Wiz Reviews

I mostly work with a lot of AI use cases and some data governance use cases where we are focusing on the data because data can reside anywhere in the cloud. It is not limited to some storage. We do have a variety of services where data can reside and it is very crucial to identify those sensitive data and label them. When data is exfiltrated from one resource to another resource, we have to make sure that the DLP policies are fulfilled or enforced.

I have found that Wiz covers all the stages of the software development life cycle. It covers application or code security, DevOps security, and runtime security. It is a full-fledged CNAPP solution. All the areas within the development and the deployment side are covered.

The impact of consolidation on my ability to prioritize critical risks in the cloud environment is all about the correlation and how the technology works at the back end. It picks the data from different sources and correlates and identifies the high-priority risk. It provides visibility, meaning the risk score about the resource where we need to focus on.

Wiz does reduce alert fatigue for our customers, but alert fatigue is the main concern for every organization. If you don't have the proper workflow for each incident, it also depends upon the implementation and the workflow that you have decided. Sometimes it is a very big concern and a big headache for the customer because it finds a lot of findings that could be false positives. We have to fine-tune those alerts as per the infrastructure design. Sometimes some findings could be false positives, so we have to assess all these findings and we have to make sure that all policies are relevant for the environment.

The second point is basically the remediation steps. Sometimes it creates a burden or headache for the customer because the remediation of those kinds of findings are difficult. It may need a dedicated team who can get involved and fix them. Ownership and accountability is the main concern. We have to collaborate with different teams and make them understand the impact of that finding. The workflow also depends upon whether automation should be there. Automation is not for all findings, but for where we can do some kind of alerts where we can do the automation. For example, with IAM, those guys having the extra privilege, we can decide the workflow and we can remediate. But somewhere the service is running, we cannot immediately remediate those findings because it involves a lot of impact. First, we have to analyze each alert and what kind of impact it could be, then based on that, we have to plan whether it will be manual or through automation.

Wiz is currently allowing us to consolidate everything, the findings, the visibility of your environment, and everything is there.

Wiz Code is also covering your secrets and your vulnerabilities inside the IAC. It also provides us the SCA, Software Composition Analysis, and also provides an SBOM report that helps developers to look at the security standpoint while creating or writing any code. There are a lot of other things it is providing, but these are the major things.

Regarding Wiz Defend, the runtime protection, we do have the agent or sensor on the endpoint where it can defend in real time. There are two approaches. Detection is the one capability and protection is the second capability. At some stage, it only provides us the visibility, and at some stage, it also defends the attack.

I find AI security posture management very important in cloud security strategy. Nowadays, every organization is using different kinds of models or enhancing their applications. While they are using the models or they are calling through APIs, maybe sometimes they are using models inside their environment, sometimes they are just buying the APIs for any third-party model. While we are buying any APIs for their application or to integrate the LLM model into their application, it is crucial that we should have the visibility. Whoever kind of prompts the end user is triggering and what kind of data in or out is happening. Such kind of sensitive information may be traversing inside our network. The visibility of these things should be there so that preventive control can be implemented.

I believe Wiz could be improved or enhanced by acknowledging that nowadays a lot of technology is coming. Every solution is now doing the integration at the backend. They are trying to cover more areas in terms of cybersecurity. Definitely, every solution is growing as per the market demand. We can see a couple of more things coming soon, and every technology or technology owner is working behind the scenes. The purpose is basically the baseline foundation. If you talk about the CIA triad, that should be covered properly and everyone is doing the same thing.

I would like Wiz to push backend integration more, but not that much because license and procurement happen through a different team.

I have been working with Wiz for the last three months, during which I deployed this Wiz solution for one of the clients.

The stability and reliability of Wiz are good. I don't feel any issues. It is good because whenever they are planning any activity, they generally inform us prior to implementation.

Regarding the scalability of Wiz, it is good. I don't see or feel any kind of issue on the scalability or the performance. Every solution is running behind most probably on the Kubernetes services, they are using multiple containers and the pods behind those services. In terms of scalability, I don't feel any issues. It totally depends upon the license, how much license you procured. Based on that you can onboard or you can consume those licenses. Even if you go beyond that, you don't see any kind of challenges. It is pretty much good, not limited to Wiz but for all solutions I'm talking about. They are providing 99.99 kind of SLA. I don't see and feel such kind of issues in the past.

I communicate with the technical support at some times when we feel that the technology is not working as expected. The outcome that we suppose is not getting as expected, so we generally raise a ticket with the provider. They assist as they regularly do.

I have found that Wiz covers all the stages of the software development life cycle. It covers your application or code security, also covers DevOps security, and also finally covers the runtime security. It is a full-fledged CNAPP solution. All the areas within the development and the deployment side are covered.

My impression of Wiz Runtime Sensor is quite good. Runtime, as I already mentioned, in the runtime sensor, we are basically deploying the sensor on the endpoint. It could be your EC2 instance, the virtual machine, container, and the Lambda function as well. It detects and blocks in real time and blocks the attack in real time. It is really convenient. Sometimes zero-day vulnerability is not possible in agentless scanning. When I say agentless scanning, we don't have a sensor on the device. But while we are putting the sensor, we have these kinds of visibility and it protects or helps us with zero-day attacks as well. That is really helpful for the organization.

On the ability side of Wiz regarding its ability to achieve zero criticals in its issue queues, there is no doubt. But it also depends upon the use case as well. We have a limited use case for the recent deployment, it is all about the deployment. But as a part of product maturity, we can leverage or we can explore more things.

While deploying any controls, there are a lot of prerequisites and readiness for that. We have to collaborate with different teams. It could be the network team, generally the network team, the cloud team, and the infrastructure team, where we have to explain the use case of that particular control, why we are putting it, and what is the requirement. Once we have a good understanding about the infrastructure and about the technologies, we generally deploy the solution phase-wise. In phase one, we just target one or two test environments where we can provide some ROI against those accounts and resources. Down the line, we are covering in phases, more accounts and resources. That is how the approach we are currently following, and generally every organization is doing the same thing.

Most of the customers prefer a hybrid environment, not limited to the on-prem or cloud. Everyone is using a hybrid environment nowadays. It could be Azure, AWS, and sometimes on-prem. But the capability that the solution is providing is very limited to the on-prem environment. They more focus on the cloud environment first and are limited to the endpoint protection if I talk about the runtime monitoring. The rest of the things cover the cloud environment only, the identity and the access part.

To get the full potential of Wiz, it is good and good for the cloud environment and the hybrid cloud environment. Some part of it is covering the on-prem as well.

I would rate this product a 9 out of 10 based on its comprehensive coverage and capabilities.

Hybrid Cloud

Amazon Web Services (AWS)

My experience with Wiz varies on a case-by-case basis because I don't work on it daily; I engage with it when we need to research something that isn't fully implemented in the organization. Some elements are implemented, but they were done on a POC basis. I have hands-on experience where I've explored the environment extensively, checked vulnerabilities, and shared different findings with team members. So while I've worked with all that, I wouldn't classify it as part of my everyday BAU work, but I've been introduced to it in the last one or two years, max.

We have multiple subscriptions linked to Wiz, and we monitor various aspects including cloud security posture management findings. Compliance is another area we've focused on, where we've created our own compliance framework within Wiz. One feature I particularly appreciate about Wiz is that, similar to other cloud-native security tools like Microsoft's Defender for Cloud, it allows you to define policies as code and deploy them through a version control system with a continuous deployment pipeline. This functionality is also present in Wiz, where their Terraform provider enables complete documentation on controlling aspects directly in the Wiz environment. The major things we've worked on include deploying policies based on CSPM findings detected in Wiz, setting up our own framework and rules within those categories, and we've also worked with inventory management, as Wiz provides an AI-driven inventory that gives visibility into all cloud deployments. Wiz also helps manage vulnerabilities in various environments, such as Kubernetes clusters or Azure container apps.

In different organizational contexts, whether product-based or service-based, the customization of dashboards is highly beneficial. For instance, if I'm a startup or a large company using Wiz for multiple applications, custom dashboards allow me to categorize data from various feeds. Dashboarding becomes effective after managing categorization; I can define a project and add relevant resources or subscriptions under that project. Moving forward in the dashboarding section, I can set up custom widgets to view high-severity CSPM findings or risks, thus visualizing data based on specific filters and categories.

One feature I appreciate about Wiz is the graph controls, which allow for the correlation of multiple findings. For example, if a virtual machine has a critical CVE and is exposed to the internet, this links multiple vulnerabilities such as initial access types. Wiz attempts to categorize these different types of findings, such as CWPP and CSPM, and offers customization through graph controls where we can create our own contextual risk assessments in the cloud environment. Additionally, Wiz allows you to deploy aspects in the tool similarly to the GitHub model, which I appreciate. Its UI is also very smooth and categorized, making it easy to navigate and search through resources efficiently. You can create custom reports and dashboards in your own way, which are some of the major aspects I value in Wiz.

There is definitely room for improvement with Wiz. Given the scope of CNAP technology, which covers the entire SDLC from deployment to monitoring and APIs, it would be beneficial to enhance data integration capabilities. Wiz could partner with leaders in the market, such as Checkmarx, for example; while it currently supports Checkmarx in preview, there still needs to be significant enhancement in contextually mapping risks from pre-deployment scans, such as SAS, SCA, and DAST scanning results. Including these results would elevate contextual risk assessments to a higher level.

Wiz does encounter some glitches similar to other tools in the market. I remember facing certain challenges, such as problems scanning encrypted disks or discrepancies in the findings from already remediated vulnerabilities not reflecting accurately in the tool. These issues are not indicative of an overarching systemic failure but are worth noting as areas that could be improved upon.

Currently, Wiz doesn't consolidate tools effectively. Though it is starting to move in that direction with Checkmarx integration in preview, it lacks the maturity to fully replace other mature open-source tools. Wiz does offer some capability in SCA via CLI, but it falls short compared to its market counterparts and would benefit from further development in tool consolidation and correlation.

I started using Wiz around two years ago.

During the POC, there were indeed a lot of alerts generated by Wiz. It's important to note that alerts vary in type; there are different classifications for vulnerability alerts, CSPM alerts, and contextual risk alerts. Each category has its own significance, meaning that while there may be a high volume of alerts, they can be beneficial and informative based on the context.

Wiz does encounter some glitches similar to other tools in the market. I remember facing certain challenges, such as problems scanning encrypted disks or discrepancies in the findings from already remediated vulnerabilities not reflecting accurately in the tool. These issues are not indicative of an overarching systemic failure but are worth noting as areas that could be improved upon.

I rate Wiz's scalability a perfect 10 out of 10. During our POC, we successfully linked many subscriptions and could manage them effectively without encountering any scalability issues.

I would rate the vendor's technical support as a nine out of ten. They respond swiftly and provide support when needed; for instance, when we experienced some initial trouble figuring out how to configure CCRs and validate results, the vendor was readily available to assist us over calls, clarifying both technical aspects and theoretical insights.

Positive

I didn't handle the initial installation of Wiz directly; that task fell to the operations team responsible for deploying security tools. However, from what I gather, integrating Wiz into the environment is not complex. It primarily requires the creation of a service account with sufficient permissions for Wiz to access necessary resources, making the overall integration process straightforward. Challenges might arise from organizational dynamics when persuading stakeholders, but technically, the setup doesn't appear to be cumbersome.

Many people participated in the POC phase with Wiz, involving different teams such as the operational team for deployment and others handling various security dimensions. Many teams contributed during the POC phase., focusing primarily on the security specialists without including end users.

I would have appreciated providing a more specific return on investment metric for Wiz, but since my experience with it is based on a POC without full implementation, I cannot precisely track its impact on time or resource savings. It hasn't been operationalized fully yet in our organization.

My understanding of Wiz's pricing suggests it's not cheap. While I may not have direct involvement in pricing discussions due to different teams managing purchasing decisions, feedback indicates that Wiz is among the most expensive tools available. Though there's likely room for adjustment in pricing, it should be noted that, compared to tools such as Microsoft Defender for Cloud, which scales according to subscriptions, Wiz's pricing can be significantly higher when supporting multiple products within larger organizations.

Wiz was implemented as a POC, and while there were many subscriptions linked, I can share examples of its usage. For instance, when Log4j vulnerabilities emerged several years ago, we managed to quickly create a report through the Wiz dashboard, enabling us to identify all workloads impacted by a critical CVE. With resource tagging for ownership, this helped us reach out to the relevant individuals responsible. Although Wiz offers an option for service integrations such as Jira for issue creation if implemented fully, our approach was manual report generation, where we exported findings and alerted personnel to maintain a zero-issues status.

I would rate this review a 9 out of 10 overall.

We are using Wiz for many deployments in terms of vulnerability and also our Microsoft tenants, two different Microsoft tenants. We use it to manage our projects.

Wiz's automated compliance checks are the reason for our use case. I am actually working on the GCCR audit, which is the reason I was looking at it. There are still some things I need clarity on in my own meeting this morning.

I might not be able to give substantial information as I do not use the most valuable features of Wiz day-to-day in full capacity. I can check managing each of my projects and check vulnerabilities across each of those projects across each of the tenants. It allows you to manage your inventories that you have in different subscriptions or different tenants on your technology. Then you can configure different kinds of policies that you use around each of those.

I have not used Wiz in full capacity, so I cannot provide detailed improvement suggestions. I just started fully going through each feature to have a basic, comprehensive understanding of the product itself.

I cannot recommend Wiz to others until I have a clear understanding of its full capacity and benefits. In my organization, we have Rapid7, which is a vulnerability management tool, we have Wiz, and we have Microsoft Defender. I need to understand the reason for that decision in the first place to be able to look at the benefit to my organization.

I started with Wiz some months ago.

I do not know how long it took for us to actually deploy Wiz, as I was not within the corporation when it was deployed.

So far, I would say Wiz is stable to the best of my knowledge.

My thoughts on the scalability of Wiz so far is that it is scalable for me and good for us.

On a scale of one to ten, I would rate the scalability of Wiz as nine.

I rate Wiz's customer service as ten out of ten.

Positive

I find the initial setup of Wiz straightforward in my opinion.

On a scale of one to ten, I would rate how easy it is to set up Wiz as nine, if ten is the easiest.

I do not know how many people it took to deploy Wiz. However, it is always the vendor and probably my director that was in the position which I was before.

I do not know if Wiz has impacted our operational costs related to cloud security or any kind of return on investment or operational impact that it has for us.

I do not really know the main differences between Wiz and other vulnerability management solutions such as Defender, but they perform similar functions.

When comparing Wiz to Defender, I think they do almost the same thing. The only difference is that Defender will give you RISK call. However, Wiz can give you a risk call against your investment because it is not a Microsoft solution.

I work in accounting with Wiz in a large enterprise business.

Wiz does not require a lot of maintenance on our side. It is just ease of use. Wiz maintains most of it.

I have not used Wiz's AI capabilities to enhance our security threat detection as I just started looking at it. I have not really done much with that so far.

Overall, I would rate Wiz as good. I get everything I want, just the same way it is for every other solution, so I am going to rate it nine out of ten.

I rate Wiz a nine out of ten instead of a ten until I use the solution based on use cases and exploitation of the product, and what it gives me. If I am able to do that in full capacity, then I will give it ten. This is just based on what I still see so far. Until I get to see the benefits and everything, then my rating might be different in two weeks' time. At this moment, this is how it is.

RISC call is what I mean by that, RISC (R I S K).

Microsoft Azure

I have used Wiz for security findings, which includes dashboards with the main purpose of Cloud Security Posture Management. Wiz scans all cloud accounts to detect misconfigurations, open ports, publicly exposed resources, and weak IAM permissions. I also utilize it for vulnerability management, such as VMs, containers, serverless functions, and any IAM risky visibilities. I use Wiz for all these things as I work on these areas most of the time. Essentially, it is a cloud risk tool that prioritizes the most critical issues, allowing me to address high-yield issues quickly with the help of Wiz's architecture.

Achieving zero critical issues in Wiz means eliminating all critical severity securities across the cloud platform, which is a significant goal for our cloud security teams. I utilize the Risk Graph to identify real critical issues, prioritizing the resolution of public exposures and patching high and critical CVEs. I track OS-level and package vulnerabilities that need fixing, and sometimes when our OS isn't updated, it flags the errors. My processes involve patching libraries, upgrading AMIs, and removing secrets found in workloads, such as rotating keys for public IPs or un-updated software and databases. It is critical to implement least privilege measures for IAM risks, ensuring admin access is minimized. Moreover, I encrypt all storage and use tags to separate non-production issues according to different environments such as dev, stage, or prod. Utilizing Wiz projects, I segment teams such as network, platform, application, or DevOps so that each team handles their assigned issues, boosting closure speed. I also automate workflows through Jira to create tickets for critical exposures or IAM risks. Thus, achieving zero criticals in Wiz reflects my commitment to eradicating public exposures, patching critical vulnerabilities, and addressing IAM risks, ensuring I adhere to cloud best practices.

I love this interface because it is very clean, neat, and easy to understand. It includes the CNAPP and CSPM security features and extensively uses detection for vulnerabilities and misconfigurations. Everything is present on the dashboard. My personal interest lies in agentless scanning, which I consider the most powerful feature. The unique capability I can highlight is Attack Path Analysis, which identifies the exact path an attacker can exploit by correlating network exposure and any misconfigurations. Additionally, the unified Risk Graph is a very strong feature that helps teams find the most critical issues. I appreciate the accurate prioritization, which saves a great deal of time. Overall, Wiz provides a full CNAPP platform, encompassing CSPM, vulnerability management, IaC scanning, and more. I really appreciate these elements, and the dashboard is also very good.

I do not identify many areas for improvement, but I believe dashboard customization is somewhat limited. While the dashboards are quite good, the variety of widget types is restricted; I cannot fully customize colors or create complex multi-level dashboards. There is also alert noise in larger environments that generates duplicate alerts for the same issues under different categories. Furthermore, remediation automation is limited; Wiz suggests fixes but lacks auto-remediation for many issues. Compared to Prisma, the auto-resolve options are fewer. Although I have heard about deeper container and K8s scanning capabilities, I do not have a clear understanding of what that entails. I perceive that real-time cluster events are also somewhat limited. Regarding the reports, I face limitations in fully customizing PDF reports.

I have been using Wiz for more than eight months.

The setup for Wiz is a one-time configuration, similar to setups in ServiceNow or Ultimatics. This one-time setup ensures proper cloud integration, assessing the type of cloud account, the API permissions in place, and avoiding mistakes during the initial configuration. It highlights any missing requirements, such as IAM roles or permissions, and shows failed connections to allow for quick fixes. Agentless scanning is feasible, so this setup ensures proper configurations are in place. Additionally, it aids the administration in understanding what has been completed versus what remains pending. In summary, it guides onboarding tools to configure cloud accounts, permissions, and integrations accurately and prevents security visibility gaps while reducing onboarding errors.

The deployment time is not measured in days, weeks, or months; rather, it typically takes between five to ten minutes at most. IAM configurations and similar setups may take about two to three minutes.

When comparing Wiz with other solutions on the market, I note that my initial experience was with Prisma Cloud. Wiz stands out for its strengths, particularly in agentless scanning and graph-based risk prioritization, in addition to its comprehensive CNAPP capabilities and multi-cloud coverage. However, I recognize that certain areas, such as runtime threat detection and response, might be handled better by other vendors; while Wiz excels in posture and risk analysis, its runtime protection may not be as advanced as specialized tools designed for workload protection. Other tools might offer better capabilities for behavioral or anomaly detection, as Wiz may not capture the most subtle runtime issues. For instance, scanning public and private buckets requires waiting for scheduled scans or conducting manual scans, which can take significant time to yield updated records. While other vendors might possess better flexibility, the overall effectiveness depends heavily on data size and volume. I observe that legacy security vendor solutions offer mature enterprise support, while newer CNAPP solutions such as Wiz move rapidly but face trade-offs in large regulated enterprises. Overall, Wiz receives high ratings for its innovation and speed, which are great qualities despite some areas requiring improvement. So, in summary, I consider Wiz one of the strongest CNAPP platforms due to its agentless scanning architecture, making it lighter to deploy than competitors such as Prisma Cloud or Lacework. Nonetheless, organizations needing deep runtime protection or specialized identity entitlement management might want to explore other platforms, but I can definitely recommend Wiz for various needs.

For the dashboard itself, it is a very simple and clear function. I generally go to the dashboards to create and add widgets for vulnerability by severity, public exposure, or misconfigurations. I also include widgets such as graphs or tables based on my requirements. I utilize saved views for custom data, which filters the exact information I have in the dashboard, for example, all AWS EC2 instances with critical CVEs or public-facing VMs with secret keys. Multiple sections include critical compliance and posture scores, and I apply filters at the dashboard level too. Essentially, I have almost everything available in terms of customization. I simply need to understand how to use Wiz dashboard in conjunction with my project requirements. Although Wiz is a relatively new tool and I have only worked on a portion of its capabilities, I can refer to the documentation to successfully carry out the needed customizations.

I find the pricing to be cost-effective, as Wiz includes features that many other vendors lack. It seems reasonable when compared to alternatives. Overall, pricing can vary significantly based on Wiz's licensing of workloads, which depends on the number of VMs, containers, and functions I deploy. However, I can request volume-based discounts for larger deployments, especially if managing numerous workloads. Hence, I classify Wiz as cost-effective.

I notice that redeployment is generally very easy compared to other CNAPP tools because it is agentless. The agentless architecture permits multiple operations without the need for redeployment. I only need to connect to the cloud, set up scans, and ensure workload visibility, making the entire process straightforward.

The results from using Wiz have been quite positive; it effectively reduces alert fatigue within my organization. It is clearly a time-efficient solution, which enhances operational efficiency.

I indeed consolidate tools when using Wiz, effectively streamlining processes to enhance focus on critical risks. I would rate this solution a nine out of ten.

I use Wiz to secure code to cloud posture. We are using Wiz and also positioning Wiz to my customers, especially to protect their code environment, runtime environment like DevOps environment, and other code-related vulnerabilities in an automated way. Automating security processes is particularly helpful. We also provide CSPM and CNAPP ability to the customers.

I have created custom dashboards with Wiz for code-to-cloud scenarios, different scenarios, and for our whole infrastructure which is monitored through Wiz.

Wiz is very helpful to achieve a zero critical scenario. Wherever possible, it gives good insights and there is an ability to automate with AI scenarios. Their powerful AI engines also recommend best solutions to apply to identified vulnerabilities and identified gaps related to coding scenarios especially. It also suggests the best way to patch vulnerabilities and other related issues. This is really helpful.

Wiz is very effective and very advanced compared to other solutions. It is helpful to use and user-friendly from the customer's view. It is easy to use, easy to handle, and easy to customize for our scenarios especially.

Pricing in comparison to other solutions is good, but a little bit of discounting and flexibility if Wiz can offer to customers would be helpful. Training, vouchers, and certifications would help position this solution in the market. If Wiz integrates their certifications free with their solution positioning in the market for customers especially, it would be helpful. In comparison to the Microsoft product, it is not as costly, but for other products in comparison to other available players, it is a little bit on the high side.

Wiz may try to ease the connector positions. When integrating multiple clouds like hybrid cloud with Wiz, these processes need to be more user-friendly because more scripting is required in this scenario. Without a coder or without a deep administrator managing things, it is not possible to integrate clouds with Wiz dashboards. Some easy steps are required so that users who are not highly technical can do these things.

I have been using Wiz in my career for approximately one year.

I have not observed stability issues in my scenario, and my customers also have not reported any major crises.

Wiz is very much scalable. It totally depends on the workloads which are working on cloud scenarios, either GCP or Azure or any cloud scenario. It totally depends on your workloads. In cloud scenarios, workloads are always scalable, so Wiz is also scalable and adopts these things easily. There is no challenge.

I have used Microsoft CNAPP and CSPM functionality very frequently, and also used Palo Alto Prisma CNAPP and CWP functionality. I can compare them with these two OEMs.

Wiz is OEM agnostic. It is able to integrate any cloud, either GCP, Azure, or AWS. Similarly, like Palo Alto, Wiz is OEM agnostic. Microsoft is more specific to Azure where it is easy to integrate with Azure and it is a native platform. For other platforms, there may be some complications, like AWS with other GCP and other suites like Oracle OCI cloud. However, Wiz is OEM agnostic, so it is helpful to integrate and manage hybrid cloud scenarios efficiently.

Pricing in comparison to other solutions is good, but a little bit of discounting and flexibility if Wiz can offer to customers would be helpful. Training, vouchers, and certifications would help position this solution in the market. If Wiz integrates their certifications free with their solution positioning in the market for customers especially, it would be helpful. In comparison to the Microsoft product, it is not as costly, but for other products in comparison to other available players, it is a little bit on the high side.

Maintenance is required from time to time, as patching is required. If there are any latest updates available, then we need to just patch those updates. Integrations need to be monitored to ensure there are no gaps in the integration part. If we monitor multiple hybrid clouds, we need to be there and monitor these things also.

We deployed Wiz, but not for our internal use. We are just demoing and practicing scenarios.

I would rate this review a 9 overall.

Hybrid Cloud

Other

As a customer, I use Wiz myself, but because I work for the Commonwealth Bank, it could be a partner with Wiz. I don't have insight into this tool as it is a very large organization and was already in place before I joined, with other people having set it up, so I don't have that background.

So far, I am scanning for vulnerabilities in packages and dependencies. I use Wiz Code a bit.

What I like most about Wiz is that it is similar to other tools. Wiz has integrated with industry standards, such as security protocols and policies like Open OWASP and several others, based on my security standards for scanning packages, finding vulnerabilities, and providing fix versions based on its search and information retrieval.

I think it is at a good price and gives analysis while working well with other testing or pen testing tools that other security teams use to scan software to ensure it aligns with security requirements. Wiz helps because other tools, based on what they detect, usually reflect those fixes or remediations in other tools as well. Wiz gives a very good insight into how secure your software and code are.

Wiz is quite good at consolidating the scanning results.

Wiz is agentless, which is a plus, but the runtime and real-time detection could be limited, as it is not its strength. I could not give details on how limited it is. Its price could be high compared to others, and I feel it is expensive.

I have been using Wiz for one and a half years.

I would give stability a nine because I did not see significant instability.

I feel scalability is good, and I can give it a nine. We have many pipelines running Wiz scanning, and I have not seen Wiz pending or taking too long, which is a good thing.

I rate support from Wiz an eight.

Regarding installation, I just joined and used it, which might not be my area to comment on whether it is easy or difficult.

I see possible ROI with Wiz, but as I mentioned, I am not at that level of use. I just researched Wiz prices, and I got a feeling about it.

I do not have in-depth knowledge to give a detailed pros and cons analysis of Wiz compared to products such as OWASP, SonarQube, or Snyk. However, when comparing Wiz to Dynatrace or Snyk, I see they focus on different areas. Dynatrace focuses on code quality scanning, and Snyk may have more focus on security. Wiz scans artifacts or dependency packages, which is a bit different from SonarQube, as SonarQube scans code. However, Wiz is able to scan code and also manage the artifactory, dependencies, and their versions. This is quite similar to JFrog X-ray scanning.

Wiz Code impacts the development workflow similar to SonarQube. Wiz Code can detect coding quality issues or coding conventions and those kinds of problems. Nowadays, we leverage AI tools for development. As a developer, I probably use AI for initial code, and in most cases, I just review and integrate, with the AI generating code programming. Wiz Code or SonarQube scans those codes and then gives a report. If we instruct the AI or do proper prompting, they usually give very good code that can pass the scanning.

AI security is definitely very important for our security strategy.

AI security posture management is important because if you use an AI tool, you need to protect your data. As a commercial company or even a government organization, you do not want to leak sensitive data such as PII or other organization-related data to the AI, especially in uncontrolled environments. When we use AI tools at the Commonwealth Bank itself, we are only allowed to use internal AI, which means it has many regulations in place, including guardrails, and the deployment environment looks at both input and output, ensuring that data does not go to the internet. This protects organization-level data and filters unnecessary inputs and outputs.

For Wiz Runtime Sensor, I am not quite familiar with it, but I know that this tool is meant to find dynamic analysis at runtime. I probably have little practice with another tool called OWASP ZAP.

I think the alert fatigue from Wiz is quite similar at the same level as the other scanning tools. If it detects any critical or high vulnerabilities, it alerts you. You can set up alerts based on your standards or rules to send alerts. With alerts based on findings, it allows you to set alerts on multiple domains such as vulnerabilities. For example, you might have critical CVEs on an EC2 instance and send an alert. It could also be scanning identity risks and possibly security exposures such as secrets exposure. Wiz covers a lot, including data exposure and attack paths. In alerting, it gives very clear information such as severity, affected resources, risks, and possibly an attack path description explaining how an attacker might use that vulnerability. Wiz includes such information based on severity, affected resources, attack paths, risk descriptions, and possibly remediation guidance.

If I summarize everything about Wiz, it deserves an eight in general.

Amazon Web Services (AWS)

I'm working with Jackson Vision, the track and trace provider, and we have been using Wiz for six years. We use Wiz as a portal similar to an ERP tool, managing customer inventory for security purposes and vulnerability management.

The best features of Wiz are its security capabilities, providing the best security for pharmaceutical products and industries, along with the required dashboard containing customer details and inventory management features.

The runtime sensor in Wiz helps identify threats effectively as it integrates with machines and operates on a hierarchy-based system with different rights for operators and supervisors.

The benefits of using Wiz are significant as we provide a solution based on 21 CFR standards for security and audit purposes, making it the best tool for these needs.

With Wiz, we achieve almost zero downtime and zero fault management in its issue queues.

Using Wiz saves us a significant amount of time and resources, with an almost thirty to forty percent return on investment.

Wiz has significantly reduced alert fatigue in our organization, addressing operator-level mistakes that used to be common in manual processes before we adopted automation.

Wiz has been the best tool for consolidating our solutions.

There is room for improvement in Wiz, particularly in operator management, as general operators may lack the necessary knowledge, requiring an easier-to-understand tool. We also need all tasks and dashboards to show completed activities and next steps along with SOPs for missed steps.

I'm working with Jackson Vision, the track and trace provider, and we have been using Wiz for six years.

I rate the stability of Wiz as almost eight out of ten, indicating good performance with limited downtime, bugs, or glitches.

Wiz is a very scalable product, as we operate in sixty-five countries and serve the pharmaceutical industry well, rating it eight out of ten for scalability.

I rate the technical support of Wiz as eight out of ten.

Positive

We are not currently comparing Wiz with other solutions as we have our research team looking for the best solutions available.

The deployment of Wiz is easy.

Deployment takes almost three to four hours, and our IT teams facilitate this process. We have around two hundred fifty to two hundred eighty customers who work with Wiz, and our team and IT teams are knowledgeable about it.

Using Wiz saves us a significant amount of time and resources, with an almost thirty to forty percent return on investment.

The pricing of Wiz is cost efficient.

I find Wiz to be better compared to other software, and we are currently progressing, rating it seven out of ten against any master product or company.

I have experience with Wiz and can provide a review. We are manufacturers of pharmaceutical machines and provide integrated solutions for track and trace, but we are not partners or resellers.

Wiz requires maintenance including patching and updates; if we encounter issues on-site, we update accordingly.

We purchased Wiz from the AWS marketplace, and many of our customers are utilizing the cloud-based solution we provide them, along with the portal that includes all necessary details for them.

We recommend Wiz to other users, such as Life Pharma in Dubai. I rate this product a nine out of ten.

Hybrid Cloud

Amazon Web Services (AWS)

Wiz serves as our enterprise tool for securing our cloud platform. We use AWS as our cloud platform and have Wiz integrated across multiple accounts for IT, engineering, and other departments. Within IT itself, we have different environments including development, production, and stage accounts. In every account, we have Wiz integrated and use policies based on the environment. For example, the dev environment has a less secure policy while production has a high-security policy. Technically, we use Wiz for securing our cloud platform.

The best feature of Wiz is the ability to detect any security violations across multi-cloud platforms and the ability to integrate for creating security incidents and vulnerability incidents. It works very well for scanning the environment, detecting vulnerabilities, and reporting them based on our requirements. It can generate reports via email or create ServiceNow incidents. It has helped me identify threats more easily. When it comes to the Kubernetes cluster, we do not have any other option for detecting vulnerabilities. This is the only way we observe our Kubernetes clusters to determine whether they are secured or not. Regarding speed, I cannot compare it with other solutions, but so far, we are happy with the way it works.

Wiz has improved our business in many ways. While I do not know in numbers how it has helped the business gain more profit, as a technical expert and part of our IT architect team, I would say Wiz has helped tremendously to secure our cloud platform. There were many security vulnerabilities existing before we implemented this solution that were not at all in our attention because there was nothing to scan and report what was wrong. After implementing Wiz, it has helped significantly. There was a program for implementing high-security measures in our environment, and Wiz has contributed substantially to that program.

I feel there is a delay in detection, though I am uncertain whether this is due to our implementation disadvantage. Wiz can detect all the issues, threats, and security vulnerabilities, but the delay may be due to the time taken for running a scan because we have a 24-hour scan cycle. When I checked with the team, there was no on-demand scanning possibility. We still see improvement scopes in this area. It does the work, but we are not seeing the changes very fast. Once you get a threat and fix it, to see that fix reflected in Wiz, you have to wait 24 hours. That is something I am not happy with.

One improvement that I am looking for in Wiz is the capability for on-demand scanning. That should be available. Second, we should be able to see the fixes faster. Once a threat is detected and we apply the fix, we want to see that result updated in the dashboard or portal as soon as possible. If Wiz can detect it faster and update it in the portal, that would be beneficial.

I have been using Wiz for more than two years, approximately two years and four months.

Regarding stability, it is stable. I would rate it nine out of ten.

Regarding scalability, I would also rate it nine out of ten.

I would rate the technical support of Wiz eight out of ten on a scale from one to ten, with ten being the best.

Positive

When comparing Wiz with other software, I did not use any other software similar to Wiz for the same purpose. A similar tool was Qualys, but we used Qualys for a different use case. We used it for vulnerability scanning of our servers, not end-user devices. For securing or detecting threats from cloud accounts, I do not have any other tool that I am aware of. Qualys is another vulnerability management tool, but the use cases are different, so I do not have the expertise to compare.

Deployment took approximately three months.

From one to ten, with one being cheap and ten being expensive, I would rate the implementation cost a seven.

Wiz does require some maintenance.

Wiz does require some maintenance.

My thoughts on the pricing of Wiz are that it is not cheap, but it is cost-efficient. From one to ten, with one being cheap and ten being expensive, I would rate it a seven.

I would recommend Wiz to anyone. If anyone wants to secure their infrastructure, cloud environment, or Kubernetes cluster, I would strongly recommend Wiz as a tool because it is easy to use and user-friendly. It has tight integration with many tools out-of-the-box for sending alerts, creating emails, and creating incidents.

My advice to others looking to implement Wiz is that when you implement Wiz, if your hybrid environment is not managed properly, it will be difficult to implement. It is better to make some cleanup and ensure that the environment you are going to implement meets Wiz standards. If you do not take care of that and simply implement Wiz, you will encounter many issues being reported by the system. It is better to follow the prerequisite standards of your cloud account and then implement the solution. Otherwise, you will see many issues being reported.

Regarding whether Wiz has helped reduce alert fatigue, I do not have a definitive answer because we do not see that much decrease in the alerts. Initially, when we implemented Wiz, since we were not using any tool like that before, there were too many alerts. Because it was the first implementation, it started sending too many alerts. Later on, the alerts decreased, but this decrease was not because of Wiz itself. Rather, it was because we implemented security fixes wherever Wiz reported threats or vulnerabilities. That is how the number of alerts got reduced. I feel we can also customize the Wiz policy to reduce the number of alerts, but I am not at that level here, so I do not have that expertise.

My overall rating for this solution is eight out of ten.