
Wiz CNAPP Interview Questions — Security Graph, Agentless & Cloud Security Answers

Whether you are interviewing for a Wiz-focused cloud-security role or want to speak fluently about CNAPP architecture, interviewers test the same four clusters: the Security Graph and its unified data model, agentless scanning with CSPM and CWPP capabilities, attack path analysis with CIEM and DSPM, and Kubernetes security with practical scenario-based questions. This lesson works through 16 interview questions — the Security Graph and how Wiz correlates risk, agentless scanning versus agent-based approaches, CSPM and CWPP at depth, attack paths and toxic combinations, CIEM for identity risk, DSPM for data exposure, and Kubernetes admission and runtime — with crisp, scenario-led model answers grounded in Wiz's 2026 CNAPP architecture.

📅 2026-06-20 · ⏱ 20 min · 16 interview Q&As · live scenario · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

Prepare for a Wiz CNAPP cloud-security engineer interview with 16 real questions and model answers covering the Security Graph, agentless scanning, CSPM, CWPP, attack paths, CIEM, DSPM, and Kubernetes security scenarios.

Pick where you want to start

1. Security Graph: what Wiz ingests, relationships, risk correlation.
2. Agentless, CSPM & CWPP: connector model, misconfigs, workload vulnerabilities.
3. Attack Paths & CIEM/DSPM: toxic combos, identity risk, data exposure.
4. K8s & Scenarios: admission, image scan, runtime, live scenarios.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. What is the central data structure that powers Wiz's ability to correlate cloud risk across layers?

Answered in Security Graph.

2. How does Wiz scan workloads for vulnerabilities and secrets without installing an agent?

Answered in Agentless, CSPM & CWPP.

3. What is a Wiz attack path?

Answered in Attack Paths & CIEM/DSPM.

Common interview slip

Many candidates say Wiz is 'just a CSPM tool' or that it 'needs an agent on every VM'. Both slips cost marks in a Wiz interview.

Wiz is a full CNAPP — Cloud-Native Application Protection Platform — not only a misconfiguration scanner. Its agentless model means it reads cloud APIs and mounts ephemeral snapshots of volumes to scan OS, container layers, secrets and vulnerabilities without touching running workloads. And the real differentiator is the Security Graph: Wiz ingests every cloud-layer resource (compute, identity, network, data, code) and models the relationships between them, so it can surface toxic combinations — a publicly reachable VM running an unpatched package whose execution role can write to a sensitive S3 bucket — that no single-layer scanner would ever find. Knowing these three pillars — agentless, Security Graph, toxic-combination prioritisation — is exactly what interviewers probe.

① CNAPP & the Security Graph — what Wiz is and how it correlates risk

Q: What is Wiz and how does it differ from a traditional CSPM tool?

Model answer: Wiz is a CNAPP — Cloud-Native Application Protection Platform — that unifies CSPM, CWPP, CIEM, DSPM and container/Kubernetes security in a single agentless platform. A traditional CSPM tool checks cloud control-plane misconfigurations (e.g. public S3 bucket, open security group) in isolation. Wiz goes further by ingesting every cloud layer — IAM identities, compute instances, container images, serverless functions, network topology, managed data stores and code pipeline artefacts — into a Security Graph that models relationships. A misconfiguration alone may be low severity; the Security Graph surfaces it as critical when it is chained with a vulnerable workload and an overprivileged identity — a toxic combination no single-layer scanner finds.

Q: What does the Wiz Security Graph ingest and how does it model cloud resources?

Model answer: The Security Graph reads cloud provider APIs via a read-only connector (no agents, no network probes). It ingests: compute (VMs, containers, serverless), identity (IAM roles, service accounts, permissions), network (VPCs, security groups, public IPs, load balancers), data (S3 buckets, managed databases, secrets stores), and code pipeline resources (CI/CD configs, container registries). Each resource becomes a node; relationships (e.g. 'this EC2 instance has this IAM role which can list this S3 bucket') become edges. Risk findings from CSPM, CWPP, CIEM and DSPM are also attached as nodes, so the graph can traverse edges to compute an attack path and a blast-radius estimate.

Q: What is a toxic combination in Wiz, and why is it more useful than a list of individual findings?

Model answer: A toxic combination is a Wiz query result that chains multiple individually low-or-medium findings into a single ranked critical risk. Classic example: public internet exposure (network edge) + critical CVE in OS package (CWPP finding) + IAM role with write access to a sensitive data store (CIEM finding) = a workload reachable from the internet where an attacker could exploit the CVE, assume the instance role, and exfiltrate data. Individually each finding might be filed and forgotten. As a toxic combination the graph proves the chain is feasible and ranks it high. This is the core interview point: the Security Graph turns a noise-heavy finding list into a short, prioritised set of truly critical risks.

Figure 1 — Wiz Security Graph (risk correlation engine). Inputs: IAM & identities, Compute & VMs, Containers & K8s, Network topology, Data stores, Code & CI/CD.
The Security Graph ingests every cloud layer and models relationships so it can surface toxic combinations no single scanner finds.
Name all three pillars in one breath

When asked 'what is Wiz?', answer with three clean pillars: 'Wiz is an agentless CNAPP — it reads cloud APIs and ephemeral snapshots without agents, builds a Security Graph that models relationships across every cloud layer, and surfaces toxic combinations and ranked attack paths that no single-layer scanner finds.' That single answer covers agentless, Security Graph and prioritisation — exactly what interviewers want to hear.

Quick check · Q1 of 10 · Understand

What makes the Wiz Security Graph able to surface risks that a traditional CSPM scanner cannot?

Correct: b. The Security Graph models relationships (edges) between cloud resource nodes across all layers — compute, identity, network, data and code. This lets it traverse the graph to find feasible attack chains (toxic combinations) that no single-layer scanner sees. Agents, SIEMs and network blocking are not the Security Graph differentiator.
👉 So far: Wiz = agentless CNAPP. Security Graph ingests compute, IAM, network, data and code layers; models relationships; surfaces toxic combinations — multiple low findings chained into one critical feasible path — that single-layer scanners miss.

② Agentless scanning, CSPM & CWPP — how Wiz sees inside workloads without agents

Q: How does Wiz agentless scanning work technically?

Model answer: Wiz uses a read-only cloud API connector — an IAM role (AWS) or service principal (Azure/GCP) with minimal permissions — and does not install agents or open inbound firewall rules. For workload scanning it takes ephemeral snapshots of disk volumes, mounts them in Wiz's own cloud environment, and scans the OS package list, installed files, secrets, container layers and misconfigurations — then discards the snapshot. Running workloads are never touched. This means near-zero operational overhead and no risk of a scanner causing a production incident. The trade-off: you cannot get real-time runtime behaviour (process spawning, network connections in progress) from snapshots alone; for that you add a Wiz Sensor (eBPF-based, lightweight) for runtime telemetry on specific workloads.

Q: What does CSPM cover in Wiz, and what frameworks does it map to?

Model answer: CSPM (Cloud Security Posture Management) in Wiz checks the cloud control plane: IAM policies, network security groups, storage access controls, encryption settings, logging, and service-level configurations across AWS, Azure, GCP and OCI. Findings are mapped to compliance frameworks — CIS Benchmarks, SOC 2, PCI-DSS, ISO 27001, NIST CSF, HIPAA and custom policies — and appear as rules with severity, affected resource and remediation guidance. CSPM in Wiz also checks IaC templates (Terraform, CloudFormation, Bicep) in CI/CD so misconfigurations are caught before deploy.

Q: What does CWPP cover, and how does Wiz scan container images and running clusters?

Model answer: CWPP (Cloud Workload Protection Platform) in Wiz covers the data plane inside workloads: OS package vulnerabilities (CVEs matched against NVD and vendor advisories), application-layer packages (npm, pip, Maven), secrets (hard-coded API keys, credentials in files and environment variables), malware (known-bad files), and misconfigurations inside the OS. For containers, Wiz scans registry images and Kubernetes cluster nodes via the agentless snapshot approach and via the Kubernetes API (pod specs, RBAC, admission configuration). The Security Graph then ties the CVE finding to the running workload, its network exposure and its IAM role — the cross-layer link is what CWPP alone cannot give you.
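To make the agentless snapshot scan and the CWPP package/secret checks from the two answers above concrete, here is an added example (not Wiz's code, and not describing Wiz's internal scan engine). It treats a mounted snapshot as a read-only map of file paths to contents, parses the Debian package database found on it, compares installed versions against a constructed advisory list with placeholder ids, and looks for credential patterns in configuration files. The snapshot contents, advisory entries and the simplified Debian version comparison are all assumptions made for the example; the access key and secret are the AWS documentation example values.

```python
import re

# Constructed stand-in for a mounted ephemeral snapshot: path -> file contents.
# The access key id and secret are the AWS documentation example values, not live credentials.
SNAPSHOT = {
    "/var/lib/dpkg/status": (
        "Package: openssl\nStatus: install ok installed\nVersion: 3.0.11-1~deb12u1\n\n"
        "Package: curl\nStatus: install ok installed\nVersion: 7.88.1-10+deb12u5\n\n"
        "Package: old-tool\nStatus: deinstall ok config-files\nVersion: 1.0-1\n\n"
    ),
    "/home/app/.env": (
        "DB_HOST=db.internal\n"
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "/etc/hostname": "web01\n",
}

# Constructed advisory feed with placeholder ids (a real scanner would use NVD / distro trackers).
ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-1", "package": "openssl", "fixed": "3.0.11-1~deb12u2", "severity": "critical"},
    {"id": "ADVISORY-PLACEHOLDER-2", "package": "curl", "fixed": "7.88.1-10+deb12u4", "severity": "high"},
]

# Credential patterns: AWS access key ids have a fixed AKIA prefix; the secret is matched by its env name.
SECRET_PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("aws_secret_access_key", re.compile(r"AWS_SECRET_ACCESS_KEY\s*=\s*\S+")),
]


def _tokens(s):
    """Split a version fragment into (kind, value) pairs so digit runs compare numerically."""
    return [(1, int(t)) if t.isdigit() else (0, t) for t in re.findall(r"\d+|\D+", s)]


def version_lt(a, b):
    """Simplified Debian-style ordering: epoch, then upstream, then revision.
    It ignores dpkg's special '~' rule, which is enough for the sample versions here."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")
        if not sep:
            upstream, revision = rest, ""
        return (int(epoch), _tokens(upstream), _tokens(revision))
    return split(a) < split(b)


def parse_dpkg_status(text):
    """Return {package: version} for stanzas whose Status ends in 'installed'."""
    installed = {}
    for stanza in text.strip().split("\n\n"):
        fields = dict(line.split(": ", 1) for line in stanza.splitlines() if ": " in line)
        if fields.get("Status", "").endswith("installed"):
            installed[fields["Package"]] = fields["Version"]
    return installed


def find_vulnerable_packages(installed, advisories=ADVISORIES):
    """An installed package is vulnerable when its version sorts below the advisory's fixed version."""
    findings = []
    for adv in advisories:
        version = installed.get(adv["package"])
        if version is not None and version_lt(version, adv["fixed"]):
            findings.append({"package": adv["package"], "installed": version, "fixed": adv["fixed"],
                             "advisory": adv["id"], "severity": adv["severity"]})
    return findings


def find_secrets(snapshot):
    """Scan text files on the snapshot for credential patterns; returns (path, kind) pairs."""
    hits = []
    for path, body in snapshot.items():
        if path == "/var/lib/dpkg/status":
            continue
        for kind, pattern in SECRET_PATTERNS:
            if pattern.search(body):
                hits.append((path, kind))
    return hits


def scan_snapshot(snapshot=SNAPSHOT, advisories=ADVISORIES):
    """Offline scan of a snapshot image: nothing here talks to the running instance."""
    installed = parse_dpkg_status(snapshot.get("/var/lib/dpkg/status", ""))
    return {"vulnerabilities": find_vulnerable_packages(installed, advisories),
            "secrets": find_secrets(snapshot)}


if __name__ == "__main__":
    import json
    print(json.dumps(scan_snapshot(), indent=2))
```

The point a reviewer should take from this is the trade-off the answer above names: everything the scan learns comes from files at rest, so it can say "openssl is below the fixed version" and "an AWS key sits in /home/app/.env", but not whether a process is currently using that key.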

Q: When would you use the Wiz Sensor instead of pure agentless scanning?

Model answer: Pure agentless scanning gives excellent coverage for posture, vulnerabilities and secrets but it is point-in-time (snapshot-based). You add the Wiz Sensor when you need: real-time runtime detection (unusual process spawning, a crypto-miner starting, a shell launched inside a container), network connection visibility at the process level, or file-integrity monitoring on sensitive paths. The Sensor is eBPF-based so it has minimal performance impact and does not require privileged kernel modules. In practice, most organisations start with agentless for broad coverage and add the Sensor on crown-jewel workloads or where compliance mandates runtime detection.

Figure 2 — CSPM vs CWPP in Wiz. CSPM (control plane): cloud misconfigurations, IAM policy analysis, network exposure checks, compliance frameworks. CWPP (data plane): OS & app CVEs, secrets in files / env, malware detection, container image scan.
CSPM covers the cloud control plane; CWPP covers the workload data plane. Wiz delivers both agentlessly.
Figure 3 — Agentless scan flow. Cloud APIs (read-only connector) → Snapshot (ephemeral disk copy) → Scan engine (CVE + secrets) → Security Graph (risk correlation) → Findings (ranked by impact).
Wiz reads cloud APIs and mounts ephemeral snapshots to scan workloads without touching running instances.
Security Graph
Wiz's cloud resource graph that ingests compute, identity, network, data and code layers and models relationships. It powers toxic-combination detection and attack path prioritisation that no single-layer scanner can match.

Agentless scanning
Wiz uses a read-only cloud API connector and ephemeral disk snapshots to scan OS packages, app libraries, secrets and malware — without installing agents or touching running workloads. Add the Wiz Sensor (eBPF) for real-time runtime telemetry.

Toxic combination
A Security Graph query result that chains multiple individually low findings — public exposure + critical CVE + overprivileged IAM role — into a single ranked critical risk showing a feasible attack path with blast radius.

CIEM & DSPM
CIEM surfaces excessive permissions and privilege-escalation paths for every cloud identity. DSPM discovers and classifies sensitive data stores (PII, PAN, PHI) and attaches them as target nodes in attack paths so blast-radius estimates are data-specific, not abstract.

'Wiz is just a CSPM' mistake

Calling Wiz only a CSPM tool is a common slip. CSPM is one component — it checks the cloud control plane for misconfigurations. Wiz also does CWPP (vulnerabilities and secrets inside workloads via agentless snapshots), CIEM (effective IAM permissions and privilege-escalation paths), DSPM (sensitive data discovery and classification), and Kubernetes security. The Security Graph combines all of them. Naming the full CNAPP scope in your answer signals you understand the platform.

Quick check · Q2 of 10 · Apply

A customer says they cannot install agents on any production workload. What Wiz scanning capability covers OS vulnerabilities and secrets on those VMs?

Correct: a. Wiz's agentless scanning mounts ephemeral disk snapshots in Wiz's own cloud environment to scan OS packages, app libraries and secrets — no agent installed, running workload untouched. CIEM analyses IAM; the Sensor adds runtime telemetry; the admission webhook gates Kubernetes deployments.
👉 So far: Agentless = read-only cloud API connector + ephemeral disk snapshots, no agent installed, running workload untouched. CSPM = control-plane misconfigs + compliance. CWPP = OS and app CVEs + secrets + malware inside workloads. Wiz Sensor (eBPF) adds real-time runtime telemetry when needed.

③ Attack paths, CIEM & DSPM — identity risk and data exposure in the Security Graph

Q: How does Wiz compute and rank attack paths?

Model answer: An attack path in Wiz is a Security Graph query that traverses edges from an internet-facing entry point (public IP, open port, public cloud storage) through exploitable conditions (unpatched CVE, misconfiguration, overprivileged role) to a high-value target (sensitive data store, admin credentials, another account). Wiz scores each path by blast radius — how many sensitive resources are reachable at the end of the chain — and by the feasibility of each step. The result is a short ranked list where the top items are feasible, high-impact chains. The interview one-liner: attack paths turn the Security Graph into a prioritised to-do list for the security team, not a flat list of thousands of findings.
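The toxic-combination answer in section ① and the attack-path answer just above both describe the same graph traversal: start at an internet-facing entry point, require an exploitable step, pivot through an identity, stop at a DSPM-labelled target, and rank chains by blast radius. This added example (not Wiz's code or data model) implements that traversal over a small constructed graph. Node ids, edge relation names and the CVSS threshold are assumptions for the example; the `without_edge` helper shows that removing the network-exposure edge makes the path disappear while the CVE finding itself remains.

```python
from collections import defaultdict

# Constructed sample graph (not Wiz data). Nodes carry the attributes a scanner would attach.
NODES = {
    "sg-web":     {"type": "security_group", "open_to_internet": True},
    "i-web01":    {"type": "ec2", "cve_max_cvss": 9.8, "cve_remote": True},
    "i-batch02":  {"type": "ec2", "cve_max_cvss": 5.3, "cve_remote": False},
    "role-web":   {"type": "iam_role"},
    "role-batch": {"type": "iam_role"},
    "bucket-pan": {"type": "s3_bucket", "dspm_label": "PAN"},
    "bucket-logs": {"type": "s3_bucket", "dspm_label": None},
    "db-phi":     {"type": "rds", "dspm_label": "PHI"},
}

# Directed edges (src, relation, dst) modelling what the cloud APIs report.
EDGES = [
    ("sg-web", "exposes", "i-web01"),
    ("i-web01", "assumes", "role-web"),
    ("role-web", "can_read", "bucket-pan"),
    ("role-web", "can_read", "bucket-logs"),
    ("i-batch02", "assumes", "role-batch"),
    ("role-batch", "can_read", "db-phi"),
]

CVSS_HIGH = 7.0  # assumed threshold for "exploitable condition" in this toy model


def build_adjacency(edges):
    adj = defaultdict(list)
    for src, rel, dst in edges:
        adj[src].append((rel, dst))
    return adj


def is_entry_point(node):
    return node["type"] == "security_group" and node.get("open_to_internet", False)


def is_exploitable(node):
    # Only a remotely exploitable, high-CVSS workload makes the next hop feasible.
    return node["type"] == "ec2" and bool(node.get("cve_remote")) and node.get("cve_max_cvss", 0) >= CVSS_HIGH


def is_sensitive_target(node):
    return node.get("dspm_label") is not None


def find_attack_paths(nodes, edges):
    """Every path from an internet-facing entry point, through an exploitable step, to a labelled target."""
    adj = build_adjacency(edges)
    paths = []

    def walk(current, path, exploited, seen):
        for _rel, nxt in adj.get(current, []):
            if nxt in seen:
                continue
            node = nodes[nxt]
            now_exploited = exploited or is_exploitable(node)
            if is_sensitive_target(node):
                if now_exploited:          # a target is only "reached" via an exploitable step
                    paths.append(path + [nxt])
                continue
            if node["type"] == "ec2" and not is_exploitable(node):
                continue                   # dead end: exposed but not exploitable, edge infeasible
            walk(nxt, path + [nxt], now_exploited, seen | {nxt})

    for nid, node in nodes.items():
        if is_entry_point(node):
            walk(nid, [nid], False, {nid})
    return paths


def rank_attack_paths(nodes, paths):
    """Group paths by pivot chain (everything before the target); blast radius = distinct targets."""
    chains = defaultdict(set)
    for p in paths:
        chains[tuple(p[:-1])].add(p[-1])
    ranked = []
    for chain, targets in chains.items():
        ranked.append({
            "chain": list(chain),
            "targets": sorted(targets),
            "labels": sorted(nodes[t]["dspm_label"] for t in targets),
            "blast_radius": len(targets),
            "max_cvss": max(nodes[n].get("cve_max_cvss", 0) for n in chain),
        })
    ranked.sort(key=lambda r: (r["blast_radius"], r["max_cvss"]), reverse=True)
    return ranked


def without_edge(edges, removed):
    """Model a remediation (e.g. closing a security group) by dropping one edge."""
    return [e for e in edges if e != removed]


if __name__ == "__main__":
    for r in rank_attack_paths(NODES, find_attack_paths(NODES, EDGES)):
        print(" -> ".join(r["chain"]), "=>", r["labels"], "blast radius", r["blast_radius"])
```

Note that `i-batch02` can reach the PHI database but never appears in a path: no open security group exposes it, and even if one did, its CVE is not remotely exploitable, so the traversal treats that hop as infeasible. That is the "validate every edge" discipline in code form.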

Q: What is CIEM and what specific risks does it surface in Wiz?

Model answer: CIEM (Cloud Infrastructure Entitlement Management) in Wiz analyses every IAM identity (human users, service accounts, instance profiles, Lambda execution roles, federated identities) and computes their effective permissions — what they can actually do given all policy layers, SCPs, resource policies and permission boundaries. Wiz surfaces: excessive permissions (roles that can do far more than their workload needs, violating least privilege), privilege-escalation paths (a role that can attach policies to itself or create new roles with broader scope), cross-account access chains (role A in Account 1 can assume role B in Account 2, which can read Account 3 data), and unused high-privilege identities (admin credentials inactive for many months — stale blast radius). The Security Graph makes CIEM findings actionable by showing which specific workloads hold each risky identity and which data they can reach.

Q: What is DSPM and how does it integrate with the Security Graph?

Model answer: DSPM (Data Security Posture Management) in Wiz discovers and classifies sensitive data stores across the cloud estate: S3 buckets, RDS/Aurora instances, Blob Storage, BigQuery datasets, Redshift clusters and more. It uses a combination of metadata analysis (bucket names, tags, ACLs) and content sampling (scanning a representative set of objects for PII, PAN, PHI, credentials) to apply a data classification label (e.g. 'contains credit card numbers', 'contains health records'). Once labelled, the Security Graph can traverse edges and ask: 'Is this sensitive data store reachable from the public internet? Does an overprivileged role have access? Is it encrypted? Does it have retention logging?' DSPM makes data the final node in a Wiz attack path — so the answer to 'what is the blast radius?' is a specific data asset and its classification, not an abstract cloud resource ID.
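The content-sampling step in the DSPM answer above is where false positives are won or lost: any 16-digit order id looks like a card number to a bare regex. This added example (not Wiz's classifier) shows the shape of such a sampler over a constructed bucket: it samples the first N objects, finds PAN candidates and keeps only those that pass the Luhn check, flags e-mail addresses as PII, and uses a small assumed keyword list for PHI. The sample objects, the keyword list and the label names are assumptions for the example; the card numbers are standard test numbers.

```python
import re

# Candidate 13-19 digit run, allowing spaces or dashes between digits.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHI_TERMS = ("diagnosis", "icd-10", "patient id", "mrn")  # assumed keyword heuristic

# Constructed bucket contents: object key -> body. Card numbers are standard test numbers.
SAMPLE_BUCKET = {
    "exports/orders-2026-05.csv": "order_id,card\n10001,4111 1111 1111 1111\n10002,5500 0000 0000 0004\n",
    "logs/app.log": "2026-05-01 request_id=1234 5678 9012 3456 status=200\n",
    "support/tickets.json": '{"email": "jane.doe@example.com", "note": "refund"}',
    "clinic/intake.txt": "Patient ID: 88213 Diagnosis: ICD-10 E11.9",
}


def luhn_ok(digits):
    """Luhn checksum: rejects most random digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_object(text):
    """Return the set of classification labels found in one object's content."""
    labels = set()
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            labels.add("PAN")
            break
    if EMAIL.search(text):
        labels.add("PII")
    lowered = text.lower()
    if any(term in lowered for term in PHI_TERMS):
        labels.add("PHI")
    return labels


def classify_store(objects, sample_size=100):
    """Sample up to sample_size objects and return {label: [object keys that triggered it]}."""
    labels = {}
    for key, body in list(objects.items())[:sample_size]:
        for label in classify_object(body):
            labels.setdefault(label, []).append(key)
    return labels


if __name__ == "__main__":
    for label, keys in sorted(classify_store(SAMPLE_BUCKET).items()):
        print(f"{label}: {keys}")
```

The log line with `1234 5678 9012 3456` is deliberately included: it matches the candidate regex but fails Luhn, so the bucket is not mislabelled as PAN on the strength of a request id.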

Figure 4 — Attack path traversal. Entry point (public IP or port) → Vuln or misconfig (CVE or open policy) → IAM pivot (overprivileged role) → Sensitive target (data or admin) → Blast radius (scope of impact).
The Security Graph chains entry point, exploitable condition and sensitive target into a ranked critical path.
Prioritisation = attack path + blast radius

When asked how Wiz prioritises findings, always name the attack path and blast radius together. 'Wiz ranks findings by whether they form a feasible attack path — entry point reachable, exploitable condition present, overprivileged identity available — and scores each by blast radius: how many sensitive data assets are reachable at the end. That combination is why a single Critical path in Wiz is worth fixing before fifty Medium misconfigs that have no feasible chain.'

▶ Watch the Security Graph surface an attack path — and see what breaks it

Step through how Wiz correlates a public EC2 instance, a critical CVE and an overprivileged IAM role into a ranked attack path (the "break it" variant shows what happens when the IAM role is incorrectly scoped).

① Cloud API ingest: the Wiz connector reads EC2 metadata, security groups, IAM instance profiles and S3 bucket policies from AWS APIs; no agent required.
② CWPP snapshot scan: Wiz mounts an ephemeral EBS snapshot and finds a critical OS CVE (CVSS 9.8) with a public exploit in the running AMI.
③ Security Graph link: the graph edges the EC2 node (network-exposed) to the CVE finding node, then traverses the IAM role edge to discover the role has s3:GetObject on a DSPM-classified PAN bucket.
④ Attack path ranked: Wiz surfaces the chain as a Critical attack path with blast radius showing the PAN data bucket. The security team gets one prioritised finding, not three isolated alerts.
Quick check · Q3 of 10 · Analyze

Which Wiz feature would you use to discover that a Lambda execution role can read an S3 bucket tagged as containing PII even though no human has accessed it?

Correct: c. CIEM computes effective permissions for every identity including Lambda execution roles; DSPM classifies data stores by content and attaches labels. The Security Graph combines both: the role CAN read the PII-tagged bucket, even if it has not yet done so. A CSPM check covers control-plane misconfigs; image scanning is for CVEs; the Sensor captures runtime events.
👉 So far: Attack path = Security Graph traversal from entry point through exploitable conditions to sensitive target, ranked by blast radius. CIEM = effective IAM permissions, excessive entitlements, privilege-escalation paths. DSPM = sensitive data discovery + classification so the target node in an attack path is data-specific, not abstract.

④ Kubernetes & scenarios — container security, admission control and real-world drill

Q: How does Wiz integrate with Kubernetes security — admission control, image scanning and runtime?

Model answer: Wiz integrates with Kubernetes at three layers. Image scanning: Wiz scans container images in any registry (ECR, ACR, GCR, Docker Hub) and in Kubernetes node snapshots for OS CVEs, app-package CVEs, secrets and malware, surfacing results in the Security Graph alongside the running pod. Admission control: Wiz can act as a validating or mutating webhook (or integrate with OPA Gatekeeper / Kyverno) to block or warn on deployments that violate policy — e.g. a pod running as root, using a privileged security context, or pulling an image with critical unpatched vulnerabilities. Runtime: the Wiz Sensor (eBPF) on Kubernetes nodes captures process, network and file events, and the Security Graph correlates a runtime anomaly (unexpected shell in a container) with that pod's CVE profile and its service-account permissions to compute whether the anomaly represents a credible attack path. The interview point: Wiz covers Kubernetes shift-left (image + IaC), shift-right (admission), and runtime — all connected through the Security Graph.
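The admission-control layer in the answer above is easiest to reason about as a pure function: an AdmissionReview request comes in, the pod spec is checked against policy, and an AdmissionReview response goes out with `allowed` and a message. This added example (not Wiz's webhook, nor a Gatekeeper or Kyverno policy) implements the three checks the answer names, root, privileged, and critical CVEs in the image, plus an audit mode that returns warnings instead of denying. The scan-result table, its shape, the image references and the request uid are constructed assumptions; the AdmissionReview field names are the standard admission.k8s.io/v1 ones.

```python
# Constructed scan results (assumed shape, not Wiz's API): image ref -> CVE counts by severity.
SCAN_RESULTS = {
    "registry.example.com/app/api:1.4.2": {"critical": 2, "high": 5},
    "registry.example.com/app/web:2.0.0": {"critical": 0, "high": 1},
}


def pod_violations(pod, scan_results):
    """Return a list of human-readable policy violations for one Pod object."""
    violations = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            violations.append(f"container {name}: privileged=true")
        # Container-level settings override pod-level ones, mirroring the Kubernetes precedence.
        run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
        run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if run_as_user == 0 or (run_as_user is None and not run_as_non_root):
            violations.append(f"container {name}: may run as root (set runAsNonRoot: true or a non-zero runAsUser)")
        image = c.get("image", "")
        result = scan_results.get(image)
        if result is None:
            violations.append(f"container {name}: image {image} has no scan result")
        elif result["critical"] > 0:
            violations.append(f"container {name}: image {image} has {result['critical']} critical CVE(s)")
    return violations


def admission_response(review, scan_results, mode="enforce"):
    """Build the AdmissionReview response; 'audit' mode allows the request but attaches warnings."""
    req = review["request"]
    violations = pod_violations(req["object"], scan_results)
    resp = {"uid": req["uid"], "allowed": True}
    if violations:
        if mode == "enforce":
            resp["allowed"] = False
            resp["status"] = {"code": 403, "message": "; ".join(violations)}
        else:
            resp["warnings"] = violations
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": resp}


def _review(pod):
    # Constructed request envelope with a placeholder uid.
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "request": {"uid": "00000000-0000-4000-8000-000000000001",
                        "kind": {"group": "", "version": "v1", "kind": "Pod"},
                        "operation": "CREATE", "object": pod}}


BAD_POD_REVIEW = _review({
    "kind": "Pod", "metadata": {"name": "api"},
    "spec": {"containers": [{"name": "api", "image": "registry.example.com/app/api:1.4.2",
                             "securityContext": {"privileged": True}}]},
})

GOOD_POD_REVIEW = _review({
    "kind": "Pod", "metadata": {"name": "web"},
    "spec": {"securityContext": {"runAsNonRoot": True},
             "containers": [{"name": "web", "image": "registry.example.com/app/web:2.0.0"}]},
})


if __name__ == "__main__":
    import json
    print(json.dumps(admission_response(BAD_POD_REVIEW, SCAN_RESULTS), indent=2))
    print(json.dumps(admission_response(GOOD_POD_REVIEW, SCAN_RESULTS), indent=2))
```

Two design points worth raising in an interview: an image with no scan result is treated as a violation rather than silently allowed (fail closed), and the root check honours the pod-level `securityContext` so a compliant pod does not have to repeat `runAsNonRoot` on every container.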

Q: Walk through a real scenario: a developer in your company accidentally pushed an IAM access key into a public GitHub repository. How would Wiz help?

Model answer: Wiz's DSPM and CWPP secret detection scans code repositories (via the CI/CD integration) and cloud workload snapshots for exposed credentials. If the key is in a committed file, Wiz flags it as a secret exposure finding. More importantly, the Security Graph immediately answers: which IAM identity does this key belong to? What are its effective permissions? Does it have access to sensitive data stores? Is it currently attached to a running workload? — producing a ranked blast-radius estimate in minutes, not days of manual investigation. The remediation path in Wiz links directly to the affected identity so the responder can rotate the key, tighten the policy and verify the fix — all within the same workflow.
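The CIEM answer in section ③ (effective permissions across identity policy, resource policy and permission boundary; excessive entitlements) and the leaked-key scenario just above (which identity does this key belong to, what can it reach) share the same core: evaluate what an identity can actually do. This added example (not Wiz's evaluator, and a simplification of real IAM evaluation) implements a small allow/deny/boundary evaluator, expands wildcard actions against a constructed action catalogue to list excess permissions, proposes a least-privilege statement from observed usage, and maps an exposed access key id to its identity's reachable sensitive data. Identities, policies, the action catalogue, data-store labels and the key-to-identity table are constructed; resource policies are consulted only for denies in this model; the key id is the AWS documentation example.

```python
from fnmatch import fnmatchcase

# Constructed subset of S3 actions used to expand wildcards such as "s3:*".
ACTION_CATALOG = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket",
                  "s3:DeleteBucket", "s3:PutBucketPolicy"]

# Constructed identities with identity-policy statements and an optional permissions boundary.
IDENTITIES = {
    "role/lambda-export": {"statements": [{"Effect": "Allow", "Action": ["s3:*"], "Resource": ["*"]}],
                           "boundary": None},
    "user/dev-ci": {"statements": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
                                    "Resource": ["arn:aws:s3:::build-artifacts/*",
                                                 "arn:aws:s3:::cardholder-exports/*"]}],
                    "boundary": None},
}

# Constructed DSPM labels and bucket resource policies (only Deny statements are modelled).
DATA_STORES = {"arn:aws:s3:::cardholder-exports": "PAN", "arn:aws:s3:::build-artifacts": None,
               "arn:aws:s3:::patient-records": "PHI"}
RESOURCE_POLICIES = {
    "arn:aws:s3:::patient-records": [{"Effect": "Deny", "Principal": ["role/lambda-export"], "Action": ["s3:*"]}],
}

# Access key id -> owning identity (AWS documentation example key id, not a live credential).
ACCESS_KEYS = {"AKIAIOSFODNN7EXAMPLE": "user/dev-ci"}


def _matches(stmt, action, resource):
    return (any(fnmatchcase(action, a) for a in stmt["Action"])
            and any(fnmatchcase(resource, r) for r in stmt.get("Resource", ["*"])))


def is_allowed(identity_name, action, resource, identities=IDENTITIES, resource_policies=RESOURCE_POLICIES):
    """Simplified evaluation: explicit deny wins, then the boundary must allow, then an identity allow."""
    ident = identities[identity_name]
    for stmt in ident["statements"]:
        if stmt["Effect"] == "Deny" and _matches(stmt, action, resource):
            return False
    bucket_arn = resource.split("/")[0]
    for stmt in resource_policies.get(bucket_arn, []):
        if stmt["Effect"] == "Deny" and identity_name in stmt["Principal"] and _matches(stmt, action, resource):
            return False
    boundary = ident.get("boundary")
    if boundary is not None and not any(s["Effect"] == "Allow" and _matches(s, action, resource) for s in boundary):
        return False
    return any(s["Effect"] == "Allow" and _matches(s, action, resource) for s in ident["statements"])


def granted_actions(identity_name, catalog=ACTION_CATALOG, identities=IDENTITIES):
    """Expand the identity's Allow patterns against the catalogue."""
    stmts = identities[identity_name]["statements"]
    return {a for a in catalog
            if any(s["Effect"] == "Allow" and any(fnmatchcase(a, p) for p in s["Action"]) for s in stmts)}


def least_privilege_policy(identity_name, observed):
    """observed: (action, resource) pairs seen in usage logs. Returns (excess actions, proposed policy)."""
    used_actions = {a for a, _ in observed}
    excess = sorted(granted_actions(identity_name) - used_actions)
    policy = {"Version": "2012-10-17",
              "Statement": [{"Effect": "Allow", "Action": sorted(used_actions),
                             "Resource": sorted({r for _, r in observed})}]}
    return excess, policy


def blast_radius(identity_name, data_stores=DATA_STORES):
    """Sensitive stores the identity can read, as (arn, label) pairs."""
    return sorted((arn, label) for arn, label in data_stores.items()
                  if label and is_allowed(identity_name, "s3:GetObject", arn + "/*"))


def leaked_key_impact(access_key_id):
    """Triage for an exposed key id: which identity, and which sensitive data it can reach."""
    identity = ACCESS_KEYS.get(access_key_id)
    if identity is None:
        return None
    return {"identity": identity, "reachable_sensitive_data": blast_radius(identity)}


if __name__ == "__main__":
    print(leaked_key_impact("AKIAIOSFODNN7EXAMPLE"))
    print(least_privilege_policy("role/lambda-export", [("s3:PutObject", "arn:aws:s3:::build-artifacts/exports/*")]))
```

Note how the resource-policy deny on `patient-records` keeps that PHI store out of the Lambda role's blast radius even though its identity policy says `s3:*` on `*`: that is exactly the edge-validation question from the disputed-severity answer above, and why effective permissions rather than the policy document are what get reported.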

Q: A Wiz scan returns a 'Critical' attack path but the security team disputes the severity. How do you evaluate it?

Model answer: Walk the attack path step by step in the Security Graph: confirm each edge is feasible (e.g. is the security group actually open to 0.0.0.0/0, or is there a NACL blocking it? Is the CVE exploitable remotely or only locally?), check the IAM effective permissions (does the role actually have write access on that bucket, or does a resource policy deny it?), and verify the data classification of the target (is it really sensitive or a test bucket?). If any step in the chain is not feasible the path severity should be downgraded. Wiz allows security exceptions with a justification and expiry so disputed findings can be acknowledged without spamming the queue. The interview one-liner: validate every edge, not just the headline severity — the Security Graph shows you the evidence, so use it.

Figure 5 — Wiz Kubernetes layers. Runtime (Wiz Sensor): eBPF process, network, file events. Admission control: webhook that blocks policy violations. Image scanning: registry CVEs, secrets, malware. IaC + CI/CD shift-left: catch misconfigs pre-deploy.
Wiz secures Kubernetes from image scanning through admission control to runtime detection, all fed into the Security Graph.

Priya at FinStack in Bengaluru faces this

FinStack is a fintech running on AWS. Their Wiz dashboard surfaces a Critical attack path: an EC2 instance in a public subnet has a critical-severity CVE in its OS package, and its instance profile allows s3:GetObject on a bucket that Wiz DSPM has classified as containing PAN data. The instance was deployed by a developer who used a broad IAM role for convenience.

Likely cause

Three findings chain into a toxic combination: the EC2's security group allows inbound traffic on a public port (network exposure), the OS package has a remotely exploitable CVE (CWPP finding), and the instance IAM role has s3:GetObject on the PAN data bucket (CIEM finding). Individually each is medium severity; together they form a feasible exfiltration path.

Diagnosis

In the Wiz Security Graph, Priya opens the attack path and walks each edge: the security group rule is confirmed open to 0.0.0.0/0, the CVE has a public PoC and a CVSS score above 9, and the IAM effective permissions confirm unrestricted s3:GetObject. The DSPM node shows the bucket holds credit card numbers in scope for PCI-DSS.

Wiz Console ▸ Issues ▸ Attack Paths ▸ open the Critical path ▸ inspect each edge in the Security Graph
Fix

Immediate: restrict the EC2 security group to known CIDRs only, and apply a resource policy on the S3 bucket denying the instance role until the CVE is patched. Long-term: patch the OS package, right-size the IAM role to only the specific S3 prefix it needs, and add a Wiz policy rule blocking broad S3 access from compute in public subnets.

Verify

Re-run the Wiz scan: the attack path no longer appears because the network exposure edge is removed. The CVE finding still shows but is now isolated — no longer part of a feasible chain to sensitive data. The DSPM classification remains so the bucket stays monitored.

Quick check · Q4 of 10 · Apply

You want to prevent a container image with critical unpatched CVEs from being deployed to your Kubernetes cluster. Which Wiz capability enforces this before the pod starts?

Correct: b. Wiz admission control acts as a Kubernetes validating webhook and blocks (or warns on) pod deployments that violate defined policies — including an image containing critical CVEs. DSPM classifies data; CIEM handles identity; attack-path ranking prioritises findings but does not enforce deployment gates.
👉 So far: Wiz Kubernetes: image scanning (registry + node snapshots), admission control (validating webhook — block bad images and privileged pods), runtime detection (Wiz Sensor eBPF), all connected through the Security Graph so a runtime anomaly is immediately correlated with that pod's CVE profile and IAM role.


📝 Wrap-up assessment — six more


Q5 · Remember

What is the name of Wiz's core data structure that models relationships between cloud resources across all layers?

Correct: b. The Security Graph is Wiz's proprietary cloud resource graph that ingests and models every cloud layer — compute, identity, network, data and code — and their relationships, enabling cross-layer risk correlation and attack path discovery. A SIEM aggregates logs; a dependency tree tracks software libraries; a CASB catalog manages SaaS access.
Q6 · Understand

Why does Wiz agentless scanning NOT require you to open inbound firewall rules or install software on your VMs?

Correct: c. Wiz's agentless model uses a read-only cloud API connector (IAM role or service principal) and takes ephemeral snapshots of disk volumes that are mounted and scanned in Wiz's infrastructure. Running workloads are never contacted; no inbound ports are opened. The Wiz Sensor (eBPF) is an optional add-on for runtime telemetry but is not required for vulnerability or secret scanning.
Q7 · Apply

A Wiz attack path shows: public EC2 → critical CVE → IAM role → S3 bucket (PAN data). Which immediate mitigation reduces the blast radius the fastest without patching the CVE?

Correct: a. Restricting the security group removes the public-exposure edge — the first link in the attack chain — so the path is no longer feasible even with the CVE unpatched. DSPM re-classification does not reduce access; deleting a finding is not a fix; adding instances increases attack surface.
Q8 · Analyze

CIEM analysis shows a Lambda function's execution role has s3:* on all buckets in the account, but the function only ever writes to one specific prefix. What is the risk and what should you recommend?

Correct: d. An overprivileged Lambda role violates least-privilege: if the function is compromised (e.g. via a vulnerable dependency), the attacker inherits the broad s3:* permission and can read, overwrite or delete any bucket. The correct remediation is to scope the IAM policy to the specific bucket and prefix the function actually needs, using resource-level conditions. Lambda IAM roles persist across invocations; disabling CIEM is not a fix; moving to a container does not remove the IAM risk.
Q9 · Evaluate

Your security team receives 2,000 medium-severity Wiz findings and 3 Critical attack paths this week. Where should they start and why?

Correct: c. Wiz's Critical attack paths represent feasible chains from a reachable entry point through exploitable conditions to sensitive data — the highest actual risk. Individually the underlying findings may be medium, but their combination is Critical and actionable now. Alphabetical triage of 2,000 mediums wastes resources; ignoring findings is negligent; disabling detection removes visibility.
Q10 · Evaluate

A customer argues Wiz's agentless approach misses threats because it cannot see real-time process activity. What is the complete and accurate answer?

Correct: b. The customer's concern is partially valid but overstated. Agentless snapshot scanning gives broad, zero-footprint coverage of vulnerabilities, secrets and malware but is point-in-time. For real-time runtime behavioural detection (process, network, file events) you add the Wiz Sensor (eBPF-based, lightweight, no kernel module needed). Most organisations use agentless broadly and add the Sensor on crown-jewel workloads. Options a, c and d are incorrect characterisations of Wiz's capabilities.

🧠 In your own words

Type one line: what is the Wiz Security Graph, and why can it surface risks that a CSPM scanner alone cannot? Then compare with the expert version.

Expert version: The Wiz Security Graph ingests every cloud layer — compute, identity (IAM), network, managed data stores and CI/CD artefacts — via a read-only API connector and models the relationships between them as a graph of nodes and edges. Because it knows that this EC2 instance (with a critical CVE) is network-exposed, has an IAM role (CIEM) that can read an S3 bucket classified by DSPM as containing PAN data, it can chain those three findings into a single Critical attack path with a concrete blast-radius estimate. A traditional CSPM tool checks the control plane in isolation — it would flag the open security group and the S3 bucket policy separately, but it has no way to connect them to the vulnerable workload and its effective permissions. The Security Graph makes those connections, turning thousands of isolated findings into a short prioritised list of truly feasible, high-impact risks.


📖 Glossary

CNAPP
Cloud-Native Application Protection Platform — a unified platform (like Wiz) that combines CSPM, CWPP, CIEM and DSPM plus container and Kubernetes security in a single agentless tool.
Security Graph
Wiz's cloud resource graph that ingests compute, identity, network, data and code layers and models relationships as nodes and edges, enabling cross-layer risk correlation and attack path discovery.
Agentless scanning
Wiz's approach: read-only cloud API connector + ephemeral disk snapshots scanned in Wiz's own environment. No software installed on running workloads; add the Wiz Sensor for real-time runtime telemetry.
Toxic combination
A Security Graph query result that chains multiple individually low findings — public exposure + critical CVE + overprivileged IAM role — into a single ranked critical risk showing a feasible attack chain with blast radius.
CSPM
Cloud Security Posture Management — checks the cloud control plane for misconfigurations, IAM over-permissiveness, public storage access and compliance against frameworks like CIS, PCI-DSS and SOC 2.
CWPP
Cloud Workload Protection Platform — scans the data plane inside workloads for OS and app CVEs, hard-coded secrets, malware and container-image vulnerabilities via agentless ephemeral snapshots.
CIEM
Cloud Infrastructure Entitlement Management — computes effective permissions for every cloud identity and surfaces excessive entitlements, privilege-escalation paths and cross-account access chains.
DSPM
Data Security Posture Management — discovers and classifies cloud data stores (PII, PAN, PHI, credentials) so attack-path blast-radius estimates name specific sensitive datasets, not abstract resource IDs.
Attack path
A Security Graph traversal from an internet-facing entry point through exploitable conditions and an overprivileged identity to a sensitive target node, ranked by feasibility and blast radius.
Wiz Sensor
Wiz's optional lightweight eBPF-based runtime probe that captures real-time process, network and file events on Kubernetes nodes and VMs, feeding data back into the Security Graph for runtime-anomaly correlation.

What's next?

Done with the interview prep? Go deeper on Wiz CNAPP design — the Security Graph data model, agentless connector architecture, CSPM policy framework, attack-path prioritisation logic, CIEM and DSPM, and integrating Wiz into a CI/CD pipeline.