§ Trackr.Live

Wiz

The first thing to get straight about Wiz in 2026 is who owns it. As of March 11, 2026, Wiz is a Google Cloud company. Google (Alphabet) closed its roughly $32 billion all-cash acquisition that day, almost exactly a year after announcing it, and it is the largest acquisition in Google’s history by a wide margin. The deal ran the full regulatory gauntlet first: U.S. clearance landed in November 2025, the EU Commission signed off in February 2026, with separate approvals across Australia, Israel, and a handful of other jurisdictions. So if your reference material still says “Google’s pending acquisition of Wiz,” it’s stale. It’s done.

That ownership change is not trivia for a federal audience. It’s the load-bearing fact. You are now evaluating a multi-cloud scanner owned by one of the three hyperscalers it scans. Google has said publicly that Wiz keeps its brand and keeps supporting AWS, Azure, and Oracle Cloud alongside GCP. Worth being precise here: that’s a stated commercial intent, not a binding regulatory condition. The EU cleared the deal unconditionally, with no remedies attached. Its reasoning was that AWS and Azure already put strong competitive pressure on Google Cloud and that credible alternatives to Wiz exist for customers to switch to if cross-cloud support ever degrades. So the multi-cloud story rests on market competition, not on anything a regulator can enforce. As of the close that support holds. Whether it holds in three years is the part nobody can sign for, and I’ll come back to it.

[Image: an abstract cloud security graph, with nodes for resources, identities, and data linked by edges, and a single attack path lighting up from an exposed node through to a sensitive data store.]

What it actually is

Wiz is an agentless cloud-native application protection platform. CNAPP, if you want the analyst-bucket term. The short version: it connects to your cloud accounts through a read-only role, scans the control plane and the workloads via cloud APIs and snapshots, and builds everything it finds into one graph. Resources, identities, network paths, vulnerabilities, secrets, exposed data. The graph is the product. Individual findings are cheap; what Wiz sells is correlation, the ability to say “this internet-facing container has a critical CVE, runs as an identity with admin on the account, and that account can reach a bucket holding PII” as a single connected path rather than four disconnected alerts in four different consoles.

Wiz calls those paths attack paths, and the marketing word for the dangerous ones is “toxic combinations.” Strip the branding and it’s reachability analysis over a normalized cloud inventory. It works because a misconfiguration that’s harmless in isolation (a public subnet) becomes a finding the moment the graph shows what’s reachable through it. That framing is genuinely useful for prioritization, and it’s the reason Wiz ate so much of this market before Google bought them.
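The reachability idea described above, as an added example (not Wiz code, and not how Wiz implements its graph): a breadth-first search over a small constructed inventory, where every node name, attribute, and edge type is hypothetical.

```python
from collections import deque

# Constructed inventory: node -> attributes. All names are hypothetical.
NODES = {
    "internet":      {"kind": "source"},
    "web-container": {"kind": "workload", "public": True, "critical_cve": True},
    "batch-vm":      {"kind": "workload", "public": False, "critical_cve": True},
    "role-admin":    {"kind": "identity", "admin": True},
    "role-readonly": {"kind": "identity", "admin": False},
    "pii-bucket":    {"kind": "data", "sensitive": True},
    "logs-bucket":   {"kind": "data", "sensitive": False},
}
EDGES = [  # directed: (from, to, relationship)
    ("internet", "web-container", "exposes"),
    ("web-container", "role-admin", "runs_as"),
    ("batch-vm", "role-readonly", "runs_as"),
    ("role-admin", "pii-bucket", "can_read"),
    ("role-readonly", "logs-bucket", "can_read"),
]

def attack_paths(nodes, edges, source="internet"):
    """BFS from the source; return the shortest path to each sensitive data node."""
    adj = {}
    for src, dst, _rel in edges:
        adj.setdefault(src, []).append(dst)
    parent = {source: None}
    queue = deque([source])
    while queue:
        cur = queue.popleft()
        for nxt in adj.get(cur, []):
            if nxt not in parent:
                parent[nxt] = cur
                queue.append(nxt)
    paths = {}
    for name, attrs in nodes.items():
        if attrs.get("sensitive") and name in parent:
            path, n = [], name
            while n is not None:  # walk parents back to the source
                path.append(n)
                n = parent[n]
            paths[name] = path[::-1]
    return paths

def prioritize(nodes, edges):
    """Split critical-CVE workloads into on-path (urgent) and isolated."""
    on_path = {n for p in attack_paths(nodes, edges).values() for n in p}
    vulnerable = [n for n, a in nodes.items() if a.get("critical_cve")]
    urgent = [n for n in vulnerable if n in on_path]
    return urgent, [n for n in vulnerable if n not in on_path]
```

Both workloads carry the same critical CVE, but only the one sitting on a path from the internet to sensitive data lands in the urgent list.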

The agentless part is the deployment story, and it’s the thing to understand plainly because it changes both how you stand it up and how it shows up in your RA-5 evidence. No per-host agent fleet. You grant a connector role per cloud account or subscription, Wiz enumerates and scans, and you’re collecting findings across hundreds of accounts in an afternoon instead of chasing agent rollout across a fleet that never quite hits 100% coverage. The honest asterisk: agentless means snapshot-and-API visibility, not live in-host runtime. For runtime you add the Wiz Runtime Sensor, an eBPF sensor that is the one optional agent in an otherwise agentless pitch. Worth saying out loud, because “agentless” gets oversold and the sensor is where the deep runtime detection actually lives.

The three modules

Post-acquisition the platform is still organized as three modules over the Wiz Security Graph. Naming has held through the close, though Google rebrands are always a question on the next release.

| Module | What it does | Federal control families it feeds |
| --- | --- | --- |
| Wiz Cloud | Agentless CSPM, CWPP, CIEM, and DSPM across cloud infra. Posture, vuln scanning, identity risk, data exposure, all in the graph. | RA-5, CM-6, SI-2, CA-7 |
| Wiz Code | Shift-left ASPM. Scans IaC, container images, OSS dependencies, and secrets in CI/CD and the IDE, and traces a live cloud risk back to the line of code that introduced it. | SA-11, SA-15, SR |
| Wiz Defend | Runtime threat detection. eBPF sensor, malware / lateral-movement / cryptojacking detection, enriched with graph context so the SOC gets blast radius and owner, not just an alert. | SI-4, IR-4 |

There’s also Wiz Go, the all-in-one SMB bundle, which is not what a federal ISSO is buying but exists if someone asks. The thing tying all three together is the graph, and the reason the modules are worth more bought together than apart is that Code can point at the exact commit behind a Cloud finding, and Defend can tell you that the attack path Cloud flagged as theoretical is being walked right now.

Where it sits in federal

Wiz for Government is FedRAMP High authorized. That uplift was announced September 26, 2025, roughly a year after the initial FedRAMP Moderate authorization in August 2024. It’s built on AWS GovCloud (US), and DSPM and CI/CD pipeline security were folded into the federal boundary during the High uplift rather than being commercial-only carve-outs. Wiz markets it against FISMA, FedRAMP, CMMC, and ITAR obligations.

On DoD: I did not find any published DoD Impact Level authorization (IL4/IL5/IL6) or DoD APL listing for Wiz as of writing. FedRAMP High on AWS GovCloud is what’s authorized. If your boundary needs an IL, don’t assume FedRAMP High carries you there, and don’t let a vendor SE imply it does. Re-verify this if your acquisition timeline is far enough out that it could have moved.

RA-5 is the spine of the control story. Wiz’s continuous agentless vulnerability scanning and posture monitoring is, in practice, what an assessor will look at when you claim automated vuln identification across your cloud footprint. It pairs naturally with SI-2 for flaw remediation tracking, CM-6 for the misconfiguration-against-benchmark side, and CA-7 for the always-on continuous-monitoring posture (the graph is, by design, never not running). On the build side, Wiz Code maps to SA-11 and SA-15 for developer and process testing, and the OSS-dependency and container-provenance work touches SR. Don’t stretch it into AC or the CA assessment machinery itself; the ties above are the defensible ones.

Deeper: agentless scanning changes your RA-5 evidence, not just your deployment. With agent-based vuln scanning you produce a per-host scan record, the artifact assessors are used to seeing. Wiz produces a graph-derived finding set built from API snapshots, which is broader (it sees the misconfigured-but-unscanned ephemeral container that a once-a-week agent scan misses entirely) but shaped differently. An assessor expecting Nessus-style per-host output may push back on “the graph says so.” The fix is showing the scan cadence, the account coverage, and the snapshot freshness, not a host list. And for true in-host runtime evidence you’re back to the Wiz Runtime Sensor, because the agentless layer doesn’t give you what a host-resident agent gives you. Agentless buys coverage and speed; it does not buy depth-on-host for free.
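One way to turn "cadence, coverage, freshness" into an evidence summary, as an added example that is not part of the original article: the account IDs, the record layout, and the 48-hour freshness threshold are constructed assumptions, not a Wiz export schema.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data; account ids and field layout are hypothetical,
# not a Wiz export schema.
ORG_ACCOUNTS = ["111111111111", "222222222222", "333333333333"]
SCANS = [  # (account_id, snapshot completed at, UTC)
    ("111111111111", "2026-03-01T02:00:00+00:00"),
    ("111111111111", "2026-03-02T02:00:00+00:00"),
    ("111111111111", "2026-03-03T02:00:00+00:00"),
    ("222222222222", "2026-02-20T02:00:00+00:00"),
    ("222222222222", "2026-02-27T02:00:00+00:00"),
]
AS_OF = datetime(2026, 3, 3, 12, 0, tzinfo=timezone.utc)  # fixed for reproducibility

def ra5_evidence(accounts, scans, as_of, max_age=timedelta(hours=48)):
    """Summarize account coverage, snapshot freshness and scan cadence."""
    by_account = {}
    for account, ts in scans:
        by_account.setdefault(account, []).append(datetime.fromisoformat(ts))
    # Coverage: accounts in the org inventory with no scan record at all.
    uncovered = [a for a in accounts if a not in by_account]
    stale, worst_gap = [], {}
    for account, times in by_account.items():
        times.sort()
        # Freshness: age of the most recent snapshot at report time.
        if as_of - times[-1] > max_age:
            stale.append(account)
        # Cadence: longest interval between consecutive snapshots.
        gaps = [b - a for a, b in zip(times, times[1:])]
        worst_gap[account] = max(gaps) if gaps else None
    return {
        "coverage": (len(accounts) - len(uncovered)) / len(accounts),
        "uncovered": uncovered,
        "stale": sorted(stale),
        "worst_gap_hours": {
            a: g.total_seconds() / 3600 if g is not None else None
            for a, g in worst_gap.items()
        },
    }
```

With the sample data, one account has no scan record, one has a last snapshot older than the threshold, and the per-account worst gap shows a daily versus a weekly cadence.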

What people actually complain about

Pricing, first and loudest. Wiz is expensive, billed roughly on resource count, and it produces sticker shock at scale. A few hundred accounts with heavy workload counts add up fast, and the number on renewal is rarely the number from the first quote.

The eMASS problem is the federal-specific one. There is no native eMASS connector. Findings get exported and transformed before they reach a POA&M, which means somebody owns a pipeline (or a spreadsheet) between Wiz and your authorization record, and that seam is exactly where findings go to die. Wiz integrates cleanly enough with SIEM/SOAR, Jira, and ServiceNow, and the CI/CD plugins for Code are fine. eMASS is the gap, and it’s been the gap since the federal offering launched.

Beyond cost and eMASS: attack-path output still needs tuning, or your “critical” list is noise by week two. The GovCloud tenant lags the commercial one on the newest features, which is normal for GovCloud-hosted products but bites when a capability you saw demoed isn’t in your boundary yet. And the agentless runtime gap is real if you skip the sensor.

Here’s the flag I’ll plant. A Google-owned multi-cloud CNAPP is a strategic bet most federal multi-cloud shops have not actually priced. Today Wiz scans your AWS and Azure as well as it ever did, and Google has every regulatory and commercial reason to keep it that way. But you are now depending on Google Cloud to invest, at parity, in scanning its two largest competitors’ clouds, indefinitely, for your benefit. Maybe they will. Don’t lean on the EU clearance as a guarantee, though: it was unconditional, with no enforceable multi-cloud remedy attached. The regulator’s bet was that competition keeps Google honest, which is a market argument, not a contract you can hold them to. I wouldn’t build a five-year multi-cloud authorization strategy on the assumption that AWS and Azure coverage stays a first-class Google priority without writing the contingency down somewhere. Name the lock-in question in your acquisition package now, while it’s cheap to ask.

For an AWS-heavy or Azure-heavy federal shop, Wiz remains one of the strongest agentless posture-and-vuln plays on the market. Just go in with the ownership reality on the table, not in the footnotes.
