⚠️ Problem Statement: In a post-compromise scenario targeting a hybrid multi-cloud estate, an adversary dwelling inside an AWS workload for 47 days is not detected by SIEM alone — because the attack chain spans IAM misconfiguration, a vulnerable container image, and a permissive cross-account role. No single legacy tool sees the full blast radius. This is the exact kill chain Wiz security was architected to destroy.
Executive Summary (TL;DR)
The shift to cloud-native architectures — containers, serverless functions, and multi-cloud environments — has rendered traditional perimeter security obsolete. Wiz security has emerged as the market leader in the Cloud-Native Application Protection Platform (CNAPP) space by solving the industry’s biggest headache: contextual visibility across heterogeneous cloud fabrics.
On March 11, 2026, Google completed its $32 billion all-cash acquisition of Wiz — the largest in Google’s history — signaling that cloud security is now a boardroom-level infrastructure investment, not just a tool purchase.
- 🔵 Agentless SideScanning: Deep OS-level inspection without production impact, deployed in minutes via RBAC-gated API connections.
- 🔵 The Security Graph: Context-aware risk prioritization that reduces 10,000 CVEs to a single actionable “Toxic Combination” — the killer feature that makes Wiz CSPM operationally superior.
- 🔵 Detection Engineering: Sigma rules, KQL queries, and Python automation hooks allow L2/L3 analysts to operationalize Wiz findings directly into SIEM/SOAR pipelines.
- 🔵 Post-Acquisition Roadmap: Wiz will maintain multi-cloud neutrality (AWS, Azure, OCI) under Google Cloud while delivering a “unified security platform” with expanded AI threat detection capabilities.
The Technical Anatomy of Wiz Security
To understand wiz security, you must first understand the architectural flaw it was designed to fix. Traditional security tools operate in silos. You have one tool for vulnerabilities (CVEs), another for cloud configuration (CSPM), and a third for identity permissions (CIEM). Each generates its own alert queue. Each requires its own team.
Wiz unifies these disciplines by treating the entire cloud infrastructure as a property graph. It connects to your cloud environment (AWS, Azure, GCP, OCI, Kubernetes) via native API and performs a deep-layer assessment of every node and edge in your stack. The result is a live attack surface model — not a flat spreadsheet of findings.
The “SideScanning™” Technology — Deep Technical Breakdown
Wiz’s claim to fame is its patented SideScanning™ technology. Here is the exact technical execution chain:
- API Connection: You grant Wiz a cross-account IAM Role (e.g.,
WizSecurityAuditRolein AWS) with read-only permissions scoped to SecurityAudit + specific ListBucket / DescribeInstances actions. No agents. No network probes. - Snapshotting: Wiz triggers a native cloud snapshot of the workload’s root volume using the cloud provider’s own snapshot APIs (e.g.,
ec2:CreateSnapshoton AWS). - Out-of-Band Analysis: The snapshot is copied to a secure, ephemeral scanner running inside the same cloud region. This avoids cross-region data transfer charges and keeps data in-jurisdiction — critical for GDPR/SOC 2 compliance.
- Deep Inspection: The ephemeral runner mounts the snapshot and analyzes the OS layer: installed packages (rpm/dpkg/apk), secrets in file system paths, running process inventory from /proc, kernel configuration, and open network ports.
- Destruction: After analysis — typically 4–15 minutes — the snapshot and runner are cryptographically wiped and destroyed. No persistent footprint.
📐 Architecture Ratio Note: Wiz’s agentless model shifts the compute burden from your workload (0% CPU tax) to Wiz’s ephemeral infrastructure (100% isolated). The trade-off: scan frequency defaults to every 24 hours, not real-time. The new Runtime Sensor bridges this gap for event-driven detection. See the IR Workflow section for how to compensate.
The Wiz Security Graph — Property Graph Architecture
The Security Graph is a Neo4j-style property graph database that maps every cloud asset and its relationships. Nodes represent cloud objects (VMs, S3 buckets, IAM roles, container images, secrets). Edges represent relationships (has_permission, exposed_to, contains, deployed_from).
This enables path-based queries that flat CSPM tools cannot execute. The canonical example is the “Toxic Combination” — a risk that only becomes critical when multiple conditions intersect:
Real-World Toxic Combination — Fintech Scenario:
A standard vulnerability scanner reports 10,000 instances of CVE-2024-XXXX (CVSS 6.5) in a Linux library. Your team cannot patch 10,000 servers overnight. Wiz’s graph queries reveal:
Out of 10,000 instances, exactly one has this condition stack:
✦ Vulnerable library version confirmed (Vuln node)
✦ Security group allows inbound 0.0.0.0/0 on port 443 (Network node)
✦ Hard-coded AWS_SECRET_ACCESS_KEY in /etc/app/config.env (Secrets node)
✦ Attached IAM role has s3:GetObject on arn:aws:s3:::prod-customer-data/* (Identity node)
Core Platform Capabilities — L3 Technical View
1. Wiz CSPM (Cloud Security Posture Management)
Wiz CSPM continuously evaluates cloud configuration against CIS Benchmarks, NIST SP 800-53, PCI DSS, SOC 2, and custom policy frameworks. Key CloudTrail event fields consumed for configuration drift detection:
eventName: PutBucketAcl— S3 ACL modification (immediate alert if Public)eventName: AuthorizeSecurityGroupIngress— inbound rule added (flag 0.0.0.0/0)eventName: CreateAccessKey— new IAM access key (flag if root account)eventName: ConsoleLogin+additionalEventData.MFAUsed: No— MFA bypass
2. DSPM (Data Security Posture Management)
Most CNAPPs focus on infrastructure. Wiz DSPM scans the actual content of buckets and databases (RDS, S3, Blob Storage, BigQuery) to detect PII, PCI, and PHI data using regex classifiers and ML-based pattern matching. Result: you stop chasing empty S3 buckets. You only alert on buckets that contain sensitive data AND are misconfigured.
3. KSPM (Kubernetes Security Posture Management)
Wiz KSPM maps cluster architecture at the control plane level, ingesting the Kubernetes API server audit log to detect:
- Pods running with
privileged: trueorhostPID: true - ServiceAccounts with
cluster-adminrole binding - Container images with critical CVEs in the registry before runtime deployment
- Misconfigured NetworkPolicies allowing unrestricted pod-to-pod communication
4. AI-SPM (AI Security Posture Management)
A critical evolution in the 2025–2026 Wiz cloud security suite. Wiz AI-SPM discovers Shadow AI — unmanaged AI models, training datasets, and AI API endpoints (e.g., SageMaker endpoints, Azure OpenAI deployments, Vertex AI pipelines) spun up by developers without security review. It maps sensitive training data exposure and flags AI models with unrestricted public inference endpoints — a threat vector that became prominent in Google’s cybersecurity forecast for 2026.
5. Runtime Sensor (2024–2026 Evolution)
Historically, Wiz was passive. The new lightweight Runtime Sensor (eBPF-based, ~1% CPU overhead) closes the detection gap between 24-hour snapshot cycles. It streams real-time syscall telemetry to the Wiz platform, enabling:
- Cryptominer process detection (
execveof known miner binaries) - Fileless malware via
memfd_createsyscall monitoring - Lateral movement detection (
sshspawn from unexpected parent process) - C2 beacon detection via anomalous outbound connection patterns
Forensic Artifact Analysis & Detection Logic
In a live incident response engagement, Wiz findings must be operationalized into your SIEM/SOAR layer. The following detection logic covers the most critical Wiz-identified attack patterns.
KQL Query — Microsoft Sentinel: Wiz Toxic Combination to SIEM Correlation
This query correlates Wiz API-exported findings (ingested as a custom log) with Azure Activity Log to identify when a flagged “Toxic Combination” asset generated authentication activity, signaling active exploitation in progress:
🔷 Code Block 1 — KQL (Microsoft Sentinel / Azure Log Analytics)
// SENTINEL KQL: Correlate Wiz "Toxic Combination" findings with live Azure activity
// Source: WizFindings_CL (custom log via Wiz → Sentinel integration)
// Tuning: Adjust severity_s threshold to match your risk appetite
// CloudTrail equivalent fields: eventSource, eventName, userIdentity.arn
// Sysmon Tag Equivalent: EventID 3 (Network Connect) + EventID 1 (Process Create)
let WizCriticalAssets = WizFindings_CL
| where severity_s == "CRITICAL"
| where finding_type_s has_any ("TOXIC_COMBINATION", "ATTACK_PATH")
| project
resource_id_s,
resource_name_s,
subscription_id_s,
finding_title_s,
exposed_secrets_b,
internet_exposed_b,
critical_cve_s,
TimeGenerated
| summarize
ToxicComboCount = count(),
FindingTitles = make_set(finding_title_s),
HasExposedSecret = max(exposed_secrets_b),
HasInternetExposure = max(internet_exposed_b)
by resource_id_s, resource_name_s, subscription_id_s;
// Join against Azure Activity Log for live access events on flagged resources
WizCriticalAssets
| join kind=inner (
AzureActivity
| where TimeGenerated > ago(24h)
| where ActivityStatus has_any ("Succeeded", "Accepted")
| where OperationNameValue has_any (
"MICROSOFT.COMPUTE/VIRTUALMACHINES/START",
"MICROSOFT.STORAGE/STORAGEACCOUNTS/LISTKEYS",
"MICROSOFT.KEYVAULT/VAULTS/SECRETS/READ",
"MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE"
)
| project
ActivityTime = TimeGenerated,
CallerIpAddress,
Caller,
OperationNameValue,
ResourceId = tolower(ResourceId),
CorrelationId
)
on $left.resource_id_s == $right.ResourceId
| extend
RiskScore = case(
HasExposedSecret == true and HasInternetExposure == true, "CRITICAL — Active Exploitation Likely",
HasExposedSecret == true, "HIGH — Credential Theft Risk",
HasInternetExposure == true, "HIGH — Lateral Movement Risk",
"MEDIUM"
)
| project
ActivityTime,
resource_name_s,
CallerIpAddress,
Caller,
OperationNameValue,
FindingTitles,
RiskScore,
CorrelationId
| sort by ActivityTime desc
// Alert threshold: any result = P1 incident, page on-call IMMEDIATELYSigma Rule — Cloud Attack Path: IAM Privilege Escalation via Wiz-Detected Misconfiguration
This Sigma rule targets the specific MITRE ATT&CK technique TA0004 (Privilege Escalation) / T1078.004 (Cloud Accounts) that Wiz attack path analysis commonly surfaces. Deploy to any Sigma-compatible SIEM backend (Splunk, Elastic, QRadar).
🔷 Code Block 2 — Sigma Rule (Cloud IAM Privilege Escalation)
# Sigma Rule: Cloud IAM Privilege Escalation — Wiz Attack Path Operationalization
# MITRE ATT&CK: TA0004 / T1078.004 / T1098.001
# Wiz Finding Type: ATTACK_PATH_PRIVILEGE_ESCALATION
# CloudTrail EventSource: iam.amazonaws.com | sts.amazonaws.com
# Sysmon Equivalent: N/A (Cloud-native — no Sysmon for AWS)
# Author: SolideInfo Security Research Team
# Date: 2026-03-13
# Version: 2.1
# Status: production
title: Cloud IAM Privilege Escalation via Assumed Cross-Account Role
id: a7f2e3d1-8c4b-4a91-b2f6-9e5d0c3a1b7f
status: production
description: |
Detects privilege escalation pattern where a low-privilege identity assumes a
cross-account role with elevated permissions — a Wiz CSPM attack path that
precedes lateral movement to sensitive data. Maps to Wiz "Toxic Combination"
involving over-permissive trust policies on cross-account roles.
references:
- https://attack.mitre.org/techniques/T1078/004/
- https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
author: SolideInfo Security Research Team
tags:
- attack.privilege_escalation
- attack.t1078.004
- attack.t1098.001
- wiz.attack_path
- wiz.cspm
logsource:
product: aws
service: cloudtrail
detection:
selection_assume:
eventSource: 'sts.amazonaws.com'
eventName: 'AssumeRole'
requestParameters.roleArn|contains:
- ':role/Admin'
- ':role/PowerUser'
- ':role/OrganizationAccountAccessRole'
- ':role/AWSControlTowerExecution'
filter_legitimate:
userIdentity.type: 'Service'
userIdentity.invokedBy|contains:
- 'cloudformation.amazonaws.com'
- 'lambda.amazonaws.com'
selection_cross_account:
# Triggered when caller account differs from role account (cross-account assumption)
userIdentity.accountId|not_contains: '${TRUSTED_ACCOUNT_IDS}'
selection_after_hours:
# Optional: Enrich with time-based anomaly
# eventTime|re: '(0[0-9]|1[0-9]|2[0-3]):(0[0-9]|[1-5][0-9])' — all times
errorCode: 'null' # Successful assumption only
condition: selection_assume and not filter_legitimate and selection_cross_account
falsepositives:
- Authorized third-party security tooling (Wiz itself, Datadog, Lacework)
- Approved cross-account deployments via CI/CD pipelines (allowlist in filter)
- AWS Organizations management account activity
level: high
fields:
- userIdentity.arn
- userIdentity.accountId
- requestParameters.roleArn
- requestParameters.roleSessionName
- sourceIPAddress
- userAgent
- recipientAccountIdPython — Automated Wiz Finding to Jira/Slack Escalation Pipeline
This script automates the operationalization of Wiz API findings. It pulls critical findings via the Wiz GraphQL API, enriches with MITRE ATT&CK mapping, and escalates to Jira and Slack with SLA timestamps — eliminating the manual triage bottleneck that burns L2 analyst time.
🔷 Code Block 3 — Python (Wiz API → SOAR Escalation Pipeline)
#!/usr/bin/env python3
"""
wiz_soar_pipeline.py — Wiz Security Finding → SOAR Escalation
Author: SolideInfo Security Research Team
Version: 2.0.1 | 2026-03-13
Requirements: pip install requests python-dateutil slack_sdk jira
MITRE ATT&CK Mappings:
- T1098.001 (Additional Cloud Credentials) → Wiz: EXPOSED_SECRET
- T1190 (Exploit Public-Facing Application) → Wiz: TOXIC_COMBINATION
- T1078.004 (Cloud Accounts) → Wiz: ATTACK_PATH_PRIVILEGE_ESCALATION
- T1530 (Data from Cloud Storage) → Wiz: EXPOSED_SENSITIVE_DATA
CloudTrail Events Monitored: See KQL block above.
Sysmon EventID Cross-Reference: Not applicable (cloud-native).
"""
import os
import json
import logging
from datetime import datetime, timezone, timedelta
from typing import Optional
import requests
from slack_sdk import WebClient
from jira import JIRA
# ── CONFIG ────────────────────────────────────────────────────────────────────
WIZ_CLIENT_ID = os.environ["WIZ_CLIENT_ID"]
WIZ_CLIENT_SECRET = os.environ["WIZ_CLIENT_SECRET"]
WIZ_AUTH_URL = "https://auth.app.wiz.io/oauth/token"
WIZ_API_URL = "https://api.us1.app.wiz.io/graphql"
SLACK_TOKEN = os.environ["SLACK_BOT_TOKEN"]
SLACK_SOC_CHANNEL = "#soc-critical-alerts"
JIRA_SERVER = os.environ["JIRA_SERVER"]
JIRA_USER = os.environ["JIRA_USER"]
JIRA_TOKEN = os.environ["JIRA_API_TOKEN"]
JIRA_PROJECT = "SECINC"
# SLA: Critical findings must be acknowledged within 60 minutes
SLA_CRITICAL_MINUTES = 60
LOOKBACK_HOURS = 1 # Run this script hourly via cron/Lambda
logging.basicConfig(level=logging.INFO, format="%(asctime)s [%(levelname)s] %(message)s")
log = logging.getLogger("wiz_soar")
# MITRE ATT&CK enrichment map — keyed on Wiz finding type
MITRE_MAP = {
"EXPOSED_SECRET": {"technique": "T1552.001", "tactic": "Credential Access"},
"TOXIC_COMBINATION": {"technique": "T1190", "tactic": "Initial Access"},
"ATTACK_PATH_PRIVILEGE_ESCALATION": {"technique": "T1078.004", "tactic": "Privilege Escalation"},
"INTERNET_EXPOSED_SENSITIVE_DATA": {"technique": "T1530", "tactic": "Collection"},
"LATERAL_MOVEMENT_RISK": {"technique": "T1021.007", "tactic": "Lateral Movement"},
}
def get_wiz_token() -> str:
"""Authenticate to Wiz using OAuth 2.0 Client Credentials."""
resp = requests.post(WIZ_AUTH_URL, data={
"grant_type": "client_credentials",
"client_id": WIZ_CLIENT_ID,
"client_secret": WIZ_CLIENT_SECRET,
"audience": "wiz-api",
}, timeout=15)
resp.raise_for_status()
token = resp.json()["access_token"]
log.info("Wiz token acquired successfully.")
return token
def fetch_critical_findings(token: str, lookback_hours: int = 1) -> list[dict]:
"""
Pull CRITICAL severity findings from Wiz GraphQL API.
Filters: severity=CRITICAL, status=OPEN, created in last N hours.
Returns list of finding dicts enriched with MITRE mapping.
"""
since = (datetime.now(timezone.utc) - timedelta(hours=lookback_hours)).isoformat()
query = """
query GetCriticalFindings($filter: IssueFilters) {
issues(filterBy: $filter first: 50) {
nodes {
id
title
severity
status
type
createdAt
resource {
id
name
type
region
subscription { externalId name }
}
attackPathBased
hasSensitiveData
hasInternetExposure
hasExposedSecret
}
}
}
"""
variables = {
"filter": {
"severity": ["CRITICAL"],
"status": ["OPEN"],
"createdAt": {"after": since},
}
}
headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
resp = requests.post(WIZ_API_URL,
json={"query": query, "variables": variables},
headers=headers, timeout=30)
resp.raise_for_status()
findings = resp.json()["data"]["issues"]["nodes"]
log.info(f"Fetched {len(findings)} CRITICAL findings from Wiz API.")
# Enrich with MITRE ATT&CK data
for f in findings:
mitre = MITRE_MAP.get(f.get("type", ""), {})
f["mitre_technique"] = mitre.get("technique", "T1000")
f["mitre_tactic"] = mitre.get("tactic", "Unknown")
f["sla_deadline"] = (
datetime.fromisoformat(f["createdAt"].replace("Z", "+00:00"))
+ timedelta(minutes=SLA_CRITICAL_MINUTES)
).isoformat()
return findings
def create_jira_ticket(jira: JIRA, finding: dict) -> str:
"""Create a P1 Jira incident ticket from a Wiz critical finding."""
resource = finding.get("resource", {})
summary = f"[WIZ-CRITICAL] {finding['title']} — {resource.get('name', 'Unknown')}"
body = f"""
*Wiz Finding ID:* {finding['id']}
*MITRE ATT&CK:* [{finding['mitre_technique']}] {finding['mitre_tactic']}
*Severity:* CRITICAL
*SLA Deadline:* {finding['sla_deadline']}
*Resource:*
- Name: {resource.get('name')}
- Type: {resource.get('type')}
- Region: {resource.get('region')}
- Account: {resource.get('subscription', {}).get('name')}
*Risk Indicators:*
- Internet Exposed: {finding.get('hasInternetExposure')}
- Exposed Secret: {finding.get('hasExposedSecret')}
- Sensitive Data: {finding.get('hasSensitiveData')}
- Attack Path: {finding.get('attackPathBased')}
*Next Steps:*
1. Isolate workload if actively exploited.
2. Rotate exposed credentials immediately (if hasExposedSecret=true).
3. Restrict security group to private subnet (if hasInternetExposure=true).
4. Review CloudTrail for the last 72h on this resource ARN.
5. Mark resolved in Wiz once mitigated.
_Auto-generated by SolideInfo Wiz SOAR Pipeline v2.0.1_
"""
issue = jira.create_issue(fields={
"project": {"key": JIRA_PROJECT},
"summary": summary,
"description": body,
"issuetype": {"name": "Security Incident"},
"priority": {"name": "Highest"},
"labels": ["wiz-critical", "auto-escalated", finding["mitre_technique"].lower()],
})
log.info(f"Jira ticket created: {issue.key}")
return issue.key
def notify_slack(client: WebClient, finding: dict, jira_key: Optional[str]) -> None:
"""Post a formatted Slack alert for a Wiz critical finding."""
resource = finding.get("resource", {})
flags = []
if finding.get("hasInternetExposure"): flags.append("🌐 Internet Exposed")
if finding.get("hasExposedSecret"): flags.append("🔑 Exposed Secret")
if finding.get("hasSensitiveData"): flags.append("💾 Sensitive Data")
if finding.get("attackPathBased"): flags.append("⚔️ Attack Path")
client.chat_postMessage(
channel=SLACK_SOC_CHANNEL,
blocks=[
{"type": "header",
"text": {"type": "plain_text", "text": "🚨 WIZ CRITICAL FINDING — P1 INCIDENT"}},
{"type": "section",
"fields": [
{"type": "mrkdwn", "text": f"*Finding:*\n{finding['title']}"},
{"type": "mrkdwn", "text": f"*Resource:*\n{resource.get('name')} ({resource.get('type')})"},
{"type": "mrkdwn", "text": f"*Region:*\n{resource.get('region')}"},
{"type": "mrkdwn", "text": f"*MITRE:*\n{finding['mitre_technique']} — {finding['mitre_tactic']}"},
{"type": "mrkdwn", "text": f"*SLA Deadline:*\n{finding['sla_deadline']}"},
{"type": "mrkdwn", "text": f"*Risk Flags:*\n{' | '.join(flags) if flags else 'None'}"},
]},
{"type": "section",
"text": {"type": "mrkdwn",
"text": f"*Jira Ticket:* <{JIRA_SERVER}/browse/{jira_key}|{jira_key}> | "
f"*Wiz Finding:* https://app.wiz.io/issues/{finding['id']}"}},
]
)
log.info(f"Slack notification sent for finding {finding['id']}.")
def main():
token = get_wiz_token()
findings = fetch_critical_findings(token, lookback_hours=LOOKBACK_HOURS)
if not findings:
log.info("No new CRITICAL findings in the last hour. All clear.")
return
jira_client = JIRA(server=JIRA_SERVER, basic_auth=(JIRA_USER, JIRA_TOKEN))
slack_client = WebClient(token=SLACK_TOKEN)
for finding in findings:
try:
jira_key = create_jira_ticket(jira_client, finding)
notify_slack(slack_client, finding, jira_key)
except Exception as err:
log.error(f"Failed to escalate finding {finding['id']}: {err}")
log.info(f"Pipeline complete. Escalated {len(findings)} critical findings.")
if __name__ == "__main__":
main()
IR Workflow: Detection to Eradication with Wiz Security
When a Wiz CRITICAL finding fires, the IR playbook below governs the L2/L3 analyst response. This is not a dashboard exercise — each phase has explicit technical actions, ownership, and SLA gates.

Phase-by-Phase Analyst Actions
Phase 1 — Detection (0–15 min): The Python SOAR pipeline creates the Jira P1 and fires the Slack alert. The on-call L2 analyst acknowledges within the SLA window. Do not dismiss a Wiz alert without CloudTrail validation.
Phase 2 — Analysis (15–45 min): Pull the last 72 hours of CloudTrail logs for the affected resource ARN. Specifically check for: AssumeRole events from unexpected source IPs, GetSecretValue calls against the flagged secret, and RunInstances from the compromised IAM identity. Simultaneously, check CrowdStrike/SentinelOne for active processes on the flagged VM — Wiz found the configuration gap, but EDR tells you if it’s already being exploited.
Phase 3 — Containment (45–90 min): Apply a “Deny-All” Security Group to the flagged VM to cut network access. Rotate all IAM Access Keys associated with the flagged role. If a secret was exposed, rotate it via Secrets Manager and audit all services consuming that secret. Take a forensic snapshot before any remediation to preserve evidence for post-mortem.
Phase 4 — Eradication (90 min → Close): Patch the vulnerability or rebuild the workload from a clean AMI/image. Trigger a manual Wiz rescan to confirm the finding is resolved. Close the Jira P1 with a five-field post-mortem: root cause, detection gap, containment timeline, remediation action, and control improvement.
Google’s $32B Acquisition — What Changes for Enterprise Security Teams
📰 Breaking Update — March 11, 2026: Google has officially completed its acquisition of Wiz for $32 billion in cash, the largest acquisition in Google’s 26-year history. Wiz crossed $1 billion ARR in 2025. Wiz will maintain its brand and multi-cloud neutrality across AWS, Azure, GCP, and OCI.
“This acquisition is an investment by Google Cloud to improve cloud security and enable organizations to build fast and securely across any cloud or AI platform.” — Google
$32B Acquisition Price
$1B+ Wiz ARR (2025)
#1 Google Acquisition (All-Time)
~4K Enterprise Customers
Strategic Implications for L2/L3 Security Teams
Multi-Cloud Neutrality Preserved: This is the most critical operational point. Despite becoming part of Google Cloud, Wiz has explicitly committed to maintaining full support for AWS, Azure, and OCI. Your existing Wiz deployment does not change. No migration required.
Google Chronicle + Wiz Integration: The logical next step is deep integration between Wiz’s Security Graph and Google’s Chronicle SIEM. Expect Wiz finding data to become a first-class source in Chronicle’s UDMS (Unified Data Model), enabling more powerful detection rules that span Wiz posture findings and Chronicle’s live log telemetry — a combination that closes the gap between static posture and dynamic threat detection.
Vertex AI + Wiz AI-SPM: Google’s Vertex AI platform and Wiz’s AI-SPM capability will likely converge into enterprise-grade AI governance controls. For organizations building AI workloads on GCP, this becomes a native control plane — not a bolt-on scanner.
Antitrust-Cleared Multi-Cloud: The deal received EU clearance in February 2026 and US clearance in November 2025. Google committed to preserving Wiz’s interoperability with competing clouds — a binding commitment that enterprise customers should document in their vendor contracts.
Pricing Impact (Near-Term): No announced changes to the workload-based pricing model. However, GCP customers may see bundling options that did not exist pre-acquisition. Monitor the Wiz.io pricing page for Q3 2026 updates.
Scaling with AI/LLMs — Automation Logic for the Enterprise SOC
Wiz’s native AI assistant (integrated into the platform since mid-2024) allows natural language queries against the Security Graph. But the deeper value for a mature SOC lies in using the Wiz API as a data source for custom LLM-powered workflows.
The architecture pattern: Wiz API → LLM pre-processing → SOAR action. The LLM’s job is not to make security decisions. Its job is to translate structured Wiz JSON findings into human-readable incident narratives, enriched with MITRE mappings and remediation runbooks — eliminating the cognitive overhead of L2 analysts decoding raw graph data at 3am.
Key automation patterns being adopted by Tier 3 SOC teams in 2026:
- Automated Root Cause Narratives: LLM ingests the Wiz finding JSON + associated CloudTrail events and generates a 200-word plain-English incident narrative for the Jira ticket body — same as the Python pipeline above, but with free-form analysis.
- Terraform Remediation Generation: For CSPM configuration findings (e.g., overly permissive S3 bucket policy), an LLM generates the corrected Terraform/CloudFormation snippet, which engineers can apply after review — reducing remediation time from hours to minutes.
- Threat Hunt Query Generation: Given a Wiz attack path finding, an LLM generates the corresponding KQL/SPL hunting query (like the one in Code Block 1) — allowing analysts to verify exploitation status without writing detection logic from scratch.
- AI-SPM Governance: For unmanaged AI models discovered by Wiz AI-SPM, an LLM classifies the risk level based on model type, training data sensitivity, and endpoint exposure, then routes to the appropriate governance team (ML Engineering vs. InfoSec vs. Legal).
CTI Integration: MISP Ingestion & IoC Pivoting with Wiz
A critical capability gap in most Wiz deployments is the absence of a threat intelligence feedback loop. Wiz identifies the attack surface. But if you’re not enriching those findings with live IoC (Indicators of Compromise) data, you’re operating blind to active threat actor infrastructure targeting your specific industry vertical.

MISP → Wiz IoC Pivoting Workflow
Step 1 — MISP Ingestion: Configure your MISP instance to ingest STIX 2.1 bundles from TAXII 2.1 feeds relevant to your sector. For financial services: FS-ISAC. For healthcare: H-ISAC. For technology: CISA AIS. Enable automatic galaxy cluster tagging to map threat actor TTPs to MITRE ATT&CK framework.
Step 2 — IoC Export: Use the MISP Automation API to export high-confidence IoCs (threat level = high, at least 3 correlations, NOT expired) on a 4-hour cycle. Filter for IoC types relevant to cloud attacks: IPv4 addresses, domain names, file hashes (SHA256 of known malware droppers), and URL patterns (C2 beacon callbacks).
Step 3 — Wiz Asset Pivot: Query the Wiz API’s Security Graph for all internet-exposed assets. Cross-reference against the MISP IoC export. If a known-malicious IP address matches the sourceIPAddress in CloudTrail for a Wiz-flagged internet-exposed resource, you have a confirmed active attack chain — not a theoretical posture risk.
Step 4 — Automated Response: For high-confidence IoC matches: automatically add the malicious IP to an AWS WAF IP block list or an Azure Front Door custom rule, push a P1 Jira ticket (using the Python pipeline above), and notify the threat intel team via Slack with the MISP event ID and the Wiz finding ID for cross-referencing.
Step 5 — TTP-Based Threat Hunting: Use MISP galaxy clusters to extract known TTPs for threat actors targeting your sector. Map those TTPs to Wiz attack path finding types. For example: if MITRE G0016 (APT29) commonly uses T1078.004 (Cloud Accounts), query Wiz for all resources with open attack paths involving cross-account role assumptions — proactively hunting rather than waiting for an alert.
Enterprise vs. Open-Source Tooling Comparison
The Wiz cloud security ecosystem does not exist in isolation. Understanding where Wiz integrates, competes, and is complemented by other tools is essential for building a defensible cloud security architecture.
Primary Enterprise CNAPP Comparison
| Feature | Wiz Security | Palo Alto Prisma Cloud | Microsoft Defender for Cloud | Orca Security |
|---|---|---|---|---|
| Architecture | 100% Agentless-Native (SideScanning™) | Hybrid (Agentless + Defenders) | Native (Azure) / Hybrid (AWS/GCP) | Agentless (SideScanning-style) |
| Deployment Speed | Minutes (API connection) | Weeks/Months (Agent rollout) | Instant (Azure) / Slow (Multi-cloud) | Minutes |
| Security Graph | ✅ Best-in-class property graph | ⚠️ Limited (module-based) | ⚠️ Attack path analysis (Azure-strong) | ✅ Comparable “Orca Brain” |
| Runtime Protection | ⚠️ New Runtime Sensor (eBPF) | ✅ Best-in-class (Active Blocking) | ✅ Good (Defender Plans) | ⚠️ Limited |
| DSPM | ✅ Native | ⚠️ Limited | ⚠️ Defender for Storage only | ✅ Native |
| AI-SPM | ✅ Native (2024) | ❌ Not available | ⚠️ Limited (Azure AI only) | ❌ Not available |
| Pricing Model | Per Workload (Predictable) | Credit-Based (Complex) | Consumption/License (Variable) | Per Workload |
| Post-Acquisition Owner | Google Cloud (2026) | Palo Alto Networks | Microsoft | Independent |
Open-Source Alternatives for Budget-Constrained Environments
| Tool | Function | Wiz Equivalent | Limitation vs. Wiz |
|---|---|---|---|
| Prowler | AWS/Azure/GCP CSPM | Wiz CSPM | No Security Graph / no attack path analysis |
| ScoutSuite | Cloud posture audit | Wiz CSPM | Point-in-time scans only, no continuous monitoring |
| Trivy | Container/IaC vuln scanning | Wiz KSPM + Container scanning | No cloud context — sees CVEs, not exploitability |
| Falco | Kubernetes runtime detection | Wiz Runtime Sensor | Agent required; no posture/config management |
| Checkov | IaC static analysis (Terraform/CF) | Wiz IaC scanning (CLI) | Pre-deploy only; no runtime cloud state awareness |
📐 Architect’s Verdict: For organizations with <500 cloud workloads and limited budget, a stack of Prowler + Trivy + Falco + Checkov approximates ~60% of Wiz’s core CSPM/KSPM value at near-zero cost. The irreplaceable 40% is the Security Graph’s contextual prioritization — there is no open-source equivalent that crosses the asset-identity-network-data boundary in a single queryable model.
Implementation Guide & Pricing
Deploying wiz security is fast, but configuring it for operational success requires strategy. Here is the production-tested deployment sequence used by enterprise organizations.
Step 1 — The Golden Root Connection
Connect your root management account (AWS Organizations root / Azure Management Group / GCP Organization). Do not connect individual accounts one by one. This ensures that when a developer spins up a new subscription, Wiz automatically discovers and protects it without human intervention.
Step 2 — Identity Provider Integration
Connect Wiz to your SSO (Okta, Azure AD / Entra ID). This allows Wiz to map human identities to cloud permissions, enabling the platform to flag lateral movement risks. Example: a developer account in the Dev OU that has inherited Admin permissions in Production via a misconfigured role boundary.
Step 3 — Operationalize Alerts (The Critical Step)
A common mistake is treating Wiz like a dashboard you review weekly. The value is in integrations:
- Ticketing: Hook Wiz into Jira or ServiceNow. Route CRITICAL/HIGH findings to P1/P2 tickets automatically.
- Channel Routing: Send Container/KSPM alerts to the DevOps Slack channel. Send Infrastructure alerts to the SysAdmin channel. Send Identity alerts to the IAM team.
- Wiz CLI / IaC Shift-Left: Enforce
wiz iac scanas a mandatory CI/CD pipeline stage. Block deployments if any CRITICAL IaC findings are detected. This prevents Wiz from being a reactive tool — it becomes a prevention control in the development workflow.
Common Configuration Mistakes
- Ignoring Ephemeral Resources: Not filtering out short-lived test environments skews your risk score. Use Wiz “Projects” to segregate Prod vs. Dev environments and apply different SLA policies.
- Over-Alerting at Launch: Turning on notifications for Low and Medium severity issues immediately creates alert fatigue. Start with Critical only for the first 30 days. Add High in week five. Add Medium after you’ve established baseline remediation cadence.
- Ignoring Service Accounts: Human users are easy to focus on. Wiz consistently reveals that machine identities (Jenkins service accounts, Terraform Cloud runners, CI/CD OIDC tokens) have accumulated excessive permissions over time. These are the highest-value targets for privilege escalation attacks.
- Not Connecting the SIEM: Wiz findings without SIEM correlation (see KQL block above) leave a detection gap. A Wiz finding represents a posture risk. Only SIEM correlation tells you if the risk is being actively exploited.
Pricing Model
Wiz uses a Billable Workload model. You are charged based on the number of compute assets secured — VMs, serverless function instances, and container hosts.
| Pricing Factor | Details |
|---|---|
| Billing Unit | Per active/billable workload (running instance) |
| Billing Frequency | Monthly, based on peak workload count |
| Key Pro | Predictable — you know your workload count |
| Key Risk | Idle/stopped instances still scanned and billed — clean up orphaned resources |
| vs. Prisma Cloud | Wiz is simpler; Prisma uses credit-based model (different asset types burn credits at different rates — difficult to forecast) |
Deep-Tech FAQ — Long-Tail Technical Queries
Q1: Can Wiz security actively block attacks in 2026?
Historically, no — Wiz was purely passive agentless scanning. The Runtime Sensor introduced in 2024 (eBPF-based, ~1% CPU overhead) now provides real-time threat detection and can integrate with SOAR platforms to trigger automated response actions. However, active kernel-level blocking comparable to a traditional HIPS (e.g., Prisma Cloud’s Defender agent or a CrowdStrike Falcon prevention policy) is not Wiz’s primary design goal. Its core strength remains eliminating the attack surface before exploitation — not killing processes after they execute.
Q2: Does Wiz replace my EDR (CrowdStrike/SentinelOne)?
No — and understanding why matters for your security architecture. Wiz creates the “Shield”: it hardens the cloud environment by eliminating misconfigurations, exposed secrets, and toxic risk combinations before attackers can exploit them. CrowdStrike/SentinelOne creates the “Spear”: they detect and kill active malware execution on the endpoint. These are orthogonal controls. Critically, Wiz integrates with EDR platforms to display which VMs are missing EDR coverage — closing the agent deployment gap that silently grows in large cloud estates.
Q3: How does Wiz handle scan frequency for fast-moving cloud environments?
Cloud configuration events (CloudTrail/Activity Log) are detected in near-real-time because Wiz streams API events. Deep file-system scans (detecting embedded malware, secrets in config files) rely on the snapshot cycle — defaulting to every 24 hours. For high-velocity environments (10+ deployments/day), deploy the Runtime Sensor to close the detection window for filesystem changes between snapshot cycles. The Wiz CLI IaC scan in your CI/CD pipeline adds a third detection layer at pre-deployment time.
Q4: How does the Google acquisition affect data residency and compliance?
Google has committed to maintaining Wiz’s data processing architecture, which performs snapshot analysis within the same cloud region as the source workload. No cross-cloud data transfer to GCP infrastructure is required for Wiz to function on AWS or Azure deployments. For organizations with strict data residency requirements (GDPR Article 44+, FedRAMP), verify this commitment is documented in your updated Wiz Data Processing Agreement post-acquisition. Review any DPA amendments issued by Wiz in Q2 2026.
Q5: What is the difference between Wiz CSPM and Wiz CNAPP?
CSPM (Cloud Security Posture Management) is a specific function — it evaluates cloud configurations against security benchmarks. CNAPP (Cloud-Native Application Protection Platform) is the umbrella architecture that consolidates CSPM, CWPP (Cloud Workload Protection), CIEM (Cloud Identity & Entitlement Management), DSPM, and container/Kubernetes security into a single platform with a shared data model. Wiz is a CNAPP — CSPM is one of its six integrated capabilities, not a synonym for the entire platform.
Q6: How does Wiz detect secrets in cloud workloads?
During the SideScanning™ process, the ephemeral runner mounts the snapshot and executes a secrets scanner (similar to TruffleHog/Gitleaks logic) against the file system. It searches common paths (/etc/, /home/, application config directories, Docker layer manifests) and environment variable exports for high-entropy strings matching known secret patterns: AWS Access Key IDs (AKIA[0-9A-Z]{16}), private key headers, database connection strings with embedded passwords, and OAuth tokens. Detected secrets are cross-referenced against active credential status via the cloud provider’s IAM API — flagging only secrets that are still valid and have associated permissions.
Q7: Can Wiz protect on-premise environments?
Wiz is cloud-native by design. It has connectors for on-premise Kubernetes (Red Hat OpenShift) and VMware vSphere environments, but its full Security Graph context — linking network exposure, cloud identity, and data sensitivity — only activates in public cloud environments (AWS, Azure, GCP, OCI). If your estate is 90%+ on-premises, evaluate Tenable.sc, Rapid7 InsightVM, or Qualys CSAM before committing to a Wiz deployment. For hybrid estates (>40% cloud), Wiz delivers strong ROI even if on-prem coverage is partial.
The rise of wiz cloud security represents a paradigm shift from “securing the server” to “securing the cloud fabric.” By removing the agent, Wiz removed the friction that traditionally made security the enemy of DevOps. By building the Security Graph, it removed the noise that made cloud security the enemy of operations teams drowning in CVE lists.
Google’s $32 billion acquisition in March 2026 is not a warning sign — it is a validation signal. The world’s largest cloud-adjacent organization bought the best cloud security graph on the market because cloud security is no longer a compliance checkbox. It is infrastructure.
For the L2/L3 analyst and cloud security architect, the operational playbook is clear:
- Deploy Wiz at the organization root level, not account by account.
- Operationalize findings into your SIEM with the KQL and Sigma rules in this guide.
- Enrich Wiz findings with MISP IoC data to separate theoretical attack paths from active campaigns.
- Automate the Wiz-to-Jira escalation pipeline to enforce SLA accountability.
- Deploy the Runtime Sensor on production workloads to close the 24-hour snapshot detection gap.
If you haven’t validated your actual attack surface yet, the fastest ROI in cloud security remains a Wiz Proof of Concept. Because Wiz is agentless, you can connect it to a non-production account in under 15 minutes and see your real Toxic Combinations — including exposed secrets, internet-accessible databases, and over-permissive IAM roles — before the end of the working day. That visibility, powered by wiz security, is the foundation of every defensible cloud architecture in 2026.
Discover more from Solide Info | The Engineer’s Authority on Cyber Defense
Subscribe to get the latest posts sent to your email.



