Skip to content
Home IaC Security Tools Wiz
Wiz

Wiz

Category: IaC Security
License: Commercial
Visit Website →
Suphi Cankurt
Suphi Cankurt
AppSec Enthusiast
Updated February 13, 2026
6 min read
Key Takeaways
  • Agentless CNAPP used by 50%+ of Fortune 100 companies. Google announced a $32B acquisition of Wiz in March 2025; the deal is expected to close in the first half of 2026. Fastest SaaS product to reach $100M and $200M ARR.
  • Security Graph maps resources, identities, vulnerabilities, and network exposure into attack paths — prioritizes toxic risk combinations over flat vulnerability lists.
  • Covers AWS, Azure, GCP, OCI, Alibaba Cloud, VMware vSphere, and Kubernetes. Full risk profile available within 24 hours of connecting cloud accounts.
  • Three modules: Wiz Code (CI/CD scanning with 1-click fix PRs), Wiz Cloud (agentless CSPM/CWPP/CIEM/DSPM), Wiz Defend (eBPF runtime protection).

Wiz is an IaC security and CNAPP platform that scans cloud environments without installing agents. The platform connects to AWS, Azure, GCP, OCI, and Alibaba Cloud via API and maps relationships between resources, identities, and vulnerabilities through what it calls the Security Graph.

Wiz forensics analysis showing cloud threat investigation with attack path context

More than 50% of Fortune 100 companies use Wiz, including Morgan Stanley, Salesforce, BMW, Siemens, Snowflake, and Slack. The company was the fastest SaaS product to reach $100M and $200M ARR.

Google announced a $32B acquisition of Wiz in March 2025; the deal is pending regulatory approval and expected to close in the first half of 2026.

The platform integrates with 200+ security tools through the Wiz Integration Network (WIN).

What is Wiz?

Wiz connects to cloud provider APIs and scans every layer of infrastructure without agents. It covers virtual machines, containers, serverless functions, storage, databases, identity systems, and networking.

A full risk profile is available within 24 hours of connecting your cloud accounts.

The platform has three main modules. Wiz Code scans repositories, CI/CD pipelines, container registries, and images. It generates 1-click fix PRs when it finds issues. Wiz Cloud handles agentless posture management: CSPM, CWPP, CIEM, vulnerability scanning, and IaC checks. Wiz Defend adds eBPF-based runtime protection and threat detection for workloads that need real-time monitoring.

Wiz automatically discovers new cloud resources as they’re added. A free 14-day trial is available.

Agentless Scanning
Connects via cloud provider APIs. No agents to install, no performance impact on workloads. Covers VMs, containers, serverless, PaaS, storage, and networking.
Security Graph
Maps relationships between cloud resources, identities, vulnerabilities, and network exposure. Traces connections from source code through CI/CD to production infrastructure.
Attack Path Analysis
Identifies toxic combinations where multiple issues create exploitable paths. A misconfigured VM + critical CVE + excessive IAM permissions = one prioritized alert, not three separate ones.

Key features

ModuleDetails
Wiz CodeCode, CI/CD, registry, and container image scanning with 1-click fix PRs
Wiz CloudAgentless CSPM, CWPP, CIEM, DSPM, vulnerability management, IaC scanning
Wiz DefendeBPF runtime sensor, threat detection, CDR, forensic collection, threat hunting
Security GraphContext-driven risk analysis connecting resources, identities, and vulnerabilities
Attack pathsToxic risk combinations identifying exploitable multi-factor attack paths
AI-SPMAI model inventory, ML pipeline security, training data exposure detection
CompliancePCI-DSS, HIPAA, SOC 2, ISO 27001, GDPR, CIS benchmarks
Integrations200+ tools via WIN (Wiz Integration Network)
Cloud supportAWS, Azure, GCP, OCI, Alibaba Cloud, VMware vSphere, Kubernetes, OpenShift

Agentless cloud scanning

Wiz reads cloud configurations and workload data through provider APIs. No agents, no network taps, no code running inside your environment.

It scans VMs, containers, serverless functions, storage buckets, databases, and networking configurations.

The initial scan completes in minutes. Within 24 hours you have a full risk profile of your cloud estate. New resources get picked up automatically as they’re deployed.

Agentless-first, agents optional

Wiz popularized the agentless-first model for cloud security. Most scanning happens via API.

For workloads that need real-time runtime protection, the optional Wiz Sensor (eBPF-based) adds process-level visibility and blocking without the overhead of traditional agents.

Security Graph

The Security Graph is the core of how Wiz prioritizes risk. It maps every cloud resource, identity, network path, and vulnerability into a single graph.

When the platform finds a CVE in a container image, it checks whether that container is running, whether it’s internet-facing, what identity it runs as, and whether that identity can reach sensitive data.

This is what separates Wiz from scanners that just produce vulnerability lists. A critical CVE on an internal, isolated workload with no network exposure gets a different priority than the same CVE on a public-facing service with admin credentials.

Wiz threat detection showing real-time cloud security alerts with context

Wiz Defend

Wiz Defend is the runtime layer. It uses an eBPF-powered sensor to capture system-level activity on workloads and correlate it with posture data from the Security Graph.

The module covers real-time threat detection, cloud detection and response (CDR), forensic collection for post-incident analysis, and threat hunting workflows. Alerts include full context: which resources are affected, what vulnerabilities exist on them, and what remediation steps to take.

Wiz forensics overview showing incident investigation and cloud-to-code tracing

You don’t need Wiz Defend on every workload. Most organizations deploy the sensor selectively on production systems handling sensitive data or facing the internet. The agentless scanning from Wiz Cloud covers everything else.

Wiz Code

Wiz Code scans source code, CI/CD pipelines, container registries, and container images for security issues. When it finds a vulnerability or misconfiguration, it can generate a fix PR directly in your repository.

The code-to-cloud correlation traces running resources back to the source code and developer who created them. If a misconfigured Terraform module is deployed to production, Wiz shows which repo, which file, and which developer to notify.

Wiz JetBrains IDE plugin showing security findings with 1-click remediation

IDE plugins are available for JetBrains and VS Code. The WizExtend browser extension overlays security context directly onto AWS, Azure, and GCP console pages so you can see risk data while working in your cloud provider’s portal.

WizExtend browser extension showing security overlay on cloud provider console

AI Security Posture Management (AI-SPM)

Wiz extends its scanning to AI workloads. The AI-SPM module inventories AI models, tracks ML pipeline configurations, and detects exposed training data or vulnerable model APIs across your cloud environment.

Compliance

Pre-built frameworks cover PCI-DSS, HIPAA, SOC 2, ISO 27001, GDPR, and CIS benchmarks. The platform monitors configurations against these requirements continuously and flags drift. Compliance dashboards produce audit-ready reports.

Integrations

Wiz integrates with 200+ tools through the Wiz Integration Network (WIN).

SIEM & Analytics
IBM QRadar IBM QRadar
Sumo Logic Sumo Logic
PagerDuty PagerDuty
Torq Torq
Ticketing & Communication
ServiceNow ServiceNow
Jira Jira
Azure DevOps Azure DevOps
Slack Slack
Cloud Providers
AWS AWS
Azure Azure
GCP GCP
OCI OCI
Alibaba Cloud Alibaba Cloud

Getting started

1
Connect cloud accounts — Grant Wiz read-only API access to your AWS, Azure, or GCP environments. No agents to install. Setup takes minutes.
2
Wait for the first scan — Wiz discovers all cloud resources automatically: VMs, containers, serverless, storage, databases, identities, and networking. A full risk profile is ready within 24 hours.
3
Review attack paths — Use the Security Graph to see which findings are actually exploitable. Focus on toxic combinations where misconfigurations, vulnerabilities, and excessive permissions create real attack paths.
4
Deploy Wiz Defend selectively — Add the eBPF sensor to production workloads that need runtime protection. Start with internet-facing services and systems handling sensitive data.

When to use Wiz

Wiz works best for organizations running cloud infrastructure at scale across multiple providers. If you have hundreds of cloud accounts and thousands of workloads, the agentless approach gives you visibility without the operational overhead of deploying and maintaining agents everywhere.

Strengths

No agents to manage. Full cloud visibility within 24 hours.

The Security Graph connects findings across CSPM, CWPP, CIEM, and vulnerability management into prioritized attack paths instead of separate alert streams.

The 200+ integrations via WIN connect to existing SIEM, ticketing, and orchestration workflows.

Limitations

Wiz is a cloud-native platform. If you have significant on-premises infrastructure, you’ll need something else for that. The platform requires cloud provider API access for scanning.

Pricing is based on cloud workloads (compute, data, AI) and requires a sales conversation. Smaller organizations or teams early in cloud adoption may find other IaC security tools more cost-effective.

For a broader view of cloud security platforms, see our cloud infrastructure security guide.

Best for
Enterprise security teams managing multi-cloud environments who want agentless visibility and risk-based prioritization without deploying agents across every workload.

Frequently Asked Questions

What is Wiz?
Wiz is a Cloud Native Application Protection Platform (CNAPP) that scans cloud environments without installing agents. It connects to AWS, Azure, GCP, OCI, and Alibaba Cloud via API and builds a Security Graph that maps relationships between resources, identities, and vulnerabilities. More than 50% of Fortune 100 companies use Wiz.
How does Wiz differ from traditional cloud security tools?
Wiz uses agentless scanning via cloud provider APIs instead of deploying agents on workloads. Rather than producing flat vulnerability lists, the Security Graph connects misconfigurations, identities, vulnerabilities, and network exposure into attack paths so teams can see which issues are actually exploitable in production.
Does Wiz support Kubernetes security?
Yes. Wiz scans Kubernetes clusters, container images, and serverless workloads without agent deployment. It also supports Red Hat OpenShift and VMware vSphere environments. The optional eBPF-based Wiz Sensor adds runtime protection for containers.
What clouds does Wiz support?
Wiz supports AWS, Azure, Google Cloud, Oracle Cloud (OCI), Alibaba Cloud, VMware vSphere, Kubernetes, and Red Hat OpenShift. Multi-cloud coverage is a core part of the platform.
Is there a free trial?
Yes. Wiz offers a 14-day unlimited access trial. The platform connects via API and delivers a risk profile of your cloud environment within 24 hours.
How we review tools Suggest an edit

Other IaC Security Tools

Sysdig Secure
Sysdig Secure

Runtime-first cloud security

Orca Security
Orca Security

Patented SideScanning technology

Checkov
Checkov

1,000+ Policies for Terraform, CloudFormation & K8s

Conftest
Conftest

Policy-as-Code Testing

Falco
Falco

Cloud-native runtime security

KICS
KICS

2,400+ Rego Queries for 22+ IaC Platforms

See all IaC Security tools

Complement with SCA

Pair IaC scanning with dependency analysis for broader coverage.

Syft
Syft

SBOM generation tool

Anchore
Anchore

SBOM-First Container Security Platform

See all SCA tools

Learn More

CSPM vs CNAPP Terraform Security Scanning What is CNAPP? What is IaC Security?

Explore all IaC Security guides and tools