By orcasecurity
Query Orca Security to triage alerts with blast radius and timelines, profile cloud assets for risk, exposure, compliance, DSPM, IAM and cost, trace issues back to the IaC deployers that introduced them, map attack surfaces, assess remediation impacts, and receive daily briefings across AWS, GCP and Azure.
npx claudepluginhub orcasecurity/orca-skills --plugin orca-skills

Analyzes Orca Security alerts with timeline visualization, risk assessment, and progressive disclosure. Use when user asks to triage, analyze, explain, summarize, investigate, or check an Orca alert by ID (e.g., "triage orca-3636513", "what is alert orca-3548863", "check orca-3636513").
Full 360° security profile of any cloud asset — alerts, attack paths, compliance, permissions, exposure, sensitive data, and CDR activity in one view. Use when user asks about an asset's security posture or profile (e.g., "asset profile for web-bastion-host", "tell me about WEB-PRD", "security posture of", "show me everything about").
Cloud cost optimization analysis using Orca Security asset data. Discovers all cloud assets (AWS, GCP, Azure) through Orca MCP tools, compares current configurations against cheaper alternatives using live public pricing, and produces a prioritized cost reduction report with exact asset evidence. Use when the user asks about cloud cost optimization, reducing cloud spend, rightsizing instances, saving money on cloud infrastructure, cost reduction opportunities, unused resources, oversized VMs, reserved instances, storage tiering, or wants to know what changes would lower their cloud bill.
Deep-dive compliance gap analysis for any framework — failing controls ranked by impact, quick wins, account breakdown, and remediation plan. Use when user asks about compliance gaps, failures, or status (e.g., "compliance gaps", "PCI DSS status", "where are we failing", "SOC 2 compliance", "quick wins").
Traces any Orca alert back to who deployed it, what tool was used, what introduced the issue, and a full timeline of events. Use when user asks about origin, deployment, or ownership of an alert (e.g., "who created this", "where did this come from", "trace back orca-3380725", "who deployed", "what tool was used").
DSPM view — sensitive data at risk across the environment, exposed secrets/PII/credentials, data store security posture, and remediation priorities. Use when user asks about data exposure, sensitive data, or secrets (e.g., "data exposure", "where is our PII", "sensitive data at risk", "exposed secrets", "DSPM view").
External attack surface mapping — internet-facing assets ranked by risk, exposed ports/services, and attacker's-eye view of the environment. Use when user asks about attack surface, exposure, or external view (e.g., "exposure map", "attack surface", "what's exposed", "internet-facing", "external view").
Analyzes any cloud identity for overprivileged access, actual usage patterns, lateral movement risk, and least-privilege recommendations. Use when user asks about identity permissions, overprivileged access, or IAM review (e.g., "identity review for anika", "is this role overprivileged", "review permissions", "IAM analysis").
Analyzes the full impact of fixing an Orca alert — what closes, what breaks, and what the environment looks like after the fix. Use when user asks about impact, consequences, or blast radius of fixing an alert (e.g., "what's the impact of fixing orca-3380725", "if I fix this what breaks", "what else closes").
CDR-powered incident investigation — traces actor activity, builds session timelines, maps MITRE ATT&CK techniques, and assesses blast radius from cloud audit logs. Use when user asks to investigate activity, trace an actor, or analyze an incident (e.g., "investigate bastion-admin", "trace activity", "what did anika do", "incident investigation").
Daily security briefing summarizing new critical alerts, attack paths, compliance drift, exposure changes, and aging unactioned alerts from the last 24-72 hours. Use when user asks for a briefing, summary, or overview (e.g., "morning briefing", "what happened", "security summary", "daily report", "what needs attention").
Sysdig's cloud security expertise, packaged as agent skills that work natively in your AI environment.
Audit access control implementations
Claude plugins for SentinelOne XDR - threat detection, incident response, and endpoint agent management via the Purple AI MCP server
Advanced LimaCharlie skills for MSSP reporting, fleet coverage, threat intelligence, adapter management, IaC, onboarding, and HTML dashboards. Requires lc-essentials plugin.
GRC (Governance, Risk, and Compliance) domain knowledge — frameworks, controls, audits, evidence, ConMon, cross-framework mappings, document review, and operational workflows. Cloud-agnostic.
Essential 8 Plugin - Australian Cyber Security Centre mitigation strategies with 3 maturity levels