From Writing Code to Orchestrating It
The way software gets built has fundamentally changed. Developers are no longer writing every line of code; they're orchestrating AI coding agents that iterate on production code for them. Most security tooling wasn't built for this world, and the gap between how fast software is produced and how fast it gets secured grows wider every day.
That gap becomes even more urgent when frontier models like Anthropic's Claude Mythos Preview can autonomously discover and exploit zero-day vulnerabilities, collapsing the window between discovery and exploitation from months to minutes. When Mythos was announced, we shared our recommendations: the future belongs to organizations that democratize security to fix vulnerabilities at the speed they're found. To stay ahead, the only defensible response is to equip developers with inherently security-aware AI, embedded directly into the AI-SDLC flow. This ensures security at inception, catching vulnerabilities before they ever get committed.
Today, we're bringing Wiz's knowledge directly into AI-native IDEs and coding agents through Wiz Code plugins and skills, powered by the Wiz MCP server and WizCLI. This enables real-time scanning and fixing of AI-generated code inside AI-native IDEs and copilots. Developers' coding agents now gain the same security context your security team sees in the Wiz portal, applying remediation guidance to fix issues at the source.
The result is a closed loop: security teams remediate critical findings without leaving Wiz, and developers catch and fix issues without leaving their IDE. Both teams, working from the same intelligence, at the speed these new models demand.
From Findings to Fixes
We built the Green Agent so that its analysis is available where teams work. There are two direct ways to take advantage of it.
For security teams in Wiz: When a critical issue surfaces, security teams no longer need to find the right developer, explain the context, submit a ticket, and wait. Instead, they can trigger remediation directly from a Wiz issue. The Green Agent uses the full context around that issue – including the attack path, the ownership data, historical remediation patterns, and code-to-cloud tracing – to build an effective remediation plan to share with a coding agent. The coding agent then uses that plan to make the fix and submit a pull request for review. Remediation that once took days can now take minutes.
For developers in their IDEs: Using Wiz Code plugins, developers can pull active Wiz issues, including validated issues from Wiz ASM, directly into their IDE. They get full context on the risk, its impact from the Security Graph, and how to address it. Their coding agent can then apply the Green Agent’s remediation guidance and commit it to source control without the developer ever leaving their workflow.
Preventing Risks At Code Inception
Automated remediation is powerful. But the most impactful thing any security team can do is prevent vulnerabilities from being introduced in the first place. That means moving security all the way to the left, to the moment code gets generated by the AI model.
Imagine a developer using Claude Code to build a new microservice. As the AI agent generates infrastructure files and application code, the Wiz plugin is already watching. At the natural boundaries of the development workflow, like file save, pre-commit, and pre-push, the plugin automatically runs a security scan. If it finds any of the following, it surfaces the finding immediately in the IDE, before the code can reach the repository:
A hardcoded API secret or credential
An IaC misconfiguration (an S3 bucket open to the internet, an overly permissive IAM role, etc.)
A CVE in a vulnerable dependency
Malware embedded in a container layer
Findings are surfaced as warnings by default, meaning developers are informed and guided without being blocked. Teams that require additional code scrutiny can configure block mode, where critical or high-severity findings stop a commit or push from proceeding.
This matters especially in the agentic era. AI coding agents can operate in fully autonomous modes, committing code without surfacing permission prompts. Wiz Code plugins fire at the git lifecycle boundary regardless, so even in fully autonomous operation, the security guardrails hold. Governance doesn’t evaporate when a human isn’t watching.
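The warn-versus-block behaviour at the pre-commit boundary described above can be sketched as follows. This is an added example, not Wiz's code or the plugin's implementation: the three regex rules, their severities, the `SAMPLE` files and the `block` / `--staged` arguments are all constructed stand-ins for a real scanner.

```python
import re
import subprocess
import sys

# Constructed rules for illustration only (not Wiz's rule set): (rule id, severity, pattern)
RULES = [
    ("hardcoded-aws-access-key", "CRITICAL", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("iam-wildcard-action", "HIGH", re.compile(r'"Action"\s*:\s*"\*"')),
    ("s3-public-acl", "MEDIUM", re.compile(r'acl\s*=\s*"public-read"')),
]
BLOCKING = {"CRITICAL", "HIGH"}  # severities that stop a commit in block mode
SAMPLE = {  # constructed staged files; the key below is a made-up placeholder
    "app/config.py": 'API_KEY = "AKIAEXAMPLEKEY000000"\n',
    "infra/role.json": '{"Effect": "Allow", "Action": "*", "Resource": "*"}\n',
    "infra/main.tf": 'resource "aws_s3_bucket_acl" "b" {\n  acl = "public-read"\n}\n',
}

def scan(files):
    """Return (path, line_no, rule_id, severity) for each rule hit in {path: text}."""
    findings = []
    for path, text in sorted(files.items()):
        for line_no, line in enumerate(text.splitlines(), start=1):
            for rule_id, severity, pattern in RULES:
                if pattern.search(line):
                    findings.append((path, line_no, rule_id, severity))
    return findings

def gate(findings, mode="warn"):
    """Hook exit status: non-zero only in block mode with a critical/high finding."""
    return 1 if mode == "block" and any(sev in BLOCKING for *_, sev in findings) else 0

def staged_files():
    """Read the staged (index) content of added/copied/modified files, not the working tree."""
    names = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM", "-z"],
        capture_output=True, check=True).stdout.decode().split("\0")
    files = {}
    for name in filter(None, names):
        blob = subprocess.run(["git", "show", f":{name}"], capture_output=True, check=True)
        files[name] = blob.stdout.decode("utf-8", errors="replace")
    return files

if __name__ == "__main__":  # hypothetical usage: gate.py [block] [--staged]; default scans SAMPLE
    mode = "block" if "block" in sys.argv else "warn"
    files = staged_files() if "--staged" in sys.argv else SAMPLE
    found = scan(files)
    for path, line_no, rule_id, severity in found:
        print(f"{severity:8} {rule_id} {path}:{line_no}", file=sys.stderr)
    sys.exit(gate(found, mode))
```

Because the exit status comes from the git hook itself, the commit is stopped in block mode whether a person or an autonomous agent ran `git commit`; in warn mode the findings are printed and the commit proceeds.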
How It Works in Practice
A backend engineer asks their AI coding agent to scaffold a new API service. The agent generates an infrastructure template, a container configuration, and the application code, creating dozens of files in minutes. Without security guardrails, that code gets committed and eventually deployed carrying a misconfigured IAM role, a hardcoded secret, and a vulnerable dependency.
With Wiz Code's plugin in place:
As the agent wraps up and the developer runs git commit, the pre-commit gate fires automatically, scanning staged files.
It surfaces three findings: an overly permissive IAM policy, a hardcoded API key, and a vulnerable library.
The developer applies the fixes in their IDE, guided by the Green Agent’s recommendations, and recommits.
The code reaches the repository without carrying the vulnerabilities with it.
Meanwhile, a security engineer reviewing the Wiz portal sees that a different service has a critical CVE on an active attack path, validated by Wiz’s attack surface scanner as reachable from the internet. They view the Green Agent remediation steps, and choose the “Send to Coding Agent” option. Minutes later, a pull request lands in the service’s repository with the fix applied. They review it, approve it, and the finding is resolved before it can be exploited.
That is what it means to have security that moves at agent speed.
Where We’re Headed
This launch is the beginning, not the destination. We'll be continuously expanding support for additional AI coding tools and agents as the ecosystem evolves, because securing AI-generated code can't be a solution that only works for one tool or one team's setup.
We're also deepening the capabilities of the plugins themselves. Expect to see:
Expanded guardrails that give security and platform teams more centralized control over how AI coding agents operate within enterprise environments
Deeper integrations that connect the development workflow even more tightly to Wiz's cloud security graph, so the context informing every scan and every remediation gets richer over time
Embedding security in the code generation process itself, establishing secure foundations and organizational guardrails earlier in the process, so that secure code is the natural output of how agents are instructed to work from the very beginning
The broader commitment is straightforward: as AI becomes the primary way software gets written, Wiz is investing to make sure security keeps pace. Every engineering team should be able to move fast with AI and stay secure doing it. That's what we're building toward.
Built for the Agentic Era
AI changed how fast software gets built. Wiz Code is built to make sure security keeps pace, catching issues the moment they're introduced, helping teams close existing gaps fast, and giving organizations a clear strategy for securing AI-generated code as the tools and agents continue to evolve. Because in the agentic era, security that happens after the fact isn't a strategy. It's a delay your adversaries are counting on.