Orca Security Reviews

The first two things you need to do in security are to know what you have and keep it updated. If you can do that you're going to stop 90-plus percent of security attacks. That's our first use case. To know what we have and keep it updated. In general, it's really hard to do that in the cloud. It can take multiple systems and a lot of overhead to do it. That's one of the main things we use Orca for, so that we always know what we have and make sure it's updated.

On top of that, we use it to build things that have to do with our security posture. For example, are the ports that are supposed to be closed actually closed? For the data that's going through PII, is something open that shouldn't be? Are the permissions as they should be, per best practices? Is the compliance level correct for PCI and CIS, et cetera? There are many use cases around the posture of our environment, including the endpoints and the workloads. 

Overall, we use Orca for anything that has to do with making sure we check all the boxes and cover all our bases. It's a very core product for cloud security.

Orca is saving us at least one full-time role. As we scale, it will be more. When I started using Orca, we were a company of about 100 people. As we grow and get more complex, as our environment gets bigger, it saves us more time. It could be hours per account and hours per patching cycle. We're two years in with Orca and now we're somewhat spoiled because it's very seamless. But in the beginning it was very noticeable. There were all of those annoying tasks that I don't have to do anymore. I spent hours on Excel spreadsheets, frustrated by vulnerabilities that I didn't know what to do with. Now, I don't even have to look at spreadsheets. It saves our team hours and hours, especially in our field of Fintech, which is super-audited.

It also helps with hardening our posture by baselining everything in our workloads and servers against best practices. It gives you a path to improvement. Even if you don't have a glaring gap or an open port, you can always improve your security posture. By way of analogy, if you as a person don't stand up straight, you can work on standing up straight. But then you can also go to the gym and get stronger. There are levels to posture. You can stand straight but you can also become super-buff. The same thing is true with any other posture. Orca helps us take care of the gaps because we get notified very fast, but then we want to improve. Maybe we can take down some services that nobody is using and improve based on other best-practice baselines. Orca has done an amazing job of adding more and more.

Orca's platform provides agentless data collection directly from your cloud configuration, from the workloads, and from the servers running the workloads. The SideScanning ability can take a snapshot of an EC2 instance and they can do whatever they want with it because it's a snapshot. It's not being used by anyone, so nobody feels it. There is zero impact. Orca uses that to provide all this information and that's a great ability. They can do malware analysis and a lot of things that, in an agentless solution, it's hard to do. The lack of performance impact is important because, as a payments company, we can't try to pay Walmart and not be able to because the CISO decided to put some heavy agents in the backend. But another important aspect is that it keeps the maintenance and the overhead down. That is what excites me, aside from the performance. You can circumvent performance issues, but you need people to work on overhead-related tasks.

The agentless approach decreases the number of tools we have to use. Orca covers off a few posture-related tools. For example, Palo Alto has a few modules, a few tools, that you have to run together to give you similar value.

Orca's SideScanning is the biggest feature. It's the "wow" factor. There are a few other solutions with that kind of functionality, but before Orca, nobody would do it. They would say, "You just have to put an agent somewhere, and we have to read your logs," and there was a lot of overhead and you had to make sure you kept these requirements happening. You always had to configure things to work. With Orca's SideScanning, they just need permissions for your account and that makes it so simple. It just works. And you get the insights that are super important.

Another valuable feature with Orca, something that's not talked about enough, is its ability to rank your gaps and your tasks. The one resource that's very finite is your engineers' time. Every CISO has the same problem: they have engineers, but not enough of them, and their engineers don't have enough time. Because of these limitations, the engineers need to focus on the most important tasks, and they need help to do that. The fact that Orca can take something that looks like a 10 out of 10, a critical CVE, and say, "Wait a second. It's not that important, because of A, B, C, D, E, and F reasons. You can delay it for your next patching cycle. But this issue, the one that's only a CVE 7, is explosive on the internet." That kind of ranking is super important because of the limited resources and time. I need to make sure that everybody is focused on the most important things. The ability to see that, seamlessly, along with the ranking, makes Orca a very good product.

One thing that has been really surprising to me is its ability to give us container posture. Everybody is talking about containers and there are so many container-specific companies. At one point we were wondering if we needed a container solution. We talked to Orca and started testing what's out there, and we were surprised to see that Orca is very strong in containers as well, including Kubernetes and Docker. The way they see it, it all has to do with your posture and how secure you are. That's their goal: that you will have the most secure cloud possible, based on best practices.

The fact that it's a cloud solution is also important. In the same way that I'm happy that Amazon maintains data centers and I don't have to, and that a lot of my solutions are maintained by their engineers, Orca allows my team to focus on more relevant tasks. I don't want anything on-prem. I don't want my team to deal with anything if they don't have to. Anything that would require in-house maintenance for us, is a no-go. The only admin with Orca is when you have a new account or there is a change to your account. You have to configure the Orca with it, but you can run an automation that helps you out with it.

Orca is also very good at keeping our data safe and masking it and not picking anything they don't need to pick. In that sense, it's also good.

I would be happy if they offered more automatic remediation options. They're working on that, but the more the better. For example, if they want you to harden a server, they would offer a hardening script that would be more aware of what's going on.

I would also be happy if they added more and more coverage. The cloud itself is changing, with Amazon and Azure adding more and more capabilities. Orca is working really hard to meet the challenge, but the more they add, the better it is for me.

Another improvement would be that, in addition to focusing on endpoint compliance, they would focus on general compliance.

These are things that they're working on and their roadmap is very good. If they keep to the roadmap, I'm pretty sure they'll get to the places they want to get to. For instance, I really want them to add IAM permissions and they added that.

They know where they're going—they understand how to secure a cloud—and they keep growing in that direction.

One final suggestion I would add is for Orca to improve user education. A lot of times they have features and capabilities but they don't tell us about them. They don't even have a "What's New" newsletter. I have said to them, "Tell us what's going on. You've got a lot of cool stuff here. Why do I have to ask you? Let me know." If you have Google products, Google sends out a newsletter every week with new features. It's important to know that kind of information. It's also a marketing tool to let users know that they're constantly improving. Orca is constantly improving, but they don't always communicate that.

I have been using Orca Security for about two years.

It's very stable. As long as you get your daily results and they find the issues, it's not something where stability is super crucial. But it doesn't crash. The product works. There's a lot of information but it's not slow. I'm not saying there have never been any problems, but we have not been aware of any.

Orca is very scalable. So far it has grown with us easily. We have added a lot more accounts and a lot more endpoints. The bill has gone up accordingly, but it's there with us.

We're using it as extensively as possible as a security tool, to the point that it's being used every day by the cloud security team. It's one of that team's core products and they love it.

They give very good support to us. We don't need a lot of support, but sometimes we get audited and the auditors want a certain kind of format to the report. They are really helpful on that. If we're not sure about something or we have a question about containers, they're always very helpful. When there has been a new vulnerability and we wanted to make sure we're covered, they have been there for us every time.

Positive

We had vulnerability system coverage but we had to work hard on it. What we didn't have was a good ranking of priorities. Prior to Orca, we were using traditional tools. Those tools do the job; they can scan your environment. But what they don't really give you is the ability to rank issues. Those solutions would scan and say, "We found 100 servers vulnerable to this CVE, so you should patch it." But what they don't tell you is that there's no patch, or that your servers are down so you don't even have to. The information from those solutions was missing context and the ranking. You can get visibility with agents and there are a lot of ways to do that. But the ranking and the context across the entire environment, that is what is unique about Orca.

With Orca, we have been able to replace all of the tools I just mentioned.

Consolidating those tools has saved us a lot of time, but not that much money. Generally, vulnerability scanning tools are pretty cheap. In the cloud, they are more expensive and their abilities are greater, but they're cheaper than Orca. So we didn't save a lot of money, but we saved a lot of time. We are able to do more with less, which is definitely worth money.

Another huge advantage that comes from being agentless and having the SideScanning is that it all works out-of-the-box. You don't have to implement anything. It takes five minutes to turn on. It scans and you get the data. That's one of the things we love about it because it's reducing overhead and saving time.

Our business acquires companies and that means we add more accounts, so we have to set up Orca for those accounts. It's a matter of five minutes to give the proper permissions and the proper key and you're in. It's very straightforward.

We have definitely seen ROI from Orca by reducing overhead and saving time. It's a huge ROI. We see it daily.

Cloud security engineers are hard to hire because there aren't a lot of experienced people out there. So you bring in juniors and all they have to do is "follow the yellow brick road." They just have to go on Orca, see what it says, and do it. When it gives remediation suggestions, they just need to go ahead and do that. Theoretically, you only need to be a little bit of an IT specialist to use it. You could be a system administrator who has never seen Amazon before, but you'll have 85 to 90 percent of the knowledge you'll need about what to do just by going to Orca. That's huge. You don't have to teach them how to SSH to the server to check this or to check that. It's all there. The simplicity is a giant ROI.

Cloud security engineers are expensive. If I save having to hire one cloud security engineer positionץ The vendors know it and that's why these tools aren't cheap. They price it expensively, because they know they give a lot of ROI. 

With Orca, the time to value is immediate. The second it scans, that's it. It's a whole new ball game, thanks to it being agentless and providing the rankings.

With Orca, there are no costs in addition to their standard licensing fees. There are no networking costs or extra bills for compute.

We put Orca up against all the incumbent vendors. Orca beat them easily. When it was up for renewal, we were looking at Orca versus the other leaders offering the same abilities. Again, Orca proved to be the most mature and the strongest product.

The agentless aspect of Orca is a big pro. And I really like the simplicity of Orca. It has a lot of options, but the way you experience it as an engineer, it's very easy to understand. You know what you have to do and what's important. The other systems proved to be complex. 

When I was looking for a posture management solution and they said, "This is agentless, it's amazing." My thoughts were, "Oh yeah? That's baloney. How can it even be agentless?" I was shocked. I said to my engineers, "If this actually works in the demo, it's going to be a game-changer for cloud security," and it was.

I also feel Orca's ranking system is much more mature. All the others show you a lot of things that they mark as important, but they aren't important. That means there could be 200 things to take care of but if you drill down, they're sort of like false positives, meaning "it's important, but it can wait." Orca would rank those kinds of issues a "medium." It would let you feel that they can wait a little bit, as opposed to things that are "high" and "critical."

The biggest lesson I've learned from using Orca is that agents suck. Until you see the difference, you're just not aware of how much time you spend on that stuff. Another lesson is how important the ranking is that Orca provides. They should blow that up and emphasize it a lot more. They always talk about the agentless side, but the fact that they can prioritize tasks is equally important. A lot of tools do that, but Orca is exceptionally good at it.

If somebody were looking into Orca, I would ask how his stack is built, how much on-prem he has versus cloud, and which cloud? I would recommend it wholeheartedly if he has a cloud presence. It's the go-to posture management tool. Start with Orca and test them. It's always good to have a PoC, understand the pros and cons, and make an educated buy. But I would definitely recommend Orca to anybody who has substantial data or substantial risk in the cloud.

We really enjoy using Orca. It's a very well-designed, well-executed product. I'm really super-impressed. This is a game-changer. This approach has never been done; at least, I haven't seen anything like it. Kudos to them.

Orca is the inceptive tool that I deploy when I join a company. It will be one of the first things I do after an awareness training program. The reason is that Orca serves the function of giving me insights into the resting risk state, abstractly, because it combines so many signals without actually having to govern the assets. As soon as I have access to the AWS or GCP or Azure accounts, I just drop Orca in and it shows me the abstract risk of everything in that cloud.

Using Orca, I build up a security program. Orca not only attests to and assesses these risks and helps me identify risks that need to be mitigated, but it also helps me build an entire security program because it does it —and this is key—in a deterministic fashion, where it's wholly governing the ecosystem.

Orca’s platform provides agentless data directly from your cloud configuration with zero performance impact. The way they do it is brilliant: They pull snapshots. So it just cannot affect the performance of the machine. From my understanding, the snapshot process in the major clouds is completely benign and does not affect the performance. First of all, that means it can analyze machines that I don't have access to. That in itself is the most game-changing thing I have seen, not just in security but in technology, in my 25-year career. Agents are a huge problem in security. They're necessary for certain things, but even if an agent doesn't cause performance issues it's not about having performance issues. It's about the perception, the concern, the fear, the accountability, and the confidence in the tool because of the small risk of those performance issues being caused.

Orca does more than allow you to see assets within their environmental and business contexts to prioritize critical security issues. The trend in security over the last two or three years ago has been to raise risks that are real. But Orca is doing more than that. Orca combines all these signals to aggregate risk. There is a discipline that they exercise in the way they process all the signals together. Whenever there is an Orca alert that there is an imminent compromise or an actual compromise, which are the two highest severities out of four, they're actionable, every time. We might have encountered a couple that weren't actionable, out of a couple of hundred. 

The visibility Orca provides into my environment is at the highest level. I was super skeptical about Orca when I interviewed the Orca team. When they told me that you can just drop their software in and you don't need to log in to the machines, nor do they need to be powered on, I said, "How the heck are you doing that?" When they told me how it worked I said, "Woah, that's pretty simple. Why didn't I think of that?" When I dropped them into the environment, from the very get-go I had more insight into the risks in my environment than I had had during the entire two and a half years I had been here.

I'm thinking about room for improvement that is really grand, in terms of ways that may not be possible. I like to partner with innovators and that's why I partnered with Orca. I don't think what I have in mind is possible—but I didn't think Orca was possible either when I met them. 

If they could disrupt the host intrusion detection space (HIDS) that would be huge. If I could have them assess risk in real-time—which does not seem possible from the block storage analysis perspective—and they could figure that out without an agent, there would be no need for other security tools except for CI/CD pipeline analysis. 

I'm thinking about "omniscient" and "omnipresent." That's what Orca does from a resting state risk standpoint. It's the "all-seeing eye." If it could do that from an active state standpoint in real-time, or even to the second, minute, or hour, that would be big stuff. If they could crack that I don't know what would stop them from dominating the market completely.

On a more practical level, Orca doesn't work in data centers right now. If a company has a large data center footprint, Orca is not necessarily the best solution for that business. If 20 percent of my risk lies in the cloud, and 80 percent is in data centers, I should probably go with an agent-based solution, assuming I can deploy it.

We became an Orca customer in February of 2020. We use their SaaS solution which is deployed on the three major public clouds.

There were a couple of times when Orca was down when I was trying to access it. I work strange hours because all of my team is in the UK right now. It was 2 a.m. on a Saturday and I was trying to log in but it wasn't working. That was pretty bad. What if I was trying to attend to an emergency security issue?

But relative to my other security tools, Orca is definitely the most stable that I've seen.

It is deployed everywhere in our company. It is a requirement that when we build a cloud or we have a new business joining the company, that it be deployed at inception. It is one of the very first things that I require before any integration is done.

We have used their technical support, but we haven't needed it very much.

When Orca was a very early stage startup and they were working out the kinks, one of our clouds, GCP, was not as easy to deploy in because we have 400 workloads running there. We didn't ask for any support but their CEO stepped up, worked all night, and did it himself.

Orca is focusing on what is right when it comes to customer success. Every business has a limited amount of resources and has to take a certain amount of risk. They didn't build a sales team until pretty late in the game. That speaks to why they're respected so much in the industry. They have a relatively new customer success team, maybe because they haven't had a need for it. When I encounter a problem I will want to put it to the test. I think they'll do pretty well. They have scaled up a bit.

Positive

We did not have a previous solution. Before I had Orca, my option for governing at the level that Orca governs was to use network TAP devices from companies like ExtraHop Networks, but they're not capable of gleaning the information that Orca can.

Deploying it only takes a couple of minutes and it hasn't required any maintenance at all. It's so easy to deploy that you can switch away from it pretty easily too. I just don't know anyone who wants to. The stickiness is only in their excellence. For the consumer that's a win-win.

For our deployment they brought in a junior CSM who was brilliant, a wonderful CSM. I was pressuring him and making him very nervous, but he explained the install process: "You copy this URL and paste it here." My DevOps engineer who was onsite messaged me and said, "It's actually really easy. We just put the card in and it was installed two minutes later."

It wasn't very important to me that Orca’s solution includes everything “out-of-the-box." But it was certainly a positive thing to have. My view on security is that I'll deploy something that nobody else has emulated. I'll have a very big, cumbersome stack to manage because I want to support excellence in each space. I believe in the Unix philosophy: Do one thing and do it well. But Orca is doing a lot of things well. I can't deny that. And that means I haven't secured some of these other solutions because it does things well. It's among the best cloud configuration auditing software there is. It has replaced a couple of things that were in my environment and avoided the need for an additional couple of things that would be in my environment. One of them is a portion of host intrusion detection, and that has enabled me to move to a solution that is half the cost. That particular move has saved me about $450,000. That's not my total spend in Orca but it's close to it.

Also, it is updated daily and new features are available at no additional cost. It's a "it just works" thing. And it actually mitigates the need for human expenses of around $80,000 a year in payroll. When you factor in the 1.4 times overhead for human resources, that's going to be $112,000 a year and the perceived liability of the company is probably three times that. We're looking at a replacement of $336,000 a year.

In addition, the time to value is better than any other security product in the market. Even if I wanted somebody else to do all the work, I would have to give them more information than I need to give Orca. It would take a couple of hours to filter the data for a mid-sized company, whereas Orca literally installed in two minutes.

I called my security team and we were talking about all the various players in the security space, and all the technical aspects. They were saying, "Orca does this, Orca does that," going on about it. I don't really see Orca as being the next Palo Alto displacer, but that's probably because I'm super skeptical. But that's how amazing the governance is. My security said, "Yeah, Orca is the tool that we use, even though you made us PoC all these other solutions."

I spoke with someone who knows the space well and I said, "Okay, Steve, please help me here. You guys know this field. Is there anything else that competes with Orca in this space?" I believe this was before Wiz was on peoples' radars. Steve said, "No, I haven't heard of anything else." I was worried that I would spend all this money on a tool that did something that doesn't exist but it turned out it actually existed.

Every CSO says they don't want false positives, but what CSOs never say is, "I don't want to have false negatives." That bothers me. They're happy because a solution doesn't say, "You need to fix this thing" when it doesn't need to be fixed. But they're ignoring the fact that solutions are not identifying things that do need to be fixed. That's where Orca comes in perfectly. By running it in tandem with my HIDS or some other system, it's validating or invalidating the attestation of security risks from the other software. I had one solution that never gave me any false positives but it did give me a lot of false negatives. After Orca exposed that, I was no longer a customer of that product.

Because I had Orca first and it attested to the risk, it demonstrated the need to employ their competitor. If I had deployed their competitor first, it would not have attested to that risk and the need to deploy Orca. Orca justifies the spend, a multi-hundred-thousand-dollar spend by a mid-sized company on one of their known competitors. That's cool because that means it's not really a competitor.

Whenever people ask me what Orca does, and I say vulnerability assessment, I always say, "But that is really downplaying it." We use Nexus to do vulnerability scanning, which costs almost nothing. But I have almost never acted on a single alert from Nexus because there are so many false positives and the risk categorization is not very good.

I was skeptical about whether it could do all the things they say it can do, and now that I have used it I would say to that skeptic: "Continue to be a skeptic." But the skepticism was blown away by Orca very quickly, at every single turn, on every single angle, and at every single opportunity. Orca destroyed my skepticism. But you have to be skeptical. Still, I would also say to that skeptic: "Just give it a shot. It takes two minutes to deploy." If I had just done that, I would have saved myself time.

Orca is much better than their competitor. They're the best in their space. They're the best in the security tool industry. And they're probably the best in terms of companies that I've worked with in general. Are they the best in mitigating actual risk versus the investment? I will always have to say that security awareness training, not as a service but as an abstract concept, is the best thing that we can do in security. Orca might help with awareness training by being so simple. I can use Orca to make technical leaders aware of security issues.

But technical leaders aren't the ones who need to be made aware of security issues. It's the general staff and public. That means customers and employees. Orca falls right in behind security awareness training. What CSOs out there need to do to make the greatest impact on their company is to get up on stage and tell people why security matters. But in all other areas, Orca is definitely the best. The first thing I'm going to spend my money on is Orca. I can do awareness training for free just by being vocal onstage. Orca requires no time. It doesn't compete with awareness training because I can do that while Orca is spending its time attesting to the pragmatic technical risks in my cloud environment.

Our use case is very simple. Orca Security is used to monitor and have control over your client's cloud environment, specifically the CP-CFPM.

One of the most valuable aspects is the agentless feature. Orca Security doesn't use agents at all.

Maybe the presentation of the data in the dashboard. It's a little bit chaotic. There is room for improvement.

I have been using Orca Security for one and a half years. 

I would rate the stability a ten out of ten. I never faced any problem with stability. Our client base is more SMB.  

I would rate the scalability a ten out of ten. It can easily scale and control a huge environment comprising thousands of VMs. 

The support is very good.

Positive

The initial setup is very easy. We have deployed the solution on the public cloud. However, there is a roadmap, a feature to deploy also in private environments and on-prem environments.

The deployment process takes at least an hour. To onboard, the process is very smooth. You have to collect some information from your cloud environment, specifically as an admin user of your cloud subscription. Then, you have to follow a three-step process inside the Orca platform because Orca will automatically create all the policies and data needed to onboard your subscription.

Orca Security is cheaper compared to other solutions in the same space. 

I would recommend trying this solution once, at least for a month. It is a very good product. 

Overall, I would rate the solution a ten out of ten.

Some of the customers use it to actually look at their assets in the cloud.

It's for protection. It's an agentless tool. We don't need to install anything at a customer's premises. We can just scan the entire assets in the cloud.

It helps increase cloud visibility on different platforms. And also in terms of the security vulnerability in the cloud space. They recommend specific steps as well. 

Actually, it's not all clouds that they are currently onboarded with. For instance, they are not yet with public cloud and many other private clouds.  

Therefore, there is room for improvement, and more private clouds should be added. For the private cloud, we need to install agents into the environment.

I have been using it for two years. 

So far, we haven't faced any complaints at all after two years. 

So, it has been a stable solution.

Many enterprises that have lesser workloads in the cloud, so there's no point in them monitoring themselves.  So those who have heavy workloads on the cloud need this tool too.

So it can handle large loads of information.

There is another company who copies them, like people from Wiz.

Theinterface is different, and we don't have a lot of updated stuff. They are copying Orca Security, and they are not the patent holder. The patent holder is Orca.

This product is very fast to onboard; it takes just five minutes. 

You just need to input the admin credentials for the cloud provider, meaning AWS, Azure, and Google. You can just pull it on, and then Orca covers the entire report already.

There's no need for integration because everything is on the cloud. That's why it's agentless.

Just a few steps for onboarding. It is really quick to deploy.

Orca Security charges are based on cloud workloads. So, it's based on workloads.  

If we look at one feature, it might be expensive. But if we're considering all the features they offer in monitoring and scanning, there aren't many tools out there that can do all they do in one tool. So if you compare that, then this is not really expensive. But if we compare just one feature, then it is more expensive than the others.

The user needs to utilize it as a package. 

I would recommend it. Overall, I would rate the solution an eight out of ten because it needs to expand more to support all the markets. They are not there yet.

Not all private clouds are supported, for example, SAP Cloud.