Wiz Expert Agent

Product Overview

Wiz's differentiator: Agentless deployment. Connect a cloud account once (read-only API/role), and Wiz has full visibility within hours. No agents, no performance impact, no deployment complexity.

Agentless Architecture

How Agentless Scanning Works

For virtual machines (EC2, Azure VMs, GCP instances):

1. Wiz creates read-only snapshots of VM disks during off-hours
2. Snapshots are analyzed in Wiz's own cloud environment (not on customer VMs)
3. Analysis extracts: installed packages, OS version, vulnerabilities (CVE matching), secrets, malware indicators, sensitive data samples
4. Snapshot deleted after analysis (15-30 minute analysis window)
5. Zero impact on running workloads

For cloud resources (S3, IAM, security groups, databases, etc.):

1. Wiz reads resource configurations via cloud provider APIs (AWS describe calls, Azure ARM API, GCP Resource Manager)
2. No data plane access -- only control plane metadata
3. Evaluates configurations against CSPM policies

For containers/Kubernetes:

1. Reads Kubernetes API (pod specs, RBAC, namespaces, cluster configuration)
2. Pulls container images from registries for layer analysis
3. Snapshot-based scanning of running container filesystem (when co-located with target)

Cloud Connector Deployment

AWS:

CloudFormation template deploys:
  - IAM Role: WizAccessRole
    - SecurityAudit (AWS managed policy)
    - ReadOnlyAccess (AWS managed policy)
    - Wiz-specific custom policy for snapshot operations
  - Trust relationship: Wiz AWS account can assume WizAccessRole
    (cross-account role assumption)
  
Required permissions include:
  - ec2:CreateSnapshot, ec2:DeleteSnapshot (for VM scanning)
  - s3:GetObject, s3:ListBucket (for data scanning)
  - sts:AssumeRole (for cross-account)
  - iam:Get*, iam:List* (for CIEM)

Azure:

Service Principal created with:
  - Reader role (Management Group level for broad coverage)
  - Storage Blob Data Reader (for storage scanning)
  - Key Vault Reader (for secrets detection)
  
Wiz app registered in Entra ID (Azure AD)
API permissions for Microsoft Graph: Directory.Read.All

GCP:

Service Account with roles:
  - roles/viewer (project-level)
  - roles/cloudasset.viewer (Cloud Asset Inventory)
  - roles/storage.objectViewer (Cloud Storage scanning)
  - roles/iam.securityReviewer (IAM analysis)

Kubernetes (In-Cluster or API-Only):

• API-only mode: Reads K8s API from outside cluster (no agent needed)
• In-cluster connector: Optional pod for richer runtime data
• Required permissions: cluster-reader ClusterRole or equivalent

Security Graph

The Security Graph is Wiz's core data model -- a property graph that maps relationships between cloud resources, vulnerabilities, misconfigurations, identities, network paths, and data.

Graph Node Types

Graph Relationships (Edges)

The power of the Security Graph is relationships:

• "VM A has vulnerability CVE-2023-44487 (HTTP/2 Rapid Reset)"
• "VM A is exposed to internet via security group rule 0.0.0.0/0"
• "VM A has permission to read S3 bucket with PII data"
• "S3 bucket contains sensitive data (PII detected)"

Combined: VM A is internet-exposed + vulnerable + has access to PII = toxic combination

WQL (Wiz Query Language)

WQL is a graph query language for searching the Security Graph.

Example queries:

# Find internet-exposed VMs with critical vulnerabilities
SELECT * FROM Cloud_VM
WHERE (
  configuration.status IN ("running")
  AND vulnerabilities.criticalCount > 0
  AND networkExposure.isExposedToInternet = true
)

# Find overprivileged service accounts with admin permissions
SELECT * FROM Cloud_Identity
WHERE (
  identityType = "ServiceAccount"
  AND effectivePrivileges.isAdmin = true
  AND lastActivityDate < now() - 90d  # Unused admin
)

# Find secrets in VM disks
SELECT * FROM Cloud_VM
WHERE secrets.count > 0

# Find S3 buckets with public access AND sensitive data
SELECT * FROM Cloud_Storage
WHERE (
  configuration.isPublic = true
  AND dataFindings.hasSensitiveData = true
)

# Toxic combination: external exposure + critical vuln + access to sensitive data
SELECT * FROM Cloud_VM
WHERE (
  networkExposure.isExposedToInternet = true
  AND vulnerabilities.criticalCount > 0
  AND accessToSensitiveData = true
)

Toxic Combinations

Toxic combinations are multi-factor risk chains where individual issues are low priority alone, but their intersection creates critical risk.

Classic toxic combination:

1. Internet-facing exposure (security group open to 0.0.0.0/0)
2. • Running as privileged user or with admin IAM role
3. • Has unpatched critical vulnerability (remotely exploitable)
4. • Has access to sensitive data store (S3 bucket with PII)

Any one of these alone = medium risk. All four together = critical immediate action.

Wiz surfaces toxic combinations automatically:

• Pre-built toxic combination rules covering common attack scenarios
• Custom toxic combos via WQL
• "Issue" type: "Publicly Exposed Workload with Critical Vulnerability and Sensitive Data Access"

Attack path analysis:

• Shows step-by-step: "Attacker exploits CVE-2023-XXXX on host A, pivots to host B via lateral movement path C, accesses S3 bucket D containing PII"
• Identifies "chokepoints" -- single remediations that break the entire attack path
• Prioritize chokepoints over individual findings

CSPM (Cloud Security Posture)

Compliance Frameworks

Wiz includes 1,000+ built-in policies mapped to:

• CIS Benchmarks (AWS, Azure, GCP, Kubernetes)
• NIST 800-53, NIST CSF
• PCI DSS v3.2.1 / v4.0
• SOC 2 Type II
• HIPAA
• ISO 27001
• CSA CCM (Cloud Controls Matrix)
• GDPR
• Custom compliance frameworks (Policy Builder)

Key CSPM Findings Categories

Custom Policies

Build custom CSPM rules using Wiz Policy Builder:

• Define resource type, attribute conditions, severity
• Map to compliance framework
• Example: "All EC2 instances must have backup tag AND belong to a backup plan"

CIEM (Cloud Identity & Entitlement)

Wiz CIEM analyzes all cloud identities and their effective permissions.

Key CIEM capabilities:

• Effective permissions: What can this identity actually do? (resolves policy inheritance, SCPs, permission boundaries)
• Unused permissions: Identity has permissions it hasn't used in 90 days
• Lateral movement paths: Identity A can assume Identity B which can do X
• Shadow admins: Identity that can grant themselves or others admin-level access
• Privilege escalation paths: Chain of permissions leading to privilege escalation

CIEM findings examples:

• "Lambda function role has s3:* but only needs s3:GetObject"
• "EC2 instance profile can call iam:CreatePolicyVersion -- privilege escalation risk"
• "User deploy-user has not logged in for 180 days but retains AdministratorAccess"
• "Cross-account role trust allows any principal in account X to assume admin role"

DSPM (Data Security Posture)

Wiz DSPM discovers sensitive data across cloud storage resources.

Supported data stores:

• AWS: S3, RDS, DynamoDB, Redshift, EFS
• Azure: Blob Storage, Azure SQL, Cosmos DB, Azure Files
• GCP: Cloud Storage, BigQuery, Cloud SQL

Data classification categories:

• PII (names, addresses, SSN, email addresses)
• PCI (credit card numbers, CVV, PAN)
• PHI (health records, medical identifiers)
• Credentials (API keys, passwords, tokens in data)
• Custom (regex-based classification rules)

DSPM workflow:

1. Enable DSPM on cloud connector
2. Wiz samples data from storage resources (non-invasive sampling)
3. Classifies sensitive data found
4. Cross-references with posture: "This S3 bucket with PII is publicly accessible"
5. Generates data risk findings and toxic combinations

Wiz Defend (Runtime Security)

Wiz Defend is an optional runtime sensor providing real-time threat detection.

Wiz Defend capabilities:

• Runtime threat detection (process execution, network connections, file access)
• eBPF-based sensor (minimal overhead, no kernel module required)
• Cloud Detection and Response (CDR) -- SIEM-like correlation in Wiz UI
• Drift detection: New processes running in containers not in original image
• File integrity monitoring (FIM)

Deployment:

• DaemonSet for Kubernetes (deployed via Helm)
• VM agent for EC2/Azure VM/GCE (optional -- agentless remains primary for vulns)
• Serverless sensor for Lambda/Functions (lightweight layer)

When to use Wiz Defend vs. agentless only:

• Agentless: Best for posture management, vuln scanning, CSPM
• Wiz Defend: Required for real-time threat detection, runtime anomaly detection, incident response

Integration Ecosystem

Ticketing / ITSM:

• Jira: Auto-create issues from Wiz findings
• ServiceNow: VR integration, CMDB sync
• Linear, Monday.com, Azure DevOps

SIEM / SOAR:

• Splunk: Wiz findings and CDR alerts stream to Splunk
• Microsoft Sentinel: Wiz data connector
• Sumo Logic, Datadog, Google Chronicle

Notification:

• Slack, Microsoft Teams, PagerDuty, email webhooks
• SNS / Event Bridge (AWS) for event-driven workflows

CI/CD (Wiz Code):

• GitHub, GitLab, Azure DevOps: PR scanning
• Shift-left IaC and secrets scanning in code
• Wiz CLI for local developer scanning