Increased Delay and Errors in Asset Scanning (AWS Only)

Incident Report for Orca Security

Postmortem

Post-Incident Report & Root Cause Analysis
On 8th December, Orca's AWS asset-visibility pipeline experienced an unexpected interruption that temporarily affected how a limited subset of AWS assets appeared within the platform.

Some customers observed a brief period where certain assets appeared missing and later re-appeared as newly or updated discovered assets.

This document provides a high-level explanation of what occurred, the customer-facing impact, and the long-term corrective actions we have taken.

‌

What Happened
Orca's cloud-asset modeling relies on a combination of AWS-hosted public endpoint and internal logic, to determine service availability.

During the incident window, an unexpected change in the output of that AWS-hosted endpoint - caused Orca to incorrectly treat some AWS services as temporarily unavailable.

As a result, some assets that relied on those API responses were not modeled during that cycle, which led them to appear temporarily unavailable in the platform.

Once our engineering team identified and resolved the issue, a full re-scan of affected accounts restored complete and accurate asset visibility. However, it led to creation of some assets, as if they were newly discovered.

‌

Customer Impact
The impact was limited to asset visibility only and affected a small subset of AWS accounts. No security, monitoring, alert logic, or runtime protection was disabled.

‌

Root Cause
The underlying cause was the interaction of:
- An AWS service change, affecting Orca's visibility of a certain API's availability
- Our monitoring worked correctly, halting affected modeling to prevent propagation of incorrect data - but resulting in temporary asset suppression.
- While the detection mechanisms behaved as designed, this combination created a unique scenario where asset visibility was interrupted before full context was available.

‌

Resolution
Our engineering team implemented a fix to restore stable modeling logic and eliminate reliance on the affected API behavior. Scanning was re-enabled after validation and a full asset refresh was completed.
Impacted assets should have now re-appeared and are accurately represented.

‌

Closing Statement
We understand that uninterrupted asset visibility is essential for operational awareness and downstream automations.

While this type of upstream behavior change is very unlikely and uncommon, our alerting and monitoring acted as intended - halting propagation of uncertain data until the issue was understood and resolved.

Our R&D teams are already working on enhanced safeguards to reduce the likelihood of similar issues in the future.

We acknowledge the temporary inconvenience caused particularly around "new asset" and alerts, and we are committed to ensuring even smoother resilience in the future.

Posted Dec 10, 2025 - 13:30 UTC

Resolved

The issue has been identified and fully remediated. All services are now functioning as expected.

A comprehensive incident report, including the root cause analysis and corrective measures, will be provided once the review is complete.

We appreciate your patience and understanding.

Posted Dec 10, 2025 - 12:20 UTC

Monitoring

AWS scan recovery has been completed.

The US region has now been fully restored and validated, and all AWS scans are operating normally across all regions.

We are currently assessing the full impact and conducting a root-cause analysis. We will share additional details once the review is complete.

The environment is currently under close monitoring to ensure continued stability.

Posted Dec 09, 2025 - 22:05 UTC

Update

We continue AWS scans recovery - The following regions have been fully restored and validated: SA, ID, IN, AU, EU

We are continuing work to restore functionality in the remaining regions: US
We are re-scanning impacted accounts to restore all missing assets and alerts.

We will fully unblock AWS scans after the process will complete.

Posted Dec 09, 2025 - 19:02 UTC

Update

We are currently recovering from an issue that caused some AWS assets to be mistakenly hidden in the platform and certain alerts to be incorrectly marked as closed.

The following regions have been fully restored and validated: SA, ID, IN, AU
We are continuing work to restore functionality in the remaining regions: US, EU

A fix has been deployed, and we are re-scanning impacted accounts to restore all missing assets and alerts.

We will fully unblock AWS scans after the process will complete.

Posted Dec 09, 2025 - 16:41 UTC

Update

We have deployed a fix across all regions and have begun validation.

The following regions have been fully restored and validated: SA, ID, AU.

We are continuing work to restore functionality in the remaining regions: US, EU, IN.

Posted Dec 09, 2025 - 14:36 UTC

Identified

The issue has been identified and a fix is being implemented.

Posted Dec 09, 2025 - 08:29 UTC

Investigating

We are currently investigating an issue affecting Orca Security scans.

At this time, AWS (only) scans will be blocked, and some assets may be missing or not updated, as a result of the ongoing issue. We are still determining the full scans impact.

There is no impact to the Orca Security UI or API, and all non-AWS vendor scans continue to operate normally.

Our engineering team is actively working to identify the root cause and restore full service. We will provide updates as more information becomes available.

Posted Dec 09, 2025 - 07:27 UTC

This incident affected: AU (Orca Dashboard, Orca Scanner Engine, Orca Cloud Provider Platform, Orca Shift-Left Scans), US (Orca Dashboard, Orca Scanner Engine, Orca Cloud Provider Platform, Orca Shift-Left Scans), EU (Orca Dashboard, Orca Scanner Engine, Orca Cloud Provider Platform, Orca Shift-Left Scans), IN (Orca Dashboard, Orca Scanner Engine, Orca Cloud Provider Platform, Orca Shift-Left Scans), SA (Orca Dashboard, Orca Scanner Engine, Orca Cloud Provider Platform, Orca Shift-Left Scans), and ID (Orca Dashboard, Orca Scanner Engine, Orca Cloud Provider Platform, Orca Shift-Left Scans).