Introducing Penetration Test Findings: Unified Offensive Security in Wiz

Streamline pen-testing by unifying findings from bug bounties, manual audits, and Wiz Red Agent into a single, context-rich view.

The goal of any offensive security team is to find the "open doors" before an attacker does. However, in most organizations, the results of these efforts are scattered across a fragmented landscape: you might be using a bug bounty program like HackerOne, a collection of reports from third-party pen-testers, and internal spreadsheets from manual red-team exercises.

This fragmentation creates a visibility gap, and when findings live in silos, it is challenging to track remediation progress, prioritize based on actual cloud impact, or report on all findings to stakeholders. This results in manual overhead and time wasted reviewing multiple reports and manually mapping results to environment context to identify the right owners.

To solve this, we are excited to introduce Penetration Test Findings in Wiz (now in Public Preview). We are giving offensive security teams a single, unified home for all pen-test results, regardless of their source, enriched with the power of the Wiz Security Graph.

A unified place for all your pen-test findings

The new Penetration Test Findings page in Wiz acts as your offensive security one-stop shop. It is purpose-built for offensive security teams and designed to centralize and enrich findings from across the entire security ecosystem. Teams get one table, covering every source:

  1. Bug Bounty Programs: Seamlessly integrate with Bug Bounty programs to pull in external bug-bounty findings. Wiz provides out-of-the-box integration with HackerOne.

  2. External audits: Upload and parse manual reports from third-party pen-testers. Wiz acts as the central collaboration hub between your internal hunters and external testers.

  3. Internal pen-tests: Your offensive security team can track their findings within Wiz and benefit from the Security Graph mapping to better prioritize.

  4. AI assessment: If your team leverages AI analysis like Mythos for automated exploitation, you can ingest those findings into Wiz. With the new Claude Skill, you can upload your AI-generated pen-test report directly from Claude and Wiz will create pen-test findings based on the AI-generated report.

Built for Offensive Teams

The new pen-test findings page is purpose-built to support offensive security teams’ workflows and help them accelerate existing processes:

  • Rich metadata: Pen-test findings are enriched with specific metadata crucial for red teams’ operations, such as the reporter information, severity, steps to reproduce the findings, and related attachments.

  • Unified reporting: Generate a single, comprehensive report across all sources to give leadership and auditors a clear state of your environment.

  • Ownership mapping: For any resource already scanned by Wiz, we automatically map the finding to the underlying infrastructure and its owner, so you can accelerate remediation.

  • AI-triage: Use Mika AI to triage pen-test findings and identify and remove duplicate findings across external tools and Wiz.

  • Prioritize with context: The pen-test findings are mapped directly to your cloud resources on the Security Graph, giving you cloud context needed for prioritization alongside your other Wiz findings including data, permissions, network exposure, secrets, and more.

  • Track remediation SLAs: Monitor the status of every pen-test finding regardless of its source in a centralized place, and create posture policies to establish pen-test findings remediation SLAs.

  • AI-powered remediation agent: Leverage the Green Agent for remediation guidance to identify the most efficient path to remediation, including code-to-cloud mapping and ownership suggestion to quickly address critical risk.

Contextualize your pen-testing findings

Centralizing findings in Wiz does more than just break down silos: it adds a layer of context that static reports simply can’t provide. When a test is performed on a resource that Wiz is already scanning, Wiz automatically enriches that finding on the Security Graph with context from Wiz’s native scanners. Instead of a standalone finding, you gain context including the screenshot of the exposed application, the network paths, the underlying infrastructure, associated security risks, and code-to-cloud mapping, all on the Security Graph.

By correlating these external findings with our native scanners, Wiz helps you answer the most critical questions:

  • Is this asset in production?

  • Does this finding create a lateral movement path to sensitive data in my environment?

  • Who is the actual owner responsible for fixing this?

  • How do I fix it at the source?

Close the door on attackers

By unifying offensive findings with cloud context, Wiz enables offensive security teams to move faster, eliminate manual toil, and, most importantly, close the doors on attackers before they can even reach for the handle. Ready to see your pen-test findings in context? Learn more in the Wiz Docs (login required) or reach out for a live demo.
