took less than 24 hours, and we had intelligence and insight. 

It is the cost of the visibility that you get. When you really sit down and think about what do you need to do to secure an environment with a low impact on the business, and you take a look out into the world, I think this tool is well justified around cost.

We were looking at a few other tools out there. Dome9 and Lacework were the big key ones that were out there. There were some of the old heavy hitters, but they really didn't add a ton of value to what we were looking for. Some of them were just AWS GuardDuty on steroids. 

For us, Orca just offered a better comprehensive solution. We had done enough demos and discussions, and we felt like, "Hey, it's worth the gamble on someone that's trying to solve something and maybe we can help drive the backlog or some of the features as well by being an early customer". That's a part of our strategy when it comes to choosing security solutions. It definitely fits our business needs.

When choosing to go with Orca, the fact that it is a SaaS solution that is updated daily, and that new features are available at no additional cost was useful for us. That's the way it should be. There shouldn't be paywalls and all these other things. You're paying for the proprietary technology of the company and how they kind of package that up. They've been very open in terms of what features are available when and how they work.

When we first looked at Orca, we weren't skeptical about whether it could do all the things that they said it can do. That's because the way it was presented was very logical in terms of how they instrumented the technological approach, and then the background of the founders made a lot of sense. So, either it was going to work, or it wasn't going to work, and if it didn't work, then we'd have an issue. When we did a PoC, it worked very well for us in a short window of time, and we had the confidence that this was going to be the right tool for us.

I would advise others to not just set it and forget it. This is an ongoing capability. Just like every vulnerability management process, it is an ongoing continuous cycle. So, I wouldn't leverage this for one-time use or quarterly use. This is real-time that you should be analyzing, and on top of that, as new vulnerabilities are set, use the search function.

Everything is included in Orca’s package, but Orca hasn't helped us to consolidate vendors or services. That's because we weren't replacing any existing ones. We didn't have six other things doing what they were doing. We were venturing out into a solution that has not ever been in place and figuring out exactly how to integrate it, how to leverage, and ultimately how to level up the organization.

I would rate this solution a 10 out of 10.