Traditional incident response models were never built with cloud-native architectures in mind. They often rely on retrofitted tools and processes that can’t keep pace with how fast modern environments move. This becomes a big challenge when a cloud incident strikes, and when speed and clarity are of utmost importance. Wiz is tackling this challenge with
Wiz Incident Response (IR), a service built from the ground up for the cloud and delivered by a team of specialists who live and breathe cloud forensics.
Moving Beyond Legacy Approaches
The market is full of established IR providers, but most started in the on-premises world and later adapted their playbooks for the cloud. That adaptation often creates blind spots. Wiz IR takes a different approach.
“Wiz IR is purpose-built for the cloud, unlike traditional IR firms that were originally designed for on-prem environments and later adapted,” said
Shaked Tanchuma, Director of Incident Response at Wiz told MSSP Alert.
"Because our IR offering is built directly on the Wiz Security Graph, Wiz Defend, and runtime sensors, we have full context into the customer’s environment - from infrastructure to runtime. This gives us a deep understanding of asset relationships, exposure paths, and potential blast radius, all in real time. Combined with a team of cloud IR experts, Wiz IR provides a faster, more informed, and cloud-optimized incident response experience that established providers can’t match," said Tanchuma.
That direct integration with Wiz’s existing detection and runtime capabilities gives the IR team a unique vantage point. Rather than piecing together logs from disparate sources, they can trace incidents end to end with immediate visibility into how threats unfold across the stack.
Responding to the Expanding Cloud Attack Surface
Modern cloud incidents rarely stay confined to one system. They spill across Kubernetes clusters, SaaS applications, and increasingly into AI-driven environments where new risks emerge almost daily.
“The Wiz IR team has hands-on experience investigating incidents across Kubernetes, SaaS, and AI environments,” Tanchuma explained. “Our expertise is continuously sharpened by working alongside Wiz Research, the same team that has uncovered vulnerabilities like NVIDIAScape, IngressNightmare, and DeepLeak. This direct research involvement keeps us ahead of emerging threats and ensures we understand how today’s attacks play out across modern stacks. We also leverage the Wiz platform to automatically surface risk across these diverse environments, giving the IR team a clear starting point for investigation and response.”
That combination of cutting-edge research, platform context, and practitioner expertise, means Wiz IR is not only responding to incidents but also helping customers understand the broader threat picture shaping today’s cloud environments.
Accelerating Containment With Expert-Led Guidance
For existing Wiz customers, the IR service adds a new layer of value on top of Wiz Defend and runtime detection. Where those products surface and contextualize alerts, Wiz IR goes further by embedding expert practitioners into the customer’s response process.
“For organizations already using Wiz Defend and runtime detection, Wiz IR adds expert-led investigation, containment, and recovery during live incidents,” Tanchuma said.
“Rather than just surfacing alerts, we actively partner with customers to scope the incident, build the timeline of activity, and guide real-time remediation. As the incident unfolds, we continue to hunt for new malicious behavior, helping the customer stay ahead of attackers and avoid reinfection. Wiz IR also acts as a strategic advisor, keeping teams aligned and leadership informed throughout the process. The net result is a faster, more coordinated response that minimizes damage and helps teams move forward with clarity.”
By embedding itself into the customer’s response workflow, Wiz IR effectively shortens the distance between detection and containment. It also ensures that leadership teams get a clear, business-level view of what’s happening, a critical element when managing risk at the board or executive level.
Opening Doors for Partners
Incident response is also a channel opportunity. Most MSPs and MSSPs do not have the scale to build full IR practices internally, yet their customers expect them to provide guidance when crises hit. Wiz IR is designed to fill that gap.
“Wiz IR will be available as part of Wiz’s broader partner strategy,” Tanchuma said. “By combining their own customer relationships with our IR expertise, platform context and runtime data, partners can act as trusted advisors during incidents, even for customers without large in-house security teams. This allows partners to scale their value, differentiate their services, and strengthen customer loyalty by helping organizations respond effectively when it matters most. With Wiz IR, partners don’t need to build incident response capabilities from scratch, they can extend Wiz’s expertise directly to their customers.”
For partners, this creates a new way to deepen stickiness with customers: not only delivering proactive cloud security, but standing by them in their most critical moments.
Wiz Incident Response is now in public preview and open to organizations that need immediate support during a cloud security incident. The launch reflects a broader shift in focus for Wiz, from simply detecting threats to actively guiding customers through the response and recovery process in real time.