Escape + Wiz: Unified Cloud Security, Application Discovery and DAST for Modern Applications

Escape and Wiz help customers understand the full context, assign clear ownership, and empower security and development teams to work smarter, faster, and more confidently to integrate security into applications early in the development lifecycle.

Overview of the Integration

As cloud adoption accelerates and application environments grow more complex, understanding what's exposed—and mitigating risks—across the full spectrum, from code to the cloud, has become essential. Escape and Wiz bring together two unique strengths: Wiz excels at identifying cloud infrastructure vulnerabilities, while Escape focuses on the application layer to uncover risks such as API exposures, sensitive data leaks, and business logic flaws with its DAST. Together, Escape and Wiz help customers understand the full context, assign clear ownership, and empower security and development teams to work smarter, faster, and more confidently to integrate security into applications early in the development lifecycle.

Integration Benefits:

  1. Practical Code-to-Cloud Security: Large organizations often struggle to bridge application-level exposures with cloud infrastructure insights. Now, they can correlate both from Escape & Wiz, track them back to the same responsible teams, and reduce friction between dev, ops, and security.
  2. Immediate Assignment: If Escape finds a user associated with the Wiz application, the moment Escape's DAST finds a security issue that's also a Wiz issue, you know exactly which team needs to address it. No more guesswork, no more rummaging through outdated Confluence pages or domain registries.
  3. Reduced Operational Overhead: Security Engineers spend less time “hunting” for who owns what and how to prioritize your API and Web App risks. Instead, they can devote their energy to actually securing the organization.
  4. Acceleration of Remediation: When ownership data is at your fingertips, the gap between detection and remediation shrinks from weeks or months to days or even hours. This empowers you to confidently integrate security into applications early in the development lifecycle.
  5. One Unified View: All vulnerabilities and CWEs—from exposed S3 buckets to API logic flaws—flow into a single Wiz interface. This “single pane of glass” eliminates information silos and drastically reduces the likelihood of serious issues slipping through the cracks.

How it works

Figure: Escape's Integration with Wiz, from EASM to DAST & ASM Vulnerability Enrichment

  1. Wiz External Attack Surface Management finds exposed cloud resources and hands them over to Escape.
  2. Escape Inventory then identifies, fingerprints, and classifies these resources as specific application assets—such as APIs, Single-Page Applications (SPAs), and more.
  3. With this enriched information, Escape Agentless Security Testing runs at scale on the applicative assets, including APIs, without needing any network interception or agent installation.
  4. Finally, all the vulnerabilities, exposed secrets, findings and remediations are fed back into the Wiz Security Graph using DAST & ASM Vulnerability Findings enrichment, merging both infrastructure and application-level insights into a single, unified view.

Better together

With the number and complexity of modern cloud-native applications increasing, securing them has become critical for organizations. Escape's integration with Wiz provides a unified solution for the security of modern cloud-native applications from code to cloud.

Escape ingests network exposure data from Wiz, identifies whether an asset is exposed and what type of application it is, and maps it to code repositories and owners. Once resources are linked, Escape runs large-scale DAST scans to uncover business logic vulnerabilities, API misconfigurations, and sensitive data leaks. Each newly identified CWE finding and its corresponding remediation are fed back into Wiz and automatically enriched with available project ownership data, merging both infrastructure and application-level insights into a single, unified view. By consolidating findings into one seamless workflow, organizations gain end-to-end visibility across all environments, prioritize threats with full cloud context, and enhance security—without slowing development speed.

Use case overview

Secure cloud-native APIs, SPAs, and microservices, even at the business logic level. Organizations with large or rapidly scaling technology stacks need a solution that not only identifies but also helps resolve threats without compromising development speed.

Challenge

Modern applications are becoming increasingly complex and are often prime targets for attackers. With hundreds (or even thousands) of APIs and SPAs, finding business logic vulnerabilities and mapping resources to the right stakeholders for remediation can be time-consuming. Security teams often struggle to connect application-level vulnerability findings with cloud infrastructure insights, spending valuable time figuring out ownership and how to prioritize API and web app risks.

Solution

Escape's integration with Wiz empowers organizations to secure modern applications by combining Escape's large-scale DAST scanning with Wiz's agentless inventory, misconfiguration detection, and dynamic exposure scanning. Using previously ingested and enriched Wiz resources, Escape DAST identifies business logic vulnerabilities, API misconfigurations, and sensitive data leaks, then feeds these findings—including CWE classifications and remediations—directly into Wiz. This integration enriches security teams with valuable context and ownership data, enabling them to prioritize and remediate vulnerabilities more effectively. With this unified solution, organizations can detect risks quickly, gain clear ownership insights, and confidently embed security early in the development lifecycle.

Figure: Escape Vulnerability Finding with Remediation imported into Wiz

Set up the Integration

Escape can be connected to Wiz directly from the Wiz dashboard.

  1. Go to app.wiz.io
  2. Navigate to Settings > Integrations
  3. Click on Add Integration
  4. Search and click on Escape
  5. Give your integration a name, select all resources, and review the scope(s):
    • read:resources (mandatory)
    • read:network_exposure (for External Enrichment)
    • read:projects (for External Enrichment)
    • create:external_data_ingestion (for External Enrichment)
    • read:system_activities (for External Enrichment)
  6. After clicking Add Integration, you are given the Client ID, Client Secret, API Endpoint URL, and the Authenticate API.
  7. Copy and use them in Escape.

Dual-Binding Integration with DAST & ASM Vulnerability Findings External Enrichment

Pushing Escape's results directly into Wiz is available using Escape's Workflows. To enable this integration, you need to create a new Workflow and choose your Wiz integration as the destination.

Figure: Example of an Escape Workflow to push DAST findings into Wiz

How does the linking between Escape findings and Wiz resources work?

  • Extracting Data: Escape extracts external exposures that include application endpoints.
  • Matching Subdomains: The subdomains found in these application endpoints are matched against the API services in Escape Inventory.
  • API Discovery: Escape also searches for any APIs that do not yet exist in Escape Inventory.
  • Linking to Wiz: The API services in Escape Inventory contain links to the corresponding Wiz Provider IDs. When a DAST scan completes, data for each API is automatically pushed to the Wiz API using an Escape Workflow. The Workflow is triggered individually for each API scan.
  • Batching Uploads: Note that “end of scan” events can be grouped over periods such as 1 hour, 6 hours, or several days if needed. This helps accumulate data and reduces the frequency of uploads.
  • Issue Lifecycle: If an issue disappears from one scan to the next, it will be removed from Escape accordingly. Typically, Escape's scheduling system runs scans regularly, which in turn ensures that uploads to Wiz occur on a regular basis.
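
The matching, linking and batching steps listed above, sketched as an added example; this is not Escape's or Wiz's code. The record fields, IDs, hostnames and function names are assumptions made for illustration, and the sample data is constructed.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample data. Field names and IDs are assumptions for this
# example, not the Wiz or Escape schema.
EXPOSURES = [
    {"provider_id": "wiz-res-001", "endpoint": "https://API.shop.example.com:443/v1/orders"},
    {"provider_id": "wiz-res-002", "endpoint": "https://auth.example.com/login"},
    {"provider_id": "wiz-res-003", "endpoint": "http://legacy.example.com./status"},
    {"provider_id": "wiz-res-004", "endpoint": "not a url"},
]
INVENTORY = {"api.shop.example.com": "svc-orders", "auth.example.com": "svc-auth"}
# (service id, scan end time in epoch seconds)
SCAN_EVENTS = [("svc-orders", 1000), ("svc-auth", 2500),
               ("svc-orders", 3400), ("svc-auth", 4000)]


def normalize_host(endpoint):
    """Return the lowercase hostname without port or trailing dot, or None."""
    host = urlsplit(endpoint).hostname
    return host.rstrip(".") if host else None


def link_exposures(exposures, inventory):
    """Match exposure hostnames against inventory services.

    Returns (links, undiscovered): links maps service id -> provider IDs;
    undiscovered lists hosts with no inventory entry (discovery candidates).
    """
    links, undiscovered = defaultdict(set), set()
    for exp in exposures:
        host = normalize_host(exp["endpoint"])
        if host is None:
            continue  # malformed endpoint: nothing to match on
        if host in inventory:
            links[inventory[host]].add(exp["provider_id"])
        else:
            undiscovered.add(host)
    return {s: sorted(p) for s, p in links.items()}, sorted(undiscovered)


def batch_uploads(scan_events, window_seconds):
    """Group end-of-scan events into fixed windows: one upload per service per window."""
    batches = defaultdict(set)
    for service_id, finished_at in scan_events:
        batches[finished_at // window_seconds].add(service_id)
    return {w: sorted(s) for w, s in sorted(batches.items())}
```

Normalizing the hostname before matching matters: case differences, explicit ports and trailing dots would otherwise leave an exposed service unlinked and its findings without an owner.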