Dazz Unified Remediation Platform

Our AppSec journey focuses specifically on secret scanning to SCA , and we have been using Wiz Code  IAC lately to perform Terraform  and IAC code scannings for security posture before deployment to the cloud. Wiz Code  has another feature where we ingest AppSec findings from Semgrep , Snyk , and Gosec.

When developers write microservices with containers, Azure Functions , or any sort of microservice or monolithic applications, they use a default branch focused towards production and feature branches. Approximately 30 to 40% of code comes via AI agentic development. When engineers develop new features, their code is scanned as part of the feature branch using Wiz Code. Wiz Code supports first-party and third-party code scanning along with secrets and IAC, and provides constructive feedback for security hygiene and code posture. Engineers or agents receive this feedback, act upon it, and fix findings before merging to the default branch, which may be main or any release branch we have. Our CD pipeline then kicks in. Wiz Code fits into our Application Security Posture Management and gives us thorough insights.

I prefer Wiz Code specifically because it creates less friction and the intuitive UI helps me significantly. Wiz Code has a rules policy that is not noisy for the engineering team, which is quite important. Less false positives with Wiz Code is the key USP that I love.

The UI is everything in the AppSec world and dashboards. If results are not constructively presented and showcased with prioritizations and metrics, they will be misguided. Wiz Code helps us show results in the best way, and this has been consumed by the engineering team with good prioritization metrics. Wiz Code has a UI dashboard and performance metrics that help us triage vulnerabilities quicker.

People are writing secure code with good visibility about how the code is performing and the posture is becoming visible. Wiz Code has helped us have better visibility across our source code and gives us thorough insights.

Wiz Code could be better in secret scanning where no push protections are enabled at the GitHub  or GitLab  level to prevent pushing secrets on GitHub  itself. There appear to be limitations in terms of Wiz Code as an external party to SCM source code management systems, which makes this somewhat problematic. Otherwise, it still seems to be good.

I have been using Wiz Code for around 15 months.

Approximately 30 to 40% of vulnerabilities are being remediated quicker and easily because Wiz Code has an auto-fixing PR feature available for IAC code, which helps us fix issues quickly. We also use it for containers. Using Wiz  OS, we were able to resolve many vulnerabilities, and Wiz Code scans those and gives assurance that these particular images are not vulnerable anymore. Secure coding practices are improving.

Wiz Code is used to develop our AppSec dashboards. We have our internal CMDB  tied up to Wiz . Wiz Code is used as an inventory to see our application security postures. It is used across our engineering teams, product teams, vulnerability management team, GRC , architecture teams, CISO, head of engineering, head of cybersecurity, and SecEng teams, all of whom use Wiz Code for checking the posture of our applications.

Wiz Code has mature ways of handling AI, which seems to be good. The efficacy seems to be very good. The review rating for this product is 7.

We are using Wiz Code  for cloud security across AWS , Google Cloud  Platform, and Azure . We utilize Wiz Code  for vulnerability scanning and misconfiguration issue detection across all three cloud platforms.

For vulnerability management with Wiz Code, we perform daily checks for vulnerabilities and receive CVEs, which we then provide to appropriate teams for remediation guidance. Regarding misconfigurations, we primarily focus on IAMs. If any extra privileges exist with any users, we work with the team to fix these issues.

Wiz Code is very useful for us because it is agentless, so it does not require attention for storage issues on VMs or Kubernetes . It is very useful and supports cloud environments such as Amazon Web Services , Microsoft Azure , and Google Cloud . We use this for identity management, misconfiguration issues, and CSPM security posture management.

CSPM is a cloud security posture management feature in Wiz Code. We review the percentage metrics in Wiz Code, and when we identify anomalies or vulnerabilities and fix them, we follow the score on Wiz Code.

Previously, we identified over 500,000 vulnerabilities before Wiz Code. After implementing Wiz Code, we identified more vulnerabilities and misconfiguration issues but reduced the score significantly. Now we identify only 200,000 vulnerabilities, which means Wiz Code helped us reduce 300,000 vulnerabilities in our organization.

First of all, Wiz Code has given us more accurate results. When we identify vulnerabilities, we review that vulnerability and CVE, check publicly affected vulnerabilities in our organization, and determine which VMs are affected. We segregate the data based on CVE codes and work with other teams to remediate these vulnerabilities or address OS upgrades and end-of-life issues.

The AI capabilities in Wiz Code are a very good feature. Employees working on this will get more remediations and detailed remediation guidance. If some tools provide a vulnerability list without remediation guidance, Wiz Code reduces the load of searching for remediation information. For governance and security, Wiz Code is very helpful. It scans everything and provides really deep scans, identifying more vulnerabilities than other tools can find. Vulnerability management is my primary focus, and Wiz Code is a very good tool for this.

There are many improvements that could be made to Wiz Code, but I would point out that sometimes it gives false results, though not every time. We know that Wiz Code scans our environment once a day. If it scanned twice a day, that would be more accurate. This is a suggestion from my side.

I have been using Wiz Code for the past two and a half years.

I did not participate in the integration part as my senior handled those tasks, but I heard that the integration was very easy for any organization.

It is very easy to use, especially the dashboards and everything. We have created many dashboards in Wiz Code for our utilization. We use Wiz Code dashboards and queries daily to identify vulnerabilities.

I would say that they are very responsive. When we initiate a case for Wiz Code customer support, they immediately respond and contact us to help reduce that issue and address any possibilities. It is very good.

Previously we used Rapid7, and now we are using Defender. Wiz Code is better than both Defender and Rapid7 and gives more accurate results.

It is very easy to pick up on this new tool, and Wiz Code is very useful and easy to learn and apply in our day-to-day work. We plan to keep Wiz Code for a long time with our subscription through 2030. Wiz Code is a good tool that gives accurate results for our environment and is very useful and user-friendly for employees. Overall, Wiz Code is a very good tool to use in any organization, whether mid-level or high-level. Wiz Code fits any organization. I have given this tool a rating of nine out of ten.

I have been using Wiz Code  for the past one and a half years.

The main use case for Wiz Code  is to write the security guardrails for our environment. For example, I need to write infrastructure guardrails such as S3  buckets must not be public, security groups must not allow 0.0.0.0 on SSH port 22, and RDS  databases must have encryption enabled. These are examples for which we use Wiz Code to write these guardrails.

We also use Wiz Code to write Identity and Access Management  guardrails such as detecting overly permissive permissions. For instance, no IAM  policy should contain action star, and no role should have administrator access unless approved. Cross-account trust relationships must be justified.

Some of the best features Wiz Code offers is code-to-cloud mapping. Most tools will tell us that you have a vulnerable package, but Wiz  tells us this vulnerable package is running in a production workload that is internet-facing and has access to sensitive data. This context dramatically improves the prioritization because I can focus on exploitable risk instead of thousands of theoretical findings. For AWS  environments, this is extremely useful. Wiz Code can scan Terraform , CloudFormation , Kubernetes  manifests, and can catch issues before deployment such as public S3  buckets, unencrypted databases, overly permissive security groups, containers running as root, and hardcoded secrets. This is where I can codify architecture standards into enforceable controls. The ability to define guardrails and fail builds is a major strength.

One of the best features I have been using day to day, which is the lowest effort win, is finding AWS  keys, tokens, passwords, and certificates before they hit GitHub  or production, which prevents many incidents. There is a unique capability in Wiz Code that instead of viewing cloud findings, vulnerability findings, IAM  findings, and code findings in separate tools, Wiz Code correlates them through its security graph, allowing us to trace an issue from code all the way to the business impact. This is where I think Wiz Code is the strongest.

Wiz Code provides a unified developer experience where developers can see findings in IDEs, pull requests in GitHub , and in CI/CD pipelines, which reduces the back-and-forth effort. Wiz Code has impacted the organization positively by providing these features, the ease of work, and all these security graph correlation, unified developer experience, secrets detection, and security policies that block bad deployments. With all these, it has actually helped us prevent a lot of vulnerabilities in the environment, which has had a positive impact on the organization. The incident count has reduced almost 35 to 40 percent with the Wiz Code guardrails that we have been using for a long time now.

First, Wiz Code's areas of improvement can be better architecture-aware analysis. Today, most findings are resource-centric; for example, a security group is public, an IAM  role is over-permissive, or an S3 bucket is exposed. What architects want is for Wiz Code to understand that this design violates the organization's reference architecture and to identify deviations from approved patterns such as hub-and-spoke networking and shared services. It would be beneficial to move from configuration review to architecture review.

Another improvement area is that many organizations struggle to translate security standards into policies, so Wiz Code could generate and validate the policy automatically. That would actually benefit the organization in faster guardrail creation and maintenance. Imagine uploading Terraform  architecture diagrams and design documents and asking Wiz Code to review this architecture against enterprise security standards; the output could include risks, missing controls, compensating controls, and recommended guardrails, bridging architecture governance and automated security. This point needs to be worked on and improved by Wiz Code.

From Wiz Code's AI capabilities, I would say Wiz Code has been investing heavily in AI-driven workflows, security agents, remediation, guidance, and AI-powered investigation. I appreciate that AI recommendations are grounded in actual cloud context, and they can trace risk from code to cloud to resource to exposure. There are areas of improvement; more architecture-level reasoning is required, better explanations of why a design violates the enterprise standards, and more what-if analysis before deployment. Governance  is the area where Wiz Code actually shines; for large enterprises, governance is not just finding vulnerabilities; it includes ownership, accountability, exceptions, policies, risk acceptance, and auditability. For a financial bank, the most valuable governance capabilities are mapping risk to business owners, consistent guardrails across cloud accounts, evidence for auditors, policy-driven enforcement, and risk prioritization based on context. Security is, again, Wiz Code's strongest area.

I rate the accuracy and reliability as good, but not yet at a level where I trust it without validation. It does well with security explanations; the AI is quite good at explaining why a finding matters, potential attack paths, impact to cloud resources, and security best practices. For example, if it finds a public S3 bucket, overly permissive IAM roles, or public security group, the explanations are usually accurate and aligned with security principles. The remediation suggestions for common issues such as restricting IAM permissions, enabling encryption, and removing public exposure save engineers time because they do not have to research the fix themselves. However, I am cautious with least privilege recommendations because the AI may suggest removing permissions or tightening IAM policies, but it does not always fully understand business requirements, operational dependencies, and future use cases. As an architect, I never approve IAM changes solely based on AI output. Additionally, complex architecture decisions such as shared VPC models can be problematic; AI often lacks the broader organizational context needed to judge whether a design is appropriate, and it might recommend practices that do not align with organization-approved patterns.

I have been using Wiz Code for the past one and a half years.

Wiz Code is really stable.

Wiz Code scales quite well from an enterprise perspective, and I would consider scalability one of its stronger attributes. When evaluating scalability, I look at repository scalability; Wiz Code is designed to integrate with major SCM platforms and can scan thousands of repositories across multiple business units and development teams. Secondly, in terms of cloud environment scalability, this is where Wiz Code generally excels, being built to handle thousands of AWS accounts, multi-cloud environments, and millions of cloud resources. The code-to-cloud correlation capability benefits from this large-scale architecture.

Customer support is really helpful with immediate responses and quick turnaround times.

Before Wiz Code, the security team manually correlated the cloud assets, vulnerabilities, IAM permissions, and internet exposure, with critical issues identified in five days. Now, with the security graph automatically correlating findings, critical issues are identified in 30 minutes, resulting in a 90 percent plus reduction in investigation effort. There is also a reduction in security review effort relevant to the architecture review role, where previously three hours were needed for security review and 20 manual checks; now, Wiz Code validates all this and does it for us.

I was not actively involved in the setup cost and licensing, but I definitely know the pricing was something good given the usage and benefits it provides. I would say the pricing is not too high.

My team evaluated Palo Alto Networks Prisma Cloud, Microsoft Defender for Cloud , Checkmarx One , and Snyk  when choosing Wiz Code.

One must give some time to using Wiz Code initially, and they will definitely have a positive experience with using it. Wiz Code was purchased through the AWS Marketplace . Wiz Code is deployed in my organization on public cloud. AWS is our cloud provider. I rate this product 8 out of 10.