Google Cloud links Wiz exposure data with threat intel
Wed, 8th Jul 2026 (Today)
Google Cloud has begun integrating Google Threat Intelligence with Wiz Attack Surface Management, linking external exposure data with real-time threat intelligence.
The aim is to help security teams identify which internet-facing weaknesses are not only present but actively targeted by attackers. Google said the integration is intended to improve how organisations prioritise remediation and threat-hunting work.
Under the approach, exposure data from Wiz Attack Surface Management will feed into the Google Threat Intelligence correlation engine. This is meant to let customers match assets such as domains, IP addresses and application interfaces with intelligence on adversary infrastructure and campaign activity.
Security teams are under pressure to sift through growing volumes of alerts as artificial intelligence speeds up both vulnerability discovery and exploitation. By combining knowledge of exposed assets with intelligence on active attacker behaviour, the integration is intended to reduce the number of issues that demand immediate attention.
How it works
Wiz Attack Surface Management is designed to map an organisation's external attack surface across cloud, artificial intelligence, software-as-a-service and on-premises environments. It identifies exposed assets and scans for exploitable vulnerabilities, misconfigurations, default credentials, exposed secrets and sensitive data.
Google Threat Intelligence, meanwhile, tracks adversary infrastructure and campaigns in real time. Correlating those feeds with exposure data is intended to show which weaknesses carry more immediate operational risk because they align with current attacker activity.
The companies are also working on a deeper native integration. Google said this would automate the flow of exposure data into its threat intelligence engine, giving defenders a more direct way to prioritise remediation and threat hunting around issues attackers are exploiting in the wild.
Behaviour focus
Another planned element is behaviour-based guidance tied to alerts on critical risks. Google said the guidance is expected to describe how an attacker typically behaves after exploiting a vulnerability, including the host commands or malware that may be used after initial access.
That information could give defenders more context when investigating whether exploitation has already occurred inside their environment. Rather than stopping at the identification of an exposed flaw, the system is positioned to support follow-on hunting for indicators linked to known attacker tradecraft.
The announcement also highlights the role of the Wiz Red Agent, which uses artificial intelligence to scan for logic-driven vulnerabilities. These include authentication bypasses, business logic flaws and multi-step attack chains that can be harder for conventional scanning tools to detect.
Such issues often sit outside straightforward software defects because they arise from how applications behave across several steps or under unusual conditions. By combining those findings with threat intelligence, the vendors aim to give customers a narrower set of risks to examine first.
Wider pressure
The tie-up reflects a broader shift in cyber security towards prioritisation rather than simple inventory building. Many organisations already know they have large numbers of vulnerabilities and exposed assets, but often struggle to determine which weaknesses matter most at any given moment.
Attack surface management tools have grown in use as companies expand across cloud services, software subscriptions and hybrid infrastructure. At the same time, threat intelligence platforms have been used to track criminal groups and state-backed campaigns, though the practical link between global intelligence and a single company's exposed assets has often been difficult to operationalise.
Google is positioning the integration as a way to bridge that gap, saying customers will be able to focus on the exposures adversaries are targeting in the wild and use real-time threat intelligence to prioritise remediation efforts and threat-hunting activities.