Obtain API credentials by creating a Service Account in Wiz (Settings > Service Accounts) with the SecurityReader role (a read-only role is sufficient for querying; do not grant write scopes to an export job) and note the client ID and client secret. Store the secret in a secrets manager: it is the long-lived credential, and the tokens it mints are short-lived.
Authenticate by POST-ing a form-encoded body with grant_type=client_credentials, audience=wiz-api, client_id and client_secret to the Wiz token endpoint (https://auth.app.wiz.io/oauth/token). The access_token in the response is a short-lived JWT, so cache it and request a new one only when expires_in has elapsed rather than authenticating on every call.
Send each query as a POST to the Wiz GraphQL endpoint for your tenant's region (https://api.us1.app.wiz.io/graphql or your tenant-specific URL) with a JSON body of the form {"query": ..., "variables": ...} and the headers Authorization: Bearer YOUR_TOKEN and Content-Type: application/json.
Query identity risk findings with a GraphQL query that selects the cloudEntitlements or identityRisks node types and filters by riskLevel and identityType. Pass filter values as GraphQL variables rather than interpolating them into the query text, and confirm the exact node and field names against your tenant's schema (introspection or the API reference) before relying on them.
Paginate with the standard Wiz cursor pattern: pass first (page size) and after (cursor) arguments, request pageInfo { hasNextPage endCursor } alongside nodes, and loop by feeding endCursor back into after until hasNextPage is false. Do not stop on an empty nodes list alone, and treat an errors array in a 200 response as a failed page, not as the end of the data.
Export findings to a CSV or database for remediation tracking, joining the GraphQL results to your identity provider's role-assignment API on a stable principal identifier (the cloud provider's identity ID or ARN) rather than on display names, which are not unique.
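A complete worked version of the six steps above, using only the Python standard library. This is an added example, not Wiz's SDK or code from the original page. The token endpoint and audience value are the documented ones; the identityRisks node type, its IdentityRiskFilters input type and the selected field names are assumptions that must be checked against your tenant's schema; and the sample pages served by the fake transports are constructed here so the pagination and error paths can be exercised offline.

```python
"""Client-credentials auth, paginated CIEM query and CSV export for the Wiz GraphQL
API.  Added example, standard library only; node and field names are assumptions."""
import csv
import io
import json
import urllib.parse
import urllib.request

AUTH_URL = "https://auth.app.wiz.io/oauth/token"    # Wiz token endpoint
GRAPHQL_URL = "https://api.us1.app.wiz.io/graphql"  # replace with your tenant's regional URL

# Assumed query shape: filters travel as variables, never spliced into the query text.
IDENTITY_RISK_QUERY = """
query IdentityRisks($first: Int!, $after: String, $filterBy: IdentityRiskFilters) {
  identityRisks(first: $first, after: $after, filterBy: $filterBy) {
    nodes { id name riskLevel identityType cloudAccount { name } }
    pageInfo { hasNextPage endCursor }
  }
}"""

def http_post_form(url, data):
    """POST form-encoded data (token endpoint) and parse the JSON reply."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(data).encode(),
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def http_post_json(url, headers, body):
    """POST a JSON body with the given headers and parse the JSON reply."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def fetch_token(client_id, client_secret, post_form=http_post_form):
    """Exchange service-account credentials for a short-lived bearer JWT."""
    reply = post_form(AUTH_URL, {"grant_type": "client_credentials", "audience": "wiz-api",
                                 "client_id": client_id, "client_secret": client_secret})
    if "access_token" not in reply:
        raise RuntimeError(f"token request failed: {reply}")
    return reply["access_token"]

def graphql(token, query, variables, post_json=http_post_json):
    """One GraphQL call; an 'errors' array (returned with HTTP 200) is a failure."""
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    reply = post_json(GRAPHQL_URL, headers, {"query": query, "variables": variables})
    if reply.get("errors"):
        raise RuntimeError(f"GraphQL errors: {reply['errors']}")
    return reply["data"]

def iter_identity_risks(token, filters, page_size=100, post_json=http_post_json):
    """Follow the first/after cursor until pageInfo.hasNextPage is false."""
    after = None
    while True:
        data = graphql(token, IDENTITY_RISK_QUERY,
                       {"first": page_size, "after": after, "filterBy": filters}, post_json)
        page = data["identityRisks"]
        yield from page["nodes"]
        if not page["pageInfo"]["hasNextPage"]:
            return
        after = page["pageInfo"]["endCursor"]

def to_csv(rows):
    """Flatten cloudAccount.name and emit one CSV line per finding."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=("id", "name", "riskLevel", "identityType",
                                             "cloudAccount"), extrasaction="ignore",
                            lineterminator="\n")
    writer.writeheader()
    for row in rows:
        flat = dict(row)
        if isinstance(flat.get("cloudAccount"), dict):
            flat["cloudAccount"] = flat["cloudAccount"].get("name")
        writer.writerow(flat)
    return buf.getvalue()

def _node(i, name, itype, acct):
    return {"id": f"r-{i}", "name": name, "riskLevel": "HIGH", "identityType": itype,
            "cloudAccount": {"name": acct}}

# Constructed sample replies (not real Wiz data), keyed by the cursor requested, so the
# pagination and error paths can be exercised offline through the fake transports below.
SAMPLE_PAGES = {
    None: {"data": {"identityRisks": {"nodes": [_node(1, "admin-role", "ROLE", "prod"),
                                                _node(2, "ci-user", "USER", "prod")],
                                      "pageInfo": {"hasNextPage": True, "endCursor": "c2"}}}},
    "c2": {"data": {"identityRisks": {"nodes": [_node(3, "lambda-exec", "SERVICE_ACCOUNT", "dev")],
                                      "pageInfo": {"hasNextPage": False, "endCursor": "c3"}}}},
}

def fake_post_form(url, data):
    # Offline stand-in for the token endpoint: checks the grant shape, mints a test token.
    if data.get("grant_type") != "client_credentials" or data.get("audience") != "wiz-api":
        return {"error": "invalid_request"}
    return {"access_token": "test-token", "expires_in": 1740}

def fake_post_json(url, headers, body):
    # Offline stand-in for the GraphQL endpoint: rejects bad tokens, serves SAMPLE_PAGES.
    if headers.get("Authorization") != "Bearer test-token":
        return {"errors": [{"message": "unauthenticated"}]}
    return SAMPLE_PAGES[body["variables"]["after"]]
```

The transports are injected so the same functions run against the live API when no fake is passed; the fakes exist only to exercise the cursor loop and the errors-array path without credentials. graphql() raising on an errors array matters for the pagination loop: a schema change or an expired token mid-export would otherwise look like a short, successful result set.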
Known gotchas
The Wiz GraphQL schema evolves; select explicit fields rather than broad selections, keep the query text under version control, and re-validate it against the schema after Wiz platform updates so a renamed field fails in a test run rather than in production.
The tenant-specific GraphQL endpoint URL is shown in the Wiz console under Settings > Tenant; sending requests to the wrong regional URL returns authentication errors even with a valid token, so confirm the URL before debugging credentials.
CIEM queries can return large result sets for organizations with many identities; always paginate with a bounded first value and apply filters such as riskLevel and identityType in production rather than pulling the whole entitlement set in one unfiltered query.