WIZ Cloud Infrastructure Security Platform

My experience with Wiz  varies on a case-by-case basis because I don't work on it daily; I engage with it when we need to research something that isn't fully implemented in the organization. Some elements are implemented, but they were done on a POC basis. I have hands-on experience where I've explored the environment extensively, checked vulnerabilities, and shared different findings with team members. So while I've worked with all that, I wouldn't classify it as part of my everyday BAU work, but I've been introduced to it in the last one or two years, max.

We have multiple subscriptions linked to Wiz , and we monitor various aspects including cloud security posture management findings. Compliance is another area we've focused on, where we've created our own compliance framework within Wiz. One feature I particularly appreciate about Wiz is that, similar to other cloud-native security tools like Microsoft's Defender for Cloud, it allows you to define policies as code and deploy them through a version control system with a continuous deployment pipeline. This functionality is also present in Wiz, where their Terraform  provider enables complete documentation on controlling aspects directly in the Wiz environment. The major things we've worked on include deploying policies based on CSPM findings detected in Wiz, setting up our own framework and rules within those categories, and we've also worked with inventory management, as Wiz provides an AI-driven inventory that gives visibility into all cloud deployments. Wiz also helps manage vulnerabilities in various environments, such as Kubernetes  clusters or Azure  container apps.

In different organizational contexts, whether product-based or service-based, the customization of dashboards is highly beneficial. For instance, if I'm a startup or a large company using Wiz for multiple applications, custom dashboards allow me to categorize data from various feeds. Dashboarding becomes effective after managing categorization; I can define a project and add relevant resources or subscriptions under that project. Moving forward in the dashboarding section, I can set up custom widgets to view high-severity CSPM findings or risks, thus visualizing data based on specific filters and categories.

One feature I appreciate about Wiz is the graph controls, which allow for the correlation of multiple findings. For example, if a virtual machine has a critical CVE and is exposed to the internet, this links multiple vulnerabilities such as initial access types. Wiz attempts to categorize these different types of findings, such as CWPP  and CSPM, and offers customization through graph controls where we can create our own contextual risk assessments in the cloud environment. Additionally, Wiz allows you to deploy aspects in the tool similarly to the GitHub  model, which I appreciate. Its UI is also very smooth and categorized, making it easy to navigate and search through resources efficiently. You can create custom reports and dashboards in your own way, which are some of the major aspects I value in Wiz.

There is definitely room for improvement with Wiz. Given the scope of CNAP technology, which covers the entire SDLC from deployment to monitoring and APIs, it would be beneficial to enhance data integration capabilities. Wiz could partner with leaders in the market, such as Checkmarx, for example; while it currently supports Checkmarx in preview, there still needs to be significant enhancement in contextually mapping risks from pre-deployment scans, such as SAS, SCA , and DAST scanning results. Including these results would elevate contextual risk assessments to a higher level.

Wiz does encounter some glitches similar to other tools in the market. I remember facing certain challenges, such as problems scanning encrypted disks or discrepancies in the findings from already remediated vulnerabilities not reflecting accurately in the tool. These issues are not indicative of an overarching systemic failure but are worth noting as areas that could be improved upon.

Currently, Wiz doesn't consolidate tools effectively. Though it is starting to move in that direction with Checkmarx integration in preview, it lacks the maturity to fully replace other mature open-source tools. Wiz does offer some capability in SCA  via CLI, but it falls short compared to its market counterparts and would benefit from further development in tool consolidation and correlation.

I started using Wiz around two years ago.

During the POC, there were indeed a lot of alerts generated by Wiz. It's important to note that alerts vary in type; there are different classifications for vulnerability alerts, CSPM alerts, and contextual risk alerts. Each category has its own significance, meaning that while there may be a high volume of alerts, they can be beneficial and informative based on the context.

Wiz does encounter some glitches similar to other tools in the market. I remember facing certain challenges, such as problems scanning encrypted disks or discrepancies in the findings from already remediated vulnerabilities not reflecting accurately in the tool. These issues are not indicative of an overarching systemic failure but are worth noting as areas that could be improved upon.

I rate Wiz's scalability a perfect 10 out of 10. During our POC, we successfully linked many subscriptions and could manage them effectively without encountering any scalability issues.

I would rate the vendor's technical support as a nine out of ten. They respond swiftly and provide support when needed; for instance, when we experienced some initial trouble figuring out how to configure CCRs and validate results, the vendor was readily available to assist us over calls, clarifying both technical aspects and theoretical insights.

I didn't handle the initial installation of Wiz directly; that task fell to the operations team responsible for deploying security tools. However, from what I gather, integrating Wiz into the environment is not complex. It primarily requires the creation of a service account with sufficient permissions for Wiz to access necessary resources, making the overall integration process straightforward. Challenges might arise from organizational dynamics when persuading stakeholders, but technically, the setup doesn't appear to be cumbersome.

Many people participated in the POC phase with Wiz, involving different teams such as the operational team for deployment and others handling various security dimensions. Many teams contributed during the POC phase., focusing primarily on the security specialists without including end users.

I would have appreciated providing a more specific return on investment metric for Wiz, but since my experience with it is based on a POC without full implementation, I cannot precisely track its impact on time or resource savings. It hasn't been operationalized fully yet in our organization.

My understanding of Wiz's pricing suggests it's not cheap. While I may not have direct involvement in pricing discussions due to different teams managing purchasing decisions, feedback indicates that Wiz is among the most expensive tools available. Though there's likely room for adjustment in pricing, it should be noted that, compared to tools such as Microsoft Defender for Cloud , which scales according to subscriptions, Wiz's pricing can be significantly higher when supporting multiple products within larger organizations.

Wiz was implemented as a POC, and while there were many subscriptions linked, I can share examples of its usage. For instance, when Log4j vulnerabilities emerged several years ago, we managed to quickly create a report through the Wiz dashboard, enabling us to identify all workloads impacted by a critical CVE. With resource tagging for ownership, this helped us reach out to the relevant individuals responsible. Although Wiz offers an option for service integrations such as Jira  for issue creation if implemented fully, our approach was manual report generation, where we exported findings and alerted personnel to maintain a zero-issues status.

I would rate this review a 9 out of 10 overall.