The goal of Transparency for Cybersecurity is to elevate transparency within the
We Believe: A message from Avi Shua, CEO and co-founder of Orca Security
I want to personally thank you for learning about our new industry initiative, Transparency for Cybersecurity. I encourage you, either as a vendor or customer, to get involved. Our goal is
the need to eliminate obscurity is clear.
The need for greater transparency became clear to me after Orca Security published a comparison between the Orca Cloud Security Platform and a few other cloud security tools—including Palo Alto Networks’ Prisma Cloud. In response, Palo Alto sent Orca a cease and desist letter, demanding our comparison be removed. This dialog sparked some interesting industry discussion — The Cybersecurity Community Demands Transparency, Not Legal Threats.
It is time for a change.
“Without cybersecurity transparency, the solutions organizations rely on for security, operations, management, marketing, development, and daily operations can be leveraged by threat actors against your environment. Identifying risks within them is critical to securing your organization and without cybersecurity transparency, vendors can obfuscate flaws that leave you unable to quantify the risks they represent. Remediating risks is a top priority for security professionals and cybersecurity transparency ensures they are identified, rated, and ultimately tracked through closure.”
- Morey Haber, CIO | CISO of BeyondTrust
"Cyber security users seek transparency in an industry which is, by definition, sensitive about disclosing information. We are proud to take part in this important initiative, as product reviews provide an authentic perspective that can only come from a real customer. Neutral, structured reviews and analysis are critical to the validation and feedback sought by cyber security users and buyers."
- Russell Rothstein, CEO | IT Central Station
“Imagine a world where automotive manufacturers can legally prohibit safety reviews, pharmaceutical lab testing is barred by force of civil lawsuit, and the health claims of food additives cannot be publicly assessed. To our industry's shame, that is the world of cybersecurity software. It's anti-competitive, blinds the market, hurts the customer, and reduces the credibility of security software creators. It's time to end the practice of gagging consumers and create a free and transparent industry. The result will only be better products, informed consumers, and a more secure industry.”
- Joel Fulton, PhD - CEO & Co-Founder | Lucidum
“It’s important that security teams understand the capabilities of their security solutions. Not just what works, but where they might need to bring in additional capabilities to complement the boundaries of their existing defenses. Without vendor transparency, companies might be surprised unpleasantly one day.”
- Andy Ellis, CSO Hall of Fame 2021
Frequently Asked Questions
Q: Why should I care if my vendor has counter-transparency clauses?
Such clauses mean the data you see is skewed, as the vendors try to control the product and marketing messages. As much as we all want to analyze all solutions by ourselves, the truth is product reviews, done by independent third parties, customers, and competitors, provide invaluable data for a practitioner choosing their tools.
Q: What is Orca’s view on reviewing its product?
We welcome it with open arms. Our EULA permits publishing reviews and benchmarks, with one requirement: If you publish reviews and benchmarks of Orca products, you must not have a clause limiting disclosure or benchmark of your products. We believe in transparency!
Q: What prompted Orca to start this initiative?
Orca Security published the Punch-Out Series, comparing our product to other cloud security tools—including Palo Alto Networks’ Prisma suite. In response, we got a cease and desist letter (you can read more about that here). A widespread public discussion followed, during which many people asked, ‘How can we quickly know if my products have such clauses?’ This page is the answer.
Q: What’s the deal about ‘Promotes independent reviews in marketing materials’?
We chose to highlight vendors that, on the one hand, incorporate EULA clauses preventing the public publishing of reviews and, on the other hand, promote positive product reviews, usually written on platforms such as G2 Crowd, Capterra, and Gartner Peer Insights. The concern we raise is that such “objective” reviews might not be so objective: reviewers had to get vendor permission to write them, which creates a natural bias.
Q: Shouldn’t we limit public reviews to prevent data from leaking to the bad guys?
Security by obscurity doesn’t work. Furthermore, we’re predominantly talking about publicly available products, for which anyone with an email address can get a trial. It’s borderline absurd to think that such clauses will prevent bad guys from sharing attack vectors.
Q: Should I refrain from buying tools from vendors with EULAs having anti-competitive clauses?
The choice is yours, and many factors make up such a decision. But we urge you to consider this when showing your preference for solutions from vendors that support open discussion. Take into consideration that these clauses often exist in EULA templates, and your vendor may not even be aware it’s in their agreement. This happened to Orca as well: we found out that some of our SaaS agreement variants had this clause (and of course we changed it immediately). We recommend talking to your vendor and asking them to remove this clause before assuming that they really stand behind this restriction. If they refuse to take it out, then it’s a different story altogether. You can also let your vendor know that this is a parameter you’re looking into when choosing a product. Here you can use this email template:
Dear <vendor representative name here>,
We are considering purchasing your <enter product name here>. I recently learned that the EULA for this product includes a clause prohibiting publishing reviews and benchmarks.
We believe such clauses are anti-competitive and harm prospects like us when we are choosing tools. When such clauses exist, we can’t be confident that we’re exposed to all the data we need to make an informed decision. Therefore, we’re going to refrain from choosing tools with such clauses in their EULA.
We urge you to remove them and support transparency in cybersecurity.