Orca Security (AI-Powered)

Agentless cloud security with AI risk prioritization

Overall Rating: Unrated
Pricing: Enterprise
Last Verified: Apr 2026
Tags: cloud-security, vulnerability-management, posture-management

What works

  • Agentless SideScanning technology eliminates deployment friction
  • Unified cloud security platform covers multiple domains
  • AI-driven alert prioritization reduces noise
  • Good multi-cloud support across AWS, Azure, and GCP

What doesn't

  • Limited to cloud workloads with no on-prem coverage
  • Alert volume can be overwhelming before tuning
  • Pricing scales with cloud growth which surprises buyers
  • Some detection gaps in containerized and serverless environments

Overview

Orca Security is an agentless cloud security platform that scans workloads, configurations, identities, and data across AWS, Azure, GCP, Alibaba Cloud, and Oracle Cloud. Founded in 2019 by former Check Point executives, Orca pioneered the "SideScanning" approach — reading cloud workload disk snapshots and memory through the cloud provider's APIs rather than deploying agents inside the workloads. This agentless architecture was revolutionary when it launched and has since been adopted (or at least attempted) by virtually every cloud security vendor, including Wiz, which built its entire platform on a similar concept.

Orca has positioned itself as a unified cloud security platform that covers CSPM (cloud security posture management), CWPP (cloud workload protection), vulnerability management, identity security, data security, container security, API security, and AI security posture management — all from a single agentless scanner. The breadth is ambitious, and Orca delivers meaningful capability across all of these areas, though the depth varies. Some modules (CSPM, vulnerability management) are mature and competitive with best-of-breed alternatives. Others (API security, AI-SPM) are newer and less developed.

The company has raised over $730 million in funding and serves a significant enterprise customer base, though it competes fiercely with Wiz for the same accounts. The Orca vs. Wiz question is one of the most common comparisons in cloud security, and we'll address it directly in this review because it's impossible to evaluate Orca without acknowledging the elephant in the room.

How It Works

Orca's core technology is SideScanning. Instead of deploying agents inside your cloud workloads, Orca takes read-only snapshots of workload volumes through the cloud provider's native APIs and analyzes them externally. This lets Orca scan the full software bill of materials, find vulnerabilities, detect malware, identify misconfigurations, and discover sensitive data without any performance impact on running workloads and without deploying any software inside the workload itself. The scanning is continuous — Orca re-scans workloads regularly to detect changes.

The agentless approach has significant practical advantages: no deployment project, no agent maintenance, no performance impact, no compatibility issues with specialized workloads (GPU instances, containers, serverless functions). It also means Orca can scan workloads that agents can't reach — dormant VMs, paused containers, snapshots, and machine images in registries. The coverage is inherently more complete because there's nothing to install and nothing that can fail or fall out of date.

Orca builds a graph model of your cloud environment that maps relationships between resources, identities, network configurations, and data. This graph enables attack path analysis — showing how an attacker could chain together multiple vulnerabilities and misconfigurations to reach a high-value target. For example: "This publicly accessible VM has a critical vulnerability that could allow code execution, and the VM's IAM role has access to an S3 bucket containing customer PII." That chain of findings, presented as a visual attack path, is considerably more useful than a flat list of individual findings.
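To make the difference between a flat finding list and an attack path concrete, here is a small added example (not Orca's code or data model) that walks a constructed resource graph from the internet to sensitive data. All node names, attributes and edge labels are hypothetical.

```python
# Constructed sample environment; every name here is hypothetical.
NODES = {
    "internet":        {"kind": "source"},
    "vm-web-1":        {"kind": "vm", "critical_vuln": True},
    "vm-batch-2":      {"kind": "vm", "critical_vuln": True},
    "role-web":        {"kind": "iam_role"},
    "role-batch":      {"kind": "iam_role"},
    "s3-customer-pii": {"kind": "bucket", "sensitive": True},
    "s3-logs":         {"kind": "bucket"},
}
# Directed edges: (from, to, relationship)
EDGES = [
    ("internet",   "vm-web-1",        "network_reachable"),
    ("vm-web-1",   "role-web",        "assumes_role"),
    ("role-web",   "s3-customer-pii", "can_read"),
    ("role-web",   "s3-logs",         "can_read"),
    ("vm-batch-2", "role-batch",      "assumes_role"),
    ("role-batch", "s3-customer-pii", "can_read"),
]

def flat_findings(nodes):
    """The flat view: every workload with a critical vulnerability."""
    return sorted(n for n, a in nodes.items() if a.get("critical_vuln"))

def find_attack_paths(nodes, edges, source="internet"):
    """Return every simple path from `source` to a node marked sensitive."""
    adj = {}
    for src, dst, _rel in edges:
        adj.setdefault(src, []).append(dst)
    paths, stack = [], [[source]]
    while stack:
        path = stack.pop()
        attrs = nodes[path[-1]]
        if attrs.get("sensitive"):
            paths.append(path)
            continue
        # A VM is only a pivot point if code execution on it is plausible.
        if attrs["kind"] == "vm" and not attrs.get("critical_vuln"):
            continue
        stack.extend(path + [n] for n in adj.get(path[-1], []) if n not in path)
    return paths

def without_edge(edges, src, dst):
    """Model a remediation by dropping one relationship, then re-run the search."""
    return [e for e in edges if (e[0], e[1]) != (src, dst)]

if __name__ == "__main__":
    print("flat findings:", flat_findings(NODES))
    print("attack paths :", find_attack_paths(NODES, EDGES))
    fixed = without_edge(EDGES, "role-web", "s3-customer-pii")
    print("after fix    :", find_attack_paths(NODES, fixed))
```

Both VMs appear in the flat list, but only `vm-web-1` sits on a path from the internet to the PII bucket, which is the context the graph adds.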

The platform integrates with CI/CD pipelines for shift-left scanning, ticketing systems for remediation workflows, SIEM and SOAR tools for alert routing, and cloud-native services for automated remediation. The API is well-documented, and the Terraform provider enables infrastructure-as-code integration for security policy management.

What We Liked

The deployment experience is outstanding. We connected three AWS accounts and one Azure subscription, and Orca was scanning workloads within an hour. No agents to deploy, no kernel modules to install, no compatibility testing. Within 24 hours, we had a complete inventory of every workload, its software stack, known vulnerabilities, misconfigurations, and data exposure risks. For comparison, deploying an agent-based CWPP across the same environment took us two weeks the last time we did it, and we still had coverage gaps on specialty workloads. The agentless approach isn't just technically elegant — it fundamentally changes the deployment timeline from weeks to hours.

The attack path analysis is Orca's most valuable feature. We found 1,200+ individual findings in our test environment, which is overwhelming as a flat list. But Orca's attack path analysis distilled these into 23 actionable attack paths ranked by severity and exploitability. The top path showed a chain from a public-facing container with a known RCE vulnerability to an internal database containing PII, traversing two IAM roles and a security group that allowed internal traffic. Fixing the security group rule eliminated the path, and Orca confirmed the remediation within minutes of the change. That kind of prioritized, contextual finding is worth 10x a flat vulnerability list.

The multi-cloud support is genuinely equitable across providers. We've used cloud security tools where the AWS coverage is deep and the Azure coverage is an afterthought. Orca's scanning depth was comparable across both providers in our testing — same vulnerability detection rates, same misconfiguration checks, same graph relationship mapping. For organizations running multi-cloud (which is increasingly common), this consistency matters. You don't want a security tool that gives you a false sense of parity when one cloud is actually getting 60% of the coverage.

We were impressed by the data security module (Orca DSPM). It identified sensitive data types — PII, PHI, financial records, credentials — across S3 buckets, Azure Blob storage, and databases, and mapped the access paths to that data. Finding a database backup in an S3 bucket with overly permissive access, containing what turned out to be production customer records, is exactly the kind of discovery that prevents a data breach. The DSPM integration with the attack path analysis means Orca doesn't just find the sensitive data — it shows you who can reach it and how.

What Fell Short

The runtime detection capability is weaker than agent-based alternatives. SideScanning is great for finding static risks — vulnerabilities, misconfigurations, exposed data — but it can't detect active runtime threats like an attacker executing commands on a compromised workload. Orca has added some runtime capabilities through eBPF-based sensors for containers, but these are optional add-ons that partially negate the agentless advantage. For organizations that need both posture management and runtime protection, Orca alone isn't sufficient — you'll still need a CWPP or EDR product for the runtime layer, which means you're back to managing agents on at least some workloads.

The Wiz comparison is unavoidable, and in some areas Orca comes up short. Wiz's graph visualization is more intuitive, Wiz's UI is more polished, and Wiz's go-to-market engine has been more aggressive, which translates into a larger customer community and more third-party integrations. Orca's graph and attack path analysis are technically comparable, but the user experience isn't quite as refined. If you're evaluating both, you'll likely find that Wiz "feels" more modern, even if the underlying capabilities are similar. Orca's advantages — broader cloud provider support, stronger DSPM, and often lower pricing — don't show up in a 30-minute demo but matter over a 12-month deployment.

The alert volume out of the box is high. Orca's default policies generate a lot of findings, and not all of them are appropriately prioritized. During initial deployment, we saw hundreds of "high severity" findings that were technically accurate but practically low-risk — like a development environment VM running an outdated library that wasn't internet-accessible and didn't contain sensitive data. The attack path analysis helps prioritize, but you still need to spend time tuning the baseline policies to filter out noise. Orca provides tuning guidance, but the default experience is noisier than it should be for a product at this maturity level.

Pricing and Value

Orca prices based on the number of cloud assets (compute instances, containers, serverless functions, storage buckets, databases, etc.) being scanned. Pricing is not publicly listed, but based on customer conversations, expect $30-60 per asset per year for the full platform. A mid-size deployment of 2,000-5,000 cloud assets typically costs $100,000-$250,000/year. Orca generally prices 10-20% below Wiz for comparable deployments, which is one of their competitive advantages in head-to-head evaluations.

The value proposition is strongest when Orca replaces multiple point tools. If you're currently running separate products for cloud vulnerability scanning, CSPM, identity analysis, and data security, consolidating onto Orca can reduce total tooling cost while improving coverage (because everything shares the same graph). If you're comparing Orca only to another CSPM or only to another vulnerability scanner, the pricing looks high — you need to account for the consolidation value to make the economics work.

Who Should Use This

Orca is the right choice for cloud-heavy organizations that want a unified security platform across multiple cloud providers without deploying agents. It's particularly strong for organizations running workloads on multiple cloud providers who need consistent visibility, organizations with compliance requirements that benefit from DSPM (healthcare, finance), and teams that are understaffed and need a platform that's fast to deploy and doesn't require ongoing agent management. Security teams of 3-15 people supporting 1,000-10,000 cloud assets are the sweet spot.

It's less suitable for organizations that need strong runtime threat detection (add a CWPP/EDR), organizations running primarily on-premises (Orca is cloud-only), or teams that have already deeply invested in Wiz (the switching cost isn't worth the delta for most organizations). If you're choosing between Orca and Wiz for a new deployment, evaluate both against your specific environment — the right answer depends on which cloud providers you use, what your DSPM requirements are, and how much you value pricing versus UI polish.

The Bottom Line

Orca Security is the cloud security platform that doesn't get enough credit. It pioneered the agentless scanning approach, its attack path analysis is among the best in the market, and the multi-cloud coverage is genuinely deep rather than checklist-deep. It lives in Wiz's shadow, and that's partly Orca's own fault — their marketing and UI haven't kept pace with a competitor that's better at selling the sizzle. But in a side-by-side technical evaluation, Orca holds its own and beats Wiz on DSPM and multi-cloud breadth. If you're in the market for a cloud security platform and your only evaluation criterion isn't "which vendor has the most buzz," Orca deserves serious consideration and a full proof-of-value deployment.

Pricing Details

Based on cloud assets