Wiz serves as our enterprise tool for securing our cloud platform. We use AWS as our cloud platform and have Wiz integrated across multiple accounts for IT, engineering, and other departments. Within IT itself, we have different environments including development, production, and stage accounts. In every account, we have Wiz integrated and use policies based on the environment. For example, the dev environment has a less secure policy while production has a high-security policy. Technically, we use Wiz for securing our cloud platform.

The best feature of Wiz is the ability to detect any security violations across multi-cloud platforms and the ability to integrate for creating security incidents and vulnerability incidents. It works very well for scanning the environment, detecting vulnerabilities, and reporting them based on our requirements. It can generate reports via email or create ServiceNow incidents. It has helped me identify threats more easily. When it comes to the Kubernetes cluster, we do not have any other option for detecting vulnerabilities. This is the only way we observe our Kubernetes clusters to determine whether they are secured or not. Regarding speed, I cannot compare it with other solutions, but so far, we are happy with the way it works.

Wiz has improved our business in many ways. While I do not know in numbers how it has helped the business gain more profit, as a technical expert and part of our IT architect team, I would say Wiz has helped tremendously to secure our cloud platform. There were many security vulnerabilities existing before we implemented this solution that were not at all in our attention because there was nothing to scan and report what was wrong. After implementing Wiz, it has helped significantly. There was a program for implementing high-security measures in our environment, and Wiz has contributed substantially to that program.

I feel there is a delay in detection, though I am uncertain whether this is due to our implementation disadvantage. Wiz can detect all the issues, threats, and security vulnerabilities, but the delay may be due to the time taken for running a scan because we have a 24-hour scan cycle. When I checked with the team, there was no on-demand scanning possibility. We still see improvement scopes in this area. It does the work, but we are not seeing the changes very fast. Once you get a threat and fix it, to see that fix reflected in Wiz, you have to wait 24 hours. That is something I am not happy with.

One improvement that I am looking for in Wiz is the capability for on-demand scanning. That should be available. Second, we should be able to see the fixes faster. Once a threat is detected and we apply the fix, we want to see that result updated in the dashboard or portal as soon as possible. If Wiz can detect it faster and update it in the portal, that would be beneficial.

I have been using Wiz for more than two years, approximately two years and four months.

Regarding stability, it is stable. I would rate it nine out of ten.

Regarding scalability, I would also rate it nine out of ten.

I would rate the technical support of Wiz eight out of ten on a scale from one to ten, with ten being the best.

When comparing Wiz with other software, I did not use any other software similar to Wiz for the same purpose. A similar tool was Qualys, but we used Qualys for a different use case. We used it for vulnerability scanning of our servers, not end-user devices. For securing or detecting threats from cloud accounts, I do not have any other tool that I am aware of. Qualys is another vulnerability management tool, but the use cases are different, so I do not have the expertise to compare.

Deployment took approximately three months.

From one to ten, with one being cheap and ten being expensive, I would rate the implementation cost a seven.

Wiz does require some maintenance.

Wiz does require some maintenance.

My thoughts on the pricing of Wiz are that it is not cheap, but it is cost-efficient. From one to ten, with one being cheap and ten being expensive, I would rate it a seven.

I would recommend Wiz to anyone. If anyone wants to secure their infrastructure, cloud environment, or Kubernetes cluster, I would strongly recommend Wiz as a tool because it is easy to use and user-friendly. It has tight integration with many tools out-of-the-box for sending alerts, creating emails, and creating incidents.

My advice to others looking to implement Wiz is that when you implement Wiz, if your hybrid environment is not managed properly, it will be difficult to implement. It is better to make some cleanup and ensure that the environment you are going to implement meets Wiz standards. If you do not take care of that and simply implement Wiz, you will encounter many issues being reported by the system. It is better to follow the prerequisite standards of your cloud account and then implement the solution. Otherwise, you will see many issues being reported.

Regarding whether Wiz has helped reduce alert fatigue, I do not have a definitive answer because we do not see that much decrease in the alerts. Initially, when we implemented Wiz, since we were not using any tool like that before, there were too many alerts. Because it was the first implementation, it started sending too many alerts. Later on, the alerts decreased, but this decrease was not because of Wiz itself. Rather, it was because we implemented security fixes wherever Wiz reported threats or vulnerabilities. That is how the number of alerts got reduced. I feel we can also customize the Wiz policy to reduce the number of alerts, but I am not at that level here, so I do not have that expertise.

My overall rating for this solution is eight out of ten.

My experience with Wiz varies on a case-by-case basis because I don't work on it daily; I engage with it when we need to research something that isn't fully implemented in the organization. Some elements are implemented, but they were done on a POC basis. I have hands-on experience where I've explored the environment extensively, checked vulnerabilities, and shared different findings with team members. So while I've worked with all that, I wouldn't classify it as part of my everyday BAU work, but I've been introduced to it in the last one or two years, max.

We have multiple subscriptions linked to Wiz, and we monitor various aspects including cloud security posture management findings. Compliance is another area we've focused on, where we've created our own compliance framework within Wiz. One feature I particularly appreciate about Wiz is that, similar to other cloud-native security tools like Microsoft's Defender for Cloud, it allows you to define policies as code and deploy them through a version control system with a continuous deployment pipeline. This functionality is also present in Wiz, where their Terraform provider enables complete documentation on controlling aspects directly in the Wiz environment. The major things we've worked on include deploying policies based on CSPM findings detected in Wiz, setting up our own framework and rules within those categories, and we've also worked with inventory management, as Wiz provides an AI-driven inventory that gives visibility into all cloud deployments. Wiz also helps manage vulnerabilities in various environments, such as Kubernetes clusters or Azure container apps.

In different organizational contexts, whether product-based or service-based, the customization of dashboards is highly beneficial. For instance, if I'm a startup or a large company using Wiz for multiple applications, custom dashboards allow me to categorize data from various feeds. Dashboarding becomes effective after managing categorization; I can define a project and add relevant resources or subscriptions under that project. Moving forward in the dashboarding section, I can set up custom widgets to view high-severity CSPM findings or risks, thus visualizing data based on specific filters and categories.

One feature I appreciate about Wiz is the graph controls, which allow for the correlation of multiple findings. For example, if a virtual machine has a critical CVE and is exposed to the internet, this links multiple vulnerabilities such as initial access types. Wiz attempts to categorize these different types of findings, such as CWPP and CSPM, and offers customization through graph controls where we can create our own contextual risk assessments in the cloud environment. Additionally, Wiz allows you to deploy aspects in the tool similarly to the GitHub model, which I appreciate. Its UI is also very smooth and categorized, making it easy to navigate and search through resources efficiently. You can create custom reports and dashboards in your own way, which are some of the major aspects I value in Wiz.

There is definitely room for improvement with Wiz. Given the scope of CNAP technology, which covers the entire SDLC from deployment to monitoring and APIs, it would be beneficial to enhance data integration capabilities. Wiz could partner with leaders in the market, such as Checkmarx, for example; while it currently supports Checkmarx in preview, there still needs to be significant enhancement in contextually mapping risks from pre-deployment scans, such as SAS, SCA, and DAST scanning results. Including these results would elevate contextual risk assessments to a higher level.

Wiz does encounter some glitches similar to other tools in the market. I remember facing certain challenges, such as problems scanning encrypted disks or discrepancies in the findings from already remediated vulnerabilities not reflecting accurately in the tool. These issues are not indicative of an overarching systemic failure but are worth noting as areas that could be improved upon.

Currently, Wiz doesn't consolidate tools effectively. Though it is starting to move in that direction with Checkmarx integration in preview, it lacks the maturity to fully replace other mature open-source tools. Wiz does offer some capability in SCA via CLI, but it falls short compared to its market counterparts and would benefit from further development in tool consolidation and correlation.

I started using Wiz around two years ago.

During the POC, there were indeed a lot of alerts generated by Wiz. It's important to note that alerts vary in type; there are different classifications for vulnerability alerts, CSPM alerts, and contextual risk alerts. Each category has its own significance, meaning that while there may be a high volume of alerts, they can be beneficial and informative based on the context.

Wiz does encounter some glitches similar to other tools in the market. I remember facing certain challenges, such as problems scanning encrypted disks or discrepancies in the findings from already remediated vulnerabilities not reflecting accurately in the tool. These issues are not indicative of an overarching systemic failure but are worth noting as areas that could be improved upon.

I rate Wiz's scalability a perfect 10 out of 10. During our POC, we successfully linked many subscriptions and could manage them effectively without encountering any scalability issues.

I would rate the vendor's technical support as a nine out of ten. They respond swiftly and provide support when needed; for instance, when we experienced some initial trouble figuring out how to configure CCRs and validate results, the vendor was readily available to assist us over calls, clarifying both technical aspects and theoretical insights.

I didn't handle the initial installation of Wiz directly; that task fell to the operations team responsible for deploying security tools. However, from what I gather, integrating Wiz into the environment is not complex. It primarily requires the creation of a service account with sufficient permissions for Wiz to access necessary resources, making the overall integration process straightforward. Challenges might arise from organizational dynamics when persuading stakeholders, but technically, the setup doesn't appear to be cumbersome.

Many people participated in the POC phase with Wiz, involving different teams such as the operational team for deployment and others handling various security dimensions. Many teams contributed during the POC phase., focusing primarily on the security specialists without including end users.

I would have appreciated providing a more specific return on investment metric for Wiz, but since my experience with it is based on a POC without full implementation, I cannot precisely track its impact on time or resource savings. It hasn't been operationalized fully yet in our organization.

My understanding of Wiz's pricing suggests it's not cheap. While I may not have direct involvement in pricing discussions due to different teams managing purchasing decisions, feedback indicates that Wiz is among the most expensive tools available. Though there's likely room for adjustment in pricing, it should be noted that, compared to tools such as Microsoft Defender for Cloud, which scales according to subscriptions, Wiz's pricing can be significantly higher when supporting multiple products within larger organizations.

Wiz was implemented as a POC, and while there were many subscriptions linked, I can share examples of its usage. For instance, when Log4j vulnerabilities emerged several years ago, we managed to quickly create a report through the Wiz dashboard, enabling us to identify all workloads impacted by a critical CVE. With resource tagging for ownership, this helped us reach out to the relevant individuals responsible. Although Wiz offers an option for service integrations such as Jira for issue creation if implemented fully, our approach was manual report generation, where we exported findings and alerted personnel to maintain a zero-issues status.

I would rate this review a 9 out of 10 overall.

My use cases for Wiz mostly revolve around cloud security posture management, compliance, internal opex reporting, and shift-left security tooling, centered around compliance and cloud security shift-left.

What I appreciate most about Wiz is that the compliance and CSPM aspects of this cloud-native application protection offering are genuinely better than other products available in the market. Having worked on Prisma, Orca, and Qualys as well, when I compare Wiz with everything else, it definitely has an edge. The graph queries and graph explorer in Wiz are exceptionally well done by their team, giving me a complete view of resources, how they relate to other resources in the account or in other accounts, and how they pose an external threat or risk.

I have created boards in Wiz for internal projects and teams depending on what product line it is, and I have tried creating custom dashboards. My experience with creating custom dashboards is that it is neither easy nor difficult; it is somewhere in between. Obviously, it is not the same as Power BI or any other visualization tool, so I understand it will not be at that level, but it gets the job done. I get a high-level overview of trends of the findings or non-compliant items, and it accomplishes what I need. I also do not expect it to be at that level because that is not what it is built for.

I really cannot think of anything that Wiz can improve, because the use cases I deal with have almost all features that cater to them, so I really do not have anything in mind right now.

One thing Wiz can do better is regarding support for the open-source fork of Terraform called OpenTofu. Many organizations are moving from Terraform to OpenTofu to save costs in licensing, but their documentation does not officially state that they are supporting OpenTofu, so that would be beneficial to have. Since it is just a copy of Terraform, it should not be a difficult addition, but that would be a valuable feature.

I have been using Wiz in my career for close to one and a half years.

I have seen some lagging or downtime a couple of times, but I am not sure why it happened. It was just a couple of times, and it did not impact what I was doing.

Wiz is very scalable.

I have contacted Wiz's technical support. The quality and speed of the support are very good; most of the time, I do get the answers I am looking for, and if not, the team works internally. If there is no feature, they raise a feature request for us, so it has been very good. On a scale from 1 to 10, I would give Wiz's support a 10.

The initial deployment of Wiz is very easy for me. The first time I deployed Wiz, it took me approximately 10 to 20 minutes, depending on the availability of the other team. When they are available, I usually get it done within 10 or 15 minutes, or even less than that when we have all the prerequisites ready.

Wiz does require some maintenance on my end, but it is minimal. The maintenance involves configuring connectors for Wiz, and it does require a few permissions for Wiz to scan the cloud accounts and other resources. That is the only maintenance needed, such as adding or updating the role in Wiz if other permissions or services introduced by the cloud provider are not covered.

I have used some alternatives and similar solutions to Wiz. I remember the names of those alternatives; one is Palo Alto's Prisma Cloud, and the other was Qualys' tool, which was kind of a makeshift tool, not a full-fledged CSPM, but they called it CSPM. When I compare Wiz to those tools, I prefer Wiz a lot more because it is definitely a couple of notches above all those tools. They have done much better with their UI, which is very organized, whereas Prisma is mostly a lot of acquisitions and a lot of tools stitched together and offered as a SaaS solution. Not saying it is bad, but Wiz does it better than what they have been doing.

I personally have not worked on Wiz Runtime Sensor, so I cannot really comment on whether it has helped identify active threats more effectively compared to any other solutions that I have used. We have plans, but not yet. I would rate this review overall as a 9.

I have used Wiz for security findings, which includes dashboards with the main purpose of Cloud Security Posture Management. Wiz scans all cloud accounts to detect misconfigurations, open ports, publicly exposed resources, and weak IAM permissions. I also utilize it for vulnerability management, such as VMs, containers, serverless functions, and any IAM risky visibilities. I use Wiz for all these things as I work on these areas most of the time. Essentially, it is a cloud risk tool that prioritizes the most critical issues, allowing me to address high-yield issues quickly with the help of Wiz's architecture.

Achieving zero critical issues in Wiz means eliminating all critical severity securities across the cloud platform, which is a significant goal for our cloud security teams. I utilize the Risk Graph to identify real critical issues, prioritizing the resolution of public exposures and patching high and critical CVEs. I track OS-level and package vulnerabilities that need fixing, and sometimes when our OS isn't updated, it flags the errors. My processes involve patching libraries, upgrading AMIs, and removing secrets found in workloads, such as rotating keys for public IPs or un-updated software and databases. It is critical to implement least privilege measures for IAM risks, ensuring admin access is minimized. Moreover, I encrypt all storage and use tags to separate non-production issues according to different environments such as dev, stage, or prod. Utilizing Wiz projects, I segment teams such as network, platform, application, or DevOps so that each team handles their assigned issues, boosting closure speed. I also automate workflows through Jira to create tickets for critical exposures or IAM risks. Thus, achieving zero criticals in Wiz reflects my commitment to eradicating public exposures, patching critical vulnerabilities, and addressing IAM risks, ensuring I adhere to cloud best practices.

I love this interface because it is very clean, neat, and easy to understand. It includes the CNAPP and CSPM security features and extensively uses detection for vulnerabilities and misconfigurations. Everything is present on the dashboard. My personal interest lies in agentless scanning, which I consider the most powerful feature. The unique capability I can highlight is Attack Path Analysis, which identifies the exact path an attacker can exploit by correlating network exposure and any misconfigurations. Additionally, the unified Risk Graph is a very strong feature that helps teams find the most critical issues. I appreciate the accurate prioritization, which saves a great deal of time. Overall, Wiz provides a full CNAPP platform, encompassing CSPM, vulnerability management, IaC scanning, and more. I really appreciate these elements, and the dashboard is also very good.

I do not identify many areas for improvement, but I believe dashboard customization is somewhat limited. While the dashboards are quite good, the variety of widget types is restricted; I cannot fully customize colors or create complex multi-level dashboards. There is also alert noise in larger environments that generates duplicate alerts for the same issues under different categories. Furthermore, remediation automation is limited; Wiz suggests fixes but lacks auto-remediation for many issues. Compared to Prisma, the auto-resolve options are fewer. Although I have heard about deeper container and K8s scanning capabilities, I do not have a clear understanding of what that entails. I perceive that real-time cluster events are also somewhat limited. Regarding the reports, I face limitations in fully customizing PDF reports.

I have been using Wiz for more than eight months.

The setup for Wiz is a one-time configuration, similar to setups in ServiceNow or Ultimatics. This one-time setup ensures proper cloud integration, assessing the type of cloud account, the API permissions in place, and avoiding mistakes during the initial configuration. It highlights any missing requirements, such as IAM roles or permissions, and shows failed connections to allow for quick fixes. Agentless scanning is feasible, so this setup ensures proper configurations are in place. Additionally, it aids the administration in understanding what has been completed versus what remains pending. In summary, it guides onboarding tools to configure cloud accounts, permissions, and integrations accurately and prevents security visibility gaps while reducing onboarding errors.

The deployment time is not measured in days, weeks, or months; rather, it typically takes between five to ten minutes at most. IAM configurations and similar setups may take about two to three minutes.

When comparing Wiz with other solutions on the market, I note that my initial experience was with Prisma Cloud. Wiz stands out for its strengths, particularly in agentless scanning and graph-based risk prioritization, in addition to its comprehensive CNAPP capabilities and multi-cloud coverage. However, I recognize that certain areas, such as runtime threat detection and response, might be handled better by other vendors; while Wiz excels in posture and risk analysis, its runtime protection may not be as advanced as specialized tools designed for workload protection. Other tools might offer better capabilities for behavioral or anomaly detection, as Wiz may not capture the most subtle runtime issues. For instance, scanning public and private buckets requires waiting for scheduled scans or conducting manual scans, which can take significant time to yield updated records. While other vendors might possess better flexibility, the overall effectiveness depends heavily on data size and volume. I observe that legacy security vendor solutions offer mature enterprise support, while newer CNAPP solutions such as Wiz move rapidly but face trade-offs in large regulated enterprises. Overall, Wiz receives high ratings for its innovation and speed, which are great qualities despite some areas requiring improvement. So, in summary, I consider Wiz one of the strongest CNAPP platforms due to its agentless scanning architecture, making it lighter to deploy than competitors such as Prisma Cloud or Lacework. Nonetheless, organizations needing deep runtime protection or specialized identity entitlement management might want to explore other platforms, but I can definitely recommend Wiz for various needs.

For the dashboard itself, it is a very simple and clear function. I generally go to the dashboards to create and add widgets for vulnerability by severity, public exposure, or misconfigurations. I also include widgets such as graphs or tables based on my requirements. I utilize saved views for custom data, which filters the exact information I have in the dashboard, for example, all AWS EC2 instances with critical CVEs or public-facing VMs with secret keys. Multiple sections include critical compliance and posture scores, and I apply filters at the dashboard level too. Essentially, I have almost everything available in terms of customization. I simply need to understand how to use Wiz dashboard in conjunction with my project requirements. Although Wiz is a relatively new tool and I have only worked on a portion of its capabilities, I can refer to the documentation to successfully carry out the needed customizations.

I find the pricing to be cost-effective, as Wiz includes features that many other vendors lack. It seems reasonable when compared to alternatives. Overall, pricing can vary significantly based on Wiz's licensing of workloads, which depends on the number of VMs, containers, and functions I deploy. However, I can request volume-based discounts for larger deployments, especially if managing numerous workloads. Hence, I classify Wiz as cost-effective.

I notice that redeployment is generally very easy compared to other CNAPP tools because it is agentless. The agentless architecture permits multiple operations without the need for redeployment. I only need to connect to the cloud, set up scans, and ensure workload visibility, making the entire process straightforward.

The results from using Wiz have been quite positive; it effectively reduces alert fatigue within my organization. It is clearly a time-efficient solution, which enhances operational efficiency.

I indeed consolidate tools when using Wiz, effectively streamlining processes to enhance focus on critical risks. I would rate this solution a nine out of ten.