Secure Your Entire Cloud Stack with Wiz CNAPP and CSPM

Wiz has rapidly become a leader in the Cloud-Native Application Protection Platform (CNAPP) market by fundamentally changing how organizations secure their cloud environments. Unlike traditional security tools that rely on cumbersome agents, Wiz utilizes an agentless, snapshot-based approach to provide 100% visibility into cloud infrastructure, including VMs, containers, serverless functions, and databases.

This guide is designed for IT leaders, CISOs, and Cloud Architects looking to understand how Wiz can simplify their security stack. You will learn about the 'Wiz Security Graph'—a unique feature that prioritizes risks by identifying 'toxic combinations' of vulnerabilities, misconfigurations, and identity risks. By the end of this guide, you will have the necessary criteria to determine if Wiz is the right fit to secure your multi-cloud environment and how to plan for a successful deployment.

• Agentless Scanning: Provides full visibility into cloud workloads (disk, OS, applications, and secrets) without the performance overhead or deployment friction of traditional agents.
• Wiz Security Graph: Contextualizes risks by mapping the relationships between vulnerabilities, identities, network exposure, and data to identify 'toxic combinations.'
• Unified CNAPP: Consolidates CSPM (Cloud Security Posture Management), CWPP (Cloud Workload Protection), CIEM (Cloud Infrastructure Entitlement Management), and Vulnerability Management into a single pane of glass.
• Sensitive Data Discovery: Automatically identifies and classifies sensitive data (PII, PHI) across cloud buckets and databases to prevent data leakage.
• Vulnerability Management: Continuously monitors for CVEs across all layers of the cloud stack, from the OS to third-party libraries.
• Compliance Dashboarding: Maps cloud resources against 100+ industry frameworks (SOC2, HIPAA, PCI-DSS, NIST) with automated evidence collection.
• Runtime Sensor (Optional): While primarily agentless, Wiz offers a lightweight sensor for real-time threat detection and forensic analysis.

• Vulnerability Management at Scale: A global financial services firm uses Wiz to scan 50,000+ VMs daily, identifying critical patches without ever installing an agent on a production server.
• Cloud Compliance Automation: A healthcare technology company uses Wiz to maintain HIPAA and SOC2 compliance, using automated reports to provide evidence to auditors in minutes rather than weeks.
• Eliminating Identity Risks: A retail giant uses Wiz CIEM features to identify 'over-privileged' identities and service accounts that could be exploited to move laterally through their cloud environment.
• Securing the Software Supply Chain: A SaaS provider integrates Wiz into their GitHub Actions pipeline to block any code deployments that contain hardcoded secrets or critical vulnerabilities in third-party libraries.
• Cloud Detection and Response (CDR): A security team uses the Wiz Runtime Sensor to detect active cryptojacking attempts on their Kubernetes clusters and instantly correlate the threat with the underlying vulnerability.

Wiz uses a predictable pricing model based on the scale of your cloud environment:

• Workload-Based Pricing: Pricing is primarily driven by the number of 'Workloads' (VMs, Serverless Functions, Database instances) being protected.
• Tiered Packages: While specific pricing is typically custom-quoted, tiers often vary based on features like advanced data security, IaC scanning, or the inclusion of the runtime sensor.
• Annual Subscription: Standard contracts are typically 1-3 years in duration.
• Main Cost Drivers: The total volume of cloud resources and the specific modules (e.g., Data Security, CDR) selected.
• No Hidden Fees: Unlike some competitors, Wiz generally does not charge for the amount of data scanned or the number of users accessing the platform.

Because Wiz is a SaaS-based, agentless solution, the technical requirements are minimal compared to legacy tools:

• Cloud Access: Requires the ability to create 'Read-Only' IAM roles/service accounts in your cloud environment (AWS, Azure, GCP).
• Browser: Modern web browser (Chrome, Firefox, Safari, Edge) for the management console.
• Network: No inbound network changes are required; Wiz connects to cloud APIs and takes snapshots of volumes for scanning.
• Permissions: For the 'Side-Scanning' technology, Wiz requires permissions to create and mount temporary snapshots of EBS/Managed Disks in a dedicated Wiz-managed or customer-managed account.
• Container Environments: Requires access to Kubernetes APIs (EKS, AKS, GKE) for full cluster visibility.

To successfully adopt Wiz, organizations should prepare for the following:

• Cloud Governance Structure: A clear understanding of cloud account ownership is necessary to route alerts to the correct remediation teams.
• Cross-Functional Collaboration: Strong buy-in from DevOps and Engineering teams is critical, as Wiz is designed to be used by both security and non-security personnel.
• Change Management: Organizations must be prepared to transition from legacy agent-based scanning workflows to a centralized, agentless snapshot-based approach.
• Cloud IAM Permissions: The security team will need the authority to grant Wiz 'Read-Only' access (via IAM roles) across the entire cloud footprint to enable the initial scan.
• Remediation Workflows: Existing ticketing systems (like Jira or ServiceNow) should be ready to receive automated exports from Wiz to ensure findings are acted upon.

Wiz is known for one of the fastest 'time-to-value' metrics in the industry due to its agentless architecture:

• Phase 1: Discovery & Connection (Hours to Day 1): Connecting cloud environments (AWS, Azure, GCP) via IAM roles. Initial scanning begins immediately.
• Phase 2: Initial Visibility (Days 1-3): The Wiz Security Graph populates, identifying the 'toxic combinations' and high-priority risks across the environment.
• Phase 3: Fine-Tuning & Integration (Weeks 1-3): Integrating with CI/CD pipelines, SIEMs (Splunk), and ticketing systems (Jira). Defining custom compliance frameworks.
• Phase 4: Scaling & Democratization (Month 1+): Rolling out access to developer teams, setting up automated remediation rules, and establishing regular reporting cadences.

Wiz provides high-touch support designed for enterprise customers:

• Success Tiers: Offers standard and premium support levels. Premium often includes a dedicated Customer Success Manager (CSM).
• Wiz Academy: An extensive online learning platform with certifications for security engineers and architects.
• Documentation: A comprehensive, searchable knowledge base with step-by-step integration guides.
• Community: Access to a user community for sharing custom queries and best practices.
• Response Times: Enterprise-level SLAs for critical issues, often with 24/7 global coverage for high-priority tickets.
• Professional Services: Available for complex deployments, custom integrations, or strategic security consulting.

Wiz offers extensive integration capabilities designed to fit into modern DevOps toolchains:

• Cloud Providers: Native API integrations for AWS (including GovCloud), Azure, Google Cloud, Oracle Cloud, and Alibaba Cloud.
• Infrastructure as Code (IaC): Scans Terraform, CloudFormation, and ARM templates to find misconfigurations before deployment.
• CI/CD Pipelines: Plugins for GitHub Actions, GitLab, Jenkins, and Azure DevOps.
• Ticketing & SIEM: Pre-built connectors for Jira, ServiceNow, Slack, Splunk, PagerDuty, and Sumo Logic.
• Container Registries: Integration with Docker Hub, Amazon ECR, Azure ACR, and Google GCR to scan images for vulnerabilities.
• API Access: A robust GraphQL API is available for custom data extraction and automation.

Wiz is built with enterprise-grade security to ensure it can be trusted with sensitive cloud data:

• Certifications: SOC 2 Type II, ISO 27001, ISO 27017, ISO 27018, and HIPAA compliant.
• FedRAMP: Wiz is 'FedRAMP Moderate' authorized, making it suitable for US government agencies and highly regulated industries.
• Data Residency: Offers multiple regional hosting options (US, EU, etc.) to comply with local data sovereignty laws.
• Access Control: Supports SAML-based SSO and granular Role-Based Access Control (RBAC).
• Encryption: All data is encrypted at rest and in transit using industry-standard protocols.
• Privacy: Wiz uses a 'side-scanning' approach that reads snapshots of disks rather than live memory, minimizing the impact on production systems.