Full Report
Let's take a look at how Wiz designed the agentless workload scanner to be modular and scalable, and what security measures Wiz takes to protect sensitive customer data.
Analysis Summary
# Tool/Technique: Wiz Workload Scanner (Agentless Cloud Security Scanning)
## Overview
The Wiz Workload Scanner is a core component of the Wiz security platform, designed to provide agentless, API-based scanning of cloud environments (including VMs, containers, serverless, registries, and databases). Its primary purpose is to analyze multiple layers of risk—network, identity, data, and workloads—without deploying third-party agents into production environments, thereby accelerating deployment and reducing supply chain risk.
## Technical Details
- Type: Tool / Security Platform Component
- Platform: Multi-cloud (AWS, Azure, GCP, etc.)
- Capabilities: Agentless deep scanning across infrastructure layers (network, identity, data, workloads), multi-cloud compatibility, data residency enforcement, stateless design.
- First Seen: Not stated explicitly; the context implies recent adoption in the cloud security market as a replacement for legacy agent-based tooling.
## MITRE ATT&CK Mapping
The tool itself is a defensive security solution; the mappings below describe how its operational context relates to Enterprise tactics and techniques rather than adversary behaviour the tool exhibits.
- **TA0001 - Initial Access** (Relevant in denying external access, though the tool focuses on post-deployment visibility)
- **T1190 - Exploit Public-Facing Application** (The visibility gained helps detect misconfigurations exploited via this vector)
- **TA0005 - Defense Evasion** (Tool mitigates evasion by not introducing new executable code/agents)
- **T1077 - Third-Party Software** (Agentless nature avoids dependencies on third-party code execution)
- **TA0007 - Discovery** (Tool performs deep asset and configuration discovery)
- **T1518 - Software Discovery**
- **TA0012 - Collection** (Tool collects configuration and data state)
## Functionality
### Core Capabilities
* **Agentless Scanning:** Utilizes cloud-native APIs to inspect environments (VMs, containers, serverless) without installing third-party agents, so no vendor code executes inside production workloads.
* **Multi-Layer Analysis:** Analyzes configuration, network posture, identity permissions, and workload context for end-to-end risk analysis.
* **Scalability and Resilience:** Designed to be stateless, leveraging cloud-native autoscaling for resilience and supporting large-scale environments efficiently.
* **Data Residency:** Ensures scanning data remains in the origin cloud region, with only redacted scan results sent to the central tenant.
### Advanced Features
* **Flexible Deployment:** Offers both **Full SaaS (Wiz-hosted scanner)** where Wiz manages the scanner, and **Customer-hosted scanner** where the scanner runs entirely within the customer's infrastructure, minimizing snapshot access for highly regulated environments.
* **Least Privilege Principle:** The scanner operates under explicitly assigned privileges, which are continually reassessed to keep its access rights to the minimum required.
* **Unified Coverage:** A single scanner design supports continuous scanning across diverse assets including VMs, containers, serverless functions, registries, databases, and object buckets.
## Indicators of Compromise
*This section is not applicable as the Wiz Workload Scanner is a legitimate defensive security tool, not malware or an offensive component.*
## Associated Threat Actors
*This section is not applicable as the Wiz Workload Scanner is a defensive security product used by organizations.*
## Detection Methods
*As this is a security tool, detection focuses on validating its secure operation and ensuring misconfiguration avoidance.*
- **Configuration Auditing:** Verification of IAM policies to ensure the scanner adheres to the least privilege model defined by the organization.
- **Behavioral Monitoring:** Monitoring API calls generated by the scanner to ensure they align with expected read/snapshot operations and do not exceed defined permissions scope.
- **Supply Chain Risk Check:** Continuous validation that no unauthorized or outdated scanner versions are being used, mitigating the risk of a "SolarWinds type of attack."
## Mitigation Strategies
- **Least Privilege Enforcement:** Strictly assess and limit the privileges granted to the scanning identity (vendor role) to only what is necessary for scanning operations (read-only access, snapshot creation/deletion where applicable).
- **Deployment Model Selection:** For highly sensitive environments, utilize the **Customer-hosted workload scanner** model to ensure Wiz never directly accesses or stores cloud snapshots.
- **Data Flow Validation:** Verify that only scan results, and not raw sensitive customer data, are transmitted outside the originating cloud region.
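The configuration auditing and behavioral monitoring checks in the detection list, together with the least-privilege enforcement above, can be exercised with a small audit script. The following Python is an added example written for this page, not Wiz code and not a description of the Wiz role: the allowlist `EXPECTED_ACTIONS`, the role name `ExampleScannerRole`, the policy document and the CloudTrail-style records are all constructed for illustration, and a real allowlist must be derived from the vendor's documented role requirements. It flags broad wildcards and non-allowlisted actions in the policy, and flags API calls by the scanner role that fall outside the expected read/snapshot set or were denied.

```python
import json

# Hypothetical allowlist of the API actions an agentless scanner is expected
# to need: describe/read calls plus snapshot lifecycle. Constructed for this
# example; derive the real list from the vendor's documented role.
EXPECTED_ACTIONS = {
    "ec2:DescribeInstances", "ec2:DescribeVolumes", "ec2:DescribeSnapshots",
    "ec2:CreateSnapshot", "ec2:DeleteSnapshot", "ec2:CreateTags",
    "ecr:DescribeRepositories", "ecr:BatchGetImage",
    "ecr:GetDownloadUrlForLayer", "s3:GetObject", "s3:ListBucket",
    "iam:GetRole", "iam:ListRoles", "iam:ListAttachedRolePolicies",
}
READ_PREFIXES = ("Describe", "Get", "List", "BatchGet")


def classify_action(action):
    """Classify one IAM action string as 'ok', 'wildcard' or 'unexpected'."""
    if action in EXPECTED_ACTIONS:
        return "ok"
    service, _, verb = action.partition(":")
    if "*" in action:
        bare = verb.rstrip("*")
        # A wildcard confined to read verbs (ec2:Describe*) is tolerable;
        # 'ec2:*', 'iam:*' or '*' grant far more than scanning needs.
        if service != "*" and bare and bare.startswith(READ_PREFIXES):
            return "ok"
        return "wildcard"
    return "unexpected"


def audit_policy(policy):
    """Return (severity, statement, action, reason) findings for an IAM policy."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    findings = []
    for idx, stmt in enumerate(statements):
        sid = f"stmt{idx}"
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            # Allow + NotAction implicitly grants every action not listed.
            findings.append(("high", sid, "NotAction", "Allow with NotAction grants all unlisted actions"))
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            verdict = classify_action(action)
            if verdict == "wildcard":
                findings.append(("high", sid, action, "broad wildcard"))
            elif verdict == "unexpected":
                findings.append(("medium", sid, action, "not in scanner allowlist"))
    return findings


def audit_events(events, role_name):
    """Check CloudTrail-style records made under the scanner's assumed role.

    Calls outside the allowlist are flagged, and AccessDenied errors are
    reported too: they show the role attempting calls it was never granted."""
    marker = f":assumed-role/{role_name}/"
    findings = []
    for ev in events:
        if marker not in ev.get("userIdentity", {}).get("arn", ""):
            continue
        action = f"{ev['eventSource'].split('.')[0]}:{ev['eventName']}"
        if ev.get("errorCode") == "AccessDenied":
            findings.append(("medium", ev["eventTime"], action, "denied call outside granted scope"))
        elif classify_action(action) != "ok":
            findings.append(("high", ev["eventTime"], action, "call outside expected read/snapshot set"))
    return findings


# Constructed sample policy: two acceptable statements and one over-broad one.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:Describe*", "ec2:CreateSnapshot",
                                   "ec2:DeleteSnapshot", "ec2:CreateTags"], "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Action": ["iam:*", "ec2:RunInstances"], "Resource": "*"},
]}

# Constructed CloudTrail-style records; the last one belongs to another principal.
_SCANNER_ARN = "arn:aws:sts::111122223333:assumed-role/ExampleScannerRole/scan-1"
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateSnapshot", "userIdentity": {"arn": _SCANNER_ARN}},
    {"eventTime": "2024-01-01T10:00:05Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeVolumes", "userIdentity": {"arn": _SCANNER_ARN}},
    {"eventTime": "2024-01-01T10:01:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "userIdentity": {"arn": _SCANNER_ARN}},
    {"eventTime": "2024-01-01T10:02:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "errorCode": "AccessDenied",
     "userIdentity": {"arn": _SCANNER_ARN}},
    {"eventTime": "2024-01-01T10:03:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
]

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY) + audit_events(SAMPLE_EVENTS, "ExampleScannerRole"):
        print(*finding, sep=" | ")
```

Run as a script, it prints two policy findings (the `iam:*` wildcard and `ec2:RunInstances`) and two event findings (the `RunInstances` call and the denied `CreateAccessKey` attempt); the `ec2:Describe*` wildcard passes because it is confined to read verbs, and the event from the unrelated IAM user is ignored.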
## Related Tools/Techniques
* **Agent-based Cloud Security Tools:** Traditional security solutions that require installing software directly onto workloads, in contrast to agentless scanning.
* **CSPM (Cloud Security Posture Management) Tools:** Tools that often focus solely on the configuration layer, unlike Wiz which integrates workload and identity analysis.
* **Cloud Native Security Platform (CNSP) Capabilities.**