In this video, Oron Noah, VP Partnerships & Product Extensibility at Wiz, and Anton Chuvakin, Security Advisor at the Office of the Chief Information Security Officer at Google Cloud, join the discussion on innovative strategies for addressing multi-cloud security challenges at RSAC 2025.
Noah and Chuvakin explore the complexities of securing cloud environments in today's technology landscape. With extensive expertise in cloud security and strategic advisement, they discuss the evolution of Wiz and Google Cloud, emphasizing the growing importance of a multi-cloud approach. The conversation is guided by insightful contributions from Dave Vellante and theCUBE Research.
Key points from the discussion include the necessity of a horizontal strategy for cloud security, democratizing access across development and security teams, and integrating across multi-cloud environments. Chuvakin asserts that the key to overcoming multi-cloud security challenges is leveraging expertise in posture, runtime detection, and code to create a seamless security environment. Additionally, Noah emphasizes how Wiz addresses cloud complexity with an agentless deployment strategy, simplifying visibility and remediation across Google Cloud Platform, Amazon Web Services, and Microsoft Azure.
Dave Vellante
>> Hi everybody, welcome back to Moscone West. My name is Dave Vellante, and you are watching theCUBE's continuous live coverage. This is day three of RSAC 2025. I'm here with John Furrier, and Jackie McGuire, and Jon Oltsik, the entire CUBE team. We're super excited, day three, to have Oron Noah, who is VP of partnerships and product extensibility at Wiz, you may have heard of them, and Anton Chuvakin, who's a security advisor at the Office of the CISO at Google Cloud. Gentlemen, good to see you. Welcome.
Anton Chuvakin
>> Thank you.
Oron Noah
>> Yeah. Thank you for having us.
Dave Vellante
>> Anton, former analyst. Well, I'm going to, probably going to ask you to put your Gartner hat on at one point.
Anton Chuvakin
>> I still have it. Yes.
Dave Vellante
>> You've got a great background in this industry with friends with our Rob Strechay at theCUBE Research.
Anton Chuvakin
>> Yeah.
Dave Vellante
>> But let's start with Wiz. We were talking off camera. Somebody said to me, "I don't really understand Wiz. I mean, they're such a hot company. They throw these great parties. What are they all about?" Take us back to when you guys started the company and how you entered the market with such appeal to customers.
Oron Noah
>> Yeah. So basically, Wiz, founded like five years ago, it's all about cloud security. So we started by having a multi-cloud strategy, because customer today want to protect. They're using AWS, Azure, GCP, and they want to have visibility to everything runs in their cloud. Okay. So we started by protecting the cloud, give you visibility, identify the most critical attack path. Then, the more we evolve, the more we understand we need to address more persona, that just like the cloud security team, we also need to help the developers, the DevSecOps, and then we shift left to the code area, protect the code, the pipeline. Then, we also want to engage with the SecOps team and then help them basically responds to, actually, runtime threats in the cloud. This is how we expand over the years.
Dave Vellante
>> But the other thing, I mean, I consistently hear about Wiz from customers. First of all, they always say they love it, and they said, "It simplifies my life." Explain that, your thinking when you guys started the company and developing the product. Did you flip the security mindset on its tail, on its head? Security's supposed to be complex with a lot of acronyms, so-
Anton Chuvakin
>> The acronyms.
Oron Noah
>> Yeah. The acronyms. I got the acronyms for you. No. Definite. So the approach was, first of all, how you can use an agentless approach, connect to different cloud environments within minutes, deployed within minutes through the agentless solution, and then have a visibility to all the running technologies you have, whether it's like VM, serverless, Kubernetes, buckets, what is all the different technologies running over there? Then, on top of that, instead of understanding, what is your, let's say, vulnerabilities, what are your misconfiguration, what are your data finding over there, we basically want to correlate everything into the one security graph and tell you what are the most critical attack path exist in your environment to basically help you remediate fast and focus on the most important problem that you have in your cloud environment. That's how we manage to simplify cloud security.
Dave Vellante
>> So what was the catalyst for you guys getting together and going to market? What was the customer pain points that you saw? Obviously, it's around multi-cloud. Maybe you could talk about that a little bit, and again, what you saw as an analyst, back in the day, I mean, multi-cloud was clearly a thing despite all the friction from some of the hyperscalers that didn't exist. Google always leaned into that. Some people would say, "Well, they had to." Okay. Fine, but that's a reasonable strategy. What's your take on that, Anton?
Anton Chuvakin
>> Think there are two main pillars. One is that if you expand from posture, posture assessment, you expand in two directions, you expand left to code and you expand right to runtime. That to me is a really good visual and I can imagine it being a triangle if I still write in a research paper when it has the posture. And then you have code. Posture means configuration settings, things that you have in the cloud that you operate. Left is the code you write. Of course in cloud environments would be a lot of custom code. So there would be a lot of AppSec, a lot of other things. And the right code would be runtime security, cloud detection response. So these three things, expanding from posture is where most cloud security minds are. People think, okay, I got to do posture, I've done posture. Wait a second, runtime, I'd rather use the same tool and then wait a second, my developers are writing code. I can't just deal with configs and runtime, I have to fix the code. So this keeps being posture, runtime code. But the second pillar is if you would only have one cloud and environment, you can potentially push your cloud provider to build three things, but it's not the answer. You have to have three providers, three things. So it's nine things. I don't know, that's hard to do. That's a lot of work. You do need to be an expert in posture, runtime detection, code, and three cloud providers. That's a rare skill set that has real magic.
Dave Vellante
>> And back in Covid, we kind of, as a goof, we coined this term super cloud and we got a lot of heat for it because people were saying, "What is that? That's just a buzzword, it's just multi-cloud." We say it is more than multi-cloud. It's an abstraction layer that sits all over the clouds and simplifies the developer's life so they don't have to learn all the different security and storage and all the different primitives of each of the individual clouds. And then Wiz comes along, because we always said security is going to be the limiting factor to super cloud. And then Wiz came like, "Ah, that's a super cloud."
Anton Chuvakin
>> The opposite. It's a security cloud.
Dave Vellante
>> And so you normalize. How do you normalize across GCP and Azure and AWS and what's the secret sauce behind it? It's just a hard integration and engineering work.
Oron Noah
>> The first, it's a lot of work, but just always we need to remind why we're doing that. Engineers today, developers really like why the multi-cloud strategy is even there. Developers sometimes like in GCP, they like this database. In Azure, they like Neptune Graph. In Azure, they might like Kusto. They want to build their application with the different technologies that the different cloud providers provide them. So that's first of all the needs. So what we are doing is once we connect to the control thing, we connect to the environment, a VM is a VM. We do the translation. How a VM look like in GCP, how a VM look like in Azure, how a VM look like in AWS. And then when we correlate risks, we tell you we have a publicly exposed asset that if it's been compromised, we can have a lateral move to a crown jewel asset containing a PII. This specific risk can be across multi-cloud. For you it's very easy. We normalize the data for you. That is another way to simplify the cloud security. You don't have to understand, oh, this VM runs in Azure, this VM runs in GCP. You need to understand that just to remediate. But from the risk perspective, it's agnostic.
Anton Chuvakin
>> But also this is multi-cloud by choice. This is not of multi-cloud by chance. When people use one cloud for most tasks and then they acquire a company or they use this little task for this little task, the cloud doesn't have it. So I feel like with multi-cloud by choice, there's a lot of multi-cloud by chance, but the security struggle in this case is real. The CISO has to cover both cases. Multi-cloud by choice is great. Multi-cloud by chance is the rest of the case. There is no board, nobody who is like, "I'm just going to use one cloud and never ever allow anything else." You can say that, but it won't happen.
Dave Vellante
>> No, we know that doesn't happen. And again, that's one of the criticisms we got of super-cloud is, oh congratulations, you discovered multi-cloud. My response to that was, "Well, this is really what multi-cloud should have been."
Anton Chuvakin
>> Meant to be, yes.
Dave Vellante
>> Because it really wasn't. Because you're right. Multi-cloud by chance is what it became. Multi-cloud by design, by choice, you called it-
Anton Chuvakin
>> By choice, yeah.
Dave Vellante
>> Was rare. Okay, so maybe you could share with us, because your experience from former, you guys Mandiant and you see all kinds of visibility on a lot of things. What are the misconfigurations that you see that turn a nice great functioning cloud into chaos?
Anton Chuvakin
>> So we probably both have answers and we should synchronize them in advance because right now you're going to get two answers from us. Who goes first?
Oron Noah
>> You go first.
Anton Chuvakin
>> Okay, I'm going to go first. Okay. I'm going to rely a lot on my Mandiant colleagues and their research. We still do see a lot of identity mistakes. Mistakes when identities have too much access, too much privilege. You think you should connect to X, but you also connect to Y and do things. I think identity is one bucket. Another thing is where data store is too open. Some people say that least privilege in the cloud is not very popular. People open too much access. Developers run things. They don't want to be restricted, they don't want to follow narrow policy. So identity is one. Data access being too loose is two, and then the miscellaneous misconfig is another bucket. But again, Mandiant reminds us that identity is probably what would get you in the end.
Dave Vellante
>> All right.
Oron Noah
>> So know where's the CNAPP? CNAPP stands for all the cloud native application protection was born because if you just take a look on CSPM by itself and then just take a look about vulnerability by itself and then identity, and then data. Just by itself, okay, you have a publicly exposed bucket, you should fix that first. Or what's more important, if you have, let's say a container run on a Kubernetes cluster that is publicly exposed because someone misconfigured that to be publicly exposed and it has a vulnerability. So now when an attacker can compromise this asset because it's publicly exposed and then using a key to later move to an admin privileges in your environment. So it's all about the toxic combination and that's exactly what Wiz is doing. The toxic combination, multiple factors combined your most critical attack path in your environment.
Dave Vellante
>> When the clouds, it's really started to take off. We observed something, it's like, okay, the cloud now has become the first line of defense. And initially the shared responsibility model maybe wasn't well understood by some folks, but eventually they, "Okay, whoa, we got to do our part too."
Anton Chuvakin
>> It's less well understood, less poorly understood now.
Dave Vellante
>> Yeah, less poorly understood now.
Anton Chuvakin
>> Okay, we'll go with that.
Dave Vellante
>> So part, so you've got the cloud is the first line, and then you've got the CISO and he or she's saying, okay, developers, you now have to, you say before shift left, so now you're putting all this security onus on the developers. So my question is, what are you guys doing this? At the time I was like, "Well, okay, what is the industry doing to make the CISOs and developers life easier?" And it was just this really difficult situation. So what are you doing to make the developer's life easier and maybe put some structure into their workflow?
Oron Noah
>> So think about that. Every company want to innovate fast and deploy fast, right? In today's world, you want to write a code today, the very next day it's supposed to be in production, right?
Dave Vellante
>> Yep.
Oron Noah
>> Having said that, still security teams, the way that it works, the developer have code scanners, DevSecOps have pipeline scanners, Cloud security team have cloud scanners, and then SecOps team have basically runtime scanner, but the attacker doesn't care about the organizational structure. They will come up for the weakest point and where they can actually compromise. So basically we believe that the security needs to switch from a vertical point of view to a horizontal point of view. So it's all about democratized cloud security. Because I'll give you an example. If your SecOps team find an ongoing attack in your production environment, they will block it immediately and then a moment later they will do investigation and engage with the cloud security team to tell them, "Okay, how does this one happen? What caused this critical attack path?"
And then the cloud security persona will try to reach out to the developer that actually pushed this code into production to fix that. So if you will democratize cloud security, and that's our belief, okay, let everyone have access. Everyone can collaborate on a single platform. Everyone is engaged. I'm the developer, I know the risk, I'll immediately be engaged.
Anton Chuvakin
>> It's much worse than that even. I mean there will be companies that are coming from on-prem world where security operations team, the SOC team doesn't even do cloud. So for them it's like a mysterious other thing which they don't deal with. So the chasm is deeper between some of the on-premise minded, on-premise tooled teams and the cloud breaches. So in some cases it would break right after your first step, they detect something and they're like, "Oh yeah, it's in this ephemeral environment that we don't fully understand. Who do we do? Who's the system admin?" There's no such thing. So it breaks way worse. And to me, the island mentality is not going to work. You have to have one platform.
Oron Noah
>> Yes. And another thing that we always try to do is if you want to help the developer, you want to meet them where they are in their IDE. Okay? When they write the code, when they deploy the code. So in a centralized way, define your policy. You do not allow to have a plain secret reach out to the cloud. You do not allow, let's say a critical vulnerability to reach out to the cloud. So the security person can define the policy in one place and that's effect through write in the code, build your pipeline, deploy your cloud.
Dave Vellante
>> So how does the pipeline, the handoff work? I mean I think about DevOps, it came about because you had development tossing it over the fence to the operational people. They said, oh, they deploy it. Is there something wrong with your code? No, the code was fine. When I sent it over, you changed it because it didn't come out. Okay. So DevOps comes about, but when you take something like, you know, Wiz Code and you go to Wiz Defend, you've got Gemini Code Assist, how does that all fit together? How do you guys keep that simple?
Oron Noah
>> So the moment democratization is all about everyone have access to the system. Obviously with the relevant permissions, you want to make sure this team responsible for those assets, that's what he will see. But the moment you have a problem and everyone is engaged and Wiz is all about when we have the toxic combination that the risk is very visualized. We use graph. So when you visualize the risk, you don't have to convince the developer or the DevSecOps that they need to be engaged to remediate that. Because when you visualize the risk, everyone is immediately engaged. So you can automatically assign this issue to you. You are the developer, I automatically push a PR for you. You fix your code, thumbs up.
Anton Chuvakin
>> And of course the guardrails come in because ideally you want certain things to never appear. And in that sense, I'd rather not have rapid response. I'd rather have some things to be secured out of existence, eliminate the entire classes of vulnerabilities, which is built by making guardrails for developers so they can do whatever they want, but they cannot do X, Y and Z because X, Y and Z would ruin your company. I'm being overly dramatic, but to me, guardrails is where you also apply to what developers can do. So play in the sandbox, but don't open this to outside. This privilege can never be given to this entity or team because they're open to outside. There are many other examples, especially in IAM and in network access. So to me, guardrails play another critical pillar to this.
Oron Noah
>> And also I think we need to nurture this culture of being security aware, okay. Take a look for an engineer perspective. You do not push code to production without PR. You do not build something without design review. So don't build something without security review in the very beginning of the process. Don't wait for things to be running in the cloud, then security team will tell you, "Oh, you build it the wrong way from a security perspective." So also nurturing a security culture in the organization help everyone be more secure and build security by design, which I think is hard work.
Anton Chuvakin
>> This part is hard work, but it's also without it it's not going to move. We're going to still be dealing with buffer overflows in 10 years if we don't change it.
Dave Vellante
>> I was happy at Google Cloud Next to hear, one of the keynotes, I don't remember, it was TK or whomever said, "Hey, the world's not going to move everything into the cloud. The reality is with AI, some people want to bring the AI to the data, it'll live on-prem." And I remember when the cloud first started to take off, it wasn't that the cloud had bad security, or it had better security actually, it was just different than what people were used to. And they had to go through a process to say, okay, our edicts are a little different. And this took some time. So my question is, with AI being everywhere, all at once, every place all at once, what's the on-prem story that you guys have? How do you see that from a trend standpoint shaping up? Is it valid that the people are going to bring AI to the data on-prem? How do you approach that and what's your story there?
Anton Chuvakin
>> Depending on who you ask. The percentage of workloads that are still largely not moved into cloud is, what was it, like 80% or 70%?
Dave Vellante
>> I think it's more like-
Anton Chuvakin
>> Hard to say, yeah.
Dave Vellante
>> 60 maybe. Okay, whatever. It's a lot.
Anton Chuvakin
>> Yeah, you're right. There's a range of who you ask. But it's a lot. Yeah. And to me that means that if you do data security, if you do network security, you have to deal with on-prem as well. It's maybe less of a Wiz question, but of course in our case, we have to deal with customers, we have to deal with regional customers, have to deal with cloud laggers in case of Chronicle for example.
Oron Noah
>> So to be honest, I do think a lot of companies, I think hybrid is still a thing. And guess what? We also now do things in the on-prem. Okay. We basically acquired a company named Dazz, like in 2024. And basically they're able to connect to other scanners like Qualys, Tenable, Rapid7, that scan on the on-prem. And basically now we're able also to connect to those scanners. And our runtime sensor is also getting into the on-prem. So it's a thing, it needs to be solved and hybrid. It's still something that we need to solve.
Anton Chuvakin
>> It probably would be real for the good number of years.
Oron Noah
>> Yes.
Dave Vellante
>> I want to share something with you. My last question, maybe it's a little tease of your roadmap or whatever you're comfortable doing here. Our partners at ETR, Enterprise Technology Research, we just did a state of the cloud security annual thing and they had a question. There was 500 respondents. "If you could completely rebuild your cyber security stack, what one product or vendor would you most prioritize," and the most popular choice... It's okay, it happens. Maybe we got you covered. Don't worry. It's all good. The most popular choice wasn't a vendor. It was we want features, which is interesting. Okay. Which features? Number one was MFA and identity, number two was EDR XDR. And then three was really interesting. It was like we want a platform, like the holy grail of platforms. I wonder if you could comment on that and maybe a little tease of the things you're working on that you're excited about.
Oron Noah
>> So I think Wiz today, if you take a look about our journey, we become a platform. Okay. That's why we have cloud concept, code, pipeline runtime, and also address on-prem. Because as you mentioned, customer wants a platform because a platform really help you democratize cloud security. More teams in the organization will basically engage in one single platform that can help you remediate fast, response faster to threats. And that I think it's very interesting that they choose that. Having said that, I'm not surprised.
Anton Chuvakin
>> Yeah. That's true. MFA is a very logical answer as well because with MFA you stop certain things from ever appearing. Well, MFA done well. So to me, MFA is not surprising. Endpoint is a little surprising and I think the platform is not surprising again. But you know what? We are at RSA, there are 3000 security vendors and platforms among them, like Wiz and like others, people still buy best of breed tools as well. So it's almost like they want platforms, but who funds all this stuff? End users do.
Dave Vellante
>> Well, we had a question in there about that, and we asked last year. Last year we asked to what degree are you able to essentially consolidate the number of vendors in your security stack? And essentially last year it was increasing the number of vendors. This year we're starting to see at least the consolidation is flat, but we're seeing the tools creep slow down. And so it looks like there's evidence, the tools creep is slowing. So we'll see what that means. But you talk to CISOs, they still have to go with best of breed for certain situations.
Oron Noah
>> By the way, Wiz is an open security platform. So the product today can integrate with more than 150 different integrations. We have basically a platform that we call it like WIN, it stands for Wiz Integration Network. So we integrate with many other products. Some of them are complementary to Wiz. I'll give you an example, like Data Lakes of the world. Another identity, you mentioned identity provider. So we also partner with them. Network security company. So the goal is as an open security platform, yes. If you want to streamline the operational flow, most of the time you do have other tools in your security stack. And it's much better that the different tools will integrate and interact with each other than, like, oh, this is my domain, this is your domain, let's not integrate.
Dave Vellante
>> So that's how you with WIN avoid the whole lock-in argument.
Oron Noah
>> Exactly.
Dave Vellante
>> 'Cause you're delivering tight integration with whether it's Mandiant or Chronicle or-
Oron Noah
>> Yes.
Dave Vellante
>> Okay, makes sense. Guys, I would love to have you back and go deeper, but out of time. Thank you so much. Really appreciate your time.
Oron Noah
>> Thank you so much.
Dave Vellante
>> And thank you for watching. Keep it right there. This is Dave Vellante. The whole crew is here. John Furrier, Jon Oltsik, Jackie McGuire. You're watching theCUBE's coverage of RSAC 2025. We're right back in Moscone West right after this short break.
>> Hi everybody, welcome back to Moscone West. My name is Dave Vellante, and you are to theCUBE's continuous live coverage. This is day three of RSAC 2025. I'm here with John Furrier, and Jackie McGuire, and Jon Oltsik, the entire CUBE team. We're super excited, day three, to have Oron Noah, who is VP of partnerships and product sensibility at Wiz, you may have heard of them, and Anton Chuvakin, who's a security advisor at the Office of the CISO at Google Cloud. Gentlemen, good to see you. Welcome.
Anton Chuvakin
>> Thank you.
Oron Noah
>> Yeah. Thank you for having us.
Dave Vellante
>> Anton, former analyst. Well, I'm going to, probably going to ask you to put your Gartner hat on at one point.
Anton Chuvakin
>> I still have it. Yes.
Dave Vellante
>> You've got a great background in this industry with friends with our Rob Strechay at theCUBE Research.
Anton Chuvakin
>> Yeah.
Dave Vellante
>> But let's start with Wiz. We were talking off camera. Somebody said to me, "I don't really understand Wiz. I mean, they're such a hot company. They throw these great parties. What are they all about?" Take us back to when you guys started the company and how you entered the market with such appeal to customers.
Oron Noah
>> Yeah. So basically, Wiz, founded like five years ago, it's all about cloud security. So we started by having a multi-cloud strategy, because customer today want to protect. They're using AWS, Azure, GCP, and they want to have visibility to everything runs in their cloud. Okay. So we started by protecting the cloud, give you visibility, identify the most critical attack path. Then, the more we evolve, the more we understand we need to address more persona, that just like the cloud security team, we also need to help the developers, the DevSecOps, and then we shift left to the code area, protect the code, the pipeline. Then, we also want to engage with the SecOps team and then help them basically responds to, actually, runtime threats in the cloud. This is how we expand over the years.
Dave Vellante
>> But the other thing, I mean, I consistently hear about Wiz from customers. First of all, they always say they love it, and they said, "It simplifies my life." Explain that, your thinking when you guys started the company and developing the product. Did you flip the security mindset on its tail, on its head? Security's supposed to be complex with a lot of acronyms, so-
Anton Chuvakin
>> The acronyms.
Oron Noah
>> Yeah. The acronyms. I got the acronyms for you. No. Definite. So the approach was, first of all, how you can use an agentless approach, connect to different cloud environments within minutes, deployed within minutes through the agentless solution, and then have a visibility to all the running technologies you have, whether it's like VM, serverless, Kubernetes, buckets, what is all the different technologies running over there? Then, on top of that, instead of understanding, what is your, let's say, vulnerabilities, what are your misconfiguration, what are your data finding over there, we basically want to correlate everything into the one security graph and tell you what are the most critical attack path exist in your environment to basically help you remediate fast and focus on the most important problem that you have in your cloud environment. That's how we manage to simplify cloud security.
Dave Vellante
>> So what was the catalyst for you guys getting together and going to market? What was the customer pain points that you saw? Obviously, it's around multi-cloud. Maybe you could talk about that a little bit, and again, what you saw as an analyst, back in the day, I mean, multi-cloud was clearly a thing despite all the friction from some of the hyperscalers that didn't exist. Google always leaned into that. Some people would say, "Well, they had to." Okay. Fine, but that's a reasonable strategy. What's your take on that, Anton?
Anton Chuvakin
>> Think there are two main pillars. One is that if you expand from posture, posture assessment, you expand in two directions, you expand left to code and you expand right to runtime. That to me is a really good visual and I can imagine it being a triangle if I still write in a research paper when it has the posture. And then you have code. Posture means configuration settings, things that you have in the cloud that you operate. Left is the code you write. Of course in cloud environments would be a lot of custom code. So there would be a lot of AppSec, a lot of other things. And the right code would be runtime security, cloud detection response. So these three things, expanding from posture is where most cloud security minds are. People think, okay, I got to do posture, I've done posture. Wait a second, runtime, I'd rather use the same tool and then wait a second, my developers are writing code. I can't just deal with configs and runtime, I have to fix the code. So this keeps being posture, runtime code. But the second pillar is if you would only have one cloud and environment, you can potentially push your cloud provider to build three things, but it's not the answer. You have to have three providers, three things. So it's nine things. I don't know, that's hard to do. That's a lot of work. You do need to be an expert in posture, runtime detection, code, and three cloud providers. That's a rare skill set that has real magic.
Dave Vellante
>> And back in Covid, we kind of, as a goof, we coined this term super cloud and we got a lot of heat for it because people were saying, "What is that? That's just a buzzword, it's just multi-cloud." We say it is more than multi-cloud. It's an abstraction layer that sits all over the clouds and simplifies the developer's life so they don't have to learn all the different security and storage and all the different primitives of each of the individual clouds. And then Wiz comes along, because we always said security is going to be the limiting factor to super cloud. And then Wiz came like, "Ah, that's a super cloud."
Anton Chuvakin
>> The opposite. It's a security cloud.
Dave Vellante
>> And so you normalize. How do you normalize across GCP and Azure and AWS and what's the secret sauce behind it? It's just a hard integration and engineering work.
Oron Noah
>> The first, it's a lot of work, but just always we need to remind why we're doing that. Engineers today, developers really like why the multi-cloud strategy is even there. Developers sometimes like in GCP, they like this database. In Azure, they like Neptune Graph. In Azure, they might like Kusto. They want to build their application with the different technologies that the different cloud providers provide them. So that's first of all the needs. So what we are doing is once we connect to the control thing, we connect to the environment, a VM is a VM. We do the translation. How a VM look like in GCP, how a VM look like in Azure, how a VM look like in AWS. And then when we correlate risks, we tell you we have a publicly exposed asset that if it's been compromised, we can have a lateral move to a crown jewel asset containing a PII. This specific risk can be across multi-cloud. For you it's very easy. We normalize the data for you. That is another way to simplify the cloud security. You don't have to understand, oh, this VM runs in Azure, this VM runs in GCP. You need to understand that just to remediate. But from the risk perspective, it's agnostic.
Anton Chuvakin
>> But also this is multi-cloud by choice. This is not of multi-cloud by chance. When people use one cloud for most tasks and then they acquire a company or they use this little task for this little task, the cloud doesn't have it. So I feel like with multi-cloud by choice, there's a lot of multi-cloud by chance, but the security struggle in this case is real. The CISO has to cover both cases. Multi-cloud by choice is great. Multi-cloud by chance is the rest of the case. There is no board, nobody who is like, "I'm just going to use one cloud and never ever allow anything else." You can say that, but it won't happen.
Dave Vellante
>> No, we know that doesn't happen. And again, that's one of the criticisms we got of super-cloud is, oh congratulations, you discovered multi-cloud. My response to that was, "Well, this is really what multi-cloud should have been."
Anton Chuvakin
>> Meant to be, yes.
Dave Vellante
>> Because it really wasn't. Because you're right. Multi-cloud by chance is what it became. Multi-cloud by design, by choice, you called it-
Anton Chuvakin
>> By choice, yeah.
Dave Vellante
>> Was rare. Okay, so maybe you could share with us, because your experience from former, you guys Mandiant and you see all kinds of visibility on a lot of things. What are the misconfigurations that you see that turn a nice great functioning cloud into chaos?
Anton Chuvakin
>> So we probably both have answers and we should synchronize them in advance because right now you're going to get two answers from us. Who goes first?
Oron Noah
>> You go first.
Anton Chuvakin
>> Okay, I'm going to go first. Okay. I'm going to rely a lot on my Mandiant colleagues and their research. We still do see a lot of identity mistakes. Mistakes when identities have too much access, too much privilege. You think you should connect to X, but you also connect to Y and do things. I think identity is one bucket. Another thing is where data store is too open. Some people say that least privilege in the cloud is not very popular. People open too much access. Developers run things. They don't want to be restricted, they don't want to follow narrow policy. So identity is one. Data access being too loose is two, and then the miscellaneous misconfig is another bucket. But again, Mandiant reminds us that identity is probably what would get you in the end.
Dave Vellante
>> All right.
Oron Noah
>> So know where's the CNAPP? CNAPP stands for all the cloud native application protection was born because if you just take a look on CSPM by itself and then just take a look about vulnerability by itself and then identity, and then data. Just by itself, okay, you have a publicly exposed bucket, you should fix that first. Or what's more important, if you have, let's say a container run on a Kubernetes cluster that is publicly exposed because someone misconfigured that to be publicly exposed and it has a vulnerability. So now when an attacker can compromise this asset because it's publicly exposed and then using a key to later move to an admin privileges in your environment. So it's all about the toxic combination and that's exactly what Wiz is doing. The toxic combination, multiple factors combined your most critical attack path in your environment.
Dave Vellante
>> When the clouds, it's really started to take off. We observed something, it's like, okay, the cloud now has become the first line of defense. And initially the shared responsibility model maybe wasn't well understood by some folks, but eventually they, "Okay, whoa, we got to do our part too."
Anton Chuvakin
>> It's less well understood, less poorly understood now.
Dave Vellante
>> Yeah, less poorly understood now.
Anton Chuvakin
>> Okay, we'll go with that.
Dave Vellante
>> So part, so you've got the cloud is the first line, and then you've got the CISO and he or she's saying, okay, developers, you now have to, you say before shift left, so now you're putting all this security onus on the developers. So my question is, what are you guys doing this? At the time I was like, "Well, okay, what is the industry doing to make the CISOs and developers life easier?" And it was just this really difficult situation. So what are you doing to make the developer's life easier and maybe put some structure into their workflow?
Oron Noah
>> So think about that. Every company want to innovate fast and deploy fast, right? In today's world, you want to write a code today, the very next day it's supposed to be in production, right?
Dave Vellante
>> Yep.
Oron Noah
>> Having said that, still security teams, the way that it works, the developer have code scanners, DevSecOps have pipeline scanners, Cloud security team have cloud scanners, and then SecOps team have basically runtime scanner, but the attacker doesn't care about the organizational structure. They will come up for the weakest point and where they can actually compromise. So basically we believe that the security needs to switch from a vertical point of view to a horizontal point of view. So it's all about democratized cloud security. Because I'll give you an example. If your SecOps team find an ongoing attack in your production environment, they will block it immediately and then a moment later they will do investigation and engage with the cloud security team to tell them, "Okay, how does this one happen? What caused this critical attack path?"
And then the cloud security persona will try to reach out to the developer that actually pushed this code into production to fix that. So if you will democratize cloud security, and that's our belief, okay, let everyone have access. Everyone can collaborate on a single platform. Everyone is engaged. I'm the developer, I know the risk, I'll immediately be engaged.
Anton Chuvakin
>> It's much worse than that even. I mean there will be companies that are coming from on-prem world where security operations team, the SOC team doesn't even do cloud. So for them it's like a mysterious other thing which they don't deal with. So the chasm is deeper between some of the on-premise minded, on-premise tooled teams and the cloud breaches. So in some cases it would break right after your first step, they detect something and they're like, "Oh yeah, it's in this ephemeral environment that we don't fully understand. Who do we do? Who's the system admin?" There's no such thing. So it breaks way worse. And to me, the island mentality is not going to work. You have to have one platform.
Oron Noah
>> Yes. And another thing that we are always try to do is if you want to help the developer, you want to meet them where they are in their IDE. Okay? When they write the code, when they deploy the code. So in a centralized way, define your policy. You do not allow to have a plain secret reach out to the cloud. You do not allow, let's say a critical vulnerability to reach out to the cloud. So the security person can define the policy in one place and that's effect through write in the code, build your pipeline, deploy your cloud.
Dave Vellante
>> So how does the pipeline, the handoff work? I mean I think about DevOps, it came about because you had development tossing it over the fence to the operational people. They said, oh, they deploy it. Is there something wrong with your code? No, the code was fine. When I sent it over, you changed it because it didn't come out. Okay. So DevOps comes about, but when you take something like know Wiz Code and you go to Wiz Defend, you've got Gemini Code Assist, how does that all fit together? How do you guys keep that simple?
Oron Noah
>> So the moment democratization is all about everyone have access to the system. Obviously with the relevant permissions, you want to make sure this team responsible for those assets, that's what he will see. But the moment you have a problem and everyone is engaged and Wiz is all about when we have the toxic combination that the risk is very visualized. We use graph. So when you visualize the risk, you don't have to convince the developer or the DevSecOps that they need to be engaged into remediate that. Because when you visualize the risk, everyone is immediately engaged. So you can automatically assign this issue to you. You are the developer, I automatically push a PR for you. You fix your code, thumbs up.
Anton Chuvakin
>> And of course the guardrails come in because ideally you want certain things to never appear. And in that sense, I'd rather not have rapid response. I'd rather have some things to be secured out of existence, eliminate the entire classes of vulnerabilities, which is built by making guardrails for developers so they can do whatever they want, but they cannot do X, Y and Z because X, Y and Z would ruin your company. I'm being overly dramatic, but to me, guardrails is where you also apply to what developers can do. So play in the sandbox, but don't open this to outside. This privilege can never be given to this entity or team because they're open to outside. There are many other examples, especially in IAM and in network access. So to me, guardrails play another critical pillar to this.
Oron Noah
>> And also I think we need to nurture this culture of being security aware, okay. Take a look for an engineer perspective. You do not push code to production without PR. You do not build something without design review. So don't build something without security review in the very beginning of the process. Don't wait for things to be running in the cloud, then security team will tell you, "Oh, you build it the wrong way from a security perspective." So also nurturing a security culture in the organization help everyone be more secure and build security by design, which I think is hard work.
Anton Chuvakin
>> This part is hard work, but it's also without it it's not going to move. We're going to still be dealing with buffer flows in 10 years if we don't change it.
Dave Vellante
>> I was happy at Google Cloud Next to hear one of the keynotes, I don't remember, it was TK or whomever said, "Hey, the world's not going to move everything into the cloud. The reality is with AI, some people want to bring the AI to the data, it'll live on-prem." And I remember when the cloud first started to take off, it wasn't that the cloud had bad security, or it had better security actually, it was just different than what people were used to. And they had to go through a process to say, okay, our edicts are a little different. And this took some time. So my question is, with AI being everywhere, all at once, every place all at once, what's the on-prem story that you guys have? How do you see that from a trend standpoint shaping up? Is it valid that the people are going to bring AI to the data on-prem? How do you approach that and what's your story there?
Anton Chuvakin
>> Depending on who you ask. The percentage of workloads that are still largely not moved into cloud is, what was it, like 80% or 70%?
Dave Vellante
>> I think it's more like-
Anton Chuvakin
>> Hard to say, yeah.
Dave Vellante
>> 60 maybe. Okay, whatever. It's a lot.
Anton Chuvakin
>> Yeah, you're right. There's a range of who you ask. But it's a lot. Yeah. And to me that means that if you do data security, if you do network security, you have to deal with on-prem as well. It's maybe less of a Wiz question, but of course in our case, we have to deal with customers, we have to deal with regional customers, have to deal with cloud laggers in case of Chronicle for example.
Oron Noah
>> So to be honest, I do think a lot of companies, I think hybrid is still a thing. And guess what? We also now do things in the on-prem. Okay. We basically acquire a company named Dazz, like in 2024. And basically they're able to connect to other scanners like Qualys, Tenable, Rapid7, that scan on the on-prem. And basically now we're able also to connect to those scanners. And our runtime sensor is also getting into the on-prem. So it's a thing, it needs to be solved and hybrid. It's still something that we need to solve.
Anton Chuvakin
>> It probably would be real for the good number of years.
Oron Noah
>> Yes.
Dave Vellante
>> I want to share something with you. My last question, maybe it's a little tease of your roadmap or whatever you're comfortable doing here. Our partners at ETR, Enterprise Technology Research, we just did a state of the cloud security annual thing and they had a question. There was 500 respondents. "If you could completely rebuild your cyber security stack, what one product or vendor would you most prioritize," and the most popular choice... It's okay, it happens. Maybe we got you covered. Don't worry. It's all good. The most popular choice wasn't a vendor. It was we want features, which is interesting. Okay. Which features? Number one was MFA and identity, number two was EDR XDR. And then three was really interesting. It was like we want a platform, like the holy grail of platforms. I wonder if you could comment on that and maybe a little tease of the things you're working on that you're excited about.
Oron Noah
>> So I think Wiz today, if you take a look about our journey, we become a platform. Okay. That's why we have cloud concept, code, pipeline runtime, and also address on-prem. Because as you mentioned, customer wants a platform because a platform really help you democratize cloud security. More teams in the organization will basically engage in one single platform that can help you remediate fast, response faster to threats. And that I think it's very interesting that they choose that. Having said that, I'm not surprised.
Anton Chuvakin
>> Yeah. That's true. MFA is a very logical answer as well because with MFA you stop certain things from ever appearing. Well, MFA done well. So to me, MFA is not surprising. Endpoint is a little surprising and I think the platform is not surprising again. But you know what? We are at RSA, there are 3000 security vendors and platforms among them, like Wiz and like others, people still buy best of breed tools as well. So it's almost like they want platforms, but who funds all this stuff? End users do.
Dave Vellante
>> Well, we had a question in there about that, and we asked last year. Last year we asked to what degree are you able to essentially consolidate the number of vendors in your security stack? And essentially last year it was increasing the number of vendors. This year we're starting to see at least the consolidation is flat, but we're seeing the tools creep slow down. And so it looks like there's evidence, the tools creep is slowing. So will see what that means. But you talk to CISOs, they still have to go with best of breed for certain situations.
Oron Noah
>> By the way, Wiz is an open security platform. So the product today can integrate with more than 150 different integrations. We have basically a platform that we call it like WIN, it stands for Wiz Integration Network. So we integrate with many other product. Some of them are complementary to Wiz. I'll give you an example, like Data Lakes of the world. Another identity, you mentioned identity provider. So we also partner with them. Network security company. So the goal is as an open security platform, yes. If you want to streamline the operational flow, most of the time you do have other tools in your security stack. And it's much better that the different tools will integrate and interact with each other. Then like, oh, this is my domain, this is your domain, let's not integrate.
Dave Vellante
>> So that's how you with WIN avoid the whole lock-in argument.
Oron Noah
>> Exactly.
Dave Vellante
>> 'Cause you're delivering tight integration with whether it's Mandiant or Chronicle or-
Oron Noah
>> Yes.
Dave Vellante
>> Okay, makes sense. Guys, I would love to have you back and go deeper, but out of time. Thank you so much. Really appreciate your time.
Oron Noah
>> Thank you so much.
Dave Vellante
>> And thank you for watching. Keep it right there. This is Dave Vellante. The whole crew is here. John Furrier, Jon Oltsik, Jackie McGuire. You're watching theCUBE's coverage of RSAC 2025. We're right back in Moscone West right after this short break.