AI is changing not just how we build — but how security operates.
AI-generated code, autonomous agents, and dynamic applications are increasing both the speed and complexity of modern environments. Traditionally, this created an asymmetry: defenders had to secure everything, while attackers only needed to find one weak point.
But AI is beginning to shift that balance.
AI is now accessible to both attackers and defenders — but its effectiveness depends on one thing: context. Defenders have it.
Across code, cloud, and runtime, security teams sit on the richest source of context about how systems are built, how they behave, and where risk actually exists. And more importantly, Wiz brings that context together.
Security teams are no longer limited by a lack of data, but by the ability to act on it. They are still forced to manually investigate alerts, stitch together signals across tools, and validate risk before taking action. As risk increases in speed and scale, response remains constrained by human capacity.
This is the bottleneck.
Today, we’re introducing Wiz Agents and Workflows — bringing autonomous reasoning and action into the Wiz platform as a force multiplier for security teams, helping them operate at the speed of AI.
Meet the Agents: Red, Blue, and Green
We built three specialized agents to operate across the entire security lifecycle. These aren’t simple assistants — they are intelligent systems that can reason, investigate, and take action, grounded in the Wiz Security Graph.
Red Agent (Offensive)
Your AI-powered attacker. Red Agent reasons through application logic to uncover complex logic-driven vulnerabilities typically left hidden. It acts like a sophisticated security researcher, but with AI speed and scale: reasoning about application behavior, adapting its approach in real time, and validating exploitable risks across your web applications and APIs, empowering you to stay one step ahead of attackers. Learn more about the Red Agent in this blog.
Blue Agent (Defensive)
Your built-in threat investigator. When a threat is triggered, Blue Agent gathers evidence across cloud telemetry, runtime signals, and identity context to comprehensively investigate the threat and produce a clear verdict on its severity. It approaches threat investigation as a seasoned incident responder would, providing its full investigation logic so you can resolve threats with confidence and speed. Learn more about the Blue Agent in this blog.
Green Agent (Resolution)
Your path to “zero criticals”. Green Agent acts as a built-in investigation and remediation engine, continuously analyzing your highest-risk Issues to close the gap between detection and resolution. Like a seasoned security engineer, it synthesizes context from across Wiz (including the Security Graph, code-to-cloud relationships, identity ownership, and historical remediation patterns) to identify the true root cause of a risk and the safest, most effective resolution. Teams get environment-specific, step-by-step remediation guidance so fixes are durable.
Together, they form a continuous loop of validation, investigation, and resolution — all grounded in real context across your environment.
Introducing Agents in Workflows
Teams now have rich context, clear prioritization, and AI-driven analysis — but the challenge is operationalizing that insight into consistent, scalable action.
That's where Workflows come in, allowing teams to define how AI operates within their environment.
Workflows extend Wiz from insight to action — turning the platform’s context, prioritization, and AI-driven analysis into programmatic, repeatable workflows that scale how security teams operate.
Wiz Workflows introduces a new hub for orchestrating cloud and AI security within Wiz. It brings together the rich context of Wiz, analysis from Wiz AI agents, and a flexible drag-and-drop interface. Together, this enables security teams to define and customize how work gets done, from when and how agents act to where human input is required. For example, teams can:
Pull the Blue Agent analysis for a suspicious login Threat, message the user in Slack to validate the activity, and escalate to SecOps if it’s not recognized.
Automatically trigger remediation actions when the Green Agent reaches a high-confidence remediation verdict, such as blocking public S3 access or patching a vulnerable workload, and send a summary from MikaAI of the remediation to cloud security in Slack.
Route lower-confidence remediation verdicts from the Green Agent to a developer in Slack for approval, for example confirming a code change to a production workload before triggering remediation.
This creates a flexible model where AI acts as a force multiplier, accelerating execution and pushing teams toward greater autonomy where it makes sense. Agents in Workflows help make operational processes more efficient, and elevate teams’ roles away from manual work and toward defining processes, overseeing execution, and evaluating key decision points. Learn more about Workflows in this blog.
See Them in Action: From Zero-Day to Zero Critical
🔴 Red Agent — Finds the Risk
In this case, the Red Agent proactively discovers an authentication bypass in an externally exposed AI chatbot. By reasoning through the application's logic, it identifies an unauthorized access vulnerability that lets it send natural language prompts to the chatbot and exfiltrate sensitive backend data, including PII and financial data. Red Agent validates the exploitability and provides concrete proof and reasoning, demonstrating a real, critical risk requiring immediate attention.
🟢 Green Agent — Drives the Fix
Once the risk is identified, the Green Agent investigates it in context — tracing the issue back to its root cause and identifying the most efficient fix from remediation history.
It maps ownership to the right developer and generates clear, environment-specific remediation steps, ensuring the fix is both actionable and durable.
⚙️ Agent-Led Workflows — Orchestrate the Response
Simultaneously, agents in Workflows determine how the organization responds.
For high-confidence risks, remediation can be triggered automatically, such as restricting public access to a virtual machine. In other cases, the Workflow can route through a human approval step, providing full context and a clear recommendation before taking an action like triggering remediation or creating a Jira ticket with context for a developer.
This allows teams to scale responses while retaining oversight and control.
🔵 Blue Agent — Detects and Investigates
In parallel, the Blue Agent detects suspicious activity on the host container supporting the chatbot and investigates it in real time.
It correlates signals across runtime, identity, and cloud telemetry to map the full path of the activity, understand its impact, and determine whether it represents active exploitation.
This ensures teams aren’t just fixing a vulnerability, but fully understanding the threat in context.
Summary
What would traditionally require multiple tools, manual investigation, and hours of effort becomes a coordinated sequence — from discovery to remediation to continuous validation.
Each step builds on the last, removing the bottlenecks that slow security teams down.
Built on Context, Designed for Action
Effective security decisions require context.
Understanding whether something is truly risky depends on how identities, workloads, applications, and data are connected — not just on isolated signals.
Wiz Agents are grounded in the Wiz Security Graph, giving them the ability to reason across the full environment. This allows them to move beyond summarizing findings and instead validate risk, understand impact, and drive precise remediation.
This combination — deep context with action-oriented execution — is what enables agents to reduce noise, prioritize what matters, and eliminate the bottlenecks that slow teams down.
Security Built on Trust
For autonomous systems to be adopted, they must be trusted.
Wiz Agents are designed with that in mind:
Transparent — every action is backed by visible evidence
Explainable — decisions are clearly reasoned and easy to understand
Actionable — outputs are designed to drive real outcomes
Combined with human-in-the-loop workflows, this ensures teams can adopt AI at their own pace — with confidence in every step.
The Future: From Bottlenecks to Velocity
Security teams have always been constrained by time.
Too many alerts, too much manual work, and not enough capacity to act.
Wiz Agents and Workflows change that.
By removing investigation bottlenecks and accelerating remediation, they allow teams to shift from reacting to risk — to staying ahead of it.
This shift isn’t just about speed — it’s about measurable impact.
Organizations see faster investigation and remediation cycles, reduced manual effort across teams, consolidation of fragmented tools, and a clearer focus on the risks that actually matter. In some cases, teams report cutting MTTR by an order of magnitude — moving from hours to minutes.
The result is a more efficient operating model — where security scales with the business, not against it.
Our north star is simple:
Investigate and remediate every validated risk at the speed of AI.