The anatomy of a Toxic Combination of Risk

How to uncover potential threats and eliminate critical risks in your cloud environment.


In cloud security, the key to proactively managing your attack surface is understanding how different risk factors combine to create attack paths that would lead to significant business impact. In this blog, we’ll explore how cloud security solutions can uncover these "toxic combinations" of risk and why certain tools are better equipped to do so. You’ll learn how to use advanced tools like Security Graphs and agentless solutions to uncover hidden risks and ensure a secure cloud environment for your business. 

What is a toxic combination of risk?  

In any cloud environment, risk factors like network exposure, unprotected data, and excessive permissions can exist separately. When these elements combine, they form what’s known as a “toxic combination.”  


Toxic combinations represent scenarios where multiple risks come together to form a critical severity issue that poses a very real threat to security.  


Here’s an example to illustrate what a toxic risk combination might look like. Say you have a database that holds sensitive customer information. That might seem manageable on its own. But what if it’s accessible from a virtual machine that is publicly exposed to the internet and has a critical network vulnerability with a known exploit? Then it presents a serious security issue. 


Toxic combinations don’t typically emerge from one single weak spot; they are the result of interconnected factors that enable an attacker to move laterally from an initial point of compromise to an organization’s crown jewels. The good news: if you have a way to easily identify and address these combinations, your security team can use that information to focus their efforts on the most urgent risks and avoid wasting precious resources on minor risks that have minimal impact on security posture.

So now the question is, what’s the best way to find these combinations?  

The power of the Security Graph 

Many traditional security tools only spot isolated risks – that is, they’ll pinpoint a standalone vulnerability or misconfiguration without putting it in the context of a broader picture, leading to a flood of alerts that is difficult to prioritize.  

A Security Graph makes the complex simple by surfacing the relationships between cloud components as first-class citizens. It’s not just a visualization layer, but the database, the normalizing data model, and the analysis layer. The graph often reveals complex relationships between resources, shining a spotlight on combinations that might otherwise go unnoticed. With these insights, any team can quickly prioritize validated attack paths and know that they are taking the most secure action for their cloud environment.

The Wiz Security Graph visualizes your cloud stack to identify the risks in each layer and deliver actionable insights. 

Due to the interconnected nature of cloud environments, relationships are crucial.  

How does this risk connect to others, and what does it mean for my organization?  

Here's another example of where a graph would be pivotal: If a bucket with sensitive data is being used to train an AI model and there are misconfigurations that expose the model and allow write access to the bucket, a Security Graph will highlight this as an area that needs attention. In this case, an attacker could both exfiltrate the sensitive data as well as poison the model by flooding the bucket with manufactured data. 
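As an added illustration (not code from this post or from Wiz’s product), here is a toy graph walk over constructed resources and edges that reports only the two combinations described above, an exposed exploitable VM that can reach a sensitive database and a misconfigured endpoint with write access to a training bucket, while leaving isolated risks unreported:

```python
"""Toy Security-Graph walk that flags toxic combinations: attack paths joining a
resource with a high likelihood of compromise to a resource whose compromise has
significant business impact. All resources and edges are constructed sample data,
not output from any real scanner."""
from collections import deque

# resource -> risk factors a scanner observed on it (constructed)
NODES = {
    "web-vm": {"internet_exposed", "critical_cve_known_exploit"},
    "customer-db": {"sensitive_data"},
    "model-endpoint": {"internet_exposed", "misconfigured_auth"},
    "train-bucket": {"sensitive_data"},
    "batch-vm": set(),           # patched and private: not a plausible entry point
    "audit-db": {"sensitive_data"},
}
# directed edges (source, relation, target): source can act on target (constructed)
EDGES = [
    ("web-vm", "network_access", "customer-db"),
    ("model-endpoint", "write_access", "train-bucket"),
    ("batch-vm", "network_access", "audit-db"),
]
EXPLOITABLE = {"critical_cve_known_exploit", "misconfigured_auth"}


def likely_compromised(node: str) -> bool:
    """Likelihood half of the definition: reachable from the internet AND exploitable."""
    factors = NODES[node]
    return "internet_exposed" in factors and bool(factors & EXPLOITABLE)


def find_toxic_combinations() -> list:
    """Breadth-first walk from every likely-compromised entry point; report each
    sensitive-data resource it can reach, with the impact implied by the edge.
    Isolated risks (an exposed host with nothing sensitive behind it, a sensitive
    DB reachable only from a hardened host) are deliberately not reported."""
    findings = []
    for entry in filter(likely_compromised, NODES):
        queue, seen = deque([(entry, [entry], None)]), {entry}
        while queue:
            node, path, relation = queue.popleft()
            if "sensitive_data" in NODES[node]:
                impact = ["exfiltration"]
                if relation == "write_access":
                    impact.append("data_poisoning")  # attacker can alter training data
                findings.append({"entry": entry, "path": path, "impact": impact})
            for src, rel, dst in EDGES:
                if src == node and dst not in seen:
                    seen.add(dst)
                    queue.append((dst, path + [dst], rel))
    return findings


if __name__ == "__main__":
    for f in find_toxic_combinations():
        print(f"CRITICAL: {' -> '.join(f['path'])} ({', '.join(f['impact'])})")
```

The `batch-vm -> audit-db` edge shows the point of the approach: the database holds sensitive data, but without a likely-compromised entry point it is an isolated risk, not a critical issue.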

The agentless approach to identifying toxic combinations 

The ability to detect and understand toxic combinations of risk depends not only on visibility but also on the efficiency of the scanning process.  

Agentless cloud security solutions create a significant advantage here. (This is something Wiz has long championed; see here for more.) Unlike traditional agent-based systems, which require software to be installed on every resource, agentless tools scan the entire cloud infrastructure without affecting performance. They offer greater coverage of unmanaged or ephemeral resources that can often go unnoticed. With agentless scanning, there’s no need to worry about deployment or blind spots, because the solution provides full visibility across all assets.  

Whether it’s virtual machines, containers, or serverless environments, agentless security solutions ensure that organizations have complete visibility, without bothering your developers. And now with 70% of cloud environments already innovating with AI services, agentless solutions ensure full-stack visibility seamlessly extends to the AI applications being built in your cloud. 

The path to Zero Criticals   

At Wiz, we call these toxic combinations of risks a critical Wiz Issue. They are defined as having:

1. A resource with a very high likelihood of being compromised, and
2. A significant business impact if compromised.

For a typical customer, this could mean filtering down from tens of thousands of vulnerabilities down to tens of critical attack paths to focus on. This ruthless prioritization based on context is necessary to align teams to programmatically burn these issues down.  


Once a customer has eliminated all critical risks in their environment, we welcome them to the “Zero Criticals” club. This is a significant milestone that we love to celebrate, because it’s the culmination of proactive security posture management that also democratizes remediation to the infrastructure owners. It’s also a prime example of the tangible outcomes that security teams can drive with Wiz’s agentless solution and Security Graph: by homing in on the most urgent risks, they significantly reduce their attack surface, ensuring that cloud infrastructure remains secure and resilient. We’re especially proud that over 40% of our customers are now in the Zero Criticals club!

Conclusion 

Whoever said “the only constant is change” might as well have been talking about cloud security.  

Few industries evolve as rapidly, and seismic forces like cloud-native and AI have only accelerated that rate of change. For security teams to make the most of existing resources in the face of so much transformation, they must gain comprehensive visibility and be proactive in uncovering toxic combinations. Technology can certainly help – particularly agentless and graph-based solutions, as explained previously – but the crux of the solution hinges on having better processes, clear priorities, and empowering the people who are ultimately responsible for driving the business forward and safeguarding cloud infrastructure against risk. 
