Orca Security CNAPP Cloud Security Platform logo

    Orca Security CNAPP Cloud Security Platform

    Agentless Cloud Security in a Single, Complete Platform with 100% Coverage

    Ratings and reviews

    4.7
    322 ratings
    2 star
    1 star
    77%
    22%
    1%
    0%
    0%
    23 AWS reviews
    |
    299 external reviews
    External reviews are from G2  and PeerSpot .

    Filters

    Review type

    AWS Marketplace reviews
    External reviews
    Reviews (322)
    Avraham Goldawsser

    Cloud security has become unified with agentless visibility, faster remediation, and better compliance

    Reviewed on Jul 14, 2026
    Review from a verified AWS customer

    What is our primary use case?

    My main use case for Orca Security is cloud security, and we integrated AppSec in the last year.

    What is most valuable?

    Orca Security offers good security as a CSPM, runtime security with the real-time security agent on Kubernetes, and excellent visual representation to see what is really going on. The visual representation helps me understand where our gaps are and what needs to be fixed through remediations. In terms of AppSec, it provides entire connectivity with some missing parts, but mainly the Git parts with the repos allow me to see everything, how it is integrated, and to assess its risks. The SCA with the SAST is also crucial.

    The feature that stands out the most for me is that it is agentless, so I have simple connectivity where I can see everything in one place. If there are misconfigurations, security risks, or misconfiguration gaps, I can be alerted and set up custom alerts and non-custom alerts, allowing our security team to observe these alerts and take action.

    Orca Security has positively impacted my organization mainly through use by the security team, but we also use it for compliance reports. We can set the compliance standards we want to adhere to in Orca Security, and then I can check in which areas of each resource or organization-wide efforts comply with those standards. This is really useful to know where our compliance gaps are.

    Risk detection and identification capabilities of Orca Security are great and really useful. They had too many false positives in the past, but over time, with their improvements, probably due to UBA or something similar, it has really improved.

    What needs improvement?

    Orca Security can be improved by adding more connectivity and more integrations because the world is moving so fast that having integrations is really poor compared to other vendors.

    What is also missing with Orca Security is more robust AI security. Even though they have something, it is still really immature. We need better observability, and not only for cloud-based issues but also for any AI LLMs to ensure real security over AI.

    Regarding Orca Security's AI capabilities, I think it is still immature and we are missing some introduction to it. In terms of Orca Security's accuracy and reliability of output, I find that it is still immature, so I have a gap over there.

    For how long have I used the solution?

    I have been using Orca Security for the last four years.

    What do I think about the stability of the solution?

    I find Orca Security stable.

    What do I think about the scalability of the solution?

    Orca Security's scalability is great and I have not seen any faults.

    How are customer service and support?

    The customer support from Orca Security is the best and it is really good. I would rate the customer support a ten.

    Which solution did I use previously and why did I switch?

    We did not previously use a different solution. We conducted a POC with other solutions, and at the end of the day, after checking everything, it was my choice to go with Orca Security.

    How was the initial setup?

    I purchased Orca Security through the AWS Marketplace.

    What was our ROI?

    Orca Security has helped my organization reduce the time it takes to address cloud security alerts, and it does so very fast. Its visualization of the alerts, including custom alerts, makes it really efficient. Today, it is integrated with our SOC team.

    I have utilized Orca Sensor for Cloud Detection and Response, CDR, and it has been effective in providing runtime visibility and security. This was the main part because we started with CDR straight at the beginning before doing anything else, and it was good.

    Orca Security has helped in preventing risks and attacks across my application lifecycle if it is about secrets, exposed secrets, or vulnerable packages within the CI/CD pipeline, which were detected through the pipeline. It has full integration with GitHub or other tools such as Azure DevOps.

    Which other solutions did I evaluate?

    Before choosing Orca Security, we evaluated other options, including Prisma Cloud, which is now in Cortex, Wiz, and Uptime.

    What other advice do I have?

    I rate Orca Security a ten out of ten. I chose this rating because we started with Orca Security when it was a new kind of competition to Wiz. We went with Orca Security because of its support, which is one of the best third-party supports we have. They made a really big jump over the last two years, especially in the last year where they changed almost everything, from visualization to reducing false positives, and now they categorize alerts separately compared to what it was earlier, making this really useful. My advice for others looking into using Orca Security is to really consider them. I have given this advice before, and I know that some have taken my advice and moved forward with Orca Security. My overall rating for Orca Security is ten.

    Kevin J.

    Orca Gives Us a Single View of AI Agent Risk Across AWS, Azure, and GCP

    Reviewed on Jul 11, 2026
    Review provided by G2
    What do you like best about the product?
    We build across AWS, Azure, and GCP. Different teams own each cloud and ship features independently, and our AI agents follow those same paths, calling services across multiple providers at once. Before Orca, that meant three different stories about where the agents lived and what they could reach. Orca connects to every account and subscription and gives us a single, contextual view of the risk tied to the AI agents and the services our business depends on. Our CISO can see the agents, their identities, and their blast radius across clouds in one place instead of chasing separate dashboards.
    What do you dislike about the product?
    Cloud specialists sometimes want more provider-specific detail at the top level, but the ability to drill down is there. Our teams have found a good balance between the unified agent view and the depth available for each cloud.
    What problems is the product solving and how is that benefiting you?
    It lets us run one coherent security program for both AI agents and traditional workloads across all our clouds, at the pace our teams ship. Agents that cross provider boundaries are now part of the same overall picture, so we can see their full multicloud blast radius instead of treating each provider as a separate silo.
    Santo J.

    Orca Makes Serverless Security Clear and Actionable

    Reviewed on Jul 10, 2026
    Review provided by G2
    What do you like best about the product?
    Our teams leaned hard into serverless. Developers, analysts, and even marketers writing Python scripts ended up shipping Lambda functions that touched important data. Traditional tools treated those functions as an afterthought. Orca sees serverless as part of the same unified risk surface, showing permissions, data access, and exposure in the context of the features we’re building. It lets our CISO enable that speed of creation instead of asking teams to slow down.
    What do you dislike about the product?
    We still rely on separate tools for performance and latency, so we’ve had to be clear internally about which findings are security-related versus operational. That distinction is straightforward to make.
    What problems is the product solving and how is that benefiting you?
    It makes our serverless estate visible to security at the same speed it was actually created, without forcing builders to change how they deploy. That visibility has been especially useful as more of our AI agents invoke the serverless functions as part of their day-to-day work.
    Pious C.

    Orca Brings Clear, Actionable Context to Kubernetes Security at Scale

    Reviewed on Jul 10, 2026
    Review provided by G2
    What do you like best about the product?
    Our Kubernetes footprint grew faster than our security efforts could keep up with. Engineers and analysts were pushing workloads across clusters, and misconfigurations were getting lost in the complexity. Orca surfaces Kubernetes issues in the same unified context as everything else, and it helps show which misconfigurations are actually reachable from the internet or from the identities tied to our critical services. It also makes it clearer which Kubernetes misconfigurations sit on the paths that the AI agents, or the services they drive, could realistically reach. That added context is what lets a small team keep up with the clusters that power the features our business depends on.
    What do you dislike about the product?
    Some of the Kubernetes terminology in the findings required a quick internal primer for non-cluster specialists, but once that foundation was in place, the insights became much easier to understand and act on.
    What problems is the product solving and how is that benefiting you?
    It gives us one place to see and prioritize Kubernetes risk alongside the rest of our estate, so the services that drive what we create stay safe without slowing down the teams shipping them.
    Deepika C.

    Orca Cuts Container CVE Noise and Highlights Real Exposure Along AI Agent Paths

    Reviewed on Jul 09, 2026
    Review provided by G2
    What do you like best about the product?
    We used to drown in container CVE lists that didn’t reflect how our teams—or the AI agents—actually use those services. Developers were shipping images quickly, product managers were prototyping and pushing features, and the agents were calling into containers in ways that security couldn’t easily prioritize.

    Orca shows which container vulnerabilities sit on the assets that are truly exposed, and more importantly, which ones fall along the paths our AI agents and their tools actually traverse. It filters out the noise and surfaces the container risks that could affect real agent workflows, not just theoretical package issues.
    What do you dislike about the product?
    The container view had a lot of depth, so we spent some time tuning the filters and groupings to match how our teams and the agents use services and environments. That tuning made it much easier for both builders and security to focus on the container risks that affect agent-driven paths.
    What problems is the product solving and how is that benefiting you?
    It turned container vulnerability management into something we can actually keep up with at the speed our builders and agents ship. Because Orca ties container findings to the AI agents that depend on them, we can focus our effort on the risks that could truly impact agent workflows and the data behind them, instead of spending time on issues that never sit on a real path.
    Sania J.

    Orca Surfaces Hidden Agentic Workflows and Helps Govern Access Fast

    Reviewed on Jul 08, 2026
    Review provided by G2
    What do you like best about the product?
    The CISO here is accountable for everyone who ships: the developer, the data scientist, the analyst deploying the agents, the PM, and even the marketer writing Python. Last month, an analyst spun up an agentic workflow with access to multiple internal systems, and nobody had told Security. Orca surfaced it, mapped what the agent could reach, and we were able to govern it before it became an exposure.
    What do you dislike about the product?
    With so much consolidated into one platform, we decided to rethink some internal team boundaries around who owns agents and their policies. More than anything else, that shift has improved clarity.
    What problems is the product solving and how is that benefiting you?
    This made it possible for one accountable leader to truly enable every builder and every agent across the company, instead of chasing risk one tool at a time.
    Juan C.

    Orca’s Unified Data Model Made Agentic Workflow Governance Clear and Actionable

    Reviewed on Jul 07, 2026
    Review provided by G2
    What do you like best about the product?
    The CISO here was accountable for everyone who ships: the developer, the data scientist, the analyst deploying the agents, the PM, and the marketer writing the Python. Last month, an analyst spun up an agentic workflow with access to multiple internal systems, and nobody had told security. Orca surfaced it, mapped what the agent could reach, and we were able to govern it before it became an exposure. That’s what the unified data model actually means in practice: code, cloud, AI services, and now agents, all in one place.
    What do you dislike about the product?
    With so much consolidated into one platform, we decided to rethink some internal team boundaries around who owns the agents and their policies. That change improved clarity more than anything else.
    What problems is the product solving and how is that benefiting you?
    It has made it possible for one accountable leader to actually enable every builder and every agent across the company, instead of chasing risk tool by tool.
    Nasir S.

    Orca Brings Clear Visibility Into Each Agent’s Tools, Services, and Data Paths

    Reviewed on Jul 07, 2026
    Review provided by G2
    What do you like best about the product?
    Our agents can call tools, hit APIs, and read from data sources, but until Orca we didn’t have a clear map of exactly which combinations were possible. Orca shows, for each agent, which tools it can invoke, which services it can reach, and what data stores sit behind those paths. That makes it obvious when an agent’s tool stack is broader than its job.
    What do you dislike about the product?
    We aligned the Orca tool and data labels with our internal naming conventions, which made it easier for builders to immediately recognize their own stacks.
    What problems is the product solving and how is that benefiting you?
    This turns agent capabilities from an opaque bundle of permissions into a clear set of tool and data relationships, so we can design agent roles without the blind flying.
    Alphonse S.

    Orca Delivers Crucial Visibility Into AI Agent Permissions and Blast Radius

    Reviewed on Jul 06, 2026
    Review provided by G2
    What do you like best about the product?
    The analyst spun up the AI agent with access to fourteen internal systems. Orca mapped the trust relationships the agent could traverse and surfaced the blast radius of its permissions well before we would have tripped over it during an incident. Shadow agents and their access used to be a complete blind spot for us, but now, as part of our regular posture reviews, we can quickly see what any new agents are able to reach. That visibility is really the only way to govern this stuff at the speed people are creating it.
    What do you dislike about the product?
    The agent and the identity graph have a lot of depth, so we spent some time learning how to read them properly. That effort has paid off in the quality of the insights we’re now getting.
    What problems is the product solving and how is that benefiting you?
    It gave us practical governance over the AI agents and their access before they turned into an incident. That way, we can discover issues and shrink our exposure up front, instead of learning about it the hard way after something breaks.
    Sahil K.

    Smarter Alert Context and Prioritization That Streamlines Our Security Workflow

    Reviewed on Jul 06, 2026
    Review provided by G2
    What do you like best about the product?
    Agents were being created in different clouds and business units , and nobody had a single list for what was running where, Orca effectively gives us an Ai agent restrict a unified view showing which agents exist, which accounts they live in ,what system, they touch wand who owns them. That registry like visibility means the CISO no longer has how many agents dow we even have.
    What do you dislike about the product?
    We chose to tag agents with owners and business units inside Orca and the small amount of work has paid off in every risk review since.
    What problems is the product solving and how is that benefiting you?
    This replaces the guesswork around AI agent inventory with a reliable, continuously updated picture, which is essential when agents are being created as quickly as new features.