
Wiz CSPM & Compliance — Misconfigurations, Baselines & Frameworks

Wiz CSPM continuously scans every cloud account — AWS, Azure, GCP and beyond — against 100+ compliance frameworks and thousands of configuration rules, then surfaces the findings that actually matter using the Security Graph. This lesson maps how Wiz detects misconfigurations, enforces multi-cloud baselines, scores compliance posture across CIS/PCI/HIPAA/NIST, and guides you from a finding to a verified fix.

📅 2026-06-20 · ⏱ 17 min · 4 infographics · live block demo · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

Master Wiz CSPM in 2026: multi-cloud misconfiguration detection, 100+ compliance frameworks (CIS, PCI-DSS, HIPAA, NIST), configuration findings, the Security Graph, and guided remediation workflows — all in one interactive Techclick lesson.


Pick where you want to start

1. What CSPM is: agentless scanning, Security Graph, multi-cloud.
2. Compliance frameworks: CIS, PCI, HIPAA, NIST, SOC 2, and how Wiz applies them.
3. Finding lifecycle: detection, scoring, context, remediation.
4. Operations & drift: dashboards, policies, drift alerts, audit exports.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. Does Wiz CSPM require an agent installed on every cloud resource?

Answered in What CSPM is.

2. What is the Wiz Security Graph?

Answered in What CSPM is.

3. Which compliance frameworks does Wiz support out of the box?

Answered in Compliance frameworks.

Most engineers think…

A lot of teams picture CSPM as 'a scanner that flags open S3 buckets' — you run it once a month, export a CSV, and hand it to the auditor. In interviews and in production, that mental model will fail you.

Wiz CSPM is continuous and contextual. It connects to cloud provider APIs agentlessly, builds a live Security Graph across every account, and scores findings not just by severity but by whether the misconfiguration sits on an exploitable path. An open port is low priority if the resource has no internet route; it is critical if the Security Graph shows a direct path from internet to sensitive data through that port. Understanding that context-first model is the thing interviewers test.

① What Wiz CSPM actually is — agentless, continuous, contextual

Wiz CSPM is Wiz's cloud security posture management capability — one of the pillars of its CNAPP platform. It connects to your cloud accounts (AWS, Azure, GCP, OCI, and more) through native cloud APIs and reads the configuration of every resource: buckets, virtual machines, databases, IAM roles, network rules, Kubernetes clusters, serverless functions. No agent is installed. No traffic is intercepted. The scan is agentless and continuous.

The raw configuration data feeds the Wiz Security Graph — a unified graph model that links every resource to its network exposure, the identities that can access it, the vulnerabilities on it, and the sensitive data it holds. This is the key difference from legacy CSPM tools: Wiz does not just tell you 'this S3 bucket is public'. It tells you 'this public bucket is readable by a role that can also write to a production database, and there are customer PII files in it' — that is a toxic combination worth dropping everything for.

Configuration rules are evaluated continuously: whenever Wiz detects a resource change via cloud-event streams, the affected rules re-evaluate within minutes. Findings appear in the Wiz console as configuration issues with a severity, the impacted resource, the violated rule, and a direct link to the compliance frameworks that mandate the control.

Figure 1 — Wiz CSPM end-to-end flow
[Infographic: Cloud APIs (agentless ingestion) → Security Graph (links resources & risk) → Rule eval (1000s of config rules) → Findings (severity + context) → Remediate (fix, verify, close)]
Wiz scans cloud APIs agentlessly, builds the Security Graph, evaluates rules, raises findings, and tracks remediation — all continuously.

Quick check · Q1 of 10 · Understand

How does Wiz CSPM access cloud resources for scanning?

Correct: b. Wiz CSPM is agentless by design — it reads configuration state directly from cloud APIs (AWS, Azure, GCP, etc.) without deploying any software on the resources it scans.

👉 So far: Wiz CSPM = agentless API scanning + Security Graph that links misconfigurations to exposure, identities, vulnerabilities and data to surface the ones that matter.

② Compliance frameworks — CIS, PCI-DSS, HIPAA, NIST, SOC 2 and beyond

Wiz ships with 100+ built-in compliance frameworks mapped to its configuration rules. When you enable a framework for an account or resource scope, Wiz automatically evaluates every applicable rule and shows you the pass/fail posture as a percentage. Frameworks you will encounter in interviews and on the job include CIS Benchmarks (AWS/Azure/GCP specific, level 1 and level 2), PCI-DSS (for card-data environments), HIPAA (for health data), NIST CSF and SP 800-53, SOC 2, ISO 27001, GDPR and cloud-specific ones like AWS Well-Architected Framework.

How baselines work in Wiz

Each framework maps to a set of Wiz cloud configuration rules. A rule defines the expected state (e.g. 'encryption at rest enabled on all RDS instances') and the remediation if it fails. Wiz evaluates thousands of such rules across all supported providers. You can also create custom frameworks and custom rules if your organisation has bespoke standards — useful when a regulator in India or the Middle East adds controls not covered by global frameworks.

Figure 2 — Compliance framework layers in Wiz
[Infographic, top layer to bottom: Custom frameworks (org-specific or regional regulator standards); Cloud-provider specifics (AWS Well-Architected, Azure Security Benchmark); Industry regulations (PCI-DSS, HIPAA, GDPR, SOC 2, ISO 27001); Foundational baselines (CIS Benchmarks L1/L2 for AWS, Azure, GCP)]
Wiz maps thousands of configuration rules to 100+ frameworks, letting one rule satisfy many controls at once.

🔍 Agentless scanning
Wiz connects to cloud APIs directly — no agent, no network tap. It reads resource configurations across AWS, Azure, GCP and others in minutes and re-evaluates continuously on resource change.

🕸️ Security Graph
A graph model linking every cloud resource to its network exposure, IAM identities, vulnerabilities and sensitive data. Misconfigurations that sit on an attack path are auto-promoted in priority.

📋 Compliance framework
100+ built-in frameworks in Wiz (CIS, PCI-DSS, HIPAA, NIST, SOC 2, ISO 27001, GDPR). Each framework maps to specific configuration rules; pass/fail posture is shown as a percentage per account.

🛠️ Guided remediation
Each Wiz finding links to step-by-step console or CLI fix instructions, and Wiz Code can open a fix pull request in your repository. After a fix, Wiz re-scans automatically and closes the finding.

One rule, many frameworks

In Wiz, a single configuration rule — for example 'S3 bucket public access block enabled' — can satisfy controls in CIS AWS, PCI-DSS, NIST and SOC 2 simultaneously. Fixing one misconfiguration can improve your posture score across multiple frameworks at once. That cross-mapping is a favourite interview question.
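The cross-mapping and per-framework posture percentage described in this section, as an added toy model that is not Wiz's own code or data: the rule ids, the rule-to-framework mapping and the scan counts are constructed, and the per-framework control ids are left out rather than guessed. It also ranks which single fix would lift the most framework scores at once.

```python
from collections import defaultdict

# Constructed mapping of rule id -> frameworks in which that rule satisfies a control. Framework
# names are the ones the lesson lists; control ids within each framework are deliberately omitted.
RULE_FRAMEWORKS = {
    "s3-public-access-block": {"CIS AWS", "PCI-DSS", "NIST SP 800-53", "SOC 2"},
    "rds-storage-encrypted": {"CIS AWS", "PCI-DSS", "HIPAA"},
    "cloudtrail-enabled": {"CIS AWS", "SOC 2"},
    "iam-root-mfa": {"CIS AWS", "PCI-DSS"},
}

# Constructed scan results: rule id -> (resources passing the rule, resources failing it).
SAMPLE_RESULTS = {
    "s3-public-access-block": (2, 3),
    "rds-storage-encrypted": (5, 0),
    "cloudtrail-enabled": (1, 0),
    "iam-root-mfa": (0, 1),
}

def framework_rules(mapping):
    """Invert rule -> frameworks into framework -> rules (the checks enabling a framework turns on)."""
    inverted = defaultdict(set)
    for rule, frameworks in mapping.items():
        for fw in frameworks:
            inverted[fw].add(rule)
    return dict(inverted)

def posture(results, mapping):
    """Per-framework pass/fail posture: percentage of evaluated resource checks that pass."""
    scores = {}
    for fw, rules in framework_rules(mapping).items():
        passed = sum(results[r][0] for r in rules if r in results)
        total = sum(sum(results[r]) for r in rules if r in results)
        scores[fw] = round(100.0 * passed / total, 1) if total else 100.0
    return scores

def apply_fix(results, rule):
    """Results after every resource failing `rule` has been remediated."""
    fixed = dict(results)
    passed, failed = results[rule]
    fixed[rule] = (passed + failed, 0)
    return fixed

def fix_impact(results, mapping):
    """Rank failing rules by the frameworks they touch and the total posture points gained
    across those frameworks if the rule is fixed: one fix, several framework improvements."""
    before = posture(results, mapping)
    ranked = []
    for rule, (_passed, failed) in results.items():
        if failed == 0:
            continue
        after = posture(apply_fix(results, rule), mapping)
        gain = round(sum(after[fw] - before[fw] for fw in mapping[rule]), 1)
        ranked.append((rule, len(mapping[rule]), gain))
    return sorted(ranked, key=lambda item: (-item[2], -item[1]))

def best_fix(results, mapping):
    """The single rule whose remediation lifts the most posture across frameworks."""
    ranked = fix_impact(results, mapping)
    return ranked[0][0] if ranked else None

if __name__ == "__main__":
    for fw, score in sorted(posture(SAMPLE_RESULTS, RULE_FRAMEWORKS).items()):
        print(f"{fw:<15} {score:5.1f}%")
    for rule, n_fw, gain in fix_impact(SAMPLE_RESULTS, RULE_FRAMEWORKS):
        print(f"fix {rule}: {n_fw} frameworks, +{gain} posture points in total")
```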

Quick check · Q2 of 10 · Remember

Which of the following is NOT a built-in compliance framework Wiz supports out of the box?

Correct: c. Wiz's 100+ built-in frameworks cover cloud and workload standards: CIS, PCI-DSS, HIPAA, NIST, SOC 2, ISO 27001, GDPR and more. The Cisco IOS Hardening Guide is a network-device standard — not a cloud compliance framework Wiz evaluates.

👉 So far: 100+ built-in frameworks (CIS, PCI-DSS, HIPAA, NIST, SOC 2, ISO 27001) — one Wiz rule can satisfy controls across multiple frameworks at once.

③ Finding lifecycle — from detection to verified fix

When a configuration rule fails, Wiz raises a finding. Each finding carries: the affected resource and cloud account, the violated rule and its description, the mapped compliance frameworks, a severity (Critical / High / Medium / Low / Informational), and the Security Graph context showing whether the resource is on an attack path. Severity is not just rule-based — the Security Graph can upgrade the effective priority of a Medium finding if the resource is internet-exposed and holds sensitive data.

Remediation in Wiz can be guided or automated. The finding panel shows step-by-step fix instructions (console steps, CLI commands, or IaC code). For teams using Wiz Code, a fix pull request can be generated directly in the source repository. For automated enforcement, Wiz Rules can trigger a notification to Slack, Jira or ServiceNow, or — with the right integration — apply a remediation action via a cloud-native function. After a fix is applied, Wiz re-evaluates the resource automatically: the finding closes and the compliance posture score updates.

The interview line: a finding is not just a flag — it is a context-enriched work item with severity upgraded by graph position, a guided fix, and automated re-validation. That lifecycle is what separates CSPM from a one-off audit script.

Figure 3 — Security Graph — context that upgrades findings
[Infographic: Security Graph (Wiz risk engine) at the centre, linked to Network exposure, IAM identities, Vulnerabilities, Sensitive data, Lateral movement and Config findings]
The Security Graph links a misconfiguration to exposure, identity, vulnerabilities and data — showing whether it is a real attack path.

'High severity = fix first' is wrong without context

Never triage purely on the rule severity. A High-severity finding on an isolated dev resource with no internet route and no sensitive data is far less urgent than a Medium finding the Security Graph has promoted to Critical because the resource sits on a path from internet to production database. Always look at the Security Graph context before you prioritise.
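The context-first model from sections ① and ③, as an added toy model that is not Wiz code: the rule ids, the resource inventory and the promotion policy are constructed for illustration. It runs a few configuration rules over a small estate and promotes a Medium finding to Critical only when the graph links internet exposure with sensitive data or a lateral path to production data, while an isolated High stays at its rule severity.

```python
from dataclasses import dataclass, field

SEVERITY = ["Informational", "Low", "Medium", "High", "Critical"]

@dataclass
class Resource:
    rid: str
    kind: str
    config: dict
    internet_exposed: bool = False                        # graph: network exposure
    sensitive_data: bool = False                          # graph: data classification
    lateral_targets: list = field(default_factory=list)   # graph: resources an identity with access here can also write

# Constructed toy rules: (rule id, description, rule-based severity, resource kind, compliant check).
RULES = [
    ("s3-public-access-block", "S3 bucket public access block enabled", "Medium", "s3_bucket",
     lambda c: c.get("public_access_block") is True),
    ("rds-storage-encrypted", "RDS instance storage encryption enabled", "High", "rds_instance",
     lambda c: c.get("storage_encrypted") is True),
    ("sg-no-open-ssh", "Security group does not allow 0.0.0.0/0 on port 22", "High", "security_group",
     lambda c: "0.0.0.0/0:22" not in c.get("ingress", [])),
]

def graph_factors(res, inventory):
    """Risk factors the graph links to this resource: exposure, data, and lateral paths to prod data."""
    factors = []
    if res.internet_exposed:
        factors.append("internet-exposed")
    if res.sensitive_data:
        factors.append("sensitive-data")
    for target in res.lateral_targets:
        t = inventory[target]
        if t.sensitive_data or t.config.get("env") == "prod":
            factors.append(f"lateral-path->{target}")
    return factors

def effective_severity(rule_severity, factors):
    """Toy promotion policy: exposure combined with sensitive data or a lateral path to production
    data is a toxic combination and becomes Critical; anything else keeps its rule severity."""
    exposed = "internet-exposed" in factors
    data_or_path = any(f == "sensitive-data" or f.startswith("lateral-path") for f in factors)
    return "Critical" if exposed and data_or_path else rule_severity

def evaluate(inventory):
    """Run every applicable rule; return failing checks ordered by effective severity, then by context."""
    findings = []
    for res in inventory.values():
        for rule_id, desc, sev, kind, check in RULES:
            if kind == res.kind and not check(res.config):
                factors = graph_factors(res, inventory)
                findings.append({"rid": res.rid, "rule": rule_id, "rule_severity": sev,
                                 "effective": effective_severity(sev, factors), "factors": factors})
    return sorted(findings, key=lambda f: (-SEVERITY.index(f["effective"]), -len(f["factors"])))

def sample_inventory():
    """Constructed estate: one toxic combination, one internal prod DB, one isolated dev SG, one clean bucket."""
    items = [
        Resource("pii-bucket", "s3_bucket", {"public_access_block": False}, internet_exposed=True,
                 sensitive_data=True, lateral_targets=["prod-orders-db"]),
        Resource("prod-orders-db", "rds_instance", {"storage_encrypted": False, "env": "prod"},
                 sensitive_data=True),
        Resource("dev-sg", "security_group", {"ingress": ["0.0.0.0/0:22"]}),
        Resource("logs-bucket", "s3_bucket", {"public_access_block": True}),
    ]
    return {r.rid: r for r in items}

if __name__ == "__main__":
    for f in evaluate(sample_inventory()):
        print(f"{f['effective']:<9} (rule {f['rule_severity']:<6}) {f['rid']:<15} {f['rule']}  {f['factors']}")
```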

▶ Watch a public S3 bucket finding get detected and fixed

How Wiz catches a misconfiguration, enriches it with graph context, and closes it after remediation, stepping through the healthy path:

① API scan: Wiz reads the S3 bucket configuration via the AWS API — no agent, no traffic mirror. It sees public access block is disabled.
② Rule eval: The rule 'S3 bucket public access block enabled' fails. Wiz checks the Security Graph: the bucket holds PII files and is readable by an overly-permissive IAM role.
③ Finding raised: A Critical finding is created (Medium rule, upgraded by Security Graph context) with the affected resource, violated rule, CIS and PCI-DSS control mappings, and a guided fix.
④ Fix & verify: The engineer enables public access block on the bucket. Wiz detects the change via cloud event stream, re-evaluates the rule, and automatically closes the finding.

Quick check · Q3 of 10 · Apply

A Wiz finding is rated Medium severity on a VM, but the console shows it as effectively Critical. What most likely caused the upgrade?

Correct: a. Wiz's Security Graph upgrades effective priority when a misconfiguration sits on an exploitable path — for example, a public VM with sensitive data or an excessive IAM role creates a toxic combination that warrants Critical treatment even if the rule severity is Medium.

👉 So far: A finding has severity + Security Graph context that can upgrade effective priority; remediation is guided (steps / fix PR) and Wiz auto-validates after the fix is applied.

④ Operations, drift detection & audit reporting

Wiz CSPM's operational layer is built around compliance dashboards that show posture across every framework, cloud account and resource type — broken down by failing control, severity and trend over time. The 'Zero Criticals' goal — no outstanding critical misconfigurations across production — is a common target teams set in Wiz. Dashboards export as audit-ready PDFs or CSVs for external auditors, compliance officers and regulators.

Drift detection and policy enforcement

Drift is when a resource's configuration changes away from the compliant baseline. Wiz detects drift via continuous scanning and cloud event streams. You can configure security policies to alert on drift immediately or to block non-compliant deployments via IaC scanning in CI/CD pipelines. Wiz integrates with GitHub, GitLab, Terraform Cloud and others to shift CSPM checks left — misconfigurations caught before deploy cost far less than those found in production. New account onboarding uses Wiz connectors that take minutes to set up; the first full scan of a large cloud estate typically completes within hours.

Figure 4 — Legacy audit vs Wiz CSPM
[Infographic, two columns. Legacy audit script: monthly or quarterly scan; no Security Graph context; CSV of all findings, no priority; manual remediation tracking. Wiz CSPM: continuous, event-driven; graph upgrades effective severity; guided fix + IaC fix PR; auto re-validates after]
Legacy point-in-time audits miss drift; Wiz CSPM is continuous and context-aware, cutting alert noise dramatically.

Priya at a Bengaluru fintech faces this

A routine PCI-DSS compliance report from Wiz shows the organisation dropped from 94% to 71% compliance overnight, with dozens of new Critical findings on RDS instances across the AWS production account.

Likely cause

An automated Terraform pipeline applied a module update that accidentally disabled encryption at rest on all RDS instances in the prod account.

Diagnosis

Open Wiz Compliance ▸ PCI-DSS dashboard, filter by resource type RDS, sort by newest findings. The findings all share the same violated rule: 'RDS instance storage encryption enabled'. The timestamps cluster around last night's Terraform apply.

Wiz Console ▸ Compliance ▸ PCI-DSS ▸ Failing Controls ▸ RDS encryption

Fix

Roll back the Terraform module or apply a patch that re-enables storage encryption on all affected RDS instances. Use Wiz Code to add an IaC policy check in the CI/CD pipeline so this rule is enforced before any future apply.

Verify

After re-applying Terraform with encryption enabled, Wiz re-scans automatically. The findings close, the PCI-DSS posture score returns above 90%, and the 'Zero Criticals' status is restored in the Wiz dashboard.

Don't close tickets manually — let Wiz re-validate

After applying a remediation, do not mark the finding 'resolved' in your ITSM tool until Wiz has re-scanned and closed the finding automatically. Wiz re-evaluates within minutes of detecting a resource change. If the finding stays open after the fix, it means the configuration change was not fully applied — investigate before closing.
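An added toy model of the drift and re-validation lifecycle from the drift section and the scenario above (not Wiz code; rule ids, resource names and the event shape are constructed): a change event re-evaluates only the rules for the changed resource's type, findings open on drift and close only when a re-scan passes, and the newest open findings are grouped by violated rule the way the diagnosis step does. It replays the Terraform scenario with a rollback that reaches only two of the three instances, so one finding correctly stays open.

```python
from collections import defaultdict

# Constructed toy rules: rule id -> (resource type, description, compliant-check on the config).
RULES = {
    "rds-storage-encrypted": ("rds_instance", "RDS instance storage encryption enabled",
                              lambda cfg: cfg.get("storage_encrypted") is True),
    "rds-not-public": ("rds_instance", "RDS instance not publicly accessible",
                       lambda cfg: cfg.get("publicly_accessible") is False),
    "s3-public-access-block": ("s3_bucket", "S3 bucket public access block enabled",
                               lambda cfg: cfg.get("public_access_block") is True),
}

class PostureState:
    """Inventory plus open findings; a change event re-evaluates only the changed resource's rules."""

    def __init__(self, inventory):
        self.inventory = {rid: dict(cfg) for rid, cfg in inventory.items()}  # rid -> config incl. "type"
        self.open = {}       # (rid, rule_id) -> ts when the finding opened
        self.closed = []     # (rid, rule_id, ts when a re-scan verified the fix)
        for rid in self.inventory:                  # initial full scan of the estate
            self._evaluate(rid, ts=0)

    def _evaluate(self, rid, ts):
        cfg, transitions = self.inventory[rid], []
        for rule_id, (rtype, _desc, check) in RULES.items():
            if rtype != cfg["type"]:
                continue
            key = (rid, rule_id)
            if check(cfg):
                if key in self.open:                # fix verified by re-scan: auto-close
                    del self.open[key]
                    self.closed.append((rid, rule_id, ts))
                    transitions.append(("closed", rule_id))
            elif key not in self.open:              # drift away from the compliant baseline
                self.open[key] = ts
                transitions.append(("opened", rule_id))
            else:                                   # a change landed but the check still fails
                transitions.append(("still_open", rule_id))
        return transitions

    def apply_event(self, event):
        """Constructed event shape: {"ts": int, "resource": rid, "change": {attribute: value}}."""
        self.inventory[event["resource"]].update(event["change"])
        return self._evaluate(event["resource"], event["ts"])

    def is_closed(self, rid, rule_id):
        return (rid, rule_id) not in self.open

    def newest_failing_rules(self, since):
        """Group findings opened at or after `since` by violated rule (the diagnosis step above)."""
        groups = defaultdict(list)
        for (rid, rule_id), opened in self.open.items():
            if opened >= since:
                groups[rule_id].append(rid)
        return {rule: sorted(rids) for rule, rids in groups.items()}

def terraform_drift_scenario():
    """Constructed replay: a module update disables RDS encryption on three production instances
    overnight, and this morning's rollback reaches only two of them."""
    inventory = {f"prod-db-{i}": {"type": "rds_instance", "storage_encrypted": True,
                                  "publicly_accessible": False} for i in (1, 2, 3)}
    inventory["assets-bucket"] = {"type": "s3_bucket", "public_access_block": True}
    state = PostureState(inventory)
    for i in (1, 2, 3):                             # last night's terraform apply
        state.apply_event({"ts": 100 + i, "resource": f"prod-db-{i}", "change": {"storage_encrypted": False}})
    diagnosis = state.newest_failing_rules(since=100)
    for i in (1, 2):                                # partial rollback
        state.apply_event({"ts": 200 + i, "resource": f"prod-db-{i}", "change": {"storage_encrypted": True}})
    return state, diagnosis
```

`state.open` after the scenario is the list an engineer should consult before touching the ITSM ticket: the fix is only done when the rule passes on re-scan and the finding disappears from it.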

Quick check · Q4 of 10 · Analyze

What is 'configuration drift' in Wiz CSPM, and how does Wiz detect it?

Correct: d. Drift is any configuration change that breaks a compliant baseline. Wiz detects it continuously using cloud event streams — re-evaluating affected rules within minutes of a change — so teams are alerted to drift as it happens, not during the next monthly scan.

👉 So far: Drift is continuous — Wiz detects it via cloud event streams within minutes. Dashboards export audit-ready reports; IaC scanning shifts controls left into CI/CD.

📝 Wrap-up assessment — six more

You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete on your profile.

Q5 · Remember

Which statement best describes how Wiz CSPM accesses cloud resources?

Correct: a. Wiz is agentless: it reads resource configuration directly from cloud provider APIs (AWS, Azure, GCP, etc.) without any agent, daemon or network sensor installed on the target resources.

Q6 · Understand

Why can fixing one Wiz misconfiguration finding improve your score across multiple compliance frameworks simultaneously?

Correct: b. Wiz maps each configuration rule to the controls in every applicable framework. Enabling S3 bucket public access block, for example, satisfies a CIS control, a PCI-DSS control, and a NIST control simultaneously — one fix, multiple framework improvements.

Q7 · Apply

A Wiz finding on a database instance is rated Medium by the rule but appears as Critical in the console. What should you check first?

Correct: c. Wiz upgrades the effective severity of findings when the Security Graph shows the resource sits on an exploitable attack path — for example, publicly reachable, holding PII, or accessible by an over-permissive identity. The Security Graph panel on the finding shows exactly which toxic combination triggered the upgrade.

Q8 · Analyze

Your organisation's PCI-DSS posture in Wiz drops sharply overnight after a Terraform apply. What is the most efficient first step?

Correct: d. Filtering by the affected framework and sorting by timestamp in Wiz quickly shows which rule started failing after the pipeline ran. The shared rule and resource type point directly to the misconfiguration introduced by the Terraform module — far faster than a manual audit or CSV export.

Q9 · Evaluate

Which of the following is the strongest argument for shifting CSPM checks into the CI/CD pipeline with Wiz?

Correct: b. Shifting left with Wiz IaC scanning catches non-compliant resource definitions before they are deployed, which is both cheaper and less disruptive than finding misconfigurations in production. It does not replace runtime scanning — runtime catches drift from manual changes and events that bypass CI/CD.

Q10 · Evaluate

What is the main operational advantage of Wiz auto-closing a finding after remediation rather than requiring manual closure?

Correct: c. Manual ticket closure is error-prone: engineers mark issues resolved before the fix is fully applied. Wiz re-scanning after a resource change and auto-closing only when the rule passes ensures the compliance posture score reflects actual configuration state, not human assertion.

🧠 In your own words

Type one line: why does Wiz's Security Graph matter for CSPM, rather than just listing every misconfiguration at the same severity? Then compare with the expert version.

Expert version: Without context, a flat list of misconfigurations buries the critical ones in noise — an open port on an isolated dev box looks the same as an open port on a database holding PII with a path from the internet. The Security Graph links each misconfiguration to network exposure, IAM identities, vulnerabilities and sensitive data, so Wiz can identify toxic combinations: the small number of misconfigurations that lie on a real, exploitable attack path. Those get upgraded in priority; everything else stays at its rule-based severity. The result is that security teams focus remediation effort on findings that can actually be exploited, not on a 2,000-item CSV sorted alphabetically.

📖 Glossary

CSPM (Cloud Security Posture Management)
Continuous, automated assessment of cloud resource configurations against security rules and compliance frameworks, with finding management and remediation guidance.
Security Graph
Wiz's unified graph model that links cloud resources to their network exposure, IAM identities, vulnerabilities, secrets and sensitive data — used to identify toxic combinations and real attack paths.
Configuration finding (issue)
A Wiz alert raised when a cloud resource's configuration violates a security or compliance rule, carrying severity, resource context, framework mappings and a guided fix.
Compliance framework
A set of security controls mapped to Wiz configuration rules (e.g. CIS Benchmarks, PCI-DSS, HIPAA). Wiz ships 100+ built-in frameworks and supports custom ones.
Configuration drift
A change in a cloud resource's configuration that moves it away from the compliant baseline — detected by Wiz continuously via cloud event streams.
Toxic combination
Wiz's term for multiple risk factors converging on one resource — e.g. a misconfiguration + public exposure + sensitive data — creating a real, exploitable attack path that the Security Graph surfaces.
Wiz connector
The cloud-provider integration (IAM role in AWS, service principal in Azure) that grants Wiz read-only API access to scan an account — setup takes minutes.
Zero Criticals
A Wiz community goal and dashboard status: no outstanding critical misconfigurations, compliance violations or vulnerabilities across production cloud accounts.

What's next?

Got CSPM? Next, go deep on Wiz Cloud Detection & Response (CDR) — how the Security Graph drives real-time threat detection across cloud logs, lateral movement paths and identity abuse.