Sold by: Orca Security CNAPP
Deployed on AWS
Free Trial
Vendor Insights
Quick Launch
Agentless Cloud Security in a Single, Complete Platform with 100% Coverage
4.6
Overview
Orca Security is the true Cloud Native Application Protection Platform (CNAPP) that identifies, prioritizes, and remediates risks and compliance issues across all of your workloads, configurations, and identities on AWS. Orca offers the industrys most comprehensive cloud security solution in a single platform, eliminating the need to deploy and maintain multiple point solutions.
FAST TIME TO VALUE: The Orca CNAPP Platform is agentless first, and connects to your environment in minutes using patented SideScanning™ technology that provides deep and wide visibility into your cloud environment, without requiring agents. In addition, Orca offers a lightweight agent for organizations that require real-time protection for critical workloads.
RISK PRIORITIZATION: Orca effectively prioritizes risks by applying a granular risk score to each alert, and recognizes when seemingly unrelated issues can be combined to create dangerous attack paths straight to your crown jewels.
FULL SDLC SECURITY: The Orca platform shifts security left by seamlessly integrating into the CI/CD process so that applications can be secured from code to cloud and back.
AI-POWERED: Orca is at the forefront of leveraging Generative AI for simplified investigations and accelerated remediation, reducing required skill levels and saving cloud security, DevOps, and development teams time and effort, while significantly improving security outcomes.
PURPOSE-BUILT CNAPP: Orca unifies many different point solutions in one platform, including CSPM, CWPP, CIEM, DSPM, Container security, API security, AI-SPM, and much more.
Sign up for a demo to uplevel your cloud security and get the fastest time to value available in the industry: https://orca.security/demo/
Additional platform licensing options are not shown in this listing but are available via Private Offer. Please email aws@orca.security .
Highlights
- Visibility to all your IAAS and PAAS assets including EC2, Containers, S3 buckets using account level read only permissions
- Detect compromises, vulnerabilities and risky configuration within minutes
- No impact on your assets, grows automatically with your cloud account
Get personalized pricing in minutes - New
If qualified, an express private offer gets you custom pricing and terms. Finalize your purchase in the AWS Marketplace console.
Details
Sold by
Categories
Delivery method
Deployed on AWS
Features and programs
Trust Center
Access real-time vendor security and compliance information through their Trust Center powered by Drata or Vanta. Review certifications and security standards before purchase.
Buyer guide
Gain valuable insights from real users who purchased this product, powered by PeerSpot.
Financing for AWS Marketplace purchases
AWS Marketplace now accepts line of credit payments through the PNC Vendor Finance program. This program is available to select AWS customers in the US, excluding NV, NC, ND, TN, & VT.
Quick Launch
Leverage AWS CloudFormation templates to reduce the time and resources required to configure, deploy, and launch your software.
Skip the manual risk assessment. Get verified and regularly updated security info on this product with Vendor Insights.
Security credentials achieved
(2)
ISO27001
AWS Security Specialization
Pricing
Free trial
Try this product free according to the free trial terms set by the vendor.
Pricing is based on the duration and terms of your contract with the vendor. This entitles you to a specified quantity of use for the contract duration. If you choose not to renew or replace your contract before it ends, access to these entitlements will expire.
Additional AWS infrastructure costs may apply. Use the AWS Pricing Calculator to estimate your infrastructure costs.
Dimension | Description | Cost/month |
|---|---|---|
Small | Small starter pack of concurrent workloads (EC2) per month | $7,000.00 |
Small-Medium | Small-Medium starter pack of concurrent workloads (EC2) per month | $12,000.00 |
Medium | Medium starter pack of concurrent workloads (EC2) per month | $17,000.00 |
Large | large starter pack of concurrent workloads (EC2) per month | $30,000.00 |
Vendor refund policy
Contact us
Custom pricing options
Request a private offer to receive a custom quote.
Legal
Vendor terms and conditions
Upon subscribing to this product, you must acknowledge and agree to the terms and conditions outlined in the vendor's End User License Agreement (EULA) .
Content disclaimer
Vendors are responsible for their product descriptions and other product content. AWS does not warrant that vendors' product descriptions or other product content are accurate, complete, reliable, current, or error-free.
Delivery details
Software as a Service (SaaS)
SaaS delivers cloud-based software applications directly to customers over the internet. You can access these applications through a subscription model. You will pay recurring monthly usage fees through your AWS bill, while AWS handles deployment and infrastructure management, ensuring scalability, reliability, and seamless integration with other AWS services.
Support
Vendor support
AWS infrastructure support
AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.
Updated weekly
By Orca Security CNAPP
By Aqua Security Software Inc.
Top
10
In Monitoring, Application Development
Top
25
In Observability, Software Development
Top
10
In Container Workloads
Sentiment is AI generated from actual customer reviews on AWS and G2
Functionality
Ease of use
Customer service
Cost effectiveness
Positive reviews
Mixed reviews
Negative reviews
AI generated from product descriptions
Agentless Cloud Security Architecture
Agentless-first approach using patented SideScanning technology that provides deep visibility into cloud environments without requiring agent deployment
Risk Prioritization and Attack Path Analysis
Granular risk scoring applied to each alert with capability to identify and correlate seemingly unrelated issues into dangerous attack paths
Unified Cloud Security Platform
Single platform consolidating multiple security functions including CSPM, CWPP, CIEM, DSPM, Container security, and API security
CI/CD Integration for Application Security
Seamless integration into CI/CD process to secure applications from code to cloud deployment
AI-Powered Investigation and Remediation
Generative AI capabilities for simplified security investigations and accelerated remediation workflows
Offensive Security Engine
Simulates external exploits to produce Verified Exploit Paths for prioritizing exposures that are reachable by outside attackers and reducing cloud attack surface.
Cloud Security Posture Management
Continuously monitors and manages security of AWS configurations to prevent public exposure and ensure compliance.
Secrets Scanning
Identifies more than 750 types of secrets across public and private repositories.
Cloud Infrastructure Entitlements Management
Detects and manages excessive or unused permissions to mitigate the risk of privilege escalation.
Real-Time Malware Detection
Detects malware including zero-days in milliseconds with scanning performed directly in cloud environment for object storage services like Amazon S3 and file storage services.
Multi-Workload Security Coverage
Unified platform securing containers, serverless, Kubernetes, and AI workloads across AWS, on-premises, and multi-cloud environments
Runtime Threat Detection and Enforcement
Runtime protection to detect threats, block malicious activity, and enforce compliance in production across all cloud native workloads
AI and LLM Security Governance
Purpose-built AI workload security to govern large language models and generative AI applications with model abuse detection and policy enforcement
Full Lifecycle Security
Security coverage across the entire software development lifecycle from code development through production deployment
Compliance and Authorization Standards
FedRAMP High authorization enabling compliance with rigorous security and regulatory standards
Validated by AWS Marketplace
FedRAMP
GDPR
HIPAA
ISO/IEC 27001
PCI DSS
SOC 2 Type 2
-
-
-
-
-
No security profile
-
-
-
Standard contract
No
No
No
Customer reviews
Harsh Harsh
Cloud security has improved as we identify vulnerabilities and address risks proactively
Reviewed on Jun 04, 2026
Review from a verified AWS customer
What is our primary use case?
I have used Orca Security for one year while working for a client where we set up Orca Security to scan our environment and identify vulnerabilities.
The main use case for using Orca Security is to identify vulnerabilities in our environment so that we can address them before any issues occur.
In one of our projects in GCP , we purchased Orca Security from the marketplace, which was enabled in our account at the organization level.
What is most valuable?
The main feature that I appreciated about Orca Security is that it is 100% agentless and context-aware, meaning it understands what it is doing.
The primary benefit is that it provides us with CVEs, through which I can identify the vulnerabilities in our security posture.
In the long run, as a security tool, it has helped us improve our security posture.
What needs improvement?
There is one issue that I encountered: when Orca Security provides CVEs and we attempt to implement its solutions, sometimes those solutions are not available on the cloud and cannot be implemented.
My main concern is the integration of Orca Security with generative AI for remediation inquiry.
Another concern I have is around the guardrails.
The primary improvement that Orca Security needs is to enhance its remediation steps based on the cloud platform being used.
For how long have I used the solution?
I have been working in my current field for the past five or more years.
What do I think about the stability of the solution?
Orca Security has been stable in my experience.
What do I think about the scalability of the solution?
Orca Security is internally based on cloud infrastructure and is 100% agentless, so it does not require significant scalability considerations.
How are customer service and support?
Customer support is also good. I would rate it a 10 because they respond properly and communicate effectively.
Which solution did I use previously and why did I switch?
Previously, I used to install an open-source tool to understand my security posture, which required some additional infrastructure investment.
I was using the native GCP Security Command Center.
How was the initial setup?
We purchased Orca Security from the AWS Marketplace .
What's my experience with pricing, setup cost, and licensing?
I am aligned with the pricing, as it is not that costly.
Which other solutions did I evaluate?
I did evaluate open-source tools, Orca Security, native open-source tools, and cloud-native tools as well.
What other advice do I have?
When Orca Security provides CVEs, clicking on them gives suggestions about what can be done to resolve the issue.
I would advise others to use Orca Security because of the rich features that it offers.
I would rate this review a 9.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Krishnakumar-M
Integrated cloud risks have been managed centrally and security posture improves continuously
Reviewed on Jun 04, 2026
Review from a verified AWS customer
What is our primary use case?
Of my three customers, one is using Orca Security , and two are not using it. There are plenty of use cases available for Orca Security , and I can provide more details.
Orca Security is very good for faster management due to their CNAP, which stands for Cloud Native Application Protection Platform. It consolidates CSPM, CWPM, CWPP , and CAEM, which includes entitlement management and vulnerability scanning. Orca Security consolidates these solutions into a single platform. If I buy Orca Security, I can check data-related security posture management across various domains, including security and multi-cloud compliance. We put security at the forefront rather than waiting until project completion to engage security. It is important to place security in the field, and Orca Security is a very good tool for that.
Orca Security is an agentless vulnerability scanner, meaning we do not need to run any agents. The first use case is for consolidating various solutions into one. The second use case is agentless vulnerability scanning, and the third use case is for multi-cloud security. Some customers might have different cloud environments that can lead to vulnerabilities if not carefully managed, especially in stringent scenarios like FedRAMP. Orca Security is quite effective in these aspects, particularly for government and semi-government scenarios.
Orca Security serves to analyze configurations against what is optimally used and identify gaps. It identifies when servers are underutilized. For example, if a server is supposed to be at least eighty-eight percent utilized and is running below one percent, that results in unnecessary costs. This gap analysis is something every synaptic tool, including Orca Security, supports for cost optimization.
How has it helped my organization?
Orca Security has improved our cloud security visibility, streamlined vulnerability management, reduced alert fatigue through risk-based prioritization, and helped us remediate critical issues faster while maintaining compliance across our cloud environments.
What is most valuable?
Orca Security excels in identifying risks. If posture management is configured well, the tool performs effectively in identifying risks. I appreciate the tool as it finds various issues. In today's AI era, we see many new challenges, including tool poisoning and broken paths, which Orca Security identifies effectively. The tool captures all the risks related to entitlement management as well, focusing on the segregation of duties to minimize risks.
We use AI across the cloud environment, which helps in automating and remediating issues while enabling organizations to connect fragmented data for faster investigations and prioritizing measurable risks. Orca Security has seven distinct positive risks, including token theft and command injections, which are vital for security posture management.
What needs improvement?
I think Orca Security should be more SMB friendly since I mostly work with enterprise customers who have more budget. Orca Security could include options for smaller businesses and improve on areas like agentless functionalities and cost efficiency for small-scale deployments.
I work in an SMB organization and find Orca Security quite expensive. They typically offer some credit periods to conduct proofs of value for various products.
For enterprises, I find Orca Security to be fairly priced, whereas it is a bit more expensive for SMBs.
For how long have I used the solution?
Everything is around five years, and I have been using it for the whole thing because I have been in this field since nineteen ninety-five. All these tools are five years old, maximum of five to six years old. In fact, they were born during my tenure.
What do I think about the stability of the solution?
Yes, Orca Security is generally considered a stable and mature enterprise-grade CNAPP (Cloud-Native Application Protection Platform) rather than an emerging startup product. However, stability can be viewed from three perspectives in my personal opinion, they are
1. Product Stability
2. Company Stability
3. Operational Stability
What do I think about the scalability of the solution?
Yes. Scalability is actually one of the strongest differentiators of Orca Security compared to traditional agent-based cloud security platforms.
1. Agentless Architecture Eliminates Deployment Bottlenecks
Traditional CWPP and EDR-style cloud security solutions require agents on every VM, Kubernetes node, or workload. As organizations grow from hundreds to tens of thousands of cloud assets, agent deployment, upgrades, troubleshooting, and performance management become significant operational challenges.
Orca uses its patented Side Scanning™ technology to scan cloud workloads directly from cloud-provider storage snapshots and APIs without deploying agents. This means:
- No agent rollout projects
- No agent lifecycle management
- No performance impact on workloads
- New assets are automatically discovered and assessed
This architecture allows organizations to onboard large multi-cloud environments much faster than agent-centric solutions.
2. Designed for Large Multi-Cloud Estates
Orca supports:
- AWS
- Azure
- Google Cloud
- Oracle Cloud
- Alibaba Cloud
- Kubernetes environments
A large enterprise running thousands of subscriptions, accounts, projects, containers, and serverless workloads can manage them from a single platform and unified data model.
For organizations like:
- Global banks
- Telecom providers
- Retail giants
- SaaS companies
this becomes important because security teams do not need separate tools for CSPM, CWPP, CIEM , DSPM, vulnerability management, and container security.
3. Automatic Discovery of New Resources
One common scaling problem in cloud environments is asset churn:
- New VMs
- New Kubernetes clusters
- Auto-scaling groups
- Temporary containers
- Serverless functions
Orca automatically discovers and monitors newly created cloud assets without requiring manual updates or security onboarding processes. This is particularly valuable in DevOps-heavy environments where infrastructure changes continuously.
4. Unified Data Model Reduces Operational Complexity
Many enterprises end up with:
all generating separate alerts.
Orca's Unified Data Model correlates:
- Vulnerabilities
- Misconfigurations
- IAM risks
- Sensitive data exposure
- Attack paths
into a single risk graph. This helps maintain operational scalability because the security team is not overwhelmed as cloud assets increase.
How are customer service and support?
Orca Security's technical support is very good, aligning with my consulting operations, and I have not received any escalations.
Which solution did I use previously and why did I switch?
In identifying risks with previous products, there are notable pros and cons between agent-based and agentless solutions. Agentless tools eliminate orchestration concerns, while agent-based tools allow more granular control and calculations.
How was the initial setup?
The initial setup is straightforward, but I find it a bit complex due to the learning curve involved, which requires thorough guidance during the first configuration.
What about the implementation team?
Yes, many organizations use either Orca Security Professional Services or partners such as Accenture, Deloitte, or Optiv for deployment. The feedback is generally positive, with customers highlighting fast onboarding, minimal operational overhead due to the agentless architecture, and strong implementation support. Orca Professional Services is often preferred for quicker deployments and product-specific expertise.
What was our ROI?
Regarding the time to value from Orca Security, if it is a SaaS setup, it is immediate. For larger solutions like ERP or MSSP setups, it can take more than six months. But for security scanning, it is shorter since we pay only for what we use.
What's my experience with pricing, setup cost, and licensing?
Pricing was competitive for an enterprise-grade CNAPP platform, and the agentless architecture helped minimize deployment and maintenance costs. Licensing was straightforward, and the time-to-value was relatively fast compared to other cloud security solutions.
Which other solutions did I evaluate?
Among competitors like Trend Micro and Cisco, I compare Orca Security with offerings from those vendors based on features and costs.
In terms of objectives, I need functionality without paying a luxury price. The features offered by some competitors may be attractive, but what counts most is that Orca Security provides essential functions with lower costs.
What other advice do I have?
I cannot provide a straightforward answer about the time it takes to address cloud security alerts because different levels of alerts exist, and fixing each alert can vary depending on how alerts are configured. Policies play a crucial role in alert management.
If SaaS is available, customers prefer it due to low engagement compared to hybrid models. The cost savings on SaaS are quite attractive.
Orca Security's ability to combine functionalities of multiple tools into one platform is indeed one of its strongest points.
I would rate support at eight plus points. My personal rating for Orca Security as a service provider would be nine.
Which deployment model are you using for this solution?
Hybrid Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
James T.
Orca Delivers Strong Multi-Cloud Visibility for Our High-Traffic Luxury PropTech Platform
Reviewed on Jun 04, 2026
Review provided by G2
What do you like best about the product?
We operate a premium, high-traffic marketplace and property technology platform for luxury real estate, high-end vacation rentals, and custom smart home integrations. Our multi-cloud environments across AWS and Azure host massive amounts of data, including high-resolution 3D virtual home tours, client financial records, and sensitive identity documentation.
What do you dislike about the product?
The initial dashboard layout can feel overwhelmingly loud. Because Hogar Dorado hourse inherited a fair amount of staging environments and legacy asset databases during the recent platform expansion, Orca instantly flagged thousands of low-priority vulnerabilities on day one.
What problems is the product solving and how is that benefiting you?
Before Orca, we had visibility gaps around orphaned testing environments and shadow IT projects spun up by regional development teams. Orca unifies our cloud security posture into a single dashboard and automatically helps us identify vulnerabilities.
Anil S.
Clear, Agentless Cloud Risk Visibility with Smart Prioritization
Reviewed on Jun 03, 2026
Review provided by G2
What do you like best about the product?
Orca gives us a clear view of vulnerabilities, misconfigurations, and security risks across our cloud environment. Because it’s agentless, the setup was straightforward, and we were able to get it implemented and start monitoring resources quickly. I also appreciate the risk prioritization, which helps us focus on the most important findings rather than spending time chasing low-impact issues.
What do you dislike about the product?
The platform offers a wide range of capabilities, which can feel a bit overwhelming at first. A clearer starting point or guidance would help with the initial learning curve. Also, some reports could be more customizable to better match specific business requirements.
What problems is the product solving and how is that benefiting you?
It helps us centralize cloud security monitoring and reduces our reliance on multiple tools. Having everything in one platform improves visibility, and it’s easier to identify and address risks before they turn into bigger problems. Overall, it has saved us time and strengthened our security management process.
Ryan F.
Fast, Agentless Cloud Visibility with Practical Risk Prioritization
Reviewed on Jun 02, 2026
Review provided by G2
What do you like best about the product?
What I appreciate most is how quickly we gained clear visibility into our cloud environment. The agentless approach eliminated many of the usual deployment concerns, and the platform started surfacing meaningful findings right away. The risk prioritization feels practical and makes it easier to distinguish truly critical issues from lower-priority items. Having security, compliance, and vulnerability information consolidated in one place is also a major advantage.
What do you dislike about the product?
The interface is generally easy to use, although some of the more advanced features take a bit of extra exploration to figure out. I’d also appreciate more customization options for reporting, as that would make it easier to tailor reports to my needs.
What problems is the product solving and how is that benefiting you?
It helps us maintain a clearer understanding of cloud security risks without adding operational complexity. The centralized visibility makes it easier for teams to spot and resolve issues more quickly. As a result, we spend less time pulling information together and more time focusing on improving our security posture.