Full Report
The Wiz JetBrains IDE plugin is now generally available, enabling developers to fix risks before code leaves their local environment.
Analysis Summary
The article announces general availability of the **Wiz for JetBrains IDE plugin**, a tool for "shift-left" security. It describes no malware, attack framework, or attacker TTPs, only a defensive tool and its capabilities. This summary therefore covers the tool, the classes of weakness it detects, and, where a mapping is meaningful, the MITRE ATT&CK techniques an attacker could use against those weaknesses if they reached production.
# Tool/Technique: Wiz JetBrains IDE Plugin
## Overview
The Wiz JetBrains IDE plugin is a security tool that integrates Wiz's cloud security intelligence directly into the JetBrains Integrated Development Environment (IDE). Its purpose is to allow developers to find and fix security risks, such as misconfigurations, vulnerabilities, exposed secrets, and sensitive data, in real-time *before* the code leaves the local development environment.
## Technical Details
- Type: Tool (Defensive Security Platform Integration)
- Platform: JetBrains IDEs (e.g., IntelliJ IDEA, GoLand) running on the developer's workstation; findings are correlated with the customer's running cloud environment via the Wiz Security Graph.
- Capabilities: Scanning of application code and Infrastructure as Code (IaC) on each file save, correlation of local findings with cloud context, inline remediation suggestions, and local enforcement of the same security policies used in production.
- First Seen: The general availability (GA) was announced on January 20, 2026 (based on the context date).
## MITRE ATT&CK Mapping
Since this is a defensive tool, it does not map to ATT&CK directly. The entries below list the techniques an attacker could use against the weaknesses the plugin detects, i.e. the coverage the tool provides when a finding is fixed before commit.
- **Defensive Capability**: Detection and remediation integrated into the development workflow, before version control and CI/CD.
- **Hard-coded secrets in source** → **TA0006 Credential Access / T1552 Unsecured Credentials** (T1552.001 Credentials In Files): a committed key can be harvested from the repository or from build artifacts.
- **Publicly readable cloud storage definitions** → **TA0009 Collection / T1530 Data from Cloud Storage**: a public bucket ACL lets an unauthenticated party list and download objects.
- **Overly permissive network rules** (e.g., administrative ports open to 0.0.0.0/0) → **TA0001 Initial Access / T1133 External Remote Services**.
- **Known vulnerable dependencies in Internet-facing services** → **TA0001 Initial Access / T1190 Exploit Public-Facing Application**.
*Note: the tool mitigates these techniques only for findings that are fixed before the code is committed and deployed; it does not observe or block attacker activity at runtime.*
## Functionality
### Core Capabilities
- **Real-time Scanning:** Scans application code and IaC files upon every file save to identify security risks like hard-coded secrets, IaC misconfigurations, and vulnerable patterns.
- **Workflow Integration:** Security feedback is provided inline within the IDE, eliminating the need to wait for CI/CD pipelines or juggle external dashboards.
- **Policy Enforcement:** Enforces the same security policies used in production environments locally.
### Advanced Features
- **Code-to-Cloud Context:** Utilizes the **Wiz Security Graph** to connect local code findings (e.g., a vulnerable library) to the actual running cloud environment, highlighting risks based on exposure and reachability (e.g., a secret tied to a high-privilege IAM role).
- **Actionable Quick Fixes:** Provides inline, one-click remediation suggestions to resolve complex cloud risks immediately.
- **Validation Loop:** Automatically rescans files after a fix is applied to validate the change.
## Indicators of Compromise
This tool is a defensive product extension; thus, it does not generate traditional Indicators of Compromise (IOCs) associated with malware. Instead, the IOCs relate to the *misconfigurations or flaws* it is designed to detect:
- File Hashes: N/A (It analyzes existing code/files)
- File Names: *Findings relate to issues within:* Application source code files, Infrastructure as Code (IaC) files (e.g., Terraform, YAML, JSON definitions).
- Registry Keys: N/A
- Network Indicators: N/A (the plugin connects outbound to the Wiz platform for Security Graph context; this is expected product traffic, not command-and-control behavior.)
- Behavioral Indicators: *Insecure patterns the tool flags (developer mistakes rather than attacker behavior):*
- Introduction of secrets (passwords, API keys) into source code.
- Creation of insecure cloud resource definitions (e.g., publicly open S3 buckets, overly permissive security group rules).
- Inclusion of known vulnerable software dependencies.
## Associated Threat Actors
N/A. This tool is used by security and development teams (Blue Team) to secure development pipelines.
## Detection Methods
Detection here means the plugin's own mechanisms for identifying risk, as far as the article describes them:
- **Pattern (signature) matching:** Known secret formats (e.g., cloud provider access key prefixes) and known vulnerable code patterns in application source.
- **Policy evaluation of parsed IaC:** Resource definitions (Terraform, YAML, JSON) are checked against the same policies used for the production cloud environment. This is a structural check on the parsed resource model, not text matching, so a public bucket ACL or a world-open security group rule is caught regardless of how it is written.
- **Dependency checks:** Declared libraries are compared against known-vulnerable versions and prioritized by whether the Security Graph shows them deployed and reachable.
- **YARA rules:** Not mentioned in the article; the underlying scanning engine is not specified.
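The detection logic described in the lists above, as an added illustration that is not Wiz's code and not from the article: signature-style matching of secret formats on a saved source file, policy checks over a parsed IaC resource model (a public S3 ACL and an administrative port open to 0.0.0.0/0), then a quick fix followed by a rescan as in the validation loop. The sample source snippet and the Terraform JSON-syntax resources are constructed for this example, the rule names are hypothetical, and `${var.admin_cidr}` is a placeholder variable the developer would still have to define.

```python
import copy
import re
from typing import Dict, List

# Constructed sample input (not from the Wiz product or the article).
# The AWS key below is AWS's documented example key, not a live credential.
SOURCE_SNIPPET = """import boto3
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
DB_PASSWORD = "hunter2-hunter2"
session = boto3.Session(aws_access_key_id=AWS_ACCESS_KEY_ID)
"""

# Constructed Terraform JSON-syntax resources: a bucket with a public ACL and a
# security group exposing SSH (and, legitimately, HTTPS) to the whole Internet.
IAC_WEAK = {
    "resource": {
        "aws_s3_bucket": {"logs": {"bucket": "example-logs", "acl": "public-read"}},
        "aws_security_group": {
            "web": {
                "ingress": [
                    {"from_port": 22, "to_port": 22, "protocol": "tcp",
                     "cidr_blocks": ["0.0.0.0/0"]},
                    {"from_port": 443, "to_port": 443, "protocol": "tcp",
                     "cidr_blocks": ["0.0.0.0/0"]},
                ]
            }
        },
    }
}

# Signature-style rules (hypothetical names): the AWS access key ID format, and a
# generic "credential-looking name = quoted literal" assignment. Real scanners add
# entropy checks and allowlists to cut false positives; omitted here for brevity.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "hardcoded_credential_assignment": re.compile(
        r"(?i)(password|secret|api_key|token)\s*=\s*['\"][^'\"]{8,}['\"]"),
}

ADMIN_PORTS = {22, 3389}  # SSH, RDP
WORLD = "0.0.0.0/0"


def scan_secrets(text: str) -> List[Dict]:
    """Line-by-line pattern match; one finding per rule per line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append({"rule": rule, "line": lineno})
    return findings


def _exposes_admin_port_to_world(rule: dict) -> bool:
    ports = range(rule.get("from_port", 0), rule.get("to_port", 0) + 1)
    return WORLD in rule.get("cidr_blocks", []) and bool(ADMIN_PORTS.intersection(ports))


def scan_iac(doc: dict) -> List[Dict]:
    """Policy checks over the parsed resource model, not over raw text."""
    findings = []
    resources = doc.get("resource", {})
    for name, bucket in resources.get("aws_s3_bucket", {}).items():
        if bucket.get("acl", "private") in ("public-read", "public-read-write"):
            findings.append({"rule": "s3_public_acl",
                             "resource": f"aws_s3_bucket.{name}"})
    for name, sg in resources.get("aws_security_group", {}).items():
        for rule in sg.get("ingress", []):
            if _exposes_admin_port_to_world(rule):
                findings.append({"rule": "admin_port_open_to_world",
                                 "resource": f"aws_security_group.{name}",
                                 "port": rule.get("from_port")})
    return findings


def apply_quick_fixes(doc: dict) -> dict:
    """Return a remediated copy: private ACLs, and admin-port rules re-scoped to a
    placeholder variable (hypothetical name) that the developer must define."""
    fixed = copy.deepcopy(doc)
    resources = fixed.get("resource", {})
    for bucket in resources.get("aws_s3_bucket", {}).values():
        if bucket.get("acl") in ("public-read", "public-read-write"):
            bucket["acl"] = "private"
    for sg in resources.get("aws_security_group", {}).values():
        for rule in sg.get("ingress", []):
            if _exposes_admin_port_to_world(rule):
                kept = [c for c in rule["cidr_blocks"] if c != WORLD]
                rule["cidr_blocks"] = kept + ["${var.admin_cidr}"]
    return fixed


def on_save(source_text: str, iac_doc: dict) -> List[Dict]:
    """What an IDE save hook would run: both scanners, findings merged."""
    return scan_secrets(source_text) + scan_iac(iac_doc)


if __name__ == "__main__":
    for finding in on_save(SOURCE_SNIPPET, IAC_WEAK):
        print(finding)
    # Validation loop: rescan the remediated model and expect no findings.
    print("after quick fixes:", scan_iac(apply_quick_fixes(IAC_WEAK)))
```

The HTTPS rule is deliberately left open to 0.0.0.0/0 and is not flagged: the policy is about administrative ports, and a check that fired on every world-open rule would bury the real finding in noise, which is the kind of prioritization the article attributes to cloud context.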
## Mitigation Strategies
The tool itself *is* a mitigation strategy aimed at shifting security left:
- **Prevention measures:** Flagging issues on each file save in the IDE, so insecure code is fixed before it reaches version control or CI/CD.
- **Hardening recommendations:** Enforcing the same production-aligned security policies at the earliest stage of development, with immediate, actionable guidance for the fix.
## Related Tools/Techniques
- Wiz Extend (For integration into cloud services and version control systems)
- Traditional Static Application Security Testing (SAST) tools.
- Cloud Security Posture Management (CSPM) tools (The integration bridges the gap between CSPM context and local code).