Wiz CNAPP: Platform Overview, Architecture, and Honest Review for 2026

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Wiz reached $500 million in annual recurring revenue faster than any enterprise software company in history and became the most talked-about name in cloud security without shipping an agent. That is not a marketing line. It is the architectural thesis: if you can connect to cloud APIs with read-only credentials, take workload snapshots, and build a graph of every resource relationship in an environment, you can identify real attack paths without touching production workloads.
This review covers what Wiz actually does at the platform level, how the Security Graph works and why it matters, where agentless architecture creates real gaps, what the pricing looks like for mid-size and enterprise deployments, and how it compares to Prisma Cloud and Orca for organizations evaluating CNAPP options in 2026.
What Wiz Is: The Agentless CNAPP Model
Wiz is a cloud-native application protection platform that covers the full CNAPP capability stack: cloud security posture management (CSPM), cloud workload protection (CWPP), cloud identity and entitlement management (CIEM), data security posture management (DSPM), cloud detection and response (CDR), and infrastructure-as-code scanning.
The architectural differentiator is how it collects data. Traditional CWPP tools deploy agents inside workloads to collect process telemetry, file integrity data, and network connections in real time. Wiz connects to cloud provider APIs (AWS, Azure, GCP, OCI) with read-only credentials, takes snapshots of VM disks and container images, and scans those snapshots out-of-band. No agent is installed in any production workload.
The practical implication is deployment speed. A security team can connect Wiz to an AWS organization in under two hours and see scan results within 24 hours across all accounts and regions. There is no agent rollout, no compatibility testing with production workloads, no performance overhead on running instances. For organizations with thousands of workloads across multiple cloud accounts, this is not a small advantage.
Wiz supports AWS, Azure, GCP, OCI, Alibaba Cloud, and Kubernetes clusters across all three major cloud providers. It scans virtual machines, containers, serverless functions, databases, storage buckets, and cloud-managed services from a single console.
Core CNAPP Capabilities
Wiz delivers six primary security capabilities from a single platform.
CSPM (Cloud Security Posture Management): Continuous scanning of cloud resource configurations against CIS Benchmarks, NIST, SOC 2, PCI DSS, HIPAA, and custom policy frameworks. Wiz detects misconfigured S3 buckets, overly permissive security groups, unencrypted databases, and public-facing storage. Configuration findings feed directly into the Security Graph for correlation with other risk factors.
CWPP (Cloud Workload Protection): Agentless vulnerability scanning of OS packages, application dependencies, and container images. Wiz scans VM disk snapshots and container registries for known CVEs, ranks them by exploitability and network exposure rather than raw CVSS score, and surfaces the vulnerabilities that are actually reachable by an attacker given the current network topology.
CIEM (Cloud Identity and Entitlement Management): Analysis of IAM roles, policies, and permission assignments across cloud accounts. Wiz identifies overprivileged identities, unused permissions, cross-account access paths, and privilege escalation routes. CIEM findings integrate with the Security Graph to show which identities can reach which resources and whether those paths represent attack vectors.
DSPM (Data Security Posture Management): Discovery and classification of sensitive data across cloud storage, databases, and data pipelines. Wiz identifies buckets and databases containing PII, credentials, or regulated data, then correlates that data location with access controls and network exposure to surface high-priority data risk.
CDR (Cloud Detection and Response): Runtime threat detection using cloud provider logs (CloudTrail, Azure Activity Log, GCP Audit Logs) and Kubernetes audit logs. Wiz CDR detects anomalous API activity, lateral movement attempts, and known attack patterns without requiring an agent. Coverage is log-based rather than process-level, which has implications for detection depth discussed in the limitations section.
IaC Scanning: Integration with Terraform, CloudFormation, ARM templates, and Kubernetes manifests via CI/CD pipeline plugins (GitHub Actions, GitLab, Jenkins). Wiz flags misconfigurations before they reach production and maps IaC findings to the same policy framework used for runtime posture checks.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
The Security Graph: Why It Matters
The Security Graph is Wiz's core architectural differentiator and the reason the platform resonated so quickly with security teams that had already deployed point solutions.
Most CNAPP and CSPM tools produce findings in isolation. A vulnerability scanner reports a critical CVE on an EC2 instance. A CSPM tool reports that the instance has a public IP and an overly permissive security group. A CIEM tool reports that the instance profile has administrator-level IAM permissions. These are three separate findings in three separate dashboards, and none of them individually communicates the severity of the combined situation.
The Security Graph connects these findings. It builds a graph model of every resource in a cloud environment: compute instances, containers, databases, storage buckets, IAM roles, network interfaces, secrets, and the relationships between them. When a critical CVE appears on an EC2 instance that is directly reachable from the internet with a security group allowing port 22 inbound, and that instance has an IAM instance profile with AdministratorAccess, the Security Graph surfaces this as a single high-severity attack path: internet-exposed, exploitable, with admin-level blast radius.
This combination-based prioritization is the Security Graph's primary value. Rather than asking security teams to manually correlate findings across tools, Wiz computes which configurations represent paths an attacker could actually walk from an initial access point to a high-value target. In environments with thousands of resources and hundreds of individual findings, this contextual prioritization dramatically reduces the triage burden.
The graph also models lateral movement paths. If a compromised container can reach a database via internal networking, and that database contains sensitive data, Wiz surfaces the full path from initial compromise vector to data exposure, not just the individual misconfigurations along it.
Agentless Architecture: Benefits and Real Tradeoffs
Agentless scanning via cloud API and disk snapshot is Wiz's defining architectural choice. It enables fast deployment, eliminates agent compatibility and overhead concerns, and provides broad coverage across any cloud workload type. But it introduces genuine limitations that security teams need to account for before treating Wiz as a complete workload security solution.
What agentless does well: Configuration and vulnerability scanning at cloud scale without operational overhead. Wiz reads disk snapshots, so it can scan for CVEs, hardcoded secrets, and misconfigurations in workloads that cannot run agents (legacy OS versions, managed Kubernetes nodes, serverless functions, database services). Coverage breadth across heterogeneous cloud environments is a genuine advantage over agent-based tools that require per-workload compatibility testing.
What agentless cannot do: Real-time runtime protection. Because Wiz does not run in the workload, it cannot block malicious processes, intercept system calls, or enforce runtime policies at the process level. If malware executes on a VM, Wiz will detect indicators in CloudTrail logs after the fact, not in real time during execution. There is also a detection latency window between when a new workload is deployed and when Wiz scans its snapshot, typically measured in hours.
The runtime gap: Organizations that require runtime workload blocking, file integrity monitoring at the kernel level, or sub-minute detection latency for in-process threats need an agent-based CWPP alongside Wiz. CrowdStrike Falcon, Sysdig Secure, and Aqua Security all provide agent-based runtime protection that complements Wiz's agentless posture management. Wiz has acknowledged this gap and acquired Gem Security in 2024 to deepen CDR capabilities, but the core runtime blocking limitation remains architectural.
Practical guidance: For most cloud-native organizations without a requirement for kernel-level runtime enforcement, the agentless tradeoff is acceptable. The posture management, vulnerability prioritization, and identity risk capabilities that Wiz delivers agentlessly outweigh the runtime limitation for organizations that have accepted cloud provider managed services as their primary workload model.
Pricing: What It Actually Costs
Wiz does not publish list pricing. Contracts are negotiated, and pricing varies significantly based on workload count, contract term, and negotiating position.
Based on market reporting and practitioner-shared data, typical Wiz pricing for mid-size deployments (1,000 to 5,000 workloads) runs approximately $15 to $25 per workload per month, which translates to $180,000 to $1.5 million annually depending on environment size. Enterprise deployments with thousands of workloads often negotiate per-unit rates below $15 through multi-year commitments.
Wiz counts workloads broadly: virtual machines, container nodes, serverless functions, and cloud-managed database instances all typically count as billable workloads. In containerized environments where nodes run dozens of pods, the node count rather than the pod count typically drives pricing, but this is negotiable.
The pricing model creates a meaningful adoption barrier for organizations at scale. A company running 10,000 cloud workloads is looking at a seven-figure annual spend even at aggressive negotiated rates. For organizations with mature existing CSPM tooling from cloud providers (AWS Security Hub, Azure Defender for Cloud, GCP Security Command Center), the incremental value of Wiz needs to justify a significant premium over native tooling that may already be included in enterprise cloud agreements.
Where Wiz pricing tends to be justified: organizations running multi-cloud environments where native cloud security tools lack cross-cloud correlation, security teams that have tried to build the Security Graph manually with SIEM correlation rules and found the operational overhead unsustainable, and companies in regulated industries where consolidated audit evidence from a single platform has compliance value.
Who Wiz Is Best For
Wiz is most clearly the right platform for cloud-native organizations that have the following characteristics.
Multi-cloud or large-scale single-cloud environments: The Security Graph delivers its highest ROI when it is correlating risk across thousands of resources. Small environments with fewer than 200 workloads get less value from graph-based prioritization because manual review of individual findings is feasible at that scale.
Security teams that want deployment speed: Organizations rebuilding cloud security programs after a breach, or new security teams standing up coverage quickly, benefit from Wiz's ability to produce comprehensive scan results within 24 to 48 hours of connecting cloud accounts. Agent-based platforms that require rollout coordination with infrastructure teams often take months to achieve equivalent coverage.
Organizations running AWS, Azure, GCP, or OCI natively: Wiz is built for cloud-provider API integration. It does not support on-premises infrastructure, VMware vSphere without a cloud layer, or private data centers. Organizations with significant on-premises workloads need to assess whether their on-prem coverage requirements can be met separately.
Kubernetes-heavy environments: Wiz's Kubernetes scanning covers cluster configurations, RBAC permissions, container image vulnerabilities, and network policies. For organizations running large Kubernetes footprints across multiple cloud providers, the unified Kubernetes view across clusters is a significant operational advantage.
Security teams without dedicated agent management capacity: Smaller security teams that cannot operationally support agent rollout, compatibility testing, and version management across thousands of workloads benefit from eliminating that overhead entirely.
Limitations to Know Before Buying
Three limitations should be evaluated explicitly before committing to Wiz.
No on-premises support: Wiz is a cloud-only platform. Organizations with hybrid or on-premises workloads need separate tooling for those environments. There is no Wiz agent, no Wiz on-premises scanner, and no path to extending Wiz coverage to bare-metal or VMware workloads. If a significant portion of your workload footprint is on-premises, Wiz covers only part of your attack surface.
No runtime workload blocking: As described in the architecture section, Wiz cannot block malicious processes at runtime. CDR capabilities provide log-based detection of anomalous cloud API activity, but there is no in-workload enforcement. For compliance frameworks that require active runtime protection (PCI DSS 6.3.2 anti-malware requirements, for example), Wiz alone does not satisfy the control.
Cost at scale: The per-workload pricing model scales linearly with infrastructure growth. Organizations with aggressive cloud expansion plans should model their workload trajectory over a three-year contract period carefully. Workload counts in Kubernetes environments can grow significantly through containerization without corresponding business value growth, which inflates Wiz licensing costs without proportional security benefit.
Scan latency: Agentless scanning means new workloads are not immediately scanned. The typical scan cycle produces results within a few hours of workload deployment. In environments where short-lived workloads spin up, run for 30 to 60 minutes, and terminate, Wiz may never scan them at all. Ephemeral workload coverage requires either accepting the gap or supplementing with image registry scanning in the CI/CD pipeline.
Honest Comparison: Wiz vs. Prisma Cloud vs. Orca
Three platforms dominate enterprise CNAPP evaluations in 2026: Wiz, Palo Alto Networks Prisma Cloud, and Orca Security. Here is an honest comparison across the dimensions that matter most.
Wiz vs. Prisma Cloud: Prisma Cloud is the incumbent enterprise platform with deeper policy control, broader compliance framework coverage out of the box, and tighter integration with Palo Alto Networks' broader security portfolio (XSIAM, Cortex XDR). Prisma Cloud supports hybrid and on-premises workloads through agent-based scanning and has more mature runtime workload protection capabilities.
Wiz is simpler to deploy, faster to produce value, and has a significantly better user interface for investigation workflows. The Security Graph is more intuitive than Prisma Cloud's attack path visualization, and the false positive rate on prioritized findings is lower in practitioner comparisons. Organizations already running Palo Alto products get more integration value from Prisma Cloud. Organizations without Palo Alto investments typically find Wiz faster to operationalize and easier to maintain.
Wiz vs. Orca Security: This is the closest head-to-head comparison. Both are agentless CNAPP platforms with Security Graph-style risk correlation. The architectural approaches are nearly identical: both use cloud API access and snapshot scanning.
Orcal is typically priced 20 to 30 percent lower than Wiz for equivalent workload counts, which matters significantly at scale. Wiz has broader enterprise brand recognition and a larger customer base, which translates to better practitioner community resources and more third-party integration development. Orca's SideScanning technology is technically equivalent to Wiz's snapshot approach.
For organizations where Wiz's pricing is prohibitive, Orca delivers comparable CNAPP coverage at lower cost. For organizations where vendor stability, support quality, and ecosystem integrations are the primary decision criteria, Wiz's larger installed base and $300 million funding runway (before the Google acquisition) justify the premium.
The Google acquisition context: Google announced its intent to acquire Wiz for $32 billion in 2024. The acquisition is expected to close in 2025-2026. Organizations evaluating Wiz should assess their comfort with Google Cloud as an eventual parent company and consider how platform integration with Google Cloud services may affect multi-cloud neutrality over time.
The bottom line
Wiz earns its market position by solving the real operational problem that CNAPP buyers face: not a lack of security findings, but too many disconnected findings to triage effectively. The Security Graph's ability to surface a publicly exposed, unpatched, over-privileged instance as a single prioritized attack path rather than three separate alerts is a genuine operational improvement over alert-per-finding tools. For cloud-native organizations running AWS, Azure, or GCP at scale with security teams that cannot absorb agent management overhead, Wiz is the default-correct CNAPP choice in 2026. The pricing requires careful workload count modeling over contract duration, the runtime blocking gap requires either accepting the limitation or pairing Wiz with an agent-based CWPP for enforcement-sensitive environments, and the pending Google acquisition is a vendor risk factor worth acknowledging in multi-year procurement decisions.
Frequently asked questions
What is Wiz CNAPP?
Wiz is a cloud-native application protection platform (CNAPP) that uses agentless architecture to secure cloud environments. It connects to AWS, Azure, GCP, OCI, and Kubernetes via read-only cloud APIs, scans workload snapshots without deploying agents, and builds a Security Graph that correlates misconfigurations, vulnerabilities, identity permissions, network exposure, and secrets to surface complete attack paths. Wiz covers CSPM, CWPP, CIEM, DSPM, CDR, and IaC scanning from a single platform.
How does Wiz's Security Graph work?
The Wiz Security Graph is a graph database model of every resource in a cloud environment and the relationships between them. Instead of reporting misconfigurations, vulnerabilities, and identity issues as separate findings, the graph connects them to identify which combinations represent actual attack paths. For example, an internet-exposed EC2 instance with a critical unpatched CVE and an admin IAM role is surfaced as a single high-severity toxic combination rather than three separate alerts. This correlation-based prioritization reduces the triage burden by surfacing the configurations an attacker can realistically exploit rather than every individual policy violation.
What is agentless cloud security and what are its tradeoffs?
Agentless cloud security means Wiz collects data by connecting to cloud provider APIs and reading workload disk snapshots rather than deploying software agents inside production workloads. Benefits include fast deployment (hours rather than weeks), no agent compatibility or performance overhead, and coverage across workload types that cannot run agents. The primary tradeoff is that agentless scanning cannot provide real-time runtime blocking. Wiz detects threats through cloud log analysis rather than in-workload process monitoring, so it cannot intercept malicious processes during execution. Organizations that require runtime workload blocking need an agent-based CWPP alongside Wiz.
How much does Wiz cost?
Wiz prices by workload count and does not publish list pricing. Mid-size deployments of 1,000 to 5,000 workloads typically run $15 to $25 per workload per month based on practitioner-reported deal data, translating to roughly $180,000 to $1.5 million annually. Enterprise deployments with multi-year commitments often negotiate below $15 per workload. Wiz counts virtual machines, container nodes, serverless functions, and cloud-managed database instances as billable workloads. Pricing is negotiated and varies significantly based on environment size and contract terms.
How does Wiz compare to Prisma Cloud and Orca?
Wiz versus Prisma Cloud: Wiz is simpler to deploy and has better attack path visualization. Prisma Cloud has deeper policy controls, supports on-premises workloads via agents, and integrates with the broader Palo Alto Networks security portfolio. Organizations already running Palo Alto tools often prefer Prisma Cloud for integration continuity. Wiz versus Orca: Both are agentless CNAPP platforms with very similar technical approaches. Orca is typically 20 to 30 percent cheaper for equivalent workload counts. Wiz has a larger enterprise installed base and more third-party integrations. For price-sensitive buyers, Orca delivers comparable coverage at lower cost.
How do security teams operationalize Wiz Security Graph findings without drowning in attack paths?
The most effective operationalization approach is a severity-tiered triage policy built around three criteria: internet exposure, exploitability, and blast radius. Configure Wiz to surface as Priority 1 only those attack paths where all three are present simultaneously -- a workload directly reachable from the internet, with a Critical or High CVE that has a known public exploit, and with an IAM role or service account that has write or admin access to sensitive resources. That combination is typically a small fraction of total Security Graph findings and represents your actual highest-risk attack surface. Use Wiz's JIRA or ServiceNow integration to auto-create tickets for Priority 1 paths with a defined SLA, typically 24 to 72 hours for remediation or compensating control documentation. For the broader pool of medium-severity findings, run a weekly graph review in which the cloud security engineer filters by resource type -- exposed storage buckets, overprivileged Lambda execution roles, unencrypted databases with public endpoints -- and batches remediation by fix owner rather than processing each finding individually. Establish a baseline graph snapshot at each quarter to track whether your toxic combination count is decreasing over time, which is more meaningful as a security metric than total finding count.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
