
Wiz Attack Paths & Toxic Combinations in CNAPP

Wiz reduces tens of thousands of cloud findings to a handful of truly critical attack paths — combinations where public exposure, an unpatched vulnerability, excessive privilege, and sensitive data all meet on the same resource. This lesson maps every step: how the Security Graph models risk chains, what makes a combination 'toxic', how to prioritize and eliminate them, and how to write the attack-path queries that surface them in seconds.

📅 2026-06-20 · ⏱ 16 min · 4 infographics · live block demo · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

Master Wiz attack-path analysis in 2026: learn how toxic combinations (public exposure plus critical vuln plus high privilege plus sensitive data) are found, prioritized, and eliminated using the Wiz Security Graph.

🎯 By the end you will be able to

Pick where you want to start:

1. What it is: toxic combinations and why four factors matter.
2. Security Graph: how Wiz models risk chains across cloud resources.
3. Prioritization: scoring, critical assets, and what to fix first.
4. Queries & fix: attack-path queries and breaking the chain.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. Why does Wiz talk about 'toxic combinations' rather than just CVE counts?

Answered in What it is.

2. What technology does Wiz use to connect resources and surface attack paths?

Answered in Security Graph.

3. How do you stop a toxic combination without patching the CVE immediately?

Answered in Queries & fix.

Most engineers think…

Most people treat cloud security as a CVE leaderboard: fix the highest CVSS score first, repeat. That approach drowns the SOC in noise and misses the threats that actually matter.

Wiz reframes the question. A critical vulnerability on an internal, non-privileged instance with no sensitive data attached is not urgent. The same vulnerability on a publicly reachable workload running under an over-privileged identity that can read a production database is a five-alarm fire. The difference is the combination of conditions — and finding those combinations fast, at scale, is exactly what the Wiz Security Graph is built to do.

① What a toxic combination actually is — four conditions, one critical path

A toxic combination in Wiz is a chain of findings on the same cloud resource where all four risk factors are present simultaneously: the resource is publicly exposed, it carries a critical or high-severity vulnerability, it runs under an over-privileged identity, and it has a path to sensitive data. Remove any one factor and the path collapses to low-risk.

The insight Wiz is built on: risk is combinatorial, not additive. A critical CVE alone scores high on paper but low in practice if the instance is internal and unprivileged. Public exposure alone matters only if an attacker can do something useful once inside. Privilege alone is interesting only if data worth reaching exists. The Security Graph is the engine that finds the intersections — in real time, without agents.

Figure 1 — The toxic-combination chain: Public Exposure (internet-reachable port) ▸ Critical CVE (unpatched vulnerability) ▸ High Privilege (over-permissive IAM role) ▸ Sensitive Data (PII/creds at path end).
All four conditions must align on one resource for the path to be truly critical. Remove any link and the risk collapses.
Quick check · Q1 of 10 · Understand

What makes a combination 'toxic' in Wiz's definition?

Correct: c. Wiz defines a toxic combination as the intersection of all four factors on the same resource. A critical CVE alone is not enough — it must be on a publicly reachable, over-privileged resource with sensitive data in reach.
👉 So far: A toxic combination = public exposure + critical CVE + high IAM privilege + sensitive data on the same resource. Break any single link and the path collapses.

② The Wiz Security Graph — how risk chains are modelled

Wiz uses an agentless Security Graph — a continuously updated, relationship-aware map of every resource, identity, workload, data store, network connection, vulnerability and security finding across a cloud environment. Instead of a flat list of alerts, the graph stores edges between nodes: this EC2 instance is reachable from the internet; this role is attached to that instance; that role can read this S3 bucket; that bucket contains PII data — all traversable in a single query.

Why graph matters for attack paths

Graph traversal lets Wiz answer the question an attacker would ask: starting from the internet, which chain of steps leads to sensitive data? The engine prunes paths that are theoretically possible but blocked by a compensating control, and surfaces only validated, exploitable attack paths. A typical large cloud environment might generate tens of thousands of individual findings; the Security Graph collapses those to dozens of genuinely critical toxic combinations.

Figure 2 — Wiz Security Graph layers: Network Layer (reachability: public IPs, SGs, firewall rules); Identity Layer (IAM roles, service accounts, permissions); Vuln & Config Layer (CVEs, misconfigs, secrets in code); Data Layer (sensitive data stores, classification, tagging).
The Security Graph stacks network, identity, vulnerability and data findings into one traversable model.
Key terms

Toxic Combination
A chain where public exposure + critical CVE + high IAM privilege + sensitive data all align on one resource. Removing any single condition collapses the path to low-risk.

Security Graph
Wiz's agentless, continuously updated graph that models every resource, identity, network edge and data store — enabling graph traversal to find exploitable attack paths.

Critical Asset (Crown Jewel)
A resource tagged in Wiz as high-value (prod DB, credential store, PII bucket). Any attack path ending at a crown jewel is auto-elevated in priority regardless of intermediate scores.

Graph Explorer Query
Wiz's built-in query interface for the Security Graph. Filter by public exposure, CVE severity, IAM privilege level and data sensitivity to surface toxic combinations in one pass.

Agentless is the key differentiator

Wiz builds the Security Graph without installing agents. It uses cloud-provider APIs (AWS, Azure, GCP, OCI) to read configuration, scan workload disk snapshots, and pull IAM policies — so every resource appears in the graph within minutes of provisioning, even if the team never touched a security tool.

Quick check · Q2 of 10 · Remember

What is the key advantage of a graph model over a flat findings list?

Correct: b. The graph stores edges (relationships) between nodes — reachability, identity attachment, data access — so Wiz can traverse chains an attacker would follow. A flat list cannot express these multi-hop relationships.
👉 So far: The Wiz Security Graph models relationships — network reachability, identity, vulnerability, data — so attack chains can be traversed as an attacker would walk them.

③ Prioritizing attack paths — what to fix first and why

Wiz assigns each attack path a risk score that weighs the severity of the vulnerability, the reachability of the resource (internet-facing vs internal), the blast radius of the attached identity (can it admin your whole cloud?), and the sensitivity of the data at the end of the path. Paths that score in the critical band are surfaced as Issue cards in the Wiz console and can be routed to Jira, ServiceNow, Slack, or PagerDuty automatically.

The prioritization heuristic: fix the shortest path to the most sensitive data first. A one-hop path (internet ▸ vulnerable instance with DB credentials) beats a three-hop path even if the three-hop path has a higher CVSS score on one of its nodes. Wiz also lets you tag resources as critical assets (crown jewels), so any path leading to them is automatically elevated regardless of intermediate scores.

Figure 3 — Risk scoring inputs: the attack path's risk score sits at the center, evaluated against each spoke: vuln severity, public reachability, IAM blast radius, data sensitivity, crown-jewel tag.
Wiz combines four signals to score each attack path — the resource at the center, evaluated against each spoke.
Fixing by CVSS score alone

The classic mistake: sort by CVSS, patch the top 10, declare victory. In Wiz's model, a CVSS 9.8 CVE on an isolated internal instance with no privilege and no sensitive data is lower priority than a CVSS 7.5 CVE that is part of a complete toxic combination. Always filter by the full combination, not raw severity.

▶ Watch Wiz surface and collapse a toxic combination

Step through how an internet request reaches sensitive data via four exploitable links, then see how removing one link stops the breach.

① Internet Access: An attacker probes a cloud workload reachable on port 443 — the security group allows 0.0.0.0/0 inbound.
② Exploit CVE: The workload runs an unpatched library with a critical deserialization CVE. The attacker sends a crafted payload and gains code execution.
③ Abuse IAM Role: The workload's attached IAM role has overly broad S3 permissions. The attacker lists and reads all buckets under that role.
④ Reach PII Data: One of those S3 buckets is tagged as sensitive (PII). The attacker exfiltrates customer records — a complete data breach.
Quick check · Q3 of 10 · Apply

Two attack paths exist: Path A has a CVSS 9.8 CVE on an internal, unprivileged instance. Path B has a CVSS 7.5 CVE on an internet-facing instance with admin IAM access to a PII database. Which should you fix first?

Correct: c. Wiz prioritizes by the full combination, not raw CVSS. Path B is internet-reachable, over-privileged, and terminates at sensitive data — it is a complete toxic combination. Path A's high CVSS is diluted by the lack of public exposure and sensitive data.
👉 So far: Prioritize by the full combination, not CVSS alone. Shortest path to the most sensitive data (crown jewel) wins. Tag critical assets to auto-elevate any path reaching them.

④ Attack-path queries and breaking the toxic chain

Wiz exposes its graph through a query language accessible in the Security Graph Explorer. A typical toxic-combination query filters for resources that are publicly exposed AND have a critical or high CVE AND run under an identity with write access to a sensitive data store. Wiz ships built-in query templates for the most common toxic-combination patterns — internet-facing-VM-with-crit-vuln-and-privileged-role is one click.

Breaking the chain — remediation that works

You do not need to fix all four conditions to eliminate the path. Breaking any single link collapses the toxic combination. The fastest mitigations in order of typical speed: (1) remove public exposure — tighten the security-group rule or move the load balancer behind a WAF; (2) revoke excess privilege — scope the IAM role to least-privilege; (3) patch or virtually patch the CVE — apply the vendor fix or add a WAF rule; (4) restrict data access — add a bucket policy or data-perimeter control. After any of these, re-run the query in Wiz — the attack path should disappear from the critical list.
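The graph traversal of section ②, the prioritization heuristic of section ③ and the break-the-chain remediation of section ④, worked through as an added example that is not Wiz's code, schema or query language: a toy security graph with constructed nodes and edges, a path finder that keeps only paths on which all four factors align, a sort that puts crown-jewel and shortest paths ahead of raw CVSS, and a remediation modelled as removing one edge.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AttackPath:
    hops: tuple          # node ids, internet first, data store last
    max_cvss: float      # highest CVSS among the vulnerable VMs on the path
    crown_jewel: bool    # path ends at a resource tagged as a critical asset


# Constructed sample environment (not a Wiz export). Only web-01 is
# internet-reachable; batch-02 carries the higher CVSS but is internal.
NODES = {
    "internet":    {"kind": "internet"},
    "web-01":      {"kind": "vm", "cvss": 7.5},
    "batch-02":    {"kind": "vm", "cvss": 9.8},
    "role-web":    {"kind": "role", "over_privileged": True},   # s3:GetObject on *
    "role-batch":  {"kind": "role", "over_privileged": False},
    "bucket-pii":  {"kind": "data", "sensitive": True, "crown_jewel": True},
    "bucket-logs": {"kind": "data", "sensitive": False},
}
EDGES = {
    ("internet", "web-01"),       # SG allows 0.0.0.0/0 inbound on 443
    ("web-01", "role-web"),       # instance profile attaches the role
    ("role-web", "bucket-pii"),   # wildcard read reaches the PII bucket
    ("role-web", "bucket-logs"),
    ("batch-02", "role-batch"),   # no edge from the internet to batch-02
    ("role-batch", "bucket-logs"),
}


def simple_paths(edges, start, path=None):
    """Yield every simple (loop-free) path that begins at `start`."""
    path = [start] if path is None else path
    yield path
    for src, dst in sorted(edges):
        if src == path[-1] and dst not in path:
            yield from simple_paths(edges, dst, path + [dst])


def toxic_paths(nodes, edges, cvss_threshold=7.0):
    """Paths on which all four factors align: they start at the internet
    (public exposure), cross a VM with a high/critical CVE and an
    over-privileged identity, and end at a sensitive data store."""
    found = []
    for p in simple_paths(edges, "internet"):
        vms = [n for n in p if nodes[n]["kind"] == "vm"
               and nodes[n]["cvss"] >= cvss_threshold]
        roles = [n for n in p if nodes[n]["kind"] == "role"
                 and nodes[n]["over_privileged"]]
        end = nodes[p[-1]]
        if vms and roles and end["kind"] == "data" and end["sensitive"]:
            found.append(AttackPath(tuple(p), max(nodes[v]["cvss"] for v in vms),
                                    end.get("crown_jewel", False)))
    return prioritize(found)


def prioritize(paths):
    """Lesson heuristic: crown-jewel paths first, then the shortest path,
    then the higher CVSS. Raw CVSS is the last tie-breaker, not the first."""
    return sorted(paths, key=lambda ap: (not ap.crown_jewel, len(ap.hops), -ap.max_cvss))


def break_link(edges, src, dst):
    """Model a remediation as removing one edge: tightening the SG removes
    ('internet', 'web-01'); scoping the role removes ('role-web', 'bucket-pii')."""
    return edges - {(src, dst)}
```

Running `toxic_paths(NODES, EDGES)` returns the single web-01 path even though batch-02 carries the CVSS 9.8; removing either the reachability edge or the role-to-PII edge returns an empty list, while removing an edge that is not on the path changes nothing.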

Figure 4 — Break the chain — four remediation options. Fast to fix (hours): remove public exposure (tighten SG…); revoke excess IAM privilege (scope…); add a WAF rule as virtual patch. Thorough (days–weeks): patch or upgrade the vulnerable…; apply a data-perimeter / bucket…; redesign the workload to least….
You only need to fix one link to collapse the toxic combination. Choose the fastest available option.

Priya at a Pune fintech faces this

Wiz surfaces a critical attack path: an EC2 instance running an old Java service is reachable from the internet on port 443, has a critical deserialization CVE, is attached to an IAM role with full S3 read access, and that S3 bucket holds customer PAN card data.

Likely cause

The instance was a dev sandbox promoted to production without tightening the security group or scoping the IAM role. The Java dependency was never upgraded after the original CVE was disclosed.

Diagnosis

Wiz Security Graph Explorer shows the full chain: internet ▸ EC2 (CVE-XXXX, critical) ▸ IAM role (s3:GetObject on *) ▸ S3 bucket tagged PII.

Wiz Console ▸ Issues ▸ Critical Attack Paths ▸ Graph View
Fix

Immediate: revoke the wildcard S3 permission and scope the role to only the specific bucket prefix it needs. Same day: replace the 0.0.0.0/0 inbound SG rule on port 443 with one that allows only the internal load balancer. Sprint: upgrade the Java dependency to patch the CVE. Re-run the query in Graph Explorer — the path disappears from the critical list.

Verify

Re-run the Wiz attack-path query for this instance — it no longer appears in the critical band. The PII bucket's Issues tab shows zero critical paths leading to it.

Confirm the path is gone in Graph Explorer

After any remediation, re-run the exact attack-path query that surfaced the issue. The path should disappear from Wiz's critical-issues list. If it remains, one link in the chain is still active — check the reachability edge (SG rules take minutes to propagate) or the IAM policy cache (allow a few minutes for Wiz's re-scan after a policy change).

Quick check · Q4 of 10 · Analyze

You cannot patch a critical CVE for two weeks. Which action best reduces the toxic combination risk immediately?

Correct: a. Removing public exposure breaks the first link in the chain and immediately collapses the toxic combination in Wiz — even before the CVE is patched. Tightening the security-group rule or restricting inbound access is typically faster than a patch cycle.
👉 So far: Break the chain by the fastest available fix — remove public exposure first, then revoke excess privilege, then patch. Re-run the query to confirm the path is gone.


📝 Wrap-up assessment — six more

You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete.

Q5 · Remember

Which four factors define a Wiz toxic combination?

Correct: b. Wiz defines a toxic combination as the intersection of four specific factors: the resource is publicly exposed, carries a critical or high vulnerability, runs under an over-privileged identity, and has a path to sensitive data. All four must align for the combination to be critical.
Q6 · Understand

Why does Wiz use a graph model instead of a flat list of findings?

Correct: c. A graph stores edges (relationships) between nodes — reachability, IAM attachment, data access. This lets Wiz traverse the chain an attacker would follow across multiple hops. A flat list of findings cannot represent these multi-resource relationships.
Q7 · Apply

You want to find all internet-facing EC2 instances with a critical CVE that also have S3 access to PII buckets. What do you use in Wiz?

Correct: c. The Wiz Graph Explorer is designed exactly for this: a single query can filter for public exposure AND critical CVE AND sensitive-data access in one pass, using the Security Graph's relationship model. Manual spreadsheet work or external scanning cannot correlate across these three dimensions simultaneously.
Q8 · Analyze

A CVE with CVSS 9.8 exists on an internal instance with no internet exposure, a tightly-scoped IAM role, and no sensitive data nearby. How should Wiz score this?

Correct: b. Wiz's risk score combines all four toxic-combination factors. Without public exposure and without sensitive data in reach, even a CVSS 9.8 CVE is not part of a complete toxic combination and ranks below a lower-CVSS CVE that IS on a publicly reachable, over-privileged resource with PII access.
Q9 · Evaluate

You cannot patch a critical CVE on a production instance for 14 days. Which action most effectively reduces the attack-path risk right now?

Correct: d. Removing public exposure by tightening the security-group rule breaks the first link in the toxic-combination chain. Wiz immediately removes the path from its critical list even though the CVE is still present. This is typically the fastest mitigation available — faster than a patch cycle and more impactful than logging alone.
Q10 · Evaluate

An interviewer asks: 'How does Wiz cut 10,000 cloud findings down to a handful of critical items?' Best answer?

Correct: a. Wiz's Security Graph correlates findings across four dimensions simultaneously. Only resources where all four toxic-combination factors align are surfaced as critical attack paths. This graph-based intersection is what collapses 10,000+ findings to dozens of genuinely exploitable paths.

🧠 In your own words

Type one line: explain why two separate CVSS 9.8 CVEs might have different priority in Wiz. Then compare with the expert version.

Expert version: In Wiz, priority is determined by the full toxic combination, not the CVE score alone. A CVSS 9.8 on an internet-facing, over-privileged instance with a path to sensitive PII is a five-alarm critical attack path. The same CVSS 9.8 on an internal, isolated, least-privilege instance with no sensitive data nearby is a genuine vulnerability — but not an immediately exploitable attack path. Wiz's Security Graph surfaces the first as critical and ranks the second lower, directing engineering effort where it reduces actual breach risk rather than where the numbers look scary.


📖 Glossary

Toxic Combination
A Wiz finding where all four risk factors — public exposure, critical vulnerability, high IAM privilege, and sensitive data — align on the same cloud resource, creating a critical, exploitable attack path.
Security Graph
Wiz's agentless, continuously updated graph database that models every cloud resource, identity, network edge, vulnerability and data store as nodes and edges — enabling attack-path traversal.
Attack Path
A chain of exploitable steps through the Security Graph that an attacker could follow to reach a critical asset, from initial access (public exposure) to impact (data exfiltration).
Critical Asset (Crown Jewel)
A resource tagged in Wiz as high-value (production DB, secrets store, PII bucket). Any attack path terminating at a crown jewel is automatically elevated to critical priority.
Graph Explorer
Wiz's query interface for the Security Graph, used to filter for toxic combinations by combining reachability, CVE severity, IAM privilege, and data-sensitivity conditions in one query.
Public Exposure
A cloud resource reachable from the internet — typically via a permissive security-group inbound rule, a public IP, or an open load-balancer listener.
IAM Blast Radius
How much damage an attached IAM role or service account can do if compromised — measured by the scope and sensitivity of resources it can access or administer.
Virtual Patch
A compensating control — such as a WAF rule — that blocks exploitation of a known CVE without requiring the underlying package to be upgraded or replaced immediately.


What's next?

Mastered attack paths? Next, go deep on Wiz CSPM — misconfigurations, compliance frameworks, and how Wiz maps findings to CIS, NIST, and custom benchmarks.