Introducing Wiz ASM: Context-Driven Attack Surface Management

Wiz launches Attack Surface Scanner to bring context, ownership, and prioritization to every exposure, anywhere.

Modern environments span cloud, AI, on-premises, SaaS, APIs, and more - each introduces potential exposures that make the attack surface wider, more dynamic, and harder to manage. Many organizations lack a unified view across all of these environments, making it challenging to manage exposures consistently and understand context around risk.

In addition, attack surface management in the era of cloud and AI isn’t just about monitoring known DNS records anymore. The Wiz Research Team found that 39% of cloud environments had at least one significant exploitable risk in the past 6 months, putting them at imminent danger of being exploited by threat actors.

In the cloud, many internet-facing resources receive dynamic addresses assigned by the cloud provider. Unless these are explicitly tied to known DNS entries, traditional approaches to external scanning won’t catch them, and they remain as shadow cloud assets and blind spots. This type of internet scanning (contextless scanning) lacks environment visibility, creates blind spots, and provides only a partial view, with limited context on the true impact of the exposure on your business.

This leaves security teams struggling to answer:

1. What's publicly exposed across my entire environment? Common cloud resources, like storage buckets, receive public addresses such as https://name.s3.us-east-2.amazonaws.com. These addresses are not part of your organization’s known domain space, making it hard to monitor and manage the attack surface.

2. Which exposures actually matter? Not all internet-facing assets carry the same level of risk. For example, an exposed AI deployment in a test environment could be considered low priority, but if we know it is connected to sensitive production data, it becomes a critical risk. Lack of context results in a long list of risks with no prioritization.

3. Who owns this exposure and how do we fix it? Figuring out who’s responsible for an exposure in your environment can take days. Security teams lack the context to map risk to its root cause and the developer, which leaves critical exposures open and easily exploitable by attackers.

Wiz ASM: New attack surface scanner to prioritize the exposures that matter, everywhere 

Wiz is centered around the deep context delivered through the Wiz Security Graph, helping organizations truly prioritize risks in their environment. We are excited to extend the same approach to Attack Surface Management with Wiz ASM, launching a new type of Wiz scanner that helps teams effectively prioritize and remediate exposures across cloud, AI, on-premises, and SaaS environments with context.

The Wiz ASM Scanner takes a new approach to Attack Surface Management by leveraging context-based scanning. At the core of Wiz ASM is the Wiz Security Graph, which we use to discover all exposures, analyze their potential impact, and identify the right owners for remediation. This is done by combining external scanning with inside cloud visibility and context - correlating what’s externally exposed with what’s actually at risk inside the environment. Wiz gives teams a way to drive effective action, helping them prioritize and remediate critical exposure risks before they escalate to security incidents.

Wiz ASM enabled us to gain clear visibility into our external attack surface, mapping all exposed assets and highlighting those that could potentially affect our corporate reputation. With this context, we were able to prioritize exploitable risks and take timely action against emerging threats.

Asaf Feigenbaum, Director of Offensive Security Research

How does Wiz ASM Work?

Wiz Attack Surface Management (ASM) gives teams a clear, validated, and prioritized view of every external exposure across Cloud, AI, SaaS, and on-prem environments. It continuously discovers external-facing assets - domains, IP addresses, and API endpoints - detects exploitable risk, and enriches them with context to understand their impact and who should fix them, enabling teams to act on exploitable critical exposures fast.

Wiz ASM empowers teams to: 

  • Eliminate blind spots & discover exposures anywhere - Wiz’s ASM Scanner discovers exposures everywhere - cloud, AI, on-premises, and SaaS environments. Customers don’t need to configure anything: Wiz ASM leverages Security Graph context and our cloud network analysis from our agentless scanner to detect both known and shadow exposures automatically. Wiz ASM extends coverage to any environment by allowing customers to bring their own assets to be analyzed for exploitable risks.

  • Prioritize what’s truly exploitable, with context - Wiz ASM simulates an attacker’s perspective by exploiting vulnerabilities and misconfigurations as well as validating the exposure of sensitive data and secrets. Combined with internal context on the Wiz Security Graph, our ASM solution identifies attack paths and highlights exposures with true business impact, such as ones leading to sensitive data or privilege escalation, so you can prioritize the ones that matter.

  • Accelerate response with ownership and AI guidance - It’s not enough to detect a critical exposure if you don’t know how to fix it. Wiz ASM identifies the right owner including the infrastructure, application, and business unit, and even the developer who introduced the risk in code. It provides AI-powered remediation guidance, and integrates with tools so teams can use their existing workflows to resolve exposures faster and reduce MTTR.

The Wiz ASM Scanner has helped customers remediate and prevent hundreds of potential security incidents covering critical risks such as Remote Code Execution through default credentials on critical CI/CD systems, highly privileged cloud and AI keys that were publicly exposed in JavaScript files, and publicly facing buckets with proprietary AI training data.

Wiz and CTEM: Defining Continuous Exposure Management for the Cloud Era

We’re excited to take another major step toward our vision of continuous threat exposure management. With new ASM capabilities, Wiz transforms into a native cloud CTEM platform - unifying deep cloud and code context from Wiz Cloud and Wiz Code with new Wiz UVM capabilities and Sensor coverage that extends Wiz risk analysis to any environment. The launch of Wiz ASM adds the critical outside-in validation layer, helping teams identify which exposures are truly exploitable and understand their impact. Together, these capabilities connect discovery, validation, prioritization, and remediation across every environment, empowering organizations to continuously manage and reduce real risk - the foundation of an effective CTEM program.

Remove exploitable exposures now. Reduce your attack surface with Wiz ASM 

By connecting external visibility with deep internal context, Wiz ASM transforms Attack Surface Management into a clear and actionable risk solution. Ready to take control of your external attack surface? Wiz customers can start using the new capabilities by opting in via the Preview & Migration Hub. Learn more in the Wiz Docs (login required) or book a live demo.
