
Connect Orca Security to ChatGPT: Query Cloud Assets and Alerts

Learn how to build a managed MCP server to connect Orca Security natively to ChatGPT. Query cloud assets, triage alerts, and analyze attack paths with AI.

Uday Gajavalli · 10 min read

If you need to connect Orca Security to ChatGPT to automate cloud asset discovery, vulnerability triage, or attack path analysis, you need a Model Context Protocol (MCP) server. This server acts as the translation layer between ChatGPT's native tool calls and Orca Security's REST APIs. You can either build and maintain this infrastructure yourself, or use a managed integration platform like Truto to dynamically generate a secure, authenticated MCP server URL.

If your team uses Claude, check out our guide on connecting Orca Security to Claude or explore our broader architectural overview on connecting Orca Security to AI Agents.

Giving a Large Language Model (LLM) read and write access to a sprawling enterprise cloud security platform is an engineering challenge. You have to handle authentication lifecycles, map massive JSON schemas to MCP tool definitions, and deal with Orca's specific Domain Specific Language (DSL) for querying inventory. Every time an endpoint updates or a schema drifts, you have to update your server code, redeploy, and test the integration.

This guide breaks down exactly how to use Truto to generate a secure, managed MCP server for Orca Security, connect it natively to ChatGPT, and execute complex security workflows using natural language.

The Engineering Reality of the Orca Security API

A custom MCP server is a self-hosted integration layer. While the open MCP standard provides a predictable way for models to discover tools, the reality of implementing it against complex security vendor APIs is painful. If you decide to build a custom MCP server for Orca Security, you own the entire API lifecycle.

Here are the specific integration challenges that break standard CRUD assumptions when working with Orca:

Complex DSL Filtering Requirements

Orca Security does not rely on simple query parameters for extracting alert and asset data. Their /api/query/alerts and /api/query/inventory endpoints require a proprietary Domain Specific Language (DSL) passed inside the request payload. Instructing an LLM to dynamically generate valid DSL structures - with nested filter, includes, and excludes operators - is highly prone to hallucination. Your MCP server must strictly define the DSL schema in the tool definition and reject malformed queries before they hit the upstream API, or the LLM will get trapped in an endless loop of 400 Bad Request errors.

Deeply Nested Data Models and Token Limits

When you pull an asset or a vulnerability from Orca Security, you are not just getting a flat record. A single asset response contains deeply nested objects mapping out cloud account hierarchies, Sonar findings, CVE details, connectivity graphs, and remediation steps. A list response of 50 assets can easily blow past an LLM's context window. You have to explicitly instruct the LLM on how to navigate the pagination cursors and request narrow data sets, or your agent will crash under the payload size.

Dynamic Sonar Schemas

Orca utilizes a proprietary engine (Sonar) to evaluate cloud posture. The schema for a finding changes entirely depending on the model (e.g., AzureSqlDbServer vs AwsEksCluster). An LLM cannot predict these fields. Your server must expose the list_all_orca_security_sonar_schema_models endpoint as a prerequisite tool, forcing the LLM to fetch the exact schema definition before it attempts to parse or patch a specific misconfiguration.

Rate Limits and 429 Errors

Security APIs heavily throttle requests to prevent performance degradation. When connecting ChatGPT to Orca Security via Truto, it is critical to understand that Truto does not retry, throttle, or apply backoff on rate limit errors. When the upstream Orca API returns an HTTP 429, Truto passes that error directly back to the LLM.

Truto normalizes the upstream rate limit information into standardized headers per the IETF specification:

Header               Purpose
ratelimit-limit      The maximum number of requests permitted in the current window.
ratelimit-remaining  The number of requests remaining in the current window.
ratelimit-reset      The time at which the current window resets (in UTC epoch seconds).

You must explicitly prompt your LLM to read these headers when a tool call fails and execute an appropriate exponential backoff strategy before retrying.
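The following is an added example, not code from the post or from Truto, of the backoff logic a client wrapper around a tool call can apply when a 429 is passed through. It reads the ratelimit-reset header named in the table above and falls back to exponential backoff when the header is absent; the SAMPLE_429 object and its field layout are constructed for illustration, not Truto's exact error shape.

```python
import time

# Constructed sample of a throttled tool call: Truto passes the upstream 429
# through unchanged, with the IETF-style ratelimit-* headers attached.
# (Illustrative shape only, not Truto's exact error object.)
SAMPLE_429 = {
    "status": 429,
    "headers": {
        "ratelimit-limit": "100",
        "ratelimit-remaining": "0",
        "ratelimit-reset": "1700000030",  # UTC epoch seconds
    },
}


def backoff_delay(headers, attempt, now, base=1.0, cap=60.0):
    """Seconds to wait before retrying a throttled tool call.

    Prefers the window reset time from ratelimit-reset; falls back to
    exponential backoff when the header is missing or already in the past.
    """
    reset = headers.get("ratelimit-reset")
    if reset is not None:
        wait = int(reset) - now
        if wait > 0:
            return min(float(wait), cap)
    return min(base * (2 ** attempt), cap)


def call_with_backoff(tool_call, max_attempts=5, sleep=time.sleep, clock=time.time):
    """Invoke tool_call() until it stops returning 429 or attempts run out.

    tool_call returns a dict with 'status' and 'headers'. Returns the final
    response and the list of delays actually slept, so callers can inspect
    how much throttling a workflow absorbed.
    """
    delays = []
    for attempt in range(max_attempts):
        resp = tool_call()
        if resp["status"] != 429:
            return resp, delays
        if attempt == max_attempts - 1:
            break  # give up; surface the last 429 to the caller
        delay = backoff_delay(resp["headers"], attempt, clock())
        delays.append(delay)
        sleep(delay)
    return resp, delays
```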

The Managed MCP Approach

Instead of forcing your engineering team to build a Node.js or Python JSON-RPC server, define Pydantic models for every Orca DSL query, and manage token refreshes in a database, you can use Truto.

Truto dynamically derives MCP tool definitions directly from the integration's underlying resources and documentation. When you connect an Orca Security account to a specific tenant in Truto, you can generate a cryptographically secure MCP server URL. That URL is all ChatGPT needs to authenticate, discover tools, and execute API calls.

How to Generate an Orca Security MCP Server

Truto allows you to generate an MCP server scoped to a single integrated account. You can do this visually through the dashboard or programmatically via the API.

Method 1: Via the Truto UI

  1. Log into your Truto dashboard and navigate to the Integrated Accounts section.
  2. Select the connected Orca Security account you want to expose to ChatGPT.
  3. Click on the MCP Servers tab.
  4. Click Create MCP Server.
  5. In the configuration modal, provide a name (e.g., Orca ChatGPT Triage) and specify any method or tag filters to restrict access.
  6. Click Save and copy the generated MCP server URL (e.g., https://api.truto.one/mcp/a1b2c3d4e5f6...).

Method 2: Via the API

For teams automating infrastructure, you can generate the MCP server dynamically by making an authenticated POST request to the Truto API.

curl -X POST https://api.truto.one/integrated-account/{integrated_account_id}/mcp \
  -H "Authorization: Bearer YOUR_TRUTO_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Orca Read-Only Triage Server",
    "config": {
      "methods": ["read", "list"]
    }
  }'

The API returns a payload containing the secure URL that you will pass to ChatGPT.

{
  "id": "mcp_8f7d9a1b",
  "name": "Orca Read-Only Triage Server",
  "config": { "methods": ["read", "list"] },
  "expires_at": null,
  "url": "https://api.truto.one/mcp/a1b2c3d4e5f6..."
}

How to Connect the MCP Server to ChatGPT

Once you have your Truto MCP URL, you can plug it directly into ChatGPT. There are two primary ways to do this depending on your environment.

Method A: Via the ChatGPT UI (Custom Connectors)

If you are using ChatGPT Enterprise, Pro, or Team with Developer Mode enabled:

  1. In ChatGPT, navigate to Settings -> Apps -> Advanced settings.
  2. Toggle Developer mode on.
  3. Under the MCP servers or Custom connectors section, click Add new server.
  4. Name the server (e.g., "Orca Security").
  5. Paste the Truto MCP URL into the Server URL field.
  6. Click Save. ChatGPT will immediately perform a protocol handshake, pull down the Orca Security schemas, and confirm the tools are ready to use.

Method B: Via Manual Config File (SSE Transport)

If you are running local agents, customized desktop setups, or testing via the MCP CLI, you can define the connection in your MCP configuration file using Server-Sent Events (SSE).

{
  "mcpServers": {
    "orca_security": {
      "command": "npx",
      "args": [
        "-y",
        "@modelcontextprotocol/server-sse",
        "--url",
        "https://api.truto.one/mcp/a1b2c3d4e5f6..."
      ]
    }
  }
}

Restart your agent interface, and the tools will automatically populate.

Hero Tools for Orca Security

Truto automatically maps the Orca Security API into discrete, strictly-typed MCP tools. Here are the most critical operations you should expose to your AI agents to automate cloud security workflows.

List All Orca Security Alerts via Query

list_all_orca_security_query_alerts

This is the core tool for fetching and filtering vulnerability, misconfiguration, and malware alerts. It utilizes Orca's DSL to narrow down noisy alerts into high-signal datasets.

"Find all open critical severity alerts in our production AWS environment related to publicly exposed S3 buckets. Use the DSL filtering tool to restrict the query by severity and asset type."

List All Orca Security Assets

list_all_orca_security_assets

Retrieves a comprehensive list of tracked assets across connected cloud accounts. The response includes details on scan status, resource types, and associated tags.

"Fetch the asset list for our primary GCP project. Filter the response to only show assets that have failed their most recent security scan."

List All Orca Security Chain Attack Paths

list_all_orca_security_chain_attack_paths

Retrieves the attack path snapshot for a specific chain. This is vital for understanding the blast radius of a vulnerability, allowing the LLM to trace how an attacker might pivot from a public-facing asset to internal crown jewels.

"Analyze the attack path for chain ID 90210. Map out the sequence of lateral movements an attacker could take, and summarize the immediate network risks."

List All Orca Security Accounts Remediation

list_all_orca_security_accounts_remediation

Fetches the specific remediation configuration details, templates, and action values for a specific cloud account. The LLM uses this to construct step-by-step fix instructions for DevOps teams.

"Get the remediation templates for our staging Kubernetes cluster account. Extract the exact CLI commands required to patch the misconfigured IAM roles based on Orca's recommendations."

List All Orca Security Cloud Accounts

list_all_orca_security_cloud_accounts

Retrieves metadata and aggregated statistics about all connected cloud environments. Helpful for auditing DSPM setups, onboarding statuses, and broad account health.

"Audit our connected cloud accounts. Give me a summary of any AWS accounts that currently have scanning limitations or incomplete onboarding statuses."

List All Orca Security User Audit Logs

list_all_orca_security_user_audit_logs

Fetches the audit trail of user activity within the Orca Security console. Use this to track who dismissed an alert or modified a scanning policy.

"Pull the user audit logs for the last 48 hours. Identify which team member manually closed the critical vulnerability alert for the payment gateway service."

To view the complete schema definitions and the full inventory of tools available, visit the Orca Security integration page.

Workflows in Action

Connecting an LLM to your security platform moves you from static dashboards to dynamic conversational investigations. Here is how ChatGPT executes real-world DevSecOps workflows using the Truto MCP server.

Workflow 1: Automated Incident Triage and Context Gathering

When an engineer gets paged about a critical vulnerability, they need immediate context on the affected asset, the severity of the alert, and how to fix it.

"We just got a Slack alert about a critical CVE in our Node.js microservice. Find the alert in Orca, trace its attack path to see if it exposes our database, and pull the exact remediation steps."

Execution Steps:

  1. list_all_orca_security_query_alerts: ChatGPT constructs a DSL query to find the specific critical CVE alert affecting the Node service.
  2. list_all_orca_security_chain_attack_paths: Using data from the alert, the agent queries the attack path graph to determine if the vulnerable container has network access to the database.
  3. list_all_orca_security_accounts_remediation: The agent fetches the remediation template to retrieve the specific patch instructions.

Result: The user receives a comprehensive incident briefing, confirming the blast radius of the vulnerability and providing a ready-to-paste command block for fixing the issue.

Workflow 2: Cloud Account Audit and Crown Jewel Discovery

Security leadership frequently needs quick answers about the posture of specific environments without digging through the UI.

"Give me a health check on our newly acquired subsidiary's GCP environment. List their connected cloud accounts, identify any assets marked as Crown Jewels, and summarize the top three most severe vulnerabilities on those critical assets."

Execution Steps:

  1. list_all_orca_security_cloud_accounts: The agent fetches all accounts and filters them locally to find the GCP environments associated with the subsidiary.
  2. list_all_orca_security_attack_paths_crown_jewels: assuming this crown jewels tool is available, the agent pulls the assets explicitly marked as critical business infrastructure.
  3. list_all_orca_security_query_alerts: The agent builds a DSL query scoping for alerts mapped to those specific Crown Jewel asset IDs, sorting by critical severity.

Result: ChatGPT generates an executive-level summary of the subsidiary's risk posture, explicitly tying the highest priority vulnerabilities directly to business-critical infrastructure.

Security and Access Control

Giving an AI agent access to your cloud security posture data requires strict least-privilege guardrails. Truto's MCP architecture provides native controls to ensure ChatGPT cannot abuse the Orca Security API.

  • Method Filtering: You can restrict your MCP server at creation using config.methods. Passing ["read", "list"] ensures the LLM can pull alerts and assets but is fundamentally blocked from creating sessions or launching new scans (create methods).
  • Tag Filtering: If your integration configuration tags specific endpoints (e.g., ["audit"]), you can restrict the generated tools to only expose logging and audit data, hiding core asset data entirely.
  • Require API Token Auth: By default, the MCP URL acts as a bearer token. By enabling require_api_token_auth: true, the MCP endpoint demands a secondary Truto API token in the Authorization header, ensuring that URL leakage alone does not grant access.
  • Ephemeral Servers: You can configure an expires_at ISO datetime when creating the MCP server. Truto will automatically destroy the token and flush the database record once the time expires - perfect for granting a contractor temporary ChatGPT access to audit an environment.
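As an added example (not Truto's code), a small pre-flight check a team can run before calling the creation endpoint so that every MCP server handed to ChatGPT satisfies the controls listed above: a read/list method filter, require_api_token_auth enabled, and a bounded expires_at. The field names come from this page; nesting require_api_token_auth under config and the 7-day limit are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

# Policy for servers exposed to ChatGPT: only non-mutating methods, a secondary
# API token required on top of the URL, and a mandatory expiry (7 days max).
ALLOWED_METHODS = {"read", "list"}
MAX_LIFETIME_HOURS = 7 * 24


def build_server_request(name, methods, lifetime_hours, now=None):
    """Assemble the creation payload for a scoped, ephemeral MCP server.

    Field names follow the page (config.methods, require_api_token_auth,
    expires_at); placing require_api_token_auth under config is an assumption.
    """
    now = now or datetime.now(timezone.utc)
    expires = now + timedelta(hours=lifetime_hours)
    return {
        "name": name,
        "config": {"methods": sorted(methods), "require_api_token_auth": True},
        "expires_at": expires.isoformat().replace("+00:00", "Z"),
    }


def policy_violations(payload, now=None):
    """Return the reasons a payload fails the least-privilege policy (empty if it passes)."""
    now = now or datetime.now(timezone.utc)
    problems = []
    cfg = payload.get("config", {})
    methods = cfg.get("methods") or []
    if not methods:
        problems.append("no method filter: every Orca operation would be exposed")
    extra = set(methods) - ALLOWED_METHODS
    if extra:
        problems.append(f"mutating methods not allowed: {sorted(extra)}")
    if cfg.get("require_api_token_auth") is not True:
        problems.append("require_api_token_auth must be true so a leaked URL alone grants nothing")
    expires = payload.get("expires_at")
    if not expires:
        problems.append("expires_at missing: server would never be destroyed")
    else:
        when = datetime.fromisoformat(expires.replace("Z", "+00:00"))
        if when <= now:
            problems.append("expires_at is already in the past")
        elif when - now > timedelta(hours=MAX_LIFETIME_HOURS):
            problems.append("expires_at exceeds the 7-day maximum lifetime")
    return problems
```

Run policy_violations on the payload before issuing the POST and abort the provisioning step if the list is non-empty.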

The Path Forward for Agentic Security

Security teams are drowning in context-switching. Forcing engineers to jump between Jira, Slack, and the Orca Security dashboard to triage a single vulnerability burns valuable time during an active incident.

By leveraging the Model Context Protocol, you abstract away the API layer entirely. You no longer have to write custom scripts to parse Orca's DSL or navigate their pagination schemas. Generating a managed MCP server via Truto turns your entire cloud security inventory into an intelligent, queryable graph accessible directly from ChatGPT. Stop building boilerplate integration code and start automating your DevSecOps pipelines.

FAQ

How does ChatGPT handle Orca Security API rate limits?
Truto does not retry or absorb rate limits. It passes HTTP 429 errors directly to the LLM, standardizing the response with IETF ratelimit-limit, ratelimit-remaining, and ratelimit-reset headers. You must instruct the LLM to read these headers and implement its own backoff strategy.
Can I restrict ChatGPT to read-only access for Orca Security?
Yes. When generating your MCP server in Truto, you can pass a method filter such as config.methods: ["read"] to ensure ChatGPT can only list assets and alerts, preventing it from launching scans or modifying configurations.
Does Truto cache my Orca Security asset data?
No. Truto operates as a real-time pass-through proxy layer. When an LLM calls a tool, the request is executed live against the Orca Security API and passed back in the JSON-RPC response. No underlying customer cloud data is stored.
