---
title: "Connect Orca Security to Claude: Analyze CVEs and Security Risks"
slug: connect-orca-security-to-claude-analyze-cves-and-security-risks
date: 2026-06-09
author: Uday Gajavalli
categories: ["AI & Agents"]
excerpt: "Learn how to connect Orca Security to Claude using a managed MCP server. Automate CVE triage, analyze security risks, and execute custom DSL queries."
tldr: "A complete engineering guide to generating a managed MCP server for Orca Security using Truto. Connect Orca to Claude to automate vulnerability triage, query cloud assets, and manage security alerts without maintaining custom integration code."
canonical: https://truto.one/blog/connect-orca-security-to-claude-analyze-cves-and-security-risks/
---

# Connect Orca Security to Claude: Analyze CVEs and Security Risks


If your team needs to connect Orca Security to Claude to automate vulnerability triage, analyze CVEs, or run security compliance audits, you need a [Model Context Protocol (MCP) server](https://truto.one/what-is-mcp-and-mcp-servers-and-how-do-they-work/). This server acts as the translation layer between Claude's natural language tool calls and Orca Security's REST APIs. You can either build and maintain this infrastructure yourself, or use a [managed integration platform like Truto](https://truto.one/managed-mcp-for-claude-full-saas-api-access-without-security-headaches/) to dynamically generate a secure, authenticated MCP server URL. If your team uses ChatGPT, check out our guide on [connecting Orca Security to ChatGPT](https://truto.one/connect-orca-security-to-chatgpt-query-cloud-assets-and-alerts/) or explore our broader architectural overview on [connecting Orca Security to AI Agents](https://truto.one/connect-orca-security-to-ai-agents-automate-scans-and-remediation/).

Giving a Large Language Model (LLM) read and write access to a sprawling enterprise security platform like Orca is an engineering challenge. You have to handle session tokens, map massive nested JSON schemas for assets and alerts into MCP tool definitions, and deal with complex Domain Specific Language (DSL) queries. Every time the API updates, you have to update your server code, redeploy, and test the integration. This guide breaks down exactly how to use Truto to generate a secure, managed MCP server for Orca Security, connect it natively to Claude Desktop, and execute complex security workflows using natural language.

## The Engineering Reality of the Orca Security API

A custom MCP server is a self-hosted integration layer that translates JSON-RPC requests into HTTP REST calls. While the open MCP standard provides a predictable way for models to discover tools, the reality of implementing it against an advanced Cloud Security Posture Management (CSPM) API like Orca is painful.

If you decide to build a custom MCP server for Orca Security, you own the entire API lifecycle. Here are the specific challenges you will face:

**Complex DSL Querying**
Orca Security relies heavily on a Domain Specific Language (DSL) for filtering assets, alerts, and inventory (e.g., via the `list_all_orca_security_query_alerts` endpoint). If you expose a raw REST endpoint to Claude without strict schema guidance, the model will frequently hallucinate DSL syntax or fail to construct valid filter parameters. Translating the API's query catalog into a format an LLM can reliably execute requires deep schema mapping.

**Massive, Nested Data Models**
Orca does not return flat records. A single alert object contains deeply nested arrays for `asset_details`, `rule_information`, `compliance_status`, and `cloud_provider_information`. Writing and maintaining accurate JSON Schemas for these responses - so the LLM understands exactly what it is reading - is tedious. A [managed MCP server](https://truto.one/auto-generated-mcp-tools-for-ai-agents-a-2026-architecture-guide/) derives these schemas dynamically from the integration documentation, ensuring the model always has the correct structural context.

**Rate Limits and Bulk Query Exhaustion**
Security APIs are frequently rate-limited to protect system performance, especially when executing massive inventory queries. **Truto does not magically retry or absorb rate limit errors.** When an upstream API like Orca returns an HTTP `429 Too Many Requests`, Truto passes that error directly to the caller. However, Truto normalizes the upstream rate limit information into standardized IETF headers (`ratelimit-limit`, `ratelimit-remaining`, `ratelimit-reset`). It is the responsibility of the caller (your agent framework or Claude) to read these headers and implement appropriate retry and exponential backoff logic. 

Instead of building this entire integration layer from scratch, Truto normalizes authentication and schema generation, exposing Orca Security's endpoints as ready-to-use MCP tools.

## How to Generate an Orca Security MCP Server with Truto

Truto dynamically generates MCP tools from an integration's configured resources and documentation. To get started, you need to create an MCP server scoped to a specific integrated account. You can do this via the Truto UI or programmatically via the API.

### Method 1: Via the Truto UI

For ad-hoc analysis or testing, generating a server through the dashboard takes seconds.

1. Navigate to the integrated account page for your connected Orca Security instance.
2. Click the **MCP Servers** tab.
3. Click **Create MCP Server**.
4. Select your desired configuration (e.g., naming the server, filtering for specific tags or read-only methods).
5. Click **Create** and copy the generated MCP server URL (e.g., `https://api.truto.one/mcp/a1b2c3d4e5f6...`).

### Method 2: Via the Truto API

For production workflows, you can generate MCP servers dynamically. The API validates that the integration is AI-ready, generates a cryptographically secure token, and returns a ready-to-use URL.

**Endpoint:** `POST /integrated-account/:id/mcp`

```typescript
const response = await fetch('https://api.truto.one/integrated-account/<YOUR_INTEGRATED_ACCOUNT_ID>/mcp', {
  method: 'POST',
  headers: {
    'Authorization': 'Bearer YOUR_TRUTO_API_KEY',
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({
    name: "Orca Security CVE Analysis",
    config: {
      methods: ["read", "list", "get"], // Restrict to safe operations
      require_api_token_auth: false
    },
    expires_at: "2026-12-31T23:59:59Z"
  })
});

const mcpServer = await response.json();
console.log(mcpServer.url); // Pass this URL to your MCP client
```

## Connecting Orca Security to Claude

Once you have your Truto MCP server URL, you need to register it with Claude. You can do this through the Claude Desktop application or via a standard JSON configuration file.

### Method A: Via the Claude UI

If you are using Claude Desktop or an enterprise workspace that supports UI-based connector management:

1. Open Claude Settings.
2. Navigate to **Integrations** or **Connectors** (depending on your tier).
3. Click **Add MCP Server** or **Add custom connector**.
4. Paste the Truto MCP URL.
5. Click **Add**. Claude will automatically ping the server, execute the initialization handshake, and load the available Orca Security tools.

### Method B: Via Manual Config File

For developer environments, you can configure Claude Desktop using the `claude_desktop_config.json` file. Because Truto's MCP endpoints use HTTP POST, we use the `@modelcontextprotocol/server-sse` transport adapter to translate standard I/O into Server-Sent Events.

Update your config file (typically located at `~/Library/Application Support/Claude/claude_desktop_config.json` on macOS):

```json
{
  "mcpServers": {
    "orca_security": {
      "command": "npx",
      "args": [
        "-y",
        "@modelcontextprotocol/server-sse",
        "--url",
        "https://api.truto.one/mcp/<YOUR_TRUTO_TOKEN>"
      ]
    }
  }
}
```

Restart Claude Desktop. You will see a new hammer icon in the input bar indicating that the Orca Security tools are connected and ready.

## Essential Orca Security Tools for Claude

Truto dynamically transforms Orca Security API endpoints into descriptive, snake_case tools. Here are the highest-leverage tools available for your security agent.

### list_all_orca_security_alerts

Retrieves standard alerts from the Orca platform. This is the primary entry point for triaging security issues, providing detailed information about alert attributes, related assets, and compliance status.

> "Fetch the latest 50 alerts from Orca Security. Filter the list to only show alerts with a 'critical' severity level and group them by cloud provider."

### get_single_orca_security_alert_by_id

Retrieves deep diagnostic details for a specific alert. The response contains extended information including step-by-step remediation details, compliance status, and granular asset connectivity details.

> "I need more details on alert ID 'alrt-89234'. Retrieve the specific alert and summarize the recommended remediation actions and the current verification status."

### list_all_orca_security_alerts_vulns_malware

Specifically retrieves alerts related to vulnerabilities and malware. The schema includes deep CVE details, CVSS scores, exploit data, and information on whether a patch or fix is available for the affected package.

> "Query Orca for vulnerability alerts related to malware. Identify any critical alerts that have a known fix available and list the affected cloud assets."

### list_all_orca_security_assets

Retrieves the foundational inventory of assets monitored by Orca. The payload includes asset types, scan status, associated cloud accounts, state, and Orca tags.

> "Pull the list of all AWS assets scanned in the last 24 hours. Are there any EC2 instances currently marked in a degraded scan state?"

### list_all_orca_security_cloud_accounts

Retrieves a high-level list of connected cloud accounts (AWS, GCP, Azure). This tool is critical for mapping the scope of an incident across your infrastructure, returning onboarding status, DSPM setup, and scan limitations.

> "List all connected GCP cloud accounts in our Orca environment. Highlight any accounts where the onboarding status is incomplete or where DSPM is not configured."

### create_a_orca_security_scan

Triggers an active security scan for a specific asset. This allows Claude to move beyond read-only triage and actively command Orca to reassess an asset after a configuration change.

> "We just deployed a patch to asset ID 'ast-5512'. Trigger a new Orca Security scan for this asset to verify that the vulnerability has been resolved."

For the complete inventory of available tools, query parameters, and schema definitions, visit the [Orca Security integration page](https://truto.one/integrations/detail/orcasecurity).

## Workflows in Action

When connected via MCP, Claude can chain multiple Orca Security tools together to execute complex, multi-step incident response workflows.

### Scenario 1: Zero-Day Vulnerability Triage

When a new critical CVE is announced, security engineers waste hours mapping the vulnerability to their infrastructure. Claude can automate this entirely.

> "Find all critical alerts related to CVE-2024-3094. Once you have the alerts, list the specific cloud accounts affected, and then retrieve the detailed asset state for the most critical machine."

**Step-by-step execution:**
1. Claude calls `list_all_orca_security_alerts_vulns_malware` filtering for the specific CVE ID and sorting by critical severity.
2. Claude extracts the cloud account IDs from the vulnerability response.
3. Claude calls `get_single_orca_security_cloud_account_by_id` to retrieve the account owners and metadata.
4. Claude calls `list_all_orca_security_assets` to pull the precise configuration state of the impacted machines.
5. Claude outputs a formatted incident response briefing, complete with asset IDs, account owners, and exact patch availability status.

### Scenario 2: Compliance Auditing and Automated Rescanning

Compliance teams frequently need to ensure that remediated assets are actually verified by the platform before closing a ticket.

> "Check the current state of alert ID 'alrt-9942'. If the alert is still open, check the associated asset. If the asset shows recent patching activity, initiate a new security scan on that asset to clear the alert."

**Step-by-step execution:**
1. Claude calls `get_single_orca_security_alert_by_id` and analyzes the `current_status` and `verification_status`.
2. Recognizing the alert is open, Claude extracts the associated asset ID and calls `list_all_orca_security_assets` to inspect the asset state.
3. Claude calls `create_a_orca_security_scan`, passing the asset ID to force Orca to re-evaluate the target.
4. Claude returns a summary stating the scan has been queued and provides the tracking ID.

## Security and Access Control

Giving an AI agent access to a CSPM platform requires strict governance. Truto's MCP servers are designed with enterprise security constraints by default.

*   **Method Filtering:** You can restrict a server to safe operations. By passing `methods: ["read"]` during creation, the server will only expose `get` and `list` endpoints. Tools like `create_a_orca_security_scan` are structurally omitted from the server entirely.
*   **Tag Filtering:** Integration resources can be tagged (e.g., `inventory`, `compliance`). You can configure the MCP server to only expose tools matching specific tags, ensuring an agent built for compliance checking cannot access malware alerts.
*   **Time-to-Live (TTL):** By defining an `expires_at` timestamp, you can provision ephemeral MCP servers. Truto uses distributed key-value storage and durable alarms to permanently evict the token at the exact second of expiration. Lookups fail immediately.
*   **Double Authentication (`require_api_token_auth`):** By default, possessing the MCP URL grants access. By setting `require_api_token_auth: true`, the caller must *also* pass a valid Truto API token in the `Authorization` header. This ensures that if an MCP URL leaks in a log file, it remains completely useless without the underlying developer credential.

## Automate Cloud Security Posture Operations

Connecting Orca Security to Claude transforms your LLM from a passive knowledge base into an active security operator. By abstracting away the pain of DSL parsing, nested JSON mapping, and authentication lifecycles, Truto lets your engineering team focus on building intelligent security runbooks rather than maintaining connector boilerplate.

Stop writing custom integration code for complex vendor APIs. Use a [managed infrastructure layer](https://truto.one/auto-generated-mcp-tools-for-ai-agents-a-2026-architecture-guide/) to securely expose your enterprise systems to AI agents.

:::cta{buttonText="Talk to us" buttonUrl="https://cal.com/truto/partner-with-truto"} 
Want to connect Orca Security to your AI agents in production? Learn how Truto's managed MCP servers eliminate integration tech debt.
:::