Orca provides a collection of industry-standard compliance reports such as AWS CIS v1.3.0, PCI DSS, and NIST CSF. We also include an Orca Best Practices report, but we recognize that predefined reports may not always align with the needs of every security organization.
Orca’s ability to replace multiple security tools mandated by today’s stringent regulatory and industry standards, from vulnerability management to malware scanning to file integrity monitoring, means that Orca automatically runs all the critical checks required by default. To provide complete flexibility, users also have the option of defining custom frameworks.
After a test is run, a result of type “manual/external” means that Orca does not have the authority to either check or change the given control. For example, Orca cannot ensure that Security Key Enforcement is enabled for all admin accounts of a given client; this has to be done by an Admin user on the client’s side.
By contrast, tests performed by Orca that return with the type “system” are those we do have the authority to check, so we can verify whether the given control is compliant with the chosen framework.
The average score recommended by Orca for framework compliance is 90%; anything below that is considered insecure and should be addressed.