# Wiz Integration

## Overview

The Wiz integration sends cloud security findings into Keeper Cloud Security for remediation. It is built for issues that need credential rotation, managed onboarding, or tighter privileged access controls.

### Why integrate Wiz with Keeper

Wiz identifies exposed identities, risky access paths, and cloud misconfigurations. Keeper helps you act on those findings by turning them into managed privileged access controls.

This integration helps you:

* send relevant Wiz findings directly to Keeper
* remediate identities and resources with KeeperPAM controls
* keep remediation status aligned across both systems

### How the workflow works

The remediation flow is:

* An admin receives a finding in Wiz.
* The admin reviews the finding and sends it to Keeper for remediation.
* A Keeper admin receives the finding and maps the affected resource in Keeper.
* After remediation, Keeper marks the finding in Wiz as in-progress.
* After the next Wiz validation cycle, the issue is cleared if the risk is resolved.

Keeper uses [Keeper Encrypter](/keeperpam/privileged-access-manager/cloud-security/keeper-encrypter.md) to preserve zero-knowledge architecture during this exchange.

### User experience

After you configure the integration, findings pushed from Wiz appear in the **Cloud Security** dashboard. Admins can review each issue, ignore it, delete it from Keeper, or start remediation.

When an admin selects **Resolve**, they can onboard a new resource or map the issue to an existing KeeperPAM resource.

After the resource is mapped, the admin can remediate the issue with KeeperPAM controls. Streamlined remediation is currently available for credential rotation.

The admin can then adjust the rotation profile if needed and perform the rotation.

Keeper automatically notifies Wiz after remediation starts. The issue then moves to the **In Progress** tab.

After Wiz completes a new scan and confirms the risk is gone, the issue moves from **In Progress** to **Resolved**.

## Setup

{% stepper %}
{% step %}

### Deploy Keeper Encrypter

Deploy [Keeper Encrypter](/keeperpam/privileged-access-manager/cloud-security/keeper-encrypter.md) before you activate the Wiz integration. It receives Wiz webhook traffic and encrypts the integration flow inside your environment.
{% endstep %}

{% step %}

### Select a PAM Configuration

In your PAM Configuration:

* Select the gateway you created during Encrypter setup.
* Select the shared folder that stores the encryption key.
* Choose **Wiz** as the CNAPP status provider.

After you select the provider, choose the CNAPP configuration record created earlier and complete the setup.
{% endstep %}

{% step %}

### Verify the Encrypter connection

Use the **Verify Connection** tab to connect Keeper Encrypter to this PAM Configuration.

Use these values from the UI:

* Set `NETWORK_UID` in the Encrypter `.env` file to the **Network UID** value.
* Set `KSM_CNAPP_CONFIG_RECORD_ID` in the Encrypter `.env` file to the **CNAPP Configuration Record UID** value.

Click **Verify**. A green checkmark confirms that Keeper Encrypter is connected successfully.
{% endstep %}

{% step %}

### Authorize Wiz

In the second tab, enter the credentials provided by Wiz and click **Authorize**.

{% endstep %}
{% endstepper %}
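
A pre-flight check for the two `.env` values set in the **Verify the Encrypter connection** step, run before clicking **Verify**. This is an added example, not Keeper tooling: it assumes a plain `KEY=VALUE` file, and the function names `env_value` and `check_encrypter_env` and the sample UIDs are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm the Encrypter .env file defines both values from the
# Verify Connection tab. Assumes KEY=VALUE lines, optionally prefixed with
# "export" and optionally quoted. Not part of Keeper Encrypter.

# Print the last value assigned to key $2 in file $1 (empty if unset).
env_value() {
    awk -v key="$2" -v sq="'" '
        /^[ \t]*#/ { next }                       # skip commented-out lines
        {
            line = $0
            sub(/^[ \t]*(export[ \t]+)?/, "", line)
            eq = index(line, "=")
            if (eq == 0) next
            k = substr(line, 1, eq - 1)
            v = substr(line, eq + 1)
            gsub(/[ \t]/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            # strip one pair of matching surrounding quotes
            if (v ~ /^".*"$/ || v ~ ("^" sq ".*" sq "$")) v = substr(v, 2, length(v) - 2)
            if (k == key) val = v                 # last assignment wins
        }
        END { print val }
    ' "$1"
}

# Return 0 only if both required keys hold a plausible value.
check_encrypter_env() {
    file=$1
    rc=0
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    for key in NETWORK_UID KSM_CNAPP_CONFIG_RECORD_ID; do
        val=$(env_value "$file" "$key")
        case $val in
            ''|*'<'*|*' '*)   # empty, template placeholder, or stray text
                echo "$key: missing or not a usable value" >&2
                rc=1 ;;
        esac
    done
    return $rc
}

# Demo on a constructed file (sample UIDs are made up).
demo=$(mktemp)
printf '%s\n' 'NETWORK_UID="EXAMPLE-NETWORK-UID"' \
              'export KSM_CNAPP_CONFIG_RECORD_ID=' > "$demo"
if check_encrypter_env "$demo"; then echo "ready to verify"; else echo "fix .env first"; fi
rm -f "$demo"
```
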

