Wiz Pocket Book — Uplatz
50 in-depth cards • Wide layout • Readable examples • 20-question interview Q&A included
1) What is Wiz?
Wiz is a cloud security platform that builds a unified graph across cloud resources, identities, network paths, runtime signals, and code artifacts to prioritize risks and prevent breaches. It supports AWS, Azure, GCP, Kubernetes, and more.
Capabilities under the CNAPP umbrella: CSPM, CIEM, CWPP/vulnerability management, container/K8s security, IaC scanning, SBOM/VEX.
2) Wiz Security Graph
All discoveries (assets, vulns, identities, secrets, configs, exposures) are modeled as nodes and edges. Graph queries traverse those relationships to surface toxic combinations, e.g., internet → VM → secret → DB. The query text on these cards is conceptual pseudo-syntax, not Wiz's literal query language.
# Conceptual
FIND resources WHERE exposed_to = "internet" AND has_secret = true AND can_reach = "db"
3) Connectors & Coverage
Connect cloud accounts/subscriptions/projects through read-only API roles; agentless disk-snapshot scanning covers workloads without installing software; integrations cover EDR, ticketing, and SIEM. Coverage spans IaaS/PaaS/K8s/serverless.
Typical setup: AWS Org, Azure Tenant, GCP Org + K8s clusters + registries
4) Agentless + Runtime
Agentless analysis inspects disk snapshots, images, and metadata; optional runtime sensors add process/behavior context for higher-fidelity risk.
Signals: packages, secrets, keys, CVEs, misconfigs, malware indicators
5) Risk = Context
Wiz prioritizes by reachability, exploitability, blast radius, data sensitivity, and business tags, not by CVSS score alone.
Conceptual model (not Wiz's actual scoring): Priority = (Exposure × Identity Power × Data Sensitivity) - Compensating Controls
6) Projects, Folders & RBAC
Group assets by business unit or environment. Use granular roles for read/triage/fix. Map to SSO groups for least-privilege access.
7) Findings, Issues, Tasks
Raw findings (signals) become issues after policy evaluation. Tasks route to owners via Jira/ServiceNow/Asana with SLA and auto-close on fix.
8) Benchmarks & Frameworks
Built-in policies align to CIS, NIST, PCI DSS, ISO 27001, SOC 2, HIPAA, and cloud provider best practices. Map controls to compliance views.
9) Tags & Business Context
Sync cloud tags/labels and CMDB metadata to enrich the graph. Use tags (owner, app, tier, data_class) to scope policies and SLAs.
10) Q&A — “Why Wiz vs classic CSPM?”
Answer: Classic CSPM flags misconfigs in isolation. Wiz adds identity, network, vuln, and data context in a single graph to prioritize exploitable attack paths and reduce noise.
11) Query Language (WQL/Graph)
Use the UI query builder (or the API) to search the graph by exposure, identity permissions, CVEs, secrets, networks, and data stores. The query text below is conceptual pseudo-syntax, not Wiz's literal syntax.
FIND vm
WHERE exposed_to = "internet"
AND has_cve(severity >= "high")
AND path_to(datastore where classification="sensitive")
12) Attack Path Explorer
Visualize multi-hop paths (entry → lateral move → crown jewels). Break paths by removing exposure, revoking permissions, or patching.
Path example: 0.0.0.0/0 → tcp/22 on EC2 → instance profile role → S3 bucket holding PII
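The traversal behind cards 2 and 12, as an added example (not Wiz code): a toy security graph with a constructed inventory, a breadth-first search from "internet" to every data store, the card 5 formula applied to each path, and a toxic-combination test. Node names, relation labels, the 0-3 "power"/"sensitivity" weights, the CVE-based exposure doubling and the compensating-control weights are all assumptions.

```python
"""Toy security graph: enumerate internet-to-data attack paths and rank them.

Added example for cards 2 and 12. Not Wiz code: the inventory, relation names
and weights below are constructed to illustrate graph traversal."""
from collections import deque

# Constructed inventory. Directed edges: (source, destination, relation).
EDGES = [
    ("internet", "sg-web", "ALLOWS 0.0.0.0/0 tcp/22"),
    ("sg-web", "vm-web", "PROTECTS"),
    ("vm-web", "role-web", "ASSUMES"),               # instance profile
    ("role-web", "s3-customer-pii", "CAN_READ"),
    ("vm-web", "secret-db-creds", "HAS_SECRET"),     # credential found on disk
    ("secret-db-creds", "rds-orders", "AUTHENTICATES_TO"),
    ("internet", "sg-batch", "ALLOWS 0.0.0.0/0 tcp/443"),
    ("sg-batch", "vm-batch", "PROTECTS"),
    ("vm-batch", "role-batch", "ASSUMES"),
    ("role-batch", "s3-public-assets", "CAN_READ"),
]

# Node attributes. 'power' is an assumed 0-3 privilege weight for identities and
# secrets; 'sensitivity' an assumed 0-3 data weight for data stores.
NODES = {
    "vm-web": {"type": "vm", "cve_max": "critical"},
    "vm-batch": {"type": "vm", "cve_max": "low"},
    "role-web": {"type": "identity", "power": 3},
    "role-batch": {"type": "identity", "power": 1},
    "secret-db-creds": {"type": "secret", "power": 3},
    "s3-customer-pii": {"type": "datastore", "sensitivity": 3},
    "rds-orders": {"type": "datastore", "sensitivity": 3},
    "s3-public-assets": {"type": "datastore", "sensitivity": 0},
}

# Assumed compensating-control weights (e.g. EDR on the host, DB audit logging).
COMPENSATING = {"vm-web": 1, "rds-orders": 1}


def build_adjacency(edges):
    adj = {}
    for src, dst, _rel in edges:
        adj.setdefault(src, []).append(dst)
    return adj


def find_paths(adj, start="internet", max_hops=6):
    """Breadth-first search for simple paths from `start` that end at a datastore node."""
    paths = []
    queue = deque([[start]])
    while queue:
        path = queue.popleft()
        node = path[-1]
        if NODES.get(node, {}).get("type") == "datastore":
            paths.append(path)
            continue                      # stop at the crown jewel, don't pivot through it
        if len(path) > max_hops:
            continue
        for nxt in adj.get(node, []):
            if nxt not in path:           # keep paths simple (no cycles)
                queue.append(path + [nxt])
    return paths


def score_path(path):
    """Card 5 formula: (Exposure x Identity Power x Data Sensitivity) - Compensating Controls.
    Assumption: exposure doubles when a VM on the path carries a high/critical CVE."""
    exposure = 2 if any(NODES.get(n, {}).get("cve_max") in ("high", "critical") for n in path) else 1
    identity_power = max((NODES.get(n, {}).get("power", 0) for n in path), default=0)
    sensitivity = NODES.get(path[-1], {}).get("sensitivity", 0)
    controls = sum(COMPENSATING.get(n, 0) for n in path)
    return max(0, exposure * identity_power * sensitivity - controls)


def is_toxic(path):
    """Toxic combination: internet exposure + a powerful identity or secret + sensitive data."""
    return (
        path[0] == "internet"
        and any(NODES.get(n, {}).get("power", 0) >= 2 for n in path)
        and NODES.get(path[-1], {}).get("sensitivity", 0) >= 2
    )


def rank_attack_paths():
    """All internet-to-datastore paths as (score, toxic, path), highest score first."""
    adj = build_adjacency(EDGES)
    ranked = [(score_path(p), is_toxic(p), p) for p in find_paths(adj)]
    return sorted(ranked, key=lambda t: t[0], reverse=True)


if __name__ == "__main__":
    for score, toxic, path in rank_attack_paths():
        print(f"{score:3d} {'TOXIC' if toxic else '     '} {' -> '.join(path)}")
```

The two paths through vm-web score highest because they combine exposure, a powerful identity or secret, and sensitive data; the path to the public-assets bucket scores zero even though that VM is also internet-facing. That is the "context, not CVSS" point of card 5: breaking either the SSH exposure or the role/secret removes both top paths at once.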
13) Saved Searches & Boards
Pin critical queries and build boards per team (e.g., “Internet-exposed + Secret present”, “High-priv identities on compute”).
14) Drilldown & Root Cause
From any issue, open graph drilldown to see why it’s risky: which security groups, routes, identity roles, and secrets contribute.
15) Data Classification
Discover sensitive data stores and link them to compute paths. Raise priority when reachable from exposed assets.
FIND datastore WHERE classification IN ("PCI","PHI","PII") AND reachable_from(exposed)
16) Custom Fields & Enrichment
Ingest business inventory (owners, tiers, RTO/RPO) via API to improve triage and routing.
17) Exceptions & Waivers
Document justified exceptions with expiry and compensating controls. Auto-review on expiration.
18) Alerting & Integrations
Push real-time alerts to Slack/MS Teams; stream findings to SIEM (e.g., Splunk) for correlation with logs.
19) KPIs & Trends
Track MTTR, open issues by severity, % internet-exposed, identity risk counts, and compliance posture over time.
20) Q&A — “What makes a ‘toxic combo’?”
Answer: Multiple low/medium issues that combine into exploitable risk, e.g., public bucket + access keys in VM + overprivileged role enabling data exfiltration.
21) Vulnerability Management
Agentless scanning of OS packages, language deps, images, and functions. Prioritize by exploitability and exposure.
FIND vm WHERE cve IN ("CVE-2023-XXXXX") AND exposed_to="internet"
22) SBOM & Image Scanning
Generate SBOM for container images and correlate CVEs with runtime deployments. Focus on images actually running in prod paths.
23) Secrets & Keys
Detect hardcoded secrets in images and disks, cloud keys on hosts, and keys that are publicly exposed. Pair each finding with rotation guidance, and verify the old key is actually revoked after rotation.
FIND vm WHERE has_secret=true AND reachable_from("internet")
24) Container Runtime Risks
Flag privileged pods, hostPath mounts, CAP_SYS_ADMIN, and exposed NodePorts. Tie to identity permissions and network reach.
FIND k8s.pod WHERE securityContext.privileged=true
25) K8s Posture
Audit cluster config: API server flags, etcd encryption, RBAC, network policies, and admission controls.
26) Serverless & PaaS
Scan Lambda/Functions, App Services, Cloud Run: env secrets, broad IAM, public endpoints, and egress to sensitive stores.
27) Exploit Intelligence
Prioritize actively exploited CVEs and those with public POCs. Defer low-risk packages not in attack paths.
28) Patch & Remediation
Integrate with patch systems; for containers, fix in base image and redeploy. Use exceptions for vendor delays with compensations.
29) Malware Indicators
Correlate suspicious binaries/processes from snapshot/runtime with exposure and credentials to prioritize incident response.
30) Q&A — “Agentless accuracy?”
Answer: Snapshot scans see installed packages/files but not ephemeral runtime behavior. Combine with optional runtime sensors for process/traffic context when needed.
31) CIEM (Identity)
Inventory human and machine identities, enumerate effective permissions, and find overprivileged roles and unused rights.
FIND identity WHERE privilege = "admin" AND days_since_last_use > 90
32) Network Paths
Model ingress/egress from internet/VPN/peers to workloads and data. Highlight open management ports and flat networks.
FIND vm WHERE port IN (22,3389) AND exposed_to = "internet"
33) Data Stores
Track S3/Blob/GCS, RDS/SQL, NoSQL, and secret managers. Detect public access, weak encryption, and cross-account sharing.
FIND datastore WHERE public=true OR encryption=disabled
34) Lateral Movement
Find pivot opportunities: same VPC/subnet, shared instance profiles, shared keys, or peered networks connecting tiers.
35) Conditional Access Gaps
Detect identities without MFA, keys older than policy, or no session constraints—especially when they can reach sensitive data.
36) Public Exposures
Internet-exposed compute, databases, buckets, and services. Validate WAF, auth, and network ACLs.
37) Privilege Escalation
Identify roles with iam:PassRole, policy attachment rights, or wildcard permissions enabling escalation chains.
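The checks from cards 31 and 37 over IAM policy documents, as an added example (not Wiz code): constructed identities with AWS-shaped policy JSON, wildcard-aware action matching, a list of escalation primitives (iam:PassRole, policy attachment, policy-version and credential-creation rights), and a 90-day idle test against a fixed clock. The identity names, timestamps and the NOW constant are assumptions; the simplification that only Allow statements count is called out in the code.

```python
"""Flag privilege-escalation primitives and stale admin identities in IAM data.

Added example for cards 31 and 37; not Wiz code. The identities and policy
documents are constructed in the shape of AWS IAM policy JSON; the "last_used"
timestamps and the fixed clock NOW are assumptions for reproducibility."""
import fnmatch
from datetime import datetime, timezone

# IAM actions that let a principal grant itself, or a resource it controls, more rights.
ESCALATION_ACTIONS = {
    "iam:PassRole", "iam:AttachUserPolicy", "iam:AttachRolePolicy", "iam:AttachGroupPolicy",
    "iam:PutUserPolicy", "iam:PutRolePolicy", "iam:CreatePolicyVersion",
    "iam:SetDefaultPolicyVersion", "iam:CreateAccessKey", "iam:CreateLoginProfile",
    "iam:UpdateLoginProfile", "iam:UpdateAssumeRolePolicy",
}

IDENTITIES = [  # constructed
    {"name": "role-ci-deployer", "last_used": "2024-01-05T10:00:00Z",
     "policies": [{"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Action": ["ec2:RunInstances", "iam:PassRole"], "Resource": "*"},
         {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::deploy-artifacts/*"},
     ]}]},
    {"name": "user-legacy-admin", "last_used": "2023-09-01T08:00:00Z",
     "policies": [{"Version": "2012-10-17",
                   "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}]},
    {"name": "role-readonly-audit", "last_used": "2024-03-28T12:00:00Z",
     "policies": [{"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"},
         {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},
     ]}]},
]

NOW = datetime(2024, 4, 1, tzinfo=timezone.utc)  # fixed clock (assumption)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allowed_action_patterns(policy):
    """Lower-cased Action patterns from Allow statements only.

    Deny statements, NotAction, Conditions, SCPs, permission boundaries and resource
    policies are ignored here; real effective-permission analysis (card 31) must
    evaluate all of them before calling a permission 'effective'."""
    patterns = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or "Action" not in st:
            continue
        patterns.extend(a.lower() for a in _as_list(st["Action"]))
    return patterns


def action_allowed(patterns, action):
    """IAM matches action names case-insensitively, with '*' and '?' wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns)


def analyze(identity, now=NOW, stale_days=90):
    patterns = [p for pol in identity["policies"] for p in allowed_action_patterns(pol)]
    last_used = datetime.strptime(identity["last_used"], "%Y-%m-%dT%H:%M:%SZ")
    days_idle = (now - last_used.replace(tzinfo=timezone.utc)).days
    return {
        "name": identity["name"],
        "wildcards": sorted(p for p in patterns if p == "*" or p.endswith(":*")),
        "escalation": sorted(a for a in ESCALATION_ACTIONS if action_allowed(patterns, a)),
        "admin": any(p in ("*", "iam:*") for p in patterns),
        "days_idle": days_idle,
        "stale": days_idle > stale_days,
    }


def needs_attention(finding):
    """Card 31/37 triage: unused admin rights, or any escalation primitive at all."""
    return (finding["admin"] and finding["stale"]) or bool(finding["escalation"])


def triage(identities=IDENTITIES):
    return [f for f in map(analyze, identities) if needs_attention(f)]


if __name__ == "__main__":
    for f in triage():
        print(f"{f['name']}: admin={f['admin']} idle={f['days_idle']}d "
              f"wildcards={f['wildcards']} escalation={f['escalation']}")
```

The CI deployer is flagged for iam:PassRole even though it is in active use: with ec2:RunInstances it can launch an instance under any role it is allowed to pass, which is the classic escalation chain. The read-only auditor is clean because s3:Get*/s3:List* never match an escalation action.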
38) Secrets Hygiene
Keys in user data, AMIs, images, or repos. Enforce rotation and least-privilege access. Prefer secret managers.
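A detector for the artifacts cards 23 and 38 describe, as an added example (not Wiz code): it scans text blobs such as user data, config files or files from an image layer for AWS access key IDs (the AKIA prefix marks a long-term IAM user key, ASIA a temporary STS key), PEM private-key headers, and high-entropy values assigned to secret-looking variable names. The two sample blobs are constructed; the key ID is AWS's published example ID, and the 3.5-bit entropy threshold is an assumption.

```python
"""Scan text blobs for credential material: AWS key IDs, PEM keys, high-entropy secrets.

Added example for cards 23 and 38; not Wiz code. Sample blobs are constructed."""
import math
import re

# Long-term IAM user keys start with AKIA; temporary STS keys start with ASIA.
ACCESS_KEY_ID = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
PEM_PRIVATE_KEY = re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")
# name=value / name: value where the name looks secret-bearing and the value is a long token.
ASSIGNMENT = re.compile(
    r"(?i)\b([A-Z0-9_]*(?:secret|password|passwd|token|api_key)[A-Z0-9_]*)"
    r"\s*[=:]\s*['\"]?([A-Za-z0-9+/=_\-]{16,})"
)

SAMPLE_USER_DATA = """#!/bin/bash
# constructed sample: cloud-init user data with a leaked long-term key
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
DB_PASSWORD="correct horse"
LOG_LEVEL=debug
"""

SAMPLE_SSH_DIR = """-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
-----END OPENSSH PRIVATE KEY-----
"""

REMEDIATION = {  # card 38 guidance per finding kind
    "aws_access_key_id": "rotate the key, then revoke it; move to an instance role or secret manager",
    "private_key": "treat the key as compromised; reissue and remove from the image/disk",
    "high_entropy_secret": "rotate the value and load it from a secret manager at runtime",
}


def shannon_entropy(s):
    """Bits per character; random tokens sit well above natural words."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def mask(value):
    return value[:4] + "..." + value[-2:]


def scan(text, source="<blob>", entropy_threshold=3.5):
    """Return one finding dict per hit; secret values are masked, key IDs are not."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_ID.finditer(line):
            kid = m.group(1)
            findings.append({"source": source, "line": lineno, "kind": "aws_access_key_id",
                             "value": kid, "temporary": kid.startswith("ASIA")})
        if PEM_PRIVATE_KEY.search(line):
            findings.append({"source": source, "line": lineno, "kind": "private_key"})
        for m in ASSIGNMENT.finditer(line):
            name, value = m.group(1), m.group(2)
            if shannon_entropy(value) >= entropy_threshold:
                findings.append({"source": source, "line": lineno, "kind": "high_entropy_secret",
                                 "name": name, "value": mask(value)})
    for f in findings:
        f["remediation"] = REMEDIATION[f["kind"]]
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_USER_DATA, "user-data") + scan(SAMPLE_SSH_DIR, "/root/.ssh/id_ed25519"):
        print(f)
```

The low-entropy password with a space is deliberately not matched: that is the trade-off of entropy-gated detection, which trades missed weak passwords for fewer false positives on ordinary config values. A key ID alone is not a secret, but paired with the secret key on the same host it is a working credential; the "temporary" flag tells you whether rotation is urgent (AKIA) or whether the key will expire on its own (ASIA).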
39) Data Egress Control
Detect public egress routes from sensitive subnets, unrestricted NATs, and missing VPC endpoints with policies.
40) Q&A — “Fix first: identity, network, or CVE?”
Answer: Break attack paths in order of least effort/highest risk reduction: 1) close public exposure or block path; 2) remove overprivileged access; 3) patch remaining exploitable vulns.
41) Policy-as-Code & Custom Controls
Create custom controls to enforce org standards (naming, tags, encryption). Map to frameworks and SLAs by environment.
CONTROL: "S3 must be encrypted"
IF resource.type="s3" THEN REQUIRE encryption=enabled
42) Shift Left (CI/CD)
Scan IaC (Terraform, ARM/Bicep, CloudFormation) and container images in CI. Break build on critical misconfigs/CVEs with approved gates.
Gate: fail if internet_exposed AND has_secret AND critical_cve
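The card 41 control and the card 42 gate as runnable policy-as-code, an added example (not Wiz code and not Wiz's control syntax): controls are plain predicates over a normalized resource record, each tagged blocking or advisory, and the evaluator honours card 17 waivers before deciding the CI exit code. RESOURCES is a constructed scan result; the resource ids, control names and severities are assumptions, and the CVE ids are placeholders.

```python
"""Minimal policy-as-code evaluator: custom controls plus the card 42 CI gate.

Added example for cards 41 and 42; not Wiz code and not Wiz's control syntax.
RESOURCES is a constructed, normalized scan result; control names, severities and
the CVE ids (placeholders) are assumptions."""
import sys

RESOURCES = [
    {"id": "s3-logs", "type": "s3", "encryption": "enabled", "tags": {"owner": "sec-team"}},
    {"id": "s3-exports", "type": "s3", "encryption": "disabled", "tags": {}},
    {"id": "vm-api", "type": "vm", "internet_exposed": True, "has_secret": True,
     "cves": [{"id": "CVE-2023-XXXXX", "severity": "critical"}], "tags": {"owner": "api-team"}},
    {"id": "vm-worker", "type": "vm", "internet_exposed": False, "has_secret": True,
     "cves": [{"id": "CVE-2023-YYYYY", "severity": "critical"}], "tags": {"owner": "data-team"}},
]


def s3_must_be_encrypted(r):
    """Card 41 control: IF resource.type="s3" THEN REQUIRE encryption=enabled."""
    return r["type"] != "s3" or r.get("encryption") == "enabled"


def owner_tag_required(r):
    """Routing (card 43) needs an owner; treat a missing tag as an advisory finding."""
    return bool(r.get("tags", {}).get("owner"))


def no_exposed_secret_with_critical_cve(r):
    """Card 42 gate: fail if internet_exposed AND has_secret AND critical_cve."""
    critical = any(c["severity"] == "critical" for c in r.get("cves", []))
    return not (r.get("internet_exposed") and r.get("has_secret") and critical)


CONTROLS = [
    {"name": "S3 must be encrypted", "severity": "high", "blocking": True,
     "check": s3_must_be_encrypted},
    {"name": "owner tag required", "severity": "low", "blocking": False,
     "check": owner_tag_required},
    {"name": "no internet-exposed host with secret and critical CVE", "severity": "critical",
     "blocking": True, "check": no_exposed_secret_with_critical_cve},
]


def evaluate(resources, controls=CONTROLS, exceptions=frozenset()):
    """Run every control over every resource.

    exceptions: set of (resource_id, control_name) pairs, i.e. card 17 waivers.
    Returns (violations, exit_code); exit_code is 1 when an unwaived blocking control failed."""
    violations = []
    for r in resources:
        for c in controls:
            if c["check"](r):
                continue
            violations.append({
                "resource": r["id"], "control": c["name"], "severity": c["severity"],
                "owner": r.get("tags", {}).get("owner"),
                "blocking": c["blocking"],
                "waived": (r["id"], c["name"]) in exceptions,
            })
    blocked = any(v["blocking"] and not v["waived"] for v in violations)
    return violations, (1 if blocked else 0)


if __name__ == "__main__":
    found, code = evaluate(RESOURCES)
    for v in found:
        flag = "WAIVED" if v["waived"] else ("BLOCK" if v["blocking"] else "WARN")
        print(f"{flag:6} {v['severity']:8} {v['resource']:12} {v['control']} (owner={v['owner']})")
    sys.exit(code)
```

vm-worker carries the same secret and the same critical CVE as vm-api but is not internet-exposed, so the gate lets it through: the gate fires on the combination, not on any single signal, which is what keeps it from becoming a CVSS-driven build breaker.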
43) Ticketing & Ownership
Auto-assign issues by tag/owner, set SLAs by severity and data class, and sync status bidirectionally with Jira/ServiceNow.
44) Runbooks & Autofix
Attach step-by-step remediation (CLI/Terraform) and safe automation (e.g., close SG port, detach role). Guardrails and approvals required.
aws ec2 revoke-security-group-ingress --group-id sg-... --port 22 --protocol tcp --cidr 0.0.0.0/0
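The exposure check of cards 32 and 36 and the runbook command of card 44, joined up as an added example (not Wiz code): it walks security groups in the shape `aws ec2 describe-security-groups` returns, finds rules that open SSH or RDP to 0.0.0.0/0 or ::/0 (including port ranges and all-traffic rules that merely contain those ports), and emits the matching revoke command. The group ids and rules are constructed. The `--port/--cidr` short form only covers single-port IPv4 rules; IPv6 sources and port ranges need `--ip-permissions`, and a revoke must match the existing rule exactly, so a 0-65535 rule is revoked whole and re-added narrower rather than having port 22 carved out of it.

```python
"""Find management ports open to the internet in security groups and emit revoke commands.

Added example for cards 32, 36 and 44; not Wiz code. SECURITY_GROUPS is constructed
in the shape returned by `aws ec2 describe-security-groups`."""
import ipaddress
import json

MGMT_PORTS = {22: "ssh", 3389: "rdp"}

SECURITY_GROUPS = [  # constructed
    {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
         "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "jump", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "-1",   # all traffic, but only from the corporate range
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "legacy", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d4e5f60001"}]},
    ]},
]


def is_public(cidr):
    """Anything with a /0 prefix, IPv4 or IPv6, is the whole internet."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def port_in_rule(perm, port):
    """True if a TCP port is covered by this rule (all-traffic rules cover everything)."""
    proto = perm["IpProtocol"]
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def public_mgmt_exposures(groups, ports=MGMT_PORTS):
    """One finding per (group, rule, public source) that reaches a management port."""
    findings = []
    for g in groups:
        for perm in g["IpPermissions"]:
            hit = sorted(p for p in ports if port_in_rule(perm, p))
            if not hit:
                continue
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in sources:
                if is_public(cidr):
                    findings.append({"group": g["GroupId"], "name": g["GroupName"],
                                     "source": cidr, "ports": hit, "rule": perm})
    return findings


def revoke_command(finding):
    """Build the exact revoke for this rule/source pair; a revoke must match the rule as stored."""
    perm, src, gid = finding["rule"], finding["source"], finding["group"]
    proto = perm["IpProtocol"]
    ipv6 = ":" in src
    if proto in ("tcp", "6") and perm.get("FromPort") == perm.get("ToPort") and not ipv6:
        return (f"aws ec2 revoke-security-group-ingress --group-id {gid} "
                f"--protocol tcp --port {perm['FromPort']} --cidr {src}")
    rule = {"IpProtocol": proto}
    if proto != "-1":
        rule["FromPort"], rule["ToPort"] = perm["FromPort"], perm["ToPort"]
    rule["Ipv6Ranges" if ipv6 else "IpRanges"] = [{"CidrIpv6" if ipv6 else "CidrIp": src}]
    return (f"aws ec2 revoke-security-group-ingress --group-id {gid} "
            f"--ip-permissions '{json.dumps([rule], separators=(',', ':'))}'")


if __name__ == "__main__":
    for f in public_mgmt_exposures(SECURITY_GROUPS):
        print(f"{f['name']} ({f['group']}): {f['source']} -> ports {f['ports']}")
        print("  ", revoke_command(f))
```

Run the generated commands only through the approval path card 44 calls for: the legacy group's 0-65535 rule is also how that group's own members talk to each other, so revoking it without first adding the intended narrower rules is the kind of "autofix" that causes an outage.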
45) Reporting & Audits
Export posture reports per framework, evidence trails for auditors, and executive dashboards highlighting risk burn-down.
46) M&A & Third-Party Risk
Quickly onboard new cloud estates, baseline posture, and identify critical exposures before integration.
47) Cost-Aware Security
Tag fixes with business value; prioritize “cheap big wins” (security groups, identity trims) before heavy refactors.
48) Common Pitfalls
Chasing CVEs without context, disabling controls for speed, stale connectors, no owners/tags, and unmanaged exceptions.
49) Quick Start Checklist
Connect all clouds → import tags/owners → enable key policies → create boards & alerts → integrate ticketing → run fix sprint on top 20 attack paths.
50) Interview Q&A — 20 Practical Questions (Expanded)
1) How does Wiz differ from CSPM-only tools? It fuses misconfigs, identities, network exposure, and vulns into a single graph to find exploitable paths.
2) What is a ‘toxic combination’? Multiple benign issues that together enable breach (e.g., public SG + secret on disk + admin role chain).
3) Prioritization logic? Exposure + identity power + data sensitivity + exploit intel, adjusted by compensating controls.
4) Agentless vs agented? Agentless gives broad coverage fast; agents/sensors add runtime depth. Many start agentless, add runtime where needed.
5) CIEM examples? Identities with admin, wildcard actions, PassRole, or unused keys; map effective permissions across assume-role chains.
6) How are network paths computed? From SGs/NSGs, routes, load balancers, peering, endpoints; evaluated against internet/public sources.
7) K8s risks to watch? Privileged pods, broad RBAC, open API server, missing network policies, secrets in env vars.
8) Handling secrets discovered? Rotate keys, move to secret manager, remove from AMIs/images/user-data, and restrict IAM usage.
9) SBOM value? Inventory deps, map CVEs to running images, enforce base image hygiene, and support compliance.
10) What is data classification used for? Elevates priority of issues that can reach sensitive data; drives stricter SLAs.
11) How to reduce alert fatigue? Use attack-path context; suppress noisy standalone CVEs; focus on exploitable combos and ownership routing.
12) Common misconfig examples? Public buckets, unencrypted DBs, 0.0.0.0/0 on SSH/RDP, default creds, disabled logging.
13) Exceptions lifecycle? Time-bound with justification; auto-revalidation on expiry; monitor compensating controls.
14) Shift-left integration? Scan IaC and images in CI; block deploys creating known attack paths; feed results back to PR owners.
15) Evidence for audit? Control tests, issue history, remediation tasks, screenshots/exports of compliant resources.
16) Multi-cloud normalization? Abstracts provider-specific fields into common graph entities and edges.
17) How to measure program success? Fewer exploitable paths, lower time-to-remediate, reduced public exposure, and improved control coverage.
18) What’s ‘effective permission’? Real permissions after policy evaluation and role assumptions, not just attached policies.
19) Typical first month plan? Connect clouds → quick wins on public exposures & secrets → identity right-sizing → top attack paths sprint.
20) Biggest gotcha? Not assigning owners/tags, so issues can’t route; fix tagging first to unlock automation.