<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Wiz on Tarragon</title><link>https://tarrragon.github.io/blog/tags/wiz/</link><description>Recent content in Wiz on Tarragon</description><generator>Hugo -- gohugo.io</generator><language>zh-TW</language><copyright>Tarragon (CC BY 4.0)</copyright><lastBuildDate>Mon, 18 May 2026 00:00:00 +0000</lastBuildDate><atom:link href="https://tarrragon.github.io/blog/tags/wiz/index.xml" rel="self" type="application/rss+xml"/><item><title>Wiz</title><link>https://tarrragon.github.io/blog/backend/07-security-data-protection/vendors/wiz/</link><pubDate>Mon, 18 May 2026 00:00:00 +0000</pubDate><guid>https://tarrragon.github.io/blog/backend/07-security-data-protection/vendors/wiz/</guid><description>&lt;p>Wiz is the representative &lt;em>agentless CNAPP&lt;/em> (Cloud-Native Application Protection Platform): it looks at the cloud from the outside through &lt;em>cloud APIs + snapshot scans&lt;/em> and installs no agent on workloads. Founded in 2020 by the team that previously ran Microsoft's Cloud Security Group and valued at roughly $12B in 2024, it is the late-arriving dark horse of the CNAPP market. Its difference from &lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/vendors/snyk/" data-link-title="Snyk" data-link-desc="跨 SCM 多模組 application security platform：Open Source (SCA) &amp;#43; Code (SAST) &amp;#43; Container &amp;#43; IaC &amp;#43; Cloud (CSPM)、Reachability analysis">Snyk&lt;/a> / &lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/vendors/trivy/" data-link-title="Trivy" data-link-desc="Aqua Security 開源 all-in-one scanner：Container / Filesystem / K8s / IaC &amp;#43; Secret &amp;#43; License &amp;#43; SBOM、Apache 2.0、CI 友善">Trivy&lt;/a> / &lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/vendors/datadog-security/" data-link-title="Datadog Security" data-link-desc="Datadog observability platform 上的 security suite：Cloud SIEM &amp;#43; CSPM &amp;#43; CWS &amp;#43; AAP &amp;#43; Sensitive Data Scanner、跟 observability 同 plane">Datadog Security&lt;/a> lies in &lt;em>how risk is prioritised and combined&lt;/em>, not in vulnerability scanning, which all of them have: Wiz uses &lt;em>Security Graph + Toxic Combination&lt;/em> rules to chain several individually low-risk findings into an &lt;em>attack path&lt;/em> instead of handing you 10,000 independent CVEs.&lt;/p>
&lt;h2 id="服務定位">Positioning&lt;/h2>
&lt;p>Wiz's core positioning is an &lt;em>agentless cloud posture + workload protection platform&lt;/em> that integrates CSPM (Cloud Security Posture Management) / CWP (Cloud Workload Protection) / CIEM (Cloud Infrastructure Entitlement Management) / KSPM (Kubernetes Security Posture Management) / DSPM (Data Security Posture Management) on one Security Graph. The bottom layer is the &lt;em>Connector&lt;/em> (read-only API access to AWS / GCP / Azure / OCI / K8s plus snapshot scanning); the top layer is &lt;em>Issues + Projects + Toxic Combination rules&lt;/em>.&lt;/p>
&lt;p>Compared with Prisma Cloud / Lacework, Wiz is &lt;em>graph-first&lt;/em>: resources / IAM / vulnerabilities / secrets / network exposure are joined into one graph (bypassing the flat finding list), so you can ask "which EC2 instances have an RCE CVE, still allow IMDSv1, and can assume a cross-account admin role". Compared with CrowdStrike Falcon Cloud Security, Wiz is &lt;em>agentless-first&lt;/em> (a sensor is needed only for CWP runtime detection; posture and vulnerability scanning use zero agents), whereas Falcon CS &lt;em>extends the endpoint agent into the cloud&lt;/em>. Compared with &lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/vendors/datadog-security/" data-link-title="Datadog Security" data-link-desc="Datadog observability platform 上的 security suite：Cloud SIEM &amp;#43; CSPM &amp;#43; CWS &amp;#43; AAP &amp;#43; Sensitive Data Scanner、跟 observability 同 plane">Datadog Security&lt;/a> CSPM, Datadog is a &lt;em>security view on top of an observability platform&lt;/em> while Wiz is a &lt;em>security-first CNAPP&lt;/em>: Wiz's graph and toxic-combination depth is far ahead, but its standalone SIEM / log capability is behind Datadog / &lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/vendors/splunk/" data-link-title="Splunk" data-link-desc="業界 SIEM 標準、forwarder &amp;#43; indexer &amp;#43; search head 架構、SPL 為核心查詢語言、ingestion-based 計費跟偵測覆蓋率的 trade-off">Splunk&lt;/a>. Compared with &lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/vendors/snyk/" data-link-title="Snyk" data-link-desc="跨 SCM 多模組 application security platform：Open Source (SCA) &amp;#43; Code (SAST) &amp;#43; Container &amp;#43; IaC &amp;#43; Cloud (CSPM)、Reachability analysis">Snyk&lt;/a>, Snyk is &lt;em>developer-first SAST + SCA + container&lt;/em> while Wiz is &lt;em>cloud posture + agentless workload scanning&lt;/em>; the two complement rather than replace each other, and most customers let Snyk cover the shift-left dev stage and Wiz cover the runtime cloud.&lt;/p></description><content:encoded><![CDATA[<p>Wiz is the representative <em>agentless CNAPP</em> (Cloud-Native Application Protection Platform): it looks at the cloud from the outside through <em>cloud APIs + snapshot scans</em> and installs no agent on workloads. Founded in 2020 by the team that previously ran Microsoft's Cloud Security Group and valued at roughly $12B in 2024, it is the late-arriving dark horse of the CNAPP market. Its difference from <a href="/blog/backend/07-security-data-protection/vendors/snyk/" data-link-title="Snyk" data-link-desc="跨 SCM 多模組 application security platform：Open Source (SCA) &#43; Code (SAST) &#43; Container &#43; IaC &#43; Cloud (CSPM)、Reachability analysis">Snyk</a> / <a href="/blog/backend/07-security-data-protection/vendors/trivy/" data-link-title="Trivy" data-link-desc="Aqua Security 開源 all-in-one scanner：Container / Filesystem / K8s / IaC &#43; Secret &#43; License &#43; SBOM、Apache 2.0、CI 友善">Trivy</a> / <a href="/blog/backend/07-security-data-protection/vendors/datadog-security/" data-link-title="Datadog Security" data-link-desc="Datadog observability platform 上的 security suite：Cloud SIEM &#43; CSPM &#43; CWS &#43; AAP &#43; Sensitive Data Scanner、跟 observability 同 plane">Datadog Security</a> lies in <em>how risk is prioritised and combined</em>, not in vulnerability scanning, which all of them have: Wiz uses <em>Security Graph + Toxic Combination</em> rules to chain several individually low-risk findings into an <em>attack path</em> instead of handing you 10,000 independent CVEs.</p>
<h2 id="服務定位">Positioning</h2>
<p>Wiz's core positioning is an <em>agentless cloud posture + workload protection platform</em> that integrates CSPM (Cloud Security Posture Management) / CWP (Cloud Workload Protection) / CIEM (Cloud Infrastructure Entitlement Management) / KSPM (Kubernetes Security Posture Management) / DSPM (Data Security Posture Management) on one Security Graph. The bottom layer is the <em>Connector</em> (read-only API access to AWS / GCP / Azure / OCI / K8s plus snapshot scanning); the top layer is <em>Issues + Projects + Toxic Combination rules</em>.</p>
<p>Compared with Prisma Cloud / Lacework, Wiz is <em>graph-first</em>: resources / IAM / vulnerabilities / secrets / network exposure are joined into one graph (bypassing the flat finding list), so you can ask "which EC2 instances have an RCE CVE, still allow IMDSv1, and can assume a cross-account admin role". Compared with CrowdStrike Falcon Cloud Security, Wiz is <em>agentless-first</em> (a sensor is needed only for CWP runtime detection; posture and vulnerability scanning use zero agents), whereas Falcon CS <em>extends the endpoint agent into the cloud</em>. Compared with <a href="/blog/backend/07-security-data-protection/vendors/datadog-security/" data-link-title="Datadog Security" data-link-desc="Datadog observability platform 上的 security suite：Cloud SIEM &#43; CSPM &#43; CWS &#43; AAP &#43; Sensitive Data Scanner、跟 observability 同 plane">Datadog Security</a> CSPM, Datadog is a <em>security view on top of an observability platform</em> while Wiz is a <em>security-first CNAPP</em>: Wiz's graph and toxic-combination depth is far ahead, but its standalone SIEM / log capability is behind Datadog / <a href="/blog/backend/07-security-data-protection/vendors/splunk/" data-link-title="Splunk" data-link-desc="業界 SIEM 標準、forwarder &#43; indexer &#43; search head 架構、SPL 為核心查詢語言、ingestion-based 計費跟偵測覆蓋率的 trade-off">Splunk</a>. Compared with <a href="/blog/backend/07-security-data-protection/vendors/snyk/" data-link-title="Snyk" data-link-desc="跨 SCM 多模組 application security platform：Open Source (SCA) &#43; Code (SAST) &#43; Container &#43; IaC &#43; Cloud (CSPM)、Reachability analysis">Snyk</a>, Snyk is <em>developer-first SAST + SCA + container</em> while Wiz is <em>cloud posture + agentless workload scanning</em>; the two complement rather than replace each other, and most customers let Snyk cover the shift-left dev stage and Wiz cover the runtime cloud.</p>
<p>The key tension: <em>agentless + multi-cloud + Security Graph</em> versus <em>per-workload pricing where stacking modules easily produces sticker shock</em>. Wiz's value premise is an organisation large enough, with enough cloud accounts and workloads, that a <em>toxic combination</em> means more than a <em>flat CVE list</em>; for a small team on a single cloud with a tight budget, buying Wiz is buying a Porsche to deliver takeout.</p>
<h2 id="本章目標">Goals of This Chapter</h2>
<p>After reading this page, the reader should be able to judge:</p>
<ol>
<li>Which slice of the cloud security stack Wiz covers (CSPM / CWP / CIEM / KSPM / DSPM / Wiz Code) and what must be attached externally (a SIEM such as <a href="/blog/backend/07-security-data-protection/vendors/splunk/" data-link-title="Splunk" data-link-desc="業界 SIEM 標準、forwarder &#43; indexer &#43; search head 架構、SPL 為核心查詢語言、ingestion-based 計費跟偵測覆蓋率的 trade-off">Splunk</a> receiving Issues; whether <a href="/blog/backend/07-security-data-protection/vendors/snyk/" data-link-title="Snyk" data-link-desc="跨 SCM 多模組 application security platform：Open Source (SCA) &#43; Code (SAST) &#43; Container &#43; IaC &#43; Cloud (CSPM)、Reachability analysis">Snyk</a> / <a href="/blog/backend/07-security-data-protection/vendors/trivy/" data-link-title="Trivy" data-link-desc="Aqua Security 開源 all-in-one scanner：Container / Filesystem / K8s / IaC &#43; Secret &#43; License &#43; SBOM、Apache 2.0、CI 友善">Trivy</a> should be kept for dev-time scanning)</li>
<li>How to design ownership of Security Graph queries and Toxic Combination rules (who writes rules, who triages Issues, who tunes Project scope)</li>
<li>The visibility boundary of agentless scanning (what a snapshot can and cannot see, and whether Wiz Sensor / Defend is needed to cover runtime)</li>
<li>When to use Wiz and when the trade-off favours Prisma Cloud / Lacework / CrowdStrike Falcon CS / Datadog CSPM</li>
</ol>
<h2 id="最短判讀路徑">Shortest Assessment Path</h2>
<p>To judge whether a Wiz deployment is healthy, check at least these four things:</p>
<ul>
<li><strong>Connector coverage</strong>: are all production cloud accounts (AWS / GCP / Azure / OCI) and K8s clusters connected, is the IAM role least-privilege (deploy the CloudFormation / Terraform template Wiz provides and do not add permissions to it), and does snapshot scanning cover every region and disk type</li>
<li><strong>Toxic Combination rule design</strong>: are only the default rules enabled, have custom rules been written for your own environment's anti-patterns (for example <em>cross-account assume + payment service + secret access</em>), and do rule changes go through PR review</li>
<li><strong>Issue triage SLA</strong>: mean time to resolve for critical / high Issues, integration with <a href="/blog/backend/07-security-data-protection/vendors/splunk/" data-link-title="Splunk" data-link-desc="業界 SIEM 標準、forwarder &#43; indexer &#43; search head 架構、SPL 為核心查詢語言、ingestion-based 計費跟偵測覆蓋率的 trade-off">Splunk</a> / Jira / Slack, and whether Project scope is cut by service owner (rather than dumping everything on SecOps)</li>
<li><strong>Wiz Code / Wiz Defend coverage boundary</strong>: is IaC scanning and dev-time CI done by Wiz Code or by <a href="/blog/backend/07-security-data-protection/vendors/snyk/" data-link-title="Snyk" data-link-desc="跨 SCM 多模組 application security platform：Open Source (SCA) &#43; Code (SAST) &#43; Container &#43; IaC &#43; Cloud (CSPM)、Reachability analysis">Snyk</a> / <a href="/blog/backend/07-security-data-protection/vendors/trivy/" data-link-title="Trivy" data-link-desc="Aqua Security 開源 all-in-one scanner：Container / Filesystem / K8s / IaC &#43; Secret &#43; License &#43; SBOM、Apache 2.0、CI 友善">Trivy</a>, is runtime detection Wiz Defend or Falco / CrowdStrike; do not install both sides and then have nobody triage either</li>
</ul>
<p>If any of the four is missing, it is an open item for <a href="/blog/backend/07-security-data-protection/entrypoint-and-server-protection/" data-link-title="7.3 入口治理與伺服器防護" data-link-desc="以問題驅動方式整理對外入口、管理平面與伺服器邊界">7.3 Entry Governance and Server Protection</a> and <a href="/blog/backend/07-security-data-protection/detection-coverage-and-signal-governance/" data-link-title="7.13 偵測覆蓋率與訊號治理" data-link-desc="定義偵測覆蓋、訊號品質與誤報成本的治理問題">7.13 Detection Coverage and Signal Governance</a>.</p>
<h2 id="日常操作與決策形狀">Daily Operations and the Shape of Decisions</h2>
<p><strong>Connector and agentless scanning</strong>: Wiz reads the cloud control-plane API through a <em>Connector</em> (one IAM role per cloud account), periodically snapshots EBS / Persistent Disk / Managed Disk volumes, and mounts those snapshots in Wiz's own environment to run vulnerability / secret / malware scans. The running workload is untouched and nothing is installed inside EC2 / GKE nodes / VMs. The price is that <em>runtime behaviour is invisible</em> (processes / network connections / syscalls): a snapshot is a point-in-time disk image, so whatever exists only in memory, or only for minutes between scans, is out of scope. That layer needs Wiz Defend / Wiz Sensor or an external Falco / CrowdStrike.</p>
<p><strong>Security Graph</strong>: Wiz builds every resource (compute / storage / IAM principals / network / secrets / vulnerability findings) into one graph and queries across types with a GraphQL-style query. The Security Graph is a first-class concept, not just a visualisation: Toxic Combination rules, Issue correlation and blast-radius estimation all run on the graph. Writing SPL / KQL and writing Wiz queries take different mindsets: a Wiz query is <em>relationship-first</em> (how many hops from resource A to resource B), SPL is <em>event-first</em> (logs on a timeline).</p>
<p><strong>Toxic Combination</strong>: the fundamental difference between a CNAPP and a traditional vulnerability scanner. Each finding on its own is low risk (one CVE / one over-permissive policy / one public S3 bucket); combined they form a critical attack path (<em>public-facing EC2 + RCE CVE + IMDSv1 + assume admin role + reach a customer-PII bucket</em>). Wiz ships several dozen attack-path-style toxic combination rules by default; the organisation should add its own anti-patterns. This is the cross-control integration point for <a href="/blog/backend/07-security-data-protection/identity-access-boundary/" data-link-title="7.2 身分與授權邊界" data-link-desc="以問題驅動方式整理身分、授權、會話與供應商身分鏈">7.2 Identity and Authorisation Boundary</a> and <a href="/blog/backend/07-security-data-protection/entrypoint-and-server-protection/" data-link-title="7.3 入口治理與伺服器防護" data-link-desc="以問題驅動方式整理對外入口、管理平面與伺服器邊界">7.3 Entry Governance and Server Protection</a>.</p>
<p><strong>Issues + Projects</strong>: once a finding enters Wiz it becomes an <em>Issue</em> and is routed by <em>Project</em>. A Project is a logical partition (by BU / service / environment), each Project has an owner, and Issues are assigned automatically. The anti-pattern is <em>one default Project receiving every Issue</em>, so SecOps faces 5,000 Issues a day and never gets through them, the same pattern as <a href="/blog/backend/07-security-data-protection/blue-team/alert-fatigue-and-signal-quality/" data-link-title="7.B10 Alert Fatigue and Signal Quality" data-link-desc="建立告警疲勞治理方法，讓訊號品質、分級一致性與處置效率同步提升">Alert Fatigue and Signal Quality</a>. In production, Project scope should align with service ownership and integrate with Jira / Slack / <a href="/blog/backend/07-security-data-protection/vendors/splunk/" data-link-title="Splunk" data-link-desc="業界 SIEM 標準、forwarder &#43; indexer &#43; search head 架構、SPL 為核心查詢語言、ingestion-based 計費跟偵測覆蓋率的 trade-off">Splunk</a> to create tickets automatically.</p>
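<p>The routing logic described above, as an added example that is not part of the original page and not Wiz code: it takes Issue-like records, matches them to an ownership map in which a service tag wins over an account match, auto-closes Issues covered by an unexpired accepted-risk exception, computes an SLA deadline per severity, and reports what lands in the default Project as an ownership gap. The Issue fields, the Project map, the SLA hours and the sample Issues are all constructed assumptions, not the Wiz Issue schema or Wiz defaults.</p>

```python
"""Route Wiz-style Issues to owning Projects, apply accepted-risk exceptions and
compute severity SLAs. Added example: the Issue fields, Project ownership map and
SLA numbers below are assumptions, not the Wiz schema or Wiz defaults."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 5, 18, tzinfo=timezone.utc)

# Assumed hours-to-resolve per severity; the page gives no numbers, set your own policy.
SLA_HOURS = {"CRITICAL": 24, "HIGH": 72, "MEDIUM": 24 * 30, "LOW": 24 * 90}

# Project scope aligned with service ownership: a service tag wins over an account
# match, because one account usually hosts several teams' services.
PROJECTS = [
    {"name": "payments-prod", "owner": "team-payments",
     "accounts": {"111111111111"}, "services": {"payments-api", "ledger"}},
    {"name": "platform-prod", "owner": "team-platform",
     "accounts": {"222222222222"}, "services": set()},
]
DEFAULT_PROJECT = {"name": "unowned", "owner": "secops", "accounts": set(), "services": set()}

# Accepted risks auto-close matching Issues until they expire; an expired exception
# must not keep silencing the Issue.
EXCEPTIONS = [
    {"rule": "IMDSv1 enabled", "resource": "i-0legacybatch", "expires": NOW + timedelta(days=30)},
    {"rule": "Public S3 bucket", "resource": "old-assets-bucket", "expires": NOW - timedelta(days=1)},
]

# Constructed Issues, not real Wiz output.
SAMPLE_ISSUES = [
    {"id": "ISS-1", "severity": "CRITICAL", "rule": "Public VM + RCE CVE + admin role + PII bucket",
     "resource": {"id": "i-0web1", "account": "111111111111", "tags": {"service": "payments-api"}},
     "created_at": NOW - timedelta(days=3)},
    {"id": "ISS-2", "severity": "HIGH", "rule": "Public S3 bucket",
     "resource": {"id": "logs-bucket", "account": "222222222222", "tags": {}},
     "created_at": NOW - timedelta(days=1)},
    {"id": "ISS-3", "severity": "MEDIUM", "rule": "IMDSv1 enabled",
     "resource": {"id": "i-0legacybatch", "account": "111111111111", "tags": {"service": "legacy-batch"}},
     "created_at": NOW - timedelta(days=10)},
    {"id": "ISS-4", "severity": "LOW", "rule": "Unused IAM user",
     "resource": {"id": "user/alice", "account": "333333333333", "tags": {}},
     "created_at": NOW - timedelta(days=2)},
    {"id": "ISS-5", "severity": "HIGH", "rule": "Public S3 bucket",
     "resource": {"id": "old-assets-bucket", "account": "222222222222", "tags": {}},
     "created_at": NOW - timedelta(days=4)},
]


def match_project(issue, projects=PROJECTS):
    service = issue["resource"]["tags"].get("service")
    for p in projects:
        if service and service in p["services"]:
            return p
    for p in projects:
        if issue["resource"]["account"] in p["accounts"]:
            return p
    return DEFAULT_PROJECT


def route_issue(issue, now=NOW, projects=PROJECTS, exceptions=EXCEPTIONS):
    for ex in exceptions:
        if ex["rule"] == issue["rule"] and ex["resource"] == issue["resource"]["id"] and now < ex["expires"]:
            return {"id": issue["id"], "state": "auto-closed",
                    "reason": "accepted risk until " + ex["expires"].date().isoformat()}
    project = match_project(issue, projects)
    due = issue["created_at"] + timedelta(hours=SLA_HOURS[issue["severity"]])
    return {"id": issue["id"], "state": "open", "project": project["name"],
            "owner": project["owner"], "sla_due": due, "sla_breached": now > due,
            "unowned": project is DEFAULT_PROJECT}


def triage_report(issues, now=NOW):
    """Per-owner queues plus the two lists a SecOps lead actually needs: SLA breaches,
    and Issues that fell into the default Project (an ownership gap, not a finding)."""
    report = {"by_owner": {}, "breached": [], "unowned": [], "auto_closed": []}
    for routed in (route_issue(i, now) for i in issues):
        if routed["state"] == "auto-closed":
            report["auto_closed"].append(routed["id"])
            continue
        report["by_owner"].setdefault(routed["owner"], []).append(routed["id"])
        if routed["sla_breached"]:
            report["breached"].append(routed["id"])
        if routed["unowned"]:
            report["unowned"].append(routed["id"])
    return report
```

<p>Running <code>triage_report(SAMPLE_ISSUES)</code> on the constructed data sends ISS-1 to team-payments (SLA breached after three days at CRITICAL), ISS-2 and ISS-5 to team-platform (ISS-5 is breached because its exception has expired and no longer silences it), auto-closes ISS-3, and leaves ISS-4 in the unowned queue, which is the signal that an account has no Project owner yet.</p>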
<p><strong>Wiz Code</strong>: dev-time / IaC scanning covering Terraform / CloudFormation / K8s manifests / Helm, plus build-time container image scanning and SCA; it overlaps with <a href="/blog/backend/07-security-data-protection/vendors/snyk/" data-link-title="Snyk" data-link-desc="跨 SCM 多模組 application security platform：Open Source (SCA) &#43; Code (SAST) &#43; Container &#43; IaC &#43; Cloud (CSPM)、Reachability analysis">Snyk</a> Code / IaC and <a href="/blog/backend/07-security-data-protection/vendors/trivy/" data-link-title="Trivy" data-link-desc="Aqua Security 開源 all-in-one scanner：Container / Filesystem / K8s / IaC &#43; Secret &#43; License &#43; SBOM、Apache 2.0、CI 友善">Trivy</a> config scanning. Most customers pick one side rather than running both. Wiz Code's selling point is that it <em>shares one graph with runtime Wiz findings</em>: in the IDE or at PR time you can see "which toxic combination this IaC change would create in prod".</p>
<p><strong>Wiz Defend (Gem)</strong>: Gem Security, acquired in 2024, was folded in as the runtime detection / cloud detection and response layer that early Wiz lacked. Wiz Defend combines <em>cloud-native logs with the Wiz Sensor</em> (a K8s eBPF sensor) and competes with CrowdStrike Falcon EDR / Falco. Its maturity is still catching up; most of it reached GA only in 2024-2025, so do not assume it is an EDR replacement at CrowdStrike / SentinelOne level.</p>
<p><strong>Wiz Sensor</strong>: an eBPF runtime sensor deployed per K8s node (Wiz's admission controller is a separate component) that fills in the runtime behaviour agentless scanning cannot see (container processes / network connections / file integrity). It is <em>optional</em>: without it Wiz still does posture and vulnerability scanning; with it you get runtime detection. Its resource overhead is higher than Falco's, and it competes with the CrowdStrike Falcon container sensor.</p>
<p><strong>SIEM integration</strong>: Wiz Issues / Detections can be pushed to <a href="/blog/backend/07-security-data-protection/vendors/splunk/" data-link-title="Splunk" data-link-desc="業界 SIEM 標準、forwarder &#43; indexer &#43; search head 架構、SPL 為核心查詢語言、ingestion-based 計費跟偵測覆蓋率的 trade-off">Splunk</a> / <a href="/blog/backend/07-security-data-protection/vendors/datadog-security/" data-link-title="Datadog Security" data-link-desc="Datadog observability platform 上的 security suite：Cloud SIEM &#43; CSPM &#43; CWS &#43; AAP &#43; Sensitive Data Scanner、跟 observability 同 plane">Datadog Security</a> / <a href="/blog/backend/07-security-data-protection/vendors/elastic-security/" data-link-title="Elastic Security" data-link-desc="Elastic Stack 上的 SIEM &#43; EDR &#43; Cloud Security 套件、OSS 起源、KQL/EQL/Lucene/ES|QL 多查詢語言、resource-based pricing">Elastic Security</a> / <a href="/blog/backend/07-security-data-protection/vendors/google-security-operations/" data-link-title="Google Security Operations" data-link-desc="Google 雲原生 SIEM &#43; SOAR &#43; Mandiant threat intel 三合一（前 Chronicle）、UDM &#43; YARA-L、fixed-price by data tier、PB-scale 友善">Google Security Operations</a> and into SOAR playbooks. A common pattern: Wiz detects a toxic combination → the Issue is pushed to Splunk → a SOAR playbook automatically isolates the workload or rotates the credential through the <a href="/blog/backend/07-security-data-protection/vendors/hashicorp-vault/" data-link-title="HashiCorp Vault" data-link-desc="Self-hosted secret management 與 dynamic credential / encryption-as-a-service / PKI engine、跨雲跨環境的 secret 控制面">HashiCorp Vault</a> API.</p>
<h2 id="核心取捨表">Core Trade-off Table</h2>
<table>
  <thead>
      <tr>
          <th>Trade-off dimension</th>
          <th>Wiz</th>
          <th>Prisma Cloud (Palo Alto)</th>
          <th>Lacework</th>
          <th>CrowdStrike Falcon CS</th>
      </tr>
  </thead>
  <tbody>
      <tr>
          <td>Deployment model</td>
          <td>Agentless-first (snapshot scan) + optional Sensor</td>
          <td>Agent + agentless hybrid</td>
          <td>Agent + agentless hybrid, Polygraph behaviour-based</td>
          <td>Agent-first (Falcon sensor extended to cloud)</td>
      </tr>
      <tr>
          <td>Core concept</td>
          <td>Security Graph + Toxic Combination</td>
          <td>Cloud security suite (CSPM/CWP/CIEM/DSPM)</td>
          <td>Polygraph (ML behaviour model)</td>
          <td>Falcon platform (EDR + cloud workload)</td>
      </tr>
      <tr>
          <td>Pricing model</td>
          <td>Per workload + module</td>
          <td>Credit-based (modular)</td>
          <td>Per workload + data ingestion</td>
          <td>Per endpoint + module</td>
      </tr>
      <tr>
          <td>Multi-cloud</td>
          <td>Strong (AWS/GCP/Azure/OCI/K8s)</td>
          <td>Strong</td>
          <td>Strong</td>
          <td>Strong (but Falcon-first culture)</td>
      </tr>
      <tr>
          <td>Runtime detection</td>
          <td>Wiz Defend (2024+, maturity still catching up)</td>
          <td>Prisma Cloud Defender (mature)</td>
          <td>Polygraph behavioural detection (mature)</td>
          <td>Strongest in the industry (EDR heritage)</td>
      </tr>
      <tr>
          <td>Developer integration</td>
          <td>Wiz Code (IaC/SCA/PR scan)</td>
          <td>Prisma Cloud Code Security</td>
          <td>Weak</td>
          <td>Weak</td>
      </tr>
      <tr>
          <td>Learning curve</td>
          <td>Medium: graph query is new syntax but the structure is clear</td>
          <td>Steep: many modules, heavy UX</td>
          <td>Medium</td>
          <td>Medium: consistent Falcon UI</td>
      </tr>
      <tr>
          <td>Best fit</td>
          <td>Multi-cloud + large org + values attack paths</td>
          <td>Already in the Palo Alto ecosystem, needs NGFW integration</td>
          <td>ML-first detection, no appetite for writing rules</td>
          <td>Already on Falcon EDR, extending to cloud workloads</td>
      </tr>
      <tr>
          <td>Exit cost</td>
          <td>Medium: large body of graph queries / Toxic Combination rules</td>
          <td>High: coupled to the Palo Alto ecosystem</td>
          <td>Medium</td>
          <td>High: a Falcon sensor fleet at scale is hard to replace</td>
      </tr>
  </tbody>
</table>
<p>The core case for Wiz: <em>multi-cloud + mid-to-large organisation + willing to accept the agentless runtime boundary + values toxic-combination prioritisation</em>. If the organisation already relies heavily on CrowdStrike Falcon EDR, extending with Falcon CS is more consistent; if it is heavily invested in Palo Alto, Prisma Cloud integrates more deeply.</p>
<h2 id="進階主題">Advanced Topics</h2>
<p><strong>Security Graph query language</strong>: a GraphQL-like query syntax that can express a 5-hop query such as "find every public-facing EC2 instance that has CVE-2024-XXX, can assume a role into the admin account, and whose role can read the prod-pii bucket". Production usage: save high-frequency queries as <em>Saved Queries</em> with alerts, and encode attack patterns as <em>Toxic Combination rules</em>. How well graph queries are written directly determines <em>whether attack paths are covered</em>, the same ownership question as writing SPL correlation rules.</p>
<p><strong>Toxic Combination design</strong>: the default rules are <em>generic cloud security anti-patterns</em> (public + vulnerable + over-permissioned); the organisation should add <em>industry-specific</em> and <em>organisation-specific</em> anti-patterns. Finance should watch "payment workload + cross-region replication + unencrypted snapshot"; multi-tenant SaaS should watch "tenant-A workload + can assume tenant-B role + cross-tenant data access". Toxic combination rules go through PR review and validation in a staging tenant, the same process as <a href="/blog/backend/07-security-data-protection/blue-team/detection-engineering-lifecycle/" data-link-title="7.B5 Detection Engineering Lifecycle" data-link-desc="把偵測規則視為可維護資產，建立從來源、測試、調校到退場的完整生命週期">Detection Engineering Lifecycle</a>.</p>
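<p>An added example, not Wiz code and not Wiz's query language, serving the Security Graph / Toxic Combination paragraphs under Daily Operations and the two paragraphs above: a toy property graph with the same relationship-first shape. Node types, edge names (<code>runs_as</code>, <code>can_assume</code>, <code>can_read</code>), attribute names and the inventory are all assumptions. It shows why one inventory yields seven independent findings for a flat scanner but exactly one attack path per toxic-combination rule, and why an organisation-specific rule (cross-tenant access) is just another path whose hop predicates compare against the node the path started from.</p>

```python
"""Toy security graph with toxic-combination rules as multi-hop path queries.
Added example, not Wiz code: node types, edge names, attributes and the inventory
are constructed to illustrate the idea, not Wiz's schema or query language."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class SecurityGraph:
    """Property graph: nodes carry a type plus attributes, edges carry a relationship name."""
    nodes: dict = field(default_factory=dict)
    edges: dict = field(default_factory=lambda: defaultdict(list))

    def add(self, node_id, node_type, **props):
        self.nodes[node_id] = {"id": node_id, "type": node_type, **props}

    def link(self, src, rel, dst):
        self.edges[(src, rel)].append(dst)

    def out(self, node_id, rel):
        return self.edges.get((node_id, rel), [])


def find_attack_paths(graph, start_pred, hops):
    """Relationship-first query: start at every node matching start_pred, then follow
    each (relationship, predicate) hop in order. Hop predicates receive the candidate
    node and the start node, so a hop can compare against where the path began."""
    paths = []

    def walk(node_id, start, remaining, path):
        if not remaining:
            paths.append(path)
            return
        rel, pred = remaining[0]
        for nxt in graph.out(node_id, rel):
            if pred(graph.nodes[nxt], start):
                walk(nxt, start, remaining[1:], path + [nxt])

    for node_id, node in graph.nodes.items():
        if start_pred(node):
            walk(node_id, node, hops, [node_id])
    return paths


# Generic rule of the kind a CNAPP ships by default. Every condition alone is a
# low-severity finding; the 3-hop path is the critical Issue.
RULE_PUBLIC_VM_TO_PII = {
    "name": "public VM + RCE CVE + IMDSv1 -> admin role -> PII bucket",
    "start": lambda n: n["type"] == "vm" and n.get("public") and n.get("rce_cve") and n.get("imds") == "v1",
    "hops": [
        ("runs_as", lambda n, s: n["type"] == "role"),
        ("can_assume", lambda n, s: n["type"] == "role" and n.get("admin")),
        ("can_read", lambda n, s: n["type"] == "bucket" and n.get("pii")),
    ],
}

# Organisation-specific rule for multi-tenant SaaS: any workload that reaches a role,
# then a bucket, belonging to a tenant other than its own.
RULE_CROSS_TENANT = {
    "name": "tenant workload -> other tenant's role -> other tenant's bucket",
    "start": lambda n: n["type"] == "vm" and "tenant" in n,
    "hops": [
        ("runs_as", lambda n, s: n["type"] == "role"),
        ("can_assume", lambda n, s: n["type"] == "role" and n.get("tenant") not in (None, s["tenant"])),
        ("can_read", lambda n, s: n["type"] == "bucket" and n.get("tenant") not in (None, s["tenant"])),
    ],
}

# What a finding-list scanner reports: each condition on its own, no relationships.
FLAT_CHECKS = [
    ("public-facing", lambda n: n.get("public")),
    ("vulnerable to RCE CVE", lambda n: n.get("rce_cve")),
    ("IMDSv1 enabled", lambda n: n.get("imds") == "v1"),
    ("admin role", lambda n: n.get("admin")),
    ("bucket holds PII", lambda n: n.get("pii")),
]


def evaluate(graph, rule):
    return find_attack_paths(graph, rule["start"], rule["hops"])


def flat_findings(graph):
    return [(n["id"], label) for n in graph.nodes.values() for label, check in FLAT_CHECKS if check(n)]


def sample_inventory():
    """Constructed inventory, not real cloud data."""
    g = SecurityGraph()
    g.add("vm-web-1", "vm", public=True, rce_cve="CVE-2021-44228", imds="v1", tenant="A")
    g.add("vm-batch-2", "vm", public=False, rce_cve="CVE-2021-44228", imds="v2", tenant="A")
    g.add("v-web-3".replace("v-", "vm-"), "vm", public=True, rce_cve=None, imds="v2", tenant="A")
    g.add("vm-tenant-b", "vm", public=False, rce_cve=None, imds="v2", tenant="B")
    g.add("role-web", "role", admin=False, tenant="A")
    g.add("role-batch", "role", admin=False, tenant="A")
    g.add("role-admin", "role", admin=True, tenant="A")
    g.add("role-tenant-b", "role", admin=False, tenant="B")
    g.add("role-a-data", "role", admin=False, tenant="A")
    g.add("bucket-pii", "bucket", pii=True, tenant="A")
    g.add("bucket-a-data", "bucket", pii=False, tenant="A")
    for src, rel, dst in [
        ("vm-web-1", "runs_as", "role-web"), ("vm-batch-2", "runs_as", "role-batch"),
        ("vm-web-3", "runs_as", "role-web"), ("vm-tenant-b", "runs_as", "role-tenant-b"),
        ("role-web", "can_assume", "role-admin"), ("role-batch", "can_assume", "role-admin"),
        ("role-admin", "can_read", "bucket-pii"),
        ("role-tenant-b", "can_assume", "role-a-data"), ("role-a-data", "can_read", "bucket-a-data"),
    ]:
        g.link(src, rel, dst)
    return g
```

<p>On the constructed inventory, <code>flat_findings</code> returns seven unrelated items (vm-batch-2 is just as vulnerable as vm-web-1 but not public, so it is noise), while <code>evaluate</code> returns a single path per rule: vm-web-1 → role-web → role-admin → bucket-pii for the generic rule, and vm-tenant-b → role-tenant-b → role-a-data → bucket-a-data for the tenant-isolation rule. In a real Security Graph the hop count, the predicates and the edge vocabulary are richer, but the ownership question is the same: whoever writes these predicates decides which attack paths exist for the organisation.</p>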
<p><strong>Wiz AI (2024+)</strong>: LLM-assisted investigation: query the graph in natural language ("show me all critical issues touching prod payment service" is translated into a graph query), auto-summarise an Issue's attack path during triage, and suggest root causes. In practice this is query translation plus summarisation, not a replacement for analyst judgement; high-stakes decisions still need human review.</p>
<p><strong>Agentless secret scanning</strong>: while scanning disk snapshots, Wiz also scans for hardcoded secrets (AWS access keys / API tokens / private keys) and integrates with <a href="/blog/backend/07-security-data-protection/vendors/hashicorp-vault/" data-link-title="HashiCorp Vault" data-link-desc="Self-hosted secret management 與 dynamic credential / encryption-as-a-service / PKI engine、跨雲跨環境的 secret 控制面">HashiCorp Vault</a> / <a href="/blog/backend/07-security-data-protection/vendors/aws-secrets-manager/" data-link-title="AWS Secrets Manager" data-link-desc="AWS 原生 secret store &#43; 內建 RDS / Redshift rotation Lambda、Resource Policy 跨帳號共享、KMS 加密">AWS Secrets Manager</a> to route rotation. This is the detection layer of <a href="/blog/backend/07-security-data-protection/secrets-and-machine-credential-governance/" data-link-title="7.6 秘密管理與機器憑證治理" data-link-desc="以問題驅動方式整理 secret、token、key 與機器身份治理">7.6 Secrets and Machine Credential Governance</a>.</p>
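<p>An added example, not Wiz code, serving both the Connector / agentless-scanning paragraph under Daily Operations and the secret-scanning paragraph above: it walks a mounted disk image the way a snapshot scanner does, inventories a vulnerable package by file name and flags hardcoded secrets, and skips the pseudo-filesystems that only exist in a running kernel. The "mount" is a constructed temp directory, not a real EBS snapshot; the file names, regexes and version floor are this example's own assumptions, and the AKIA values are the AWS documentation examples.</p>

```python
"""What an agentless snapshot scan sees: walk a mounted disk image, inventory packages
by file name and flag hardcoded secrets, with no agent on the workload. Added example,
not Wiz code: the "mount" below is a constructed temp directory, not a real EBS snapshot,
and the file names, patterns and version floor are this example's own assumptions."""
import os
import re
import tempfile

# 2.15.0 fixed CVE-2021-44228 itself; CVE-2021-45046/45105/44832 raised the safe floor to 2.17.1.
LOG4J_CORE = re.compile(r"^log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")
SAFE_LOG4J = (2, 17, 1)

SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}
# Pseudo-filesystems exist only in a running kernel; a disk snapshot has no /proc, so
# anything that lives only in process memory or environment is outside agentless scope.
NOT_ON_DISK = {"proc", "sys", "dev", "run"}
MAX_READ = 1_000_000  # bytes per file: enough for configs, keeps large binaries cheap


def scan_mount(root):
    """Return (kind, path, detail) findings for a mounted image rooted at `root`."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath == root:
            dirnames[:] = [d for d in dirnames if d not in NOT_ON_DISK]
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = "/" + os.path.relpath(path, root).replace(os.sep, "/")
            m = LOG4J_CORE.match(name)
            if m:
                version = tuple(int(x) for x in m.groups())
                if version < SAFE_LOG4J:
                    findings.append(("vulnerable_package", rel, "log4j-core %d.%d.%d < 2.17.1" % version))
            try:
                with open(path, "r", errors="ignore") as fh:
                    text = fh.read(MAX_READ)
            except OSError:
                continue
            for kind, pattern in SECRET_PATTERNS.items():
                if pattern.search(text):
                    findings.append(("secret", rel, kind))
    return findings


def build_sample_mount():
    """Constructed fake root filesystem. The AKIA values are AWS documentation examples."""
    root = tempfile.mkdtemp(prefix="snapshot-")
    files = {
        "opt/app/lib/log4j-core-2.14.1.jar": "PK\x03\x04 placeholder, not a real jar",
        "opt/app/lib/log4j-api-2.14.1.jar": "PK\x03\x04 placeholder, not a real jar",
        "home/deploy/.aws/credentials": "[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
                                        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
        "etc/app/config.yaml": "db_password: fetched-from-vault-at-start  # live value only in memory\n",
        # A real image has no /proc content at all; it is populated here only to show
        # that a runtime-injected credential is invisible to a disk scan.
        "proc/1/environ": "AWS_ACCESS_KEY_ID=AKIAI44QH8DHBEXAMPLE\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return root
```

<p>On the constructed mount the scan returns exactly two findings: the log4j-core 2.14.1 jar (the Log4Shell question answered from disk contents alone) and the static key in <code>~/.aws/credentials</code>. The key injected into <code>/proc/1/environ</code> is never reported, which is the visibility boundary the page keeps returning to: credentials that only exist in memory, and workloads that live shorter than the scan interval, need a runtime sensor or build-time scanning instead.</p>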
<p><strong>Sigstore / SBOM integration</strong>: Wiz can consume SBOMs (produced by <a href="/blog/backend/07-security-data-protection/vendors/syft-grype/" data-link-title="Syft &#43; Grype" data-link-desc="Anchore 開源姐妹工具：Syft 產 SBOM (CycloneDX / SPDX) &#43; Grype scan 漏洞、Unix philosophy、cosign attestation 整合">Syft / Grype</a> or <a href="/blog/backend/07-security-data-protection/vendors/trivy/" data-link-title="Trivy" data-link-desc="Aqua Security 開源 all-in-one scanner：Container / Filesystem / K8s / IaC &#43; Secret &#43; License &#43; SBOM、Apache 2.0、CI 友善">Trivy</a>) and verify Cosign / Sigstore signatures, bringing <em>artifact trust</em> into the Security Graph. This corresponds to the build-to-runtime evidence chain in <a href="/blog/backend/07-security-data-protection/supply-chain-integrity-and-artifact-trust/" data-link-title="7.12 供應鏈完整性與 Artifact 信任" data-link-desc="定義 build provenance、artifact 信任與交付鏈風險問題">7.12 Supply Chain Integrity and Artifact Trust</a>.</p>
<p><strong>Wiz for AI</strong>: a 2024+ module that runs posture scanning on AI workloads (LLM model storage / training datasets / inference endpoints) to find misconfigured model buckets / exposed inference endpoints / training data leaks. It is an early product positioned as a <em>CSPM extension for AI workloads</em>, not a replacement for <a href="/blog/backend/07-security-data-protection/entrypoint-and-server-protection/" data-link-title="7.3 入口治理與伺服器防護" data-link-desc="以問題驅動方式整理對外入口、管理平面與伺服器邊界">AI red team / prompt injection detection</a> tooling.</p>
<h2 id="排錯與失敗快速判讀">Troubleshooting and Fast Failure Diagnosis</h2>
<ul>
<li><strong>Issue explosion / nobody triages</strong>: the default Project receives every finding and nothing is aligned with service ownership. Cut Projects per BU / service, auto-close known accepted risks, and integrate Jira / Slack for automatic assignment</li>
<li><strong>Toxic Combination rules never match a real incident</strong>: only default rules are enabled and no organisation-specific rules exist. Work backwards from the <a href="/blog/backend/07-security-data-protection/red-team/" data-link-title="7.1 攻擊者視角（紅隊）與攻擊面驗證" data-link-desc="從攻擊者角度盤點暴露面、邊界、濫用路徑與資料外洩風險">red team case library</a> to your own environment's attack paths and write them as custom rules</li>
<li><strong>Snapshot scanning misses ephemeral workloads</strong>: with a 12-24 hour scan interval, short-lived Lambda / Fargate tasks are never scanned. Add the Wiz runtime sensor or an external Falco, and move ephemeral workloads to build-time scanning (<a href="/blog/backend/07-security-data-protection/vendors/trivy/" data-link-title="Trivy" data-link-desc="Aqua Security 開源 all-in-one scanner：Container / Filesystem / K8s / IaC &#43; Secret &#43; License &#43; SBOM、Apache 2.0、CI 友善">Trivy</a> / Wiz Code)</li>
<li><strong>Connector IAM role permission drift</strong>: someone added permissions by hand and turned the role into an over-permissioned one. Deploy the Connector role from the CloudFormation / Terraform template Wiz provides, keep it under <a href="/blog/backend/05-deployment-platform/vendors/terraform/" data-link-title="Terraform / OpenTofu" data-link-desc="Infrastructure as Code 主流工具">Terraform</a> version control, never hand-edit</li>
<li><strong>Sticker shock / billing blow-up</strong>: every module enabled (CSPM + CWP + CIEM + KSPM + DSPM + Wiz Code + Defend) and the workload count spiking. Enable only the core modules, sample ephemeral workloads, and negotiate a cap in the enterprise contract</li>
<li><strong>Wiz Code and Snyk / Trivy both running</strong>: dev teams use Snyk, SecOps uses Wiz Code, and PRs get duplicate findings from both. Pick one side as the dev-time gate and use the other for visibility only; never let both block PRs</li>
<li><strong>Wiz Defend used as an EDR and detection falls short</strong>: runtime detection was expected at CrowdStrike level. Wiz Defend is still catching up; keep CrowdStrike / SentinelOne for pure EDR needs and let Wiz Defend add the cloud-context layer</li>
<li><strong>Audit log retention too short</strong>: Wiz's default audit retention is short and data is missing when an incident needs lookback. Push Issues and audit logs to <a href="/blog/backend/07-security-data-protection/vendors/splunk/" data-link-title="Splunk" data-link-desc="業界 SIEM 標準、forwarder &#43; indexer &#43; search head 架構、SPL 為核心查詢語言、ingestion-based 計費跟偵測覆蓋率的 trade-off">Splunk</a> / <a href="/blog/backend/07-security-data-protection/vendors/datadog-security/" data-link-title="Datadog Security" data-link-desc="Datadog observability platform 上的 security suite：Cloud SIEM &#43; CSPM &#43; CWS &#43; AAP &#43; Sensitive Data Scanner、跟 observability 同 plane">Datadog</a> for long-term retention</li>
</ul>
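<p>An added example, not Wiz tooling, for the Connector IAM drift item above and the Connector coverage check in the Shortest Assessment Path: a glob-aware diff of the deployed Connector role against the vendor template, plus a trust-policy check for the two things that matter on a cross-account role (only the vendor's account may assume it, and an <code>sts:ExternalId</code> condition must be present). Both policy documents are constructed stand-ins, not Wiz's real Connector template, and the vendor account id is a placeholder; in practice you feed it the template you were given and the output of <code>aws iam get-role</code> / <code>get-role-policy</code>.</p>

```python
"""Detect drift between the Connector IAM role actually deployed and the vendor template.
Added example, not Wiz tooling: the policy and trust documents below are constructed
stand-ins for illustration, not Wiz's real Connector template. Feed it the real template
plus the output of `aws iam get-role` / `get-role-policy` to catch hand-added permissions."""
import fnmatch

READ_PREFIXES = ("Describe", "Get", "List", "BatchGet", "Lookup", "Search", "Query", "View")


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def normalize(policy):
    """Flatten a policy document into (effect, action, resource) triples."""
    return {(st.get("Effect", "Allow"), action, resource)
            for st in policy["Statement"]
            for action in _as_list(st.get("Action"))
            for resource in _as_list(st.get("Resource"))}


def covered(triple, patterns):
    """True if some pattern triple (same effect, glob action, glob resource) grants `triple`."""
    effect, action, resource = triple
    return any(effect == pe and fnmatch.fnmatchcase(action, pa) and fnmatch.fnmatchcase(resource, pr)
               for pe, pa, pr in patterns)


def is_read_only(action):
    return action.split(":", 1)[-1].startswith(READ_PREFIXES)


def diff_policy(template, deployed):
    """Added grants are the drift; removed grants are scanner blind spots (CIEM cannot
    enumerate IAM without iam:List*). Glob-aware, so ec2:DescribeVolumes under ec2:Describe* is not noise."""
    tmpl, dep = normalize(template), normalize(deployed)
    added = {x for x in dep if not covered(x, tmpl)}
    removed = {x for x in tmpl if not covered(x, dep)}
    findings = []
    for effect, action, resource in sorted(added):
        if effect != "Allow":
            continue
        if action == "*" or action.endswith(":*"):
            findings.append(("critical", f"wildcard {action} on {resource}"))
        elif not is_read_only(action):
            findings.append(("high", f"write-capable {action} on {resource}"))
        else:
            findings.append(("low", f"extra read {action} on {resource}"))
    return {"added": added, "removed": removed, "findings": findings}


def check_trust_policy(trust, vendor_account):
    """Cross-account role hygiene: only the vendor's account may assume the role, and an
    sts:ExternalId condition must be present (confused-deputy protection)."""
    problems = []
    for st in trust["Statement"]:
        if "sts:AssumeRole" not in _as_list(st.get("Action")):
            continue
        principal = st.get("Principal", {})
        principals = [principal] if isinstance(principal, str) else _as_list(principal.get("AWS"))
        for p in principals:
            if p == "*" or vendor_account not in p:
                problems.append(f"unexpected principal {p}")
        if "sts:ExternalId" not in st.get("Condition", {}).get("StringEquals", {}):
            problems.append("missing sts:ExternalId condition")
    return problems


# Constructed stand-in for a vendor template: read-only inventory plus the snapshot
# operations an agentless scanner needs. Not the real Wiz template.
TEMPLATE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:Describe*", "iam:Get*", "iam:List*", "s3:GetBucketPolicy",
                                   "s3:ListAllMyBuckets"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["ec2:CreateSnapshot", "ec2:ModifySnapshotAttribute",
                                   "ec2:DeleteSnapshot"], "Resource": "*"},
]}
# Constructed drifted role: someone added iam:PassRole and s3:*, and dropped iam:List*.
DEPLOYED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:Describe*", "ec2:DescribeVolumes", "iam:Get*", "s3:GetBucketPolicy",
                                   "s3:ListAllMyBuckets", "iam:PassRole", "s3:*"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["ec2:CreateSnapshot", "ec2:ModifySnapshotAttribute",
                                   "ec2:DeleteSnapshot"], "Resource": "*"},
]}
VENDOR_ACCOUNT = "999999999999"  # placeholder, not the vendor's real account id
TEMPLATE_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{VENDOR_ACCOUNT}:root"}, "Action": "sts:AssumeRole",
     "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}},
]}
DEPLOYED_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": [f"arn:aws:iam::{VENDOR_ACCOUNT}:root",
                                              "arn:aws:iam::444444444444:root"]}, "Action": "sts:AssumeRole"},
]}
```

<p>On the constructed documents, <code>diff_policy</code> reports <code>iam:PassRole</code> as a high-severity write-capable addition and <code>s3:*</code> as a critical wildcard, lists the missing <code>iam:List*</code> as a removed grant (the CIEM side of the scan is now blind), and does not flag <code>ec2:DescribeVolumes</code> because the template's <code>ec2:Describe*</code> already covers it. <code>check_trust_policy</code> on the drifted trust document flags the second principal and the missing external-id condition; the template passes clean. Wire the same two checks into the Terraform pipeline that owns the role so drift is caught at plan time rather than in an incident.</p>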
<h2 id="何時改走其他服務">When to Go Elsewhere</h2>
<table>
  <thead>
      <tr>
          <th>Need shape</th>
          <th>Go to</th>
      </tr>
  </thead>
  <tbody>
      <tr>
          <td>Already in the Palo Alto NGFW / Prisma ecosystem</td>
          <td>Prisma Cloud</td>
      </tr>
      <tr>
          <td>Already on CrowdStrike Falcon EDR</td>
          <td>Falcon Cloud Security</td>
      </tr>
      <tr>
          <td>ML-first detection / no appetite for writing rules</td>
          <td>Lacework</td>
      </tr>
      <tr>
          <td>Small / single cloud / budget-sensitive</td>
          <td><a href="/blog/backend/07-security-data-protection/vendors/trivy/" data-link-title="Trivy" data-link-desc="Aqua Security 開源 all-in-one scanner：Container / Filesystem / K8s / IaC &#43; Secret &#43; License &#43; SBOM、Apache 2.0、CI 友善">Trivy</a> + cloud-native scanner (AWS Inspector / GCP SCC)</td>
      </tr>
      <tr>
          <td>Developer-first SAST + SCA</td>
          <td><a href="/blog/backend/07-security-data-protection/vendors/snyk/" data-link-title="Snyk" data-link-desc="跨 SCM 多模組 application security platform：Open Source (SCA) &#43; Code (SAST) &#43; Container &#43; IaC &#43; Cloud (CSPM)、Reachability analysis">Snyk</a> / <a href="/blog/backend/07-security-data-protection/vendors/github-advanced-security/" data-link-title="GitHub Advanced Security" data-link-desc="GitHub 內建 4 大模組：Code Scanning (CodeQL) &#43; Secret Scanning &#43; Dependency Review &#43; Dependabot、跟 PR / Security tab 深度整合">GitHub Advanced Security</a></td>
      </tr>
      <tr>
          <td>Already on Datadog for observability, no appetite for another CNAPP</td>
          <td><a href="/blog/backend/07-security-data-protection/vendors/datadog-security/" data-link-title="Datadog Security" data-link-desc="Datadog observability platform 上的 security suite：Cloud SIEM &#43; CSPM &#43; CWS &#43; AAP &#43; Sensitive Data Scanner、跟 observability 同 plane">Datadog Security CSPM</a></td>
      </tr>
      <tr>
          <td>SIEM / cross-source correlation</td>
          <td><a href="/blog/backend/07-security-data-protection/vendors/splunk/" data-link-title="Splunk" data-link-desc="業界 SIEM 標準、forwarder &#43; indexer &#43; search head 架構、SPL 為核心查詢語言、ingestion-based 計費跟偵測覆蓋率的 trade-off">Splunk</a> / <a href="/blog/backend/07-security-data-protection/vendors/elastic-security/" data-link-title="Elastic Security" data-link-desc="Elastic Stack 上的 SIEM &#43; EDR &#43; Cloud Security 套件、OSS 起源、KQL/EQL/Lucene/ES|QL 多查詢語言、resource-based pricing">Elastic Security</a> / <a href="/blog/backend/07-security-data-protection/vendors/google-security-operations/" data-link-title="Google Security Operations" data-link-desc="Google 雲原生 SIEM &#43; SOAR &#43; Mandiant threat intel 三合一（前 Chronicle）、UDM &#43; YARA-L、fixed-price by data tier、PB-scale 友善">Google Security Operations</a></td>
      </tr>
      <tr>
          <td>Runtime container behaviour detection (OSS)</td>
          <td>Falco / Cilium Tetragon</td>
      </tr>
      <tr>
          <td>Incident routing</td>
          <td><a href="/blog/backend/08-incident-response/vendors/" data-link-title="事故處理 Vendor 清單" data-link-desc="規劃 on-call、incident response、status page 與 postmortem 工具的服務頁撰寫順序與判準">8 Incident Response Vendor List</a></td>
      </tr>
  </tbody>
</table>
<h2 id="不在本頁內的主題">Out of Scope for This Page</h2>
<ul>
<li>The full Security Graph query syntax reference and the complete list of built-in toxic combination rules</li>
<li>Internal eBPF implementation details of Wiz Defend / Wiz Sensor</li>
<li>Concrete configuration of Wiz Code and its IDE plugins (VS Code / JetBrains)</li>
<li>Detailed comparison with cloud-native scanners (AWS Inspector / GCP Security Command Center / Microsoft Defender for Cloud, formerly Azure Defender)</li>
<li>Specific Wiz API SDK usage and Terraform Provider configuration</li>
<li>A complete CNAPP market vendor comparison (Gartner Magic Quadrant etc.)</li>
</ul>
<h2 id="案例回寫">Case Cross-references</h2>
<p>Wiz has no direct vendor-level incident in the chapter 07 case library, but several cases illustrate the kind of risk combination a CNAPP targets:</p>
<table>
  <thead>
      <tr>
          <th>Case</th>
          <th>Relationship to Wiz (lesson by analogy)</th>
      </tr>
  </thead>
  <tbody>
      <tr>
          <td><a href="/blog/backend/07-security-data-protection/red-team/cases/data-exfiltration/snowflake-2024-credential-abuse/" data-link-title="7.R7.4.2 Snowflake 2024：憑證濫用與資料竊取" data-link-desc="外洩憑證與 MFA 缺口如何在資料平台形成高風險外送事件">Snowflake 2024 Credential Abuse</a></td>
          <td>The Security Graph can correlate "leaked credential + over-broad IAM + missing MFA + large data egress", four low-risk findings, into a toxic combination and alert earlier</td>
      </tr>
      <tr>
          <td><a href="/blog/backend/07-security-data-protection/red-team/cases/data-exfiltration/lastpass-2022-backup-chain/" data-link-title="7.R7.4.1 LastPass 2022：備份路徑與鏈式入侵" data-link-desc="開發環境資訊外流如何沿著備份路徑擴大成資料風險">LastPass 2022 Backup Chain</a></td>
          <td>Wiz can scan S3 bucket public exposure + sensitive data + IAM scope and catch configuration drift on the backup bucket; a DSPM scenario</td>
      </tr>
      <tr>
          <td><a href="/blog/backend/07-security-data-protection/red-team/cases/supply-chain/log4shell-cve-2021-44228-component-chain/" data-link-title="7.R7.2.7 Log4Shell 2021：共用元件風險與修補鏈" data-link-desc="共用元件漏洞如何同步影響多服務，並迫使團隊建立依賴治理 workflow">Log4Shell CVE-2021-44228</a></td>
          <td>During Log4Shell, agentless snapshot scanning could answer "which prod workloads carry a vulnerable log4j-core version" from the package inventory it had already collected, without rolling out an endpoint agent first</td>
      </tr>
      <tr>
          <td><a href="/blog/backend/07-security-data-protection/red-team/cases/supply-chain/solarwinds-2020-sunburst/" data-link-title="7.R7.2.1 SolarWinds 2020：更新鏈被濫用" data-link-desc="合法更新流程遭植入後，攻擊者如何長期潛伏與橫向擴散">SolarWinds 2020 Sunburst</a></td>
          <td>Wiz Code + Sigstore integration can verify build artifact provenance, and the Security Graph can link "signed artifact + anomalous runtime behaviour"</td>
      </tr>
      <tr>
          <td><a href="/blog/backend/07-security-data-protection/entrypoint-and-server-protection/" data-link-title="7.3 入口治理與伺服器防護" data-link-desc="以問題驅動方式整理對外入口、管理平面與伺服器邊界">7.3 Entry Governance and Server Protection (section)</a></td>
          <td>Network exposure scanning + IAM analysis map to the section's principles, chaining "public + over-permissioned + sensitive" into a toxic combination</td>
      </tr>
      <tr>
          <td><a href="/blog/backend/07-security-data-protection/supply-chain-integrity-and-artifact-trust/" data-link-title="7.12 供應鏈完整性與 Artifact 信任" data-link-desc="定義 build provenance、artifact 信任與交付鏈風險問題">7.12 Supply Chain Integrity (section)</a></td>
          <td>Wiz Code IaC scanning + image scanning + SBOM consumption map to the build-to-runtime evidence chain</td>
      </tr>
  </tbody>
</table>
<h2 id="下一步路由">Next Steps</h2>
<ul>
<li>Upstream: <a href="/blog/backend/07-security-data-protection/entrypoint-and-server-protection/" data-link-title="7.3 入口治理與伺服器防護" data-link-desc="以問題驅動方式整理對外入口、管理平面與伺服器邊界">7.3 Entry Governance and Server Protection</a>, <a href="/blog/backend/07-security-data-protection/identity-access-boundary/" data-link-title="7.2 身分與授權邊界" data-link-desc="以問題驅動方式整理身分、授權、會話與供應商身分鏈">7.2 Identity and Authorisation Boundary</a>, <a href="/blog/backend/07-security-data-protection/detection-coverage-and-signal-governance/" data-link-title="7.13 偵測覆蓋率與訊號治理" data-link-desc="定義偵測覆蓋、訊號品質與誤報成本的治理問題">7.13 Detection Coverage and Signal Governance</a></li>
<li>Parallel: <a href="/blog/backend/07-security-data-protection/vendors/snyk/" data-link-title="Snyk" data-link-desc="跨 SCM 多模組 application security platform：Open Source (SCA) &#43; Code (SAST) &#43; Container &#43; IaC &#43; Cloud (CSPM)、Reachability analysis">Snyk</a> (dev-first SAST/SCA), <a href="/blog/backend/07-security-data-protection/vendors/trivy/" data-link-title="Trivy" data-link-desc="Aqua Security 開源 all-in-one scanner：Container / Filesystem / K8s / IaC &#43; Secret &#43; License &#43; SBOM、Apache 2.0、CI 友善">Trivy</a> (OSS scanner), <a href="/blog/backend/07-security-data-protection/vendors/datadog-security/" data-link-title="Datadog Security" data-link-desc="Datadog observability platform 上的 security suite：Cloud SIEM &#43; CSPM &#43; CWS &#43; AAP &#43; Sensitive Data Scanner、跟 observability 同 plane">Datadog Security</a> (observability + CSPM)</li>
<li>Downstream: <a href="/blog/backend/07-security-data-protection/vendors/splunk/" data-link-title="Splunk" data-link-desc="業界 SIEM 標準、forwarder &#43; indexer &#43; search head 架構、SPL 為核心查詢語言、ingestion-based 計費跟偵測覆蓋率的 trade-off">Splunk</a> (Issues → SIEM), <a href="/blog/backend/07-security-data-protection/vendors/hashicorp-vault/" data-link-title="HashiCorp Vault" data-link-desc="Self-hosted secret management 與 dynamic credential / encryption-as-a-service / PKI engine、跨雲跨環境的 secret 控制面">HashiCorp Vault</a> (SOAR-driven rotation), <a href="/blog/backend/07-security-data-protection/vendors/syft-grype/" data-link-title="Syft &#43; Grype" data-link-desc="Anchore 開源姐妹工具：Syft 產 SBOM (CycloneDX / SPDX) &#43; Grype scan 漏洞、Unix philosophy、cosign attestation 整合">Syft / Grype</a> (SBOM into Wiz Code)</li>
<li>Cross-category: <a href="/blog/backend/07-security-data-protection/vendors/aws-iam/" data-link-title="AWS IAM" data-link-desc="AWS cloud resource permission engine、Role / Policy / STS、跨帳號信任邊界與 OIDC federation 的核心">AWS IAM</a> / <a href="/blog/backend/07-security-data-protection/vendors/google-cloud-iam/" data-link-title="Google Cloud IAM" data-link-desc="GCP cloud resource permission engine、Role Binding / Service Account / Workload Identity Federation、resource hierarchy 為核心的權限治理">Google Cloud IAM</a> / <a href="/blog/backend/07-security-data-protection/vendors/azure-rbac/" data-link-title="Azure RBAC &#43; Entra ID" data-link-desc="Azure 雙層身份/權限體系、Entra ID（IdP）&#43; Azure RBAC（resource permission）、Conditional Access、PIM、Managed Identity">Azure RBAC</a> (what CIEM analyses), <a href="/blog/backend/05-deployment-platform/vendors/terraform/" data-link-title="Terraform / OpenTofu" data-link-desc="Infrastructure as Code 主流工具">Terraform</a> (Connector / IaC version control)</li>
<li>Cross-module: <a href="/blog/backend/08-incident-response/vendors/" data-link-title="事故處理 Vendor 清單" data-link-desc="規劃 on-call、incident response、status page 與 postmortem 工具的服務頁撰寫順序與判準">8 Incident Response Vendor List</a> (toxic combination → IR routing), <a href="/blog/backend/05-deployment-platform/" data-link-title="模組五：部署平台與網路入口" data-link-desc="整理 Kubernetes、systemd、load balancer、container 與服務生命週期合約">5 Deployment Platform</a> (cloud account / K8s onboarding)</li>
<li>Official: <a href="https://docs.wiz.io/">Wiz Documentation</a></li>
</ul>
]]></content:encoded></item></channel></rss>