Today, we're excited to introduce the public preview of Wiz Incident Response, our new service offering to help organizations investigate, contain, and recover from cloud security incidents quickly and confidently.
At Wiz, our expert team sees firsthand how cloud attackers operate in modern environments, and has collectively spent thousands of hours analyzing those operations. That practical experience is what makes us effective partners when organizations need help responding to cloud incidents. Wiz Incident Response extends our product capabilities in the cloud detection and response space with powerful expertise. Our Wiz Defend and Runtime Sensor deliver complete visibility and threat detection capabilities to alert you when you're under attack, while our team of experts has your back in those critical moments.
Expertise in the moments that matter most
Responding to a cloud incident isn’t the same as responding to a traditional security breach. Cloud environments behave differently: infrastructure is often ephemeral, meaning critical forensic data can be lost in minutes if responders don’t know where to look. Access is managed through complex IAM configurations and tracked only in logs that aren’t always enabled by default. Attackers often use different techniques to evade detection, “living off the cloud” to exfiltrate data without deploying malware, and they move fast, taking advantage of every minute of delay to move further across your environment.
That’s where Wiz IR experts come in. They have hands-on experience with the realities of cloud investigations, and are well equipped to handle cloud-native incident scoping, forensics, containment and remediation to get your team back on track fast. They’re also experts in Wiz Defend, our real-time threat detection and response engine, and the Wiz Runtime Sensor. With full integration with the entire Wiz platform, our team can surface and prioritize what matters fast and guide response with clarity.
Wiz IR experts, enabled with the right data and tools, help stop incidents quickly and keep impact low, while supporting you every step of the way as a trusted partner.
What you can expect
Our incident response team is here to support your organization in the moments that matter, whether you use Wiz or not. The team is available to help anyone experiencing a true positive incident, or requiring cloud-specific expertise to contain a threat. That includes:
Incident intake and scoping: From the first suspicious signal, Wiz helps you quickly separate noise from true incidents and guide early investigation. Using context from your environment, we map the blast radius and prioritize your next steps.
Forensic investigation: Our team identifies the scope of impact and timeline of activities using the cloud-to-runtime context and in-depth forensic tooling available in your Wiz environment.
Containment and remediation: As the incident evolves, we help stop the compromise in its tracks. We recommend containment and remediation steps to eradicate the threat and strengthen defenses for the future.
Ongoing incident monitoring: While the incident is ongoing, we stay by your side, proactively identifying new malicious activity related to the incident and ensuring nothing slips through.
Incident management: We don’t just keep teams aligned; we act as strategic partners. Throughout the process, you’ll get clear guidance and regular updates so leadership stays informed and your team can manage business risk to move forward with confidence.
Wiz IR in Action
On August 26, 2025, multiple malicious versions of the widely used Nx build system package were published to the npm registry as part of the s1ngularity supply chain attack. These versions contained a post-installation malware script designed to harvest sensitive developer assets, including cryptocurrency wallets, GitHub and npm tokens, SSH keys, and more. The malware leveraged AI command-line tools to aid in its reconnaissance efforts, and then exfiltrated the stolen data to publicly accessible attacker-created repositories within victims’ GitHub accounts.
The Wiz team tracked the attack closely. We identified attacker-created repositories, analyzed leaked data, and worked to notify victims throughout the different stages of the campaign. Our direct outreach reached more than 50 major organizations. Since GitHub removed the attacker-created repositories shortly after publication, many impacted teams had little visibility into what was exposed or how far the compromise reached.
For organizations that engaged the Wiz IR team, we partnered directly with their security and engineering teams to:
Understand the full scope of the compromise, including leaked credentials and secrets.
Operationalize Wiz Defend by setting up new connectors and onboarding additional log sources tied to the exposed data.
Build a timeline of unauthorized activity conducted by the threat actor in the teams’ GitHub and cloud environments.
Hunt for unauthorized use of leaked credentials and secrets.
Provide containment guidance to stop ongoing malicious activity.
Develop remediation steps to reduce future risk.
By working side by side, these customers were able to contain the incident quickly and avoid impact from the second wave of the attack discovered a few days later, in which the attacker used previously compromised GitHub tokens to turn private repositories public.
Experiencing an Incident?
Wiz Incident Response is now available to any organization facing a potential cloud incident.
Reach out through the Wiz console or through the Wiz website for assistance.