Dazz Unified Remediation Platform

I have been using Wiz Code for the past one and a half years.

The main use case for Wiz Code is to write the security guardrails for our environment. For example, I need to write infrastructure guardrails such as S3 buckets must not be public, security groups must not allow 0.0.0.0 on SSH port 22, and RDS databases must have encryption enabled. These are examples for which we use Wiz Code to write these guardrails.

We also use Wiz Code to write Identity and Access Management guardrails such as detecting overly permissive permissions. For instance, no IAM policy should contain action star, and no role should have administrator access unless approved. Cross-account trust relationships must be justified.

Some of the best features Wiz Code offers is code-to-cloud mapping. Most tools will tell us that you have a vulnerable package, but Wiz tells us this vulnerable package is running in a production workload that is internet-facing and has access to sensitive data. This context dramatically improves the prioritization because I can focus on exploitable risk instead of thousands of theoretical findings. For AWS environments, this is extremely useful. Wiz Code can scan Terraform, CloudFormation, Kubernetes manifests, and can catch issues before deployment such as public S3 buckets, unencrypted databases, overly permissive security groups, containers running as root, and hardcoded secrets. This is where I can codify architecture standards into enforceable controls. The ability to define guardrails and fail builds is a major strength.

One of the best features I have been using day to day, which is the lowest effort win, is finding AWS keys, tokens, passwords, and certificates before they hit GitHub or production, which prevents many incidents. There is a unique capability in Wiz Code that instead of viewing cloud findings, vulnerability findings, IAM findings, and code findings in separate tools, Wiz Code correlates them through its security graph, allowing us to trace an issue from code all the way to the business impact. This is where I think Wiz Code is the strongest.

Wiz Code provides a unified developer experience where developers can see findings in IDEs, pull requests in GitHub, and in CI/CD pipelines, which reduces the back-and-forth effort. Wiz Code has impacted the organization positively by providing these features, the ease of work, and all these security graph correlation, unified developer experience, secrets detection, and security policies that block bad deployments. With all these, it has actually helped us prevent a lot of vulnerabilities in the environment, which has had a positive impact on the organization. The incident count has reduced almost 35 to 40 percent with the Wiz Code guardrails that we have been using for a long time now.

First, Wiz Code's areas of improvement can be better architecture-aware analysis. Today, most findings are resource-centric; for example, a security group is public, an IAM role is over-permissive, or an S3 bucket is exposed. What architects want is for Wiz Code to understand that this design violates the organization's reference architecture and to identify deviations from approved patterns such as hub-and-spoke networking and shared services. It would be beneficial to move from configuration review to architecture review.

Another improvement area is that many organizations struggle to translate security standards into policies, so Wiz Code could generate and validate the policy automatically. That would actually benefit the organization in faster guardrail creation and maintenance. Imagine uploading Terraform architecture diagrams and design documents and asking Wiz Code to review this architecture against enterprise security standards; the output could include risks, missing controls, compensating controls, and recommended guardrails, bridging architecture governance and automated security. This point needs to be worked on and improved by Wiz Code.

From Wiz Code's AI capabilities, I would say Wiz Code has been investing heavily in AI-driven workflows, security agents, remediation, guidance, and AI-powered investigation. I appreciate that AI recommendations are grounded in actual cloud context, and they can trace risk from code to cloud to resource to exposure. There are areas of improvement; more architecture-level reasoning is required, better explanations of why a design violates the enterprise standards, and more what-if analysis before deployment. Governance is the area where Wiz Code actually shines; for large enterprises, governance is not just finding vulnerabilities; it includes ownership, accountability, exceptions, policies, risk acceptance, and auditability. For a financial bank, the most valuable governance capabilities are mapping risk to business owners, consistent guardrails across cloud accounts, evidence for auditors, policy-driven enforcement, and risk prioritization based on context. Security is, again, Wiz Code's strongest area.

I rate the accuracy and reliability as good, but not yet at a level where I trust it without validation. It does well with security explanations; the AI is quite good at explaining why a finding matters, potential attack paths, impact to cloud resources, and security best practices. For example, if it finds a public S3 bucket, overly permissive IAM roles, or public security group, the explanations are usually accurate and aligned with security principles. The remediation suggestions for common issues such as restricting IAM permissions, enabling encryption, and removing public exposure save engineers time because they do not have to research the fix themselves. However, I am cautious with least privilege recommendations because the AI may suggest removing permissions or tightening IAM policies, but it does not always fully understand business requirements, operational dependencies, and future use cases. As an architect, I never approve IAM changes solely based on AI output. Additionally, complex architecture decisions such as shared VPC models can be problematic; AI often lacks the broader organizational context needed to judge whether a design is appropriate, and it might recommend practices that do not align with organization-approved patterns.

I have been using Wiz Code for the past one and a half years.

Wiz Code is really stable.

Wiz Code scales quite well from an enterprise perspective, and I would consider scalability one of its stronger attributes. When evaluating scalability, I look at repository scalability; Wiz Code is designed to integrate with major SCM platforms and can scan thousands of repositories across multiple business units and development teams. Secondly, in terms of cloud environment scalability, this is where Wiz Code generally excels, being built to handle thousands of AWS accounts, multi-cloud environments, and millions of cloud resources. The code-to-cloud correlation capability benefits from this large-scale architecture.

Customer support is really helpful with immediate responses and quick turnaround times.

Before Wiz Code, the security team manually correlated the cloud assets, vulnerabilities, IAM permissions, and internet exposure, with critical issues identified in five days. Now, with the security graph automatically correlating findings, critical issues are identified in 30 minutes, resulting in a 90 percent plus reduction in investigation effort. There is also a reduction in security review effort relevant to the architecture review role, where previously three hours were needed for security review and 20 manual checks; now, Wiz Code validates all this and does it for us.

I was not actively involved in the setup cost and licensing, but I definitely know the pricing was something good given the usage and benefits it provides. I would say the pricing is not too high.

My team evaluated Palo Alto Networks Prisma Cloud, Microsoft Defender for Cloud, Checkmarx One, and Snyk when choosing Wiz Code.

One must give some time to using Wiz Code initially, and they will definitely have a positive experience with using it. Wiz Code was purchased through the AWS Marketplace. Wiz Code is deployed in my organization on public cloud. AWS is our cloud provider. I rate this product 8 out of 10.

My main use case for Wiz Code is for application security, to scan vulnerabilities and prioritize the vulnerabilities based on results.

When a new vulnerability is published, I review the findings from Wiz Code and see if we are exposed with our versions we are using, and if we need to upgrade, what version, and what priority it needs to be based on the risk there.

The best features Wiz Code offers are the threat vulnerability picture and view by repository.

I value the vulnerability picture and the repository view because they help me to see all the vulnerabilities we have and to prioritize them.

Wiz Code has positively impacted our organization as it helped us to maintain a healthy application security side of the company and to remediate our vulnerabilities. Since using Wiz Code, we have reduced the number of our vulnerabilities by 50%, criticals by 90%, so we are very satisfied with it.

Wiz Code could be improved by showing us the dependencies that are affecting us; if we are upgrading one dependency, it would be helpful to know if down the road that's going to cause any problems with other dependencies.

I have been using Wiz Code for more than six months.

Regarding Wiz Code's AI capabilities, I think its governance and security are very good; we are satisfied with the green and red events.

I think the accuracy and reliability of output from Wiz Code is approximately 95% accurate. I would rate this review a 9.

Wiz Code is designed for scanning code repositories for vulnerabilities, whether through static scans, dynamic security scans, or by identifying vulnerabilities in third-party libraries. Overall, it's a complete package that can help scan code repositories and code bases while flagging findings that are not beneficial for organizations.

We have integrated Wiz Code with our GitHub repositories and have been tracking the findings. With real-time code tracking, developers and security engineers from our team are able to see findings and misconfigurations within the code in real-time, and they can reach out to specific developers for remediation of those findings.

Automated code reviews are something we have in process. We have developed a CI/CD pipeline automation that can be integrated with the code repository and utilize Wiz Code for this purpose, so that pull requests can be triggered to lead to automatic remediation. However, this is specific to organizational needs. Some teams do require prior review before implementing any changes, whether minor or major, and they do require proper peer review for those pull requests. As far as automations are concerned, we have tested this within our environment, but it is specific to developer and team needs.

Wiz Code is itself a feature. Apart from Wiz, these are the specific features that Wiz Code has introduced. Earlier it was a single bundle package, but once Wiz was acquired by Google, they have separate SKUs, and Wiz Code is one of them. The feature itself is for code repositories.

As far as innovations are concerned, getting security on a single platform with respect to all findings, whether static findings, dynamic findings, secrets findings, or third-party library dependency findings, helps at a broader level when it comes to innovation. As a developer, I do not need to use different tools. Earlier in a traditional method, I used to rely on different tools for third-party library dependency findings, static findings, and dynamic findings. Wiz Code is a platform that serves most of these features as a single entity, which has definitely reduced the time for triaging the security aspects of vulnerabilities and helps in overall innovation for the team.

Every tool has some sort of improvement required. No tool can be said to be one hundred percent secure, so there's always a scope for improvement. When it comes to Wiz Code, how they are ingesting the metadata with respect to the integrated platform is something they can improve upon. In fact, they have already started working on this and are continuously improving those data ingestion parts with the integrated platform, whether GitHub, Bitbucket, or GitLab. Whatever information the platform is ingesting can be further used for automation as well. If I want to create some sort of policy by ingesting those data, I can do that. However, that requires visibility to the API that can support these integrations. In summary, there is a good scope for improvement for this platform.

Metadata ingestion and probably the integration of Wiz Code platform is something which is missing. They are already working on that. With the advancement of GenAI and AI, most vendors are in the AI race, and they want to make sure they are supportable for other platforms that are currently used in vibe coding. This is something I think Wiz Code can work on, making those integrations accessible for vendors available in the market.

I have been working with Wiz Code for approximately one year.

I haven't used much technical support specific to Wiz Code, but overall, as far as technical support and customer success interaction are concerned, I would say it is good. I do not have a very bad experience with those folks.

The initial setup for Wiz Code is most straightforward.

The topic of their pricing is confidential, which I'm not authorized to share. However, it is a bit expensive, but that depends on how broad your organization is and what your use case is. If you are a small scale enterprise organization, you probably would not pay such a hefty amount of money to protect your organization. However, if you're a big organization, if the organization is a large-scale enterprise organization and it's a reputable organization, then probably if you get most of the things in a single platform, then you do some trade-offs. In summary, it depends on where or what organization you're from and what your use case is.

I'm working with Wiz Code as well, but I just wanted to understand why you are asking these specific questions. Do you want a review on a certain product?

There are some Check Point products still used in my company, but that would be specific.

I would rate this review at eight point five out of ten.

The main use case for Wiz Code is its unique selling proposition, which is the dashboarding. What you want is to see what is wrong within your environment, and that is where Wiz Code picks up the market value with a unified dashboard for all your code-to-cloud issues under a single umbrella, something missing in other products like Prisma Cloud or Aquasec. Aquasec does not have DAST and does not compete with the entire solution, while Prisma Cloud does DAST but lacks in dashboarding and recategorization of the vulnerabilities, which is the USP of Wiz Code.

The best features of Wiz Code that I appreciate the most include their entire dashboarding and the seamless integration with different DevOps tooling like GitHub or Azure DevOps. It seamlessly integrates, allowing you to run scanners directly onto the machines without consuming too many resources, and the recategorization of vulnerabilities is absolutely wonderful, giving you a complete attack path, which is something I love about Wiz Code because it details the entire lateral movement of the issue, whether it is a complete shift-left or shift-right, serving as the differentiators compared to other tools in the market.

When I talk about ROI with Wiz Code, it almost cuts you down to 20% to 25% of the daily effort needed in terms of FTE. If you are working with around 100 developers or engineers, you might come down to 60 to 70 engineers, with the rest completely automated by removing false positives, showcasing where the USP comes in.

The areas that have room for improvement in Wiz Code are their IaC policies, which require a little more maturity. When discussing IaC policies, you want to ensure engineers cannot merge anything non-compliant to your environment, and they need to streamline these with different cloud service providers, as every cloud has its own policies, such as Azure's policies. They need to mature their IaC policies and provide more custom policies for better integration.

Aside from the policies, that is the main area for improvement.

I started using Wiz Code as part of one of the client engagements where they wanted to do some market research around the SaaS, DAST, IaC, and container scanning tools. From that point in time, I have been using this for more than a year.

In terms of stability, I rate it a nine, as I did not observe any instability within the product. The best part is that their entire solution is built on APIs, allowing for easy integration without a codeless approach.

For scalability, I rate it nine.

I would rate the technical support of Wiz Code an eight. It is not bad, but the response time or RTO is longer than expected, indicating where they need to improve.

In terms of deployment, I would not say there were any challenges. The documentation is absolutely excellent and easy to follow, although they have locked the documentation, requiring minimum access called document reader, which is available only if you take a solution from them.

The deployment took just a day. You only need to be ready with your service principal to authenticate your environment, and then you can onboard the entire system, where results typically need at least 24 to 48 hours to start populating on the dashboard, but integration is quite seamless.

During my POC, I observed that the automated code reviews reduce human error by approximately 47%, which is the exact number we found out, reflecting a 50-50 ratio.

Regarding pricing, I would say that the pricing model is a little bit hefty on the pocket. For instance, Wiz Code scans your containers twice, first during runtime and then during shift-left when you build the Kubernetes manifest, which causes Wiz Code to charge separately for running the agent on the containers to give runtime posture, as well as for scanning images in the environment during shift-left, which I feel is not good for the client, although I understand it is a marketing strategy.

My thoughts on Wiz Code's error detection feature is that it is an add-on that makes life easier. Though I personally did not find it a path-breaking solution, it adds value where you are already getting the ROI of the product.

My thoughts on the real-time code tracking in Wiz Code is that it is very important because you cannot expect developers to use a repo on a daily basis, as there can be a release cycle for each application causing some days when the repo is dormant, making shift-left only applicable when you trigger the pipeline. That is where agentless scanning comes into play to ensure you have a continuous state of your repository, especially for picking up zero-day vulnerabilities which can pop up within 15 to 20 days.

If you ask me for advice regarding Wiz Code, I would definitely recommend it. Google already bought Wiz Code in a 32 billion dollar deal, improving it significantly, but it still depends on how customers choose to use it. If you want a single view of your entire code-to-cloud, then Wiz Code is the product, but for more mature needs in CSPM, CWPP, ASPM, or DSPM, you may need a POC to determine the best fit for your environment.

Approximately, we had a team strength of about 2,000 to 2,500 developers using Wiz Code.

Wiz Code does not require any maintenance unless it is an on-prem solution where you are managing the underlying machine within your environment.

I would rate this review overall a 9.5.

My main use case for Wiz Code is to find vulnerabilities in my code. I perform penetration testing on my code to find any issues like SQL injection with Wiz Code. Penetration testing and finding vulnerabilities is the main focus for me when using Wiz Code.

In my opinion, all the security features Wiz Code offers are the best. The security feature that stands out the most to me is the automated scanning in Wiz Code. Automated scanning is my top pick when it comes to Wiz Code features. Wiz Code has not yet positively impacted my organization or changed anything in my workflow or results. I expect to see strong security for our applications and secure applications in my workflow or results as I continue using Wiz Code.

There is nothing I wish worked better or features I would like to see for improving Wiz Code. There is nothing that comes to mind about needed improvements for Wiz Code.

I have been using Wiz Code for three months.

I think Wiz Code is reliable; I have not experienced any issues with stability.

I have no idea if I previously used a different solution before Wiz Code; I am fairly new to this.

I am not sure if I have seen a return on investment from using Wiz Code.

I have no idea about the pricing, setup cost, and licensing for Wiz Code.

I have no idea if I evaluated other options before choosing Wiz Code.

My advice to others looking into using Wiz Code is to proceed with caution. I gave this review a rating of 10.