How can a friendly Eye of Sauron help the Wizards?
Cloud security is evolving beyond silos. Wiz’s meteoric rise has been powered by a fresh approach: an agentless, graph-based view of risk context across the cloud stack that supplanted a number of point solutions and created the Cloud-Native Application Protection Platform (CNAPP) category. If you want a refresher on Wiz’s rise, take a look at this excellent write-up from the Cybersecurity Pulse by Darrin Salazar: Wiz’s $32B GTM Playbook: Unpacking the Formula (Part I).
By contrast, at DeepTempo we build foundation LogLMs. We use collective defense via deep learning to help you see, respond to, and recover from attacks with far better precision and recall than prior approaches. If Wiz is the Wizard, helping you to cast protection spells, DeepTempo is like a friendly version of the Eye of Sauron, constantly learning and nearly all-seeing.
In this blog I dive a little bit into how Wiz builds and uses its Security Graph, how it uncovers toxic combinations of risk and prioritizes CVEs and other vulnerabilities by exploitability and context. I build off my recent blogs on the subject of LLM-powered attacks to consider how Wiz might hold up as attackers introduce ever more creative attack paths. I then briefly show how complementary the Eye of Sauron / DeepTempo is to Wiz.
Wiz’s Security Graph: Graph-Powered Cloud Context
Wiz’s core technology is the Security Graph, a knowledge graph that maps resources, configurations, vulnerabilities, identities, and interrelationships. Traditional cloud security tools often report isolated vulnerabilities without context, inundating the security team with far more vulnerabilities than they could ever address, with little to no sense of their importance. Wiz takes a different path. The Security Graph is a graph database that acts as a digital twin of your cloud environment, mirroring your infrastructure and even capturing real-time cloud events (Wiz Security Graph offers root cause analysis for cloud IR | Wiz Blog). In other words, Wiz models the cloud as a web of nodes (resources) and edges (relationships) to understand not just what vulnerabilities exist, but how they connect and what they mean in combination.
This graph-driven context is not just a pretty visualization — it’s the backbone of Wiz’s analysis. “A Security Graph makes the complex simple by surfacing the relationships between cloud components as first-class citizens. It’s not just a visualization layer, but the database, the normalizing data model, and the analysis layer,” Wiz explains (Uncover Toxic Combination of Risks in Cloud Security | Wiz Blog). For example, the graph might link a container image vulnerability to the running container, the cloud VM it’s on, the IAM role that VM uses, and the sensitive database that role can access — all in one connected view. This contextual graph approach was a game-changer, turning a fragmented set of point solutions into a unified platform, which is why they coined the CNAPP category — Cloud-Native Application Protection Platform. Wiz’s agentless data collection was key to this unification: by scanning the entire stack via cloud APIs with no agents to deploy, Wiz quickly populates the graph with comprehensive metadata from multicloud environments (The World is a graph: How Wiz reimagines cloud security using a graph in Amazon Neptune | AWS Database Blog). The result is a continuously updated map.
Toxic Combinations: When Multiple Weaknesses Form a Critical Threat
Mapping the cloud in a graph enables Wiz to spot “toxic combinations” of risk — essentially, attack paths that emerge only when multiple risk factors intersect. In isolation, a single misconfiguration or vulnerability might be low severity, but together they can spell disaster. “Toxic combinations represent scenarios where multiple risks come together to form a critical severity issue that poses a very real threat to security,” as one Wiz guide puts it (Uncover Toxic Combination of Risks in Cloud Security | Wiz Blog). For example, imagine a database containing sensitive customer data. By itself, that database might be properly encrypted and seem secure. But if that same database is accessible from a virtual machine that is publicly exposed to the internet, and that VM has a critical vulnerability with a known exploit, the pieces together create a serious breach risk (Uncover Toxic Combination of Risks in Cloud Security | Wiz Blog). An attacker could exploit the exposed VM, move to the database, and exfiltrate or destroy critical data. Neither the open VM nor the sensitive database alone would constitute a “critical” incident — it’s the combination that’s toxic.
Wiz’s Security Graph is purpose-built to uncover these hidden linkages. By treating relationships as first-class data, the graph shines a spotlight on chains of weaknesses that would otherwise go unnoticed (Uncover Toxic Combination of Risks in Cloud Security | Wiz Blog). These are the validated attack paths that Wiz wants your team to fix first. This focus on combined risk allows Wiz to prioritize meaningful threats rather than inundating teams with every theoretical issue. As Wiz emphasizes, toxic combos are how attackers “move laterally from an initial point of compromise to gaining access to an organization’s crown jewels”, so finding those paths early gives defenders a chance to break the kill chain (Uncover Toxic Combination of Risks in Cloud Security | Wiz Blog).
Filtering CVEs with Context: Prioritizing What Matters
One of the most valuable outcomes of Wiz’s graph analysis is filtering vulnerability noise into a short list of issues that warrant attention. Modern cloud environments can have tens of thousands of vulnerability findings (CVEs in VMs and containers, library flaws like Log4j, etc.), far more than any team can fix. Wiz tackles this by “ruthless prioritization based on context” — using the Security Graph to whittle a long CVE list into the critical few (Uncover Toxic Combination of Risks in Cloud Security | Wiz Blog). A typical Wiz customer might start with 10,000+ vulnerabilities detected across their cloud, but end up with only a few dozen critical toxic combinations to focus on (Uncover Toxic Combination of Risks in Cloud Security | Wiz Blog). This massive reduction is achieved by layering multiple risk factors:
- Public Exposure — Is the vulnerable resource exposed to the internet or an untrusted network? A vulnerability on an internet-facing VM is far more urgent than one deep in a private subnet. “A vulnerable VM with access to the Internet poses a greater risk since it can be more easily exploited by malicious actors,” Wiz notes (Detect and prioritize CISA Known Exploited Vulnerabilities in the cloud with Wiz | Wiz Blog). The graph knows which assets are effectively exposed versus isolated.
- High Privileges or Sensitive Access — Does the resource have roles/permissions that grant wide access if compromised? For instance, “a vulnerable VM that can assume an admin IAM role or contains an API key with admin privileges is at much higher risk” to your environment (Detect and prioritize CISA Known Exploited Vulnerabilities in the cloud with Wiz | Wiz Blog). Similarly, a vulnerability on a server that has direct access to a production database is more dangerous than on a dev server with no sensitive data. The graph correlates vulnerabilities with identity and data context (like attached IAM roles, keys, and data stores).
- Known Exploits and Threat Intelligence — Is the CVE known to be exploited in the wild, for instance by appearing on CISA’s KEV list? Wiz pulls in threat intel feeds such as CISA Known Exploited Vulnerabilities (KEV), and info from the Exploit Prediction Scoring System, as an extra filter (Agentless Cloud Vulnerability Management | Wiz | Wiz). If a flaw is actively being used by attackers, it’s weighted higher. Interestingly, Wiz found that <1% of the vulns it detects are in the CISA KEV catalog (Detect and prioritize CISA Known Exploited Vulnerabilities in the cloud with Wiz | Wiz Blog) — which raises the question of whether the KEV catalog is already falling behind attacks in the field. This filter is becoming less useful.
- Asset Criticality and Business Impact — Would exploiting this vulnerability actually harm the business such as via a data breach or downtime? The presence of sensitive data such as S3 buckets with PII/PCI or otherwise business-critical systems boosts priority. Wiz explicitly prioritizes “resources that pose a real risk… such as resources effectively exposed, with high permissions, or access to critical data” (Agentless Cloud Vulnerability Management | Wiz | Wiz).
By correlating these factors, Wiz’s platform surfaces the vulnerabilities that should be prioritized and hides those that are mere theoretical risks (Agentless Cloud Vulnerability Management | Wiz | Wiz). This context-driven triage turns a mountain of CVEs into a manageable to-do list.
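To make the toxic-combination and context-based prioritization ideas above concrete, here is an added example (my own illustration, not Wiz’s code or query language) that models a tiny cloud inventory as a graph and ranks VMs by the four factors just listed. The asset names and the CVE id are constructed placeholders; the point is that the same vulnerability scores very differently depending on exposure, privileges, and which data it can reach.

```python
from collections import defaultdict, deque

# Constructed sample inventory (hypothetical assets, placeholder CVE id), shaped like
# the relationships the article describes: VM -> vulnerability, VM -> IAM role -> data.
NODES = {
    "vm-web":     {"type": "vm", "exposed": True},
    "vm-batch":   {"type": "vm", "exposed": False},
    "role-admin": {"type": "iam_role", "admin": True},
    "role-ro":    {"type": "iam_role", "admin": False},
    "db-customers": {"type": "db", "sensitive": True},
    "db-scratch":   {"type": "db", "sensitive": False},
    "CVE-PLACEHOLDER-1": {"type": "vuln", "severity": "critical", "kev": True},
}
EDGES = [  # (source, relationship, target)
    ("vm-web", "HAS_VULN", "CVE-PLACEHOLDER-1"),
    ("vm-web", "ASSUMES", "role-admin"),
    ("role-admin", "CAN_ACCESS", "db-customers"),
    ("vm-batch", "HAS_VULN", "CVE-PLACEHOLDER-1"),   # same CVE, different context
    ("vm-batch", "ASSUMES", "role-ro"),
    ("role-ro", "CAN_ACCESS", "db-scratch"),
]

def build_adjacency(edges):
    adj = defaultdict(list)
    for src, rel, dst in edges:
        adj[src].append((rel, dst))
    return adj

def reachable_data(start, nodes, adj):
    """Data stores reachable from `start` over any chain of ASSUMES/CAN_ACCESS edges."""
    seen, queue, found = {start}, deque([start]), []
    while queue:
        for rel, nxt in adj[queue.popleft()]:
            if rel in ("ASSUMES", "CAN_ACCESS") and nxt not in seen:
                seen.add(nxt)
                (found if nodes[nxt]["type"] == "db" else queue).append(nxt)
    return found

def score_vm(vm, nodes, adj):
    """Layer the four factors; only exposure + exploitable flaw + sensitive reach is toxic."""
    vulns = [d for r, d in adj[vm] if r == "HAS_VULN"]
    roles = [d for r, d in adj[vm] if r == "ASSUMES"]
    exposed = bool(nodes[vm].get("exposed"))
    admin = any(nodes[r].get("admin") for r in roles)
    kev = any(nodes[v].get("kev") for v in vulns)
    critical = any(nodes[v].get("severity") == "critical" for v in vulns)
    sensitive = [d for d in reachable_data(vm, nodes, adj) if nodes[d].get("sensitive")]
    score = 3 * exposed + 2 * admin + 2 * kev + critical + 3 * bool(sensitive)
    return {"vm": vm, "score": int(score), "sensitive_data": sensitive,
            "toxic": exposed and (kev or critical) and bool(sensitive)}

def prioritize(nodes, edges):
    """Rank every VM by contextual risk, most urgent first."""
    adj = build_adjacency(edges)
    vms = [n for n, attrs in nodes.items() if attrs["type"] == "vm"]
    return sorted((score_vm(v, nodes, adj) for v in vms), key=lambda f: -f["score"])
```

Running `prioritize(NODES, EDGES)` puts the exposed, admin-capable VM with reach to customer data at the top as a toxic combination, while the isolated batch VM carrying the very same CVE is ranked low and not flagged.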
This approach helps teams remediate efficiently. Rather than patching everything blindly, an impossible task, teams patch what matters first. Wiz popularized the idea of a “Zero Criticals” club — celebrating customers who have systematically eliminated all critical toxic combos from their cloud (Uncover Toxic Combination of Risks in Cloud Security | Wiz Blog). Of course, new risks are always emerging, but the goal is to keep knocking critical issues down on an ongoing basis. This is proactive posture management — fix the cracks in the roof before the storm hits. As great as this is, it does not tell you whether you have been attacked via your remaining vulnerabilities or some other attack path; this is where DeepTempo comes in.
LLM-Powered Attackers: New Threats Outside the Graph?
Wiz’s model of security — aggregating known risk signals and contextualizing them — would seem to be the most effective approach to mitigate the risk from the “known knowns” of cloud threats. Misconfigurations, unpatched CVEs, overly broad access, and exposed resources are common culprits.
Wiz largely puts into code operational best practices that already existed; you don’t need Wiz to focus on the most important vulnerabilities, but it makes it much easier than doing it yourself.
However, the threat landscape is not static. As detailed with real code examples in my recent blogs, attackers are beginning to leverage LLMs to devise more diverse and creative attacks. This raises an important question: Can a rules-and-relationships graph model keep up with novel, AI-generated attack patterns?
On one hand, removing weaknesses like the toxic combos Wiz finds is always good practice. Even an AI-augmented attacker will happily exploit an unprotected S3 bucket or a known vulnerability if you leave it lying around. Wiz dramatically reduces the “low-hanging fruit” that an attacker — human or machine — might use as an easy entry. In that sense, Wiz’s approach, whether using Wiz or your own automation and severity rankings, seems like a necessary foundation of defense: it shrinks the attack surface. Even as attackers get creative, they often chain together lapses in security hygiene. By denying attackers those basic building blocks, you force them into more complex, hopefully less certain methods.
On the other hand, attackers only have to be successful once to get inside your environment. While reducing your attack surface will make their job more difficult, it will not make it impossible. You still need to be able to identify attacks as they occur and must be able to triage them quickly as well.
As mentioned in my prior blogs, LLM-powered attackers can identify unconventional pathways and even logic flaws that aren’t on any vulnerability list. They might generate exploits for 0-day vulnerabilities faster, or figure out multi-step social engineering ploys that slip past automated scanners. Wiz can only map what it can see. If an attacker finds a weakness that is not represented as a known risk factor in the graph, it will not trigger a “toxic combination” alert. For example, if an adversary uses an LLM or other AI agent to slowly abuse legitimate credentials, perhaps gleaned via phishing or an unintended info leak, and then escalate privileges in a novel way, there might be no CVE or misconfiguration to blame — the “attack path” will fly under the radar of a product like Wiz that is based upon static rules. As I discuss in another blog, attackers “are increasingly using LLMs” to boost their capabilities (Anomalies are not Enough. Mitre Att&ck as Context | by Evan Powell | DeepTempo | Feb, 2025 | Medium), meaning we should expect an “exponential” increase in the diversity of attack techniques.
Also, note that Wiz helps you to address the most important CVEs; however no one is asserting that all of the CVEs are being patched in most environments. As attackers increase their automation and sophistication, they flow to other vulnerabilities.
This is where adaptability and learning become crucial. Wiz’s graph can incorporate new patterns; after all, the Wiz team updates its risk queries and intelligence feeds. But it’s still fundamentally a rules-based expert system — it identifies risk scenarios that humans have thought to look for, such as “exposed + vulnerable + sensitive data”. The foundation of Wiz is a graph DB, not a graph neural network (note that I also have a blog on why GNNs have not worked out so well yet in security). When AI-driven attackers exploit a combo that isn’t in Wiz’s current knowledge base, Wiz will miss it. In summary, Wiz’s model addresses the known unknowns but may struggle with the unknown unknowns — creative, unforeseen attack vectors that haven’t been catalogued yet and that are an increasing percentage of attacks.
Eye of Sauron / DeepTempo = deep learning based visibility
So how do we defend against an adversary that is learning faster and thinking outside the box? This is where the contrast between Wiz and DeepTempo becomes clear. Wiz is the master of known-risk management — it’s a Wizard helping you to fix everything we already know could go wrong in the cloud. In contrast, DeepTempo is a friendly Eye of Sauron that watches for the unknown — a foundation-model-driven system that can detect subtle anomalies and novel attack behaviors that Wiz either does not see or deprioritizes.
At DeepTempo, we build and leverage LogLMs. We have shown that our foundation model learns normal and abnormal patterns of activity across many organizations and spots attacks that a fixed-rule system or a traditional machine learning approach might miss. Our foundation model is a form of collective defense: because it’s trained on insights from many environments (while preserving privacy), it gains a sort of community immune system effect (The Promise of Cybersecurity Foundation Models | by Evan Powell | DeepTempo | Feb, 2025 | Medium). This is a sharp departure from Wiz’s tenant-specific graph of configuration data; a foundation model can generalize and transfer learnings from one environment to another.
Foundation models adapt very quickly to novel environments. In practice, this means much shorter tuning times than traditional ML systems which are notorious for taking weeks or even months to tune for a given environment and then lose their accuracy when the environment changes. Our foundation model-based system can retune itself, often in hours or less (The Promise of Cybersecurity Foundation Models | by Evan Powell | DeepTempo | Feb, 2025 | Medium). This ability to continuously learn is crucial as environments change quickly and are very diverse.
Finally, DeepTempo’s foundation-model approach excels at seeing novel attacks and so-called low and slow attacks. Sometimes there are only faint anomalies: a sequence of logins, network flows, or system calls that in isolation look benign, but when examined together with thousands of other events signify an ongoing breach. LogLMs ingest huge volumes of such data and detect very long and subtle patterns or sequences that deviate from learned normal behavior. We then map these to frameworks like MITRE ATT&CK for explainability such as flagging a sequence as resembling known lateral movement techniques. Our approach is the most powerful approach available today for watching for the “unknown unknowns” — the threats that don’t correspond to a known CVE or misconfiguration, but rather emerge from adversary behavior.
In a robust cloud defense strategy, both the Wizard and the Eye of Sauron are needed. Wiz helps teams harden their environment by finding and fixing the visible, measurable risks, ensuring that the most risky known holes are patched. However, not every risk can be addressed, and new risks are emerging all the time. This is where DeepTempo’s unique ability to see any attack takes over. In a world where “the adversary is learning faster than we are” (The Promise of Cybersecurity Foundation Models | by Evan Powell | DeepTempo | Feb, 2025 | Medium) (Anomalies are not Enough. Mitre Att&ck as Context | by Evan Powell | DeepTempo | Feb, 2025 | Medium), combining risk prioritization with adaptive threat detection may be the key to protecting us all.
Wiz’s Security GraphDB vs. DeepTempo’s LogLM was originally published in DeepTempo on Medium.
The post Wiz’s Security GraphDB vs. DeepTempo’s LogLM appeared first on Security Boulevard.
Evan Powell
Source Link: https://securityboulevard.com/2025/04/wizs-security-graphdb-vs-deeptempos-loglm/?utm_source=rss&utm_medium=rss&utm_campaign=wizs-security-graphdb-vs-deeptempos-loglm