Upwind, the Next-gen Wiz, now protects every corner of the AI stack

Upwind just dropped a new product announcement today, and it marks a significant shift in the way the company thinks about AI risk.
CEO Amiram Shachar published a lengthy post this morning laying out what he calls Upwind's “AI security” thesis, a piece that coincides with the company's early push for agentic AI capabilities. The main argument is simple: AI security is not a stand-alone product category that can be handled on its own. It must be woven into every existing layer of cloud security, from the code pipeline to the runtime.
The attack surface has moved
The most striking part of Shachar’s post is his argument about where the real action takes place now. Traditional runtime security has spent years looking at process execution, malware signatures, and network flows.
That is increasingly the wrong place to look. The interesting threat activity has moved up to the application layer: to the APIs, the payloads, the prompts, and the thousands of MCP calls a single AI agent makes to complete a task. When a model receives data, calls a tool, hits an MCP server, pulls from a data store, and returns a payload, each hop in that chain is an exposure point. Prompt injection, data leaks, overridden tool calls: none of that shows up when you watch the packets.
The inventory problem is now critical
One of the most useful points in the announcement concerns cloud inventory. There are now more ways than ever to use AI in the cloud, through managed services like AWS Bedrock, Azure AI Foundry, and Vertex AI, through self-hosted open source models, or through custom agents, MCP servers, databases, and endpoints.
The bottom line is that teams throughout your organization are constantly standing these up, often without any visible security oversight. Upwind’s answer is an AI inventory layer that goes beyond a flat resource inventory to map relationships, dependencies, and risks between components.
What that looks like in practice: every Bedrock agent, Azure OpenAI assistant, and self-hosted agent is shown next to the model behind it, whether it has guardrails enabled, its last invocation timestamp, and the identity it acts as. Data stores that feed AI workloads are flagged for PII, PHI, and exposed secrets. MCP servers are shown with their authentication mechanism and public exposure status. Shachar calls out MCP gateways that are publicly exposed in a degraded state as a target for attackers, and based on how fast MCP adoption is moving, that’s not an imaginary concern.
Shift left is not dead, it has to run faster
On the code side, Upwind is updating its scanning capabilities to keep up with AI-generated code, a very different challenge than scanning human-authored commits. Velocity increases by an order of magnitude, with more code from multiple sources, shipped faster, and more dependencies pulled in automatically. The company points to its research team's work uncovering the Shai-Hulud campaign, a package compromise that passed through supply chains and build pipelines, as a preview of what this threat landscape looks like in action.
What is yet to come
Upwind signals that there is more to come. The next installment secures the AI endpoints themselves, the place where prompts and responses cross the wire, with a private preview that’s already open for registration.
The broad bet that Upwind is making is that the security industry still treats AI as a separate concern, a new box to be checked rather than a thread that runs through all risk categories. Whether you buy that framing or not, the product here is concrete: inventory, runtime behavioral baselines, and supply chain scanning reworked for the agent era. That’s a much more substantive AI security story than most vendors are telling right now.




