Today, we're excited to announce the public preview of Wiz Defend, the future of cloud detection and response (CDR). Defend represents the latest addition to our platform to help organizations secure their cloud at the speed of the cloud.
With Wiz Cloud, we enable cloud security and development teams to quickly eliminate the most critical risks. With Wiz Code, we empower development and application security teams to quickly build securely from the first line of code. Now, Wiz Defend brings SecOps teams into the cloud operating model and gives them the context needed to make the right decisions faster. Security analysts, incident responders, and threat hunters get accurate detections that eliminate noise, real-time protection, automation that resolves threats 10x faster, and improved resiliency from addressing the root cause of incidents contained in code.
Wiz Defend has transformed our approach to cloud detection and response by providing the precise detections and context we needed but never thought possible. The MITRE ATT&CK framework is my north star, and with an incident preparedness dashboard that automatically maps our telemetry to the framework, we can quickly identify gaps and focus our efforts on addressing them. Clear workflows and automation help us close the skills gap, enabling junior analysts to tackle more complex investigations. With Wiz Defend, we're no longer buried in alert noise – we have the clarity and confidence to respond quickly and effectively to threats.
Susan Sinoff, CISO – PROS
SecOps teams have one of the most challenging and stressful sets of jobs within any organization. Every decision carries serious repercussions, and the workload never ends. The cloud has magnified these difficulties:
The attack surface has expanded dramatically, forcing teams to monitor complex threats such as lateral movement, container escapes, and automated IAM attacks. In response, teams must collect and correlate telemetry across the identity, data, network, compute, secrets, and PaaS layers in the cloud.
Traditional SecOps tools, such as SIEM and EDR, have been adapted from on-premises tools and are not suited to the complexity and sheer volume of activity in the cloud. As a result, detection engineers are burdened with manually writing detection rules, with the SANS Cloud Security Survey reporting that “57% of organizations… were unable to keep up with the rapidly evolving (cloud) threat landscape.”
Investigating cloud attacks requires specialized domain knowledge of each cloud and architecture used. Responding requires convincing the application development team to take action. As a result, teams must invest in upskilling their employees or outsource to third parties.
SecOps teams have done a great job of building local detection and response operations, at the cost of significant effort. The founders of Gem Security, which Wiz acquired in April 2024, have lived this pain through decades of incident response and set out on a mission to reinvent threat detection in the cloud with a SecOps-first solution. Defend is the result of Gem rebuilding on top of the Wiz Security Graph to enable SecOps teams of all sizes and maturity levels to effectively manage the full incident response cycle in the cloud.
Wiz Defend is a complete suite of detection, investigation and response capabilities for SecOps to protect their cloud environments from threats.
Prepare for breach detection and investigation: Continuously close visibility gaps by identifying missing telemetry and incomplete runtime coverage, and by providing actionable recommendations aligned with the MITRE ATT&CK framework.
High-accuracy threat detection across the attack kill chain: Run granular cross-layer threat detection, powered by our Wiz Research team, to reduce noise and wasted effort. Thousands of built-in detections, combining cloud control plane, data, network, identity, SaaS infrastructure, and workload runtime telemetry (via the eBPF-based sensor) with behavioral baselines, provide broad coverage of current and emerging cloud threats.
Investigate faster with context and AI: Dramatically accelerate root cause analysis and reduce mean time to response (MTTR) with a simplified, unified and visual story that lets you focus on the investigation rather than on manual data collection and correlation. AskAI Copilot creates rich incident stories that explain the evolution of the attack and its potential impact in natural language. It goes further to automatically answer the next investigative questions a SecOps analyst might ask, such as “How did the attacker gain access to this principal?” or “What else might the attacker do in the environment?”
Respond and contain quickly: Stop incidents before they impact the business by blocking threats at runtime or triggering one-click containment guides for threat issues. Use AI to create remediation and response steps based on the course of action your IR team wants to take. Integrate with your SIEM or SOAR to streamline the workflow for your SecOps team.
So how does this really work? Let's examine SeleniumGreed – a cloud-native attack first documented in January 2024 by the Wiz Research team. It exploits vulnerabilities in the Selenium application testing framework, estimated to be present in 30% of cloud environments, to achieve remote code execution.
Imagine an attacker targeting a Selenium service running in an AWS Kubernetes environment. The attacker exploits the Selenium service to open a reverse shell and establish a foothold on the compromised host. From there, the attacker locates the AWS credentials on the host and exfiltrates them in order to move laterally into the control plane, and finally exfiltrates data from a sensitive AWS S3 bucket.
Wiz Defend flags this threat at every stage of the attack lifecycle, enabling teams to contain the threat actor at any stage. The Wiz sensor deployed on the node immediately detects the reverse shell and alerts the security operations team. When running in blocking mode, the sensor kills the malicious process immediately and stops the attack. If blocking mode is not enabled and the attack continues, Defend detects each subsequent phase of the attack as well.
When the attacker moves to the control plane, Wiz links the keys used in the exfiltration attempt to the compute node targeted in the original attack, and presents both detections in a single timeline and graph to the SecOps team, along with actionable recommendations for containment (kill the malicious process, rotate the compromised credentials, and fix the misconfigured Selenium service).
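To make the cross-layer correlation in this walkthrough concrete, here is an added example (not Wiz's code or detection logic) that links a constructed node-sensor alert to constructed CloudTrail-style events: a control-plane call is attached to the runtime alert when it uses the role bound to the compromised node, falls shortly after the alert, and originates from an IP address that is not the node's own, which is what credentials leaving the host look like from the control plane. All event fields, ARNs, IP addresses and the 60-minute window are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample telemetry (not real Wiz data): one runtime alert from a
# node sensor and three CloudTrail-style control-plane events.
SENSOR_ALERTS = [
    {"time": "2024-11-05T10:02:11Z", "node": "ip-10-0-1-23", "node_ip": "10.0.1.23",
     "rule": "reverse_shell", "pid": 4711,
     "instance_role": "arn:aws:iam::111122223333:role/selenium-node"},
]
CLOUDTRAIL = [
    {"eventTime": "2024-11-05T09:50:00Z", "eventName": "ListBuckets",  # before alert
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/selenium-node/i-0abc"},
     "sourceIPAddress": "10.0.1.23"},
    {"eventTime": "2024-11-05T10:09:42Z", "eventName": "GetObject",  # node creds, off-node IP
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/selenium-node/i-0abc"},
     "sourceIPAddress": "203.0.113.7", "requestParameters": {"bucketName": "customer-records"}},
    {"eventTime": "2024-11-05T10:10:00Z", "eventName": "GetObject",  # unrelated role
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/ci-runner/i-0def"},
     "sourceIPAddress": "203.0.113.7"},
]


def role_name(arn):
    # IAM "...:role/NAME" and STS "...:assumed-role/NAME/SESSION" both carry the
    # role name in the second path segment (assumes roles without an IAM path).
    return arn.split(":")[-1].split("/")[1]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def correlate(alerts, events, window_minutes=60):
    """Build one timeline per runtime alert with the control-plane calls it explains."""
    timeline = []
    for a in alerts:
        t0 = parse(a["time"])
        timeline.append({"time": a["time"], "layer": "runtime", "node": a["node"],
                         "summary": f"{a['rule']} on {a['node']} (pid {a['pid']})"})
        for e in events:
            same_role = role_name(e["userIdentity"]["arn"]) == role_name(a["instance_role"])
            in_window = t0 <= parse(e["eventTime"]) <= t0 + timedelta(minutes=window_minutes)
            off_node = e["sourceIPAddress"] != a["node_ip"]  # creds used away from the host
            if same_role and in_window and off_node:
                bucket = e.get("requestParameters", {}).get("bucketName", "-")
                timeline.append({"time": e["eventTime"], "layer": "control-plane",
                                 "node": a["node"],
                                 "summary": f"{e['eventName']} {bucket} with {a['node']} "
                                            f"credentials from {e['sourceIPAddress']}"})
    return sorted(timeline, key=lambda entry: entry["time"])


if __name__ == "__main__":
    for entry in correlate(SENSOR_ALERTS, CLOUDTRAIL):
        print(entry["time"], entry["layer"], entry["summary"])
```

The resulting timeline holds the reverse-shell alert followed only by the GetObject call that reused the node's role from an outside address; the earlier on-node call and the unrelated role are left out.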
Instead of tedious manual querying in SIEM and endless click-throughs in EDR, Wiz provides a seamless experience across the entire cloud environment. SecOps teams detect the threat in real-time and get the context they need to investigate and respond immediately – all in one platform.
The Wiz Integration Network (WIN) features more than 100 integrations, enabling customers to bi-directionally embed Wiz into their existing security workflow. With the launch of Wiz Defend, we are expanding the scope of WIN to support SecOps teams, bringing Defend's threat context directly into their workflow – democratizing data, providing insights into cloud threats where SecOps teams operate, and maximizing the value of existing tools.
WIN includes integrations with core components of the SecOps workflow, such as SIEM, SOAR, MDR, and threat detection and intelligence tools. For the Defend launch, we are proud to partner with leading vendors empowering SecOps teams: Cribl, Exabeam, Expel, Panther Labs, ReliaQuest, Tamnoon, Tines, and Torq.
Through these integrations, Wiz Defend delivers critical threat context directly into the tools that SecOps teams rely on, simplifying the detection, investigation, and remediation process.
Wiz Defend provides an opportunity to replace drudgery and legacy tools with automation and context, so SecOps can act faster and focus on higher-value initiatives.
Wiz Defend has brought data across our event sources together to help investigate detections from start to finish, from our Identity Provider logs that identify the actor to Wiz runtime events that show individual process execution and network activity. With Wiz Defend, we have confidence in our detection and investigation capabilities with better visibility into our cloud activity thanks to their new VPC log sources. The latter gave us the opportunity to move away from costly detection services, providing a clearer detection strategy and more control over our detection logic.
Nate Stevens, Cloud Security Architect – Maleon
Effective cloud security requires a new operating model — one that fosters collaboration, builds shared context, and democratizes security. This model opens the security flywheel: CloudSec proactively reduces the attack surface, SecOps monitors remaining risks and responds to threats, and developers fix the root cause in the code. No more isolation, just end-to-end security that moves at the pace of cloud innovation.
Wiz Defend is the bridge between Developers, CloudSec, and SecOps, breaking down the organizational silos that bring together the teams required to achieve effective cloud security. Defend is the latest example of the product segment being fully integrated into the Wiz platform. Wiz offers a leading solution that addresses the challenges modern SecOps teams face in the cloud.
Tyler Shields, Principal Analyst – Enterprise Strategy Group.
Join us in shaping the future of cloud security. We invite you to try Wiz Defend, now in public preview. Register for a live demo today, see Defend in action with the latest PAN-OS exploit, or join our upcoming webinar to see how Wiz Defend can transform your SecOps.