What is ORCA by Giraffe?

ORCA is an intelligent traffic mirroring and monitoring tool developed by Giraffe. It works by receiving mirrored copies of HTTP requests via Nginx and comparing them against developer-defined API schemas imported from Postman collections. Unlike traditional WAFs, ORCA specifically detects payload structure deviations such as extra fields, wrong data types, and missing required fields.

How does ORCA differ from a traditional WAF?

Traditional WAFs look for known attack patterns. ORCA takes a different approach — it validates every incoming request against the exact API contract defined by your developers via Postman collections. If someone adds an extra field like 'role' or 'is_admin' to a payload, or sends a number where a string is expected, ORCA flags it as suspicious immediately.

How does ORCA integrate with Nginx?

ORCA uses Nginx's built-in mirror directive. You add two location blocks to your nginx.conf: the main route proxies to your application (e.g., Laravel on port 9000), and a mirror route sends an identical copy of each request to ORCA's Go service on port 8081. The mirror is internal-only and adds zero latency to your production traffic.

What is Postman collection import in ORCA?

You can upload your Postman collection file (.postman_collection.json) to ORCA. It automatically parses every endpoint — learning the allowed HTTP methods, headers, URL paths, payload field names, data types, and nested structures. This becomes the baseline schema that all incoming mirrored requests are validated against.

Coming Soon

ORCA

Intelligent Traffic Mirroring & Monitoring

Import your Postman collection — ORCA learns every endpoint's exact structure. It silently mirrors production traffic, compares each request against your developer-defined schema, and instantly flags any payload that doesn't match — extra fields, wrong types, or modified structures.

Architecture

How ORCA Works

ORCA uses Nginx request mirroring to silently duplicate traffic to a Go-based analysis service. Your app never knows it's being watched.

TRAFFIC FLOW DIAGRAM LIVE

Client Browser / API

REQUEST

Nginx Proxy + Mirror

PROXY

Laravel :9000

MIRROR

ORCA Go :8081

whitelist.yml — ORCA Rule Engine

GET /api/v1/users/* ALLOWED

POST /api/v1/auth/login ALLOWED

POST /api/v1/admin/exec BLOCKED

DELETE /api/v1/users/../../../etc/passwd SUSPICIOUS

GET /api/v1/products?page=* ALLOWED

Capabilities

Why Teams Choose ORCA

Zero-impact traffic analysis with powerful whitelist-based threat detection

Traffic Mirroring

Nginx mirrors every request to ORCA without affecting your app's response time or behavior

Postman Import

Upload your Postman collection — ORCA learns exact endpoints, headers, payload structures, and data types

Schema Enforcement

If a request adds extra fields, changes types, or deviates from the developer-defined structure — it's flagged

Full Request Logging

Every mirrored request is logged with headers, body, IP, payload diff, and schema analysis verdict

Go-Powered Speed

Built in Go for sub-millisecond analysis. Handles thousands of concurrent requests effortlessly

Zero Interference

ORCA only observes — it never modifies, blocks, or slows down your production traffic

Not just another WAF or monitoring tool

The Core Difference

You Define the Contract.
ORCA Enforces It.

Upload your Postman collection — ORCA learns every endpoint's exact structure: methods, headers, payload fields, and types. Any deviation is instantly flagged.

Import Postman Collection

Upload your Postman folder and ORCA instantly knows every endpoint — the exact headers, payload structure, data types, and allowed values your developer defined.

my-api-collection.postman_collection.json

Developer Defined Schema POSTMAN

POST /users/update-information

{ "username": "[email protected]" // string, email "user_information": { "first_name": "something" // string "last_name": "something" // string } }

Incoming Request MIRRORED

Schema Violation Detected

Request to POST /users/update-information contains fields not defined in schema: role, is_admin. This is a potential privilege escalation attempt.

Source IP: 185.234.72.19 — Flagged for review

ORCA doesn't guess what's suspicious. You upload your Postman collection — the exact endpoints, payloads, and types your developers defined. If someone sends a request with extra fields, wrong types, or modified structure — even via Postman, fetch, curl, anything — ORCA catches it instantly and shows you the IP, the diff, and the intent.

Educational

How ORCA Records Logs

From incoming request to actionable insight — here's what happens in milliseconds

Nginx Captures

Nginx receives the client request and mirrors an identical copy to ORCA's Go service on port 8081

ORCA Analyzes

The Go service parses headers, body, method, path, and IP — then compares each field against your imported Postman schema

Classify & Tag

Each request is tagged as CLEAN, WARNING, or SUSPICIOUS — extra fields? Wrong types? Missing payload? ORCA knows the exact diff

Store & Alert

Logs are stored with full context. Suspicious requests trigger real-time alerts to your security team

nginx.conf

# Main application route
location / {
    mirror /mirror; Duplicates request
    proxy_pass http://myapp:9000; Your Laravel app
}
# ORCA mirror endpoint
location /mirror {
    internal; Not publicly accessible
    proxy_pass http://orca:8081; ORCA Go service
}

Just two blocks in your nginx.conf — that's all it takes to enable ORCA mirroring

ORCA

How ORCA Works

Why Teams Choose ORCA

You Define the Contract.
ORCA Enforces It.

Import Postman Collection

How ORCA Records Logs

ORCA Log Stream

Get Early Access

ORCA

How ORCA Works

Why Teams Choose ORCA

You Define the Contract.ORCA Enforces It.

Import Postman Collection

How ORCA Records Logs

ORCA Log Stream

Get Early Access

You Define the Contract.
ORCA Enforces It.