TTechclick ⚡ XP 0% All lessons
Wiz · Cloud Security · CWPPInteractive · L1 / L2 / L3

Wiz CWPP — Workload Vulnerability Management & Container Scanning

Wiz CWPP gives you full-stack visibility into every workload — VMs, containers and serverless — without installing agents. It surfaces OS and library CVEs, scans container images, detects hardcoded secrets and malware, and checks host configurations, then layers everything through the Wiz Security Graph to show only the risks that truly matter.

📅 2026-06-20 · ⏱ 16 min · 4 infographics · live block demo · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

Master Wiz CWPP workload vulnerability management (2026): agentless OS and library CVE scanning, container image analysis, secrets detection, malware, and host configuration — all prioritised via the Wiz Security Graph.

🎯 By the end you will be able to

Read as:

Pick where you want to start

1

How it scans

Agentless snapshot side-scanning — no agent needed.

 2

Finding types

OS CVEs, library CVEs, secrets, malware, host config.

 3

Container scanning

Registry, image layers, CI/CD gates.

 4

Risk prioritisation

Security Graph, attack paths, fix first.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. Does Wiz CWPP require an agent installed on every workload?

Answered in How it scans.

2. Which Wiz component turns individual CVE findings into prioritised attack paths?

Answered in Risk prioritisation.

3. Where does Wiz scan container images for vulnerabilities?

Answered in Container scanning.

Most engineers think…

Most people picture workload security as 'install an agent on every server, hope it stays current, patch the agent every quarter'. That model is expensive, fragile, and leaves coverage gaps everywhere a new container spins up before the agent gets deployed.

Wiz CWPP flips the model: it mounts read-only snapshots of your volumes and container images, runs full OS and library CVE analysis, secrets scanning, malware detection and host-config checks — all without touching your running workloads. Every finding then flows into the Wiz Security Graph, which adds internet exposure, identity permissions and data sensitivity before surfacing only the risks that form a genuine attack path. That is why Wiz can say 'fix these three CVEs first' instead of handing you a 50,000-row spreadsheet.

① How Wiz CWPP scans workloads — agentless snapshot side-scanning

Wiz CWPP connects to your cloud provider APIs (AWS, Azure, GCP, OCI) and, for each VM or container host, creates a read-only snapshot of the volume. An ephemeral Wiz runner mounts that snapshot in an isolated environment — your production workload is never touched, never paused, never slowed down. The runner then inspects every layer of the file system: installed packages, open-source libraries, configuration files, environment variables and binary contents.

This SideScanning approach means coverage is instant and complete — every VM, every container and every serverless function that Wiz can reach through your cloud API is scanned, including ephemeral workloads that exist for only a few minutes. There is no agent drift, no version mismatch, no patch window for the scanner itself.

The scan output feeds directly into the Wiz Security Graph, where each finding is enriched with context: is this workload internet-facing? What IAM role does it run under? Does that role have access to a sensitive S3 bucket? That enrichment is what turns a raw CVE list into a ranked risk queue.

Figure 1 — Wiz CWPP agentless scan pipeline
Every workload scan follows this pipeline — snapshot, mount, analyse, graph — without touching the running workload.Wiz CWPP agentless scan pipelineAPI connectcloud provider APISnapshotread-only volume copySideScanOS, libs, secrets,malwareSecurity Graphenrich with contextRisk queueranked attack paths
Every workload scan follows this pipeline — snapshot, mount, analyse, graph — without touching the running workload.
Agentless does not mean incomplete

Interviewers sometimes ask 'but what about ephemeral containers that spin up and down?' — Wiz answers this by scanning the image at registry registration and correlating with runtime data via the cloud API. You get coverage for short-lived workloads without needing an agent that never had time to start.

Quick check · Q1 of 10 · Understand

How does Wiz CWPP scan workloads without installing an agent?

Correct: d. Wiz SideScanning creates a read-only volume snapshot and mounts it in an ephemeral isolated runner. The production workload is never touched, no agent is installed, and all analysis happens on the copy.
👉 So far: Wiz CWPP scans agentlessly via read-only volume snapshots (SideScanning) — no agent, no production impact, full coverage including ephemeral workloads.

② CWPP finding types — OS, libraries, secrets, malware and host config

Wiz CWPP surfaces five categories of workload risk. OS vulnerabilities are CVEs in the base operating system packages — kernel, glibc, OpenSSL, SSH daemon — drawn from vendor advisories and the National Vulnerability Database. Library vulnerabilities are CVEs in application-layer packages: npm, pip, Maven, Go modules, Ruby gems. Wiz parses package manifests and installed binaries to detect both.

Secrets, malware and host configuration

Secrets detection searches the file system and environment variable exports for high-entropy strings matching known patterns: AWS Access Key IDs, private key headers, database connection strings and OAuth tokens. A hardcoded secret is typically higher priority than a medium CVE because it grants direct access with no exploit required. Malware detection scans binary contents against known-bad signatures and heuristics. Host configuration checks the OS and daemon settings against CIS Benchmark controls — SSH permitted root login, world-writable directories, unencrypted listening services — and flags every deviation.

Figure 2 — Five CWPP finding layers
Wiz CWPP inspects every layer of a workload from the OS up to application libraries and runtime config.Five CWPP finding layersHost configurationCIS Benchmark deviationsMalwareknown-bad binaries, heuristicsSecretskeys, tokens, connection stringsLibrary CVEsnpm, pip, Maven, Go, gemsOS CVEskernel, glibc, OpenSSL, SSH
Wiz CWPP inspects every layer of a workload from the OS up to application libraries and runtime config.
📸
SideScanning
tap to flip

Wiz mounts a read-only snapshot of your volume in an isolated runner. No agent installed, no production workload touched — full visibility with zero footprint.

🔑
Secrets detection
tap to flip

The scanner searches file systems and env exports for high-entropy strings: AWS keys, private key headers, database passwords, OAuth tokens. A secret beats most CVEs for urgency.

🧩
Security Graph
tap to flip

A continuously updated graph that links every CVE, secret, identity, network path and data store. The graph turns a raw finding into a ranked attack path.

📦
Container image scan
tap to flip

Wiz analyses every image layer — base OS, app libraries, COPY-embedded secrets — at registry, runtime and CI/CD pipeline stages, with context from the running pod.

Treating secrets as low-priority

A hardcoded AWS Access Key ID in a container image is often more dangerous than a Critical CVE because it requires no exploit — just a credential and an API call. Always triage secrets separately and rotate them the same day they are found, regardless of CVE workload.

Quick check · Q2 of 10 · Remember

Which CWPP finding type typically needs rotation rather than a patch?

Correct: c. Hardcoded secrets — API keys, database passwords, OAuth tokens — cannot be 'patched'; they must be rotated and removed from the code or file system. CVEs and misconfigurations are fixed by update or reconfiguration.
👉 So far: Five finding types: OS CVEs, library CVEs, hardcoded secrets, malware, and host configuration deviations — secrets need rotation, not patching.

③ Container image scanning — registry, running containers and CI/CD gates

Container security in Wiz CWPP spans three stages. At the registry, Wiz connects to ECR, GCR, ACR, Docker Hub and private registries, pulls each image layer by layer, and runs the full finding-type analysis: OS packages in the base layer, application libraries in upper layers, secrets embedded in COPY instructions, and known-bad binaries. Findings are tied to the image tag and digest so you always know exactly which version is affected.

For running containers, Wiz correlates the image findings with runtime context: is this container actually running? Is it internet-facing? Does its pod service account have cluster-admin rights? A critical CVE in an image that is never deployed scores differently from the same CVE in a running, internet-exposed pod.

In the CI/CD pipeline, the Wiz CLI or GitHub/GitLab integration scans images at build time and can be configured to fail the pipeline if findings exceed a defined threshold — shifting the security gate left before a vulnerable image ever reaches the registry. This three-stage approach means a vulnerability caught in the pipeline never reaches production, but one that slips through is still caught at the registry or running-container layer.

Figure 3 — Container image scanning — three stages
Wiz scans at build, registry and runtime so a vulnerable image is caught before it reaches production — and still caught if it slips through.Container image scanning — three stagesCI/CD gatescan at build timeRegistry scanlayer-by-layeranalysisRuntime checkrunning containercontextGraph enrichexposure + identityPrioritiseattack path ranking
Wiz scans at build, registry and runtime so a vulnerable image is caught before it reaches production — and still caught if it slips through.
Confirm the image digest, not just the tag

Image tags like 'latest' are mutable — the same tag can point to a different digest after a rebuild. When verifying a container fix in Wiz, always confirm by image digest (sha256:…) not by tag, so you are certain the scanned image is the one now running in the cluster.

▶ Watch Wiz catch a vulnerable container before it reaches production

A developer pushes an image with a CVE and a hardcoded secret. Step through the Wiz detection flow, then Break it to see the classic coverage gap.

① Image pushA developer pushes a new container image to ECR. The image contains a base OS with an unpatched CVE and a hardcoded AWS key in an ENV instruction.
② Registry scanWiz detects the new image via the cloud API, pulls each layer read-only, and finds the CVE in the base OS packages and the AWS key in the environment variables.
③ Graph enrichmentThe Security Graph checks: is this image deployed? The running pod is internet-facing and its IAM role can write to a production S3 bucket — instant Critical attack path.
④ Alert + blockWiz raises a Critical finding with the attack path visualised. The CI/CD integration is configured to block promotion to production until the CVE is patched and the secret rotated.
Press Play to step through the healthy detection path. Then press Break it.
Quick check · Q3 of 10 · Apply

A container image has a critical CVE but the container is never actually deployed to any cluster. How does Wiz rank this finding?

Correct: a. Wiz correlates image findings with runtime context. A CVE in an undeployed image has no running workload, no network exposure and no identity path — so the Security Graph downgrades its urgency compared with the same CVE in a running, internet-facing pod.
👉 So far: Container scanning spans three stages: CI/CD pipeline gate, registry layer analysis, and running-container runtime context — catch it early, confirm it live.

④ Risk prioritisation — the Security Graph, attack paths and fix-first logic

Raw CVE counts are useless without context. Wiz addresses this through the Wiz Security Graph: a continuously updated graph database that maps every cloud resource, identity, network path, vulnerability and secret into a single model. When a CVE is found on a workload, the graph asks: is the workload internet-facing? Does it run under an over-privileged IAM role? Is that role able to reach a sensitive data store? If yes to all three, that CVE is part of a toxic combination and rises to the top of the queue.

Wiz expresses these chains as attack paths — visual graphs showing the exact steps an attacker would follow from internet exposure through the CVE to the blast-radius target. Each attack path has a criticality score and a one-click remediation guide. The practical result: instead of patching 2,000 medium CVEs in arbitrary order, a team patches the ten that actually lead somewhere dangerous, and the rest can wait for the next maintenance window.

Practical fix-first workflow

Start with Critical attack paths that combine internet exposure + a CVE with a known public exploit + an overprivileged identity. Next, sweep hardcoded secrets — they need rotation, not a patch. Then work host-config deviations by CIS priority. Container image findings should be fixed at the source (the Dockerfile or base image) so every rebuild is clean.

Figure 4 — CVE with vs without Security Graph context
The same CVE score changes priority dramatically once Wiz adds network exposure, identity and data sensitivity.CVE with vs without Security Graph contextCVE without contextCVSS 7.5 — medium-highOne of thousands in queueNo exposure or identity infoPatch order: arbitraryCVE with Security GraphInternet-facing workloadPublic exploit availableIAM role reaches S3 bucketTop-1 attack path: patch now
The same CVE score changes priority dramatically once Wiz adds network exposure, identity and data sensitivity.

Priya at a Mumbai fintech faces this

Wiz surfaces 1,800 medium CVEs across the production Kubernetes cluster. The security team does not know where to start and the engineering lead refuses to halt sprints for a mass-patch exercise.

Likely cause

The team is treating CVE count as the metric rather than using the Wiz Security Graph to filter by attack path, internet exposure and identity.

Diagnosis

Open Wiz ▸ Vulnerabilities ▸ filter by 'Has attack path' + 'Internet exposed' + 'Exploitable'. The 1,800 collapses to eleven findings across three nodes.

Wiz Console ▸ Vulnerabilities ▸ Attack Paths ▸ Filter: Internet Exposed + Has Public Exploit
Fix

Patch the eleven CVEs on those three nodes in one maintenance window. Rotate the two hardcoded AWS secrets found in the same scan. Schedule the remaining medium CVEs in the next sprint cycle using the Wiz ticketing integration.

Verify

Re-run the attack path filter — zero critical paths remain. The 1,800 medium CVEs are now visible but none form a dangerous chain, confirming the right prioritisation.

Quick check · Q4 of 10 · Analyze

A CVSS 7.5 CVE on a VM ranks as the top-1 attack path in Wiz. What most likely explains this?

Correct: b. The Security Graph elevates a moderate CVE to top priority when internet exposure + a public exploit + an overprivileged identity path to sensitive data combine. That toxic combination makes exploitation straightforward and the blast radius large.
👉 So far: The Security Graph turns raw CVEs into ranked attack paths. Fix internet-exposed + exploitable + overprivileged CVEs first; the rest can wait for the next sprint.

🤖 Ask the AI Tutor

Tap any question — instant, scoped to this lesson. No login, no waiting.

Pre-curated from vendor docs + community Q&A, scoped to this lesson. For a live prod issue, paste your export into chat.techclick.in.

📝 Wrap-up assessment — six more

You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete on your profile. Tap Submit all answers at the end.

Q5 · Remember

Which Wiz scanning method avoids installing any agent on the workload?

Correct: d. Wiz SideScanning mounts a read-only copy of the workload volume in an ephemeral isolated runner. No agent is installed, no production workload is touched, and coverage extends to ephemeral containers scanned via the image at registry registration.
Q6 · Understand

A critical CVE is found on a container that has never been deployed. How should it be triaged?

Correct: a. The Wiz Security Graph enriches findings with runtime context. Without a running workload, there is no internet exposure and no identity path, so there is no attack path. The finding is still tracked but ranked below CVEs on live, internet-exposed containers.
Q7 · Apply

You find 1,500 medium CVEs in your Kubernetes cluster. What is the fastest way to identify which ones to patch first using Wiz?

Correct: c. The Wiz Security Graph attack-path filter combines internet exposure, exploitability and identity to surface the small subset of CVEs that actually pose an immediate risk. Sorting by CVSS alone ignores context and leads to wasted effort on unexploitable findings.
Q8 · Analyze

A hardcoded AWS Access Key ID is found in a container image ENV layer. Why is this typically more urgent than a CVSS 8.0 CVE on the same image?

Correct: d. A hardcoded credential can be used immediately via a standard API call — no exploit, no shellcode, no race condition. Wiz flags secrets for same-day rotation because the time-to-exploitation is effectively zero once the secret is discovered.
Q9 · Evaluate

Your team wants to block vulnerable container images before they reach production. Which Wiz integration achieves this?

Correct: b. The Wiz CLI and VCS integrations (GitHub/GitLab Actions) scan the image at build time and can be configured to fail the pipeline if findings exceed a severity threshold — shifting the gate left so vulnerable images never reach the registry or production.
Q10 · Evaluate

What makes a toxic combination in the Wiz Security Graph?

Correct: c. A toxic combination is the convergence of internet exposure, an exploitable CVE and an overprivileged identity path to sensitive data. CVSS score alone does not create a toxic combination — the Security Graph context is what elevates a finding to top priority.
Lesson complete — saved to your profile.
Almost! You need 70% (7 of 10) — re-read the path that tripped you up and tap "Try again".

🧠 In your own words

Type one line: why does Wiz CWPP rank CVEs differently from a plain CVSS score? Then compare with the expert version.

Expert version: Wiz CWPP adds Security Graph context to every CVE: is the workload internet-facing? Does a public exploit exist? Does the workload identity have access to sensitive data? When all three combine, even a CVSS 7.5 finding becomes a top-priority attack path, while a CVSS 9.8 CVE on an isolated, never-deployed image sits far down the queue. That context-first model is what prevents the '50,000 CVE spreadsheet' problem.

🗣 Teach a friend

Best way to lock it in — explain it in one line to a teammate. Tap to generate a paste-ready summary.

📖 Glossary

SideScanning
Wiz's agentless scan method: mount a read-only snapshot of a workload volume in an isolated ephemeral runner, analyse it fully, then discard. No agent is installed on the target workload.
Security Graph
A continuously updated graph database mapping every CVE, secret, identity, network path and data store. It computes attack paths by combining findings with exposure and identity context.
Attack path
A chain of vulnerabilities, misconfigurations and access relationships that together let an attacker move from an initial entry point to a high-value target such as sensitive data or full cloud admin.
Toxic combination
When internet exposure, an exploitable CVE and an overprivileged identity path to sensitive data all converge on one workload — the Security Graph elevates this to top priority.
Container image scanning
Analysis of each image layer for OS CVEs, library CVEs, embedded secrets and malware — performed at CI/CD pipeline, registry and running-container stages in Wiz.
Secrets detection
Wiz searches file systems and environment variable exports for high-entropy strings matching known secret patterns: API keys, private key headers, database passwords and OAuth tokens.
Host configuration
Checks of OS and daemon settings against CIS Benchmark controls — SSH root login, world-writable directories, unencrypted services. Deviations are surfaced as CWPP findings.
CWPP
Cloud Workload Protection Platform — the pillar of a CNAPP that focuses on vulnerability management, secrets, malware and configuration for VMs, containers and serverless.

📚 Sources

  1. Wiz — CWPP solution page: agentless workload vulnerability management. wiz.io/solutions/cwpp
  2. Wiz Academy — What is a Cloud Workload Protection Platform (CWPP)?. wiz.io/academy/cloud-security/cloud-workload-protection-platforms-cwpp
  3. Wiz — Container and Kubernetes security: image scanning, runtime context and CI/CD gates. wiz.io/solutions/container-and-kubernetes-security
  4. Wiz Blog — CWPP vs CNAPP: an evolution in cloud security (2025). wiz.io/blog/cwpp-vs-cnapp
  5. Wiz Academy — What is a CNAPP? Cloud-Native Application Protection Platform. wiz.io/academy/cloud-security/what-is-a-cloud-native-application-protection-platform-cnapp
  6. CloudQuery — What is CWPP? Cloud Workload Protection explained. cloudquery.io/learning-center/cwpp

What's next?

Got CWPP down? Next, explore Wiz CSPM — how posture misconfigurations in cloud accounts combine with workload vulnerabilities to form the toxic combinations Wiz is famous for surfacing.

Next · All interview lessons → Practice on exam.techclick.in →