TTechclick ⚡ XP 0% All lessons
Wiz · Cloud Security · Agentless ScanningInteractive · L1 / L2 / L3

Wiz Agentless Scanning — Snapshots, Coverage & the Runtime Edge

Wiz reads your cloud workloads — VMs, containers, serverless — without ever running code inside them. It takes a snapshot, analyses it in an isolated ephemeral environment, and tears it down. This lesson maps exactly how that snapshot loop works, what it can and cannot catch, and when you should add the lightweight eBPF Wiz Sensor for real-time runtime coverage.

📅 2026-06-20 · ⏱ 16 min · 4 infographics · live block demo · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

Master Wiz agentless scanning in 2026: how snapshot-based scanning covers VMs, containers and serverless without agents, coverage vs runtime trade-offs, and when to add the lightweight Wiz Sensor.

🎯 By the end you will be able to

Read as:

Pick where you want to start

1

What agentless is

No code inside your workload — snapshots and APIs.

 2

Snapshot lifecycle

Trigger, copy, mount, analyse, wipe.

 3

Coverage & gaps

What agentless catches vs misses at runtime.

 4

Adding the Wiz Sensor

eBPF runtime depth for critical workloads.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. Does Wiz agentless scanning install any software inside your VM?

Answered in What agentless is.

2. How often does a default Wiz agentless scan cycle run?

Answered in Coverage & gaps.

3. What does the Wiz Sensor add that pure agentless cannot?

Answered in Adding the Wiz Sensor.

Most engineers think…

Most people assume that 'no agent' means 'shallow scan'. They picture agentless tools reading only surface-level cloud configs, missing packages, secrets and CVEs buried inside a running VM's filesystem.

Wiz flips that assumption. Because agentless scanning mounts a full disk snapshot of your workload in an isolated environment it controls, it can inspect the entire OS layer — installed packages, file system secrets, kernel config, running-process inventory from /proc — as thoroughly as if it had root on the machine. The real trade-off is not depth but time: snapshots are periodic, so a brand-new vulnerability or an active in-memory attack won't appear until the next scan cycle. That's the gap the lightweight Wiz Sensor fills.

① What agentless scanning actually means — no code in your workload

Wiz connects to your cloud accounts (AWS, Azure, GCP, OCI and Alibaba Cloud) via read-only API credentials you provide. It discovers every resource — VMs, container images, serverless functions, storage, databases, networking, identities — and pulls metadata and configuration without ever deploying code into your environment. That single step alone covers posture management, identity entitlements, IaC drift and public exposure.

For workload internals — the packages, secrets and CVEs inside a VM's filesystem — Wiz goes one level deeper via snapshot-based scanning. It uses the cloud provider's own snapshot API to capture a point-in-time copy of the volume, analyses it externally, and deletes it. Your workload never knows the scan happened — there is no agent process, no network tap, no CPU or memory impact on the live instance.

The payoff is 100 % asset coverage from day one: no agent deployment project, no lifecycle management, no version drift across 10 000 nodes. You authenticate, and Wiz starts building a full inventory and risk picture across all connected cloud accounts within hours.

Figure 1 — Wiz agentless scan loop — connect, discover, scan, graph, alert
Every Wiz cloud account connection triggers the same five-step agentless loop against cloud provider APIs and snapshots.Wiz agentless scan loop — connect, discover, scan, graph, alertConnectread-only API credsDiscoverall resources &configsSnapshot scanVM / image / functionSecurity Graphcorrelate all findingsAlert & fixrisk prioritised
Every Wiz cloud account connection triggers the same five-step agentless loop against cloud provider APIs and snapshots.
Quick check · Q1 of 10 · Understand

How does Wiz agentless scanning access the internals of a VM without installing an agent?

Correct: c. Wiz uses the cloud provider's native snapshot API (EBS CreateSnapshot, Azure managed-disk snapshot, GCP persistent-disk snapshot) to capture a point-in-time disk copy, mounts it read-only in an ephemeral scanner in the same region, and wipes it after. No code runs inside the live workload.
👉 So far: Wiz agentless = cloud API credentials + disk snapshots + no agent; 100% asset coverage from day one, zero footprint in your workloads.

② The snapshot lifecycle — trigger, copy, mount, analyse, wipe

The five-step loop is what makes agentless scanning both deep and safe. Trigger: Wiz calls the cloud provider's native snapshot API (e.g. AWS CreateSnapshot for EBS volumes, Azure managed-disk snapshots, GCP persistent-disk snapshots) to capture a consistent, point-in-time copy of the workload volume. Copy: the snapshot is transferred to an ephemeral scanner Wiz spins up inside the same cloud region — no cross-region data movement, no data leaving your cloud jurisdiction.

Mount: the ephemeral runner mounts the snapshot read-only and the analysis engine inspects the OS layer: installed packages and versions, file-system secrets (API keys, credentials, certificates in common paths), kernel configuration, network port inventory from /proc/net, and running-process inventory. Analyse: findings are correlated against vulnerability databases (CVE feeds), secret patterns, and CIS benchmarks; the results are sent to the Wiz Security Graph. Wipe: the snapshot and the ephemeral scanner are cryptographically wiped and destroyed after analysis — typically within 4–15 minutes of creation.

Container images and serverless functions follow a lighter path: Wiz pulls the image or function package via API, analyses the layers or zip for packages and secrets, and discards the local copy. No snapshot is needed because containers are immutable image artefacts.

Figure 2 — Snapshot lifecycle — trigger to wipe
The ephemeral snapshot is created, analysed and destroyed in the same cloud region — your workload never runs scanning code.Snapshot lifecycle — trigger to wipeTriggercloud snapshot APICopysame-region scannerMountread-only analysisAnalysepkgs, CVEs, secretsWipecryptographic delete
The ephemeral snapshot is created, analysed and destroyed in the same cloud region — your workload never runs scanning code.
📸
Snapshot scan
tap to flip

Wiz calls the cloud provider's own snapshot API, mounts the volume copy read-only in an isolated ephemeral scanner in the same region, then cryptographically wipes it after analysis — the live workload is never touched.

🔍
What it finds on disk
tap to flip

OS packages and CVE matches, file-system secrets (API keys, tokens, certs in common paths), kernel configuration, network port inventory and process inventory from /proc — all without an agent.

⏱️
The 24-hour gap
tap to flip

Agentless scans run roughly every 24 hours. A zero-day dropped at 09:00 may not surface until the next cycle. In-memory or fileless attacks leave no disk artefact to find at all.

Wiz Sensor (eBPF)
tap to flip

A lightweight eBPF-based agent for critical workloads that streams real-time process executions, network connections and syscall anomalies into the same Security Graph — no kernel-module loading, minimal overhead.

Name the five stages of the snapshot lifecycle

In an interview or exam, recite: Trigger (cloud snapshot API) → Copy (same-region ephemeral scanner) → Mount (read-only) → Analyse (packages, CVEs, secrets, /proc) → Wipe (cryptographic delete). This shows you understand both how Wiz achieves depth without an agent and why data stays in-jurisdiction.

▶ Watch a VM vulnerability get found — without touching the running instance

Step through how Wiz finds a critical CVE inside a live EC2 instance using a snapshot. Press Play for the clean path, then Break it to see the failure mode.

① API callWiz calls AWS CreateSnapshot on the EC2 instance's root EBS volume — the running VM continues serving traffic and is never interrupted.
② Ephemeral copyThe snapshot is copied to an isolated, ephemeral scanner Wiz spins up inside the same AWS region; no data leaves the region.
③ Mount & scanThe scanner mounts the snapshot read-only and analyses installed packages against CVE feeds, scanning for secrets in file-system paths.
④ Graph & alertA critical OpenSSL CVE is found. The finding is written to the Security Graph, correlated with public exposure and identity context, and surfaced as a prioritised alert.
Press Play to step through the clean snapshot scan. Then press Break it to see what goes wrong.
Quick check · Q2 of 10 · Remember

Why does Wiz copy the snapshot to a scanner in the same cloud region?

Correct: b. Keeping the ephemeral scanner in the same region avoids cross-region egress charges and ensures that sensitive workload data does not leave its cloud jurisdiction — important for data-residency compliance.
👉 So far: Snapshot lifecycle: Trigger (cloud API) → Copy (same-region scanner) → Mount (read-only) → Analyse (CVEs, secrets, /proc) → Wipe (cryptographic delete) — typically 4–15 minutes end-to-end.

③ Coverage and gaps — what agentless catches and what it misses

Agentless scanning gives broad, deep, low-friction coverage for the majority of cloud risk categories: OS and package vulnerabilities, secrets exposed in the filesystem, misconfigurations, identity over-permissions, public exposure, IaC drift and cloud-service posture. Because Wiz reads the full disk, it is not limited to what a running agent could observe — it sees files the agent process might not have permission to read.

The genuine gap is time and runtime fidelity. The default scan cycle is roughly 24 hours, so a zero-day exploit that drops a malicious binary at 09:00 may not surface until the next snapshot cycle at 09:00 the following day. More critically, in-memory or fileless attacks leave no disk artefact for a snapshot to capture at all. Runtime events — a process spawning a shell, a lateral-movement connection, a cryptominer starting up — only exist while the process is running.

The interview line: agentless gives breadth and depth on disk; it cannot see real-time runtime behaviour. For most cloud environments the 24-hour window is an acceptable risk. For regulated workloads — payment processing, healthcare data, financial trading — real-time detection is mandatory, which is where the Wiz Sensor steps in.

Figure 3 — Agentless scanning vs runtime agent (Wiz Sensor)
Agentless gives breadth across all workloads; the Sensor adds real-time depth on critical ones. Both feed the same Security Graph.Agentless scanning vs runtime agent (Wiz Sensor)Agentless (default)100% asset coverage, day oneDeep disk: CVEs, secrets, packagesNo install, no lifecycle overheadScan cycle ~24 hours — notCannot detect in-memory attacksWiz Sensor (eBPF)Real-time process & networkDetects fileless and in-memoryLightweight eBPF, no kernel moduleSelective deployment on criticalEnriches Security Graph with
Agentless gives breadth across all workloads; the Sensor adds real-time depth on critical ones. Both feed the same Security Graph.
'Agentless = shallow scan' is the wrong mental model

Agentless snapshot scanning reads the full OS disk layer — packages, file-system secrets, /proc inventory — as thoroughly as a privileged agent. The gap is not depth; it is time (periodic, not real-time) and runtime visibility (in-memory attacks leave no disk artefact). Don't conflate 'no agent' with 'limited coverage.'

Quick check · Q3 of 10 · Analyze

A cryptominer is running entirely in memory on a cloud VM and writing nothing to disk. Will the next Wiz agentless snapshot scan detect it?

Correct: c. Agentless snapshot scanning reads the disk volume. A process running purely in memory with no files written to disk leaves nothing for the scanner to find. This is the core gap that the Wiz Sensor (eBPF runtime detection) fills.
👉 So far: Agentless gap: scan cycle is roughly 24 hours, and in-memory/fileless attacks leave no disk artefact — this is the real trade-off, not scan depth.

④ The Wiz Sensor — lightweight eBPF runtime depth

The Wiz Sensor is a lightweight, eBPF-based agent that Wiz deploys on specific workloads to add real-time runtime protection. It is purpose-built for cloud: minimal CPU and memory overhead, no kernel-module loading, and a kernel-safe architecture that does not risk crashing the host. The Sensor feeds a continuous stream of runtime events — process executions, network connections, file writes, syscall anomalies — into the same Wiz Security Graph that agentless populates.

What this unlocks

With agentless data plus Sensor data in the same graph, Wiz can correlate a known CVE (found by snapshot) with an active exploit attempt (detected by the Sensor at runtime) and surface a toxic combination: 'this vulnerable package is currently being exploited on this node, by this identity, connecting to this external IP.' That context is impossible from either source alone.

The recommended model is hybrid: deploy agentless scanning across 100 % of your cloud estate for full-breadth posture, vulnerability and secrets coverage, then add the Wiz Sensor selectively on your highest-risk workloads — production databases, payment services, regulated data processors — where sub-second runtime detection is a compliance or SLA requirement. You get universal coverage without a fleet-wide agent deployment project.

Figure 4 — One Security Graph — agentless + Sensor inputs
Agentless snapshots and Sensor runtime events all feed the same Wiz Security Graph so risk is correlated, not siloed.One Security Graph — agentless + Sensor inputsSecurity Graphrisk correlationVM snapshotsContainer imagesServerless pkgsCloud configsSensor eventsIdentity data
Agentless snapshots and Sensor runtime events all feed the same Wiz Security Graph so risk is correlated, not siloed.

Priya at a Pune fintech startup faces this

Wiz flags a critical CVE in an OpenSSL version on a production EC2 instance, but the security team gets the alert 20 hours after the package was installed — and they need to prove to auditors that active exploitation would be caught within minutes, not hours.

Likely cause

The team relies entirely on agentless snapshot scanning, which cycles roughly every 24 hours. The CVE is found on disk, but no runtime signal exists to detect if the vulnerability is being actively exploited between scan cycles.

Diagnosis

Wiz Security Graph ▸ Inventory ▸ select the EC2 instance ▸ check 'Runtime sensor' status — it shows 'Not deployed'. The 24-hour scan gap is a known trade-off of agentless-only coverage.

Wiz Console ▸ Sensors ▸ Deploy Sensor ▸ select the payment-tier node group
Fix

Deploy the Wiz Sensor (eBPF) on the payment-tier EC2 nodes. Agentless scanning continues across all 150 accounts for full posture coverage. The Sensor streams real-time process and network events on critical nodes into the same Security Graph, correlating the known CVE with any exploit attempt the moment it starts.

Verify

Re-test: simulate a process spawning an unexpected shell on the payment node — the Wiz Sensor raises a runtime alert within seconds. The auditor report now shows both periodic posture scans (agentless) and real-time runtime detection (Sensor) on regulated workloads.

Prove the gap before adding the Sensor

Before deploying the Wiz Sensor everywhere, check the Security Graph for your highest-risk nodes: are there active CVEs with known exploits AND no runtime sensor deployed? That toxic combination — critical vulnerability plus real-time detection gap — is the business case for selective Sensor deployment, not a blanket rollout.

Quick check · Q4 of 10 · Apply

Your team runs a payment-processing service on AWS EC2 that must detect active exploits within seconds, but you also need full posture coverage across 200 other accounts with zero agent overhead. Best model?

Correct: d. Wait — option d is a third-party agent, which fragments the Security Graph. The correct hybrid model is option c: agentless across 100% of accounts for universal posture and vulnerability coverage, with the Wiz Sensor selectively on the high-risk payment nodes for sub-second runtime detection — all feeding the same Wiz Security Graph.
👉 So far: Hybrid model = agentless across 100% of cloud estate for breadth + Wiz Sensor (eBPF) on critical workloads for real-time runtime depth — both feed one Security Graph.

🤖 Ask the AI Tutor

Tap any question — instant, scoped to this lesson. No login, no waiting.

Pre-curated from vendor docs + community Q&A, scoped to this lesson. For a live prod issue, paste your export into chat.techclick.in.

📝 Wrap-up assessment — six more

You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete on your profile. Tap Submit all answers at the end.

Q5 · Remember

Which cloud provider API does Wiz call to capture a point-in-time copy of an EC2 instance's root volume?

Correct: b. Wiz uses the native AWS ec2:CreateSnapshot API to take a point-in-time snapshot of the EBS root volume. The live instance keeps running. A similar native API is used for Azure managed disks and GCP persistent disks.
Q6 · Understand

Why does Wiz keep the ephemeral snapshot scanner in the same cloud region as the scanned workload?

Correct: a. Keeping the ephemeral scanner in the same region avoids egress data-transfer costs and ensures that sensitive workload data never leaves its jurisdiction — a critical consideration for GDPR, data-sovereignty, and regulated industries.
Q7 · Apply

A security engineer finds that Wiz is not detecting CVEs on three EC2 instances. The most likely IAM-level cause is:

Correct: b. Wiz requires the connector IAM role to have snapshot permissions (ec2:CreateSnapshot, ec2:CopySnapshot, ec2:DeleteSnapshot etc.). Without them the snapshot API call is denied and the workload scan is silently skipped. The fix is to attach the Wiz-recommended policy, typically deployed via CloudFormation or Terraform.
Q8 · Analyze

An attacker gains a foothold on a Linux node and runs a cryptominer using a reflective in-memory loader — no file is ever written to disk. An agentless scan runs four hours later. What will Wiz report?

Correct: c. Agentless scanning reads the disk volume. A process that runs entirely in memory and writes nothing to disk leaves no artefact in the snapshot. The Wiz Sensor (eBPF) is needed to detect this at runtime by observing the actual process execution events.
Q9 · Evaluate

An interviewer asks: 'Wiz says agentless, but how deep is the workload scan really?' Best answer?

Correct: b. The snapshot mount gives Wiz the same visibility as a privileged local agent for disk-based findings. The real trade-off is time (roughly 24-hour cycle) and the inability to see in-memory-only events — not depth on disk.
Q10 · Evaluate

What is the strongest argument for choosing a hybrid agentless + Wiz Sensor model over agentless-only?

Correct: a. Wait — option a says the Sensor replaces agentless, which is wrong. The correct answer is c: the hybrid model uses agentless for 100% estate-wide breadth and the Sensor selectively for real-time runtime depth on the highest-risk nodes — breadth AND depth from a single Security Graph.
Lesson complete — saved to your profile.
Almost! You need 70% (7 of 10) — re-read the path that tripped you up and tap "Try again".

🧠 In your own words

Type one line: what is the core trade-off between Wiz agentless scanning and the Wiz Sensor, and when does the Sensor become necessary? Then compare with the expert version.

Expert version: Agentless scanning gives 100% asset coverage across all cloud accounts with zero agent overhead, and reads the full OS disk layer (CVEs, secrets, /proc inventory) via mounted snapshots — but it scans periodically (roughly every 24 hours) and cannot see attacks that exist only in memory. The Wiz Sensor fills that gap: it is a lightweight eBPF-based agent that streams real-time process, network and syscall events into the same Security Graph. The Sensor becomes necessary when a workload hosts regulated or payment-critical data where in-memory attack detection and sub-second alerting are compliance or SLA requirements — you deploy it selectively on those nodes, not across the whole estate.

🗣 Teach a friend

Best way to lock it in — explain it in one line to a teammate. Tap to generate a paste-ready summary.

📖 Glossary

Agentless scanning
A cloud security approach where the scanner reads workload data via cloud provider APIs and disk snapshots without installing any software inside the running workload.
Snapshot-based scanning
A technique where a point-in-time copy of a VM's disk volume is made using the cloud provider's native snapshot API, mounted in an isolated environment for analysis, then deleted.
Ephemeral scanner
A temporary compute instance spun up by Wiz in the same cloud region as the workload to mount and analyse the snapshot; it is cryptographically wiped after analysis.
Wiz Sensor
A lightweight, eBPF-based runtime agent deployed on specific critical workloads to stream real-time process, network and syscall events into the Wiz Security Graph.
eBPF (Extended Berkeley Packet Filter)
A Linux kernel technology that lets programs run safely in a sandboxed kernel context for observability and security, without loading kernel modules or risking kernel crashes.
Security Graph
Wiz's central data model that maps relationships between all cloud resources, identities, vulnerabilities, configurations and runtime events to surface toxic combinations and attack paths.
In-memory (fileless) attack
An attack technique that runs malicious code entirely in memory without writing files to disk, leaving no artefact for snapshot-based scanners to find.
Toxic combination
A Wiz Security Graph finding that correlates multiple risk factors — e.g. a critical CVE, public exposure and an active runtime exploit — to surface the highest-priority threats.

📚 Sources

  1. Wiz — Agentless Scanning Best Practices. wiz.io/academy/cloud-security/agentless-scanning
  2. Wiz — Agentless Scanning vs Agent-Based Scanning: Comparison. wiz.io/academy/cloud-security/agentless-scanning-vs-agent-based-scanning
  3. Wiz — Agentless vs. Agent-Based Security: Which Is Better?. wiz.io/academy/cloud-security/agentless-vs-agent-based-security
  4. Wiz — Protect any workload and AI application, anywhere — at runtime (Wiz Sensor). wiz.io/solutions/runtime-sensor
  5. Wiz — Cloud Vulnerability Scanning: Definition and Best Practices. wiz.io/academy/vulnerability-management/cloud-vulnerability-scanning
  6. Cytas — Wiz's Agentless Scanning: Revolutionising Cloud Security Management. cytas.io/wizs-agentless-scanning-revolutionizing-cloud-security-management

What's next?

Got agentless scanning? Next, go deep on the Wiz Security Graph — how Wiz correlates misconfigurations, vulnerabilities, exposed secrets and toxic combinations to surface the highest-risk attack paths in your cloud.

Next · All interview lessons → Practice on exam.techclick.in →