How do we get started with Wiz onboarding using cloud API connections, and how long until we see full inventory and prioritized risks?

Quick Answer: You connect Wiz to your cloud accounts via read-only cloud API connections, not heavy agents. Most teams see a complete cloud inventory and first wave of prioritized risks within 30–60 minutes of initial onboarding, with larger multi-cloud estates typically mapped within a few hours.

The Quick Overview

• What It Is: An agentless, cloud API–driven onboarding flow that connects your AWS, Azure, GCP, and other environments to the Wiz Security Graph, giving you full inventory and contextual, prioritized risks fast.
• Who It Is For: Security, cloud, and platform teams that need to replace fragmented tools and manual spreadsheets with a single, context-rich view of cloud and AI environments.
• Core Problem Solved: Traditional tools require agents, per-service configs, and weeks of tuning before you see value. Wiz uses cloud API connections and a unified security graph so you get an accurate inventory and prioritized, exploitable risks in hours—not months.

How It Works

Onboarding with Wiz centers on secure cloud API connections. You grant Wiz least-privilege access to your cloud control planes; Wiz then automatically discovers resources, pulls configuration and identity data, and builds your environment inside the Wiz Security Graph. That graph connects code, cloud resources, identities, network paths, data, and runtime telemetry so you don’t just see “issues”—you see real attack paths and exactly who should fix them.

From there, Wiz continuously updates your inventory and risk landscape without agents to deploy or maintain.

1. Attack Surface Scanning:
   Wiz uses cloud APIs to map every account, subscription, project, and external-facing asset. It identifies what’s actually reachable from the internet and where new risk can enter.
2. Deep Internal Analysis:
   Wiz ingests metadata about configurations, vulnerabilities, IAM permissions, secrets, data locations, and network relationships, then correlates them in the Wiz Security Graph to model lateral movement, privilege escalation, and data access chains.
3. FIX AT SCALE IN CODE / DETECT AND BLOCK:
   Using graph context, Wiz prioritizes truly exploitable risks and routes them to the right owners. Wiz Green can open PRs with code and IaC fixes; Wiz Red models attack paths; Wiz Blue validates and investigates real threats with runtime and log data.

Most organizations see:

• Initial inventory and high-level risk view: within 30–60 minutes of making the first cloud API connection.
• Broad multi-account inventory and prioritized risks: often within a few hours, even in large, multi-cloud estates.

Features & Benefits Breakdown

Core Feature	What It Does	Primary Benefit
Agentless Cloud API Onboarding	Connects to AWS, Azure, GCP, on‑prem, SaaS, and AI environments via cloud APIs with least-privilege roles.	Fast, low-friction deployment with visibility in minutes, not weeks of agent rollout.
Wiz Security Graph	Correlates resources, configurations, vulnerabilities, identities, network paths, data, secrets, and external exposure signals.	Converts raw findings into real attack paths so you can prioritize by exploitable risk, not just CVSS.
Automated Risk Prioritization & Ownership Mapping	Ranks issues by internet exposure, identity paths, blast radius, and exploitability; maps them to the right teams, repos, and services.	Turns onboarding data into actionable queues engineering can own, eliminating spreadsheet-driven triage.

Ideal Use Cases

• Best for multi-cloud onboarding after tool sprawl: Because Wiz can connect to multiple clouds agentlessly and consolidate 10+ fragmented tools into a single security graph, you get a unified, prioritized risk picture quickly.
• Best for rapid response to “Log4J-style” events: Because Wiz immediately maps where vulnerable components live, how they’re reachable, which identities can access them, and what data is at risk—so you can hunt and remediate in hours instead of sifting through static reports.

Step-by-Step: Getting Started with Wiz via Cloud API Connections

1. Prepare Your Environment and Access

Before you create connections, align the stakeholders:

• Security / Cloud team: Drives the Wiz rollout and defines what “success in week 1” looks like (e.g., “surface all internet-exposed critical vulns and misconfigs across production accounts”).
• Cloud platform / SRE: Owns IAM, policies, and often account structures; they’ll create the roles and service principals Wiz needs.
• Engineering leads: Helpful early to align on ownership mapping and how you’ll route issues (Jira, ServiceNow, etc.).

Decide where to start:

• A representative subset of accounts (e.g., prod + one critical shared services account) for a quick proof point, or
• Broad read-only discovery across all accounts/subscriptions/projects to immediately see the full blast radius.

2. Create Cloud API Connections (Agentless)

The exact clicks vary by provider, but the pattern is consistent: Wiz gives you a least-privilege template; you create a role/service principal; you paste or accept IDs; and the connection comes online.

At a high level:

• AWS:

  • Use CloudFormation or Terraform templates provided by Wiz to create an IAM role with a trust relationship to Wiz.
  • Assign read-only permissions for EC2, EKS, RDS, IAM, S3, and other core services, plus required APIs for inventory, configuration, and logs.
  • Copy the role ARN into Wiz to finalize the connection.

• Azure:

  • Register Wiz as an application (service principal) in Azure AD.
  • Assign Reader (and where needed, Security Reader) roles at the subscription or management group level.
  • Provide subscription IDs and directory details to Wiz.

• GCP:

  • Create a service account and grant it Viewer and Security Reviewer–style permissions at the organization/folder/project level.
  • Download the key or configure workload identity, then link it to Wiz.

You can repeat this for additional accounts, subscriptions, and projects. Because the architecture is primarily agentless and API-driven, there’s no waiting on host-level agents to roll out before you see results.

3. Let Wiz Run Attack Surface Scanning

Once the cloud API connections are live:

• Wiz immediately starts attack surface scanning:
  • Enumerates all connected accounts, regions, subscriptions, and projects.
  • Identifies externally reachable assets and calculates effective internet exposure, not just “has a public IP.”
  • Discovers resources across compute, containers, serverless, databases, storage, and PaaS services.

Time to value: In my experience, within the first 30–60 minutes you’ll already see:

• A populated inventory for connected environments.
• Initial findings for misconfigurations and exposure (e.g., public storage buckets with sensitive data, overly permissive security groups).

4. Enable Deep Internal Analysis

As Wiz continues scanning, it enriches the inventory:

• Pulling configurations and security controls (encryption, network rules, security groups, NSGs, etc.).
• Discovering vulnerabilities in workloads and images (using agentless techniques where possible).
• Mapping identity permissions (IAM roles, service principals, groups) and where they can move.
• Locating data and secrets (databases, storage accounts, secret managers).
• Correlating all of it into the Wiz Security Graph.

That graph lets Wiz answer questions like:

• “This vulnerable VM is actually:
  • Internet-exposed,
  • Running in a production VPC,
  • Reachable from a compromised identity,
  • With access to a sensitive database.”

This is where prioritization starts to differentiate from traditional CSPM:

• It’s not “show me all critical CVEs.”
• It’s “show me the small set of critical, exploitable paths where an attacker can actually get in and move laterally to data.”

Time to value: Within a few hours of the first connection, you’ll typically see:

• A rich inventory across clouds (accounts, services, workloads, data).
• Risk views that combine exposure, identity, and vulnerabilities—not just raw counts.

5. Turn Findings into Action with Ownership Mapping

Fast onboarding is pointless if it ends in a spreadsheet no one wants to own. This is where the operating model matters:

• Configure ownership mapping:

  • Map cloud tags, account names, or resource groups to teams, repos, and services.
  • Sync with your identity provider, CMDB, or internal ownership registry if you have one.

• Integrate with ticketing/dev workflows:

  • Connect Wiz to Jira, ServiceNow, or similar.
  • Set rules like “internet-exposed critical vulns in production” → auto-create tickets for the owning team.

• Enable self-remediation:

  • Engineers see findings in the context of their own services, not a generic global queue.
  • Because findings are backed by the Wiz Security Graph, they come with indisputable evidence of exploitability and blast radius, not just a severity label.

This is where the Wiz Green agent can start to shine:

• Automatically generates PRs for code and IaC fixes when possible.
• Sends those PRs to the right repos and owners, turning “you have a risk” into “here is the exact fix already written.”

6. Close the Loop with Runtime Validation

As you mature beyond initial onboarding:

• Deploy the Wiz eBPF Runtime Sensor where you need runtime visibility and protection.
• Integrate cloud and SaaS logs to give Wiz Blue a complete picture of what’s actually happening.

Now the operating model looks like this:

1. From Exposure: Discovered via cloud APIs and attack surface scanning.
2. To Code Fix: Routed to owners, with PRs from Wiz Green where possible.
3. To Runtime Validation: Verified and protected via Wiz Blue and runtime telemetry.

This is where you move from “we have a list of findings” to “we have a closed loop from detection to code-level fix and runtime confirmation.”

How Long Until You See Full Inventory and Prioritized Risks?

The exact timeline depends on the size and complexity of your estate, but the common pattern across large enterprises (including those with 200+ accounts) is:

• Within 30–60 minutes of connecting your first cloud:

  • Initial inventory for that environment.
  • Early high-impact misconfigurations and internet-exposed resources.

• Within a few hours of broad cloud API onboarding:

  • Comprehensive multi-cloud inventory (accounts, subscriptions, projects, core services).
  • Contextual risk views that combine exposure, identities, and vulnerabilities.
  • Ability to slice by environment (prod vs. non-prod), business unit, or critical app.

• Within the first week:

  • Ownership mapping and ticketing workflows live.
  • Engineering teams receiving actionable, scoped queues instead of a 3,500-row spreadsheet.
  • Initial remediation cycles underway, with measurable reduction in exploitable blast radius.

This is consistent with stories like:

• Deploying Wiz to ~200 accounts within hours and discovering orders of magnitude more exposure than legacy tools showed.
• Achieving 0 criticals in targeted environments after aligning on exploitability-based SLAs.

Limitations & Considerations

• Cloud API permissions scope:
  If you grant Wiz only a narrow set of permissions or restrict it to a limited subset of accounts, your inventory and attack path modeling will be incomplete.
  Workaround: Start with at least read-only access across your primary production and shared-services environments so the Security Graph can see real lateral movement paths.

• Ownership data quality:
  Wiz can infer a lot, but if your tags, account naming, or CMDB are inconsistent, initial ownership mapping may be noisy.
  Workaround: Use onboarding as a forcing function to standardize tags and align on a clear ownership model; iterate quickly on mapping rules before you turn on auto-ticketing at scale.

Pricing & Plans

Wiz is sold as an enterprise cloud security platform (CNAPP), typically licensed based on the size of your environment and the modules you use (e.g., attack surface management, CNAPP, runtime/XDR).

Common patterns:

• Core CNAPP / Cloud Security Graph:
  Designed for organizations that want agentless cloud API onboarding, full inventory, and contextual, prioritized risks across multi-cloud. Ideal if you’re consolidating multiple point tools and want to operationalize “exposure to code fix” workflows.

• Full Platform with Security Agents (Green/Red/Blue) and Runtime:
  Best for teams that need the complete code-to-cloud-to-runtime model: PR-based remediation (Wiz Green), automated attack path discovery (Wiz Red), and threat detection and investigation with runtime sensors and log ingestion (Wiz Blue).

For detailed pricing, volume tiers, and plan specifics, you’ll need to speak directly with Wiz, since contracts are tailored to environment size and modules in scope.

• Foundational Cloud Graph Plan: Best for security and platform teams needing fast, agentless onboarding, complete inventory, and high-fidelity, contextual risk prioritization.
• Advanced Code-to-Runtime Plan: Best for organizations needing to automate remediation via PRs, validate threats with runtime data, and run a unified SecOps program across cloud and SaaS.

Frequently Asked Questions

How many clouds and accounts should we connect in the first phase?

Short Answer: Start with enough scope to see real attack paths—usually your primary production accounts and key shared services—then expand quickly.

Details:
If you only connect one non-critical dev account, you’ll get a nice demo, but not the real risk picture. I recommend:

• Phase 1 (Day 1–2): Onboard core production accounts/subscriptions/projects plus shared services (identity, networking, logging).
• Phase 2 (Week 1): Expand to the rest of production and high-value dev/test environments.
• Phase 3 (Weeks 2–4): Bring in remaining accounts and SaaS/AI environments so the Security Graph can model organization-wide blast radius and lateral movement.

This phased, but fast, approach keeps change manageable while still letting the Wiz Security Graph “see” realistic paths an attacker could take.

Do we need to deploy agents before we see prioritized risks?

Short Answer: No. You’ll see full inventory and contextual, prioritized risks from cloud API onboarding alone; runtime agents are an optional enhancement.

Details:
Wiz is primarily agentless and cloud API–driven:

• Inventory, misconfigurations, identity analysis, and many vulnerability and data exposure insights come straight from your cloud APIs and metadata.
• The Wiz Security Graph can model attack paths—initial access, lateral movement, privilege escalation, and data access chains—without first deploying host agents.

You add eBPF runtime sensors later where you want live process and network telemetry, as well as the ability to detect and block exploitation attempts in progress. That’s additive; it’s not a precondition for getting value from onboarding.

Summary

Getting started with Wiz via cloud API connections is intentionally fast and low-friction: you create least-privilege roles/service principals, connect your accounts to Wiz, and within 30–60 minutes you’re looking at a live inventory and real, exploitable risks. The Wiz Security Graph connects code, cloud, identities, network, data, and runtime so you’re not just counting issues—you’re understanding attack paths, blast radius, and ownership. From there, ownership mapping and automation (PRs, tickets, runtime validation) turn onboarding from “new dashboard” into a new operating model for cloud security.

Next Step

Get Started