Today, we are thrilled to announce the Public Preview of the Wiz Runtime Sensor for Windows. This milestone brings the same unified protection Wiz customers rely on for Linux and Container workloads to the Windows ecosystem. By extending the Wiz Runtime Sensor to Windows, security teams can now monitor, detect, and respond to threats across their entire hybrid environment in Wiz.
This completes the security lifecycle for Windows workloads in Wiz, adding real-time monitoring and active threat response to the agentless visibility across Code, Pipeline, and Cloud that our customers already leverage today. By bringing this runtime visibility to Windows, we are enabling a truly unified approach to threat detection across the hybrid cloud. You now get a consistent security experience across:
- Virtual Machines: High-fidelity monitoring and inventory for both Windows and Linux instances.
- Modern Infrastructure: Full parity across Kubernetes clusters (including Windows nodes).
- Multi-Cloud & Hybrid: Seamless coverage for workloads across Azure, AWS, GCP, and hybrid environments.
Key Challenges Solved by the Wiz Runtime Sensor for Windows
Building a security agent for Windows requires a deep respect for system stability. For many administrators, the agent tax is not just about CPU cycles; it's about the risk of a kernel-level failure crashing a mission-critical server. We designed the Wiz Runtime Sensor to solve these architectural hurdles head-on with three guiding principles:
- Minimal Kernel Footprint: Unlike traditional EDRs that run heavy logic in the kernel, we move definition parsing and rule engines to the user space. Our minimalist kernel module registers only with Windows security APIs and forwards data, resulting in a thinner, more reliable driver.
- Memory-Safe Implementation: We've mitigated the memory corruption and pointer errors common in C-native code. By building our user space and substantial parts of the kernel space in Rust, we inherently prevent the types of errors that cause the Blue Screen of Death.
- Predictable Resource Consumption: The Wiz Runtime Sensor maintains a low-impact profile that adjusts to your instance size. While typically capped at 0.5 cores and 500 MiB, its boundaries scale intelligently on larger systems to ensure high-performance environments remain secure without resource contention.
With this foundation of stability, we can solve the following challenges for Windows in modern cloud environments:
Real-Time Threat Detection and Response for Windows
Detection should not happen in a silo. When the Wiz Runtime Sensor identifies suspicious process activity, such as an LSASS memory dump or unauthorized access to cloud instance metadata service (IMDS) credentials, it does more than just fire an alert. Through Wiz Defend, these workload-layer signals from the sensor are automatically correlated with cloud-native telemetry to provide a single, unified timeline of the attack.
By combining sensor data with cloud control plane logs, Wiz tells the full story of an attack. For example, you can see if a suspicious Windows process was preceded by a login from an unusual IP address in Azure, or if it is currently attempting to steal cloud credentials from the Instance Metadata Service. This cross-layer correlation turns isolated events into actionable incidents with clear context.
To empower SecOps teams with granular control, the Wiz Runtime Sensor for Windows moves beyond monitoring and detecting threats to helping you respond to them:
- Custom Detection Rules: Tailor threat logic to your environment's unique security requirements, ensuring you catch the specific behaviors that matter most to your fleet.
- Automated Runtime Response: Implement policies that automatically terminate malicious processes based on specific rules or threat categories, stopping an attack before it escalates.
- Context-Aware Forensics: Streamline investigations with the automatic capture of logs, suspicious binaries, and scripts at the exact moment of detection. This ensures high-value evidence is preserved and available directly within the Wiz platform.
Runtime Risk Validation: Mitigating Vulnerability Fatigue
The biggest challenge in vulnerability management is not finding vulnerabilities; it's prioritizing and fixing the ones that are actually exploitable. A single Windows server might report hundreds of critical vulnerabilities, but if the vulnerable libraries are never actually loaded into memory, they pose no immediate risk to your environment.
The Wiz Runtime Sensor enables Runtime Validation to help vulnerability management teams prioritize fixing the vulnerabilities that are loaded into memory. By monitoring which DLLs and packages are actively loaded into memory and executed on your Windows servers, Wiz identifies which vulnerabilities are in use. This allows you to deprioritize fixing the vulnerabilities that are not being executed and focus your remediation efforts on the active risks that attackers could actually exploit today.
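The prioritization idea described above, as an added example that is not Wiz code and does not reflect how the sensor is implemented. The findings, module observations, and function names are constructed for illustration; the point it shows is that scanner paths and runtime-reported module paths must be canonicalized before they can be joined.

```python
import ntpath
from collections import defaultdict

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed scanner findings: each names the file that carries the vulnerable code.
FINDINGS = [
    {"id": "FINDING-A", "severity": "high", "path": r"C:\Program Files\App\bin\libparse.dll"},
    {"id": "FINDING-B", "severity": "critical", "path": r"C:\Tools\legacy\imgcodec.dll"},
    {"id": "FINDING-C", "severity": "critical", "path": r"C:\inetpub\site\bin\Auth.Helper.dll"},
]

# Constructed module-load observations: (pid, process name, module path as reported).
LOADED_MODULES = [
    (4120, "appsvc.exe", r"\\?\C:\Program Files\App\bin\LIBPARSE.DLL"),
    (5288, "w3wp.exe", r"c:/inetpub/site/bin/..\bin\auth.helper.dll"),
    (5288, "w3wp.exe", r"C:\Windows\System32\kernel32.dll"),
]

def canonical(path):
    """Fold a Windows path to one comparable form: drop the \\\\?\\ prefix,
    collapse '..' segments, unify separators, and lowercase."""
    if path.startswith("\\\\?\\"):
        path = path[4:]
    return ntpath.normcase(ntpath.normpath(path))

def prioritize(findings, loaded_modules):
    """Split findings into (observed loaded, not observed), each sorted by severity.

    'Not observed' only means no load was seen in the data supplied; a
    point-in-time snapshot misses modules loaded and unloaded in between."""
    loaded_by = defaultdict(set)
    for pid, name, module in loaded_modules:
        loaded_by[canonical(module)].add((pid, name))

    observed, not_observed = [], []
    for finding in findings:
        procs = loaded_by.get(canonical(finding["path"]))
        if procs:
            observed.append({**finding, "loaded_by": sorted(procs)})
        else:
            not_observed.append(finding)

    by_severity = lambda f: SEVERITY_ORDER[f["severity"]]
    return sorted(observed, key=by_severity), sorted(not_observed, key=by_severity)

if __name__ == "__main__":
    active, dormant = prioritize(FINDINGS, LOADED_MODULES)
    for f in active:
        print("fix first:", f["id"], f["severity"], f["loaded_by"])
    for f in dormant:
        print("deprioritize:", f["id"], f["severity"])
```
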
Closing the Cloud Security Gap for Windows
Windows has long been a complex piece of the cloud security puzzle, but it shouldn’t be a blind spot. By bringing our sensor to Windows, we are empowering organizations to protect their entire cloud estate with a single, unified platform. From elastic cloud instances to complex Kubernetes environments, Wiz now provides the stable architecture and deep context needed to secure the modern multi-cloud enterprise.
Whether you are looking to stop active threats in real time or want to cut through the noise of a growing vulnerability backlog, the Wiz Runtime Sensor for Windows is ready to help you protect your most critical cloud assets. This unified approach ensures that security is no longer a trade-off between visibility and performance, but a powerful advantage for your business.
Ready to try the sensor? Follow our documentation (login required) to get started with the Wiz Runtime Sensor for Windows today.