C6 Bank Strengthens Cybersecurity as a Core Value with Orca Security

Full-service digital banking serves millions across Brazil

Launched in 2019, Brazil’s C6 Bank is growing rapidly as a full-service digital bank. With more than 25 million customers on its digital platform today, C6 Bank is one of the fastest banks in the West to have reached 1 million customers. The company began with 15 employees and has grown to a workforce of around 4,000 people. The impressive start caught the attention of JPMorgan Chase, which took a 40% stake in C6 Bank in 2021.

The bank offers a range of services, including checking and savings accounts, debit and credit cards, toll tags, multi-currency global accounts, investments, and lending products. C6 Bank serves individuals as well as small and mid-sized businesses, and has accounts opened in all of Brazil’s 5,570 municipalities.

Jose Luiz Santana is one of the bank’s founding members. He is also the Chief Information Security Officer. “We are a digital bank with no branches,” says Santana. “Our main goal is to provide financial services to the Brazilian market in an easy, high-tech way that helps our customers to have a good relationship with money. We want to help people achieve their goals and the objectives in their lives.”

C6 Bank is a recognized leader for its security program

Santana says the bank is totally cloud-first. From the bank’s inception, the founders placed a high priority on security. “We view security as one of the most important pillars for our company,” says Santana. “It’s a business enabler and a competitive advantage for us. From the CEO on down, everyone embraces the principles of security.”


“Security is a business enabler and a competitive differentiator for C6 Bank.”
Jose Luiz Santana



Santana brought a background in both technology and financial services as part of the founding team. Over the years, he has built what is widely recognized as one of the most talented and skilled teams of security experts in Brazil. “We have set expectations, not only within the bank but in the broader Brazilian business community, that our security team is a leader in the ideas and projects that we bring forth in cybersecurity.”

Everton Souza concurs. Souza is the Global Security Director of C6 Bank’s systems integration partner, Oplium. “C6 Bank has the highest level of cybersecurity maturity,” says Souza. “Many companies – not just in financial services but all industries – see C6 Bank as the trend-setter in terms of their security program and the tools they use.”

Partnering with Orca Security to improve cloud security outcomes

Santana went to the RSA Conference and met with Avi Shua, Chief Innovation Officer and Co-Founder of Orca Security, in the exhibit hall, where they discussed Orca’s vision for cloud security. Santana learned what the Orca tool can do now and what is planned for the future. “That sold me,” he says. “I bought into the vision of what Orca will do in the future. Of course, what the tool does now is pretty cool, too. It’s very similar to what I want and how I think that security controls in the cloud environment should be.”


“Orca’s vision for security closely matches our own vision. That’s what sold me on Orca.”
Jose Luiz Santana



Orca is integral to securing Infrastructure-as-Code (IaC)

What he likes about Orca is what can be done with metadata. “It’s the ability to use all the metadata of the cloud provider to build your controls and to give you insights to prevent and detect threats,” says Santana. “C6 Bank built the cloud environment using Infrastructure-as-Code, so every security engineer we hire has to know how to code. It’s not the development environment; it’s all the infrastructure environment, but I want to merge the two things because that’s what cloud enables you to do.” 

His team has not implemented Orca’s capabilities as part of their build and deploy or development pipeline yet, but that is the goal. “Today we have Orca working alongside our development pipeline,” says Santana. “We’re setting up automation to get the approval from the security group, which is built on my code repository. Someone submits a security group rule by a pull request and a security team member approves that pull request because it’s just code. That’s the mindset here.”

Santana says that Orca has the same approach. “I can do everything about security with the information from Orca because it’s all about infrastructure as it relates to code. It’s a level of abstraction that the cloud provides. And this is cool because I’m planning for Orca to provide my vulnerability assessment too. Orca provides guidance on how to enable remediation, as well as monitoring and threat hunting. The information is all there in a single platform.”  

The value of the Orca Platform is in its versatility

The Orca Platform fulfills C6 Bank’s need for a variety of security functions. “The versatility of the tool increases the return on our investment,” Santana explains. “Something could be a threat, and Orca maps it to the MITRE ATT&CK Framework to ease identifying where the threat is, and at what level and at what stage, so that we can prioritize what to solve first. We view Orca as cloud security posture management, cloud workload protection, vulnerability assessment management, and incident response in a single solution. As a CISO, I’m happy to get so much out of one tool.”

C6 Bank also uses Orca to demonstrate compliance with a variety of regulations. As a financial services company, the bank must satisfy both Brazilian and U.S. regulators. “We have to provide information to FINRA and other federal regulators, and Orca eases the collection of information and reporting,” says Santana.

Oplium’s Souza adds that Orca helps his team see the real situation of the health of cloud security. “We can get to so many different points inside the C6 Bank cloud to see, for example, problems with the paths, or with a suspicious comportment.”