Inside the ProdSec Playbook: Operationalizing Wiz for End-to-End Cloud SecurityModern Product Security teams face a unique challenge: how do you secure rapidly evolving cloud environments without slowing down engineering? For high-performing teams, the answer lies in moving beyond reactive posture management and deeply integrating security tooling into both the developer workflow and the infrastructure fabric.
Here is an inside look at how Wiz’s very own ProdSec team is pushing the boundaries of Wiz, turning it into a comprehensive toolkit for custom threat detection, CI/CD guardrails, and proactive threat modeling.
Securing the Pipeline: Shift-Left with CLI ScanningYou cannot secure what you cannot see, and you cannot fix what's already been deployed without causing friction. To catch vulnerabilities and misconfigurations at the source, ProdSec embeds the Wiz CLI directly into developer workflows.
By integrating Wiz CLI scanning in CI/CD pipelines, engineering teams can automate security checks on every pull request. On top of that, a version control system (VCS) integrates with Github to scan pull requests, secrets, infrastructure-as-code (IaC), and block merges.
Cloud Configuration Rules (CCRs) are Wiz's way of performing posture checks in the cloud. Each rule evaluates a resource against a secure baseline and raises a finding when it drifts. Wiz ships an extensive catalog of built-in CCRs covering well-known resource types across the major cloud providers. Organizations may also have unique resources or compliance needs, so where a gap exists, custom Rego policy-as-code rules can be written in Wiz to address these requirements.
Beyond checking deployed cloud resources for misconfiguration, CCRs can also scan IaC and build artifacts (Kubernetes manifests, Terraform/CloudFormation, Dockerfiles, etc.) as checks in CI pipelines and pull requests by identifying risky configurations and stopping them before they create misconfigured cloud resources. CCRs can also be used in conjunction with Kubernetes Admission Controllers to enforce frameworks such as Pod Security Standards, restricting or blocking requests to deploy non-compliant configurations into clusters.
Automated Threat Detection and ResponseCloud threats continue to increase in both volume and sophistication. To keep pace, the Product Security team relies on a dynamic catalog of detection rules informed by real-world incidents, active threat intelligence, and continuous research.
Given the size and scope of that telemetry, automation is an essential cornerstone of security operations. The ProdSec team relies on the Wiz Blue Agent to investigate new detections and perform initial triage and assessment: for every threat, it mimics a human investigation across Wiz’s telemetry, findings, and risk context, then returns a verdict, a confidence level, and its reasoning. That consistent first pass keeps humans focused on the highest-priority alerts and the detections most likely to represent true positives.
Detection accuracy compounds over time as well, as Wiz’s detection engine builds behavioral baselines of all activity. Wiz’s built-in capabilities cover the majority of use cases. For the remainder, they are written and curated by teams of experts in the fields of threat research and detection and response.
In addition to the built-in capabilities of Wiz Defend, the ProdSec team needs custom detections that are specific to Wiz’s environment which, similarly to CCR, can be defined as code and used to identify environment-specific anomalies. For example, they may have resources which under normal circumstances are never accessed or created except through automation or machine identities with unique identifiers that only Wiz staff possesses knowledge of. When access patterns deviate from current well-known baselines, they rely on custom alerting to catch these edge cases which integrate seamlessly with the rest of the platform, support custom correlation, and take advantage of the same AI-based analysis and notification rules.
Contextualizing Alerts for Specialized InfrastructureStandard alerting is great for standard environments, but modern cloud footprints often include highly specialized, bespoke infrastructure. ProdSec takes the lead in establishing dedicated alerting frameworks for these unique environments. By tuning Wiz to understand the specific risks and baseline behaviors of specialized infrastructure, ProdSec ensures that no dark corners of Wiz’s multi-cloud infrastructure go unmonitored.
With the combination of CCRs and TDRs, ProdSec monitors the Issues that are being created in Wiz. These Issues represent toxic combinations that may include vulnerabilities, misconfigurations, and other risk factors that need to be addressed based on severity. Through Wiz Workflows, each Issue triggers automation to put the work in Jira for triaging, assessment, and SLA tracking.
Threat Modeling & Secure DesignBefore new product features or infrastructure changes are ever committed to code, ProdSec executes rigorous security review workflows. This is where proactive threat modeling comes into play. By identifying trust boundaries, evaluating risks, and understanding the potential blast radius during the design phase, ProdSec maps out exactly which Wiz controls (like new CCRs or TDRs) will need to be implemented before the feature goes live.
To scale this process without proportionally growing the team, ProdSec has built an AI-driven security review agent that assists engineers through the design phase. The agent draws on live Wiz context, such as existing CCRs and TDRs, the security graph, current findings, and resource relationships, to give reviewers an accurate picture of what controls are already in place, what gaps a proposed change would introduce, and what the blast radius looks like before a single line of code is written.
Pressure-Testing the Tooling: The ProdSec QA LoopFinally, a mature ProdSec team does not only consume security tools; the ProdSec team actively pressure-tests them, often acting as an internal quality assurance function for Wiz’s own security stack. By aggressively testing security guardrails and simulating attacks, they hunt for edge cases where controls might break or fail to trigger.
A concrete example of this partnership is Red Agent, Wiz's AI-powered attack simulation feature, where ProdSec works directly with the product team to test, validate, and refine its detection capabilities against Wiz’s own infrastructure before broader release. This continuous feedback loop helps identify blind spots in detection coverage, allowing the team to iterate on their Wiz deployments, refine their rules, and ensure the organization's cloud security posture is actually as strong as it looks on paper.
The TakeawaySecuring the cloud is not a one-time setup; it is an ongoing engineering practice. By leveraging Wiz for everything from early–stage code scanning to runtime custom threat detection, Wiz’s ProdSec team built a scalable, automated security program that moves at the speed of the cloud.
Want to learn more about building custom rules and securing your cloud native environments?
Get a Wiz demo
Facts Only
* ProdSec embeds the Wiz CLI into developer workflows for scanning pull requests.
* VCS integrates with Github to scan pull requests, secrets, IaC, and block merges.
* Cloud Configuration Rules (CCRs) evaluate cloud resources against a secure baseline.
* CCRs scan IaC and build artifacts (Kubernetes manifests, Terraform, Dockerfiles).
* CCRs can integrate with Kubernetes Admission Controllers to enforce standards like Pod Security Standards.
* The Wiz Blue Agent investigates new detections by mimicking human investigation across telemetry for triage and assessment.
* Custom detections can be defined as code to identify environment-specific anomalies.
* Dedicated alerting frameworks are established for specialized infrastructure environments.
* Issues created in Wiz, combining vulnerabilities and misconfigurations, trigger automation to Jira for tracking.
* An AI-driven security review agent assists engineers in the design phase by assessing existing controls and potential risk before code is written.
* Red Agent simulates attacks to test and refine detection capabilities against Wiz's infrastructure.
Executive Summary
Product Security teams are integrating Wiz into their workflow to secure rapidly evolving cloud environments by shifting security left. This involves embedding the Wiz CLI into CI/CD pipelines for automated scanning of pull requests, secrets, and Infrastructure-as-Code (IaC). Cloud Configuration Rules (CCRs) are used to check deployed resources against a secure baseline, extending to scanning IaC artifacts like Terraform and Kubernetes manifests to prevent misconfigurations before deployment.
Threat detection relies on automation using the Wiz Blue Agent to perform initial triage and assessment of new detections by mimicking human investigation across telemetry. Custom threat detections can be created as code to identify environment-specific anomalies that fall outside standard baselines. For specialized infrastructure, dedicated alerting frameworks are established to monitor unique risk behaviors. Workflows combine findings from Configuration Rules and Threat Detection Rules (TDRs) to automate the process of creating Jira tickets for triage and SLA tracking.
Proactive security is achieved through threat modeling during the design phase, utilizing an AI-driven agent that assesses existing controls and potential blast radius based on live Wiz context before code is written. Finally, a continuous feedback loop is established via pressure-testing tools like Red Agent to validate detection capabilities against the platform itself, ensuring guardrails remain effective.
Full Take
The narrative describes a strategic shift where security tooling is transformed from a post-deployment check into an integrated, preventative engineering practice, driven by the velocity of cloud development. The system moves towards embedding security checks—via CCRs applied to IaC and artifacts—directly into the developer feedback loop, addressing the principle that security must scale with engineering speed rather than lagging it.
The reliance on automation for triage via the Blue Agent establishes a functional mechanism for handling high-volume telemetry, but the transition from automated detection to expert-driven custom rule creation (both CCRs and custom detections) reveals an inherent tension between generalized, built-in capabilities and the necessity of bespoke knowledge for complex environments. This implies that while systemic security is possible through automation, achieving true security requires a layered approach where machine learning handles the baseline, but human expertise shapes the edge cases.
The implementation of proactive threat modeling via an AI agent attempting to map controls before coding suggests a move towards treating risk as a design constraint rather than an afterthought. However, this places significant weight on the accuracy and completeness of the underlying Wiz context (CCRs and TDRs) fed into the agent. The pressure-testing loop with Red Agent is crucial because it validates the system's self-awareness—ensuring that automated control mechanisms do not introduce new blind spots or fail under adversarial stress, thereby protecting against the risk of over-reliance on the reported posture.
What assumptions about the efficiency of AI-assisted review and the trustworthiness of layered rules are driving this adoption? How does the effort required to build and maintain custom detection logic scale relative to the benefit gained by securing highly specialized infrastructure? What are the long-term implications for separating security ownership from pure operational execution?
Sentinel — Human
The text reads as an experienced internal analysis detailing a specific operational framework, exhibiting high coherence and specialized vocabulary typical of human subject matter experts.
