Getting comprehensive visibility into your cloud environment starts with agentless inventory and risk analysis. Wiz builds a complete picture of your attack surface and the attack paths created by toxic combinations of risk across your cloud. And it does this without requiring you to deploy agents.
Agentless visibility gives you the map - every vulnerability, misconfiguration, and risk across your environment. Once you know what exists, the next step is understanding what’s actively connected. Which of those risks have a live network path to your most sensitive resources right now? Which connections are happening that weren’t expected or intended? That’s where runtime signals come in.
Today, we're adding a new layer of runtime telemetry on top of that foundational risk analysis. The Wiz Runtime Sensor now takes the live network signals it collects directly from your workloads - the active connections between containers, DNS queries to databases, AI workloads communicating with remote MCP servers - and feeds this context into the Wiz Security Graph. The result: attack paths that were never visible before, surfaced as critical Issues alongside the risk analysis the Security Graph already gives you, so security teams always know what's active, what's connected, and what needs to be prioritized and fixed now.
The Connection Is the Attack Path
In most environments, the vulnerability and the sensitive destination exist long before anyone notices the risk. What creates the exploitable path is the connection between them - and that connection is sometimes only visible at runtime.
Consider an internet-facing AI chatbot running in your environment. Agentless scanning already tells you it's publicly exposed, that the container has vulnerabilities, and that the underlying AI agent has access to a Bedrock knowledge base and sensitive data. That's a risk combination worth addressing on its own.
What agentless scanning can’t tell you is that at runtime, the same AI agent is actively making connections to a remote MCP server. That connection wasn’t defined in any configuration. It wasn’t in any policy. It only exists because code is executing right now - and without runtime visibility, it’s completely invisible to your security team.
That runtime connection changes the picture entirely. An internet-facing chatbot with a known vulnerability, access to sensitive data, and an active connection to an external MCP server isn't three separate findings - it's a single attack path to data exfiltration through an AI system your team didn't know was reaching outside your environment.
We found that for 1 in every 6 environments we monitor at runtime, adding runtime risk context surfaced a high- or critical-severity attack path that prior analysis had missed - an internet-exposed or vulnerable workload with a real, observed network connection to a sensitive destination such as a database, a secrets vault, or a storage location holding sensitive data.
That's the gap that correlating runtime signals with risk findings closes. By observing live network connections from your workloads and layering them into the existing risk context in the Wiz Security Graph, Wiz joins static risk findings with runtime evidence to identify complete, validated attack paths - and surfaces them to defenders before an attacker finds them first.
The runtime signals now correlated with risk
The Wiz Runtime Sensor is lightweight, deploys on your workloads, and observes live network activity as it happens. Already used by Wiz customers for threat detection today, the Sensor captures, in real time, every DNS query a workload makes and every active connection to another container, database, or external service. Now that same runtime telemetry feeds directly into the Wiz Security Graph to provide runtime risk context.
The Sensor layers that runtime context on top of existing risk findings: connections that only exist because code is actively executing right now - a container querying a database, a Pod with a known vulnerability communicating with a highly privileged workload, an AI workload reaching out to a remote MCP server.
Finding and prioritizing risks with runtime context
When that runtime context intersects with existing risk findings, Wiz surfaces them as a single critical Issue. Here's what that looks like in practice. The Security Graph shows an internet-facing Kubernetes container with vulnerabilities - that's already visible through agentless scanning. What the runtime layer adds is a confirmed live network connection to an S3 bucket containing sensitive PII data. Without runtime signals, the container risk and the sensitive data exist as separate findings. With them, Wiz maps the complete path from the internet to your most sensitive data in a single view.
Remediating the risks with AI analysis
Because Wiz has the full picture - the vulnerability, the internet exposure, and the live runtime connection - the remediation recommendation we provide is specific to all three. For the security engineer or developer who picks this up, the Wiz Green Agent does the investigation for an active network connection to secrets in Vault - tracing the attack path across the container, its exposure, and the runtime connection to Vault - and hands you specific, actionable remediation steps ready to execute. No manual triage, no guessing at where to make the fix.
AI Workloads and the MCP Blind Spot
AI workloads are becoming commonplace in cloud environments. Containers running AI agents, copilots, and automated pipelines are increasingly connecting to external services - and one of the most common protocols enabling those connections is MCP (Model Context Protocol), which lets AI agents interact with external tools and data sources.
Most security teams have no visibility into these connections. Which containers in your environment are communicating with remote MCP servers? When did that behavior start? Which of those containers also have access to sensitive data? These are visibility blind spots today.
The Wiz Runtime Sensor observes these connections as they happen. When a container makes a DNS query to a remote MCP server, that connection surfaces in the Security Graph, giving security teams visibility into AI workload behavior that was previously invisible. Which containers are reaching out to external MCP servers? Are those servers trusted? Does that container also have access to sensitive data? For most teams today, these questions have no answer. Runtime context answers them.
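The correlation described in the two sections above (an internet-exposed, vulnerable workload with an observed connection to a sensitive destination, and an AI workload reaching an external MCP server while holding access to sensitive data) is easy to see as a graph problem. The following is an added, self-contained illustration written for this article; it is not Wiz code and does not reflect how the Security Graph or the Runtime Sensor are implemented. The agentless inventory, the sensor event lines, and the hostname `mcp.remote-tools.example` in `EXTERNAL_MCP_HOSTS` are all constructed for the example. Static findings become edges labelled `agentless`, sensor observations become edges labelled `runtime`, and a depth-first walk from an `internet` node to each sensitive destination classifies every path by whether it needed a runtime-observed hop and whether it crosses a workload with critical vulnerabilities.

```python
"""Correlate runtime network observations with agentless risk findings.

Constructed illustration for the article above; not Wiz code.
"""
import json

# Constructed agentless inventory: what static scanning already knows.
INVENTORY = {
    "workloads": {
        "chatbot": {"internet_exposed": True, "critical_vulns": 2, "access": ["bedrock-kb"]},
        "api": {"internet_exposed": True, "critical_vulns": 1, "access": []},
        "batch": {"internet_exposed": False, "critical_vulns": 0, "access": ["pii-bucket"]},
    },
    "sensitive": {
        "pii-bucket": "S3 bucket holding PII",
        "vault": "secrets vault",
        "bedrock-kb": "Bedrock knowledge base",
    },
}

# Constructed runtime sensor telemetry (JSON lines): connections and DNS queries.
SENSOR_EVENTS = """
{"type":"conn","src":"api","dst":"pii-bucket","proto":"tcp","dport":443}
{"type":"dns","src":"chatbot","qname":"mcp.remote-tools.example"}
{"type":"conn","src":"chatbot","dst":"mcp.remote-tools.example","proto":"tcp","dport":443}
{"type":"conn","src":"api","dst":"batch","proto":"tcp","dport":8080}
{"type":"conn","src":"batch","dst":"vault","proto":"tcp","dport":8200}
"""

# Hypothetical list of hostnames known to be external MCP servers (assumption).
EXTERNAL_MCP_HOSTS = {"mcp.remote-tools.example"}


def parse_sensor_events(raw):
    """Turn JSON-lines sensor output into (src, dst, kind) runtime edges."""
    edges = []
    for line in raw.strip().splitlines():
        ev = json.loads(line)
        if ev["type"] == "conn":
            edges.append((ev["src"], ev["dst"], "conn"))
        elif ev["type"] == "dns":
            edges.append((ev["src"], ev["qname"], "dns"))
    return edges


def build_graph(inventory, runtime_edges):
    """Directed graph: g[src][dst] -> {"kinds": set, "sources": set}."""
    g = {}

    def add(src, dst, kind, source):
        e = g.setdefault(src, {}).setdefault(dst, {"kinds": set(), "sources": set()})
        e["kinds"].add(kind)
        e["sources"].add(source)
        g.setdefault(dst, {})

    for name, w in inventory["workloads"].items():
        g.setdefault(name, {})
        if w["internet_exposed"]:
            add("internet", name, "exposure", "agentless")
        for target in w["access"]:
            add(name, target, "iam-access", "agentless")
    for src, dst, kind in runtime_edges:
        add(src, dst, kind, "runtime")
    return g


def find_attack_paths(inventory, g, max_depth=4):
    """Enumerate internet -> ... -> sensitive paths and classify each one."""
    sensitive, workloads = inventory["sensitive"], inventory["workloads"]
    results = []
    stack = [("internet", ["internet"], False)]
    while stack:
        node, path, saw_runtime = stack.pop()
        if node in sensitive and len(path) > 1:
            hops = [n for n in path if n in workloads]
            vuln = any(workloads[h]["critical_vulns"] > 0 for h in hops)
            if not saw_runtime:
                severity = "agentless"   # already visible without runtime data
            elif vuln:
                severity = "critical"    # exposed + vulnerable + observed connection
            else:
                severity = "high"        # exposed + observed connection
            results.append({"path": tuple(path), "severity": severity, "target": sensitive[node]})
            continue  # a sensitive store is a sink; do not traverse through it
        if len(path) > max_depth:
            continue
        for nxt, e in g.get(node, {}).items():
            if nxt not in path:
                stack.append((nxt, path + [nxt], saw_runtime or "runtime" in e["sources"]))
    return results


def find_mcp_exposure(inventory, g, mcp_hosts):
    """Workloads observed talking to external MCP servers, with their sensitive reach."""
    findings = []
    for w, attrs in inventory["workloads"].items():
        mcp = sorted(d for d in g.get(w, {}) if d in mcp_hosts)
        if not mcp:
            continue
        reach = sorted(d for d in g[w] if d in inventory["sensitive"])
        findings.append({
            "workload": w,
            "mcp_servers": mcp,
            "sensitive_access": reach,
            "severity": "critical" if attrs["internet_exposed"] and reach else "high",
        })
    return findings


GRAPH = build_graph(INVENTORY, parse_sensor_events(SENSOR_EVENTS))

if __name__ == "__main__":
    for p in sorted(find_attack_paths(INVENTORY, GRAPH), key=lambda r: r["path"]):
        print(p["severity"].upper(), " -> ".join(p["path"]), "|", p["target"])
    for f in find_mcp_exposure(INVENTORY, GRAPH, EXTERNAL_MCP_HOSTS):
        print("MCP", f["severity"].upper(), f["workload"], f["mcp_servers"], f["sensitive_access"])
```

On the constructed data the walk reports the chatbot's Bedrock access as an `agentless` finding (nothing new), while the `api` container's observed connection to the PII bucket, and its observed connection onward to the privileged `batch` workload that reaches Vault and the bucket, come out as `critical` because they only exist once the runtime hop is added. The MCP check flags `chatbot` as critical because it is internet-exposed, was observed reaching an external MCP host, and has access to a sensitive destination.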
Connect runtime context to your risk findings
We're excited to continue to bring more runtime context from the Wiz Sensor to help Cloud Security and Development teams prioritize and fix the most critical Issues in their environment.
As of today, Wiz Cloud and Runtime Sensor customers automatically have access to runtime context across Graph Controls and Issues in their environment. Find more information on this capability in our docs (login required), and if you're not a Wiz customer and are interested in seeing this in action, please request a demo.