Google Cloud + Wiz
David Grable, April 23, 2026, 6 min read

Wiz + Google SecOps: Why Your Runbooks Break after Google Cloud Next '26


Your Wiz → SecOps runbooks are already outdated

As of April 22, 2026, Wiz Defend feeds detections natively into Google Security Operations (Google SecOps, formerly Chronicle) and Mandiant Threat Defense, and MCP server support for Google SecOps is generally available.

The combined effect is architectural, not cosmetic. SOC runbooks built on the pre-Next '26 assumptions that enrichment happens after detection, that detection rules are human-authored, and that remediation is ticket-driven are now out of sync with the pipeline they are supposed to operate.

Source: Google Cloud Blog, "Next '26: Redefining security for the AI era with Google Cloud and Wiz", April 22, 2026.

Next '26 didn't add capability. It removed steps.

Three things changed at the architecture level:

  • Context is resolved before the alert exists
  • Detection rules are generated, not written
  • Remediation paths are environment-specific, not generic

If your playbooks still assume you enrich after detection, author rules manually, and route fixes through a generic ticket workflow — you're operating out of sync with your own pipeline. And M-Trends 2026 tells you what that gap costs: adversaries now hand off access to a secondary threat actor in 22 seconds. Three years ago it was eight hours.

Your runbook rewrite isn't optional. Here's what to do with it.


What Broke

Expert AI security agents: Red = Attacker, Blue = Investigator, Green = Fixer

Your enrichment playbooks. Wiz Blue Agent (generally available) resolves cloud telemetry, runtime signals, and identity context before the event surfaces in your queue. Runbooks that pull Wiz Security Graph context as a post-detection step aren't backup coverage — they're duplicate work with divergent confidence scores.

Your detection authoring cadence. The Detection Engineering Agent (preview) generates persistent detection rules automatically. If your tuning process was scoped for human-authored rules, it will fall behind. More coverage isn't better coverage if it arrives faster than your team can validate signal quality.

Your remediation gates. Wiz Green Agent (public preview) generates environment-specific, step-by-step fix guidance synthesized from the Security Graph, identity ownership, and historical remediation patterns. If your change management process gates at the ticket stage, not the execution stage, you need to define where in the Wiz Agentic Workflows sequence human approval lives — before agents act, not after.

Green Agent remediation steps UI

Your on-call model. Wiz Agentic Workflows collapses the cloud/SOC boundary. Teams that built separate escalation paths for Wiz admins and SOC analysts now have two teams reaching for the same incident with no defined handoff.

Your MCP-based integrations. MCP server support for Google SecOps just went generally available. Any custom parsing or normalization logic built to bridge Wiz data into Chronicle UDM should be audited against what the native pipeline now delivers: fields the transform still populates that the native feed already supplies are redundant, and fields where the two disagree (a severity mapped differently, a vendor name cased differently) will produce two versions of the same finding. The native pipeline may handle what those transforms were doing, or conflict with them.
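The audit described above, and the duplicate-enrichment problem from the Blue Agent paragraph, both reduce to one check: flatten the UDM event the native pipeline delivers, flatten what the legacy transform produced for the same finding, and compare. The helper below is an added example, not Foresite's, Wiz's or Google's code. Field paths follow public UDM naming (metadata.vendor_name, security_result.severity, additional.fields), but both sample events are constructed for illustration, and the list of "required context" paths a playbook checks before enriching is an assumption you would replace with your own.

```python
"""Audit a legacy Wiz -> UDM transform against the native Wiz Defend feed,
and decide whether a playbook still needs a post-detection enrichment step.
Added example; not vendor code. Sample events are constructed."""
from typing import Any


def flatten(node: Any, prefix: str = "") -> dict[str, Any]:
    """Flatten nested UDM (dicts and repeated fields) into dotted paths,
    e.g. security_result.0.severity, so two events can be compared key by key."""
    out: dict[str, Any] = {}
    if isinstance(node, dict):
        for key, value in node.items():
            out.update(flatten(value, f"{prefix}{key}."))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            out.update(flatten(value, f"{prefix}{i}."))
    else:
        out[prefix.rstrip(".")] = node
    return out


def diff_udm(native: dict, legacy: dict) -> dict[str, list[str]]:
    """Classify every field path: redundant (both agree), conflicting (both set,
    different value), or present on only one side."""
    n, l = flatten(native), flatten(legacy)
    shared = n.keys() & l.keys()
    return {
        "redundant": sorted(k for k in shared if n[k] == l[k]),
        "conflicting": sorted(k for k in shared if n[k] != l[k]),
        "legacy_only": sorted(l.keys() - n.keys()),
        "native_only": sorted(n.keys() - l.keys()),
    }


# Assumption: the context a triage playbook needs before it may skip its own
# enrichment step. Adjust to the fields your pipeline actually resolves.
REQUIRED_CONTEXT = (
    "principal.hostname",
    "security_result.0.severity",
    "additional.fields.attack_path_resolved",
)


def missing_context(event: dict, required: tuple[str, ...] = REQUIRED_CONTEXT) -> list[str]:
    """Return the required paths absent from the event. Empty list means the
    context is already pre-resolved and the playbook should not enrich again."""
    present = flatten(event)
    return [p for p in required if p not in present]


# Constructed: what the native feed might deliver for one finding ...
NATIVE = {
    "metadata": {"vendor_name": "Wiz", "product_name": "Wiz Defend",
                 "event_type": "GENERIC_EVENT", "product_event_type": "DETECTION"},
    "principal": {"hostname": "prod-api-01",
                  "cloud": {"environment": "GOOGLE_CLOUD_PLATFORM"}},
    "security_result": [{"severity": "HIGH", "confidence": "HIGH_CONFIDENCE",
                         "summary": "Public bucket reachable from exposed workload"}],
    "additional": {"fields": {"wiz_issue_id": "ISSUE-0001", "attack_path_resolved": True}},
}
# ... and what a pre-Next '26 custom transform produced for the same finding.
LEGACY = {
    "metadata": {"vendor_name": "wiz", "product_name": "Wiz Defend",
                 "event_type": "GENERIC_EVENT"},
    "principal": {"hostname": "prod-api-01"},
    "security_result": [{"severity": "MEDIUM",
                         "summary": "Public bucket reachable from exposed workload"}],
    "additional": {"fields": {"wiz_issue_id": "ISSUE-0001",
                              "enriched_at": "2026-04-23T09:00:00Z"}},
}

if __name__ == "__main__":
    for bucket, paths in diff_udm(NATIVE, LEGACY).items():
        print(f"{bucket:12s} {paths}")
    print("legacy event still missing:", missing_context(LEGACY))
    print("native event still missing:", missing_context(NATIVE))
```

Run against real events, the "conflicting" bucket is the one to act on first: a severity the legacy transform maps differently from the native feed is exactly the divergent-confidence problem a post-detection enrichment step reintroduces.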


The Gap

Wiz Security Graph attack path visualization


Current state:

  • Enrichment happens after detection
  • Detection rules are human-authored
  • Remediation is ticket-driven and generic

New model:

  • Context is pre-resolved before the alert exists
  • Detection is machine-generated by the Detection Engineering Agent
  • Remediation is agent-defined and environment-specific via Green Agent

If your runbooks still assume the first model, you're not just behind — you're running two parallel workflows that produce inconsistent response at exactly the moment consistency matters most.


What This Changes About Control

Agentic workflows don't just move faster. They act.

That shifts the question from "did we detect it?" to "can we defend the decision the system made?"

If your SOC can't show why an agent acted, what data it used, and who — or what governance layer — approved it, then speed becomes liability. An agentic workflow that can't be audited isn't a security control. It's an unmanaged process running inside your security stack.

This is where most teams will fail the transition. Not because the tools don't work — because accountability wasn't designed in before the agents went live.

The Glass Box model Foresite operates under requires every autonomous action to produce an auditable trail: what triggered it, what the agent reasoned, what it executed, and whether a human validated it. That's not a constraint on speed — it's what makes speed defensible in front of a board, a regulator, or an incident responder.
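One concrete shape for the two requirements above, a human gate that sits before execution (the remediation paragraph) and a trail that records trigger, reasoning, execution and validation (the Glass Box paragraph), is sketched below. This is an added example, not Foresite's Glass Box implementation and not Wiz Green Agent code. The risk ranking of action classes, the environment names and the rule that anything beyond a tag in production needs a named approver are assumptions; execution is only recorded, not dispatched. The trail is hash-chained so that editing or dropping an entry after the fact is detectable.

```python
"""Approval gate before agent remediation executes, plus a tamper-evident
audit trail of what triggered it, what the agent reasoned, what ran, and who
validated it. Added example with assumed policy values; not vendor code."""
import hashlib
import json
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProposedAction:
    trigger: str        # finding or alert id that caused the proposal
    reasoning: str      # the agent's stated rationale, kept verbatim
    command: str        # what the agent intends to execute
    target_env: str     # assumed labels: "prod", "staging", "dev"
    action_class: str   # assumed classes, ranked below by blast radius


# Assumption: blast-radius ranking. Unknown classes are treated as the worst case.
RISK = {"tag": 1, "isolate_workload": 2, "revoke_key": 3, "delete_resource": 4}


def decide(action: ProposedAction) -> str:
    """Gate before the agent acts: AUTO only for low-risk changes outside prod."""
    risk = RISK.get(action.action_class, max(RISK.values()))
    if action.target_env == "prod" and risk >= 2:
        return "REQUIRE_HUMAN"
    if risk >= 4:
        return "REQUIRE_HUMAN"
    return "AUTO"


def _digest(prev_hash: str, body: dict) -> str:
    canon = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canon).encode()).hexdigest()


class AuditTrail:
    """Append-only log where every entry commits to the previous entry's hash,
    so a deleted or edited record breaks verify()."""
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def run(self, action: ProposedAction, approver: Optional[str] = None) -> dict:
        decision = decide(action)
        held = decision == "REQUIRE_HUMAN" and approver is None
        body = {
            "trigger": action.trigger,
            "reasoning": action.reasoning,
            "proposed": action.command,
            "target_env": action.target_env,
            "decision": decision,
            "validated_by": approver,           # None for AUTO or HELD
            "status": "HELD" if held else "EXECUTED",  # execution is simulated here
        }
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {"prev": prev, "body": body, "hash": _digest(prev, body)}
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        prev = self.GENESIS
        for entry in self.entries:
            if entry["prev"] != prev or entry["hash"] != _digest(prev, entry["body"]):
                return False
            prev = entry["hash"]
        return True


if __name__ == "__main__":
    trail = AuditTrail()
    fix = ProposedAction("ISSUE-0001", "Leaked key grants storage.admin on prod bucket",
                         "revoke service-account key", "prod", "revoke_key")
    print(trail.run(fix)["body"]["status"])                       # HELD: no approver
    print(trail.run(fix, approver="analyst@example.com")["body"]["status"])  # EXECUTED
    print(trail.run(ProposedAction("ISSUE-0002", "Untagged test VM", "apply owner tag",
                                   "staging", "tag"))["body"]["status"])     # EXECUTED (AUTO)
    print("chain intact:", trail.verify())
```

The point of the gate is its position: decide() runs on the proposal, before anything executes, and the trail records the HELD state as a first-class outcome rather than logging only what ran. Anchor the chain's latest hash somewhere the agent cannot write (a separate log sink or a signed daily checkpoint) and verify() becomes a check an incident responder or auditor can run independently.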


Foresite Glass Box model overview


Who Benefits

Most teams won't benefit from this.

If Google SecOps is just another platform in a five-tool stack, the Wiz integration makes your operations more complex, not more capable. You'll add agent outputs to a pipeline that wasn't built to consume them, and you'll get noise before you get coverage.

The teams that capture the upside are the ones already operating natively inside this stack — who know where Mandiant Threat Defense hooks fire, whose SOAR content is already built on the Wiz Security Graph, and who can re-scope correlation rules without dropping triage velocity in the transition window.

Redis presented the working version at Next '26: Wiz Defend for consistent detection, Blue Agent for alert contextualization, no manual re-investigation. That workflow runs cleanly because the playbooks were already aligned to how Wiz structures context. If yours are not, you enrich twice to reach the same answer while the 22-second clock is running.


How Foresite Operates This

We've already rebuilt runbooks around:

  • Pre-resolved context — not post-enrichment
  • Machine-generated detections — not manual rule authoring
  • Agent-defined remediation paths — not generic ticket queues

That's the difference. Not access to the tools — alignment to how they actually operate.

Foresite's Catalyst platform maps directly to this stack. Citadel (powered by Google Security Operations) runs the detection and response layer, including Wiz Defend integration and the new agent-augmented workflows. Bridge (powered by Mandiant Hunt) runs proactive threat hunting — directly relevant to the Threat Hunting Agent capabilities announced this week. Command (powered by Google Threat Intelligence) feeds the detection content layer, now enhanced by dark web intelligence and M-Trends 2026 telemetry.

We've operated natively inside Chronicle since its launch. We know where the Mandiant hooks fire because we've tuned them across production client environments — not in a lab.


What This Means for Security Leadership

Liability. You now own decisions made by agentic workflows. If they aren't auditable, they aren't defensible — to a regulator, an auditor, or your board after an incident.

Operational risk. The transition window is real exposure. Old runbooks running against a new pipeline produce inconsistent response at exactly the moment consistency matters most.

Financial impact. Running parallel enrichment, detection, and remediation paths doubles analyst effort and slows response time. The integration is designed to eliminate that overhead — but only if the transition is executed cleanly.

The question for your team: can you re-tune faster than your attackers can exploit the gap while you do?

That's the conversation Foresite is built for.

Foresite Cybersecurity is the 2026 Google Cloud Security Partner of the Year (North America). Catalyst delivers Practitioner-Governed Agentic SOC operations built natively on Google Security Operations, Mandiant, and Wiz.

David Grable
David Grable is Vice President of Security Operations.
