Wiz UX Research — Decision Architecture and User Journey
1. Executive Summary
Wiz feels modern less because it has a graph, AI, or flashy security visuals, and more because its pages are arranged around a decision sequence. Public Wiz materials repeatedly present a consistent reading order:
- identify the risk
- explain why it matters
- show who should handle it
- surface the next action
- keep evidence available for validation
That is the core lesson for SecurityV0.
SecurityV0 already has a lot of the right raw material: deterministic findings, evidence strength, path-level truth, ownership concepts, remediation guidance, drift deltas, and emerging grouped action views like Top Risk Reducers. The problem is not lack of data. The problem is that the product still often makes the analyst do the orchestration mentally.
Today, SV0 frequently asks the user to infer the story by stitching together severity, explanation, ownership, scope drift, execution history, and remediation across multiple cards and pages. Wiz, by contrast, compresses that work into the page architecture itself.
The main conclusion is:
SecurityV0 should not imitate Wiz feature-for-feature. It should imitate Wiz’s decision architecture while preserving SV0’s deterministic, accountable-review model.
That means:
- keep the atomic path/finding/evidence layer
- add stronger grouped action views above it
- reorganize pages around reading order, not data availability
- make ownership, safest-first-action, and proven-vs-inferred impossible to miss
- present scope drift as a change event with before/after and cause, not as a static condition label
If SV0 does that, it can feel more modern without becoming generic CNAPP software.
2. User journey comparison (Wiz vs SV0 — narrative)
Wiz: from login to action
A typical analyst journey in Wiz, based on public product posts, integration pages, and review language, appears to work like this:
The analyst lands on a role-scoped view, not an undifferentiated universe. Wiz Lens explicitly markets role-based views for executives, SecOps, data security, and AppSec. That matters because the user is not first asked to decide how to frame the environment; the product frames it for them.
The first screen emphasizes a curated posture story: top trends, highest-priority Issues, team progress, or scoped risk. The analyst’s first decision is usually not “what data should I filter?” but “which of these already-prioritized issues deserves attention?”
From there, the analyst clicks into an Issue. Public Wiz material consistently describes the Issue as an already-correlated risk object, often a “toxic combination.” That means the click does not open a raw finding row; it opens a pre-composed security story. The page tends to answer, in order:
- what issue exists
- what resources/data/identities are involved
- how it could be exploited or what blast radius exists
- who owns it
- what remediation strategy to follow
Then the analyst can act immediately. Public sources describe:
- one-click assignment
- create ticket from the issue context
- workflow automation
- AI-generated or strategy-specific remediation steps
- routing to Jira/Slack/owners
So the effective journey is usually:
login → choose/top-priority scoped issue → validate context → assign or ticket or remediate
For a common case, the click path appears to be about 2–4 clicks to action:
- open Wiz / land in lens or issue-oriented dashboard
- click a prioritized issue
- click assign / create ticket / run action
- optionally choose remediation strategy or target output format
The key design advantage is not just fewer clicks. It is that the decision tree is shallow. Wiz has already collapsed many possible raw findings into a smaller number of action objects, so the analyst does not need to build their own triage model first.
SecurityV0: from login to action
SV0 currently has two partially overlapping journeys.
Journey A: overview to cluster to path to action
The analyst lands on the Overview page. The page does include useful business framing: observed autonomous execution, drift activity, risk-cluster cards, and top risks. This is directionally right.
But from there the user still has to choose how to enter the problem:
- click a risk cluster card
- click into authority paths
- click into findings
- or click into a specific top risk path
That means the first analyst decision is often about navigation model, not risk handling.
If they click a risk cluster card, they reach the strongest current SV0 flow. The Risk Cluster Detail page is the clearest example of Sergey’s desired architecture already beginning to appear:
- What Happened
- Am I Exposed?
- Governance Condition
- How Do I Fix It?
- then the detailed path table underneath
That reading order is much closer to Wiz.
From there, the user can:
- inspect top risk reducers
- open a path
- copy ticket content from a modal
- drill into path-level rows
This is better than the raw findings flow, but action still has friction. “Create Ticket” currently generates copyable text rather than completing a first-class downstream action. The user still does more operational glue work than in Wiz.
Journey B: findings list to finding detail
The findings journey is more traditional and more fragmented.
The user lands on Findings, sees a table with severity/type/status/description/evidence, and chooses a row. The list has good filter affordances and now defaults to severity-desc and active status, but it still behaves like a table of items rather than a queue of decisions.
After clicking a finding, the user lands on a vertically stacked detail page:
- header
- explanation
- inline path visualization
- recommended actions
- scope drift detail if applicable
- evidence completeness
- evidence pack
- metadata
The pieces are there, but they are still laid out like a dossier. The analyst must infer:
- what is proven vs inferred
- why this matters in business terms
- what the safest first action is
- who owns the response
That is exactly the gap Sergey called out.
Journey C: authority paths as a truth layer
Authority path detail is closer to the product’s wedge. It contains strong detail around:
- path header and activity state
- diagram/context
- findings on the path
- remediation
- ownership / mitigation tracking
But it is still carrying too much semantic burden. It is acting simultaneously as:
- inventory page
- evidence page
- review page
- action page
- ownership page
That increases cognitive branching. The analyst is often not sure whether they are supposed to treat the page as something to review, something to assign, or something to remediate.
Net comparison
Wiz’s journey is optimized around decision compression. SV0’s journey is optimized around truth exposure.
SV0 should keep truth exposure. That is the moat. But it needs a stronger decision layer on top of it.
The target journey for SV0 should become:
login → see grouped action surfaces → open one brief → understand what changed / why it matters / who owns it / safest first action → validate evidence only if needed → track accountable action
That is not feature copying. That is reading-order discipline.
3. The 3-second test results per page
Dashboard / overview
Wiz
In 3 seconds, the user likely understands:
- whether risk is trending up or down
- which issues or domains need attention now
- whether they are looking at a role-relevant view
- whether the platform already has an opinion about priorities
Why: public Wiz material emphasizes curated, role-specific, trend-oriented summary views. Lens is specifically about scoped relevance. Reviews repeatedly mention clarity, prioritization, and “issue tab” usefulness.
SecurityV0
In 3 seconds, the user understands:
- this is about autonomous execution / NHI exposure
- there is drift activity
- there are clusters and some top risks
- there are business metrics like sensitive domains reached
What is good:
- the page has a product-specific voice
- the risk-cluster cards are much closer to a decision surface than older raw-metric dashboards
- drift activity is called out near the top
Where it fails the 3-second test:
- the page still presents multiple competing entry points rather than one dominant “start here” decision path
- metric tiles are informative but not yet tightly tied to the next action
- the analyst still has to infer whether they should go to findings, clusters, or paths
- “what should I do next?” is weaker than “what exists?”
Verdict
SV0 dashboard passes the identity test but only partially passes the action test.
List page
Wiz
In 3 seconds, the user likely understands:
- these are already-prioritized issues, not raw noise
- which items are most important
- what kind of issue each row represents
- whether there is a team/owner/ticket/action state attached
The list is not just inventory. It is a triage queue.
SecurityV0 Findings List
In 3 seconds, the user understands:
- there are findings with severity and type
- there are filters and summary pills
- evidence state exists
- this is a table of security items
What works:
- severity is visible
- evidence trust is present
- top severity/type pills help scanning
- filters and presets improve usability
Where it fails:
- the list still reads as a table of records, not a ranked action queue
- ownership is absent at row level
- safest first action is absent
- business impact is not visible inline
- grouped resolution is absent, so the user cannot tell whether 10 rows are 10 tasks or 1 IAM cleanup event
- even with evidence badges, the row does not quickly answer “why should I care right now?”
SecurityV0 Authority Paths List
In 3 seconds, the user understands:
- paths exist between workloads, identities, and destinations
- some have findings, ownership states, and execution activity
- grouped mode exists
Where it fails:
- the page is high-fidelity truth, but low immediate decisiveness
- terms like grouped/flat, active/present, findings, and execution require product understanding
- it still asks the analyst to do the grouping logic
Verdict
SV0 list pages pass on data visibility, fail on immediate decision architecture.
Detail page
Wiz
In 3 seconds, the user likely understands:
- exactly what the issue is
- how serious it is
- why it matters
- what remediation or response path is available
- that evidence and blast radius exist underneath
This is the strongest thing Wiz does. The detail page behaves like a brief for action.
SecurityV0 Finding Detail
In 3 seconds, the user understands:
- the finding type
- severity
- evidence strength badge
- status/source
That is not enough.
What is missing in the first read:
- business consequence in plain language
- clear owner
- safest first action
- whether this is isolated or part of a broader repeated problem
- whether the item is “proven” vs “inferred” in full sentence form, not just via badge
The current page tells the user what exists, then asks them to scroll for meaning.
SecurityV0 Risk Cluster Detail
In 3 seconds, the user understands:
- the exposure brief topic
- severity
- narrative summary
- exposure shape
- governance condition failures
- top fix groups
This is the page type that most closely passes the test.
Remaining issues:
- ownership is still not dominant enough
- ticketing still feels like clipboard assistance, not action completion
- the path table below can visually reintroduce density before the action decision is closed
SecurityV0 Authority Path Detail
In 3 seconds, the user understands:
- the exact path
- whether it appears active/confirmed/standing authority
- there is a create-ticket affordance
But the page still has mixed semantics around review vs remediation vs evidence. And Sergey’s April 1 feedback shows that status language and governance condition language can still create contradictions.
Verdict
- Wiz detail pages clearly pass the 3-second test.
- SV0 cluster detail nearly passes.
- SV0 finding detail does not yet pass.
- SV0 authority path detail is directionally promising but semantically inconsistent in places.
4. Cognitive load hotspots in SecurityV0
1. The user must mentally group many rows into one action
This is the biggest avoidable load.
Sergey’s correction is right: analysts should not have to discover for themselves that eight findings are all one IAM cleanup, one ownership assignment, or one scope expansion event.
Current symptom:
- findings remain atomic, which is correct
- but grouped action views are inconsistent or absent except in emerging places like Top Risk Reducers
Result:
- the product is truthful but expensive to use
2. Ownership is present as metadata, not always as decision architecture
SV0 knows ownership matters. It has ownership badges, ownership assignment flows, and owner-related findings. But ownership is not always one of the first four things the page makes obvious.
That forces the analyst to keep asking:
- who should handle this?
- is the owner proven, inferred, invalid, or absent?
- is the task for IAM, platform, data owner, or application team?
Wiz’s public messaging is explicit about ownership routing and code-to-cloud ownership context. SV0 needs the same explicitness, tuned to NHI governance.
3. Proven vs inferred is available, but not always fully legible
The EvidenceTrustBadge is a good primitive. It distinguishes execution observed, permission exists, capability inferred, etc. That aligns directly with Sergey’s requirement.
But a badge alone still makes the analyst translate semantics.
The page should often say, in sentence form:
- Proven: this path executed 87 times in the last 30 days.
- Inferred: permission exists but no execution has been observed.
That removes interpretive work.
4. Scope drift still risks being interpreted as a label instead of an event
The newer ScopeDriftDetail component is much better than a simple condition chip. It has:
- before/after role counts
- resource delta
- sensitivity delta
- risk statement
- change source
- blast radius
That is good progress.
But the problem is distribution and prominence. On some pages, scope drift is still mainly encountered as a finding type or governance condition pill. That forces the analyst to remember:
- what exactly changed
- whether the drift is material
- whether it was exercised
- what caused it
- who should act
Until the first read of the page says “before → after → cause → impact → owner → safest action,” scope drift still imposes memory load.
5. Contradictory status language makes analysts reconcile the UI manually
Sergey’s April 1 feedback identifies several places where the UI asks the user to adjudicate contradictions:
- path shown as Active even when 0 observed executions in 30 days
- “additional standing authority, not exercised” alongside “all grants observed executing”
- unproven execution shown as governance condition rather than standing authority state
- grouped identity view changing Observed Executions to unclear Max Executions terminology
These are not cosmetic issues. They directly increase cognitive load because they undermine semantic trust.
6. Page sections are often equally weighted when they should not be
Finding detail is the clearest example.
The analyst does not need Explanation, Access Path, Remediation, Evidence Completeness, Evidence Pack, and Metadata to all compete visually on first read. That creates “flat hierarchy,” where every section is technically useful but the page offers weak directional guidance.
Wiz feels modern because it de-weights verification content until after the action story is clear.
7. Some typography and visual density choices make important information harder to absorb
Sergey specifically called out oversized metric typography in “Am I Exposed?” cards and redundant failing pills. Those are small issues individually, but together they force more eye movement and reduce calmness.
Modern-feeling interfaces are often just interfaces that make fewer visual demands per decision.
5. What makes Wiz feel modern (specific, actionable observations)
1. It respects reading order
This is the biggest one.
Across public Wiz material on Issues, Security Graph, Green Agent, Workflows, and Lens, the structure is consistent:
- risk first
- impact second
- remediation/response next
- evidence and investigation behind that
This is cheap to adopt. It is mostly page architecture, copy, and section priority.
2. It uses a strong “primary object of attention” on each page
Wiz rarely makes the user wonder what the page is “about.”
Examples from public materials:
- Lens pages are about role-specific priorities
- Issue detail is about a single Issue
- Workflows are about operational processes
- blast radius views are about a specific incident or attack path
SV0 sometimes makes one page about too many things at once. Risk Cluster Detail is better because it has one governing object: the exposure brief.
Cheap adoption:
- every page should have a single dominant noun
- everything else should support that noun
3. It compresses multiple low-level facts into a single, readable verdict
Public Wiz examples repeatedly use issue framing like:
- this resource is publicly exposed and can reach sensitive data
- this toxic combination is exploitable
- this issue should be remediated by this owner
That does not mean hiding evidence. It means synthesizing it.
SV0 can do the same without losing determinism:
- “Proven: this agent path executed 43 times against finance data and has no active owner.”
- “Inferred: standing authority exists to confidential support data, but no recent execution was observed.”
Cheap adoption:
- add one plain-language verdict sentence near the top of every detail page
4. It makes the next action available before the evidence dump
Wiz’s public issue/remediation materials emphasize immediate actions:
- assign owner
- create ticket
- run action
- choose remediation strategy
- generate code/CLI instructions
SV0 frequently puts action below explanation or mixed into later sections.
Cheap adoption:
- primary action card directly under summary
- “Safest first action” as explicit label
- owner / responsible team in same block
5. Progressive disclosure is disciplined
Wiz often makes dense evidence available, but not mandatory for the first read. This creates confidence without heaviness.
SV0 tends to expose more raw richness earlier. That is powerful for auditors, but it makes first-read operation feel denser.
Cheap adoption:
- collapse deep evidence by default
- use tabs or anchor nav: Summary, Action, Path, Evidence, Metadata
- keep summary/action open by default
6. Typography hierarchy is calm and predictable
Even in curated screenshots and public product material, Wiz tends to use:
- a clear headline
- compact supporting metadata
- restrained badge usage
- metrics that are large only when they are actually headline metrics
This contributes heavily to the “modern” feeling.
Cheap adoption:
- reduce oversized tile values where they don’t represent a headline metric
- remove redundant status pills when iconography already conveys the same state
- use fewer competing accent colors on the same surface
7. Color is used to direct attention, not decorate everything
Wiz’s public UX language suggests consistent use of severity/status accenting, but not a rainbow per component. The result is better scannability.
Cheap adoption:
- reserve hot colors for urgency, drift deltas, or unsafe states
- keep supporting context mostly neutral
8. It creates the impression that the product already did some work for you
This is a major qualitative difference. Wiz’s Issue model, ownership routing, and workflow language all imply: “we already correlated this, scoped it, and prepared the next move.”
That is exactly what makes software feel high-quality.
SV0 can create the same impression by making grouped action views more prominent:
- one fix resolves N findings
- one team owns these 12 paths
- this drift event came from one role change
That is more impactful than any cosmetic redesign.
6. Anti-patterns to avoid
1. Don’t replace deterministic truth with abstract issue scoring
Wiz can afford to lead with “toxic combinations” and contextual severity because its market expects a correlated risk engine.
SV0’s wedge is different. If SV0 starts over-abstracting path-level truth into opaque score objects, it will weaken the core promise: “See what your agents do.”
Do not copy:
- opaque risk scores without traceable reasoning
- hidden grouping logic that obscures exact affected paths
- AI verdicts that replace evidence-backed conclusions
2. Don’t let grouped action views erase atomic drill-down
Sergey’s correction is precise here. Grouping is needed, but only as a derived action layer.
Bad copy of Wiz:
- collapsing many path findings into a single issue with no obvious path back to exact evidence
SV0 must preserve:
- exact path
- exact finding
- exact evidence
- exact owner/assignment trace
3. Don’t become an inline blocker product
Public Wiz material includes one-click remediation, auto-remediation, response actions, and workflow automation. Some of that is appropriate for cloud misconfig and incident response. It is not the core identity of SV0.
SV0 should remain a system of accountable review and action, not an inline prevention/blocking layer.
That means:
- prefer review, assignment, attestation, and tracked mitigation
- be careful with language that implies automatic suppression or auto-fix as the primary story
4. Don’t import generic CNAPP terminology where SV0 needs precise NHI language
Terms like Issue, toxic combination, posture debt, blast radius, and lenses are useful reference points, but if copied too literally they would blur the category.
SV0 should stay anchored in its own nouns:
- authority path
- autonomous execution
- ownership
- standing authority
- scope drift
- accountable review
Borrow structure, not vocabulary.
5. Don’t over-index on graph theater
Wiz can use graph visuals as a signature because its product is genuinely graph-centered.
SV0 should not assume that adding more diagrams will make pages feel modern. Sergey’s point is the opposite: Wiz feels modern because the story is told in the right order.
If a diagram helps, use it. If a one-sentence verdict and grouped action card help more, prefer those.
6. Don’t hide uncertainty inside polished language
Wiz sometimes speaks in validated or AI-assisted remediation language. SV0 cannot afford to blur proven vs inferred.
Any modernization that weakens that boundary would be harmful.
A good SV0 page should make uncertainty clearer than Wiz, not less clear.
7. Don’t make the product look broader than it is
Wiz is a broad cloud security platform. SV0 wins by being sharper.
If SV0 copies Wiz’s broad, all-security-platform framing too closely, it risks losing the clear wedge around non-human identity governance, review, and attestation.
7. Recommended changes ranked by impact/effort ratio
Highest impact / lowest-to-medium effort
1. Rebuild finding detail around explicit decision flow
Impact: Very high
Effort: Medium
Reorder the page to:
- Header summary
- Risk summary
- Primary action
- Path / blast-radius context
- Evidence / metadata
Add explicit fields at the top:
- Proven vs inferred
- Why it matters in business terms
- Safest first action
- Owner / responsible team
This directly addresses Sergey’s core feedback and will produce the biggest perceived quality gain.
2. Promote grouped action views above atomic findings
Impact: Very high
Effort: Medium
Add derived layers such as:
- Fix groups: one remediation resolves N findings
- Team routing groups: who should receive the work
- Change-event groups: one scope drift or ownership decay event across many paths
Keep atomic drill-down underneath.
This reduces the biggest source of analyst cognitive load.
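A sketch of the derived fix-group layer described here and in the "don't let grouped action views erase atomic drill-down" anti-pattern, added as an illustration and not taken from the sv0-platform code. `Finding`, `FixGroup`, `remediationKey`, `executions30d` and `groupByFix` are hypothetical names, the sample findings are constructed, and counting observed executions once per distinct path is an assumption about how a grouped total should be reported.

```typescript
// Added illustration. Every type and field name here is hypothetical,
// not SV0's schema; the sample findings are constructed.
interface Finding {
  id: string;
  pathId: string;
  remediationKey: string; // assumed: names the one change that resolves this finding
  owner: string | null;   // null means no owner is recorded
  executions30d: number;  // observed executions on the path, last 30 days
}

interface FixGroup {
  remediationKey: string;
  findingIds: string[];         // atomic drill-down: every member stays addressable
  pathIds: string[];
  provenFindingIds: string[];   // execution observed
  inferredFindingIds: string[]; // permission exists, no execution observed
  unownedFindingIds: string[];
  owners: string[];
  observedExecutions: number;   // summed once per distinct path, never a max
  verdict: string;              // first-read sentence, "Proven:" or "Inferred:"
}

function groupByFix(findings: Finding[]): FixGroup[] {
  // Prototype-free maps so a key such as "constructor" cannot collide.
  const buckets: Record<string, Finding[]> = Object.create(null);
  for (const f of findings) {
    if (!buckets[f.remediationKey]) buckets[f.remediationKey] = [];
    buckets[f.remediationKey].push(f);
  }
  const groups = Object.keys(buckets).map((key): FixGroup => {
    const members = buckets[key];
    const perPath: Record<string, number> = Object.create(null);
    const owners: Record<string, true> = Object.create(null);
    for (const m of members) {
      // Two findings on one path report the same executions; count them once.
      const seen = perPath[m.pathId] === undefined ? 0 : perPath[m.pathId];
      perPath[m.pathId] = Math.max(seen, m.executions30d);
      if (m.owner !== null) owners[m.owner] = true;
    }
    const pathIds = Object.keys(perPath).sort();
    const provenPaths = pathIds.filter((p) => perPath[p] > 0).length;
    const total = pathIds.reduce((sum, p) => sum + perPath[p], 0);
    // The sentence never upgrades inferred paths to proven ones.
    const verdict = provenPaths === 0
      ? `Inferred: permission exists on ${pathIds.length} path(s) but no execution has been observed in the last 30 days.`
      : `Proven: ${total} observed executions in the last 30 days on ${provenPaths} of ${pathIds.length} path(s)` +
        (provenPaths < pathIds.length ? "; the rest are inferred only." : ".");
    return {
      remediationKey: key,
      findingIds: members.map((m) => m.id),
      pathIds,
      provenFindingIds: members.filter((m) => m.executions30d > 0).map((m) => m.id),
      inferredFindingIds: members.filter((m) => m.executions30d === 0).map((m) => m.id),
      unownedFindingIds: members.filter((m) => m.owner === null).map((m) => m.id),
      owners: Object.keys(owners).sort(),
      observedExecutions: total,
      verdict,
    };
  });
  // "One fix resolves N findings": largest N first, key as a stable tie-break.
  groups.sort((a, b) =>
    b.findingIds.length - a.findingIds.length ||
    a.remediationKey.localeCompare(b.remediationKey));
  return groups;
}

// Constructed sample: three findings share one IAM cleanup, one stands alone.
const SAMPLE_FINDINGS: Finding[] = [
  { id: "F-1", pathId: "P-1", remediationKey: "detach-policy:role/etl-agent", owner: "iam-team", executions30d: 87 },
  { id: "F-2", pathId: "P-1", remediationKey: "detach-policy:role/etl-agent", owner: "iam-team", executions30d: 87 },
  { id: "F-3", pathId: "P-2", remediationKey: "detach-policy:role/etl-agent", owner: null, executions30d: 0 },
  { id: "F-4", pathId: "P-3", remediationKey: "rotate-key:svc/report-bot", owner: "platform-team", executions30d: 0 },
];

for (const g of groupByFix(SAMPLE_FINDINGS)) {
  console.log(`${g.remediationKey} resolves ${g.findingIds.length} finding(s): ${g.verdict}`);
}
```

The grouped row carries the member finding IDs and the unowned subset, so the list can show one action while each atomic finding remains one click away.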
3. Standardize a first-read verdict sentence on every major detail page
Impact: High
Effort: Low
Examples:
- “Proven: this agent path executed 21 times against confidential HR data and currently has no active owner.”
- “Inferred: this identity retains standing authority to finance systems, but no recent execution has been observed.”
This is cheap and immediately improves clarity.
4. Make owner/responsible team visually first-class
Impact: High
Effort: Low to medium
Every finding/cluster/path detail should make ownership obvious near the top, not buried in badges or secondary metadata.
If ownership is unresolved, say that in the main summary.
5. Fix semantic contradictions before cosmetic polish
Impact: High
Effort: Low to medium
Specifically address Sergey’s April 1 issues:
- stop labeling non-executing paths as Active when that implies current execution
- remove contradictory execution/grant language
- treat unproven execution as standing-authority state, not governance risk
- preserve observed execution terminology when grouping
- remove redundant failing pills
These fixes reduce cognitive drag more than visual redesign alone.
High impact / medium effort
6. Make scope drift a first-class change event everywhere it appears
Impact: High
Effort: Medium
Use a consistent summary block everywhere:
- Before → After
- Net-new reach
- Cause
- Why it matters
- Owner
- Safest first action
The detailed component already points in this direction. The remaining work is making this framing dominant across lists, briefs, and path views.
7. Elevate ticketing/tracking from clipboard helper to action workflow
Impact: High
Effort: Medium
Current “Create Ticket” patterns are useful but still feel partial. The product should increasingly behave like a system of accountable review/action, not just a system that generates ticket text.
At minimum, unify the interaction model across cluster/path/detail pages and make action state visible.
8. Convert lists from records to queues of decisions
Impact: Medium-high
Effort: Medium
On Findings and Authority Paths lists, add inline cues for:
- owner / unowned
- grouped fix relationship
- why it matters
- safest first action or routing hint
This can be progressive and does not require replacing tables.
Medium impact / low effort
9. Tighten typography and remove visual noise
Impact: Medium
Effort: Low
- reduce oversized card values where not warranted
- reserve large numerals for truly headline metrics
- remove redundant pills
- calm accent color usage
- increase visual distinction between summary and audit sections
This is one of the cheapest ways to improve perceived polish.
10. Collapse deep evidence by default
Impact: Medium
Effort: Low
Keep evidence rich, but do not force it into the primary scan path. Use tabs, anchors, or accordions.
11. Add “why this matters” copy to list rows and cards where possible
Impact: Medium
Effort: Low
Short business framing goes a long way:
- reaches finance data
- unowned authority still executing
- scope expansion into restricted resources
12. Make “proven vs inferred” more explicit in prose, not only badges
Impact: Medium
Effort: Low
The badge primitive is already good. It needs supporting text.
Lower impact but useful follow-ons
13. Strengthen overview page entry-point hierarchy
Impact: Medium
Effort: Medium
Choose a dominant “start here” path on the dashboard, likely a grouped exposure/action brief. Reduce competition among entry points.
14. Continue building cluster-style briefs as the primary review object
Impact: Medium
Effort: Medium to high
The current Risk Cluster Detail page is the clearest evidence of the right direction. It should become the model for other page types.
Closing synthesis
Wiz’s real advantage is not that it has more features. It is that the UI behaves like it already understands the analyst’s job.
SecurityV0 can achieve that without losing its category identity.
The winning model is:
- atomic truth underneath
- grouped action above it
- decision flow before evidence depth
- owner, safest action, and proof status visible immediately
- drift shown as an event, not a label
That is how SV0 can feel more modern while becoming more itself, not less.
Sources consulted
Internal
- sv0-documentation: [[2026-03-29-wiz-ux-pattern-analysis]], [[2026-03-31-sergey-feedback-on-wiz-ux-pattern-analysis]], 2026-04-01-sergey-prod-feedback
- sv0-platform UI pages: OverviewPage, FindingsList, FindingDetail, AuthorityPathsListPage, AuthorityPathDetailPage, RiskClusterDetailPage
- sv0-platform UI components: RemediationPanel, ScopeDriftDetail, EvidenceBadge, PathRiskClusterCard
Public Wiz / external
- Wiz Lens: https://www.wiz.io/blog/introducing-wiz-lens-role-based-views-for-every-security-team
- Wiz Workflows: https://www.wiz.io/blog/introducing-wiz-workflows
- Wiz Security Graph for incident response: https://www.wiz.io/blog/wiz-security-graph-enhances-cloud-incident-response
- Wiz Green Agent: https://www.wiz.io/blog/introducing-wiz-green-agent
- Wiz Jira integration: https://www.wiz.io/integrations/jira
- Wiz Posture Issues: https://www.wiz.io/blog/introducing-posture-issues-transform-security-findings-into-actionable-outcomes
- Wiz AI remediation 2.0: https://www.wiz.io/blog/introducing-ai-powered-remediation-2-0
- Wiz remediation and response: https://www.wiz.io/blog/wiz-remediation-and-response-security-best-practices
- Wiz Security Graph landing page: https://www.wiz.io/lp/wiz-security-graph
- AWS Marketplace review snippets for Wiz Runtime Sensor (public reviews page)
Next Action
Status: research-complete — input to [[combined-ux-strategy]]
Decision needed from: CTO (Ivan)
See: [[combined-ux-strategy]] for synthesized recommendations and decision options