Orca Security Reviews

I've been working on this cloud security platform for the past one and a half years. Essentially, we focus on checking different components of AWS and Azure. 

We check over containers, instances, and various other elements running in the cloud. Our work is specifically designed for the cloud environment. We identify and address internal vulnerabilities across applications and operating systems which we are using in the cloud. 

If there are any patch management requirements, we ensure they are done across different applications and even API interfaces. 

In summary, our goal is to maintain security settings across the cloud infrastructure, such as AWS and Azure, used by our company. We connect with the DevSecOps team to actively work on securing the cloud environment and remediate vulnerabilities. We make sure incidents are properly handled, and necessary updates are implemented without causing disruptions. To facilitate communication, we use SMS for incident closure. This has been our focus for the past year.

Previously, we had a hybrid model where we used both physical devices and VMs across the cloud to manage enterprise security solutions. With Orca Security, we have a specific solution that allows us to monitor internal vulnerabilities and the most exploitable ones across the cloud. This platform is dependable and includes a powerful AI engine that we are currently using. 

It helps us identify and address vulnerabilities early on, including CPU weaknesses and other variations. Additionally, it provides remediation guidance and facilitates patching and updates. Furthermore, it gathers threat intelligence, which is beneficial during incidents.

Recently, Orca Security has updated its interface, making it more user-friendly. I find it particularly useful as it allows me to easily navigate the dashboard and prioritize actions based on severity and criticality. 

This feature makes it easy for me to look at prototypes and determine the necessary steps to take, focusing on critical issues first. I love the interface dashboard.

I would say that there are some loading issues. Since this is a cloud-native platform, there may be a problem with connecting to the dashboard as soon as it's open. The interface can be a bit cranky and sometimes takes a lot of time to load. So, the way APIs are deployed for our dashboards or monitoring systems needs to be corrected and optimized.

In future releases, Orca Secure needs to have new integrations with different security solutions apart from the cloud. We have EDRs, XDRs, and MDRs. Orca Security should automate the process of connecting and integrating with these solutions. It can be an essential way of protecting the infrastructure in an effective manner.

I have been using Orca Security for the last two years. 

I would rate the stability of Orca Secure a nine out of ten. 

I would rate the scalability of Orca Secure a nine out of ten. 

We directly bought this product from Orca Security itself, so we did not use any third party to install or deploy it.

The price is a bit expensive for smaller organizations. It can be expensive for smaller organizations, but if you are managing your infrastructure in the cloud, it's definitely worth trying.

We have certain subscriptions and licenses for around a thousand instances deployed across the cloud. We purchased the subscriptions for the necessary devices we are running. It has cost us a lot.

I would definitely recommend using Orca Secure. It's a very good cloud security platform. Apart from what I've seen, it has a really extensive dashboard and analysis capabilities. It picturizes actual vulnerabilities and provides guidance for remediation. It's a valuable cloud security evaluation tool, and I would suggest it as the first thing to learn.

Overall, I would rate the solution a solid nine out of ten. 

We are using primarily Orca Security for our vulnerability assessment management. We are using it for our container it does free image scanning to find security loopholes that might be present in our overall infrastructure. Additionally, it provides the remediation steps and an overall overview of the security of our infrastructure.

This solution has helped out organizations by recognizing security threats and vulnerabilities in the early stages of software development. That is one of the benefits that we are receiving from the tool. We are dealing with security loopholes and deficiencies in the earlier stages of our development.

We have the time to review the whole process and Orca Security provides security solutions to our clients. The solution has been beneficial for us to detect security loopholes in our early stages.

The most valuable feature of Orca Security is the automated scanning tool, user-friendliness, and ease of use.

The solution could improve by making the dashboards more elaborative and more descriptive.

I have been using Orca Security for approximately two years.

The stability of Orca Security is good.

Orca Security is scalable. We have 25 users using the solution in my organization.

I have used the support a couple of times when we escalated some queries regarding the report formatting and the false positive.

Most of the time whenever we open a support ticket to their technical department the response time is quite high because we are dealing with frequent deployments. We expect them to respond within one or two days but they take quite a long time to respond back.

I rate the support from Orca Security a six out of seven.

Neutral

We used to use an open-source vulnerability management tool from OWASP regarding the guidelines that they had listed on their own site using management systems, such as REM, CS, and CVSs, which is a risk management framework. We were using those frameworks for our vulnerability assessment and management.

Orca Security is an enterprise solution, it scales well with your own infrastructure. We thought that the use cases covers and were aligned with our use cases, and this is why we switched.

The initial setup of Orca Security is straightforward. I do not know how long the deployment took, but it is quite intensive, responsive, and has low latency.

I rate the initial setup of Orca Security an eight out of ten.

The implementation of the solution was done in-house.

We have a total of 25 licenses for this solution. The solution is on a pay-and-you-use model.

The vendor handles the maintenance of the solution, such as patches, and different enhancements.

Every organization has its own needs and requirements, and configuring a tool with customization depends on the use case of the current organization. It is not a solution for all organizations. If you are dealing with small projects you don't need to switch to this enterprise solution. The usage of this solution depends on the organization's needs and requirements, another solution might be better.

I rate Orca Security an eight out of ten.

We manufacture cloud solutions and we employ Orca Security to monitor them.

When we implement Orca, we don't have to make changes to any other products. This is important because we can design the products to be best-in-class without worrying about incompatibilities from third-party vendors. Orca sits on the perimeter and is able to essentially do excellent security work without re-engineering our solutions.

The regulatory reporting has been very helpful for our own certifications from SOC and ISO.

The most valuable features are vulnerability management and attack detection.

The vulnerability management does not require network scanning or agent technology, so I don't need to modify any of my products in order to do vulnerability assessments.

The monitoring of logs and attack scenarios are basically hands-free. It's a non-intrusive approach.

In the future, I'd like to see Orca work better with third-party vendors. Specifically, being able to provide sanitized results from third parties.

I would like to see support for FedRAMP certification.

I have been using Orca Security for more than two years.

Stability-wise, we have never had any problems. It's solid.

We are a middle-size business and we've had no scalability issues.

We have more than 4,000 cloud customers. The environments are across AWS and Azure, both public and private cloud. We manage this with three admins, a director, an engineer, and an analyst.

When there have been issues, the team is incredibly responsive to resolving them. One of the major benefits, since it's fully cloud-based, is that a single fix affects everything. You're not re-rolling agents or collectors or data aggregation tools. It's fixed once and it works everywhere. So, even from a support standpoint, it's a major benefit.

I would rate their support a nine out of ten. Nobody gets a ten.

We were fully deployed on Rapid7 and had 100% coverage. It was the primary tool that was replaced by Orca.

Some of the advantages to using Orca are its rapid time to deployment, extensive compatibility, and honoring security best practices like using the least privilege for the implementation.

Transitioning from Rapid7 to Orca has saved us time. I estimate that we save at least one person-year per year. The costs of the two products are similar.

Another important point is that we have more accurate results with fewer false positives.

The entire deployment was completed in two months. Actually turning on the product was weeks at most, but going through change control and testing for all of our production environments was two months, including writing standard operating procedures, all of our escalation paths, et cetera.

When I say deployment, I'm not just talking about installing the software and turning it on. I'm referring to making it fully business-integrated.

The cost of Orca is similar to that of Rapid7.

Overall, the pricing is reasonable and the discounts have been acceptable.

We've had no issues with the licensing model, including when we've needed to use burst licensing. It's been good.

In terms of visibility into our environment, we compared similar technologies that use intrusive methods and we found that the results from Orca were superior. We evaluated Rapid7 for both vulnerability management and incident detection and response (IDR).

If you compare Orca to a competitor like Lacework, Lacework requires agents but Orca does not. Orca's agentless approach is incredibly beneficial for maintenance upgrades, change control, certifications, et cetera. So basically, there is less code to deploy, less code to manage, and another vendor not to worry about. These are all positives.

When we were evaluating Orca, it was very important to us that they are a SaaS solution. It is updated regularly and new features become available at no extra cost. Also, managing the cloud from the cloud was critical for us.

Initially, I was quite skeptical that Orca Security could do all of the things that they claimed. In fact, I was skeptical to the point where I stalled the salesperson for six months before accepting a demo.

I've been in the vulnerability-management space for over 20 years, personally, and I didn't believe the claims. When they told me how they were doing it, I thought that there was no way it was accurate. Then, when they showed it to me, I realized that it was something that I'd never seen, heard, or even considered doing.

To any skeptics that are out there, this is a unique approach and a modern approach, and worth consideration. It basically breaks the mold of how vulnerability management has been done for the last 20 years.

Orca has a lot of features available out of the box, although that was not important for us when we initially chose it. We chose them for vulnerability management when that's all they had to replace agents. Originally, they were only for vulnerability management. All of the extra features that have come along since that time have just been very pleasant bonus add-ons. As they added features, we were able to do the rest.

The biggest lesson that I have learned from using this product is that there's a right way and a wrong way to modernize security best practices in the cloud. Orca is one of the vendors that is doing it the right way.

Overall, I'm thoroughly impressed with this product, which is the best way I can put it. It is a unicorn in the space, with a lot of people trying to play catch-up.

I would rate this solution a ten out of ten.

We're using Orca Security to identify threats and vulnerabilities, manage our cloud security posture, and alert us to CSPM and threat issues.

Orca has improved our security by helping us address high-risk threats first. I don't have to spend time determining the risk myself because Orca does that. Now we can resolve issues based on absolute risk, which is a huge relief. 

If we see an SSH key put up onto an externally facing machine by a developer, Orca will notify us, and we can deal with it immediately. Our other products don't tell us about that.

Orca's dashboard is excellent. My team needs to be able to focus on specific areas for improvement in our cloud environment. Most recently, we've started to get good use out of sonar, the search capabilities, and the alert creation. We plan on using that to automate notifications and remediations. So we have high hopes for that, but we haven't used much of that yet.

The visibility Orca provides is excellent. Orca allows agentless data collection directly from the cloud, so I assume there is no performance impact. It's important for a product not to get in the way of performance, but it's not my biggest concern. I mainly care about coverage. It was important for us to have a SaaS solution, but it wasn't critical. We prefer not to manage a service ourselves, so it matters.

Orca could give me more alerts. It could give me a dashboard with all the specific types of alerts I want to see for the day. It should just be one click. This is one area where I feel Datadog is better. Datadog has something called Security Signals, where they give you a dashboard, and you can structure it by the day or specify a period. It just tells you the different security signals that have occurred with a very obvious risk designation by color. That makes it easier than Orca's current view. So I think Orca could improve its interface.

Another shortcoming of Orca is that it doesn't integrate with our particular non-standard ticketing system. So we have to finish developing an appropriate webhook for it. Other than that, it's integrated well with our identity provider and with our cloud environments.

I've been using Orca Security since 2019, but my company has been using it since 2020.

We've never had an issue at all with it for as long as I've been running Orca. So I'm confident that it's perfectly stable and can handle the load.

We have not seen any issues with scalability because our scale increases in a nonlinear way. Primarily, Orca is used only for security, so a handful of people—fewer than five—are using it. The roles are mainly cloud security engineers, and some DevOps people sometimes use it.

We use it to monitor all of our cloud environments. So our usage is extensive, and it will monitor all of our cloud environments as we increase our cloud size.

Orca's support is extremely responsive and competent.

I used Lacework previously, and Orca is much better. My biggest concern is coverage. With Orca, I feel confident that I have full coverage of all of my resources. When I had Lacework, I found out that wasn't the case. I'm wary of any agent-based service like Lacework because we consistently fail to cover resources when the agents aren't applied correctly. I compared Lacework to Orca by running them side by side for several months. Lacework failed to cover about 23 percent of our resources.

What's more, Lacework required way too much effort to dig through the hundreds — if not thousands — of false positives. In effect, we got zero value out of it. We could never resolve an issue, which means the issue just sat there forever because there were so many false positives. And the way Lacework presents information was very difficult to use. It was a useless product.

Setting up Orca is straightforward. It took almost no effort. It was just a matter of doing the read-only integration for various accounts. That took less than two hours of someone's time. We started seeing results immediately.

The fact that Orca is agentless is a significant reason it was easy to deploy. It didn't require me to test it in different environments by DevOps. All of those things would've added up a couple of weeks to the deployment time. Instead, it only required the security team to do a pretty easy integration with our cloud environments. And because there's no impact, there is no heavy testing required, so we got it done in a couple of hours.

We've seen a return on investment insofar as that can be measured for an essential tool. We're not planning on giving Orca up, but it all depends on the price of competitors like Wiz. If their price drops and it's significantly cheaper than Orca, it's easy to switch. Also, the time to value for Orca was immediate — 24 hours — so it's much better than other solutions. With Lacework, it took at least a month before we saw any value, and then the value was extremely low.

While it's competitive with Palo Alto Prisma, I think Orca's list price is very high. I would advise Orca to lower it because, at that price, I might consider alternatives like Wiz, which also offers agentless services. 

We weren't using Datadog for security before Orca. We were using Orca. Datadog, of which we're a customer, started offering security in February. We used Datadog as a design partner, and I like aspects of it. But now that they're charging for it, we won't continue to use it. Datadog is overpriced for what it offers, and Orca gives us what we need. Orca tells us about vulnerabilities in a straightforward, manageable way. We haven't had many active threats, but Orca can also tell us about those. Datadog has something they call the workload security component, which is their agent-based component, and we found that to be very immature and inaccurate. We had to turn it off because it gave us so many false positives it was overwhelming us. So that's one area where Orca is superior to Datadog.

Still, Datadog is an excellent product. We didn't start with Datadog security, though. We were using Datadog for application performance monitoring. We added Datadog security when Datadog began to offer it to design partners like us. It has some qualities we like and others we don't. But in the end, we're not going to stay with Datadog. I've also evaluated Palo Alto Prisma multiple times, and I've used and evaluated Lacework. I've also used other services like Threat Stack and Tenable Nessus. Compared to Palo Alto Prisma, I like that I don't have to pick and choose with Orca. I expect all of my products to give me everything for the price and not have to select from a menu.

I rate Orca Security nine out of 10. When I first came across it a couple of years ago, I was skeptical about whether Orca could do everything they say it can do. At first, it was like magic. Now that I'm used to it, it's not magic anymore, but it does do a great job. I would advise anyone to try it. You'll immediately see the value.

With Orca, the main thing that we're leveraging is their Cloud Security Posture Management capability. 

It is a SaaS solution.

It provides the assurance that we have coverage across AWS specifically because we have so many accounts. As a large organization, we have prod environments for customers, and then we have our corporate environments and our playground environments where there are various levels of interactions, data flows, and business use cases. Because we have Orca, we have the competence and assurance that we know where our fleet and where our assets are.

The big thing for us was just making sure that the side channel scanning, which is their proprietary tech, does not really create any burden or load by adding an agent onto the box. It should just do another snapshot. It gives us a better performance overall because there is no implication down to the actual environment or AWS.

It provides agentless data directly from our cloud configuration and from the workload's runtime block storage. The agentless approach means that there is zero performance impact. That's kind of a big part. When you typically add an agent to any system, it's going to use some of the compute or the memory, but this has no performance implications. That part is exciting because when you think of the security realm, often, as a team out of the cost center and a business enabler, there are situations where if we do affect performance, it's not great for the business. So, we have the understanding and the Corporate EQ that we don't want to have any impact on performance. This enables us again with the confidence that we're getting the right information out without having that impact down to our engineers or our production support.

The agentless and direct collection of data enable Orca to see assets within our environmental and business contexts and prioritize truly critical security issues. It provides another notch up on confidence in terms of knowing what's in our production environment and having the ability to rapidly query in case there's a new CVE that's coming up. So if we know there is a drop in data, we have the ability to scan and see the assets and do the patch management as necessary or tear down boxes that don't need to be up there anymore. With the way it works, having visibility across the org is hands down the biggest benefit for us.

The agentless approach also means that we're able to avoid the need to deploy and maintain multiple tools.

With its Cloud Security Posture Management capability, we have the ability to read across all of our cloud-based environments, which includes AWS and Azure. We have visibility into those environments. Seeing all vulnerabilities and configurations is really powerful for us, but ultimately, the ability to use the API to query across the fleet to understand what is the current state, what is the patch level, which ones are potentially exposed for a new CVE that just came out is even more valuable. It allows us to gather really specific intelligence through simple queries.

Given the agentless deployment, its time-to-value is less than 24 hours. It took less than 24 hours, and we had intelligence and insight. Ultimately, it is getting access to the API, and then from there, it is about getting the side channel scanning going on. Once that is complete, the real-time proprietary nature of new assets pops up. We also have the visibility if an old asset has been sitting out there unused for a really long time.

They can expand a little bit in anti-malware detection. While we have pretty good confidence that it's going to detect some of the static malware, some of the detections are heuristics. There could be a growth in the library from where they're pulling their information, but we don't get a lot of those alerts based on the design of our products. In general, that might be an area that needs to be filled since they offer it as a service within it.

We've been using the Orca solution for about a year and a half. 

It had maybe two periods of downtime if my memory serves me correctly, but it was hard to even know that the service was down because we weren't actively querying during those windows. These downtimes were probably for less than a few hours. I read about them through an email from the founder. We wouldn't have even noticed them if they didn't update us on it.

We started with our production account, and then we kept scaling to our test environments, to our corporate environments, ultimately to every AWS account that we have out there. It is being used as extensively as we can in our environment. We have about 14 AWS accounts. If we need more environments, it will be included as part of the practice.

Luckily, we have a shared Slack channel. So, we have an extended Slack channel, and we're in there with the founders, as well as key engineers and members. So, it's real-time for us. If we have an issue, we go in and just message out, and then we can have that full loop within that Slack channel. We were customer number nine, and having this Slack channel was just something that made sense at the time.

I would rate them a 10 out of 10. We get everything addressed pretty quickly.

In terms of vulnerability assessment coverage, a lot of it was native tooling. We were using AWS GuardDuty across the environment as step one for anomaly detection, but for vulnerability management, there was very limited capacity.  We could leverage some of the existing tools that were out there to scan and perform analysis, but in reality, we're using a lot of what AWS offers. So, for the most part, it was native AWS tooling with GuardDuty and then just doing our best to query the fleet through AWS itself. Orca has really filled the gap for us.

Because of its agentless nature, there is zero deployment time. It is mostly just getting the connection and performing the analysis. The deployment strategy is mostly, "Choose the accounts that are there and then hookup Orca." It took less than 24 hours, and we had intelligence and insight. 

It is the cost of the visibility that you get. When you really sit down and think about what do you need to do to secure an environment with a low impact on the business, and you take a look out into the world, I think this tool is well justified around cost.

We were looking at a few other tools out there. Dome9 and Lacework were the big key ones that were out there. There were some of the old heavy hitters, but they really didn't add a ton of value to what we were looking for. Some of them were just AWS GuardDuty on steroids. 

For us, Orca just offered a better comprehensive solution. We had done enough demos and discussions, and we felt like, "Hey, it's worth the gamble on someone that's trying to solve something and maybe we can help drive the backlog or some of the features as well by being an early customer". That's a part of our strategy when it comes to choosing security solutions. It definitely fits our business needs.

When choosing to go with Orca, the fact that it is a SaaS solution that is updated daily, and that new features are available at no additional cost was useful for us. That's the way it should be. There shouldn't be paywalls and all these other things. You're paying for the proprietary technology of the company and how they kind of package that up. They've been very open in terms of what features are available when and how they work.

When we first looked at Orca, we weren't skeptical about whether it could do all the things that they said it can do. That's because the way it was presented was very logical in terms of how they instrumented the technological approach, and then the background of the founders made a lot of sense. So, either it was going to work, or it wasn't going to work, and if it didn't work, then we'd have an issue. When we did a PoC, it worked very well for us in a short window of time, and we had the confidence that this was going to be the right tool for us.

I would advise others to not just set it and forget it. This is an ongoing capability. Just like every vulnerability management process, it is an ongoing continuous cycle. So, I wouldn't leverage this for one-time use or quarterly use. This is real-time that you should be analyzing, and on top of that, as new vulnerabilities are set, use the search function.

Everything is included in Orca’s package, but Orca hasn't helped us to consolidate vendors or services. That's because we weren't replacing any existing ones. We didn't have six other things doing what they were doing. We were venturing out into a solution that has not ever been in place and figuring out exactly how to integrate it, how to leverage, and ultimately how to level up the organization.

I would rate this solution a 10 out of 10.

The first two things you need to do in security are to know what you have and keep it updated. If you can do that you're going to stop 90-plus percent of security attacks. That's our first use case. To know what we have and keep it updated. In general, it's really hard to do that in the cloud. It can take multiple systems and a lot of overhead to do it. That's one of the main things we use Orca for, so that we always know what we have and make sure it's updated.

On top of that, we use it to build things that have to do with our security posture. For example, are the ports that are supposed to be closed actually closed? For the data that's going through PII, is something open that shouldn't be? Are the permissions as they should be, per best practices? Is the compliance level correct for PCI and CIS, et cetera? There are many use cases around the posture of our environment, including the endpoints and the workloads. 

Overall, we use Orca for anything that has to do with making sure we check all the boxes and cover all our bases. It's a very core product for cloud security.

Orca is saving us at least one full-time role. As we scale, it will be more. When I started using Orca, we were a company of about 100 people. As we grow and get more complex, as our environment gets bigger, it saves us more time. It could be hours per account and hours per patching cycle. We're two years in with Orca and now we're somewhat spoiled because it's very seamless. But in the beginning it was very noticeable. There were all of those annoying tasks that I don't have to do anymore. I spent hours on Excel spreadsheets, frustrated by vulnerabilities that I didn't know what to do with. Now, I don't even have to look at spreadsheets. It saves our team hours and hours, especially in our field of Fintech, which is super-audited.

It also helps with hardening our posture by baselining everything in our workloads and servers against best practices. It gives you a path to improvement. Even if you don't have a glaring gap or an open port, you can always improve your security posture. By way of analogy, if you as a person don't stand up straight, you can work on standing up straight. But then you can also go to the gym and get stronger. There are levels to posture. You can stand straight but you can also become super-buff. The same thing is true with any other posture. Orca helps us take care of the gaps because we get notified very fast, but then we want to improve. Maybe we can take down some services that nobody is using and improve based on other best-practice baselines. Orca has done an amazing job of adding more and more.

Orca's platform provides agentless data collection directly from your cloud configuration, from the workloads, and from the servers running the workloads. The SideScanning ability can take a snapshot of an EC2 instance and they can do whatever they want with it because it's a snapshot. It's not being used by anyone, so nobody feels it. There is zero impact. Orca uses that to provide all this information and that's a great ability. They can do malware analysis and a lot of things that, in an agentless solution, it's hard to do. The lack of performance impact is important because, as a payments company, we can't try to pay Walmart and not be able to because the CISO decided to put some heavy agents in the backend. But another important aspect is that it keeps the maintenance and the overhead down. That is what excites me, aside from the performance. You can circumvent performance issues, but you need people to work on overhead-related tasks.

The agentless approach decreases the number of tools we have to use. Orca covers off a few posture-related tools. For example, Palo Alto has a few modules, a few tools, that you have to run together to give you similar value.

Orca's SideScanning is the biggest feature. It's the "wow" factor. There are a few other solutions with that kind of functionality, but before Orca, nobody would do it. They would say, "You just have to put an agent somewhere, and we have to read your logs," and there was a lot of overhead and you had to make sure you kept these requirements happening. You always had to configure things to work. With Orca's SideScanning, they just need permissions for your account and that makes it so simple. It just works. And you get the insights that are super important.

Another valuable feature with Orca, something that's not talked about enough, is its ability to rank your gaps and your tasks. The one resource that's very finite is your engineers' time. Every CISO has the same problem: they have engineers, but not enough of them, and their engineers don't have enough time. Because of these limitations, the engineers need to focus on the most important tasks, and they need help to do that. The fact that Orca can take something that looks like a 10 out of 10, a critical CVE, and say, "Wait a second. It's not that important, because of A, B, C, D, E, and F reasons. You can delay it for your next patching cycle. But this issue, the one that's only a CVE 7, is explosive on the internet." That kind of ranking is super important because of the limited resources and time. I need to make sure that everybody is focused on the most important things. The ability to see that, seamlessly, along with the ranking, makes Orca a very good product.

One thing that has been really surprising to me is its ability to give us container posture. Everybody is talking about containers and there are so many container-specific companies. At one point we were wondering if we needed a container solution. We talked to Orca and started testing what's out there, and we were surprised to see that Orca is very strong in containers as well, including Kubernetes and Docker. The way they see it, it all has to do with your posture and how secure you are. That's their goal: that you will have the most secure cloud possible, based on best practices.

The fact that it's a cloud solution is also important. In the same way that I'm happy that Amazon maintains data centers and I don't have to, and that a lot of my solutions are maintained by their engineers, Orca allows my team to focus on more relevant tasks. I don't want anything on-prem. I don't want my team to deal with anything if they don't have to. Anything that would require in-house maintenance for us, is a no-go. The only admin with Orca is when you have a new account or there is a change to your account. You have to configure the Orca with it, but you can run an automation that helps you out with it.

Orca is also very good at keeping our data safe and masking it and not picking anything they don't need to pick. In that sense, it's also good.

I would be happy if they offered more automatic remediation options. They're working on that, but the more the better. For example, if they want you to harden a server, they would offer a hardening script that would be more aware of what's going on.

I would also be happy if they added more and more coverage. The cloud itself is changing, with Amazon and Azure adding more and more capabilities. Orca is working really hard to meet the challenge, but the more they add, the better it is for me.

Another improvement would be that, in addition to focusing on endpoint compliance, they would focus on general compliance.

These are things that they're working on and their roadmap is very good. If they keep to the roadmap, I'm pretty sure they'll get to the places they want to get to. For instance, I really want them to add IAM permissions and they added that.

They know where they're going—they understand how to secure a cloud—and they keep growing in that direction.

One final suggestion I would add is for Orca to improve user education. A lot of times they have features and capabilities but they don't tell us about them. They don't even have a "What's New" newsletter. I have said to them, "Tell us what's going on. You've got a lot of cool stuff here. Why do I have to ask you? Let me know." If you have Google products, Google sends out a newsletter every week with new features. It's important to know that kind of information. It's also a marketing tool to let users know that they're constantly improving. Orca is constantly improving, but they don't always communicate that.

I have been using Orca Security for about two years.

It's very stable. As long as you get your daily results and they find the issues, it's not something where stability is super crucial. But it doesn't crash. The product works. There's a lot of information but it's not slow. I'm not saying there have never been any problems, but we have not been aware of any.

Orca is very scalable. So far it has grown with us easily. We have added a lot more accounts and a lot more endpoints. The bill has gone up accordingly, but it's there with us.

We're using it as extensively as possible as a security tool, to the point that it's being used every day by the cloud security team. It's one of that team's core products and they love it.

They give very good support to us. We don't need a lot of support, but sometimes we get audited and the auditors want a certain kind of format to the report. They are really helpful on that. If we're not sure about something or we have a question about containers, they're always very helpful. When there has been a new vulnerability and we wanted to make sure we're covered, they have been there for us every time.

Positive

We had vulnerability system coverage but we had to work hard on it. What we didn't have was a good ranking of priorities. Prior to Orca, we were using traditional tools. Those tools do the job; they can scan your environment. But what they don't really give you is the ability to rank issues. Those solutions would scan and say, "We found 100 servers vulnerable to this CVE, so you should patch it." But what they don't tell you is that there's no patch, or that your servers are down so you don't even have to. The information from those solutions was missing context and the ranking. You can get visibility with agents and there are a lot of ways to do that. But the ranking and the context across the entire environment, that is what is unique about Orca.

With Orca, we have been able to replace all of the tools I just mentioned.

Consolidating those tools has saved us a lot of time, but not that much money. Generally, vulnerability scanning tools are pretty cheap. In the cloud, they are more expensive and their abilities are greater, but they're cheaper than Orca. So we didn't save a lot of money, but we saved a lot of time. We are able to do more with less, which is definitely worth money.

Another huge advantage that comes from being agentless and having the SideScanning is that it all works out-of-the-box. You don't have to implement anything. It takes five minutes to turn on. It scans and you get the data. That's one of the things we love about it because it's reducing overhead and saving time.

Our business acquires companies and that means we add more accounts, so we have to set up Orca for those accounts. It's a matter of five minutes to give the proper permissions and the proper key and you're in. It's very straightforward.

We have definitely seen ROI from Orca by reducing overhead and saving time. It's a huge ROI. We see it daily.

Cloud security engineers are hard to hire because there aren't a lot of experienced people out there. So you bring in juniors and all they have to do is "follow the yellow brick road." They just have to go on Orca, see what it says, and do it. When it gives remediation suggestions, they just need to go ahead and do that. Theoretically, you only need to be a little bit of an IT specialist to use it. You could be a system administrator who has never seen Amazon before, but you'll have 85 to 90 percent of the knowledge you'll need about what to do just by going to Orca. That's huge. You don't have to teach them how to SSH to the server to check this or to check that. It's all there. The simplicity is a giant ROI.

Cloud security engineers are expensive. If I save having to hire one cloud security engineer positionץ The vendors know it and that's why these tools aren't cheap. They price it expensively, because they know they give a lot of ROI. 

With Orca, the time to value is immediate. The second it scans, that's it. It's a whole new ball game, thanks to it being agentless and providing the rankings.

With Orca, there are no costs in addition to their standard licensing fees. There are no networking costs or extra bills for compute.

We put Orca up against all the incumbent vendors. Orca beat them easily. When it was up for renewal, we were looking at Orca versus the other leaders offering the same abilities. Again, Orca proved to be the most mature and the strongest product.

The agentless aspect of Orca is a big pro. And I really like the simplicity of Orca. It has a lot of options, but the way you experience it as an engineer, it's very easy to understand. You know what you have to do and what's important. The other systems proved to be complex. 

When I was looking for a posture management solution and they said, "This is agentless, it's amazing." My thoughts were, "Oh yeah? That's baloney. How can it even be agentless?" I was shocked. I said to my engineers, "If this actually works in the demo, it's going to be a game-changer for cloud security," and it was.

I also feel Orca's ranking system is much more mature. All the others show you a lot of things that they mark as important, but they aren't important. That means there could be 200 things to take care of but if you drill down, they're sort of like false positives, meaning "it's important, but it can wait." Orca would rank those kinds of issues a "medium." It would let you feel that they can wait a little bit, as opposed to things that are "high" and "critical."

The biggest lesson I've learned from using Orca is that agents suck. Until you see the difference, you're just not aware of how much time you spend on that stuff. Another lesson is how important the ranking is that Orca provides. They should blow that up and emphasize it a lot more. They always talk about the agentless side, but the fact that they can prioritize tasks is equally important. A lot of tools do that, but Orca is exceptionally good at it.

If somebody were looking into Orca, I would ask how his stack is built, how much on-prem he has versus cloud, and which cloud? I would recommend it wholeheartedly if he has a cloud presence. It's the go-to posture management tool. Start with Orca and test them. It's always good to have a PoC, understand the pros and cons, and make an educated buy. But I would definitely recommend Orca to anybody who has substantial data or substantial risk in the cloud.

We really enjoy using Orca. It's a very well-designed, well-executed product. I'm really super-impressed. This is a game-changer. This approach has never been done; at least, I haven't seen anything like it. Kudos to them.

Orca is the inceptive tool that I deploy when I join a company. It will be one of the first things I do after an awareness training program. The reason is that Orca serves the function of giving me insights into the resting risk state, abstractly, because it combines so many signals without actually having to govern the assets. As soon as I have access to the AWS or GCP or Azure accounts, I just drop Orca in and it shows me the abstract risk of everything in that cloud.

Using Orca, I build up a security program. Orca not only attests to and assesses these risks and helps me identify risks that need to be mitigated, but it also helps me build an entire security program because it does it —and this is key—in a deterministic fashion, where it's wholly governing the ecosystem.

Orca’s platform provides agentless data directly from your cloud configuration with zero performance impact. The way they do it is brilliant: They pull snapshots. So it just cannot affect the performance of the machine. From my understanding, the snapshot process in the major clouds is completely benign and does not affect the performance. First of all, that means it can analyze machines that I don't have access to. That in itself is the most game-changing thing I have seen, not just in security but in technology, in my 25-year career. Agents are a huge problem in security. They're necessary for certain things, but even if an agent doesn't cause performance issues it's not about having performance issues. It's about the perception, the concern, the fear, the accountability, and the confidence in the tool because of the small risk of those performance issues being caused.

Orca does more than allow you to see assets within their environmental and business contexts to prioritize critical security issues. The trend in security over the last two or three years ago has been to raise risks that are real. But Orca is doing more than that. Orca combines all these signals to aggregate risk. There is a discipline that they exercise in the way they process all the signals together. Whenever there is an Orca alert that there is an imminent compromise or an actual compromise, which are the two highest severities out of four, they're actionable, every time. We might have encountered a couple that weren't actionable, out of a couple of hundred. 

The visibility Orca provides into my environment is at the highest level. I was super skeptical about Orca when I interviewed the Orca team. When they told me that you can just drop their software in and you don't need to log in to the machines, nor do they need to be powered on, I said, "How the heck are you doing that?" When they told me how it worked I said, "Woah, that's pretty simple. Why didn't I think of that?" When I dropped them into the environment, from the very get-go I had more insight into the risks in my environment than I had had during the entire two and a half years I had been here.

I'm thinking about room for improvement that is really grand, in terms of ways that may not be possible. I like to partner with innovators and that's why I partnered with Orca. I don't think what I have in mind is possible—but I didn't think Orca was possible either when I met them. 

If they could disrupt the host intrusion detection space (HIDS) that would be huge. If I could have them assess risk in real-time—which does not seem possible from the block storage analysis perspective—and they could figure that out without an agent, there would be no need for other security tools except for CI/CD pipeline analysis. 

I'm thinking about "omniscient" and "omnipresent." That's what Orca does from a resting state risk standpoint. It's the "all-seeing eye." If it could do that from an active state standpoint in real-time, or even to the second, minute, or hour, that would be big stuff. If they could crack that I don't know what would stop them from dominating the market completely.

On a more practical level, Orca doesn't work in data centers right now. If a company has a large data center footprint, Orca is not necessarily the best solution for that business. If 20 percent of my risk lies in the cloud, and 80 percent is in data centers, I should probably go with an agent-based solution, assuming I can deploy it.

We became an Orca customer in February of 2020. We use their SaaS solution which is deployed on the three major public clouds.

There were a couple of times when Orca was down when I was trying to access it. I work strange hours because all of my team is in the UK right now. It was 2 a.m. on a Saturday and I was trying to log in but it wasn't working. That was pretty bad. What if I was trying to attend to an emergency security issue?

But relative to my other security tools, Orca is definitely the most stable that I've seen.

It is deployed everywhere in our company. It is a requirement that when we build a cloud or we have a new business joining the company, that it be deployed at inception. It is one of the very first things that I require before any integration is done.

We have used their technical support, but we haven't needed it very much.

When Orca was a very early stage startup and they were working out the kinks, one of our clouds, GCP, was not as easy to deploy in because we have 400 workloads running there. We didn't ask for any support but their CEO stepped up, worked all night, and did it himself.

Orca is focusing on what is right when it comes to customer success. Every business has a limited amount of resources and has to take a certain amount of risk. They didn't build a sales team until pretty late in the game. That speaks to why they're respected so much in the industry. They have a relatively new customer success team, maybe because they haven't had a need for it. When I encounter a problem I will want to put it to the test. I think they'll do pretty well. They have scaled up a bit.

Positive

We did not have a previous solution. Before I had Orca, my option for governing at the level that Orca governs was to use network TAP devices from companies like ExtraHop Networks, but they're not capable of gleaning the information that Orca can.

Deploying it only takes a couple of minutes and it hasn't required any maintenance at all. It's so easy to deploy that you can switch away from it pretty easily too. I just don't know anyone who wants to. The stickiness is only in their excellence. For the consumer that's a win-win.

For our deployment they brought in a junior CSM who was brilliant, a wonderful CSM. I was pressuring him and making him very nervous, but he explained the install process: "You copy this URL and paste it here." My DevOps engineer who was onsite messaged me and said, "It's actually really easy. We just put the card in and it was installed two minutes later."

It wasn't very important to me that Orca’s solution includes everything “out-of-the-box." But it was certainly a positive thing to have. My view on security is that I'll deploy something that nobody else has emulated. I'll have a very big, cumbersome stack to manage because I want to support excellence in each space. I believe in the Unix philosophy: Do one thing and do it well. But Orca is doing a lot of things well. I can't deny that. And that means I haven't secured some of these other solutions because it does things well. It's among the best cloud configuration auditing software there is. It has replaced a couple of things that were in my environment and avoided the need for an additional couple of things that would be in my environment. One of them is a portion of host intrusion detection, and that has enabled me to move to a solution that is half the cost. That particular move has saved me about $450,000. That's not my total spend in Orca but it's close to it.

Also, it is updated daily and new features are available at no additional cost. It's a "it just works" thing. And it actually mitigates the need for human expenses of around $80,000 a year in payroll. When you factor in the 1.4 times overhead for human resources, that's going to be $112,000 a year and the perceived liability of the company is probably three times that. We're looking at a replacement of $336,000 a year.

In addition, the time to value is better than any other security product in the market. Even if I wanted somebody else to do all the work, I would have to give them more information than I need to give Orca. It would take a couple of hours to filter the data for a mid-sized company, whereas Orca literally installed in two minutes.

I called my security team and we were talking about all the various players in the security space, and all the technical aspects. They were saying, "Orca does this, Orca does that," going on about it. I don't really see Orca as being the next Palo Alto displacer, but that's probably because I'm super skeptical. But that's how amazing the governance is. My security said, "Yeah, Orca is the tool that we use, even though you made us PoC all these other solutions."

I spoke with someone who knows the space well and I said, "Okay, Steve, please help me here. You guys know this field. Is there anything else that competes with Orca in this space?" I believe this was before Wiz was on peoples' radars. Steve said, "No, I haven't heard of anything else." I was worried that I would spend all this money on a tool that did something that doesn't exist but it turned out it actually existed.

Every CSO says they don't want false positives, but what CSOs never say is, "I don't want to have false negatives." That bothers me. They're happy because a solution doesn't say, "You need to fix this thing" when it doesn't need to be fixed. But they're ignoring the fact that solutions are not identifying things that do need to be fixed. That's where Orca comes in perfectly. By running it in tandem with my HIDS or some other system, it's validating or invalidating the attestation of security risks from the other software. I had one solution that never gave me any false positives but it did give me a lot of false negatives. After Orca exposed that, I was no longer a customer of that product.

Because I had Orca first and it attested to the risk, it demonstrated the need to employ their competitor. If I had deployed their competitor first, it would not have attested to that risk and the need to deploy Orca. Orca justifies the spend, a multi-hundred-thousand-dollar spend by a mid-sized company on one of their known competitors. That's cool because that means it's not really a competitor.

Whenever people ask me what Orca does, and I say vulnerability assessment, I always say, "But that is really downplaying it." We use Nexus to do vulnerability scanning, which costs almost nothing. But I have almost never acted on a single alert from Nexus because there are so many false positives and the risk categorization is not very good.

I was skeptical about whether it could do all the things they say it can do, and now that I have used it I would say to that skeptic: "Continue to be a skeptic." But the skepticism was blown away by Orca very quickly, at every single turn, on every single angle, and at every single opportunity. Orca destroyed my skepticism. But you have to be skeptical. Still, I would also say to that skeptic: "Just give it a shot. It takes two minutes to deploy." If I had just done that, I would have saved myself time.

Orca is much better than their competitor. They're the best in their space. They're the best in the security tool industry. And they're probably the best in terms of companies that I've worked with in general. Are they the best in mitigating actual risk versus the investment? I will always have to say that security awareness training, not as a service but as an abstract concept, is the best thing that we can do in security. Orca might help with awareness training by being so simple. I can use Orca to make technical leaders aware of security issues.

But technical leaders aren't the ones who need to be made aware of security issues. It's the general staff and public. That means customers and employees. Orca falls right in behind security awareness training. What CSOs out there need to do to make the greatest impact on their company is to get up on stage and tell people why security matters. But in all other areas, Orca is definitely the best. The first thing I'm going to spend my money on is Orca. I can do awareness training for free just by being vocal onstage. Orca requires no time. It doesn't compete with awareness training because I can do that while Orca is spending its time attesting to the pragmatic technical risks in my cloud environment.

Orca gives us visibility across all the assets in our multi-cloud environment in a single dashboard. That kind of visibility is rare for us and most organizations within the Fintech space. You could understand particular vulnerabilities in a pocket of your environment, but not to the extent that Orca provides today. To protect a business, you first want to look at your environment and inventory all your assets. All of these assets are still managed in a spreadsheet in many organizations today. Some of them are using tools that list all of the assets. We had an inventory, but the Orca tool could identify assets we thought were no longer operational.

It isn't easy to quantify right now, but I can say that Orca gives us greater visibility of assets that we thought were gone but were correctly configured. Using Orca, we were able to identify certain assets that were still lying around and using an older operating system. Some of these were actually unpatched even though we thought they were patched.

We like that Orca is continuously monitoring our environment. When you open the tool, you instantly get an overview of your current state of affairs. You see everything happening across your multi-cloud environment in one view. When you're working on GCP or Azure, and you also have some other elements within AWS, it isn't easy to have a tool that spans all these cloud environments. It's great to have a single dashboard that puts all your cloud environments at your fingertips.

Orca tool spans all our environments and gives us a compliance report. It can tell us where there are vulnerabilities within our environment and provide us with access to the logs of specific assets.

With any security tool, there's always room for improvement. We were among the early adopters, and many of the major improvements that we were looking for have already been added. Right now, we're looking at what the other players in that space are offering and if it can be integrated into Orca. I had a discussion with Orca six months ago about implementing these features. But once you start customizing your tool for specific customers, it doesn't necessarily mean that it will match the needs of other customers, and you begin to branch out. In general, I think the Orca's roadmap is pretty well aligned to what we need today.

We are fortunate to have been using Orca since its inception. I think we were among Orca's first customers. We're always searching for new tools with intriguing capabilities that can help us better protect our organization. When I came across Orca, I felt it offered something others on the market didn't. 

I rate Orca support 9.5 out of 10. Whenever we've sent a support ticket, Orca responds in less than an hour to tell us that they've received the request and are looking into it. We get a reply a couple of hours later most of the time. Sometimes it needed more work, but I think it was pretty fast.

Support is one of the essential features you look for when purchasing a tool. Of course, you could buy a SaaS product, but if there is no support behind it, you'll have difficulty configuring it properly within your environment. Sometimes, you expect certain features to work correctly, but maybe you are configuring the solution wrong, so it's great to have support personnel available to respond to all your queries. 

Positive

When we started using the Orca tool, we already had some tools offering some of these features. However, we realized we didn't need to have all these agent-based tools installed across our environment to understand our risk footprint. We quickly understood that it would be easier to deploy across our entire multi-cloud environment if we went agentless with the Orca tool. It would offer us more capabilities than Qualys or even some of the AWS tooling available today, and we could consolidate everything under one tool.

AWS has some tools that give you visibility into your environment. They can tell you where your PII is or if your assets are correctly configured. However, every new feature that AWS releases is only available in the US first. Sometimes they're not available in Japan, Canada, and Europe until months or years later. We're still waiting for these features to be available here in Japan. For example, AWS Macie is still not available in Japan today, and it has been two years now. There are many capabilities like this that we want the cloud provider to release in other countries, but it's not available today.

What's more, if I run some AWS tooling, it will only scan my AWS environment but not my GCP or Azure environments. It's complicated to consolidate all of these reports in one place at the end of the month. Orca gives me a single view across all my environments.

One of Orca's most significant advantages is that you can deploy it within your environment with a single click. There were no agents to install, so the deployment was quite easy. We simply entered the information about the cloud that we wanted to gain visibility into, and it was done. It can take days or weeks to deploy some other tools within an environment, especially if you're on-prem and sometimes on the cloud as well. We could deploy Orca in a matter of minutes. It was up and running within 15 minutes the first time we set it up.  

When you're talking about return on investment, you have to consider the resources needed to implement, maintain, and support a tool. With Orca, we didn't need to deploy or upgrade anything, and we didn't need to understand anything about support because they already had great support. I think we're saving hundreds of thousands of dollars every year in staffing costs alone. The time-to-value was instant. 

When we purchased Orca, it came with everything we needed. We didn't need to buy any additional features, extensions, etc. You pay one price, and you have access to everything. I think their pricing model is aligned with market demand. Of course, Orca could probably better align their pricing model with the needs of smaller businesses as well as some larger-scale enterprises with millions of assets. But in all fairness, I think the Orca sales team has been accommodating and ensured that we're happy with the pricing.

When we purchased Orca, there was some overlap with tools like Qualys that scan your environment for vulnerabilities. But Qualys is not well-suited for specific microservices. It doesn't give you all the visibility that you need in a particular area of your environment. 

We are PCI DSS compliant, so we need to scan our environment externally with tools vetted by the PCI DSS organization. Orca doesn't scan the environment externally. It only scans what's currently in the cloud. There is some overlap between Orca and other tools, but others can scan externally. I still don't think Orca is in the business of scanning assets externally because they only scan internally. That's why we purchased it.

I would rate Orca 9.5 out of 10. It covers our entire multi-cloud environment in a single view and tells us everything we need to know about our vulnerability footprint. For example, it can tell us whether our S3 bucket is misconfigured. There are so many valuable features that I could list, but one that I appreciate is the PCI DSS compliance report. Someone asked me if I would recommend Orca the other day, and I told them not to take my word for it. They should just try it.