Runtime-first cloud and AI security, built by people who already sold one company to NetApp and apparently liked the exercise.
A security engineer at a streaming company is staring at a dashboard. The dashboard is full. The dashboard is always full. Eleven thousand vulnerabilities, all marked critical, all glowing the same shade of red. Somewhere in there is the one that matters. Somewhere in there is the breach that hasn't happened yet.
This is the room Upwind walked into. Cloud security tools, by 2022, had become very good at producing lists. They were not as good at producing answers. Scanners surfaced everything a container could theoretically be vulnerable to, regardless of whether the vulnerable library was loaded, the port was open, or the workload was even running. The result was alert fatigue dressed up as diligence.
Upwind's pitch was simple to say and harder to build: stop guessing from snapshots, watch the thing while it runs.
"Scanners tell you what could go wrong. Runtime tells you what is." The Upwind thesis, distilled
By the early 2020s, the average enterprise security team was running between six and a dozen overlapping tools just to cover the cloud. There was a posture tool (CSPM), a vulnerability tool, a container tool, a Kubernetes tool, an IaC tool, an API tool, and a separate tool to correlate the output of the first six. The cloud-native application protection platform - CNAPP, in the jargon - was supposed to be the antidote. In practice it became a sticker that vendors put on the same buffet of disconnected scanners.
The pain was specific. A pre-production scan would flag 4,000 CVEs in a base image. A runtime check, if you had one, would reveal that fewer than 80 of those packages were actually loaded into memory. The other 3,920 were noise. Engineers learned to ignore the dashboard. Attackers learned this too.
"If your security tool can't tell you what's running right now, what exactly are you paying for?" A CISO, paraphrased, in roughly every Upwind sales call
The market wanted fewer screens, sharper signal, and a way to triage findings that mapped to actual blast radius. The incumbents had every incentive to keep things complicated. The opening was obvious. Closing it required someone who had built infrastructure at scale before, knew the kernel, and was not afraid to start over.
Amiram Shachar had been here before. In 2015 he co-founded Spot.io, a cloud optimization company that NetApp acquired in 2020 for a reported $450 million. After the lock-up, most founders take a sabbatical. Shachar took meetings. The conversations kept circling the same complaint from security buyers - the tools didn't scale with the cloud they were supposed to protect.
In 2022 he co-founded Upwind alongside Liran Polak, Lavi Ferdman, and Tal Zuri - all from the Spot.io engineering bench. Bringing the entire founding team forward is unusual; in cybersecurity, exits typically scatter operators across half a dozen new ventures. Upwind kept the band together.
The thesis was crisp: combine the depth of a Spot-style cloud-native data plane with eBPF-based runtime visibility, and you could finally tell teams which findings to fix first - not based on CVSS scores, but based on whether the vulnerable code was actually running, exposed, and reachable.
Upwind's CNAPP folds the usual constellation of cloud security tools into a single platform - posture, vulnerability management, container security, IaC scanning, API security, data security, and runtime detection. The trick is not the breadth. Plenty of vendors claim breadth. The trick is the runtime layer underneath everything, an eBPF sensor that watches workloads as they execute and feeds context back into every other module.
When the scanner finds a CVE, the runtime layer can say: yes, but the vulnerable function is never called. When the posture tool flags an open S3 bucket, the runtime layer can say: yes, but no process has touched it in 90 days. The output is a shorter, sharper list. The metric customers quote is roughly a 10x reduction in noisy findings.
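The prioritization described above, where loaded and exposed outranks raw CVSS, as an added example that is not Upwind's code or sensor logic: it reads constructed /proc/<pid>/maps text rather than eBPF events and treats "exposed" as "mapped by a process with a listening socket". The process names, package names, file paths, and CVE-EXAMPLE identifiers are placeholders.

```python
# Constructed runtime evidence: (has non-loopback listener, /proc/<pid>/maps excerpt).
PROCESSES = {
    "app-server": (True, """\
55d0c8a00000-55d0c8a21000 r-xp 00000000 08:01 131 /usr/bin/app-server
7f3a10000000-7f3a10200000 r-xp 00000000 08:01 402 /usr/lib/libssl.so.3 (deleted)
7f3a10600000-7f3a10700000 r-xp 00000000 08:01 377 /usr/lib/libz.so.1
7f3a10800000-7f3a10821000 rw-p 00000000 00:00 0 [heap]
"""),
    "batch-worker": (False, """\
7f1b20000000-7f1b20150000 r-xp 00000000 08:01 519 /usr/lib/libxml2.so.2
7f1b20200000-7f1b20221000 rw-p 00000000 00:00 0
"""),
}
# Constructed package-to-file ownership, as a package database would report it.
PACKAGE_FILES = {
    "libssl3": {"/usr/lib/libssl.so.3"},
    "zlib1g": {"/usr/lib/libz.so.1"},
    "libxml2": {"/usr/lib/libxml2.so.2"},
    "imagemagick": {"/usr/bin/convert"},
}
# Constructed scanner output: (placeholder id, package, CVSS score).
FINDINGS = [
    ("CVE-EXAMPLE-0001", "imagemagick", 9.8),
    ("CVE-EXAMPLE-0002", "libxml2", 9.1),
    ("CVE-EXAMPLE-0003", "libssl3", 7.5),
    ("CVE-EXAMPLE-0004", "zlib1g", 5.3),
]
DELETED = " (deleted)"  # suffix the kernel adds when a mapped file was unlinked

def mapped_files(maps_text):
    """Paths of file-backed mappings; skips [heap] and anonymous regions."""
    paths = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) == 6 and fields[5].startswith("/"):
            path = fields[5]
            paths.add(path[:-len(DELETED)] if path.endswith(DELETED) else path)
    return paths

def triage(findings, package_files, processes):
    """Rank by (exposed, loaded, CVSS) so runtime context outranks raw score."""
    ranked = []
    for cve, package, cvss in findings:
        files = package_files.get(package, set())
        flags = [listening for listening, maps in processes.values()
                 if files & mapped_files(maps)]
        state = "exposed" if any(flags) else "loaded" if flags else "not loaded"
        ranked.append((any(flags), bool(flags), cvss, cve, state))
    return [(cve, state) for *_, cve, state in sorted(ranked, reverse=True)]
```

Calling `triage(FINDINGS, PACKAGE_FILES, PROCESSES)` puts the 7.5 and 5.3 findings ahead of the 9.8 one, because the highest-scored package is never mapped by any process.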
The unified platform - posture, vulns, containers, IaC, and runtime in one console.
Runtime threat detection across AWS, Azure, GCP, and Kubernetes via eBPF sensors.
Discovery and protection for live APIs, including the shadow and zombie ones nobody owns.
Maps where sensitive data lives and who is talking to it.
Protection for AI and LLM workloads, models, and data pipelines.
Agents that triage findings, investigate alerts, and propose fixes for the human in the loop.
"The win is not finding more. It is finding less, and being right about it." The runtime-first sales line, used often
Customer adoption tells the second half of the story. The roster - Roku, Carvana, Waste Management, Siemens, Wix, Check Point, Peloton, ClickUp, Agoda, TheRealReal, Vestiaire Collective, Nextdoor, Vectra, CAVA - is the kind of list that tends to follow product-market fit rather than precede it. Check Point in particular is notable: a competitor in adjacent categories shipping Upwind in its own stack is not the kind of endorsement you can buy.
"We were paying for three tools that argued with each other. We replaced them with one that didn't." A platform engineering lead at a Fortune 500 customer
Upwind's stated mission is to "turn code, posture, and runtime into a real-time intelligence layer." Translated out of marketing: shrink the gap between something happening in production and someone qualified knowing about it. The cloud already moves faster than humans can scan. The AI layer moves faster than the cloud. The only honest response is to instrument the runtime and let machines do the first pass of triage.
That is also where the AI Agentic Pack comes in. Rather than treating AI only as a separate category to be secured, Upwind is also using AI as the analyst tier inside the platform - agents that take an alert, walk the call graph, check what's exposed, and present a triaged finding to a human. It is the same logic that made runtime context valuable in the first place, applied one layer up.
The cybersecurity market is not short on companies. It is short on companies that meaningfully reduce the work a security team has to do. Upwind is one of a small handful betting that the next decade of cloud defense will be won by whoever fuses posture and runtime into a single source of truth - and then layers AI on top so the humans only see the findings that need a human.
If they're right, the streaming company's 3 a.m. engineer is not staring at 11,000 alerts. She is looking at twelve. Eleven of them are noted and queued. The twelfth is the one she's working on. The dashboard, for once, is not full.
It is 3:14 a.m. The pager has not gone off. That is, eventually, the whole point.