In the cloud, time is the real adversary. Workloads are ephemeral, spinning up, executing code, and disappearing in minutes.
For SecOps teams, this changes everything. The traditional forensics model - isolate the server, pull the drive, and analyze it bit-by-bit - operates at human speed. The cloud runs at machine speed. When a container lives for only minutes, waiting for a human to react means the evidence is already gone.
A Tiered Approach to Forensic Visibility
At Wiz, we believe closing the gap between detection and investigation requires an adaptive approach to forensics. We think about forensic visibility as a tiered spectrum. Baseline monitoring and full snapshot analysis are available in the platform today, with context-aware forensics capture in public preview as of today.
Baseline monitoring
For most environments, Wiz utilizes a lightweight, agentless approach. Machine logs are automatically captured during routine scans and made available instantly, directly within the platform.
Context-aware forensics capture
When specific threat detections fire, indicating potentially suspicious activity, the Wiz Sensor captures targeted, full-context evidence from the affected container and the underlying host without the cost or friction of full disk imaging. This feature is in public preview as of today
Full snapshot analysis
For confirmed high-severity incidents, teams can take full snapshots directly from the platform into a preconfigured cloud forensics account, enabling deeper investigation when it matters most.
This model keeps forensics proportional, fast, and practical at cloud scale.
Contextualized and Automated Collection, Powered by AI
Context-aware forensics, captured by the Wiz Sensor and powered by AI, is now in public preview, and brings our forensics approach to life at runtime. In the cloud, evidence disappears by attacker design, and traditional infrastructure makes it harder to retrieve the evidence that teams need. Still, SOC analysts still need to quickly decide whether an alert is real, and DFIR teams still need the right evidence to investigate, even as those tasks have become more complex. This functionality is built to help them meet that challenge.
When the Wiz Sensor detects suspicious behavior, like anomalous process trees, unexpected binaries, or unusual network activity, it automatically captures a focused forensic package. Relevant files, scripts, binaries, and execution context are collected and attributed to the exact workload and process involved.
But capturing data is only the first step. The real challenge is turning evidence into answers quickly. That is where AI comes in to analyze the raw forensic data and surface clear conclusions. Those insights feed directly into the AI threat investigation, improving verdict accuracy, strengthening cloud correlation rules, and further reducing the time needed to investigate complex attacks.
Our forensics capabilities are built to help SOC and DFIR teams work faster and with confidence. With forensics on the Wiz platform, SOC teams can better triage alerts with comprehensive evidence, while DFIR teams can answer investigation questions clearly and quickly with less operational overhead. The result is less back and forth, shorter response times, and clear, evidence based decisions that hold up under pressure.
Let’s See it in Action
Let's consider a scenario where, as part of a cloud attack, an attacker uses a fileless execution attack technique in a container.
In cloud native environments, containers may run for minutes and leave little behind. By the time a traditional alert fires, memory only payloads are gone, system files may already be modified, and teams are left piecing together incomplete signals.
With Wiz forensics, the story looks different:
1. The sensor detected a fileless execution. Since the VM had Wiz Sensor installed, container-aware forensic collection was automatically triggered at runtime based on the detection.
2. The forensics package preserved the in memory payload and execution script, revealing an encoded credential harvesting script designed to evade detection
3. SOC team members triaged the related threat quickly, immediately understanding the malicious intent of the executed script and identifying the related threat as a true positive. The AI forensic analysis increased the analysts’ confidence in the assessment and sped up triage.
4. After quick triage, DFIR team members used the memory-only payload and comprehensive package from the detection time to reconstruct the attack and confirm coordinated malicious intent.
With this context captured automatically, what could have been an ambiguous threat became a clear, high severity incident, investigated faster and with confidence.
What Comes Next?
This launch adds new capabilities, but more importantly, it reflects how we think cloud forensics should work: context driven, proportional to risk, and enhanced by AI.
Looking ahead, we’re working toward more autonomous investigations. Imagine an AI agent that doesn’t just analyze evidence, but adapts to it. If new file paths or processes are discovered during analysis, the agent can decide to trigger additional collection, make decisions and proactively investigate, further enhancing the workflows of SecOps teams.
Our new forensics functionality is now available in public preview. You can sign up through the Preview Hub (login required) to try it out and see what's coming next.
