
Wiz Security Graph — Context, Queries & Why It Beats Siloed Alerts

The Wiz Security Graph is a continuously updated, relationship-aware map of every resource, identity, workload, data store, vulnerability and network path across your cloud estate — all stitched into a single queryable graph. This lesson explains how the graph is built, why connected context beats alert-per-finding silos, how to write Security Graph queries, and what 'toxic combinations' mean in practice.

📅 2026-06-20 · ⏱ 16 min · 5 infographics · live block demo · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

Master the Wiz Security Graph in 2026: how it unifies cloud config, identities, workloads and data into a queryable graph, why graph context beats siloed alerts, and how to write effective Security Graph queries to surface toxic risk combinations.

🎯 By the end you will be able to


1. What the graph is: nodes, edges and the relationship model.
2. Four entity classes: resources, identities, workloads, data.
3. Toxic combos & queries: why context beats alerts; writing WQL.
4. Graph-led triage: trace exposure end-to-end from a finding.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. Is the Wiz Security Graph just a list of CVEs?

Answered in What the graph is.

2. What is a 'toxic combination' in the Wiz graph?

Answered in Toxic combos & queries.

3. What do you use to query the Security Graph?

Answered in Toxic combos & queries.

Most engineers think…

Most people picture cloud security as a dashboard full of individual alerts — 'this bucket is public', 'this CVE is critical', 'this IAM role is overprivileged'. Triage becomes whack-a-mole and the real threats hide in noise.

The Wiz Security Graph is a relationship model, not a flat list. It connects a public bucket to the identity that can write to it, the workload running as that identity, and the CVE on that workload — so one query surfaces the entire chain. That is the shift from siloed alerts to context-driven security, and it is what lets a small team triage what actually matters.

① What the Wiz Security Graph actually is — nodes, edges, one model

The Security Graph is Wiz's core data layer: a continuously updated directed graph in which every cloud object — a VM, a bucket, a role, a container image, a secret — is a node, and every relationship between them — 'can assume', 'is exposed to', 'runs on', 'has access to', 'contains' — is an edge. Wiz builds this graph agentlessly by scanning cloud provider APIs (AWS, Azure, GCP, OCI and others) and enriching it with runtime signals from its eBPF sensor.

The key property of a graph model is that reachability is first-class. Instead of asking 'is this resource misconfigured?' you ask 'is this misconfigured resource reachable from the internet and does it have permissions to sensitive data?' Those are relationship questions, and flat alert lists cannot answer them. The graph can, instantly, across your entire cloud estate.

Figure 1 — How Wiz builds the Security Graph
Wiz scans cloud APIs agentlessly and enriches with runtime signals to maintain the graph continuously. Panels: Cloud APIs (AWS / Azure / GCP / OCI) → Agentless scan (snapshots + API calls) → Graph ingest (nodes & edges built) → Runtime enrich (eBPF sensor signals) → Query layer (WQL + visual explorer).
Quick check · Q1 of 10 · Understand

What makes the Security Graph different from a flat list of cloud misconfigurations?

Correct: b. The graph models relationships (edges) between cloud objects (nodes), making reachability and path questions answerable in one query. A flat list can only answer 'is this resource misconfigured?' — not 'is this misconfigured resource reachable from the internet with access to sensitive data?'
👉 So far: The Security Graph is a directed graph of cloud nodes (resources, identities, workloads, data) connected by typed relationship edges — built agentlessly from cloud APIs and enriched with runtime signals.

② The four entity classes — resources, identities, workloads, data

The Security Graph organises nodes into four main classes. Resources are cloud infrastructure objects: virtual machines, storage buckets, databases, networks, security groups, Kubernetes clusters and API gateways. Identities are anything that can authenticate and act: cloud IAM roles, service accounts, users and federated identities. Workloads are the running software layer: container images, serverless functions, OS packages and the vulnerabilities (CVEs) found on them. Data is the sensitivity layer: data stores, secrets, personally identifiable information, credentials and the classification labels Wiz assigns to them.

Why four classes?

Each class contributes a different dimension of risk. A workload class node might carry a critical CVE; an identity node might be overprivileged; a data node might hold PII. Only when you connect all four through graph edges do you know whether the CVE-carrying workload is the same one that, through its identity, can reach the PII store. That connection is what the Security Graph makes explicit.

Figure 2 — Four entity classes in the Security Graph
Each class adds a risk dimension; the graph edges connect them into attack paths. Panels: Data (PII, secrets, buckets, classification labels); Identities (IAM roles, service accounts, users); Workloads (VMs, containers, functions, CVEs); Resources (networks, clusters, databases, gateways).
🕸️ Security Graph node

Any cloud object: a VM, bucket, IAM role, container image, secret or data store. Nodes carry properties (CVEs, permissions, tags) and are connected by typed edges.

🔗 Graph edge

A directional relationship between nodes: 'can assume', 'is exposed to internet', 'has access to', 'runs on', 'contains'. Edges are what make attack paths queryable.

☠️ Toxic combination

A co-occurring set of risk factors — e.g. internet exposure + critical CVE + admin identity + PII data — that together form a viable attack path, even if each factor alone is only medium severity.

🔍 WQL query

Wiz Query Language: a declarative graph query you write (or build visually) to ask relationship questions like 'which internet-exposed workloads can reach a database tagged PII?'.

Name all four entity classes in interviews

When asked about the Wiz Security Graph, enumerate the four classes — Resources, Identities, Workloads, Data — and explain that the edges between them are what enable attack-path queries. Saying 'it maps relationships across all four entity types' immediately shows graph-level understanding, not just 'it scans for misconfigs'.

Quick check · Q2 of 10 · Remember

Which of the four Security Graph entity classes holds CVEs and OS packages?

Correct: d. Workloads cover the running software layer: container images, serverless functions, OS packages and the vulnerabilities (CVEs) found on them. Resources are infrastructure; Identities are IAM; Data is the sensitivity layer.
👉 So far: Four entity classes: Resources (infrastructure), Identities (IAM/roles), Workloads (VMs/containers/CVEs), Data (PII/secrets). Risk only becomes critical when the graph connects all four.

③ Toxic combinations & Security Graph queries — context beats alerts

A toxic combination is Wiz's term for a co-occurring set of risk factors that together form a viable attack path — even though none of the individual factors alone would be critical. The canonical example: an internet-exposed VM (resource) running as a high-privilege service account (identity) with an unpatched OS vulnerability (workload) that has network access to a database containing customer PII (data). Each factor alone gets a medium severity; together they are a P1.

You surface toxic combinations by querying the graph. Wiz provides a WQL visual explorer where you drag nodes and edges to ask questions like 'show me all internet-exposed VMs where the workload has a critical CVE AND the identity can write to any S3 bucket tagged PII'. That single query replaces days of manual correlation across three separate consoles.

The graph is also the foundation of Wiz attack path analysis. Wiz computes all viable attacker traversal paths from an internet entry point to crown-jewel data assets, ranks them by exploitability and blast radius, and surfaces them as prioritised findings — not as a flat vulnerability list.

Figure 3 — Security Graph at the centre of Wiz CNAPP
Every Wiz capability — CSPM, CWPP, CIEM, KSPM, CDR — reads and writes the same Security Graph. Panels: Security Graph (unified data layer) at the centre, surrounded by CSPM (posture), CWPP (workloads), CIEM (identities), KSPM (Kubernetes), CDR (detection) and Attack paths.

Figure 4 — Siloed alerts vs graph-based context
The same environment produces hundreds of siloed alerts — or a handful of prioritised toxic combinations via the graph. Left panel, siloed alerts: hundreds of per-finding alerts; no relationship between findings; CVSS score is the only priority; manual correlation takes days. Right panel, graph-based context: toxic combos surface real paths; edges show blast radius instantly; priority = exposure + reachability; one query answers the triage.
'High CVSS = top priority' is wrong in the graph model

A CVE with CVSS 9.8 on an isolated, non-internet-exposed, air-gapped VM with no identity edges to sensitive data is lower priority than a CVSS 7.2 on a public-facing VM with admin credentials to a PII database. The graph-based priority is exposure + reachability + blast radius — never raw CVSS alone.

▶ Watch a toxic combination surface and get traced in the Security Graph

Follow an attacker's potential path from internet exposure to PII data.

① Graph scan. Wiz agentlessly scans the AWS account and adds a newly deployed EC2 instance as a node. It adds edges: 'exposed to internet' (from the security group rule) and 'runs as' (from the attached IAM role).
② CVE edge. Wiz's workload scanner finds a critical CVE in the instance's OS package. A 'has vulnerability' edge is added to the workload node.
③ Toxic combo. The graph engine evaluates all co-occurring edges: internet-exposed + critical CVE + IAM role with s3:PutObject on a PII-tagged bucket. This co-occurrence pattern triggers a toxic combination finding.
④ Triage & fix. The analyst opens the toxic combination, views the graph, sees the three-hop path (internet → EC2 → IAM role → S3 PII bucket), scopes the fix (restrict SG + patch OS + scope IAM), and re-queries to confirm closure.
Quick check · Q3 of 10 · Apply

A VM is internet-exposed and runs as a high-privilege service account. Each finding alone is medium severity. Why does Wiz raise a high-priority alert?

Correct: c. A toxic combination is the co-occurrence of multiple risk factors that together form an attack path. Internet exposure + high-privilege identity is a path to data exfiltration even if neither factor alone is critical.
👉 So far: Toxic combination = co-occurring risk factors that together form a viable attack path. Query the graph with WQL or the visual explorer to surface them — do not rely on raw CVSS score alone.

④ Graph-led triage — tracing exposure from a finding to the blast radius

When an alert fires, the graph answers the three questions every analyst needs: how did the attacker get here? (the path from internet to the resource), what can they do from here? (the outbound edges — what identities, data stores, and lateral targets are reachable), and what is the blast radius? (how many resources and data stores are reachable in N hops). Without the graph, each question requires stitching together cloud console lookups, IAM policy exports and network diagrams by hand.

Triage workflow

In Wiz, you open the finding, click 'View in graph', and the visual explorer renders the full context: the exposed node, its identity, the downstream data stores, and any active runtime signals from Wiz Defend. You can pivot from any node to see its edges. The result is a triage that takes minutes rather than hours — and a remediation recommendation that is scoped to the actual exposure, not a blanket 'patch all CVEs' directive.

Figure 5 — Graph-led triage — from alert to remediation
The Security Graph collapses a multi-step manual triage into a single visual traversal. Panels: Alert fires (finding raised by Wiz) → View in graph (visual explorer opens) → Trace path (internet to resource) → Blast radius (downstream edges) → Remediate (scoped fix, not blanket).

Priya at a Mumbai fintech faces this

Wiz raises a high-priority toxic combination: a Kubernetes pod in the production cluster is internet-exposed, runs as a service account with overly broad IAM permissions, and has a critical CVE in its base image — and the service account has write access to an S3 bucket tagged as containing customer financial records.

Likely cause

The pod's service was exposed via a misconfigured LoadBalancer (no ingress whitelist), the service account inherited a legacy admin policy from a migration two years ago, and the base image was never updated after the original CVE patch was released.

Diagnosis

Security Graph query: internet-exposed workload WITH critical CVE AND identity WITH write access to data tagged PII — Wiz surfaces this as a single toxic combination with a blast-radius view showing three more S3 buckets reachable in one hop.

Wiz Console ▸ Issues ▸ Toxic Combination ▸ View in Graph ▸ Identity edges ▸ Data nodes
Fix

Restrict the LoadBalancer to internal CIDR only; replace the legacy admin policy with a least-privilege scoped IAM role; patch the container image to a fixed base. Verify each step closes the graph edge before promoting to production.

Verify

Re-run the WQL query: zero results. The Wiz issue auto-resolves within the next graph refresh cycle, and the blast-radius view shows no reachable PII buckets from that workload.

Close the graph edge, not just the ticket

After remediating a toxic combination, verify closure by re-running the original WQL query and confirming zero results. A ticket marked 'done' in the ITSM system does not prove the graph edge is gone. Re-query the graph — Wiz will auto-resolve the issue once the relationship no longer exists.
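The following is an added example, not code from this lesson or from Wiz: a small in-memory graph in the shape sections ①, ③ and ④ describe (nodes with a class and properties, typed directed edges), with the fintech scenario above reconstructed as constructed sample data. The toxic-combination query, the blast-radius walk and the remediation-then-re-query step are hypothetical Python, not WQL or the Wiz API; node names, edge types and the CVE placeholders are assumptions. It shows why the combined condition is a path query rather than three independent alerts, why the isolated CVSS 9.8 VM does not match, and why closure is proven by an empty re-query rather than a closed ticket.

```python
from collections import defaultdict, deque

# Hypothetical graph model for illustration only. Not Wiz's data model or
# query language: node classes, edge types and names are assumptions.
class SecurityGraph:
    # Edge types an attacker could actually move along; used for blast radius.
    TRAVERSAL_EDGES = {"can_reach", "runs_as", "can_assume", "can_read", "can_write"}

    def __init__(self):
        self.nodes = {}                  # node id -> {"class": ..., other properties}
        self.edges = defaultdict(list)   # src id -> [(edge_type, dst id)]

    def add_node(self, node_id, cls, **props):
        self.nodes[node_id] = {"class": cls, **props}

    def add_edge(self, src, edge_type, dst):
        self.edges[src].append((edge_type, dst))

    def remove_edge(self, src, edge_type, dst):
        self.edges[src] = [e for e in self.edges[src] if e != (edge_type, dst)]

    def out(self, node_id, edge_type=None):
        """Destinations of outbound edges from node_id, optionally of one type."""
        return [d for t, d in self.edges[node_id] if edge_type is None or t == edge_type]

    def toxic_combinations(self):
        """Relationship query: internet-reachable workload WITH a critical CVE,
        running as an identity WITH write access to a data store tagged PII.
        Returns the hop-by-hop path for each match, not one isolated finding."""
        paths = []
        for workload in self.out("internet", "can_reach"):
            critical = [c for c in self.out(workload, "has_vulnerability")
                        if self.nodes[c]["severity"] == "critical"]
            if not critical:
                continue
            for identity in self.out(workload, "runs_as"):
                for store in self.out(identity, "can_write"):
                    if "PII" in self.nodes[store].get("tags", ()):
                        paths.append(("internet", workload, identity, store))
        return paths

    def blast_radius(self, start, max_hops):
        """Nodes reachable from start within max_hops over traversable edges,
        mapped to the hop count at which each is first reached (BFS)."""
        hops = {start: 0}
        queue = deque([start])
        while queue:
            cur = queue.popleft()
            if hops[cur] == max_hops:
                continue
            for edge_type, dst in self.edges[cur]:
                if edge_type in self.TRAVERSAL_EDGES and dst not in hops:
                    hops[dst] = hops[cur] + 1
                    queue.append(dst)
        del hops[start]
        return hops


def build_sample_graph():
    """Constructed sample modelled on the fintech scenario (not real data)."""
    g = SecurityGraph()
    g.add_node("internet", "resource")
    g.add_node("prod-pod", "workload")          # exposed via a permissive LoadBalancer
    g.add_node("batch-vm", "workload")          # isolated: no inbound path from the internet
    g.add_node("CVE-PLACEHOLDER-A", "vulnerability", severity="critical", cvss=7.2)
    g.add_node("CVE-PLACEHOLDER-B", "vulnerability", severity="critical", cvss=9.8)
    g.add_node("legacy-admin-sa", "identity")   # legacy admin policy inherited from the migration
    g.add_node("batch-sa", "identity")
    g.add_node("financial-records", "data", tags={"PII"})
    for name in ("app-logs", "backups", "reports"):
        g.add_node(name, "data", tags=set())
    g.add_edge("internet", "can_reach", "prod-pod")
    g.add_edge("prod-pod", "has_vulnerability", "CVE-PLACEHOLDER-A")
    g.add_edge("prod-pod", "runs_as", "legacy-admin-sa")
    for name in ("financial-records", "app-logs", "backups", "reports"):
        g.add_edge("legacy-admin-sa", "can_write", name)
    g.add_edge("batch-vm", "has_vulnerability", "CVE-PLACEHOLDER-B")  # CVSS 9.8 but unreachable
    g.add_edge("batch-vm", "runs_as", "batch-sa")
    return g


def remediate(g):
    """The three scoped fixes from the scenario, expressed as edges that disappear."""
    g.remove_edge("internet", "can_reach", "prod-pod")                   # restrict the LoadBalancer
    g.remove_edge("prod-pod", "has_vulnerability", "CVE-PLACEHOLDER-A")  # patch the base image
    for name in ("financial-records", "backups", "reports"):             # least-privilege role:
        g.remove_edge("legacy-admin-sa", "can_write", name)              # keep only the app-logs write


if __name__ == "__main__":
    g = build_sample_graph()
    print("toxic combinations:", g.toxic_combinations())
    print("blast radius of legacy-admin-sa, 1 hop:", g.blast_radius("legacy-admin-sa", 1))
    remediate(g)
    print("after remediation:", g.toxic_combinations())
```

The query starts at the internet node and walks three typed edges, so the batch VM with the higher CVSS never appears: it has no inbound path, which is exactly the ranking rule in the 'High CVSS = top priority' callout. The blast-radius walk deliberately follows only edges an attacker could use, so a 'has vulnerability' edge does not count as reach. Removing any one edge of the chain empties the re-query, which is why verification should name the specific edge each fix was meant to close.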

Quick check · Q4 of 10 · Analyze

An analyst opens a Wiz finding and clicks 'View in graph'. What does the graph view reveal that the finding summary does not?

Correct: b. The graph view shows the relationship context: the path from internet to resource, the identity the resource runs as, and the data stores reachable through that identity. The finding summary only shows the individual misconfiguration.
👉 So far: Graph-led triage: open the finding, click 'View in graph', trace the exposure path, assess blast radius, scope the fix to the actual edge. Re-query to confirm the toxic combination is gone.


📝 Wrap-up assessment — six more


Q5 · Remember

In the Wiz Security Graph, what is an 'edge'?

Correct: d. Edges are typed directional relationships between nodes (cloud objects). They are what make attack-path and reachability queries possible — without edges, the graph is just a list of resources.
Q6 · Understand

Which entity class in the Security Graph holds IAM roles, service accounts and users?

Correct: c. Identities is the class covering anything that can authenticate and act: cloud IAM roles, service accounts, users and federated identities. Workloads hold CVEs; Data holds PII and secrets; Resources hold infrastructure objects.
Q7 · Apply

A security team wants to find all production workloads that are publicly reachable AND can write to a database tagged 'financial-records'. What is the correct approach in Wiz?

Correct: b. This is a relationship question — reachability + permission + data classification across three entity classes. A WQL graph query traverses those edges in a single operation. Manual methods cannot answer the combined condition at scale.
Q8 · Analyze

A VM has a CVSS 9.8 CVE but no internet exposure and no IAM access to any sensitive data. A second VM has a CVSS 6.5 CVE but is internet-exposed and its service account can read the PII database. Which should be fixed first?

Correct: c. Graph-based priority combines exposure, reachability and blast radius. The isolated CVSS 9.8 VM has no viable attack path; the CVSS 6.5 VM forms a toxic combination (internet exposure + identity + PII access) and is the real risk.
Q9 · Evaluate

An interviewer asks how the Wiz Security Graph reduces alert fatigue. Best answer?

Correct: b. The graph's value is correlation and context: co-occurring factors become toxic combinations, attack paths are ranked by exploitability, and the analyst queue shrinks to what genuinely matters. Suppressing alerts or removing tools is not the mechanism.
Q10 · Evaluate

After remediating a toxic combination (patching the CVE, scoping the IAM role, restricting the security group), what is the correct way to confirm the issue is closed?

Correct: c. Re-querying the graph confirms the edges that formed the toxic combination no longer exist. Wiz auto-resolves the issue on the next graph refresh. Closing the ITSM ticket alone does not prove the graph edge is gone — only a zero-result re-query does.

🧠 In your own words

Type one line: why does a graph model surface toxic combinations that a flat alert list cannot? Then compare with the expert version.

Expert version: A flat alert list answers 'is this resource misconfigured?' — one node at a time. A graph model answers 'is this misconfigured resource reachable from the internet through the identity it runs as, and does that identity have access to sensitive data?' — a multi-hop relationship question. Toxic combinations emerge only when you traverse the edges connecting an internet-exposed resource node to its workload CVE to its identity to its data access. No flat list can express that traversal; the graph does it in a single query.


📖 Glossary

Security Graph
Wiz's core data layer: a continuously updated directed graph of cloud objects (nodes) and their relationships (edges) across resources, identities, workloads and data.
Node
A cloud object in the Security Graph — a VM, bucket, IAM role, container image, secret or data store — carrying properties like CVEs, permissions and classification tags.
Edge
A typed directional relationship between two graph nodes, such as 'can assume', 'is exposed to internet', 'has access to', 'runs on' or 'contains'.
Toxic combination
A co-occurring set of risk factors connected by graph edges that together form a viable attack path, even if no single factor alone is critical.
WQL (Wiz Query Language)
Wiz's declarative graph query language for expressing relationship conditions across Security Graph nodes and edges — also available as a visual drag-and-drop explorer.
Attack path
A computed sequence of graph edges that describes how an attacker could traverse from an internet entry point to a crown-jewel data asset.
Blast radius
The set of resources and data stores reachable from a compromised node by following outbound graph edges — shown visually in the Wiz graph explorer.
Agentless scanning
Wiz's method of building the Security Graph by reading cloud provider APIs and snapshot data without deploying agents on every resource.
