Introducing Runtime Threat Detection for Google Cloud Run

Wiz Runtime Sensor support for Google Cloud Run Containers is now generally available, giving teams real-time threat detection and response for their serverless container workloads.

Google Cloud Run has become one of the most widely adopted platforms for deploying containerized workloads without managing infrastructure. Teams across industries use it to run APIs, event-driven pipelines, AI inference endpoints, and production services at scale. But as Cloud Run adoption grows, security teams face a persistent challenge: detecting threats, malicious processes, and active attacks inside containers while they're running.

Today, we're excited to announce that Wiz Runtime Sensor support for Google Cloud Run Containers is now generally available (GA). Teams running workloads on Cloud Run can now get continuous, real-time visibility into what's executing inside their containers, investigate with the help of the Wiz Blue Agent, and respond automatically when something malicious is detected.

This release completes Wiz's serverless container coverage alongside AWS Fargate and Azure Container Apps, bringing the same runtime threat detection and response experience to Google Cloud.

Closing the Serverless Runtime Gap

Cloud Run's managed nature means Google handles the underlying infrastructure. Everything above that layer is your security team's responsibility: the container images you deploy, the IAM permissions your services run with, how they're exposed to the internet, and whether malicious activity is occurring inside those containers at runtime.

Wiz already provides agentless security coverage for Cloud Run as part of the core platform. With the Wiz GCP Connector, Wiz discovers and inventories every Cloud Run Service and Revision across your GCP projects, surfaces misconfigurations through built-in cloud configuration rules, identifies network and identity risk per revision, detects vulnerabilities at the package level with SBOM, surfaces attack paths through the Wiz Security Graph, and traces issues back to source via Code to Cloud.

With this release, Wiz now also provides runtime visibility, detection, and response capabilities for your Cloud Run containers: knowing what code is actually executing, identifying active threats as they unfold, and responding before damage is done.

Real-Time Threat Detection and Response for Cloud Run

Real-Time Threat Detection

The sensor continuously monitors process execution, system calls, and runtime behavior inside your Cloud Run containers. When suspicious activity is detected, such as a binary executing that wasn't present in the original image, a reverse shell being initiated, or a DNS query to a known malicious domain, Wiz surfaces a detection immediately. Each detection is enriched with cloud context from the Security Graph: what IAM permissions the revision holds, what data it can reach, and what other resources are at risk. The Wiz Runtime Sensor ships with 2000+ built-in threat detection rules. Customers can extend the detection library with their own rules tailored to their environment and application behavior.

Figure 1: An example detection of a suspected malware execution in Cloud Run

Correlating Detections into a Threat

Rather than surfacing individual alerts for every suspicious event, Wiz correlates related detections across the workload layer into a single consolidated threat. This is powered by Wiz's Detection Engine, which uses Correlation Threat Detection Rules to evaluate related events across a time window and group signals from different origins into one threat. A cryptomining attack on your Cloud Run Container, for example, may trigger multiple detections in quick succession: a file associated with a known cryptominer, a DNS query to a known mining pool, a cryptominer command line argument, and reverse shell activity. Instead of your team triaging each of those signals separately, Wiz groups them into one threat with all the underlying detections in a single view. Your team sees the full picture of what happened, with MITRE ATT&CK context for each detection, without the noise of managing every signal independently.

AI-Powered Threat Investigation with Wiz Blue Agent

When a threat is identified, the Wiz Blue Agent automatically investigates the threat end to end. Using specialized sub-agents for forensics and code analysis, it correlates runtime detections with cloud context and source code, surfaces a transparent chain of reasoning behind every verdict, and recommends response actions — reducing the manual triage burden on your security team.

An example of the investigation and verdict by the Wiz Blue Agent

Runtime Response Policies

Configure automated responses to detections: terminating a malicious process, blocking specific runtime behavior, or triggering a workflow. For ephemeral Cloud Run containers that may disappear before a human can respond, automated response closes the gap between detection and containment.

Start protecting your serverless container environments today

To deploy the Wiz Runtime Sensor on Google Cloud Run, see the Install Runtime Sensor for Google Cloud Run guide in Wiz Docs (login required). To test the sensor against a realistic attack scenario before deploying to production, see the Simulate a Live Attack for Google Cloud Run Sensor guide.

To review your existing Cloud Run posture without the Sensor, connect your GCP environment to Wiz and navigate to your Wiz Inventory today.

Want to see it in action? Schedule a demo.
