Wiz Sensor Workload Scanner brings runtime visibility and context to hybrid environments—cloud, on-prem, and edge—all in a single platform.
# Tool/Technique: Wiz Sensor Workload Scanner
## Overview
Wiz Sensor Workload Scanner is a new capability introduced as part of **Wiz for Exposure Management**. Its primary purpose is to extend deep workload visibility and security context to private cloud, on-premises, and edge environments, complementing its existing cloud security capabilities. It focuses on runtime validation of vulnerabilities to prioritize exploitable risks across hybrid infrastructure.
## Technical Details
- Type: Tool (Security Scanning/Posture Management)
- Platform: Linux and Windows virtual machines (in private cloud environments like VMware, OpenStack), self-hosted Kubernetes clusters (e.g., OpenShift), bare metal, and edge workloads.
- Capabilities: Agentless/sensor-based scanning, runtime vulnerability validation, workload inspection (including memory), SBOM generation, context integration from platform APIs (VMware, K8s, OpenStack), and unified policy enforcement.
- First Seen: Recently announced (launch/preview stage)
## MITRE ATT&CK Mapping
The described capabilities relate primarily to **Defense Evasion** (by accurately identifying risks that bypass traditional static scanning) and **Reconnaissance/Discovery** (by mapping assets and vulnerabilities), although the tool itself is a defensive security product. The ATT&CK tactics and techniques listed below correspond to the *threat visibility gaps* it addresses, not to behaviour of the tool:
- TA0001 - Initial Access (Indirectly, by exposing potential cloud/on-prem paths)
- TA0003 - Persistence (Indirectly, by identifying configurations that allow persistence)
- TA0005 - Defense Evasion (By focusing on runtime context rather than static signatures)
- T1027 - Obfuscated Files or Information (By validating true exposure, filtering noise)
- TA0007 - Discovery
- T1082 - System Information Discovery (Inventory and inspection of running workloads)
## Functionality
### Core Capabilities
- **Hybrid Environment Scanning:** Enables scanning across Linux and Windows VMs in private cloud environments (VMware, OpenStack) and self-hosted Kubernetes clusters.
- **Edge Coverage:** Reaches bare metal and edge workloads.
- **Runtime Validation:** Validates identified vulnerabilities against what is actively running in memory, filtering out potentially irrelevant or inactive CVEs present only on disk.
- **Unified Policy Enforcement:** Applies consistent posture and compliance rules (e.g., CIS benchmarks) across cloud, private workloads, and container clusters.
### Advanced Features
- **Security Graph Correlation:** Links findings (vulnerabilities) to broader context such as internet exposure, possession of sensitive data, and integration within cross-environment threat paths (e.g., linking an on-prem vulnerability to a cloud-connected service).
- **Platform Context Integration:** Injects posture details like network exposure, identity access, and compliance status by integrating with infrastructure platforms (VMware, Kubernetes, OpenStack).
- **SBOM Generation:** Builds Software Bill of Materials (SBOMs) during inspection.
## Indicators of Compromise
This entry describes a legitimate security tool, not malware. Therefore, standard IoCs related to compromise are not applicable. The "indicators" here relate to the environment being monitored.
- File Hashes: N/A (Sensor/Agent related metadata, not provided)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A (The tool establishes communication with Wiz infrastructure, but this is expected administrative traffic)
- Behavioral Indicators: Lightweight sensor optimized for resource efficiency; behavior involves inspecting running workloads and communicating posture data.
## Associated Threat Actors
Wiz Sensor Workload Scanner is a commercial security product. No threat actors are associated with its use; its users are Wiz customers deploying it for defensive purposes.
## Detection Methods
As a security tool, "detection" here means verifying that the sensor is correctly deployed and operating, not detecting malicious activity.
- Signature-based detection: N/A
- Behavioral detection: N/A
- YARA rules if available: N/A
## Mitigation Strategies
The product itself is a mitigation strategy designed to address the "Hybrid Security Problem."
- Prevention measures: Adopting unified security platforms that provide end-to-end visibility; prioritizing risks based on runtime context rather than static CVE lists.
- Hardening recommendations: Utilizing the tool to enforce consistent posture and compliance rules across all hybrid environments.
## Related Tools/Techniques
This tool is designed to replace or integrate disjointed processes traditionally handled by:
- Traditional vulnerability scanners (on-prem focused)
- Endpoint Detection and Response (EDR) agents (used for some workload visibility)
- Separate cloud-native security platforms (CSPM/CWPP)
- Manual risk stitching/correlation activities
- Related Wiz products (Wiz for Exposure Management)