Authenticate to the Wiz GraphQL API using a Service Account token with SecurityReader or DataReader permissions.
Query the dataFindings node in the Wiz GraphQL schema, filtering by sensitiveDataType (e.g., PII, PHI, PCI) and cloudResourceType to find exposed datastores.
Correlate each finding with its cloudResource and use fields such as publicExposure, region, and accessLevel to prioritize remediation.
Use the securityIssues connection on each data finding to join data risk with associated misconfigurations or vulnerability findings for full attack-path context.
Export findings to a tabular format and group by data classification and public exposure status to drive a data-risk remediation backlog.
Set up a Wiz automation rule to alert when a new PII-containing datastore is found to be publicly accessible.
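The correlation, confidence filtering, and grouping steps above can be sketched offline as follows. This is an added example, not Wiz's or this page's own code: the response envelope (data.dataFindings.nodes), the confidence field, and all sample values are assumptions, and only the field names listed in the steps come from the page.

```python
import csv
import sys
from collections import defaultdict

# Constructed sample response. The envelope (data.dataFindings.nodes), the
# "confidence" field and every value are assumptions made for this example.
SAMPLE = {"data": {"dataFindings": {"nodes": [
    {"id": "f1", "sensitiveDataType": "PII", "confidence": "HIGH", "cloudResource":
        {"name": "cust-bucket", "publicExposure": True, "region": "us-east-1", "accessLevel": "READ"}},
    {"id": "f2", "sensitiveDataType": "PII", "confidence": "LOW", "cloudResource":
        {"name": "tmp-bucket", "publicExposure": True, "region": "us-east-1", "accessLevel": "READ"}},
    {"id": "f3", "sensitiveDataType": "PCI", "confidence": "HIGH", "cloudResource":
        {"name": "pay-db", "publicExposure": False, "region": "eu-west-1", "accessLevel": "NONE"}},
    {"id": "f4", "sensitiveDataType": "PHI", "confidence": "HIGH", "cloudResource": None},
]}}}
FIELDS = ["id", "sensitiveDataType", "exposure", "resource", "region", "accessLevel"]
TRIAGE = ("public", "unknown", "private")  # backlog order: exposed data first

def extract_nodes(response):
    # Fail loudly when the field is absent (DSPM not licensed or enabled).
    data = response.get("data") or {}
    if "dataFindings" not in data:
        raise LookupError("no dataFindings in response: is DSPM licensed and enabled?")
    return (data["dataFindings"] or {}).get("nodes") or []

def to_rows(nodes, confidence="HIGH"):
    rows = []
    for n in nodes:
        if n.get("confidence") != confidence:  # drop lower-confidence classifications
            continue
        res = n.get("cloudResource") or {}  # finding not yet correlated to a resource
        exposure = {True: "public", False: "private"}.get(res.get("publicExposure"), "unknown")
        rows.append({"id": n["id"], "sensitiveDataType": n["sensitiveDataType"],
                     "exposure": exposure, "resource": res.get("name", ""),
                     "region": res.get("region", ""), "accessLevel": res.get("accessLevel", "")})
    return rows

def backlog(rows):
    # Group by (classification, exposure); publicly exposed groups sort first.
    groups = defaultdict(list)
    for r in rows:
        groups[(r["sensitiveDataType"], r["exposure"])].append(r["resource"] or r["id"])
    return sorted(groups.items(), key=lambda kv: (TRIAGE.index(kv[0][1]), kv[0][0]))

if __name__ == "__main__":
    rows = to_rows(extract_nodes(SAMPLE))
    out = csv.DictWriter(sys.stdout, fieldnames=FIELDS)
    out.writeheader()
    out.writerows(rows)
    print(*backlog(rows), sep="\n")
```

Findings with no correlated resource are kept with exposure "unknown" rather than dropped, so they stay visible in the backlog until the next scan resolves them.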
Known gotchas
DSPM findings are populated by agentless scans that run on a schedule; newly created datastores may not appear in the API immediately.
The dataFindings GraphQL node requires the DSPM module to be licensed and configured; the field is absent if DSPM is not enabled on your tenant.
Sensitive data classification confidence levels vary; filter by high-confidence results to reduce false-positive remediation noise.