Wiz Defend is Here: Threat detection and response for cloud

Wiz Defend is Here: Threat detection and response born for the cloud

Empower SecOps teams to stop incidents before they become breaches

6 minutes read

Today, we’re excited to announce the public preview of Wiz Defend, the future of cloud detection and response (CDR). Defend marks the latest addition to our platform to help organizations secure their cloud at cloud speed.

With Wiz Cloud, we empowered cloud security and development teams to burn down their most critical risks fast. With Wiz Code, we enabled development and application security teams to rapidly build securely from the first line of code. Now, Wiz Defend brings SecOps teams into the cloud operating model and gives them context to make the right decisions faster. Security Analysts, Incident Responders, and Threat Hunters gain precise detections that remove noise, real-time protection and automations that resolve threats 10x faster, and improved resilience from addressing the root cause of contained incidents in code.

Wiz Defend has transformed our approach to cloud detection and response by providing accurate detections and the context we needed but never thought possible. The MITRE ATT&CK framework is my North Star, and with the Incident Readiness dashboard automatically mapping our telemetry to the framework, we can quickly identify gaps and focus our efforts on addressing them. Clear workflows and automation help us bridge the skills gap, empowering junior analysts to handle more complex investigations. With Wiz Defend, we’re no longer buried in alert noise—we have the clarity and confidence to respond quickly and effectively to threats.

Susanne Senoff, CISO - PROS

The cloud changes everything for SecOps

SecOps teams have one of the most challenging and stressful sets of jobs within any organization. Every decision carries serious repercussions, and the workload is never-ending. The cloud has only amplified these difficulties:

  • The attack surface has dramatically expanded, forcing teams to monitor for complex threats like lateral movement, container escape, and automated IAM attacks. In response, teams must collect and correlate telemetry across identity, data, network, compute, secrets, and PaaS layers of the cloud environment.

  • Traditional SecOps tools, like SIEM and EDR, were adapted from on-prem and ill-suited for the complexities and sheer volume of activity in the cloud. As a result, detection engineers are saddled with manually writing detection rules with the SANS Cloud Security Survey reporting that “57% of organizations... could not keep pace with the rapidly evolving [cloud] threat landscape.

  • Investigating cloud attacks requires expert domain knowledge in each cloud and architecture in use. And response requires persuading an application development team to take action. As a result, teams must invest in upskilling their personnel or outsourcing to third parties.

SecOps teams have done an incredible job building home grown detection and response processes at the cost of considerable toil. The Gem Security founders, which Wiz acquired in April 2024, lived this pain through decades of incident response and set out on a mission to reinvent threat detection in cloud with a SecOps-first solution. Defend is the result of rebuilding Gem on top of the Wiz Security Graph to enable SecOps teams of all sizes and maturities to effectively manage the full incident response cycle in cloud.

Context and automation for SecOps

Wiz Defend is a complete suite of detection, investigation, and response capabilities for SecOps to protect their cloud environments from threats.

  • Prepare to detect and investigate a breach: Continuously close visibility gaps by identifying missing telemetry, incomplete runtime coverage, and providing actionable recommendations, aligned to the MITRE ATT&CK framework.

  • Detect high-fidelity threats across the attack kill chain: Trigger precise cross-layer threat detections, powered by our Wiz Research Team, to reduce noise and wasted effort. Thousands of built-in detections combining the cloud control plane, data, network, identity, infrastructure SaaS, workload runtime via the eBPF-based Sensor , behavioral baselines provide wide coverage for the breadth of existing and emerging cloud threats.  

  • Investigate faster with context and AI: Significantly accelerate root cause analysis and reduce Mean Time To Respond (MTTR) with a simplified, unified, and visual storyline that lets you focus on investigation rather than data gathering and manual correlation. The AskAI copilot generates rich Incident Stories that explain the progression of an attack and potential impact in natural human language. It goes a step further to automatically answer the next investigation questions that a SecOps analyst would have, such as “How did the attacker gain access to this principal?” or “What else might the attacker have done in the environment?”

  • Respond and contain fast: Stop incidents before business impact by blocking threats at runtime or running one-click containment playbooks from threat issues. Use AI to generate remediation and response steps based on the course of action your IR team would like to take. Integrate with your SIEM or SOAR to streamline workflows for your SecOps team.

Defend in practice: a real-world example

So how does this really work? Let’s examine SeleniumGreed – a cloud-native attack, first documented in January 2024 by the Wiz research team. It exploits vulnerabilities in the Selenium application testing framework, estimated to be present in 30% of cloud environments, to achieve remote code execution.

Imagine an attacker targeting a Selenium service running in an AWS Kubernetes environment. The attacker would exploit the Selenium service to open a reverse shell and establish a foothold on the compromised host. From there, the attacker locates and exfiltrates AWS credentials from the host to move laterally to the control plane, finally exfiltrating data from a sensitive AWS S3 bucket.

Wiz Defend flags this threat at every phase of the attack lifecycle, enabling teams to contain the threat actor at each stage. The Wiz Sensor deployed on the node detects the reverse shell immediately and raises an alert to the security operations team. Running in blocking mode, the sensor would even kill the malicious process immediately and stop the attack. But if blocking was not enabled for reverse shell and the attack continued, Defend would detect each subsequent phase of the attack as well.

As the attacker shifts to the control plane, Wiz correlates the keys used in the exfiltration attempt to the compute node targeted in the original attack, and presents both detections in a single timeline and graph to the SecOps team, together with actionable recommendations for containment (kill the malicious process, rotate the compromised credentials, and remediate the misconfigured Selenium service.

Instead of requiring tedious manual querying in a SIEM and endless click-ops in the EDR, Wiz provides a seamless experience across the entire cloud environment. SecOps teams detect the threat in real-time and get the context they need to investigate and respond immediately – all in a single platform.

WIN-ing together with the SecOps ecosystem

The Wiz Integration Network (WIN) features 100+ integrations, enabling customers to embed Wiz bi-directionally into their existing security workflows. With the launch of Wiz Defend, we’re extending WIN to support SecOps teams, delivering Defend’s threat context directly into their workflows—democratizing data, providing cloud threat insights where SecOps teams work, and maximizing the value of existing tools.

WIN includes integrations with essential components of SecOps workflows, such as SIEM, SOAR, MDR, and Threat Detection & Intelligence tools. For the Defend launch, we’re proud to partner with leading vendors that empower SecOps teams: Cribl, Exabeam, Expel, Panther Labs, ReliaQuest, Tamnoon, Tines, and Torq.

Through these integrations, Wiz Defend delivers critical threat context directly into the tools SecOps teams rely on, streamlining detection, investigation, and remediation..

The future of cloud detection and response is here now

Wiz Defend offers an opportunity to replace toil and legacy tools with automation and context, so SecOps can act faster and focus on higher-value initiatives.

Wiz Defend has brought data across our event sources together to help investigate detections from start to finish. From our identity provider logs pinpointing the actor to Wiz's runtime events illustrating the individual process execution and network activity. From Wiz Defend, we have confidence in our detection and investigation capabilities with better insight to our cloud activity thanks to their new VPC log sources. The latter has given us the opportunity to move away from costly detection services, providing a clearer detection strategy and more control over our detection logic

Nate Stevens, Cloud Security Engineer - Matillion  

Effective cloud security requires a new operating model—one that promotes collaboration, builds shared context, and democratizes security. This model unlocks a security flywheel: CloudSec proactively reduces the attack surface, SecOps monitors for residual risk and responds to threats, and Devs fix the root cause in code. No more siloes, just holistic security that moves at the pace of cloud innovation.

Wiz Defend is the bridge between Developers, CloudSec, and SecOps—it breaks down organizational silos bringing together the teams required for effective cloud security. Defend is the latest example of consolidating an entire product segment into the Wiz platform. Wiz is offering a leading solution that addresses the challenges modern SecOps teams face in the cloud

Tyler Shields, Principal Analyst - Enterprise Strategy Group.

Join us in shaping the future of cloud security. We invite you to experience Wiz Defend, now in public preview. Sign up for a live demo today or join our upcoming webinar to see how Wiz Defend can transform your SecOps.

Continue reading

Get a personalized demo

Ready to see Wiz in action?

“Best User Experience I have ever seen, provides full visibility to cloud workloads.”
David EstlickCISO
“Wiz provides a single pane of glass to see what is going on in our cloud environments.”
Adam FletcherChief Security Officer
“We know that if Wiz identifies something as critical, it actually is.”
Greg PoniatowskiHead of Threat and Vulnerability Management