Search
Mitigant Blog

Feature Release: Cloud Penetration Testing with Prowler and Wiz Integrations

Mitigant Cloud Pentests now integrate with Prowler and Wiz, enabling seamless validation of CSPM findings through real, safe attack execution that surfaces SCP-aware privilege-escalation paths, fully visualized and mapped to compliance benchmarks.
10.4.2026
Kennedy Torkura
5 Minutes
Feature Release: Cloud Penetration Testing with Prowler and Wiz Integrations
Table of Contents
Example H2
Example H3
Example H4
Example H5
Example H6
Contributors
Kennedy Torkura
Kennedy Torkura
Co-Founder & CTO
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

We are pleased to share a significant expansion of Mitigant's Cloud Penetration Testing , the core workflow was built around Mitigant's native Cloud Security Posture Management (CSPM). The workflow was simple ; posture findings drive attack selection, attacks execute with full evidence capture, and produces a structured report.  However, after discussing with customers we realised the need to support interoperability with other CSPMs already used by security teams.

This release adds three capabilities: Bring Your Own CSPM support for Prowler and Wiz, Privilege Escalation, and Attack Path Visualization. The practical outcome for security teams and pentest firms already running Prowler or Wiz is significant: posture findings are automatically validated against internet-exposed resources, assessment findings are validated for actual exposure to reduce noise, and over 300 Mitigant attacks are leveraged to confirm deeper exploitation. Privilege escalation findings are SCP-aware, meaning they reflect what is genuinely exploitable within AWS Organization's controls, not just what is theoretically possible. This article explores each capability and how they work together.

From Posture Assessment to Exploitable Findings

We have written before about why CSPM scans are not cloud penetration tests, the core argument: a cloud posture scan produces 2,000+ findings, most of which are noise. Without validation, security teams cannot distinguish theoretical risks from actively exploitable ones. The outcome is alert fatigue, deprioritized remediation, and a false sense of security.  Mitigant Cloud Penetration Testing addresses these challenges via  a three-phase workflow:

Posture Assessment: The platform ingests CSPM findings, either from Mitigant's native CSPM or from an imported scanners e.g. Prowler and Wiz.

Posture Validation: Automated exploitability analysis narrows findings to the ~200 most actionable candidates in approximately 30 seconds. Exploitability analysis and attack emulation validate these findings by precisely testing them passively to filter out the actually exploitable ones. Optionally, users can enable the active exploitation of these filtered findings using the existing Mitigant attacks.

Exploitable Findings: The output is a set of proven threats: evidence-based, prioritized, and actionable. The noise reduction is approximately 85%.

The result is a Mean Time to Validate (MTTV) of around 5 minutes from the start of the pentest, through validation to reporting. This is the metric that matters for security teams operating under time pressure and for pentest firms that need to deliver client-ready output efficiently.

Bring Your Own CSPM: Prowler and Wiz Integrations

A significant part of the feedback we received from customers and partners was a variation of the same question: Can we run Cloud Pentests if we already use other CSPMs, such as Prowler or Wiz? The answer is now YES. The pentest feature now allows uploading of CSPM reports, and there are three options available:

  • Mitigant CSPM: Native, fully integrated. No upload required. The existing workflow is unchanged.
  • Prowler: Import a Prowler assessment report in CSV or JSON-ASFF format and run a cloud pentest on top of it.
  • Wiz: Import a Wiz CSPM assessment report in CSV format and run a cloud pentest on top of it.

Teams running Prowler or Wiz do not need to migrate their posture tooling to benefit from Mitigant's cloud penetration testing. Also, this integration reflects a broader mission: the accessibility of security validation as a means to focus on exploitability, especially as AI rapidly makes it easy to find security findings and vulnerabilities.

Privilege Escalation

Cloud identity is the most targeted attack surface in cloud environments. When attackers gain initial access to a cloud environment, whether through a leaked credential, a misconfigured role, or a compromised workload, their next step is almost always privilege escalation. They look for IAM users, roles, and policies that can be abused to expand access, move laterally, or gain administrative access. This pattern is consistent across the cloud breach data published by Mandiant, CrowdStrike, and others year after year. The Privilege Escalation capability validates this attack surface. It discovers real, exploitable IAM escalation paths in your AWS environment and, critically, it validates them through actual execution rather than theoretical assessment across 28 privilege escalation techniques. These techniques span across the most commonly abused IAM primitives: policy manipulation, PassRole chains into Lambda and EC2, access key creation against high-privilege identities, trust policy exploitation, and CloudFormation-based escalation, among others. All privilege escalation findings are mapped to MITRE ATT&CK: primarily T1098 (Account Manipulation) and T1562 (Impair Defenses), with cross-account paths mapping to T1199 (Trusted Relationship).

SCP-Aware Validation

One of the most common sources of false positives in privilege escalation findings is the failure to account for Service Control Policies (SCPs) configured at the AWS Organizations level. An escalation path that appears exploitable at the IAM level may be fully blocked by an SCP that restricts the relevant API calls across the entire organization.

The Privilege Escalation assessment is SCP-aware. Before surfacing a finding, it evaluates whether the path is actually executable within the SCP constraints in place. This means the findings in your report reflect what is genuinely exploitable in your environment, not what would be exploitable in the absence of your organizational controls. The practical result is a significantly lower false-positive rate than tools that evaluate IAM permissions in isolation.

Integration with the Pentest Report

Privilege escalation findings appear alongside CSPM-driven findings in the cloud pentest report, marked with a Priv Esc badge. Every finding in the report, including privilege escalation paths, is mapped to MITRE ATT&CK techniques, so security teams and pentest firms can align findings directly with the framework that underpins their detection rules, threat models, and client reports. A single pentest run captures both misconfiguration exposure and IAM escalation risk in one unified output, with evidence and MITRE mappings attached to each finding.

Attack Path Visualization

A list of technique IDs tells a security engineer what the vulnerability is. A graph tells them how far an attacker can go. Attack Path Visualization presents IAM escalation paths as an interactive directed graph, surfaced in the Attack Path tab within each pentest finding.

The graph renders identity nodes on the left, escalation technique nodes in the center mapped to PRIVESC IDs and MITRE ATT&CK references, and outcome nodes on the right showing the resulting access level. Multi-hop paths, where an attacker chains two or more techniques to reach a higher privilege level, are represented as branching edges through the graph. Seeing that a specific IAM user has a three-hop path to administrator access is more actionable than reading a list of API call names.

The graph is interactive: users can pan, zoom, fit the view, and download it as an SVG for inclusion in pentest reports or executive briefings.

What This Unlocks for Security Teams

For a pentest firm or security team running Prowler or Wiz today, these capabilities address specific operational gaps.

Attack surface context, including internet-exposed resources. Posture findings alone do not tell you which misconfigurations are reachable from the internet. Mitigant includes internet-exposed resources in the pentest scope, so the findings that surface reflect real-world attacker access, not just internal configuration states.

Validated findings with a 5-minute MTTV. Manual triage of critical and high-severity findings from a CSPM report is time-consuming and imprecise. The Mitigant pentest workflow validates findings through passive and active attack execution, reducing thousands of posture findings to a focused, confirmed, evidence-backed set in approximately 5 minutes. The manual filtration step is replaced by automated exploitability analysis.

Fully automated execution, on demand. A pentest can be initiated at any time and produces a structured report without manual intervention. For teams running continuous security programs or firms delivering recurring engagements, this removes the scheduling and setup overhead from each test cycle.

Over 300 attack techniques for further testing and exploitation. Beyond the initial posture-driven selection, Mitigant's catalog of over 300 cloud attacks is available for deeper testing and exploitation scenarios. Attack actions are atomic security tests targeting specific cloud services, each mapped to the MITRE ATT&CK framework. Attack scenarios chain multiple actions into realistic, multi-step campaigns. Together, they allow security teams to move well beyond the findings surfaced by CSPM into broader adversarial coverage across cloud services.

Contextual, SCP-aware privilege escalation. IAM escalation findings are evaluated within the SCP constraints of the AWS organization. Only paths that are genuinely executable under the organization's control policies are surfaced as findings. This eliminates false positives from evaluating IAM permissions in isolation and ensures remediation efforts are directed at real exposure.

What Is Coming Next

This release focuses on AWS. The next phase of the Privilege Escalation Engine will expand coverage to Azure and GCP, where escalation paths involve different primitives: managed identities, service principals, RBAC assignments, and workload federation. Microsoft's own Azure Threat Research Matrix will inform the technique catalog for those platforms.

Pentest scheduling is also on the roadmap, allowing security teams and pentest firms to run recurring pentests automatically without manual initiation, keeping posture validation continuous rather than point-in-time.

We are also continuing to expand attack emulation coverage across all three major cloud providers, and deeper integration between posture findings and attack execution remains the core focus of the roadmap.

To explore these features, log in to your Mitigant account and start a new pentest, or book a demo to see them in action.

Ready to Secure Your Cloud Infrastructures?
Connect with the Mitigant Team and proactively protect your clouds today.
Book DemoStart Free Trial

Read Other Interesting Blog Posts

View Blogs
Cloud Security
Mitigant Threat Catalog: 61 Techniques & 12 AWS Services Added
March 18, 2026
Mitigant Threat Catalog massive update! We added 61 techniques & 12 AWS services, totalling 91 techniques across 32 AWS services. The catalog now includes techniques across 11 MITRE ATT&CK tactics.
Read More
Cloud Security
Introducing the Mitigant Threat Catalog: From Static Descriptions to Dynamic Executions
February 13, 2026
We are launching (1) Mitigant Threat Catalog, a free, interactive resource that transforms MITRE ATT&CK cloud techniques into executable CLI commands, (2) The Cloud Attack Language, a format for effectively constructing complex, multi-step attacks.
Read More
Cloud Security
Mitigant Attack Builder: Custom Cloud Attacks in Seconds
November 21, 2025
Mitigant Attack Builder empowers defenders to build cloud attacks within seconds, enabling production-ready security tests without sacrificing time and quality.
Read More

Join The Cloud Security Revolution Today!

Take control of your cloud security in minutes. No credit card required.
Get Demo Environment
Start 30-day Free Trial