Agentless Approach and Deep Visibility. It doesn't require the installation of any agents or additional software, that’s why we need just minutes to onboard new accounts to Orca. After onboarding, Orca provides really comprehensive asset discovery, vulnerability scanning, and risk assessment. Also, I am impressed by Orca Security's continuous product development and its dedication to introducing new features. Review collected by and hosted on G2.com.
Usually, Orca performs scans every 24 hours, that's why alerts are not real-time. Also, it would be great if Orca expand its integration capabilities especially with Cloudflare Review collected by and hosted on G2.com.
Video Reviews
Orca -A Revolutionary Tool for Security Governance
208 out of 209 Total Reviews for Orca Security
Overall Review Sentiment for Orca Security
Log in to view review sentiment.
The interface is very intuitive and there was not a learning curve at all. Being able to create reports on pretty much any dashboard has been very helpful. Vulnerabilities and misconfigurations found by Orca give us more than enough information to be handed to our development team for remediation without having to do any additional research. Overall, this is a very well thought out platform. Review collected by and hosted on G2.com.
I honestly have not found anything I dislike yet. Review collected by and hosted on G2.com.
Orca provides top-tier dashboards and easy dashboard customization which quickly surfaces critical risks.
Orca support replies rapidly and consistently works to resolve issues.
Orca installation in 2/3 of our main cloud environments was a smooth process, and the last environment took just an extra hour of work. Overall, a very smooth onboarding process, and great training resources were provided.
Orca provides incredibly rich, useful data about the risks it detects, with very low/none false positives. Review collected by and hosted on G2.com.
The compliance modules currently load extremely slowly, lack CIS critical controls v8.1, and waiting for the promised module rewrite next year sucks.
Orca knowledgebase documentation is tied to your Orca login. To faciliate non-technical staff (or folks who don't need console access) working with the tool, it would be great if they were decoupled.
Exporting risk data to CSV from Orca often requires selecting which of 119-250+ columns I want, at least once, unless you like getting a 1 GB CSV file (wow!)
Exporting to CSV frequently hangs (probably due to the default enormous CSV size), requiring the usage of scheduled reports, which is less convenient. Review collected by and hosted on G2.com.
Easy Onboarding, I don't need consider the agent implementation plan, or any rollback plan if any bad thing happens. Review collected by and hosted on G2.com.
lack of sandbox, or real-time protection Review collected by and hosted on G2.com.
I really appreciate that Orca brings together multiple aspects of cloud security in a single console. It covers everything we need, from vulnerability management to misconfigurations, compliance, entitlement management, IaC, and code security, all in one place. The integration options are also strong - especially the bi-directional integration with ServiceNow, which has been a huge help for us. Slack integration is another plus, making it easy for our team to discuss alerts across departments and coordinate remediation efforts without missing a beat.
One feature we’ve found especially valuable is Orca’s compliance management. The AWS CIS Benchmark tool has been a game changer for us. With Orca’s guidance and insights, we were able to identify compliance gaps we hadn’t even noticed and systematically address them. This took our compliance score from 58% all the way up to 100%. Now we’re not just meeting industry standards but have much more confidence in the security and compliance of our AWS setup. Review collected by and hosted on G2.com.
I wish Orca offered an endpoint agent for managing vulnerabilities on non-cloud devices. If this capability were added, we’d likely consider consolidating our vulnerability management into Orca, which would be more convenient than juggling multiple platforms. Currently, we’re running two overlapping solutions to cover vulnerabilities on our endpoints, which adds complexity.
Also, we found it necessary to adjust the default permissions assigned to the role used by Orca, as the out-of-the-box required permissions were too broad and didn’t align with our organization’s principle of least privilege. By tailoring the permissions more specifically to our needs, we were able to enhance security by limiting access only to what was essential for Orca’s operations in our environment. Review collected by and hosted on G2.com.
Very easy to configure and get start with.
Excellent support for the 3 main Cloud providers.
They invested a lot in their product and it is incredibly more extensive than it was a couple years ago.
The pricing is relatively reasonable for smaller organizations.
Excellent Customer Success and Executive Teams.
The flexibility of its API, Sonar Queries and automations.
The full revamp of the Discovery feature has been impressive.
So many new perks have been keep coming up as part of the Premium plan: Shifleft, DSPM, API security, ThreatOptix.
The support is incredibly quick even during weekend. I've in all honesty never experienced a vendor as prompt as Orca to support their customers. Review collected by and hosted on G2.com.
I'm still waiting for a dark mode since the UI change.
Automations don't use Sonar querying language yet.
Could be interesting to have a Terraform module to manage configurations.
The new pricing model is a bit confusing. Review collected by and hosted on G2.com.
It still has the best technology in the cloud security space. I've compared it to Wiz, side-by-side just recently, and still find Orca to have the
- Highest quality findings
- Most accurate prioritization
- Best integration with related systems
- Easiest—much, much easier—UI and best UX
- Implemenation ease, and
- Best customer support.
I and my team use Orca daily, multiple times a day. It's a foundational security product for us. After testing out Wiz for a month, side by side, I appreciate Orca even more. Review collected by and hosted on G2.com.
I would love to see Orca expand into the area of more automated remediation. Review collected by and hosted on G2.com.
I love how Orca brings everything together in one place, making it an excellent tool for someone specializing in vulnerability management. Its ease of use and ease of implementation streamline our work, and the number of features it offers is impressive. Orca has significantly helped us reduce vulnerabilities and address each item effectively. Although Orca sometimes flags any visible item as vulnerable, it’s still one of the best tools I've enountered so far.
The customer support is exceptional; I can get a support representative on a call within five minutes, which only enhances my desire to use it. Their support team has also been incredibly helpful with integrations, which has made the tool even easier to integrate and use frequently. This outstanding support and ease of integration contribute to our high frequency of use, making Orca an invaluable asset in our security toolkit. Review collected by and hosted on G2.com.
There are several minor issues in Orca that have accumulated into larger challenges. For example, the same vulnerability path is sometimes duplicated across multiple Orca alert IDs, which leads to confusion. Additionally, when a scan is performed on a server, it doesn't display the exact time the scan was completed, nor does it provide backend visibility into scan failures, making it difficult to troubleshoot assets effectively.
We've submitted multiple feature requests, including support for asset scanning on devices like Fortinet and Ivanti, which our organization heavily relies on but aren’t currently detected by Orca. Furthermore, we occasionally encounter issues with hardening scan reports for specific assets, and pulling an inventory report is challenging due to the vast number of assets—over 3 to 4 million. While it's understandable given the scale, it’s still a limitation. Another significant issue is the inability to fetch more than 10,000 alerts through the API when retrieving data for a particular CVE.
Despite these drawbacks, I appreciate Orca’s efforts to adapt to our needs and continuously improve the tool. Review collected by and hosted on G2.com.
The tool provides a pragmatic view of you security posture. We all know CVEs err on the side of more severe criticality. Orca is aware of this too and tries to reserve the Critical status for things that should be looked at now.
Attack paths provide a seed for internal investigations.
Webhook oriented scans for your repositories are easy to implement.
Customer support is very good. Just a click and you get a chat bot that is quickly picked up by a human. Review collected by and hosted on G2.com.
Attack paths aren't always accurate. For example, a ddos vulnerability won't lead to a pivot to an internal access. Not by itself anyway.
Out of the box scans are fairly infrequent in an environment where changes happen often. Review collected by and hosted on G2.com.
Orca's implementation was very fast and straight forward. All my contacts with Orca stay in touch with me to see if everything is working as intended. The product is very straight forward and very simple ones you login and you can immedatly see everything from a single pane of glass.
The integrations and features that are provided are world class. We are constantly using the product in order to acheive our goals in stregthening our security posture here. A solution like Orca is really a next gen product that every organization should have.
I stand by my decision by choosing Orca and we are seeing our ROI with the tool. Review collected by and hosted on G2.com.
Documentation could be updated and be a bit more straight forward when trying to solve issues on our own or seeing what other capabilities are there, but the support team has been wonderful in helping us solve our issues. Review collected by and hosted on G2.com.
Context-driven security was considered the future of Cloud Security, and Orca led the charge. The level of depth provided around resources and assets in your cloud is one of the best out there.
We love the ability to clone and customize "baked-in" alerts to meet our environmental needs, specifically around asset tagging/labeling. Their Code Security capabilities are starting to rival those of Synk and others in the space. The potential there is promising, and the product teams are constantly keeping us in the loop.
The Custmoziable Alerts dashboard, which meets my leadership needs, is easy to use. My team can also create and share customized views without much effort.
Searching and "Discovery" have greatly improved in the latest iteration of the product, and the speed at which we find assets and configurations has improved.
Orca provides very in-depth "attack path" visualizations that are easy to follow, clearly visualize risks, and tell an attack story. Although this would be considered intimidating to view, their visual representation is strong.
Side-scanning continues to provide tremendous value to us. It still amazes me how quickly they scan our entire environment and report back changes, threats, risks associated with "data" or storage.
There is a lot more to mention, but lastly, our customer support and sales team has been top-notch. One of the best we have worked with. Review collected by and hosted on G2.com.
Reporting on containerization vulnerabilities has improved, but it needs to be better. (Orca has been investing a lot in this space and the future is promising).
Infrastructure as Code custom policy creation is effective but challenging and needs to be more closely linked to the UI. (There might be technical challenges here but overall, we need more visualizations in the UI around this)
Identity-based reporting around "inactive" non-human accounts is an area that needs more attention. (GCP Support is a little behind.) Review collected by and hosted on G2.com.
