
Wiz CNAPP — Agentless Scanning, the Graph & Toxic Combinations

Wiz is one agentless platform that connects to your cloud by API, scans the whole stack without installing software, and feeds everything into a Security Graph. That graph correlates misconfigurations, vulnerabilities, identities, exposure and secrets into attack paths — so instead of ten thousand CVEs you see the handful of toxic combinations an attacker could actually walk through.

📅 2026-06-19 · ⏱ 16 min · 5 infographics · live attack-path demo · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

A clear, interactive guide to Wiz CNAPP (2026): agentless snapshot / side-scanning across AWS, Azure, GCP and Kubernetes; the Wiz Security Graph that correlates misconfigurations, vulnerabilities, identities, exposure and secrets; the convergence of CSPM + CWPP + CIEM + DSPM in one platform; and how attack paths and toxic combinations cut alert fatigue by showing what is actually exploitable.

Pick where you want to start

1. Agentless scanning: snapshot / side-scanning by API, no agents.
2. The Security Graph: one graph correlating five signals.
3. Four pillars in one: CSPM + CWPP + CIEM + DSPM converge.
4. Attack paths & fixes: toxic combinations, priority, cloud-to-code.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. How does Wiz get visibility into your cloud?

Answered in Agentless scanning.

2. What does the Wiz Security Graph do?

Answered in The Security Graph.

3. What is a 'toxic combination'?

Answered in Attack paths & fixes.

Most engineers think…

Most people picture cloud security as 'install a scanner agent on every workload, then chase the giant list of CVEs it spits out'. That model misses real attacks and buries the SOC in noise.

Wiz is a CNAPP: it connects agentlessly to your cloud by API, scans the whole stack from snapshots, and feeds everything into the Wiz Security Graph. The graph correlates misconfigurations, vulnerabilities, identities, exposure, data sensitivity and secrets to surface attack paths and toxic combinations — the few chains an attacker could actually exploit. That is what lets you converge CSPM, CWPP, CIEM and DSPM into one platform and prioritise the handful of risks that truly reach your crown-jewel data.

① Agentless scanning — how Wiz sees everything without agents

The first big idea: Wiz gets visibility without installing software on workloads. It connects by cloud API with read-only permissions, takes disk snapshots for VMs and scans those volumes out-of-band — an approach often called snapshot or side-scanning. Container images are read straight from registries (ECR, ACR, GCR, Docker Hub).

Because it works at the cloud-API and hypervisor level, Wiz reaches the whole stack — VMs, containers, serverless and PaaS — across AWS, Azure, GCP and Kubernetes with no deployment friction and no performance hit on the workload. The classic agent problem is coverage gaps: agents fail to install, get uninstalled, or never reach shadow resources. Agentless removes that gap, so what Wiz sees is closer to everything you actually run. A lightweight runtime sensor is optional for real-time detection, but the baseline scan needs no agent at all.

Figure 1 — How agentless scanning works
Wiz connects by API, snapshots disks out-of-band and reads registries — no agent on the workload.
Pipeline shown: Connect (read-only cloud API) → Inventory (every resource seen) → Snapshot (side-scan disks) → Analyse (vulns, misconfig, secrets) → Graph (feed the Security Graph).
Quick check · Q1 of 10 · Understand

How does Wiz achieve broad coverage without agents?

Correct: b. Wiz connects with read-only API permissions, takes disk snapshots and scans them out-of-band (snapshot / side-scanning) and reads container registries — so it covers the whole stack without agents on the workload.
👉 So far: Wiz is agentless: it connects by read-only cloud API and side-scans disk snapshots out-of-band across AWS, Azure, GCP and Kubernetes — full coverage, no agent on the workload.

② The Security Graph — context, not a flat CVE list

Scanning is only half the story. Every finding flows into the Wiz Security Graph, which maps your cloud as connected nodes — resources, identities, networks and data — and correlates five signals: misconfigurations, vulnerabilities, identities and entitlements, network exposure, and secrets / data sensitivity.

Why the graph matters

A flat scanner gives you a list: 9,000 CVEs, no ranking, no idea which one matters. The graph instead asks: "can these issues be chained together to reach something valuable?" It turns siloed alerts into relationships, so a public VM + a critical vuln + an over-privileged role + access to a sensitive bucket becomes one ranked attack path, not four unrelated tickets. That context is exactly what cuts alert fatigue — you fix the chain, not the noise.

Figure 2 — Five signals the graph correlates
The Wiz Security Graph fuses these five layers into one view of real, contextual risk.
1. Misconfigurations: open buckets, weak settings (CSPM)
2. Vulnerabilities: CVEs on VMs, containers, serverless
3. Identities: roles and effective permissions (CIEM)
4. Exposure: internet reachability and network path
5. Secrets & data: leaked keys and sensitive data (DSPM)
Key terms

Agentless scanning
Connects by read-only cloud API and side-scans disk snapshots out-of-band — full stack coverage with no agent on the workload.

Security Graph
Maps cloud resources, identities, exposure and data as connected nodes, correlating five signals into ranked attack paths.

Toxic combination
Several findings, each minor alone, that together create a critical exploitable risk — a real route to crown-jewel data.

Cloud-to-code
Traces a running risk back to the exact IaC template, repo or owner so the fix lands at the source and stops recurrence.

Say 'context', not 'count'

In an interview, never brag about how many CVEs a tool finds. The Wiz answer is context: the Security Graph correlates misconfig, vulnerabilities, identity, exposure and data to rank attack paths. You are measured on the risk you removed, not the alerts you generated.

Quick check · Q2 of 10 · Remember

Which set best describes the signals the Wiz Security Graph correlates?

Correct: c. The graph fuses misconfigurations, vulnerabilities, identities/entitlements, network exposure and secrets/data sensitivity — that correlation is what turns isolated findings into attack paths.
👉 So far: The Security Graph correlates five signals — misconfig, vulnerabilities, identities, exposure and secrets/data — turning siloed alerts into ranked attack paths instead of a flat CVE list.

③ Four pillars in one — CSPM, CWPP, CIEM and DSPM converge

Wiz as a CNAPP unifies four capabilities that used to be separate tools. CSPM (Cloud Security Posture Management) finds misconfigurations across IaaS/PaaS/SaaS. CWPP (Cloud Workload Protection) covers vulnerabilities and threats on VMs, containers and serverless. CIEM (Cloud Infrastructure Entitlement Management) maps identities and effective permissions. DSPM (Data Security Posture Management) discovers where sensitive data actually lives.

The interview line: the value is the convergence, not any single pillar. A misconfiguration is boring on its own — but the graph knows it sits on a workload with a critical vuln, attached to an over-privileged identity, exposed to the internet, next to sensitive data. Four pillars, one graph, one verdict on what is truly exploitable. IaC scanning extends the same checks left into code before deploy.

Figure 3 — One graph, four pillars
CSPM, CWPP, CIEM and DSPM all feed the same Security Graph, so risk is judged in full context.
Centre: Security Graph (one platform). Feeding it: CSPM (config), CWPP (workload), CIEM (identity), DSPM (data), IaC scanning, Exposure.

Figure 4 — Flat scanner vs graph context
A flat scanner lists everything; the graph ranks the few risks that are actually exploitable.
Flat CVE scanner: thousands of unranked alerts; no idea which reaches data; siloed, per-tool tickets; alert fatigue, real risk missed.
Wiz Security Graph: findings correlated into paths; ranks by real exploitability; toxic combinations surfaced; short, high-signal worklist.
'Wiz is just a CSPM' under-sell

CSPM only finds misconfigurations. Wiz as a CNAPP also covers workloads (CWPP), identities (CIEM) and data (DSPM) and fuses them in one graph. Calling it 'just a CSPM' misses the whole reason it can find a toxic combination across all four pillars.

Quick check · Q3 of 10 · Apply

A team has separate tools for posture, workloads, identity and data and still misses real risk. What does a CNAPP like Wiz change?

Correct: a. The point of a CNAPP is convergence: CSPM, CWPP, CIEM and DSPM feed one Security Graph, so a misconfig is judged together with the vuln, identity, exposure and data around it — not in a silo.
👉 So far: Wiz as a CNAPP converges CSPM (config), CWPP (workload), CIEM (identity) and DSPM (data) into one graph, so risk is judged in full context, not per-tool silos.

④ Attack paths & toxic combinations — prioritise, then fix at the source

This is the payoff. An attack path is a chain the graph computes from an internet-exposed entry point, through a vulnerability or weak identity, to a high-value target like sensitive data. A toxic combination is a set of findings that are each low-or-medium severity alone but together create a critical, exploitable risk — for example public exposure + a remote-code-execution vuln + an admin role + access to a customer database.

From priority to remediation

Because the graph ranks by real exploitability, you triage a short list of attack paths instead of an endless CVE feed. Then cloud-to-code remediation traces a running risk back to the exact IaC template, repository or owner that introduced it, so the fix lands at the source and stops the issue recurring. The failure mode to avoid is treating Wiz like a scanner and chasing raw CVE counts — that throws away the whole point of the graph.

Figure 5 — A toxic combination becomes one fix
Four minor findings chain into a critical attack path — fixed once, at the source, via cloud-to-code.
Chain shown: Exposed (public-facing VM) → Vulnerable (critical RCE CVE) → Privileged (admin IAM role) → Reaches data (sensitive bucket) → Fix at source (cloud-to-code IaC).
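To make the difference between a flat finding list and graph context concrete, here is an added toy model that covers both section ② (the Security Graph correlating signals) and section ④ (attack paths, toxic combinations and cloud-to-code). It is illustration written for this lesson, not Wiz's code or API: the node ids, signal names, edge kinds, IaC labels and the four-signal scoring rule are all assumptions. The inventory is constructed inline, so the script runs offline.

```python
"""Toy security graph: correlate individually minor findings into ranked attack
paths, flag toxic combinations, and trace each node back to the IaC that created it.

Added illustration, not Wiz's code or API. Node ids, signal names, edge kinds,
IaC labels and the scoring rule are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Node:
    id: str
    kind: str                       # "internet" | "workload" | "identity" | "data"
    signals: Tuple[str, ...] = ()   # findings attached to this node
    iac_source: str = ""            # template / owner that created it (assumed label)


# The four signals that, chained along one path, make a toxic combination.
TOXIC = ("public_exposure", "rce_cve", "over_privileged", "sensitive_data")

# Constructed inventory (not real cloud resources).
NODES: Dict[str, Node] = {n.id: n for n in [
    Node("internet", "internet"),
    Node("vm-web", "workload", ("public_exposure", "rce_cve"), "iac/web-sg.tf (team-web)"),
    Node("vm-api", "workload", ("public_exposure", "medium_cve"), "iac/api.tf (team-web)"),
    Node("vm-batch", "workload", ("rce_cve",), "iac/batch.tf (team-data)"),  # not internet-facing
    Node("role-web", "identity", ("over_privileged",), "iac/iam.tf (team-platform)"),
    Node("role-api", "identity", (), "iac/iam.tf (team-platform)"),
    Node("bucket-pii", "data", ("sensitive_data",), "iac/storage.tf (team-data)"),
    Node("bucket-logs", "data", (), "iac/storage.tf (team-data)"),
]}

# Directed edges: internet -> reachable workloads, workload -> instance role,
# role -> data it can read. vm-batch has no inbound edge from the internet.
EDGES: Dict[str, List[str]] = {
    "internet": ["vm-web", "vm-api"],
    "vm-web": ["role-web"],
    "vm-batch": ["role-web"],
    "vm-api": ["role-api"],
    "role-web": ["bucket-pii", "bucket-logs"],
    "role-api": ["bucket-logs"],
}


def flat_findings(nodes: Dict[str, Node] = NODES) -> List[Tuple[str, str]]:
    """What a flat scanner reports: every (resource, finding) pair, unranked."""
    return [(n.id, s) for n in nodes.values() for s in n.signals]


def attack_paths(nodes: Dict[str, Node] = NODES, edges: Dict[str, List[str]] = EDGES,
                 start: str = "internet") -> List[dict]:
    """Walk from the internet node to every data node; score each path by how many
    of the four toxic signals appear anywhere along it (4 = critical)."""
    found: List[dict] = []

    def walk(node: str, path: List[str]) -> None:
        if nodes[node].kind == "data":
            signals = {s for nid in path for s in nodes[nid].signals}
            score = sum(1 for s in TOXIC if s in signals)
            found.append({"path": path, "score": score, "signals": sorted(signals)})
            return
        for nxt in edges.get(node, []):
            if nxt not in path:                 # avoid cycles
                walk(nxt, path + [nxt])

    walk(start, [start])
    return sorted(found, key=lambda p: (-p["score"], p["path"]))


def toxic_combinations(nodes: Dict[str, Node] = NODES, min_score: int = len(TOXIC)) -> List[dict]:
    """Only the paths on which every toxic signal is present: the short worklist."""
    return [p for p in attack_paths(nodes) if p["score"] >= min_score]


def trace_to_source(path: List[str], nodes: Dict[str, Node] = NODES) -> Dict[str, str]:
    """Cloud-to-code: map each resource on the path to the IaC source that created it."""
    return {nid: nodes[nid].iac_source for nid in path if nodes[nid].iac_source}


def fix_at_source(nodes: Dict[str, Node], node_id: str, signal: str) -> Dict[str, Node]:
    """Model a fix landing in IaC: return a new inventory with `signal` removed from
    `node_id`, so the graph can be re-checked (the 'Verify' step)."""
    n = nodes[node_id]
    patched = dict(nodes)
    patched[node_id] = Node(n.id, n.kind, tuple(s for s in n.signals if s != signal), n.iac_source)
    return patched


if __name__ == "__main__":
    print(f"flat scanner: {len(flat_findings())} findings, no ranking")
    for p in attack_paths():
        print(f"score {p['score']}: {' -> '.join(p['path'])}  signals={p['signals']}")
    top = toxic_combinations()[0]
    print("fix at source:", trace_to_source(top["path"]))
    after = fix_at_source(NODES, "role-web", "over_privileged")
    print("after fix: top score", attack_paths(after)[0]["score"],
          "| toxic combinations:", len(toxic_combinations(after)))
```

Run as written, the flat view reports seven findings with no ordering, while the graph walk yields three paths and only one scores 4 (internet → vm-web → role-web → bucket-pii). The critical RCE on vm-batch never appears on a path because nothing reaches it from the internet, which is exactly why a graph ranks it below the exposed chain. Removing the over-privileged signal from role-web in the modelled IaC and re-running drops the top score to 3 and empties the toxic list, mirroring the "Verify" step in the scenario below.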

Priya, a cloud engineer at a Pune fintech, faces this

The new vulnerability scanner reports 11,000 CVEs across the AWS estate and the security team has no idea where to start; criticals are everywhere.

Likely cause

The tool produces a flat, unranked list with no context about exposure, identity or data — every CVE looks equally urgent.

Diagnosis

Open the Wiz Security Graph: of those 11,000 findings, only a handful sit on internet-exposed workloads that also hold an over-privileged role with a path to a customer-data bucket.

Wiz ▸ Security Graph ▸ Attack Paths ▸ Toxic Combinations
Fix

Triage the ranked attack paths first; for the top toxic combination, use cloud-to-code to trace it to the IaC template that opened the security group and remove the over-privileged role at the source.

Verify

Re-check the graph: the critical attack path is gone, the data is no longer reachable, and the team works a short, high-signal list instead of 11,000 alerts.

Prove it from the attack path, not a hunch

Don't close a cloud risk on 'looks low'. Open the attack path in the graph: it shows the exposed entry point, the vuln, the identity used to pivot and the data it reaches. That single view tells you whether a finding is truly exploitable before you spend effort on it.

Four minor findings become one critical attack path

How the Security Graph chains a toxic combination end-to-end:

① Exposed entry: A VM is left internet-facing because an IaC template opened the security group to 0.0.0.0/0 — minor on its own.
② Vulnerable host: That same VM runs a package with a critical remote-code-execution CVE — also 'just another CVE' in a flat list.
③ Identity pivot: The VM's instance role is over-privileged, granting far more than it needs — a CIEM finding by itself.
④ Reaches data: Those permissions allow read access to a bucket of customer PII — the graph chains all four into one critical attack path.
Quick check · Q4 of 10 · Analyze

Why does graph context reduce alert fatigue compared to a flat CVE list?

Correct: d. A flat list gives thousands of unranked findings; the graph correlates them into a short list of attack paths and toxic combinations ranked by real exploitability, so you fix the chains that matter, not the noise.
👉 So far: A toxic combination chains minor findings into one critical attack path; rank by real exploitability and fix at the source with cloud-to-code — never just chase raw CVE counts.


📝 Wrap-up assessment — six more

You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete on your profile.

Q5 · Remember

What core technique lets Wiz scan workloads without installing software on them?

Correct: b. Wiz connects with read-only API permissions and side-scans disk snapshots out-of-band, plus reads container registries — agentless coverage of the whole stack with no workload software.
Q6 · Understand

Which best captures what the Wiz Security Graph adds over a flat scanner?

Correct: a. The graph's job is correlation: it links misconfig, vulns, identity, exposure and data into attack paths ranked by exploitability, which is fundamentally different from a longer flat list.
Q7 · Apply

You must explain which Wiz pillar tells you a workload's instance role can read a sensitive bucket. Which is it?

Correct: c. CIEM maps identities and effective permissions; combined in the graph with DSPM (where sensitive data lives) it shows that the role can actually reach the bucket — that cross-pillar link is the toxic combination.
Q8 · Analyze

Why can four individually low-severity findings still be a critical risk in Wiz?

Correct: b. A toxic combination is exactly this: exposure + vuln + over-privileged identity + reachable sensitive data chain into a single critical attack path even though each finding is minor alone.
Q9 · Evaluate

An interviewer asks how Wiz cuts alert fatigue. Best answer?

Correct: d. The combination of near-complete agentless data and graph-based prioritisation produces a short list of real attack paths and toxic combinations — that context, not muting alerts, is what reduces fatigue.
Q10 · Evaluate

What is the strongest reason to fix a cloud risk via cloud-to-code rather than patching the running resource only?

Correct: c. Cloud-to-code links the running risk back to the template, repository, commit or owner that introduced it, so remediation lands at the source and prevents recurrence — patching only the live resource lets the next deploy reintroduce it.

🧠 In your own words

Type one line: why does Wiz's agentless graph beat a flat CVE scanner for cloud risk? Then compare with the expert version.

Expert version: Because Wiz combines two things a flat scanner lacks. First, agentless coverage — it connects by read-only API and side-scans snapshots, so it sees the whole stack across AWS, Azure, GCP and Kubernetes without agent gaps. Second, the Security Graph correlates misconfig, vulnerabilities, identities, exposure and secrets/data into ranked attack paths and toxic combinations, instead of dumping thousands of unconnected CVEs. That converges CSPM, CWPP, CIEM and DSPM in one place and lets you fix the few chains that actually reach your data — at the source via cloud-to-code — which is exactly how it cuts alert fatigue.

📖 Glossary

CNAPP
Cloud-Native Application Protection Platform — one platform that unifies CSPM, CWPP, CIEM and DSPM (plus IaC scanning) for cloud security.
Agentless scanning
Getting visibility by connecting to cloud APIs with read-only access and side-scanning disk snapshots out-of-band, with no software installed on the workload.
Snapshot / side-scanning
Taking a copy (snapshot) of a workload's disk and scanning it out-of-band for vulnerabilities, misconfig, secrets and malware without touching the live workload.
Wiz Security Graph
The core engine mapping cloud resources, identities, exposure and data as connected nodes, correlating five signals into ranked attack paths.
Attack path
A chain the graph computes from an internet-exposed entry point, through a vulnerability or weak identity, to a high-value target like sensitive data.
Toxic combination
A set of findings, each minor in isolation, that together create a critical, exploitable risk — surfaced as one high-priority attack path.
CSPM / CWPP / CIEM / DSPM
The four converged pillars: posture/config, workload protection, identity entitlements, and data security posture — all feeding the same graph.
Cloud-to-code
Tracing a runtime risk back to the IaC template, repository, commit or owner that introduced it, so the fix lands at the source and stops recurring.

What's next?

Got the platform? Next, go deeper on cloud identity risk — CIEM, over-privileged roles, effective permissions and how a single risky IAM policy becomes the pivot in an attack path.