
Orca Security broke some ground on Wednesday by adding agentless API sidescanning to its cloud-native application protection platform (CNAPP), Orca’s Cloud Security Platform.

Avi Shua, co-founder and CEO of Orca Security, explained that unlike agents that sit inside workloads, Orca’s sidescanning technology collects data externally — similar to an MRI scanning the body. However, instead of identifying soft tissue damage, Shua said Orca identifies cloud vulnerabilities, malware, API risks, misconfigurations, and potentially exposed PII, and leverages its unified data model to put these risks into context in relation to the entire cloud environment so security teams can prioritize the risks that truly matter.

“By not installing agents or running any packets, the customer does not need to change anything in its architecture to adopt it,” Shua said. “Since no information gets transferred over the network, there’s no loss of data, no downtime, and no impact on users.”

Melinda Marks, a senior analyst at the Enterprise Strategy Group, said Orca’s platform has been monitoring for vulnerabilities, malware, misconfigurations, and access issues (like cloud infrastructure entitlement), while also looking at behavior such as lateral movement and misplaced sensitive data.

“It’s all agentless, and now they are adding API security,” Marks explained. “CNAPP brings together cloud security posture management, cloud workload protection (like container security), and application security. So with a CNAPP adding API security, then the security teams can efficiently take that info in and take actions that reduce risk.”

Frank Dickson, who covers security and trust at IDC, cautioned that the drawback to agentless security is that it’s agentless: the strength is the weakness. Dickson said the “snapshot” approach of agentless limits visibility to the frequency of the snapshot. So if snapshots are taken every eight hours, for example, ephemeral workloads that spin up for minutes or seconds are invisible. 

“Additionally, agentless solutions cannot extract activity telemetry like process information, Layer3/Layer4 connections activity, memory analysis or other real-time information,” Dickson said. “Essentially, you cannot ‘hear’ what’s happening behind the virtual pane of glass. Finally, you are very limited in taking action without an agent so response and remediation actions are limited. A security professional will be limited in the ability to isolate a workload or redeploy a golden image without an agent. Agentless security offers real value. However, it’s hardly a complete solution.”

ESG’s Marks also pointed out that there are standalone companies focused on API security, and that many of the better-known ones, such as Salt, Noname, and Cequence, are agentless.

“However, the trend is to avoid agents so it’s easy to connect instead of having something to install, but the ones with agents/in-app components to install generally claim deeper monitoring/more data collecting for better detection capabilities,” said Marks. “So with the Orca news, it’s a CNAPP adding API security, compared to a network security or firewall company with API security, and Orca is all agentless, and they are claiming deep monitoring with their sidescanning technology.”