Wiz Reviews

We are a Wiz user and partner, so we have an environment using Wiz, and our use case is to provide risk analysis. We have dashboards to understand the main risks and categorize them, and we use these to get the baseline and reports. We personalize some reports.

The best features of Wiz are the AI, risk analysis, the framework, and the compliance frameworks, so we can check if our frameworks comply with CCPA or similar regulations, and the toxic combination. We can identify active threats more effectively with granularity in databases, operational systems, and access keys, so the granularity of the Wiz view is the key for this kind of risk analysis.

We can provide an inventory, which is crucial when managing large cloud databases or environments such as AWS, Azure, or Google environments, where it's difficult to have one view for all cloud components. Wiz can accomplish this and easily provide the total inventory in the cloud.

Wiz has helped us analyze critical issues, and it can provide guidance on how to mitigate these issues to resolve them, offering step-by-step instructions.

An area that Wiz can still continue to improve is FinOps.

I have been using Wiz for almost one and a half years.

My experience with Wiz's support has been satisfactory.

We analyzed other options before choosing Wiz. For example, we looked at Orca, which lacks functionality such as toxic combination or resolving issues easily. Wiz can provide a better way to resolve critical issues, while Orca can show the issues but not truly resolve them.

We use Wiz in the cloud with AWS and GCP. We use both AWS and GCP almost equally. The time frame to achieve zero criticals in our issue queues depends on the environment. While we don't achieve zero criticals, some problems can be solved in two or three weeks while others may occur. It's optimal to work toward zero critical issues, but it depends on the installation or the cloud dynamics.

Some customers achieve zero critical issues, and Wiz has a program that rewards this achievement with a puzzle. Wiz offers pricing for both huge and small environments, and customers can purchase it from the Google Marketplace. In my opinion, Wiz has a competitive price.

I rate Wiz between 9 and 10 out of 10.

I use Wiz for both my own company and other companies to detect and investigate vulnerabilities and any type of alerts that pop up. 

I am really enjoying the new Threat Detection that they have set up; it is pretty nice. I appreciate the way that it lays out the data.

For some of my customers, I create custom dashboards, charts, or counters, and they're actually really helpful. It's quite easy. They have extensive technical documentation that guides you through the process. Additionally, there are short videos available in each section that demonstrate how to do things.

Wiz has helped my organization achieve zero criticals in its issue queues after a month. 

It would be better if, when you get an alert type, you are able to view the regex or alert logic without having to dig through all the different options; it is difficult to find where the alert logic is because you have to go to the investigations and then actually find and search for the individual alert. If they just showed the alert logic, that would be really nice. 

Also, if there was an easier way for threats to convert those into issues rather than having to set up a custom rule to pull those in as issues, it would be great.

I have been using Wiz for just under a year.

I have not seen any sort of instability with Wiz; I was curious how their SRE team works because I have not seen a single downtime.

Wiz scales really efficiently; I have worked with some huge companies that have multiple clouds and thousands of workflows, and it all seems to work.

We have account executive people that we talk to for help with Wiz. We talk to them sometimes when new features come out or when we see weird things for the first time. They provide help with writing either new regex alert queries or just helping us figure out how to do something with using the product. They are very helpful and very responsive, and if they cannot get you the answer, then they will find someone to help you; it has been as quick as a turnaround time of one business day, which is really good.

Positive

I have used CrowdStrike, Prisma, and I think that Wiz is the best out of all of them. Wiz is good at conveying the information for the active threats. The way that it shows you is easier to understand as a human. It is about the same quality of detection, but the presentation is better.

It's really easy. It's very user-friendly, and it's very intuitive.

My team had Wiz set up already when I joined, but I have gone through the whole setup process myself; they let me reset it up. I found that to be pretty simple. It only took about an hour and a half to install Wiz because we do not have a super big system.

Once you set up Wiz, it is good to go. As a security engineer, you need to maintain the alerts and keep that stuff moving. Once we have the system in place, I have not noticed it disconnect any of our accounts. It seems once you set it, it is good to go.

One person can deploy Wiz; they just have to have the right access.

I don't know how much we pay, but I do know that Wiz charges a lot. However, they're offering a good product, so it might be fair. I haven't seen the exact numbers.

I would rate Wiz a 10 out of 10. I really like it.

I use the solution for test and demo environments, and then we deploy the platform's last version for our customers. We use the advanced license type, so we have all the features in the platform.

The tool is used for security assessment and maintaining our customers' correct security posture. We have different types of customers, so there are different types of use cases. But in general, the main need is for the maintenance of cloud security posture.

The tool's most valuable feature is its attack path analysis. The feature of the tool for inspecting running containers and the new feature of intelligent artificial intelligence security posture is good. With the attack path analysis, I can see the perfect path of a possible attack, I can see the exposure of different types of resources, and I can stop the attack with the remediation or suggestion of the platform. Regarding the container runtime security, I can see how the container runs and what type of action the container takes during execution. I can take some action to modify the running of the container. For the artificial intelligence security posture, I can see the misconfiguration problem with the security permission that customers give to the platform, like Bedrock or OpenAI, and so on. We can help the customer resolve this problem of data security exposure and so on. All such features are effective in identifying vulnerabilities. The platform allows users to collect information without the need for an install agent. So it's totally agentless, and it is a great feature. I don't need to install an agent, so onboarding the platform is very easy and very speedy.

The tool keeps improving on a weekly basis. Wiz enters into a lot of partnerships with other technologies. I don't have any idea about the improvements needed in the tool at the moment.

For me, Wiz is a very complete product, but it is not the perfect one. Other technologies are better for our customers' specific use cases. A possible way to grow the tool is by introducing new functionality or features.

In the future, the tool can introduce an on-prem infrastructure or platform. Not having an on-prem version can be an obstacle for customers who have a large workload in an on-prem environment.

The onboarding can be done in five minutes or five to ten minutes. Then, there is the configuration, and it depends on the type of the use case of the customer. There is a customer that has simple use cases for whom the onboarding can be done in four to eight hours a day. If there are some customers with a lot of use cases and a lot of different cloud providers, more time is needed. In general, we don't need more than five days to deploy the tool, even in the case of a very complex architecture and hybrid cloud environment.

To deploy the tool, we need to have access to the account of the customer, and Wiz is a stuff that we need to make with the customer. We do the onboarding together. The customer creates the correct authorization in the cloud platform and gives us the key to connect to the platform, and then the platform connector starts and begins to collect information.

I have been using Wiz since 2023. My company is a service integrator and a partner of Wiz. I use the solution's latest version.

It is a stable solution. Stability-wise, I rate the solution an eight to nine out of ten.

Scalability-wise, I rate the solution a ten out of ten.

I don't know the exact number of users because every customer can create a user autonomously on the platform. So, I don't have availability at the moment for the total number of users. We have five customers at the moment, and we have done a lot of PoC during the last two years. I suppose that we will have around 22 different customers. If you need a number, a minimum of 60 users use the tool.

My customers are medium and large enterprises.

The solution's technical support was excellent. We have had excellent communication and availability for any of our needs or questions. They answer quickly, and we have had a great experience with the technical support. I rate the technical support a nine out of ten.

Positive

If one is difficult and ten is easy to set up, I rate the product's initial setup phase a nine out of ten.

The solution is deployed on the cloud. In the future, the tool can introduce an on-prem infrastructure or on-prem platform, but at the moment, it is only cloud.

If one is cheap and ten is expensive, I rate the tool's price as a five out of ten. The pricing depends on the customer and the dimension of the environment, whether the customer is strategic or not. I suppose that it is available at a middle price. In some cases, it has a very aggressive price, so very cheap, in order it's expensive. In particular, if the workload is poor, they can't make grid cells, so the price is high, and it is not in terms of real value but in terms of the budget of the customer.

The tool can be used for all customers who don't have a security structure or security team inside because the platform is very easy to use. It is a very useful tool for developer teams that can use the platform without having security knowledge, and the platform helps the developer of code applications. The tool adapts to a use case in which there is a SOC team because of the rich data that the SOC can correlate and manage.

I recommend the tool to companies that use cloud products. Wiz can be integrated with other customer platforms because it enriches information and makes inaction very valuable in terms of security.

I rate the tool as an eight out of ten.

My main use case for Wiz is that it identifies misconfigurations within the cloud services and misconfiguration within the Kubernetes platform. We also detect vulnerabilities within the runtime from the containers. Once we have those findings in place, we run a cron job within the GitLab pipeline wherein it pulls all vulnerabilities and misconfigurations and then creates tickets to the respective teams through Jira or through ServiceNow. Everything is totally automated. A Python function has been created which pulls all the vulnerabilities, performs data enrichment to identify the ownership, and then assigns the SLA and the SLA breach timeline, based on which it is then posted to the respective groups.

The best features Wiz offers in my experience are the collective findings that you get to see for each resource, which is called something as issues. It combines all findings, whether it is exposed to the internet, whether it has misconfigurations, whether there is encryption in place, or whether there is an IAM issue in place. You get to see all findings for a particular resource in one view, which Prisma or some other tool was not offering at this moment. Wiz is also offering ASPM at a service management level, KSPM, and AI security.

Wiz has positively impacted my organization because with the consequence model, as and when the consequence model triggers, every team goes ahead and mitigates the findings to ensure that it is not escalated to the CEO level. The automation is helping us to drive our platform to be more secure.

I choose eight out of ten because there is always room for improvement. Possibly I am not able to identify it, but definitely there would be some room for improvement. Nothing is perfect in terms of security.

We are in the process of getting to zero-day vulnerabilities.

I have been using Wiz for the past two years, enabling CSPM and CWP mainly, but as of now we have also started with KSPM, which is Kubernetes security posture management and data security posture management as well in my current company.

Wiz is stable in my experience.

Wiz's scalability is good as of now because the attributes we need in terms of identifying vulnerabilities is pretty good compared to Prisma.

Customer support is good. They are really helpful, but it is only the management who gets to interact with the sales team.

Positive

We did evaluate CrowdStrike, Tenable One, and Prisma Cortex.

We create dashboards with the automation, so all the findings being pulled from Wiz are enriched first, and then we store all those findings with the SLA metrics into a Grafana dashboard.

I have seen a return on investment with Wiz, specifically in that we need fewer employees.

I would advise others looking into using Wiz to definitely compare it with all the other tools that are in the market. Wiz is one of the finest tools that I have used so far, and it gives visibility to all the services based resources, which other tools do not give. It also helps to create custom policies based on Rego, which is one of the easiest solutions that anyone can develop. I give this product a rating of eight out of ten and would definitely recommend Wiz.

We are a Wiz user and partner. We have an environment using Wiz, and our use case is to provide risk analysis.

We have dashboards to understand and categorize the main risks. These dashboards help us generate baseline reports, and we have personalized some of these reports.

It can provide an inventory. When you have a large cloud database or environment, Wiz can provide you easily with the total inventory that you have in the cloud. 

Wiz has helped my organization by allowing us to analyze the critical issues and providing the best way to mitigate these issues with step-by-step guidance. We don't achieve zero criticals. This often depends on the environment, as solving some problems can lead to two or three others arising. Therefore, navigating through the critical issues is essential, but it relies on the specific installation you have or the dynamics of your cloud setup. Some customers have successfully reached a state of zero critical issues, and we have a program designed to support this. If they are interested in achieving this goal, we can provide them with materials or insights to help them.

Wiz's best features are the AI risk analysis and the compliance frameworks. We can check if frameworks are compliant, such as CCPA, and the toxic combination.

The Wiz runtime sensor identifies active threats more effectively by allowing us to run the analysis with granularity in databases, in operational systems, and some access keys. The granularity of the Wiz view is the key for this kind of risk analysis.

FinOps is an area where Wiz needs enhancement.

I have been using Wiz for almost one and a half years.

I had experience with Wiz's support, and I would rate it a nine out of ten.

Positive

Wiz can accommodate both huge and small environments. You can purchase Wiz from Google Marketplace, for example. Wiz seems to have a competitive price.

We evaluated other options such as Orca before choosing Wiz. We analyzed Orca because it lacks certain functions, such as toxic combination or resolving issues easily. Wiz performs better at providing the best way to resolve critical issues, while Orca can only show the issues without resolving them.

I would rate Wiz a nine out of ten.

We use Wiz to monitor cloud security across Azure, Oracle OCI, and Google GCP cloud environments. With Wiz implementation we aim to eliminate the security team from security findings communication and triage and allow development, cloud and infrastructure teams direct access to security configuration findings - saving time for everyone involved.

The client has around over 2000 workloads in Azure, and more than 200 in Oracle OCI, as well as small cloud presence in Google GCP.

For the initial deployment, we aim to enable good visibility across all cloud platforms (width), as well as across different levels of visibility (depth) by employing CSPM, CIEM, DSPM, EASM, CDR and other capabilities offered by Wiz. 

Going forward, we plan to implement cloud forensics feature, as well as integrate it into our CI/CD pipelines and code repositories for preventative capabilities.

The integration is still in its early stages, and I will continue to update this report as we move forward. That being said, everything has been excellent so far!

Wiz helped to detect multiple virtual machines in Azure and Oracle OCI cloud environments that had problems, including crypto-miners and malware. Furthermore, Google GCP usage in the company was discovered by Wiz, which the other two CNAPP tools we've tested have missed. 

We also discovered credentials stored on the disk of a virtual machine in the test/dev environment, which could potentially provide access to parts of other cloud environments if compromised (allow lateral movement).

We can confidently say that we now see the full picture of risk across our cloud environments, including internet-exposed, vulnerable (unpatched) and misconfigured cloud assets, as well as sensitive data stored in those cloud assets.

We're currently going through the process of user onboarding to enable time savings for security team and streamline the time to take action to remediate the findings.

The time savings and the many moments of "if I was building a CNAPP, this is how I would do it" were where Wiz had already implemented what I wished for. Wiz also saves time by validating a network misconfiguration by not only looking at the cloud asset configuration but also by testing if a port that is stated to be open is actually open.

The Wiz product team recognises that the world doesn't revolve around Cyber Security teams. This is evident in their emphasis on providing clear and simple remediation advice and offering explanations of the alerts, making it easy for non-security team members to understand what’s happening and why. This was one of the key criteria why Wiz has been selected over the competitors.

My favourite is the EASM/External Exposure view and overall package - full risk visibility. It allows us to prioritize, and I mean truly prioritize, what should be addressed first. We can now see cloud workloads exposed to the internet in case of critical vulnerabilities, and if these workloads hold or can access sensitive data, we can act fast and patch these workloads first, and therefore reduce our overall risk exposure time.

Another favourite feature is the ability to give feedback and quickly raise a support case, as well as the comment option for each finding in Wiz web portal. It enables simple, yet effective collaboration between security, cloud, infrastructure and development teams.

While over the past few years Wiz has improved a lot (and I mean A LOT!), there are some areas that are still lacking.

One of them is runtime security. Coverage of serverless workloads could be improved, though knowing some of the constraints on the cloud provider's side, I do understand this may be challenging. The good news is that I see these gaps being addressed in Wiz' roadmap.

The other point that didn't improve that much is built-in reports. These still have room for improvement, especially the executive summary reports. However, this is compensated by the excellent Dashboards available in Wiz web portal.

I have been using this solution since June 2024. 

With two main cloud platforms fully onboarded, the integration project is still ongoing.

The solution is very stable. We observed a case where some of the newly introduced built-in policies caused minor discrepancies in the alert count, but the Wiz support team promptly resolved the issue.

So far, so good! No issues were observed in scalability.

Support is excellent. We had 10 to 15 TAC cases open; most are addressed, and few that remain open have updates and a clear path towards resolution.

Positive

Previously, I used Check Point's CloudGuard (while it was still called Dome9), Prisma Cloud by Palo Alto Networks, and Microsoft's Defender for Cloud (since 2020, when it was still called Azure Security Center). I have also tested Orca Security CNAPP solution in a PoC setting for about a month.

The setup is straightforward. There were no issues with either cloud connector that I used (Azure, OCI and Kubernetes).

I am a consultant working on this integration - HLD, LLD, integration itself, policy review/triage of findings, and user training/onboarding. The support team has been great! From sales to customer success - it has been a smooth ride. 

The main ROI will be the time savings from not needing to write a basic remediation advisory for the dev team and then send/track it using email.

The sizing script provided by Wiz is fairly accurate. The support team will help you accurately identify the licensing needs. We've done it, and it is spot-on.

We evaluated two other CNAPP solutions.

So far, I really like the solution and the team supporting our integration.

While it's quite early for a full review, we already have the key parts functionality deployed, and I will be updating this review once the integration is finalized next year (code security for CI/CD, cloud incident response and forensics, and automation of preventative capabilities remains on our to-do list).

Disclaimer: I received a typical customer "swag" package (jumper, backpack, thermal cup) from Wiz, but I can confidently say it had no influence on the content of my review of the CNAPP solution.

My use cases for Wiz mostly revolve around cloud security posture management, compliance, internal opex reporting, and shift-left security tooling, centered around compliance and cloud security shift-left.

What I appreciate most about Wiz is that the compliance and CSPM aspects of this cloud-native application protection offering are genuinely better than other products available in the market. Having worked on Prisma, Orca, and Qualys as well, when I compare Wiz with everything else, it definitely has an edge. The graph queries and graph explorer in Wiz are exceptionally well done by their team, giving me a complete view of resources, how they relate to other resources in the account or in other accounts, and how they pose an external threat or risk.

I have created boards in Wiz for internal projects and teams depending on what product line it is, and I have tried creating custom dashboards. My experience with creating custom dashboards is that it is neither easy nor difficult; it is somewhere in between. Obviously, it is not the same as Power BI or any other visualization tool, so I understand it will not be at that level, but it gets the job done. I get a high-level overview of trends of the findings or non-compliant items, and it accomplishes what I need. I also do not expect it to be at that level because that is not what it is built for.

I really cannot think of anything that Wiz can improve, because the use cases I deal with have almost all features that cater to them, so I really do not have anything in mind right now.

One thing Wiz can do better is regarding support for the open-source fork of Terraform called OpenTofu. Many organizations are moving from Terraform to OpenTofu to save costs in licensing, but their documentation does not officially state that they are supporting OpenTofu, so that would be beneficial to have. Since it is just a copy of Terraform, it should not be a difficult addition, but that would be a valuable feature.

I have been using Wiz in my career for close to one and a half years.

I have seen some lagging or downtime a couple of times, but I am not sure why it happened. It was just a couple of times, and it did not impact what I was doing.

Wiz is very scalable.

I have contacted Wiz's technical support. The quality and speed of the support are very good; most of the time, I do get the answers I am looking for, and if not, the team works internally. If there is no feature, they raise a feature request for us, so it has been very good. On a scale from 1 to 10, I would give Wiz's support a 10.

Positive

The initial deployment of Wiz is very easy for me. The first time I deployed Wiz, it took me approximately 10 to 20 minutes, depending on the availability of the other team. When they are available, I usually get it done within 10 or 15 minutes, or even less than that when we have all the prerequisites ready.

Wiz does require some maintenance on my end, but it is minimal. The maintenance involves configuring connectors for Wiz, and it does require a few permissions for Wiz to scan the cloud accounts and other resources. That is the only maintenance needed, such as adding or updating the role in Wiz if other permissions or services introduced by the cloud provider are not covered.

I have used some alternatives and similar solutions to Wiz. I remember the names of those alternatives; one is Palo Alto's Prisma Cloud, and the other was Qualys' tool, which was kind of a makeshift tool, not a full-fledged CSPM, but they called it CSPM. When I compare Wiz to those tools, I prefer Wiz a lot more because it is definitely a couple of notches above all those tools. They have done much better with their UI, which is very organized, whereas Prisma is mostly a lot of acquisitions and a lot of tools stitched together and offered as a SaaS solution. Not saying it is bad, but Wiz does it better than what they have been doing.

I personally have not worked on Wiz Runtime Sensor, so I cannot really comment on whether it has helped identify active threats more effectively compared to any other solutions that I have used. We have plans, but not yet. I would rate this review overall as a 9.

Wiz is an agentless cloud assets vulnerability scanner. You don't need to install anything to use any of the machines. It takes snapshots and then scans it. It is interesting because all other scanners need to install some agent.

This solution is designed to be agentless. This approach saves bandwidth and other resources. Nobody needs to report anything or send packages to the backend. Everything operates as a SaaS solution. They perform snapshots and alerting, converting the data into metadata, which they then analyze and return. Thus, the SaaS solution handles the entire process without requiring additional effort from us.

Wiz is a very powerful and easy-to-use tool. It's highly customizable, allowing us to manage many custom features effectively.

You need to enter numbers manually. Now, everyone has to press to proceed. Wiz still requires managing all the numbers on the web page. Wiz could enhance API integration with ServiceNow and Jira. 

I have been using Wiz for six months.

The initial setup is straightforward and takes two to three weeks to complete.

Wiz is quite expensive. However, having a comprehensive view of your cloud environment is essential. On-premises systems are much easier to track, but managing numerous instances in the cloud requires enhanced visibility.

We are paying 250k per year.

For our business case, we needed Wiz to meet regulatory requirements and quickly identify public exposure vulnerabilities, such as publicly accessible instances or resources. This information immediately helps prevent vulnerabilities within your business environment, providing a cybersecurity advantage. While this doesn't translate to direct financial benefits, it helps prevent potential breaches and escalations, which is invaluable. Like other security tools, Wiz incurs a cost, but its value lies in enhanced security rather than financial gain.

Wiz's scanning and detection capabilities can identify vulnerabilities potentially affecting the cloud or exposure. It's not solely focused on database issues. It performs various tasks effectively. The categorization is excellent, the dashboards are informative, and the reporting features are robust. Additionally, you can create highly customizable reports.

Everything works using a CI/CD pipeline, which is very good because every DevOps engineer can manage it by simply creating some code around the message request. Wiz works fine and is fully compliant with CI/CD. The workflow and the tasks align with industry standards.

We can configure any compliance framework for checking with Wiz. For example, you can select frameworks such as GDPR, AWS Fundamentals, and CI/CD. You can configure the tool based on the recommendations provided by these frameworks. If your company has specific requirements, like allowing an 8-character password while the state requires 12 characters, you can customize the settings accordingly. Wiz will then assess compliance based on these customized parameters, and if everything meets the set criteria, it will confirm that you are compliant.

You have everything in one dashboard. The dashboard and reports are quite literally perfect. Since everything is in one dashboard, you can customize the reports to show only the columns you want to see. For example, you can exclude low-risk items so you don't get notifications about low-risk issues that do not impact your compliance status.

Wiz has some AI features for consolidation, but it's not customizable. What VMware offers is similar, but there's not much to choose between. You either have a batch compliance agreement, or you don't. Wiz's framework complies with requirements, or it doesn't. It's a vulnerability management tool similar to Kangaroo but with better AI documentation features. You can ask questions about how to do something, and the AI will provide the relevant information. This feature is built into the system.

Overall, I rate the solution a ten out of ten.