Your security findings as the attacker's target map: Wiz token abuse
A leaked read-only Wiz token changes nothing, yet it hands an attacker your prioritized map of exploitable weaknesses. Revoking it is not the end. You race to fix what was exposed.
Wiz is a cloud security posture tool, and its findings are a curated, prioritized map of your most-exploitable misconfigurations and attack paths. A read-only token changes nothing, yet it hands an attacker exactly the reconnaissance they want.
How the attack works
A read-only Wiz API token leaks from a SOAR integration. It is then used from an IP outside the integration's known egress and off its normal schedule to pull the issues and findings endpoint and the attack-path graph: the exact list of most-exploitable weaknesses. The session goes on to export resource inventory, public-exposure findings, and toxic-combination details for targeting, and minutes later a publicly exposed resource named in those findings sees unusual external connection attempts. The token cannot change anything, but it has become a targeting system. In ATT&CK terms this is T1580, Cloud Infrastructure Discovery, and T1526, Cloud Service Discovery, reached through T1552, Unsecured Credentials, and T1078, Valid Accounts.
Why it works
The output of a security tool is itself sensitive. The token was broadly scoped and stored without source restriction or monitoring, so one credential read your whole weakness map.
How to fix it
The non-obvious move is that revoking the read-only token is not the end, because the attacker already holds your prioritized weaknesses. Revoke the token and rotate the integration, then treat the surfaced top findings as compromised intelligence and race to fix those exact attack paths before they are exploited. Raising the severity threshold just hides findings. For the class fix, scope security-tool tokens to least privilege, store them in a secret store with rotation, restrict access by source, and monitor for off-pattern reads of findings and attack-path data. The Wiz audit and API logs, filtered to the token and the time window, name exactly what was read, and that list becomes your remediation priority.
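The two detection and response steps above (flag off-pattern reads of findings data by a known integration token, then turn what was read into a remediation list) can be exercised on audit-style logs. The following is an added example, not Wiz's own code or log schema: the field names, the baseline for the integration token, the operation names, and the log lines are all constructed, simplified stand-ins for whatever the real audit export contains.

```python
"""Flag off-pattern reads of security-findings data in constructed, Wiz-style
API audit logs, then rank the resources those reads surfaced for remediation.

Added example; the log schema and baseline below are assumptions, not Wiz's.
"""
import ipaddress
from collections import Counter
from datetime import datetime, timezone

# Baseline for the SOAR integration's read-only token (constructed values):
# where it normally calls from, when, and which operations it normally runs.
BASELINE = {
    "token_id": "svc-soar-readonly",
    "allowed_egress": ["203.0.113.0/24"],     # documentation range, constructed
    "active_hours_utc": (8, 18),               # integration runs in business hours
    "expected_ops": {"Issues", "Findings"},    # operations it is built to call
}

# Operations whose output is a targeting map when read by the wrong party.
SENSITIVE_OPS = {
    "Issues", "Findings", "AttackPaths", "ToxicCombinations",
    "PublicExposures", "ResourceInventory",
}

# Constructed audit log events: the first two are the integration's normal
# behaviour, the rest are the 02:41-02:50 burst from an unfamiliar source.
SAMPLE_LOGS = [
    {"ts": "2024-05-02T09:15:00Z", "token_id": "svc-soar-readonly", "src_ip": "203.0.113.10",
     "operation": "Issues", "resources": ["bucket-a"]},
    {"ts": "2024-05-02T10:02:00Z", "token_id": "svc-soar-readonly", "src_ip": "203.0.113.10",
     "operation": "Findings", "resources": ["vm-web-1"]},
    {"ts": "2024-05-03T02:41:00Z", "token_id": "svc-soar-readonly", "src_ip": "198.51.100.77",
     "operation": "Issues", "resources": ["vm-web-1", "db-prod"]},
    {"ts": "2024-05-03T02:43:00Z", "token_id": "svc-soar-readonly", "src_ip": "198.51.100.77",
     "operation": "AttackPaths", "resources": ["vm-web-1", "db-prod", "role-admin"]},
    {"ts": "2024-05-03T02:47:00Z", "token_id": "svc-soar-readonly", "src_ip": "198.51.100.77",
     "operation": "PublicExposures", "resources": ["vm-web-1"]},
    {"ts": "2024-05-03T02:50:00Z", "token_id": "svc-soar-readonly", "src_ip": "198.51.100.77",
     "operation": "ResourceInventory", "resources": []},
]


def off_pattern_reasons(event, baseline):
    """Return the ways one event deviates from the token's baseline (empty = normal)."""
    reasons = []
    ip = ipaddress.ip_address(event["src_ip"])
    if not any(ip in ipaddress.ip_network(cidr) for cidr in baseline["allowed_egress"]):
        reasons.append("source outside known egress")
    ts = datetime.fromisoformat(event["ts"].replace("Z", "+00:00")).astimezone(timezone.utc)
    start, end = baseline["active_hours_utc"]
    if not start <= ts.hour < end:
        reasons.append("outside normal schedule")
    if event["operation"] in SENSITIVE_OPS and event["operation"] not in baseline["expected_ops"]:
        reasons.append("operation not used by this integration")
    return reasons


def detect(events, baseline):
    """Filter the log to the token of interest and keep only off-pattern events."""
    alerts = []
    for event in events:
        if event["token_id"] != baseline["token_id"]:
            continue
        reasons = off_pattern_reasons(event, baseline)
        if reasons:
            alerts.append({**event, "reasons": reasons})
    return alerts


def remediation_priority(alerts):
    """Rank resources by how many off-pattern reads surfaced them: the
    attacker's target map, read back as the defender's fix-first list."""
    counts = Counter(r for alert in alerts for r in alert["resources"])
    return [resource for resource, _ in counts.most_common()]


if __name__ == "__main__":
    alerts = detect(SAMPLE_LOGS, BASELINE)
    for alert in alerts:
        print(alert["ts"], alert["src_ip"], alert["operation"], "|", ", ".join(alert["reasons"]))
    print("fix first:", remediation_priority(alerts))
```

The baseline is deliberately three-dimensional (source, schedule, operation set) because a stolen integration token that is replayed from the integration's own egress during its normal window still stands out when it starts calling attack-path and public-exposure operations the integration never used. The ranking is by read frequency only; in practice you would weight it by the severity Wiz already assigned to each finding, since that severity is exactly what the attacker was reading.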
Practice it
We built this as a GraphLattice Range scenario so teams can rehearse the recon read, the revoke-and-race-to-fix containment, and the framing that impact is elevated exploitation risk, not a count of records taken.