
Wiz DSPM — Sensitive-Data Discovery, Classification & Attack Paths

Wiz DSPM is the data-security layer inside the Wiz CNAPP. It agentlessly scans every cloud data store — S3 buckets, RDS instances, Blob Storage, BigQuery — classifies what it finds as PII, PHI, PCI or secrets, and then joins those findings to the Wiz Security Graph so you can see the full attack path from a public endpoint to your most sensitive data. This lesson maps the entire flow, from raw scan to a prioritised, data-aware finding.

📅 2026-06-20 · ⏱ 16 min · 4 infographics · live block demo · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

Master Wiz DSPM in 2026: how agentless discovery finds sensitive data across S3, RDS and SaaS, classifies PII/PHI/PCI, and builds data-aware attack paths on the Wiz Security Graph.

🎯 Lesson path (pick where you want to start)

1. What DSPM is: data posture inside CNAPP, and why it matters.
2. Discovery & classify: agentless scan, classifiers, finding anatomy.
3. Security Graph link: attack paths, exposure, identity context.
4. Triage & remediate: exposed-data findings workflow end-to-end.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. Does Wiz DSPM require an agent installed in each data store?

Answered in What DSPM is.

2. Which Wiz component correlates a sensitive S3 bucket with a public exposure path?

Answered in Security Graph link.

3. What is the first step an analyst takes when a 'Publicly accessible bucket with PII' finding appears?

Answered in Triage & remediate.

Most engineers think…

Most people treat DSPM as a separate, standalone scanner that emails a weekly CSV of sensitive files — something the DLP team runs, not the cloud security team.

Wiz DSPM is built directly into the CNAPP. It does not install agents; it uses the same read-only cloud API calls that Wiz already makes for CSPM. What it adds is a data-awareness layer on the Wiz Security Graph: once a bucket or database is tagged as containing PII, that context flows to every attack-path calculation — so a 'publicly accessible S3 bucket' finding jumps in priority the moment Wiz sees it holds real customer records. That integration is the whole point, and it is what distinguishes native CNAPP-DSPM from a bolt-on scanner.

① What Wiz DSPM is — data security inside a CNAPP

DSPM stands for Data Security Posture Management. The core idea is simple: you cannot protect data you cannot see. Wiz DSPM answers three questions for every cloud data store — What sensitive data is here? Who can reach it? What is the exposure path? — and then feeds those answers into the same Security Graph that powers the rest of the Wiz CNAPP.

The key integration advantage: a misconfigured S3 bucket finding from CSPM and a 'bucket contains PII' finding from DSPM are the same node on the Security Graph. Wiz can therefore surface a single, prioritised finding: 'This publicly accessible bucket holds 40,000 customer records and is reachable from the internet via an over-permissioned IAM role.' A standalone DSPM scanner gives you two separate alerts; Wiz gives you one toxic combination with a clear remediation path.

Wiz DSPM covers the major cloud data stores agentlessly: S3, Azure Blob Storage, GCS (object storage), RDS, Azure SQL, Cloud SQL (relational databases), BigQuery, Redshift, Snowflake (data warehouses), and DBaaS broadly. Discovery is continuous and read-only.

Figure 1 — DSPM inside CNAPP — the four-step loop
Wiz DSPM runs a continuous agentless loop: discover data stores, classify content, enrich the Security Graph, surface findings.
[Infographic: Discover (enumerate cloud data stores) → Classify (PII/PHI/PCI/secrets) → Graph enrich (label node with data type) → Attack path (correlate exposure + data) → Finding (prioritised by real impact)]
Quick check · Q1 of 10 · Understand

What is the primary advantage of Wiz DSPM being native to the CNAPP rather than a standalone scanner?

Correct: b. Native CNAPP integration means the DSPM data label lives on the same Security Graph node as the CSPM misconfiguration. Attack paths are automatically data-aware — no manual correlation between separate tools is needed.
👉 So far: Wiz DSPM is a native CNAPP capability — agentless, continuous, and graph-integrated — that answers: what sensitive data is here, who can reach it, and by which path?

② How discovery & classification work — from raw scan to a finding

Wiz DSPM uses agentless, read-only API access — the same mechanism as Wiz CSPM. No agent is installed; Wiz calls cloud provider APIs to enumerate data stores, then performs content sampling to detect sensitive data patterns. The process has four steps: enumerate (find all data stores in scope), sample (read a representative subset of content), classify (run classifiers against the sample), and publish (write the data type labels back to the Wiz Security Graph node for that resource).

Built-in and custom classifiers

Wiz ships built-in classifiers for the four main sensitive-data categories. You can also define custom classifiers using regex or keyword lists for proprietary data types.

1. PII (Personally Identifiable Information): names, email addresses, national ID numbers, passport numbers, phone numbers.
2. PHI (Protected Health Information): diagnosis codes, medical record numbers, health plan IDs; relevant to HIPAA compliance.
3. PCI (Payment Card Industry): primary account numbers (PANs), CVVs, card-holder data scoped to PCI DSS.
4. Secrets: API keys, access tokens, private keys, and credentials stored in data stores.

A DSPM finding contains: the resource identifier, the data types detected, an estimated volume, a sensitivity label (high/medium/low), and the timestamp of last scan. This enriches the CSPM node so every downstream attack-path query can filter by data sensitivity.
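The four-step flow and the finding layout just described, as an added Python example. This is not Wiz's classifier code: the regexes, the two-hit threshold, the sensitivity rule, the bucket names and the object contents are assumptions constructed for illustration. It samples a few objects per store, runs built-in-style classifiers for PII, PCI and secrets plus a custom regex classifier, validates card-number hits with a Luhn check so order numbers do not become PCI findings, and publishes a finding carrying the resource id, detected data types, estimated volume, sensitivity label and scan timestamp.

```python
"""Toy version of the discovery-and-classification flow described above
(enumerate, sample, classify, publish). Added example, not Wiz's classifier
code: regexes, thresholds, the sensitivity rule, bucket names and object
contents are all assumptions constructed for illustration."""
import re
from datetime import datetime, timezone


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: keeps arbitrary 16-digit numbers (order ids) out of PCI hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# (category, label, pattern, optional validator): stands in for the built-in classifiers.
CLASSIFIERS = [
    ("PII", "email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), None),
    ("PII", "phone", re.compile(r"\+\d{1,3} \d{5} \d{5}\b"), None),
    ("PCI", "pan", re.compile(r"\b(?:\d[ -]?){15}\d\b"),
     lambda m: luhn_ok(re.sub(r"\D", "", m))),
    ("Secrets", "private_key", re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"), None),
    ("Secrets", "aws_secret_key", re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*\S{16,}"), None),
]


def add_custom_classifier(category: str, label: str, pattern: str) -> None:
    """Custom classifier: an organisation-specific regex registered beside the built-ins."""
    CLASSIFIERS.append((category, label, re.compile(pattern), None))


def classify_store(resource_id, objects, total_object_count,
                   max_objects=3, max_bytes=4096, min_hits=2):
    """Sample a few objects, run every classifier over them, and publish a finding (or None)."""
    sampled = list(objects.items())[:max_objects]              # sample step
    hits = {}                                                   # (category, label) -> match count
    for _key, body in sampled:
        text = body[:max_bytes]
        for category, label, rx, validate in CLASSIFIERS:      # classify step
            for match in rx.findall(text):
                if validate is None or validate(match):
                    hits[(category, label)] = hits.get((category, label), 0) + 1
    detected = {k: v for k, v in hits.items() if v >= min_hits}   # threshold cuts one-off noise
    if not detected:
        return None
    # Extrapolate from the sample to the store (assumed: hits scale with object count).
    estimated = int(round(max(detected.values()) * total_object_count / len(sampled)))
    categories = sorted({c for c, _ in detected})
    # Assumed sensitivity rule: credentials, card data and health data are always high;
    # other data becomes high only at volume.
    high = any(c in ("Secrets", "PCI", "PHI") for c in categories) or estimated >= 1000
    return {                                                    # publish step: the finding
        "resource": resource_id,
        "categories": categories,
        "data_types": sorted(f"{c}:{l}" for c, l in detected),
        "estimated_records": estimated,
        "sensitivity": "high" if high else "medium",
        "last_scan": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }


# Constructed inventory: resource -> (sampled objects, total object count). Names, rows
# and the secret-key values are invented placeholders.
SAMPLE_STORES = {
    "s3://prod-customer-exports": ({
        "export-2026-06-01.csv": "name,email,phone\nAsha R,asha.r@example.com,+91 98765 43210\n"
                                 "Ravi K,ravi.k@example.com,+91 91234 56789\n",
        "export-2026-06-02.csv": "name,email,phone\nMeera S,meera.s@example.com,+91 99887 76655\n",
        "README.txt": "Nightly customer export. Do not share.",
    }, 4000),
    "s3://build-artifacts": ({
        "ci.env": "AWS_SECRET_ACCESS_KEY=EXAMPLEKEYPLACEHOLDER000000000000000\n",
        "deploy.env": "aws_secret_access_key: EXAMPLEKEYPLACEHOLDER111111111111111\n",
        "notes.md": "Pipeline notes, nothing sensitive.",
    }, 120),
    "s3://app-logs": ({
        "orders.log": "order=1234 5678 9012 3456 status=ok\norder=1234 5678 9012 3456 status=ok\n",
    }, 50),
}


def scan_all(stores=SAMPLE_STORES):
    """Enumerate step over the inventory; returns findings keyed by resource id."""
    findings = {}
    for resource_id, (objects, total) in stores.items():
        finding = classify_store(resource_id, objects, total)
        if finding:
            findings[resource_id] = finding
    return findings


if __name__ == "__main__":
    for finding in scan_all().values():
        print(finding)
```

Two details matter more than the regexes. The `min_hits` threshold means one stray email in a log file does not label a whole bucket, and the Luhn validator keeps the order numbers in app-logs out of the PCI category; classifier precision matters because every attack-path query downstream inherits the label that gets published to the graph.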

Figure 2 — Four sensitive-data categories Wiz classifies
Each category maps to a compliance framework and a built-in classifier set. Custom classifiers extend coverage for proprietary data.
[Infographic: PII: names, emails, IDs, passports (GDPR & privacy); PHI: medical records, diagnoses, health IDs (HIPAA); PCI: card numbers (PANs), CVVs, cardholder data (PCI DSS); Secrets: API keys, tokens, private keys in data stores]
Agentless discovery
Wiz DSPM uses read-only cloud API calls — no agent required. It enumerates S3, Blob, RDS, BigQuery and other data stores, samples their content, then classifies without touching your workloads.
Built-in classifiers
Wiz ships classifiers for PII, PHI, PCI and secrets out of the box, covering GDPR, HIPAA and PCI DSS scopes. Custom classifiers using regex or keyword lists handle proprietary data types.
Security Graph node
After classification, the data store node in the Wiz Security Graph is labelled with detected data types. Every attack-path query can now filter by data sensitivity — 'show paths to PII only'.
Toxic combination
A toxic combination is when DSPM data context + public exposure + over-permissioned identity + a vulnerability all appear on connected graph nodes. Wiz surfaces these as a single high-priority finding.

Name the four classifier categories in interviews

Interviewers testing DSPM knowledge expect you to list PII, PHI, PCI and secrets — and briefly explain the compliance driver behind each (GDPR, HIPAA, PCI DSS, and general secrets hygiene). Mentioning custom classifiers shows you understand real-world extension beyond built-ins.

Quick check · Q2 of 10 · Remember

Which of the following data categories does Wiz DSPM classify by default?

Correct: a. Wiz ships four built-in classifier categories: PII (personal data), PHI (health data), PCI (card data) and secrets (API keys, tokens). Custom classifiers can be added for proprietary data types.
👉 So far: Discovery = agentless API scan; classification = PII / PHI / PCI / secrets (built-in) + custom classifiers; the result enriches the Security Graph node for that data store.

③ How DSPM joins the Security Graph — data-aware attack paths

The Wiz Security Graph is a graph database of every resource in your cloud estate: compute instances, storage buckets, identities, network paths, vulnerabilities, and — after DSPM runs — data sensitivity labels. Nodes represent resources; edges represent relationships (access, network reachability, identity entitlements). DSPM adds data properties (the detected data types and a sensitivity label) to the node of any storage or database resource it classifies.

Once a bucket has a 'contains PII' label, the Security Graph can answer queries like: Show me all data stores containing PII that are reachable from the internet AND accessed by an over-permissioned role AND have a known vulnerability on the associated compute instance. That combination — called a toxic combination — surfaces as a high-priority attack path finding.

The interview line: DSPM without graph context tells you what data you have; DSPM inside a CNAPP tells you which data is actually at risk and by which route. The graph correlates public exposure, lateral-movement paths, weak authentication, and data sensitivity in a single finding — so the SOC triages by real impact rather than by the count of isolated misconfigs.

Figure 3 — Wiz Security Graph — data-aware attack path signals
The Security Graph correlates DSPM data labels with exposure, identity, network, and vulnerability signals to surface toxic combinations.
[Infographic: a data-aware Security Graph node at the centre, joined to six signals: public exposure, IAM entitlements, network paths, vulnerabilities, misconfigs (CSPM), DSPM data label]
'DSPM is just a data inventory' under-sell

Saying 'DSPM tells you where your sensitive data is' misses half the picture. Inside Wiz, DSPM findings are graph nodes — they combine with exposure, identity and vulnerability edges to produce attack paths. The value is not the inventory; it is the prioritised risk that emerges when the inventory is graph-connected.

▶ Watch a PII finding surface and get resolved

How Wiz DSPM detects a publicly exposed S3 bucket holding customer PII and surfaces an attack path, step by step:

① Discover: Wiz enumerates S3 buckets in the AWS account using read-only API calls — no agent needed. It finds prod-customer-exports.
② Classify: Wiz samples the bucket content and runs built-in PII classifiers. Finds: 40,000 email addresses and national ID numbers — high-confidence PII.
③ Graph enrich: the Security Graph node for the bucket is labelled 'PII: high'. The graph now asks: is this node reachable from the internet?
④ Attack path + finding: graph traversal finds a public ACL edge. Wiz raises: 'Publicly accessible bucket with PII — 40,000 records, direct internet access, no auth required.' Priority: Critical.
Quick check · Q3 of 10 · Analyze

A Wiz finding shows: 'RDS instance with PHI is reachable from the internet via an EC2 instance with a critical CVE.' What makes this a toxic combination?

Correct: b. A toxic combination requires multiple correlated risk signals on connected nodes: here, data sensitivity (PHI), network exposure (internet-reachable compute), and a critical vulnerability all combine to make the data actually exploitable — that is what the Security Graph surfaces.
👉 So far: DSPM labels on the Security Graph power data-aware attack paths — toxic combinations of public exposure, identity entitlements, vulnerabilities, and sensitive data that would be invisible to a standalone scanner.

④ Triaging & remediating exposed-data findings end-to-end

An exposed-data finding in Wiz typically looks like: 'S3 bucket prod-customer-exports is publicly accessible and contains PII (estimated 12,000 records).' The triage workflow has three clear steps:

1. Confirm exposure: open the finding in the Wiz console, verify that the bucket ACL or bucket policy shows public access, and check the Security Graph for the attack path that reaches it.
2. Scope the data: review the DSPM evidence, which classifier fired, how many records, and what data types.
3. Restrict access: apply the remediation (remove the public ACL, enable Block Public Access, tighten the bucket policy). Wiz provides one-click IaC remediation snippets (Terraform, CloudFormation) for common fixes.

Verifying resolution

After remediation, the finding moves to Resolved once Wiz re-evaluates the resource on its next scan cycle (typically within hours for critical findings). Verify by checking that the attack path no longer shows a public-internet-to-PII edge in the Security Graph and that the finding severity drops. Set a notification policy to alert on any future re-exposure of high-sensitivity data stores — this closes the loop on accidental regression.

Figure 4 — Standalone DSPM scanner vs Wiz native DSPM
Native CNAPP integration turns isolated data findings into prioritised, actionable attack paths with full cloud context.
Standalone scanner: separate console, separate alerts; no cloud graph context; manual correlation with CSPM; weekly CSV reports typical; no attack-path prioritisation.
Wiz native DSPM: single finding (data + exposure); Security Graph joins all signals; CSPM + DSPM on the same node; continuous, real-time scan; attack path ranked by data type.

Priya at a Pune-based fintech faces this

A Wiz finding appears: 'S3 bucket prod-loan-applications is publicly accessible and contains PII (estimated 80,000 records).' The security team is unsure whether the data is truly sensitive or just test data.

Likely cause

A developer enabled public access on the bucket for a temporary data-sharing task and never reverted it. The bucket also holds real customer loan application forms, not test data.

Diagnosis

Open the Wiz finding, expand the DSPM evidence tab — the classifier shows 'PII: national ID numbers, phone numbers' with high confidence. The Security Graph shows a direct public-internet-to-bucket edge with no authentication required.

Wiz Console ▸ Findings ▸ Exposed Data ▸ DSPM Evidence + Security Graph Attack Path
Fix

Apply 'Block Public Access' on the S3 bucket via the Wiz one-click remediation snippet (AWS CLI or Terraform). Verify the bucket policy has no public principal. Enable S3 Object Ownership to prevent future ACL overrides.

Verify

Re-check the Wiz finding within the next scan cycle — the attack path edge should be absent and the finding should move to Resolved. Set a notification policy to alert immediately if public access is re-enabled on any bucket containing PII.

Always check the attack path, not just the misconfiguration

Closing 'public bucket ACL' without checking the Security Graph may miss a second exposure route — for example, a Lambda function with a public URL that reads from the same bucket. Always verify the attack path edge is removed in the graph, not just the isolated misconfiguration.
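A small model of the graph query from section ③ and of the verification step in the tip above, as an added Python example. It is not Wiz's Security Graph: the node names, the CVE placeholder, the entitlements and the ranking rule are assumptions constructed here. It labels three data stores with DSPM output, searches every path from the internet to each, collects the exposure, identity and vulnerability signals along those paths, and ranks the result. Removing only the public ACL edge leaves prod-customer-exports reachable through a public Lambda URL, so the finding stays open until that second route is closed as well.

```python
"""Toy security graph with data-aware attack paths. Added example, not Wiz's
Security Graph: a dict-based graph, a simple-path search and an assumed ranking
rule show how a DSPM label on a node combines with exposure, identity and
vulnerability edges, and why a fix is verified by re-running the query rather
than by closing one misconfiguration."""


class SecurityGraph:
    """Resources are nodes (a dict of CSPM facts plus, after DSPM, data labels);
    relationships are directed edges tagged with a kind."""

    def __init__(self):
        self.nodes = {}
        self.edges = {}                                   # src -> {(edge_kind, dst)}

    def add_node(self, name, kind, **props):
        self.nodes[name] = {"kind": kind, **props}
        self.edges.setdefault(name, set())

    def add_edge(self, src, kind, dst):
        self.edges[src].add((kind, dst))

    def remove_edge(self, src, kind, dst):
        self.edges[src].discard((kind, dst))

    def label_data(self, name, data_types, sensitivity):
        # DSPM enrichment: classifier output becomes a property of the store's node
        self.nodes[name].update(data_types=list(data_types), sensitivity=sensitivity)

    def paths(self, src, dst):
        """All simple paths src -> dst, each a list of (node, edge_kind, node) hops."""
        found = []

        def walk(cur, trail, seen):
            if cur == dst:
                found.append(trail)
                return
            for kind, nxt in sorted(self.edges.get(cur, ())):
                if nxt not in seen:
                    walk(nxt, trail + [(cur, kind, nxt)], seen | {nxt})

        walk(src, [], {src})
        return found

    def signals_on(self, path, store):
        """Risk signals present along one path into a labelled data store."""
        signals = {"sensitive_data:" + self.nodes[store]["sensitivity"]}
        for _src, kind, dst in path:
            if kind == "public":
                signals.add("public_exposure")
            if self.nodes[dst].get("cve"):
                signals.add("vulnerability")
            if self.nodes[dst].get("over_permissioned"):
                signals.add("over_permissioned_identity")
        return signals

    def data_aware_findings(self, origin="internet"):
        """One finding per DSPM-labelled store, ranked by the paths that reach it."""
        findings = {}
        for name, node in self.nodes.items():
            if "data_types" not in node:
                continue                                  # no DSPM evidence: nothing to rank
            paths = self.paths(origin, name)
            if not paths:                                 # sensitive but unreachable: hygiene item
                findings[name] = {"priority": "Medium", "paths": [], "signals": set()}
                continue
            signals = set().union(*(self.signals_on(p, name) for p in paths))
            direct_public = any(len(p) == 1 and p[0][1] == "public" for p in paths)
            # Assumed ranking rule (not Wiz's): data + exposure + at least one more signal,
            # or direct unauthenticated internet access, counts as a toxic combination.
            critical = direct_public or len(signals) >= 3
            findings[name] = {"priority": "Critical" if critical else "High",
                              "paths": paths, "signals": signals}
        return findings


def build_sample_graph():
    """Constructed estate: resource names, the CVE placeholder and entitlements are invented."""
    g = SecurityGraph()
    g.add_node("internet", "internet")
    g.add_node("prod-customer-exports", "bucket")
    g.add_node("archive-exports", "bucket")
    g.add_node("patients-db", "database")
    g.add_node("report-lambda", "function")
    g.add_node("web-ec2", "compute", cve="CVE-PLACEHOLDER-critical")
    g.add_node("app-role", "role", over_permissioned=True)
    g.label_data("prod-customer-exports", ["PII:email", "PII:national_id"], "high")
    g.label_data("archive-exports", ["PII:email"], "medium")
    g.label_data("patients-db", ["PHI:medical_record_number"], "high")
    g.add_edge("internet", "public", "prod-customer-exports")   # public bucket ACL
    g.add_edge("internet", "public", "report-lambda")           # public function URL
    g.add_edge("report-lambda", "reads", "prod-customer-exports")
    g.add_edge("internet", "public", "web-ec2")
    g.add_edge("web-ec2", "assumes", "app-role")
    g.add_edge("app-role", "reads", "patients-db")
    return g


if __name__ == "__main__":
    g = build_sample_graph()
    print({k: v["priority"] for k, v in g.data_aware_findings().items()})
    g.remove_edge("internet", "public", "prod-customer-exports")   # close only the public ACL
    print(g.data_aware_findings()["prod-customer-exports"]["paths"])  # still reachable via the Lambda
    g.remove_edge("internet", "public", "report-lambda")           # close the second route too
    print(g.data_aware_findings()["prod-customer-exports"]["priority"])
```

Running it prints Critical for both high-sensitivity stores and Medium for the unreachable archive bucket, which matches the lesson's point that a private, properly permissioned PII store is a hygiene item rather than an attack path. After the ACL edge is removed the bucket drops to High but keeps one path through report-lambda; only when that public URL edge is gone does the store fall back to Medium, which is the state an analyst should demand before treating the finding as resolved.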

Quick check · Q4 of 10 · Apply

After restricting access to a publicly exposed PII bucket, how do you confirm the Wiz finding is resolved?

Correct: c. Wiz re-evaluates resources on its scan cycle. Resolution is confirmed when the finding status moves to Resolved and the Security Graph no longer shows a public-internet-to-PII edge — proving the exposure path, not just the misconfiguration, is closed.
👉 So far: Remediate by fixing the exposure path, then verify in Wiz that the attack-path edge is gone and the finding moves to Resolved — then set a notification policy to catch re-exposure.


📝 Wrap-up assessment — six more


Q5 · Remember

Which Wiz DSPM data category is scoped primarily to HIPAA compliance?

Correct: b. PHI (Protected Health Information) covers medical record numbers, diagnoses, and health plan IDs and maps directly to HIPAA requirements. PCI is for PCI DSS, PII is for GDPR/privacy laws, and secrets is a separate category for credentials.
Q6 · Understand

Why does a 'publicly accessible S3 bucket' finding get higher priority in Wiz when DSPM is enabled?

Correct: b. DSPM enriches the Security Graph node with a data-type label (e.g. PII:high). The graph engine then correlates that label with the public-ACL edge, producing a single high-priority toxic-combination finding instead of a low-priority isolated misconfiguration.
Q7 · Apply

A developer stored an AWS secret access key inside a DynamoDB table that Wiz scans. Which DSPM category fires?

Correct: d. Wiz DSPM has a dedicated 'Secrets' classifier for API keys, access tokens, and private keys found in data stores. An AWS secret access key stored in DynamoDB is a secrets finding, not PCI, PHI or PII.
Q8 · Analyze

Wiz DSPM shows a bucket as 'contains PII' but the finding priority is Medium, not Critical. What is the most likely explanation?

Correct: c. Wiz prioritises by toxic combination. PII data in a private, properly permissioned bucket with no public path and no lateral-movement route is Medium: the data is sensitive but not imminently exploitable. Severity rises when exposure, identity, or vulnerability edges join the node.
Q9 · Evaluate

An interviewer asks: 'What is the difference between Wiz DSPM and a traditional DLP gateway?' Best answer?

Correct: c. DSPM covers data at rest in cloud data stores and provides posture context (who can reach this data and by which path). DLP gateways intercept data in motion (email, web uploads, endpoint transfers). They are complementary, not identical.
Q10 · Evaluate

The Wiz DSPM scan shows a bucket with PII but no attack path in the Security Graph. What is the correct next action?

Correct: c. No current attack path means the data is not imminently exploitable, but it still requires good hygiene: confirm least-privilege access and encryption at rest. A notification policy ensures you catch any future misconfiguration that would create an attack path: proactive posture management, not just reactive triage.

🧠 In your own words

Type one line: how does Wiz DSPM differ from simply turning on S3 server-access logging? Then compare with the expert version.

Expert version: S3 server-access logging records who accessed which objects after the fact — it is a detective control for forensics. Wiz DSPM proactively classifies what sensitive data those objects contain, labels the bucket node on the Security Graph, and correlates that data context with exposure, identity, and vulnerability signals to surface attack paths before a breach. Logging tells you what happened; DSPM tells you what is at risk and by which route.


📖 Glossary

DSPM
Data Security Posture Management — continuous discovery, classification and risk assessment of sensitive data in cloud environments.
Agentless discovery
Wiz reads cloud APIs without installing software in data stores or workloads — read-only, zero-footprint enumeration and content sampling.
PII
Personally Identifiable Information: names, email addresses, national IDs, passports — GDPR-relevant. A core Wiz DSPM classifier category.
PHI
Protected Health Information: medical record numbers, diagnoses, health plan IDs — scoped to HIPAA compliance.
Toxic combination
A Wiz Security Graph finding where multiple risk signals (public exposure, over-permissioned identity, vulnerability, and sensitive data) converge on connected nodes.
Security Graph
Wiz's graph database of all cloud resources, identities, network paths, vulnerabilities, and data labels — used to surface attack paths and toxic combinations.
Data-aware attack path
A Security Graph traversal result showing a route from a threat origin to a sensitive data store, incorporating data-type labels for prioritisation.
Custom classifier
An organisation-specific regex or keyword pattern added to Wiz DSPM to detect proprietary sensitive data types beyond the built-in PII/PHI/PCI/secrets categories.


What's next?

Understand the data layer? Next, go deep on the Wiz Security Graph: how nodes (resources, identities, data stores, vulnerabilities) and edges (access, exposure, network paths) combine to surface the toxic combinations that matter most.