CloudSecurity

Wiz ProdSec Team’s Cloud Security Playbook

Inside the ProdSec Playbook: Operationalizing Wiz for End-to-End Cloud Security

Modern Product Security teams face a unique challenge: how do you secure rapidly evolving cloud environments without slowing down engineering? For high-performing teams, the answer lies in moving beyond reactive posture management and deeply integrating security tooling into both the developer workflow and the infrastructure fabric.

Here is an inside look at how Wiz’s very own ProdSec team is pushing the boundaries of Wiz, turning it into a comprehensive toolkit for custom threat detection, CI/CD guardrails, and proactive threat modeling.

Securing the Pipeline: Shift-Left with CLI Scanning

You cannot secure what you cannot see, and you cannot fix what’s already been deployed without causing friction. To catch vulnerabilities and misconfigurations at the source, ProdSec embeds the Wiz CLI directly into developer workflows.

By integrating Wiz CLI scanning in CI/CD pipelines, engineering teams can automate security checks on every pull request. On top of that, a version control system (VCS) integrates with Github to scan pull requests, secrets, infrastructure-as-code (IaC), and block merges.

Cloud Configuration Rules (CCRs) are Wiz’s way of performing posture checks in the cloud. Each rule evaluates a resource against a secure baseline and raises a finding when it drifts. Wiz ships an extensive catalog of built-in CCRs covering well-known resource types across the major cloud providers. Organizations may also have unique resources or compliance needs, so where a gap exists, custom Rego policy-as-code rules can be written in Wiz to address these requirements.

Beyond checking deployed cloud resources for misconfiguration, CCRs can also scan IaC and build artifacts (Kubernetes manifests, Terraform/CloudFormation, Dockerfiles, etc.) as checks in CI pipelines and pull requests by identifying risky configurations and stopping them before they create misconfigured cloud resources. CCRs can also be used in conjunction with Kubernetes Admission Controllers to enforce frameworks such as Pod Security Standards, restricting or blocking requests to deploy non-compliant configurations into clusters.

Automated Threat Detection and Response

Cloud threats continue to increase in both volume and sophistication. To keep pace, the Product Security team relies on a dynamic catalog of detection rules informed by real-world incidents, active threat intelligence, and continuous research.

Given the size and scope of that telemetry, automation is an essential cornerstone of security operations. The ProdSec team relies on the Wiz Blue Agent to investigate new detections and perform initial triage and assessment: for every threat, it mimics a human investigation across Wiz’s telemetry, findings, and risk context, then returns a verdict, a confidence level, and its reasoning. That consistent first pass keeps humans focused on the highest-priority alerts and the detections most likely to represent true positives.

Detection accuracy compounds over time as well, as Wiz’s detection engine builds behavioral baselines of all activity. Wiz’s built-in capabilities cover the majority of use cases. For the remainder, they are written and curated by teams of experts in the fields of threat research and detection and response.

In addition to the built-in capabilities of Wiz Defend, the ProdSec team needs custom detections that are specific to Wiz’s environment which, similarly to CCR, can be defined as code and used to identify environment-specific anomalies. For example, they may have resources which under normal circumstances are never accessed or created except through automation or machine identities with unique identifiers that only Wiz staff possesses knowledge of. When access patterns deviate from current well-known baselines, they rely on custom alerting to catch these edge cases which integrate seamlessly with the rest of the platform, support custom correlation, and take advantage of the same AI-based analysis and notification rules.

Contextualizing Alerts for Specialized Infrastructure

Standard alerting is great for standard environments, but modern cloud footprints often include highly specialized, bespoke infrastructure. ProdSec takes the lead in establishing dedicated alerting frameworks for these unique environments. By tuning Wiz to understand the specific risks and baseline behaviors of specialized infrastructure, ProdSec ensures that no dark corners of Wiz’s multi-cloud infrastructure go unmonitored.

With the combination of CCRs and TDRs, ProdSec monitors the Issues that are being created in Wiz. These Issues represent toxic combinations that may include vulnerabilities, misconfigurations, and other risk factors that need to be addressed based on severity. Through Wiz Workflows, each Issue triggers automation to put the work in Jira for triaging, assessment, and SLA tracking. 

Threat Modeling & Secure Design

Before new product features or infrastructure changes are ever committed to code, ProdSec executes rigorous security review workflows. This is where proactive threat modeling comes into play. By identifying trust boundaries, evaluating risks, and understanding the potential blast radius during the design phase, ProdSec maps out exactly which Wiz controls (like new CCRs or TDRs) will need to be implemented before the feature goes live.

To scale this process without proportionally growing the team, ProdSec has built an AI-driven security review agent that assists engineers through the design phase. The agent draws on live Wiz context, such as existing CCRs and TDRs, the security graph, current findings, and resource relationships, to give reviewers an accurate picture of what controls are already in place, what gaps a proposed change would introduce, and what the blast radius looks like before a single line of code is written.

Pressure-Testing the Tooling: The ProdSec QA Loop

Finally, a mature ProdSec team does not only consume security tools; the ProdSec team actively pressure-tests them, often acting as an internal quality assurance function for Wiz’s own security stack. By aggressively testing security guardrails and simulating attacks, they hunt for edge cases where controls might break or fail to trigger. 

A concrete example of this partnership is Red Agent, Wiz’s AI-powered attack simulation feature, where ProdSec works directly with the product team to test, validate, and refine its detection capabilities against Wiz’s own infrastructure before broader release. This continuous feedback loop helps identify blind spots in detection coverage, allowing the team to iterate on their Wiz deployments, refine their rules, and ensure the organization’s cloud security posture is actually as strong as it looks on paper.

Securing the cloud is not a one-time setup; it is an ongoing engineering practice. By leveraging Wiz for everything from early–stage code scanning to runtime custom threat detection, Wiz’s ProdSec team built a scalable, automated security program that moves at the speed of the cloud.

Want to learn more about building custom rules and securing your cloud native environments?

Get a Wiz demo



Source link