
Case Study | Wiz API | GraphQL | Python

Wiz API and GraphQL automation for scalable security operations.

Built an automation pattern for querying Wiz issue data, mapping security controls, enriching finding context, and supporting repeatable workflow updates without relying on manual console work.

GraphQL Query
Issue Context
Control Mapping
Workflow Update

Challenge

Security teams often need more context than a single finding view provides. The problem was to collect issue details, affected resources, project ownership, severity, control relationships, and routing signals in a repeatable way.

Manual lookups do not scale when findings span multiple teams, cloud accounts, and remediation paths. The automation needed to make Wiz data easier to query, normalize, and reuse across playbooks.

Approach

  • Designed reusable GraphQL query patterns for issue details, entity metadata, projects, controls, and status fields.
  • Normalized response data so downstream playbooks could use predictable Python objects instead of raw nested API payloads.
  • Mapped Wiz fields to routing decisions such as owner, environment, cloud provider, exposure type, and remediation eligibility.
  • Added defensive handling for missing fields, empty result sets, pagination, authentication failures, and API errors.

Implementation Details

The workflow treats the Wiz API as the source of truth, then converts the response into a smaller automation object that other playbooks can reuse. That object contains the fields most useful for security operations: issue ID, severity, status, resource name, cloud platform, project, owner, control, exposure path, and remediation signal.

# Cursor-paginated issue query: pass pageInfo.endCursor back as $after until hasNextPage is false
query IssuesForAutomation($first: Int!, $after: String) {
  issues(first: $first, after: $after) {
    nodes {
      id
      status
      severity
      entity { name type cloudPlatform }   # affected resource and its cloud platform
      project { name }                     # ownership and routing signal
      control { name severity }            # control that raised the issue
    }
    pageInfo { hasNextPage endCursor }
  }
}
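One way to turn the paginated IssuesForAutomation response into the smaller automation object described above, written here as an added example rather than the project's own code: fetch_page is an assumed callable standing in for the authenticated HTTP call to the Wiz endpoint, and SAMPLE_PAGES is a constructed two-page response, not real Wiz data.

```python
from dataclasses import dataclass
# Added example, not the project's own code; fetch_page stands in for the real authenticated Wiz call.

@dataclass(frozen=True)
class IssueRecord:
    issue_id: str
    severity: str
    status: str
    resource: str
    cloud_platform: str
    project: str
    control: str

class WizApiError(RuntimeError):
    """The response carried a GraphQL errors array (e.g. expired token, rate limit, rejected query)."""
def normalize_issue(node: dict) -> IssueRecord:
    """Flatten one issues.nodes[] entry; absent sub-objects become placeholders instead of KeyErrors."""
    entity, project, control = (node.get(k) or {} for k in ("entity", "project", "control"))
    return IssueRecord(
        issue_id=node.get("id") or "",
        severity=(node.get("severity") or "UNKNOWN").upper(),
        status=node.get("status") or "UNKNOWN",
        resource=entity.get("name") or "unknown",
        cloud_platform=entity.get("cloudPlatform") or "unknown",
        project=project.get("name") or "unassigned",
        control=control.get("name") or "none",
    )

def collect_issues(fetch_page, page_size: int = 100, max_pages: int = 1000) -> list:
    """Follow pageInfo.endCursor until hasNextPage is false, bounded by max_pages; raise on API errors."""
    records, after = [], None
    for _ in range(max_pages):
        resp = fetch_page({"first": page_size, "after": after})
        if resp.get("errors"):
            raise WizApiError(resp["errors"][0].get("message", "GraphQL error"))
        issues = (resp.get("data") or {}).get("issues") or {}
        records.extend(normalize_issue(n) for n in (issues.get("nodes") or []))
        page = issues.get("pageInfo") or {}
        after = page.get("endCursor")
        if not page.get("hasNextPage") or not after:
            break
    return records

SAMPLE_PAGES = {  # constructed two-page Wiz-shaped response (not real data) so the block runs offline
    None: {"data": {"issues": {"nodes": [{"id": "i-1", "status": "OPEN", "severity": "critical",
        "entity": {"name": "prod-bucket", "cloudPlatform": "AWS"}, "project": {"name": "payments"},
        "control": {"name": "Public bucket"}}], "pageInfo": {"hasNextPage": True, "endCursor": "c1"}}}},
    "c1": {"data": {"issues": {"nodes": [{"id": "i-2", "status": "OPEN", "severity": "high"}],
        "pageInfo": {"hasNextPage": False, "endCursor": None}}}},
}
```

Calling collect_issues(lambda v: SAMPLE_PAGES[v["after"]], page_size=1) walks both sample pages and yields two records, the second filled with placeholders because its entity, project and control were absent.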

Outcomes

Faster triage

Packaged owner, severity, resource, project, and control context before an analyst opened the finding.

Reusable data model

Created a normalized structure that alerting, remediation, and reporting workflows could share.

Cleaner operations

Reduced dependence on manual console research by making API-driven context available to playbooks.

Security Controls Demonstrated

  • Reduced manual research time during triage by packaging the context an analyst or engineer needs first.
  • Improved consistency across alerting, notification, remediation, and audit workflows.
  • Created a foundation for automated control mapping and issue lifecycle updates.
  • Made security decisions easier to explain because each workflow used the same source data and decision fields.

Production Considerations

  • Unit tests around response parsing and pagination behavior.
  • A small query library with named GraphQL operations and typed response models.
  • Rate-limit handling, retry policy, and structured logs for production observability.
  • A dashboard view showing API-driven workflow volume, failures, and issue outcomes.