It’s a security-as-a-service platform that monitors whatever clouds or systems you plug into it for security vulnerabilities, but is built specifically for public cloud service providers and their workloads. I quite liked the product, as it would notify my team of erroneous configurations, outdated AMIs, exposed ports, vulnerable workloads, and whatever custom policies we set up (e.g., SSH open between VPCs in AWS, rather than via a Jumpbox).
I loved the product when I used it (huge improvement over Nessus), and am immensely disappointed Google owns it as it means I’ll have to find something else going forward. This is the sort of acquisition a regulator should block, because Wiz really is best-in-class at what they do for every cloud they support, and customers benefit more from it being agnostic.
It is a very legitimate tool. It identifies misconfigurations and vulnerabilities in cloud deployments. Anything from a container with a known-vulnerable package in the manifest to a workload with improper firewall rules.
I understand those (I haven’t used them) to primarily be about software composition analysis. Wiz does that, but they are mainly known for Cloud Security Posture Management (the “you have an exposed S3 bucket”, “you have a workload with no inbound firewall”, etc.) and integrating things like SCA to increase alert fidelity (do you care as much that a workload has an inbound ACL allowing MongoDB connections from the Internet if the workload isn’t running MongoDB?).
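The correlation this comment describes (an Internet-open rule matters far more when the workload is actually listening on that port), as an added example that is not from the thread or from Wiz; the workload names, rules and ports are constructed sample data:

```python
"""Added example, not code from the thread or from Wiz: a toy CSPM-style check
that ranks an Internet-open firewall rule by whether the workload is actually
listening on that port. All workloads, rules and ports are constructed."""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    port: int
    source_cidr: str  # who may connect; "0.0.0.0/0" or "::/0" means anyone

@dataclass(frozen=True)
class Workload:
    name: str
    inbound: tuple              # Rule objects from the security group / ACL
    listening_ports: frozenset  # ports a process is actually bound to

@dataclass(frozen=True)
class Finding:
    workload: str
    port: int
    severity: str  # "HIGH" when exposed and listening, "LOW" when exposed only
    reason: str

def is_internet_open(cidr: str) -> bool:
    """A /0 prefix (IPv4 or IPv6) admits every address, i.e. the Internet."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def assess(w: Workload) -> list:
    """Correlate Internet-open rules with live listeners to rank findings."""
    findings = []
    exposed = {r.port for r in w.inbound if is_internet_open(r.source_cidr)}
    for port in sorted(exposed):
        if port in w.listening_ports:
            findings.append(Finding(w.name, port, "HIGH",
                                    "Internet-reachable and a service is listening"))
        else:
            findings.append(Finding(w.name, port, "LOW",
                                    "Internet-reachable rule but nothing is listening"))
    return findings

# Constructed sample: the same permissive MongoDB rule, different runtime reality.
SAMPLE = [
    Workload("mongo-primary", (Rule(27017, "0.0.0.0/0"), Rule(22, "10.0.0.0/8")),
             frozenset({27017, 22})),
    Workload("web-frontend", (Rule(27017, "0.0.0.0/0"), Rule(443, "::/0")),
             frozenset({443})),
]

if __name__ == "__main__":
    for w in SAMPLE:
        for f in assess(w):
            print(f"{f.workload}: port {f.port} {f.severity} - {f.reason}")
```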
Wiz is closer to the CNAPP field than to the software composition analysis tools you mention; Snyk would fit here for SCA.
Sysdig, Palo Alto's Prisma Cloud, and a few others compete with Wiz's CNAPP offering. Wiz also strays into some SCA and SCA-alike tooling for containers, code, or XDR, with their CDR/XDR products' log ingest and agents available for response/quarantine.
Basically, give it read access to your cloud account, and it will scan all of the resources to identify potential misconfigurations. Identifying CVEs in software is one thing, but identifying incorrectly configured resources that would otherwise be secure can dramatically reduce the risk surface.
A lot of cloud providers already have little hints like "hey - did you mean to create this account in God mode?" or "It is recommended not to create this god mode JSON key file" - Wiz is taking this to the next level of detail.
Would also be interested in this. I don't know anyone who uses Wiz. Google says they had 350 million in revenue last year, aiming for 1 billion this year. So 100x revenue TTM. Crazy stuff.
That's because A) big companies that use it don't really like bragging about their security tooling, lest it be used to better profile their infrastructure by attackers, and B) it's basically enterprise-only and insanely expensive.
Source: worked for a large enterprise company that used it, and I loved it. Phenomenal tool, will be a shame to see it die (or at least its non-GCP aspects wither and die) under Alphabet's ownership.
They were the ones to first report on DeepSeek's recent data leak, and they've found a few others.
One exploit I remember Wiz finding was "ChaosDB". A flaw in Microsoft's Cosmos DB allowed anyone to use the default-enabled Jupyter Notebook to basically dump and modify anyone's databases, without authentication. Full admin access.
My last company used it to complement other cloud security scanning products. It’s probably a bit of an understatement to call it a scanning tool. It was easy to integrate with our other systems so we could assign vulns to different teams.