Introducing the Wiz Red Agent - AI-Powered Attacker

Red Agent is an AI-powered, context-aware attacker that uncovers complex exploitable risks across your entire attack surface, continuously and at scale.

Today, we are excited to launch the Wiz Red Agent, reimagining how organizations secure the modern attack surface. The Red Agent is our new AI-powered intelligent attacker that enables you to discover and fix complex logic-driven vulnerabilities in proprietary APIs and AI-generated code that were out of reach before the advancements in frontier AI models. It does so by leveraging AI-powered exploitation that reasons about application behavior, adapts its approach in real time, and validates exploitable risks across your web applications and APIs, empowering you to stay one step ahead of attackers.

In early testing with design partners, Red Agent has already identified critical vulnerabilities that remained undetected despite extensive manual research, penetration testing, and active bug bounty programs:

Red Agent finds what humans miss. It caught critical authorization flaws across services where traditional testing and our bug bounty program came up short. We had continuous AI-powered attack surface testing on our roadmap. Wiz got there first, and did it better than we would have.

Emil Vaagland, Head of Product Security, Vend

Was this discovered entirely by AI? So far, I've seen very mediocre reports from AI tools, so if this was an AI find, I'd be super impressed.

Private Bug Bounty Program Manager, HackerOne

Why we created the Red Agent

The attack surface has changed as organizations ship code faster than ever. Teams are building AI-generated apps and custom APIs at a pace that exceeds security reviews, often leaving them publicly exposed. Attackers are capitalizing on this speed, targeting logic flaws in custom applications that go far beyond known exploits.

These types of logic flaws are impossible to find with traditional scanning approaches, because those approaches typically rely on fixed patterns and signatures and therefore cannot reason about custom application logic. This has created a widening gap between what defenders can test and what attackers can find within the custom-built, rapidly deployed software in today’s external attack surface.

We built the Red Agent to close that gap - bringing what was only possible through manual security research into something that runs autonomously, continuously, and at scale with the power of AI.

Get to know the Red Agent: What makes it different

Now in Private Preview as part of Wiz Attack Surface Management (ASM), the Red Agent acts as an autonomous, world-class security researcher designed to uncover complex vulnerabilities. It does so by combining three unique advantages:

  • Deep Cloud context - The Red Agent's attack scope is built from assets discovered through agentless disk analysis, cloud configuration analysis, runtime data based on the Wiz Sensor, and exposed API specifications - covering services that belong to your organization that other tools don’t have visibility into. Being a part of the Wiz platform, it doesn’t just understand the application layer, but also the cloud infrastructure behind it - which services are internet-facing, what infra they run on, and how an API vulnerability connects to a broader lateral movement path in the cloud. This context allows you to truly understand impact and prioritize.

  • World-class attacker expertise - The Red Agent's reasoning engine was built by Wiz's Research team - security researchers with deep expertise in uncovering major vulnerabilities across AI systems, enterprise environments, critical infrastructure, and widely-used open source projects. That expertise is encoded directly into how the agent reasons about targets.

  • Adaptive, reasoning-based exploitation - Rather than using static lists to send predetermined payloads, the Red Agent analyzes API specifications to understand what each endpoint does, reasons about how it could be exploited, and dynamically adapts based on what it observes. It chains multi-step attack sequences the way a skilled pentester would - and when it finds something, it validates it with concrete proof.

How the Red Agent works

The Red Agent combines two new AI-powered components - an intelligent web crawler for discovery and an AI-powered attacker engine for exploitation. This is how the Red Agent uncovers exploitable risk:

  1. Discover: The Red Agent maps your full API attack surface by aggregating endpoints from Cloud APIs, Swagger and OpenAPI documentation, the Wiz Runtime Sensor, and its own AI-powered web crawler. The crawler analyzes client-side code to uncover shadow APIs, forgotten test services, and undocumented endpoints that aren't visible through traditional scanning.

  2. AI-powered exploitation: Red Agent performs safe, context-aware, and intelligent exploitation to uncover complex risks. For each targeted host, it analyzes API specifications to understand expected behavior and parameters, reasons about application logic to identify potential vulnerabilities, and dynamically adapts its attack patterns based on observed responses - chaining multi-step exploits to uncover complex risks that signature-based tools miss. This enables the Red Agent to find vulnerability classes that traditional scanners structurally cannot detect - from OWASP API Top 10 issues like broken authorization and improper authentication, to business logic flaws, injection vulnerabilities, and multi-step attack chains in custom and AI-generated applications.

  3. Prioritize: High and Critical Red Agent findings generate Wiz Issues whose impact is validated and whose risk is proven to be exploitable from the outside, so teams can prioritize them immediately. Findings are correlated with context from the Wiz Security Graph - connecting application-layer risks to cloud infrastructure, identity, data and lateral movement paths - to help you prioritize with context.

  4. Remediate: You can leverage the Green Agent to accelerate remediation: it helps you identify the right owner and provides remediation guidance so you can assign and fix fast. The Green Agent synthesizes context from across Wiz - including the Security Graph, code-to-cloud relationships, identity ownership, and historical remediation patterns - to identify the true root cause of a risk and the safest, most effective resolution.

Real World Impact

Over the past months, we ran the Red Agent against production environments that had already been battle-tested for years by security vendors, bug bounty programs, and penetration testing teams. Even with these defenses in place, Red Agent identified hundreds of critical, exploitable risks that had remained unseen. In this blog, we will cover one example of such real-world impact, and more deep dives will follow in an upcoming Red Agent blog series.

Red Agent's first 0-day discovery - Authentication bypass on a popular SaaS community platform

The Red Agent discovered an authentication bypass on a community platform configured to restrict all access to logged-in members only - uncovering access to thousands of member records, internal discussions, employee identities, and downloadable file attachments. Here's how it reasoned through the attack:

  • Leveraging the AI-powered web crawler, the Red Agent first crawled the application's public login page, and identified a significant amount of client-side code in public JavaScript files. It analyzed this logic to discover valuable API endpoints and gain significant application context.

  • It then probed internal headless API endpoints without credentials - receiving a 401 Unauthorized error indicating that a "Tenant ID" was required to authenticate.

  • The Red Agent then extracted a tenant UUID from the public login page HTML and identified a custom x-tn-id authentication header in the platform's client-side JavaScript.

  • It then tested using the leaked UUID as the x-tn-id header to bypass authentication on /api/internal/headless/members - and it worked, returning the full member list.

  • It then also confirmed that the bypass extended across additional endpoints, successfully querying for posts, comments, and file attachments which should have been gated.

  • Finally, it validated tenant isolation to determine if the exploit allowed for universal access, and assessed the full blast radius - confirming unauthorized access to thousands of member records with PII, internal discussions, employee identities, and the full customer base of the login-gated community.

This kind of attack chain is impossible to discover with traditional scanning - and would be easy to miss even for a world-class pentester. It requires probing internal nested APIs, extracting a credential from a separate page, connecting it to a custom authentication header, and assembling a full bypass from what was learned. The Red Agent did all of this in a single scan - and all it took was 5 minutes.
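The root cause in this chain is a public identifier being accepted as a credential. The following is an added example, not code from Wiz or from the affected platform: it contrasts a gate that trusts the x-tn-id header with one that requires a server-side session bound to that tenant, and audits a route table for endpoints that still answer a caller holding only public values. The tenant UUID, session store and the two extra route paths are constructed for illustration.

```python
# Constructed sample values. Only /api/internal/headless/members is named in
# the post; the other two paths are hypothetical stand-ins.
PUBLIC_TENANT_ID = "11111111-2222-4333-8444-555555555555"  # visible in login HTML
SESSIONS = {"constructed-session": {"member": "alice", "tenant": PUBLIC_TENANT_ID}}


def gate_vulnerable(headers, cookies):
    """The flaw as described: knowing the tenant ID counts as authentication."""
    return 200 if headers.get("x-tn-id") == PUBLIC_TENANT_ID else 401


def gate_hardened(headers, cookies):
    """Tenant ID only selects scope; identity comes from a server-side session."""
    session = SESSIONS.get(cookies.get("session", ""))
    if session is None:
        return 401  # caller has not proven who they are
    if headers.get("x-tn-id") != session["tenant"]:
        return 403  # authenticated, but asking for another tenant's data
    return 200


# A partially fixed service: one route hardened, two still on the old gate.
ROUTES = {
    "/api/internal/headless/members": gate_hardened,
    "/api/internal/headless/posts": gate_vulnerable,
    "/api/internal/headless/attachments": gate_vulnerable,
}


def audit_anonymous_access(routes):
    """Return routes that answer 200 to a caller holding only public values."""
    public_only = {"x-tn-id": PUBLIC_TENANT_ID}
    return sorted(path for path, gate in routes.items()
                  if gate(public_only, {}) == 200)


if __name__ == "__main__":
    print(audit_anonymous_access(ROUTES))
```

Running the audit against every gated route, rather than only the one first reported, matters here because the post notes the bypass extended across additional endpoints.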

Another example: authentication bypass and full database exfiltration via an AI chatbot

Here, the Red Agent discovered a critical multi-step attack chain on a vibe-coded, public-facing AI chatbot that was never intended to be exposed:

  • Authentication Bypass: The agent identified that the server accepted dummy "Bearer" tokens without validation, granting it access to the chatbot’s internal tools.

  • Schema Mapping: Using the chatbot’s own messaging tool, the agent prompted the AI to enumerate database tables and extract sensitive data - proving the complete trust boundary was based on an authentication flow that was inherently misconfigured.

  • Full Exfiltration: The Red Agent successfully extracted live PII (names, addresses) and proprietary sensitive company information by simply asking the AI to retrieve them.
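The first step of this chain is a server that accepts any Bearer string. The following is an added example, not code from Wiz or from the affected chatbot: it contrasts a presence-only check with verification of a signed, expiring token, and gates each chatbot tool on the verified claims. The token format, signing key and tool names are constructed assumptions.

```python
import base64, hashlib, hmac, json, time

SIGNING_KEY = b"constructed-demo-key"  # assumption: loaded from a secret store


def _sign(body):
    return hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()


def issue_token(subject, tools, ttl=300, now=None):
    """Constructed token format: base64url(JSON claims) + '.' + base64url(HMAC)."""
    now = time.time() if now is None else now
    body = json.dumps({"sub": subject, "tools": tools, "exp": now + ttl}).encode()
    enc = base64.urlsafe_b64encode
    return (enc(body) + b"." + enc(_sign(body))).decode()


def accepts_vulnerable(authorization):
    """The flaw as described: any string after 'Bearer ' is accepted."""
    return authorization.startswith("Bearer ")


def verify_bearer(authorization, now=None):
    """Return the claims of a correctly signed, unexpired token, else None."""
    scheme, _, token = authorization.partition(" ")
    if scheme != "Bearer" or token.count(".") != 1:
        return None
    try:
        body, sig = (base64.urlsafe_b64decode(p) for p in token.split("."))
    except ValueError:  # malformed base64, e.g. a dummy placeholder token
        return None
    if not hmac.compare_digest(sig, _sign(body)):
        return None  # forged or tampered claims
    claims = json.loads(body)
    now = time.time() if now is None else now
    return claims if claims["exp"] > now else None


def call_tool(authorization, tool, now=None):
    """Gate each chatbot tool on verified claims, not on header presence."""
    claims = verify_bearer(authorization, now)
    if claims is None:
        return 401
    if tool not in claims["tools"]:
        return 403  # valid caller, but this tool was never granted
    return 200
```

Scoping tools per token also limits the later steps of the chain: a caller granted only the messaging tool cannot reach a database-facing tool even with a valid token.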

The Red Agent doesn't just find isolated vulnerabilities - it understands how they correlate to your environment context on the Wiz Security Graph. This context includes the internet-facing application endpoint, underlying EC2 instance, IAM role, and the RDS PostgreSQL database with the sensitive data. This gives you the full picture of the blast radius - from initial entry point to the data that's actually at risk - enabling you to truly prioritize based on the impact to your business.

Looking ahead: The role of AI-powered attacker in modern Attack Surface Management

The Red Agent extends Wiz ASM from scanning for known exploits such as CVEs, public exploits, and common misconfigurations to discovering vulnerabilities no public exploit or static signature will be able to find - authentication bypasses, business logic flaws, prompt injection, and multi-step attack chains in custom applications and APIs.

Together, ASM and the Red Agent provide complete attack surface risk assessment, from known exploits to unknown logic flaws. Looking ahead, APIs are the first step for the Red Agent, and we are actively working on extending the Red Agent to use cases we never thought could be fully automated and cover every dimension of the attack surface. 

Get started now

Attackers have always had the advantage of creativity and persistence. With the Red Agent, defenders get both - continuously, across their entire attack surface, fueled by proprietary context. Get started now with the Red Agent. It is available now in private preview as part of Wiz Attack Surface Management. Interested in seeing the Red Agent in action? Book a live demo with our team.
