How Cohere Cut Security Triage from 2 Hours to 20 Seconds with Wiz

By connecting Wiz to their enterprise AI agent platform via a custom MCP server, Cohere automated first-pass triage and reduced critical attack path analysis from hours to seconds, allowing their security logic to scale seamlessly without human overhead.

Cohere

Industry: Technology

Region: North America

Wiz product: Wiz Cloud

Use cases: MCP, AI-SPM

Cloud platforms: GCP

Challenge

  • Expanded risk landscape due to building agentic AI applications; manual triage of high-fidelity risk signals couldn’t keep pace with a rapidly growing cloud footprint.

  • Each critical finding consumed 30 minutes to 2 hours of manual investigation and reporting. 

  • Headcount alone couldn’t solve a scaling problem that only got bigger every quarter. 

Solution

Cohere connected Wiz to North, their enterprise AI agent platform, via a custom MCP server. 

They automated first-pass triage so analysts start every shift with reports already built and tickets already filed.

  • Reduced attack path analysis time from up to 120 minutes to 20 seconds

  • ~145 SecOps hours per week eliminated for first-pass triage

  • 24/7 triage logic without human fatigue or overhead

Cohere reduced Toxic Combination Blast Radius analysis from a full morning of senior analyst time to 20 seconds. Cohere builds cutting-edge enterprise LLMs and agentic systems that power some of the most demanding production environments in the world, so when their own cloud footprint started scaling just as fast, their security team felt it immediately. With a global presence and rapid growth, Cohere faced a problem familiar to any high-velocity engineering org: Wiz was surfacing high-fidelity alerts faster than analysts could manually triage them. A single critical finding could consume two hours of investigation, report writing, and ticket tracking. That work was mechanical, repetitive, and completely unsustainable at scale.

What made it more interesting is how they solved it. Cohere runs their own security operations on North, the same enterprise AI agent platform they sell to customers. That means every efficiency gain they unlock is also a proof point for what North can do in production.

The Challenge: High Signal, Manual Bottlenecks

“Wiz is excellent at surfacing the toxic combinations of risk factors that create critical attack paths—such as an internet-facing VM with a critical vulnerability and high-privilege IAM access,” said Bolaji Agunbiade, Senior Security Engineer at Cohere.

But even when every alert is high-fidelity, acting on it still requires a human touch. For a single critical finding, an analyst had to: 

  • Manually investigate the affected asset and context.

  • Search for existing tracking tickets.

  • Draft an Incident Response report.

  • Update Wiz before notifying stakeholders.

That process sometimes took 30 minutes to 2 hours per finding, with no way to speed it up without adding headcount. For a team trying to stay ahead of a cloud environment that is continuously growing, the pace was simply too slow. 

Context on MCP and North

MCP (Model Context Protocol) is an open standard for how AI agents talk to external systems, kind of like a USB-C port for LLMs.

North is Cohere’s enterprise agent platform that allows any custom tooling they build to plug into any North agent or scheduled automation without changing North itself. That way they could build the Wiz integration only once and expose it to every workflow that needs it. 

The Solution: A Security Agent that Reads and Writes

The key distinction from most integrations is that the MCP platform doesn’t just pull data from Wiz; it also writes back to it. That two-way connection is what makes full automation possible.

Key Capabilities of the Wiz MCP Server:

  • Lists open issues with severity, status, and type filters

  • Pulls full asset context for a specific issue

  • Identifies multi-factor attack paths

  • Closes the loop by changing status and adding investigation notes

  • Creates a metrics snapshot for weekly briefs

  • Provides framework compliance scores

Most security integrations let agents read from the security tool. Ours lets the agent write back [to Wiz].

Bolaji Agunbiade, Senior Security Engineer, Cohere

Three Ways Cohere Automates with Wiz

1. Toxic Combination Blast Radius Analysis

Analysts use North to analyze all critical Toxic Combinations in Wiz. The AI reasons through the attack chain, weighing internet exposure and privilege levels to rank findings by actual blast radius. What used to take a senior analyst a full morning now runs in 20 seconds.

2. End-to-End Incident Response

With a single prompt, a North agent can investigate a critical Wiz issue, check for duplicate tickets in Linear, create a new ticket if needed, and mark the issue as IN_PROGRESS in the Wiz dashboard with a summary note attached. This time-to-action dropped from 2 hours to 20 seconds. 
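The flow described above, sketched as an added example (not Cohere's or Wiz's code): `Issue`, `Tracker`, `triage` and the `SEC-n` ticket ids are hypothetical in-memory stand-ins for the Wiz and Linear tools, and limiting the agent's write-back to the single `IN_PROGRESS` status is an assumption. It shows the duplicate check and the write-back staying idempotent when the same finding is triaged twice.

```python
# Added illustration: in-memory stand-ins, not the Wiz or Linear APIs.
from dataclasses import dataclass, field

@dataclass
class Issue:
    id: str
    severity: str
    status: str = "OPEN"
    notes: list = field(default_factory=list)

@dataclass
class Tracker:
    """Hypothetical stand-in for the ticket system (Linear on the page)."""
    tickets: dict = field(default_factory=dict)  # ticket id -> issue id

    def find(self, issue_id):
        return next((t for t, i in self.tickets.items() if i == issue_id), None)

    def create(self, issue_id):
        ticket_id = f"SEC-{len(self.tickets) + 1}"
        self.tickets[ticket_id] = issue_id
        return ticket_id

AGENT_WRITABLE_STATUS = "IN_PROGRESS"  # assumption: the only status the agent may set

def triage(issue, tracker, summary):
    """First-pass triage: dedupe the ticket, then write back to the issue."""
    if issue.severity != "CRITICAL":
        return {"issue": issue.id, "action": "skipped", "ticket": None}
    ticket = tracker.find(issue.id)
    action = "linked_existing"
    if ticket is None:
        ticket = tracker.create(issue.id)
        action = "created"
    if issue.status == "OPEN":  # write back once; re-runs must not stack notes
        issue.status = AGENT_WRITABLE_STATUS
        issue.notes.append(f"[agent] {summary} (ticket {ticket})")
    return {"issue": issue.id, "action": action, "ticket": ticket}

def demo():
    # Constructed sample data, not real findings.
    tracker = Tracker()
    crit = Issue("issue-001", "CRITICAL")
    first = triage(crit, tracker, "Internet-facing VM, critical vuln, high-privilege IAM")
    second = triage(crit, tracker, "re-run")
    skipped = triage(Issue("issue-002", "LOW"), tracker, "n/a")
    return first, second, skipped, crit, tracker

if __name__ == "__main__": print(demo()[:3])
```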

3. Autonomous Weekly Posture Briefs

Every Monday at 3 AM, a scheduled workflow calls Wiz to pull aggregated metrics, active toxic combinations, and CISA KEV vulnerabilities. It generates an executive summary and a prioritized "fix list" for the week, which lands in the team's inbox before they even start their day.

Operational Impact

By leveraging Wiz as the foundational data source for their security team’s AI agents, Cohere has eliminated the first-pass triage loop.

  • Consistent Triage: The AI agent applies the same logic consistently at 2 AM as it does at 2 PM, without context-switching fatigue.

  • Faster Human Touch: Analysts no longer start with a raw alert; they start with a populated IR report and a tracked ticket, allowing them to focus on remediation and escalation.

  • Total Visibility: The automated briefs ensure the team always knows their security posture without manual reporting overhead.

  • ~145 SecOps hours/week of first-pass triage eliminated.

Cohere’s success demonstrates how the combination of Wiz’s deep cloud visibility and AI-driven automation can turn a growing mountain of security data into a streamlined, actionable response pipeline.
