CWPP
Orca Security CWPP is an agentless‑first Cloud Workload Protection Platform that provides 100% visibility into cloud workloads (VMs, containers, serverless) across AWS, Azure and GCP. It uses patented SideScanning to read runtime block storage out‑of‑band, correlates workload risks with cloud configuration and identity context, and prioritizes vulnerabilities, malware, misconfigurations and data exposure that form real attack paths.
Orca CWPP sits inside the broader Orca CNAPP and focuses on protecting workloads themselves—Linux/Windows VMs, containers, images, Kubernetes clusters and serverless functions—without deploying agents or network scanners. SideScanning connects via cloud APIs, snapshots workload block storage, reconstructs file systems in a read‑only view, and inspects OS packages, applications, libraries, binaries and data for vulnerabilities, malware, secrets and sensitive data. Unlike traditional agent‑based CWPPs that only see what’s running and often miss idle or unprotected assets, Orca analyzes running, stopped, paused and orphaned workloads to give continuous coverage. All workload telemetry is fed into Orca’s unified graph along with configuration, identity and network metadata, so CWPP findings are automatically enriched with internet exposure, lateral‑movement paths and data sensitivity to drive real risk‑based prioritization. Newer capabilities like Agentless Reachability Analysis and the lightweight eBPF‑based Orca Sensor add runtime reachability and behavior detection for high‑value workloads, while keeping the default deployment agentless.
Key Features
- Agentless workload discovery & inventory – Identifies all VMs, containers, images, Kubernetes clusters and serverless functions, including idle/paused assets that agents often miss.
- Deep vulnerability management – Uses 20+ vulnerability data sources to detect vulnerable OS packages, libraries and apps, then ranks them using context such as exposure, lateral movement risk and data proximity.
- Malware detection engine – Combines signature‑based scanning, heuristic file analysis, sandbox‑style dynamic execution and “genetic” family signatures to find known and unknown malware in workload file systems.
- Sensitive data & secrets discovery – Scans “hidden corners” of workloads for PII, PCI and healthcare data as well as hard‑coded secrets, even on stopped or idle assets.
- Reachability‑aware vuln prioritization – Agentless Reachability Analysis shows which vulnerable packages are actually network‑reachable; optional Dynamic Runtime Reachability with Orca Sensor verifies which ones execute at runtime, reducing container vuln noise by up to 90%.
- Lightweight runtime protection (Orca Sensor) – Optional eBPF‑based sensor delivers real‑time process and threat visibility (e.g., privilege escalation, suspicious processes, lateral movement) for critical workloads, integrated back into the same console.
- Unified context with CSPM/CIEM/DSPM – CWPP findings are automatically correlated with misconfigurations, IAM issues and data locations to highlight toxic risk combinations and attack paths.
Ideal For & Use Cases
Ideal For
- Organizations running cloud‑native workloads at scale (VMs, containers, Kubernetes, serverless) that struggle with agent deployment, blind spots and performance impact.
- Teams wanting workload protection tightly integrated with posture (CSPM), identity (CIEM) and data security (DSPM) instead of a standalone CWPP.
Representative Use Cases
- Cloud vuln & malware management without agents – Rapidly find exploitable vulns and malware across all workloads, including dark or unmanaged ones.
- Container and Kubernetes risk reduction – Prioritize container vulns using reachability, clean up risky images, and monitor runtime behavior on critical clusters.
- Sensitive data risk on workloads – Detect PII/PCI/PHI and secrets stored on disks, then correlate with exposure and IAM risk to focus on real data‑breach paths.
- Runtime threat detection for crown‑jewel workloads – Use Orca Sensor on selected high‑value nodes to detect privilege escalation, malware execution and suspicious process chains.
Deployment & Technical Specs
- Architecture: Agentless‑first CWPP via SideScanning (cloud API + storage snapshots) plus optional eBPF‑based Orca Sensor for runtime protection.
- Coverage: Linux/Windows VMs, containers and images, Kubernetes clusters, and serverless functions on AWS, Azure and GCP.
- Telemetry Collected: OS packages, apps, libraries, file contents, configuration files, binaries, scripts, logs and data signatures reconstructed from runtime block storage.
- Analysis Engines: Vulnerability scanning, malware detection (signature, heuristic, dynamic, genetic), sensitive‑data detection, reachability analysis, runtime behavior analytics (via Sensor).
- Performance Impact: SideScanning runs entirely out‑of‑band with zero CPU/memory overhead on workloads; Sensor is lightweight eBPF with automatic updates.
- Integrations: Shared with the Orca platform: SIEM/SOAR, ITSM (Jira, ServiceNow), messaging (Slack, Teams), CI/CD tools for policies and gating.
Pricing & Plans
- Licensing Model: Orca uses a single, all‑inclusive CNAPP SKU priced by the number of cloud workloads (VMs, containers, serverless), and CWPP is included; there’s no separate CWPP add‑on license.
- Indicative Costs: Third‑party benchmarks show median Orca contracts of around USD 85–90K/year across CNAPP (including CWPP), with savings often 25–30% versus some competitors. Actual pricing varies by workload count, term and discounts.
- Procurement: Sold direct and through cloud marketplaces such as AWS Marketplace and Azure Marketplace, with starter packs per block of concurrent EC2 workloads.
Net: you buy Orca once (per workload) and get CWPP alongside CSPM, CIEM, DSPM and runtime features.
Pros & Cons
Pros
- Agentless 100% coverage, including idle/paused workloads that traditional agents miss.
- Deep workload insight (vulns, malware, sensitive data, secrets) without performance impact.
- Context‑rich prioritization by combining CWPP findings with config, IAM and data context.
- Optional runtime sensor gives deeper detection where needed without abandoning agentless simplicity.
Cons
- Enterprise‑level pricing may be overkill if you only need basic host scanning rather than full CNAPP.
- Some organizations still want traditional EDR/XDR agents for host‑level response; Orca CWPP is not a complete replacement for those tools.
- Runtime sensor adds another component to manage on critical workloads, even if lighter than legacy agents.
Final Verdict
Orca Security CWPP is a strong fit for organizations that want deep, context‑aware workload protection without the operational pain of agents. SideScanning gives unusually rich insight into vulnerabilities, malware and sensitive data across all workloads, while the unified CNAPP graph ensures CWPP findings are prioritized by real attack‑path risk, not raw CVSS scores. The addition of Orca Sensor for selective runtime protection rounds out the story for high‑value assets.
It’s best adopted as part of Orca’s full CNAPP rather than as a standalone CWPP: if your strategy is to consolidate cloud security (CSPM, CWPP, CIEM, DSPM) into one platform, Orca’s agentless CWPP is a compelling cornerstone. If you only need a low‑cost host scanner or are heavily invested in traditional EDR/XDR for workload response, you’ll want to weigh cost and overlap carefully.