Sold by: Orca Security CNAPP
Deployed on AWS
Agentless Cloud Security in a Single, Complete Platform with 100% Coverage
4.3
Overview
Orca Security is the true Cloud Native Application Protection Platform (CNAPP) that identifies, prioritizes, and remediates risks and compliance issues across all of your workloads, configurations, and identities on AWS. Orca offers the industries most comprehensive cloud security solution in a single platform, eliminating the need to deploy and maintain multiple point solutions.
FAST TIME TO VALUE: The Orca CNAPP Platform is agentless first, and connects to your environment in minutes using patented SideScanning technology that provides deep and wide visibility into your cloud environment, without requiring agents. In addition, Orca offers a lightweight agent for organizations that require real-time protection for critical workloads.
RISK PRIORITIZATION: Orca effectively prioritizes risks by applying a granular risk score to each alert, and recognizes when seemingly unrelated issues can be combined to create dangerous attack paths straight to your crown jewels.
FULL SDLC SECURITY: The Orca platform shifts security left by seamlessly integrating into the CI/CD process so that applications can be secured from code to cloud and back.
AI-POWERED: Orca is at the forefront of leveraging Generative AI for simplified investigations and accelerated remediation, reducing required skill levels and saving cloud security, DevOps, and development teams time and effort, while significantly improving security outcomes.
PURPOSE-BUILT CNAPP: Orca unifies many different point solutions in one platform, including CSPM, CWPP, CIEM, DSPM, Container security, API security, AI-SPM, and much more.
Sign up for a demo to uplevel your cloud security and get the fastest time to value available in the industry: https://orca.security/demo/
Additional platform licensing options are not shown in this listing but are available via Private Offer. Please email aws@orca.security .
Highlights
- Visibility to all your IAAS and PAAS assets including EC2, Containers, S3 buckets using account level read only permissions
- Detect compromises, vulnerabilities and risky configuration within minutes
- No impact on your assets, grows automatically with your cloud account
Details
Sold by
Categories
Delivery method
Deployed on AWS
New
Introducing multi-product solutions
You can now purchase comprehensive solutions tailored to use cases and industries.
Features and programs
Trust Center
Access real-time vendor security and compliance information through their Trust Center powered by Drata or Vanta. Review certifications and security standards before purchase.
Buyer guide
Gain valuable insights from real users who purchased this product, powered by PeerSpot.
Financing for AWS Marketplace purchases
AWS Marketplace now accepts line of credit payments through the PNC Vendor Finance program. This program is available to select AWS customers in the US, excluding NV, NC, ND, TN, & VT.
Pricing
Custom pricing options
Pricing is based on your specific requirements and eligibility. Sign in to view any offers that have been extended to you.
Legal
Content disclaimer
Vendors are responsible for their product descriptions and other product content. AWS does not warrant that vendors' product descriptions or other product content are accurate, complete, reliable, current, or error-free.
Delivery details
Software as a Service (SaaS)
SaaS delivers cloud-based software applications directly to customers over the internet. You can access these applications through a subscription model. You will pay recurring monthly usage fees through your AWS bill, while AWS handles deployment and infrastructure management, ensuring scalability, reliability, and seamless integration with other AWS services.
Resources
Support
Vendor support
AWS infrastructure support
AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.
Similar products
Agentless Cloud Security in a Single, Complete Platform with 100% Coverage
Agentless Cloud Security in a Single, Complete Platform with 100% Coverage
skyPurple Cloud Managed Service for Orca Security
Blackshark ORCA™ HUNTR is a no-code AI/ML object detection development environment that enables rapid prototyping, training and execution of AI/ML models by anyone on any kind of RGB imagery - no experience necessary.
Customer reviews
Harsh Harsh
Cloud security has improved as we identify vulnerabilities and address risks proactively
Reviewed on Jun 04, 2026
Review from a verified AWS customer
What is our primary use case?
I have used Orca Security for one year while working for a client where we set up Orca Security to scan our environment and identify vulnerabilities.
The main use case for using Orca Security is to identify vulnerabilities in our environment so that we can address them before any issues occur.
In one of our projects in GCP , we purchased Orca Security from the marketplace, which was enabled in our account at the organization level.
What is most valuable?
The main feature that I appreciated about Orca Security is that it is 100% agentless and context-aware, meaning it understands what it is doing.
The primary benefit is that it provides us with CVEs, through which I can identify the vulnerabilities in our security posture.
In the long run, as a security tool, it has helped us improve our security posture.
What needs improvement?
There is one issue that I encountered: when Orca Security provides CVEs and we attempt to implement its solutions, sometimes those solutions are not available on the cloud and cannot be implemented.
My main concern is the integration of Orca Security with generative AI for remediation inquiry.
Another concern I have is around the guardrails.
The primary improvement that Orca Security needs is to enhance its remediation steps based on the cloud platform being used.
For how long have I used the solution?
I have been working in my current field for the past five or more years.
What do I think about the stability of the solution?
Orca Security has been stable in my experience.
What do I think about the scalability of the solution?
Orca Security is internally based on cloud infrastructure and is 100% agentless, so it does not require significant scalability considerations.
How are customer service and support?
Customer support is also good. I would rate it a 10 because they respond properly and communicate effectively.
Which solution did I use previously and why did I switch?
Previously, I used to install an open-source tool to understand my security posture, which required some additional infrastructure investment.
I was using the native GCP Security Command Center.
How was the initial setup?
We purchased Orca Security from the AWS Marketplace .
What's my experience with pricing, setup cost, and licensing?
I am aligned with the pricing, as it is not that costly.
Which other solutions did I evaluate?
I did evaluate open-source tools, Orca Security, native open-source tools, and cloud-native tools as well.
What other advice do I have?
When Orca Security provides CVEs, clicking on them gives suggestions about what can be done to resolve the issue.
I would advise others to use Orca Security because of the rich features that it offers.
I would rate this review a 9.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Krishnakumar-M
Integrated cloud risks have been managed centrally and security posture improves continuously
Reviewed on Jun 04, 2026
Review from a verified AWS customer
What is our primary use case?
Of my three customers, one is using Orca Security , and two are not using it. There are plenty of use cases available for Orca Security , and I can provide more details.
Orca Security is very good for faster management due to their CNAP, which stands for Cloud Native Application Protection Platform. It consolidates CSPM, CWPM, CWPP , and CAEM, which includes entitlement management and vulnerability scanning. Orca Security consolidates these solutions into a single platform. If I buy Orca Security, I can check data-related security posture management across various domains, including security and multi-cloud compliance. We put security at the forefront rather than waiting until project completion to engage security. It is important to place security in the field, and Orca Security is a very good tool for that.
Orca Security is an agentless vulnerability scanner, meaning we do not need to run any agents. The first use case is for consolidating various solutions into one. The second use case is agentless vulnerability scanning, and the third use case is for multi-cloud security. Some customers might have different cloud environments that can lead to vulnerabilities if not carefully managed, especially in stringent scenarios like FedRAMP. Orca Security is quite effective in these aspects, particularly for government and semi-government scenarios.
Orca Security serves to analyze configurations against what is optimally used and identify gaps. It identifies when servers are underutilized. For example, if a server is supposed to be at least eighty-eight percent utilized and is running below one percent, that results in unnecessary costs. This gap analysis is something every synaptic tool, including Orca Security, supports for cost optimization.
How has it helped my organization?
Orca Security has improved our cloud security visibility, streamlined vulnerability management, reduced alert fatigue through risk-based prioritization, and helped us remediate critical issues faster while maintaining compliance across our cloud environments.
What is most valuable?
Orca Security excels in identifying risks. If posture management is configured well, the tool performs effectively in identifying risks. I appreciate the tool as it finds various issues. In today's AI era, we see many new challenges, including tool poisoning and broken paths, which Orca Security identifies effectively. The tool captures all the risks related to entitlement management as well, focusing on the segregation of duties to minimize risks.
We use AI across the cloud environment, which helps in automating and remediating issues while enabling organizations to connect fragmented data for faster investigations and prioritizing measurable risks. Orca Security has seven distinct positive risks, including token theft and command injections, which are vital for security posture management.
What needs improvement?
I think Orca Security should be more SMB friendly since I mostly work with enterprise customers who have more budget. Orca Security could include options for smaller businesses and improve on areas like agentless functionalities and cost efficiency for small-scale deployments.
I work in an SMB organization and find Orca Security quite expensive. They typically offer some credit periods to conduct proofs of value for various products.
For enterprises, I find Orca Security to be fairly priced, whereas it is a bit more expensive for SMBs.
For how long have I used the solution?
Everything is around five years, and I have been using it for the whole thing because I have been in this field since nineteen ninety-five. All these tools are five years old, maximum of five to six years old. In fact, they were born during my tenure.
What do I think about the stability of the solution?
Yes, Orca Security is generally considered a stable and mature enterprise-grade CNAPP (Cloud-Native Application Protection Platform) rather than an emerging startup product. However, stability can be viewed from three perspectives in my personal opinion, they are
1. Product Stability
2. Company Stability
3. Operational Stability
What do I think about the scalability of the solution?
Yes. Scalability is actually one of the strongest differentiators of Orca Security compared to traditional agent-based cloud security platforms.
1. Agentless Architecture Eliminates Deployment Bottlenecks
Traditional CWPP and EDR-style cloud security solutions require agents on every VM, Kubernetes node, or workload. As organizations grow from hundreds to tens of thousands of cloud assets, agent deployment, upgrades, troubleshooting, and performance management become significant operational challenges.
Orca uses its patented Side Scanning™ technology to scan cloud workloads directly from cloud-provider storage snapshots and APIs without deploying agents. This means:
- No agent rollout projects
- No agent lifecycle management
- No performance impact on workloads
- New assets are automatically discovered and assessed
This architecture allows organizations to onboard large multi-cloud environments much faster than agent-centric solutions.
2. Designed for Large Multi-Cloud Estates
Orca supports:
- AWS
- Azure
- Google Cloud
- Oracle Cloud
- Alibaba Cloud
- Kubernetes environments
A large enterprise running thousands of subscriptions, accounts, projects, containers, and serverless workloads can manage them from a single platform and unified data model.
For organizations like:
- Global banks
- Telecom providers
- Retail giants
- SaaS companies
this becomes important because security teams do not need separate tools for CSPM, CWPP, CIEM , DSPM, vulnerability management, and container security.
3. Automatic Discovery of New Resources
One common scaling problem in cloud environments is asset churn:
- New VMs
- New Kubernetes clusters
- Auto-scaling groups
- Temporary containers
- Serverless functions
Orca automatically discovers and monitors newly created cloud assets without requiring manual updates or security onboarding processes. This is particularly valuable in DevOps-heavy environments where infrastructure changes continuously.
4. Unified Data Model Reduces Operational Complexity
Many enterprises end up with:
all generating separate alerts.
Orca's Unified Data Model correlates:
- Vulnerabilities
- Misconfigurations
- IAM risks
- Sensitive data exposure
- Attack paths
into a single risk graph. This helps maintain operational scalability because the security team is not overwhelmed as cloud assets increase.
How are customer service and support?
Orca Security's technical support is very good, aligning with my consulting operations, and I have not received any escalations.
Which solution did I use previously and why did I switch?
In identifying risks with previous products, there are notable pros and cons between agent-based and agentless solutions. Agentless tools eliminate orchestration concerns, while agent-based tools allow more granular control and calculations.
How was the initial setup?
The initial setup is straightforward, but I find it a bit complex due to the learning curve involved, which requires thorough guidance during the first configuration.
What about the implementation team?
Yes, many organizations use either Orca Security Professional Services or partners such as Accenture, Deloitte, or Optiv for deployment. The feedback is generally positive, with customers highlighting fast onboarding, minimal operational overhead due to the agentless architecture, and strong implementation support. Orca Professional Services is often preferred for quicker deployments and product-specific expertise.
What was our ROI?
Regarding the time to value from Orca Security, if it is a SaaS setup, it is immediate. For larger solutions like ERP or MSSP setups, it can take more than six months. But for security scanning, it is shorter since we pay only for what we use.
What's my experience with pricing, setup cost, and licensing?
Pricing was competitive for an enterprise-grade CNAPP platform, and the agentless architecture helped minimize deployment and maintenance costs. Licensing was straightforward, and the time-to-value was relatively fast compared to other cloud security solutions.
Which other solutions did I evaluate?
Among competitors like Trend Micro and Cisco, I compare Orca Security with offerings from those vendors based on features and costs.
In terms of objectives, I need functionality without paying a luxury price. The features offered by some competitors may be attractive, but what counts most is that Orca Security provides essential functions with lower costs.
What other advice do I have?
I cannot provide a straightforward answer about the time it takes to address cloud security alerts because different levels of alerts exist, and fixing each alert can vary depending on how alerts are configured. Policies play a crucial role in alert management.
If SaaS is available, customers prefer it due to low engagement compared to hybrid models. The cost savings on SaaS are quite attractive.
Orca Security's ability to combine functionalities of multiple tools into one platform is indeed one of its strongest points.
I would rate support at eight plus points. My personal rating for Orca Security as a service provider would be nine.
Which deployment model are you using for this solution?
Hybrid Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
RiteshWalia
Centralized cloud scanning has improved compliance and simplifies cross-account reporting
Reviewed on May 16, 2026
Review from a verified AWS customer
What is our primary use case?
Orca Security serves as a centralized solution within our organization that offers scanning of all issues found in our cloud accounts. We have AWS , Azure , and GCP , and Orca Security identifies best practices we are not following or configurations that are not optimal. Orca Security automatically finds these issues and generates reports for us.
For example, if we have any EBS volumes or file systems which are not encrypted, Orca Security scans all cloud resources and detects such misconfigurations. These issues are then flagged in the report and we act on them accordingly.
What is most valuable?
The best feature I appreciate about Orca Security is its reporting functionality. The dashboard is very clear and concise, and it helps filter multiple accounts by issue type. Exporting the dashboard into an Excel sheet provides a good user experience.
To ensure we remain compliant, Orca Security's dashboard is really helpful in tracking the issues we have, with the end goal of always being compliant with our compliance standards and organizational requirements. It helps significantly with that.
Orca Security has helped our organization become compliant and maintain high standards because any organization with multiple products needs to be compliant, especially when it comes to underlying infrastructure and cloud resources. Orca Security helps tremendously in that regard.
What needs improvement?
Orca Security could benefit from more agentic workflows, where agentic workflows could be integrated with Orca Security to provide a quick view of large reports and issues we have. Additionally, data analytics capabilities could be improved.
For how long have I used the solution?
I have been using Orca Security for the last five years.
What do I think about the stability of the solution?
Orca Security is quite stable.
What do I think about the scalability of the solution?
Scalability is good. So far, we have not faced any issues related to scalability when using it or the underlying infrastructure on AWS . It is quite responsive and we have not encountered any issues. Orca Security provides a highly scalable architecture for us.
Which solution did I use previously and why did I switch?
We have used only Orca Security.
What was our ROI?
We save a lot of time now. We have also implemented automations from our side so that people receive reports automatically, whether they are Orca Security IVM issues or Orca Security issues related to any resource. This has been really helpful.
Which other solutions did I evaluate?
We did not evaluate alternate solutions because this organization initiated Orca Security centrally. We do not have much control over it as I am just a user.
What other advice do I have?
The advice I would give is that you can make good use of the issues depending on different organizational use cases. Try your best to have all Orca Security issues into one dashboard and then export them. Additionally, making it more AI-enabled would be beneficial because when you have multiple Excel sheets exported with all the data, that data can be visualized in a better way. I would rate this review a 9.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
reviewer2817672
Automated cloud risk visibility has reduced manual checks and prioritizes real threats effectively
Reviewed on May 04, 2026
Review from a verified AWS customer
What is our primary use case?
My main use case for Orca Security is cloud security posture management for our cloud in the company.
A specific example of how I use Orca Security for cloud security posture management is that we connect Orca Security to our main cloud providers, it scans all of the configurations, and it lets us know if we have risks in our configurations and how to mitigate them, and also it helps us to prioritize those risks.
I would also like to add that we are evaluating using Orca Security for scanning Infrastructure as Code and scripts.
What is most valuable?
In my opinion, the best features Orca Security offers include the integration to our cloud services, which is smooth, easy, and plug and play, along with its effectiveness in prioritizing risks, taking into account all of the different factors that make a risk—not only vulnerabilities but also if you have sensitive data or if you have your cloud resources exposed, giving you the risk based on that context, which helps you to prioritize the risks to know where to mitigate first.
This has changed the way my team works and responds to threats because it saves us a lot of time and helps us to focus on the real risk rather than all of the alerts that we receive, as we have a lot; therefore, we cannot fix everything and need to prioritize, making the way that Orca Security prioritizes the risks key for us.
Orca Security has impacted my organization positively by giving us visibility on what is happening in the cloud and helping us detect risks fast. Before Orca Security, we did not have that visibility, and we had to manually check our cloud to understand if we had risks. Today, with Orca Security, we are comfortable and feel that we have the visibility that we need in the cloud to be sure that we do not have risks there.
What needs improvement?
I would add that the CDR, the Cloud Detection and Response that Orca Security offers, could be improved as it is not the best functionality that it offers. Orca Security is good at posture, but not at the response and alerting in real time.
Orca Security can be improved as it is very good at posture, but it does not detect attacks or behavioral attacks in the cloud on its own; it depends on other security features or logs like GuardDuty from Amazon, lacking its own intelligence to detect and respond to attacks.
Additionally, it could be useful if Orca Security has more context on the network and how the resources are exposed. For example, it could take into account that we have a firewall in front of an S3 in Amazon and understand that we do not have so much risk there because of that firewall, incorporating the network topology context, which today does not function as it should.
For how long have I used the solution?
I have been using Orca Security for three years.
What do I think about the stability of the solution?
In my experience, Orca Security is stable.
What do I think about the scalability of the solution?
Orca Security's scalability is quite good; it scales smoothly, and adding more resources or clouds is easy.
How are customer service and support?
Orca Security's customer support is not very good. We are practically alone; we do not use the support, and they are not very responsive.
Which solution did I use previously and why did I switch?
I did not previously use a different solution for cloud security.
How was the initial setup?
My experience with pricing, setup cost, and licensing is good. The costs are reasonable, licensing is clear, and the renewal process is good.
What was our ROI?
We do not see a return on investment in that way; rather, we see that we improve our risk posture, as we have detected risks that without Orca Security, we would not have detected. In that sense, I can say that it mitigates risks, but I do not have a metric on that.
What's my experience with pricing, setup cost, and licensing?
We do not have specific metrics; however, I can say that in the past, it took us two to three hours a week to do manual checks, whereas today with Orca Security, we just check the dashboard for ten minutes a day and that is all.
Which other solutions did I evaluate?
Before choosing Orca Security, I evaluated other options, specifically Wiz .
What other advice do I have?
My advice to others looking into using Orca Security is to access the console every day to see if you have risks, to try to stay close to customer support to understand new features, and to not rely on the CDR because it is not very effective. I rated this product an eight out of ten.
Marcus Cassilia
Cloud risk visibility has improved and security teams gain faster, more focused remediation
Reviewed on Apr 23, 2026
Review from a verified AWS customer
What is our primary use case?
When discussing the main use case for Orca Security , I am referring to implementations for my clients. I participate in several CSPM implementations for my company, but I cannot comment much on the customers due to confidentiality rules. The projects that I participate in typically involve a cloud environment that is already in production, such as AWS , Azure Cloud, or GCP . We create a context of the environment and connect multiple accounts for scanning all assets and containers in the cloud accounts of customers. We perform onboarding and create initial maps of risks. Orca Security supports remediation with clear technical evidence, objective remediation recommendations, and monitoring of risk reduction over time.
What is most valuable?
The best feature is Orca Side-Scanning. Because of this feature, the platform does not need to use agents for the detection of virtual machines, containers, and hosts. It can connect via a cloud-native API and perform out-of-band scanning using read-only access. Orca Side-Scanning has made things both easier and faster for security teams and for the people who have to act on findings. This platform is very useful for the maintenance of vulnerability in cloud environments, with the impact on the security team's workflow being a much faster time-to-value.
The Attack Path feature is a great option for the capabilities of Orca Security's strengths because it models network exposure, permissions, vulnerabilities, and trust relationships. This feature helps security teams think like attackers and identify high-impact risks.
What needs improvement?
In two implementation projects that I participated in, the customers reported difficulty with the options for generating specific reports. With these same customers, we had problems importing the custom tags from the connections in an AWS account. Orca Security needs report customization and custom collection, as well as custom tag collection improvements for the platform. Integration with Vulcan, a feature of Tenable, also needs improvement.
For how long have I used the solution?
I have been using Orca Security for about one year.
What do I think about the stability of the solution?
Orca Security is stable in my experience.
What do I think about the scalability of the solution?
The fact that Orca Security does not need to use local agents permits the scale-up for more assets in the environment to be easy.
How are customer service and support?
We have interacted with their support team, and it is good.
Which solution did I use previously and why did I switch?
Orca Security is my first experience with CSPM.
How was the initial setup?
I have experience in license and installation, but I do not have experience in pricing because I am participating in the technical team.
What about the implementation team?
I only participate in the implementation, but all the customers report good results from using Orca Security.
What other advice do I have?
Orca Security typically delivers three major positive changes, in my opinion: a faster understanding of risks in cloud environments, better prioritization, and less noise. Orca Security enables collaboration between security and cloud teams for better troubleshooting and monitoring of the cloud environment. There is a faster time to visibility and results, along with a high reduction in security noise. I have a case of a customer who managed to significantly reduce the number of vulnerabilities in a team of development for web software and also in maintenance for virtual machines and containers for this environment.
The deployment of Orca Security in my organization depends on which client is doing the implementation.
The cloud providers my clients use most often with Orca Security are AWS and GCP .
I would suggest they test it and talk to Orca Security representatives because it will be a very positive experience for their company. I rate this product an eight out of ten.