The security industry has a problem. There are growing concerns about potential ethical boundaries in cybersecurity research, particularly regarding Wiz’s approach to vulnerability disclosure.
The recent blog post by Wiz is a good example. They basically lay out unethical intrusion, a targeted operation without authorization with hallmarks of military intelligence tactics, as if it’s just a happy story about what they apparently perceive as their new normal within political discourse.
Their notification to the world of DeepSeek’s exposed database does not read to me as a researcher disclosing a vulnerability. The circumstances surrounding this disclosure raise questions about the motivations and methods behind such aggressive security research, given Israeli ex-special forces who run Wiz might do the “wildest things” to DeepSeek.
After you leave [Israel’s secret military technology unit of Special Operations — Unit 81] you realize that up until now you did the wildest things in your life together with the most talented people and you want to extend that into civilian life.
To set context here, I was the head of security for one of the largest and most successful database companies in history. I’m not exaggerating when I say I’ve had to deal with literally tens of thousands of reports like the Wiz blog post, handling some of the most sensitive data and hundreds of researchers. I’m applying that lens. Also I have spent the better part of three decades as an authorized penetration tester myself, reporting vulnerabilities I’ve found, following an academic background (graduate degree and thesis) in philosophy and history of military intervention (e.g. Mission 101), unconventional warriors and insertions through and behind enemy lines.
“Intel mapping” operations have been particularly difficult for the [Israeli] army to justify on any kind of security grounds. That led earlier this year to unwelcome scrutiny from Israel’s top court, which gave the army until August to divulge the wording of its “mapping” protocol. The army’s cancellation of the practice last week means [secrecy remains for] purposes behind these random “mapping” raids. They are part of the gradual process by which the army acculturates its young soldiers into a life of committing habitual war crimes. It breaks down their sense of morality and any remnants of compassion…. It turns [targets] into nothing more than objects of suspicion and fear for the soldiers. Or as one Palestinian woman told Yesh Din: “The way they banged and came into the house was like entering somewhere with animals, not people.”
The details of this Wiz incident merit careful review by industry regulators to ensure compliance with established ethical standards in security research.
Therefore I will try to be as clear as possible in layman’s terms about what Wiz themselves admit: security experts specifically targeted DeepSeek to push without prior authorization into systems to see anything they know they shouldn’t see. Wiz staff say in their blog post it was a rising company in the news that gave them motivation to break in and find something to publish publicly as damaging or embarrassing. Upon finding a door at this targeted company, they checked if it was locked, and then entered and looked around at anything they could, landing and expanding. As soon as they found the first thing, they say they tried more, and more and more until they felt they had quite a lot of evidence and details. Perhaps they have even more than they reveal.
In a normal ethical research scenario things unfold very differently to such a bizarrely tone-deaf admission of unethical forced entry and gathering.
Usually, I expect a researcher comes upon a random door they don’t understand or recognize. They check if it’s locked because they don’t know what they have found or even why it’s there. An Internet address has a port, the port seems to be listening to commands. Maybe it’s supposed to be open? Maybe they were even invited to use it but have stumbled upon something they didn’t expect or want to see? When they use a command to understand what’s going on they find something they know they should report to the owner, full stop. If they realize at first glance this door should have been locked, they stop and don’t need to go further, hopefully for obvious reasons. Instead their efforts center on ways to notify the owner to take action based on first discovery, even with a note that more discovery may have been possible but not attempted. A good deed done is one that doesn’t go too far, and certainly one that doesn’t come with intentions of capitalizing on repeatedly intentionally overstepping boundaries up front.
Wiz did the exact opposite to simple research principles, unleashing a complicated and extensive series of intrusions, which to me looks like they are engaged in espionage that has more in common with military intelligence operations than civilian.
Think of them as literal Israeli mercenaries who were trained to rush into a house using their honed special operations technology to run from room to room mapping an entire place as quickly as possible to establish dominance over that target on the presumption of power transfer. Once they find the bedroom they yank out the drawers and find a diary. They scan and upload diary pages… and post findings to a high-profile website with a warning: “Good thing we aren’t the bad guys, these fine residents of 14 Abdallah Street should have known better than to leave any doors, drawers or books unlocked, as you can see from the private thoughts in their diary we copied. After all, what if some bad guys showed up and walked in without asking first?”
- Executed SQL queries to examine database structure
- Accessed and documented sensitive customer data and chat histories
- Mapped internal APIs and backend systems
- Published technical details about DeepSeek’s infrastructure
This wasn’t some accidental discovery requiring information gathering to achieve a responsible disclosure. This wasn’t even a humanitarian mission that tries to self-justify by exposing danger to prevent harm. The methodology employed appears to push beyond conventional boundaries of responsible vulnerability research, raising significant ethical concerns within the cybersecurity community. Intelligence gathering of a nation-state disguised as private security research of course already has been problematic to the industry. Wiz knew exactly what they were looking for and it sounds like they gleefully documented everything they found while they also blew through stop sign after stop sign, grabbing DeepSeek by the… IP.
If you are a Wiz customer you should immediately ask whether you are safe from such behavior turned on you, given what Wiz reveals about their management ethics. Customers should carefully evaluate the potential implications of a security research approach that seems to extend beyond traditional ethical guidelines. Did Lance Armstrong admit to cheating when confronted? Asking for a cyclist friend right now evaluating Wiz for a large enterprise deal.
Timing of their headline-grabbing braggadocio exploitation of a targeted company is particularly concerning given an ongoing lawsuit against Wiz that highlights very similar issues in the recent past. Orca Security, a leader in the space that Wiz abruptly entered and became strangely proficient in without explanation, alleges that Wiz engages in a clear pattern of acquiring confidential information without authorization.
…Wiz has hired former Orca employees and worked with third parties to acquire Orca’s confidential information relating to current and future product plans, marketing, sales, prospective customers, and prospective employees, and has used that confidential information in furtherance of its efforts to copy and to compete unfairly with Orca.
The latest incident with DeepSeek not only follows the same playbook – finding a vulnerability, then using it to gather competitive intelligence while claiming “responsible” IP-grabbing – it shows that Wiz named themselves the Wizard of Oz as more than just a silly aspiration to run the world. They appear to hold themselves unaccountable to basic ethics let alone laws that prevent such business practices.
Wiz attempts to justify their actions by stating “We did not execute intrusive queries beyond enumeration to preserve ethical research practices.” This statement is worse than being a meaningless distinction, it’s an attempt to destroy our actual notions of unauthorized access. Admittedly a nation-state funding mercenaries to break-and-enter private property in times of “war” has a different authorization model. But Wiz appears to be trying to pass themselves off as civilans after jumping out of an airplane at 30K feet, as if an adrenaline-fueled Unit 81 “untouchable” halcyon buzz can work if you put on the wrong pants.
Shout out to Agent Zo.
A query against an unauthorized system is an intrusion, a query against a known system is a known unauthorized intrusion, an exploratory query seeking exposure of private data is a known unauthorized intrusion to violate rights. Claiming extensive steps in “enumeration” isn’t “intrusive” is like saying “I just read all the papers in the diary I found in the drawer in your dresser in your bedroom in your house, but don’t worry I didn’t take anything and you really should see someone for that drinking problem I read all about.”
The security industry needs to call this behavior what it is and prevent it being normalized. I suspect Wiz doesn’t even want what Wiz is, and what Wiz does. Self-defense and power (the sword) demands balance with moral and spiritual values (the light), seeking the ambivalent middle rather than a false choice between one or the other (Talmud Shabbat 21b).
Walking to the back of an office building under a giant bright sign that says Wiz and finding an unlocked door doesn’t give you the right to walk in, rifle through all their private information, and then claim you’re helping Wiz by pointing out the unlocked door by describing the papers you found. You know it’s Wiz before you even test the door. So the moment you test the door and find it unlocked that’s it! You tell Wiz and they tell you if that’s ok. Like walking in the front door and saying “hello, I’m here to see…” so they can say ok or no, instead of jumping over the front desk and making a run for it. There’s absolutely no reason to go so far so fast to look around and see what can be exposed when you know that’s not your job. You stop where everyone should know you stop, at first notice you are someplace you shouldn’t be. Thus to me at least, as well as the many others asking me about it, Wiz crossed clear ethical and likely legal lines, then published about it as if to say “look what an imbalanced sword can do.”
Such behavior damages the credibility of legitimate security research. Real security researchers get prior authorization from targeted assets. Real security researchers who chance upon unknown assets that are exposed approach it with the professional minimum necessary to find and notify owners without need for over-accessing or over-exposing sensitive data. What Wiz did wasn’t research by their own admission of detailed exposure of ethics failures.
That’s basically it. I ask you to consider their unauthorized access and intelligence gathering with that explanation. And if you read Wiz corporate history, you can fit it into a pattern that led to formal documentation for judges and courtrooms.
The security industry can’t keep looking the other way when one of their own repeatedly crosses the line and abuses the people we are supposed to protect. Americans should ask what would a Silas Soule do if he saw these acts of immorality as if facing a digital Sand Creek? If we want security research to be taken seriously, we need to firmly reject this kind of “bad Stetson” behavior that wants to make disclosure indistinguishable from illegal corporate espionage. Security researchers build trust by holding a bright line on ethical disclosure, which means they recognize exploitation and unauthorized data extraction undermines the entire industry.
The track record of Wiz needs to lead to accountability, not apologetic investments.
Their actions with DeepSeek continue a documented concerning pattern of crossing ethical lines while thumbing their nose at basic security principles. Just because you can access something on a target doesn’t mean you should. The security community deserves better than this.
It’s time to have an honest conversation about where legitimate security research ends and unauthorized access begins. Wiz’s boasting about how they get away with things nobody should be doing, amid mounting allegations of espionage described in the Orca lawsuit, inform us of a company that operates intentionally without concern for the harms they cause others, presumably including their own customers.
| Wiz’s Actions | Legitimate Security Research |
|---|---|
| Intentionally targeted DeepSeek for any high-value exposure | Discovery is authorized as scoped or it is a matter of professional routine, or it is accidental and doesn’t blur them |
| Deliberately pushed hard into a high-value target without authorization | Minimal access (least necessary for appropriate notification) |
| Conducted extensive reconnaissance with API mapping and SQL queries to gain customer data access | Focus on accuracy for notification, not extraction and exploitation for compromise |
| Published technical details about targeted corporate espionage, threatening industry research integrity | Prior authorization is documented for targeted research, following code of ethics, and principles of actual least-harm are documented within routine and broad/generic research steps |
