The main use case for Wiz Code is its unique selling proposition, which is the dashboarding. What you want is to see what is wrong within your environment, and that is where Wiz Code picks up the market value with a unified dashboard for all your code-to-cloud issues under a single umbrella, something missing in other products like Prisma Cloud or Aquasec. Aquasec does not have DAST and does not compete with the entire solution, while Prisma Cloud does DAST but lacks in dashboarding and recategorization of the vulnerabilities, which is the USP of Wiz Code.
External reviews
1 review
from
External reviews are not included in the AWS star rating for the product.
Unified dashboards have streamlined code‑to‑cloud risk tracking and reduced manual reviews
What is our primary use case?
What is most valuable?
The best features of Wiz Code that I appreciate the most include their entire dashboarding and the seamless integration with different DevOps tooling like GitHub or Azure DevOps. It seamlessly integrates, allowing you to run scanners directly onto the machines without consuming too many resources, and the recategorization of vulnerabilities is absolutely wonderful, giving you a complete attack path, which is something I love about Wiz Code because it details the entire lateral movement of the issue, whether it is a complete shift-left or shift-right, serving as the differentiators compared to other tools in the market.
When I talk about ROI with Wiz Code, it almost cuts you down to 20% to 25% of the daily effort needed in terms of FTE. If you are working with around 100 developers or engineers, you might come down to 60 to 70 engineers, with the rest completely automated by removing false positives, showcasing where the USP comes in.
What needs improvement?
The areas that have room for improvement in Wiz Code are their IaC policies, which require a little more maturity. When discussing IaC policies, you want to ensure engineers cannot merge anything non-compliant to your environment, and they need to streamline these with different cloud service providers, as every cloud has its own policies, such as Azure's policies. They need to mature their IaC policies and provide more custom policies for better integration.
Aside from the policies, that is the main area for improvement.
For how long have I used the solution?
I started using Wiz Code as part of one of the client engagements where they wanted to do some market research around the SaaS, DAST, IaC, and container scanning tools. From that point in time, I have been using this for more than a year.
What do I think about the stability of the solution?
In terms of stability, I rate it a nine, as I did not observe any instability within the product. The best part is that their entire solution is built on APIs, allowing for easy integration without a codeless approach.
What do I think about the scalability of the solution?
For scalability, I rate it nine.
How are customer service and support?
I would rate the technical support of Wiz Code an eight. It is not bad, but the response time or RTO is longer than expected, indicating where they need to improve.
How was the initial setup?
In terms of deployment, I would not say there were any challenges. The documentation is absolutely excellent and easy to follow, although they have locked the documentation, requiring minimum access called document reader, which is available only if you take a solution from them.
The deployment took just a day. You only need to be ready with your service principal to authenticate your environment, and then you can onboard the entire system, where results typically need at least 24 to 48 hours to start populating on the dashboard, but integration is quite seamless.
What was our ROI?
During my POC, I observed that the automated code reviews reduce human error by approximately 47%, which is the exact number we found out, reflecting a 50-50 ratio.
What's my experience with pricing, setup cost, and licensing?
Regarding pricing, I would say that the pricing model is a little bit hefty on the pocket. For instance, Wiz Code scans your containers twice, first during runtime and then during shift-left when you build the Kubernetes manifest, which causes Wiz Code to charge separately for running the agent on the containers to give runtime posture, as well as for scanning images in the environment during shift-left, which I feel is not good for the client, although I understand it is a marketing strategy.
What other advice do I have?
My thoughts on Wiz Code's error detection feature is that it is an add-on that makes life easier. Though I personally did not find it a path-breaking solution, it adds value where you are already getting the ROI of the product.
My thoughts on the real-time code tracking in Wiz Code is that it is very important because you cannot expect developers to use a repo on a daily basis, as there can be a release cycle for each application causing some days when the repo is dormant, making shift-left only applicable when you trigger the pipeline. That is where agentless scanning comes into play to ensure you have a continuous state of your repository, especially for picking up zero-day vulnerabilities which can pop up within 15 to 20 days.
If you ask me for advice regarding Wiz Code, I would definitely recommend it. Google already bought Wiz Code in a 32 billion dollar deal, improving it significantly, but it still depends on how customers choose to use it. If you want a single view of your entire code-to-cloud, then Wiz Code is the product, but for more mature needs in CSPM, CWPP, ASPM, or DSPM, you may need a POC to determine the best fit for your environment.
Approximately, we had a team strength of about 2,000 to 2,500 developers using Wiz Code.
Wiz Code does not require any maintenance unless it is an on-prem solution where you are managing the underlying machine within your environment.
I would rate this review overall a 9.5.
Continuous code security has reduced vulnerabilities and provides real-time risk visibility
What is our primary use case?
Folks deploying infrastructure with Terraform code need to verify that those deployments do not have vulnerability concerns, and if they do, they need to be remediated, which is the main use case for Wiz Code.
What is most valuable?
The best features with Wiz Code give you a reasonable picture when it comes to vulnerabilities, which means you see the usual severity levels. You also get to see references on how to remediate vulnerabilities. The fact that it has a visual dashboard helps all stakeholders, especially folks who need to remediate, to get that picture correctly and then take action. You know exactly how to track SLAs, which is another great feature. Those features make the tool useful for most people.
It has been quite easy to get visibility into the vulnerabilities and what steps need to be taken. The fact that you get something in real-time means you can plan to either remediate in real-time or put that as an action to remediate. Overall, Wiz Code improves your workflow efficiency to more than average.
What needs improvement?
I have a big improvement in mind for Wiz Code, not a small improvement. When I look at tools such as vulnerability detection tools, I focus on how the reporting could help fast-track risk mitigations. I don't want folks to just look at the severity rating, whether it's critical, high, or medium. I would love to see how that presents a risk. Meaning that if a particular vulnerability is compromised, it could be a low severity, but if it's compromised, what business impact does it have? With capabilities we have in AI and other technologies, I think we could do much more than just sharing vulnerability ratings or severity ratings for folks to act on. That approach is outdated. Something that communicates the value would make sense and could help drive or change habits. That's what I'm thinking, and that's why I say it's a big one, not just something small.
For how long have I used the solution?
I have used Wiz Code for about three years now.
What do I think about the stability of the solution?
Wiz Code is reasonably cool in terms of stability overall.
What do I think about the scalability of the solution?
Wiz Code is scalable.
How are customer service and support?
The support from Wiz Code is incredible. I don't give anyone a 10 in the first place, frankly, but I think a nine will look good. Wiz has done incredibly well. They've set up regular connects with the team, they share new updates, and they want to get feedback in terms of what we think could be done differently. Those sessions actually help. If you need them to jump on a call to resolve an issue, they are always available. That's why I give them a nine.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I did use other solutions before choosing Wiz Code for this, specifically InsightVM. InsightVM has some capabilities I've used in the past as well. However, I wouldn't say I've used InsightVM the way I currently use Wiz Code. I can't really judge or compare the difference between the two. I'm sure InsightVM or Rapid7 has improved on its offerings since when I used it.
Which other solutions did I evaluate?
The metric regarding automated code reviews is something I have not captured, but it's a good metric.
What other advice do I have?
I do use Wiz Code's real-time code tracking.
From my perspective, I think it's positive, but for folks who need to remediate and have old habits when it comes to software development, it might be a big concern. Ultimately, it helps everyone because you have that visibility and you can take action within a sprint because of that visibility. If you can act right away, you can capture that as part of your sprint planning and remediate promptly. It's a good feature. However, I speak from a security perspective. For a product team, it could be a lot to handle. With creating the right habits over time, it becomes an advantage for everyone.
I have never had to think about Wiz Code's error detection feature for improving code quality.
I do not use the analytics tools within Wiz Code. I may know this tool by a different term, but I need clarification on what the analytics tool encompasses.
I have no idea of the pricing for Wiz Code. I have no knowledge of current pricing.
To rate Wiz Code, I need to think of some baseline, but I don't really have any baseline. When I consider the support they offer, which is fantastic, and how reliable the tool is, I could give them a rating of eight.
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Unified security platform has enabled proactive detection of code and pipeline vulnerabilities
What is our primary use case?
I mainly use Wiz Code to evaluate the codebase on AWS.
Wiz Code is used to run security scans on registry images as a specific example of how I evaluate my AWS codebase.
What is most valuable?
Wiz Code offers great features by providing vulnerabilities that it can detect within code.
Wiz Code detects vulnerabilities effectively through integration with the workflow while being fast and accurate.
Wiz Code takes CNAPP to the next level by offering AppSec capabilities on top of CSPM functionality.
Wiz Code has positively impacted my organization through the unified platform that gives the ability to shift left in security and detect issues before they go into production.
Wiz Code provides the ability to detect vulnerabilities within infrastructure code or the CI/CD pipeline early so that issues can be fixed before going into production.
What needs improvement?
Integration with more scans would be great, though Wiz Code is currently pretty solid as it is.
For how long have I used the solution?
I have been using Wiz Code for about a year now.
What other advice do I have?
My advice for others looking into using Wiz Code is that it is a great product if you are looking for a CNAPP solution that includes CSPM and AppSec along with CWP, providing a unified platform to see your whole code to deployment. I would rate this product an 8 out of 10.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
showing 1 - 3