Upwind just dropped a new product announcement today, and it signals a fundamental shift in how the company thinks about AI risk.
CEO Amiram Shachar published a lengthy post this morning laying out Upwind’s “Security for AI” thesis, the companion piece to their earlier push around agentic AI capabilities. The core argument is simple: AI security isn’t a standalone product category you can bolt on. It has to be woven into every existing layer of cloud security, from the code pipeline all the way through to runtime.
The attack surface has moved
The most striking part of Shachar’s framing is his argument about where the real action now happens. Traditional runtime security spent years watching process execution, malware signatures, and network flows.
That’s increasingly the wrong place to look. The interesting threat activity has moved up to the application layer: to APIs, payloads, prompts, and the thousands of MCP calls a single AI agent fires off to complete a task. When a model receives a prompt, calls a tool, hits an MCP server, retrieves from a datastore, and returns a payload, every hop in that chain is an exposure point. Prompt injection, data leakage, and over-permissioned tool calls are visible only in the content of those requests and responses; on the wire they are ordinary TLS sessions to model and tool endpoints, so packet-level monitoring sees a healthy-looking flow and none of the problem.
The inventory problem is now critical
One of the more practical points in the announcement concerns cloud inventory. There are now more ways than ever to consume AI in the cloud, through managed services like AWS Bedrock, Azure AI Foundry, and Vertex AI, through self-hosted open-source models, or through custom agents, MCP servers, knowledge bases, and inference endpoints.
The kicker is that teams across your org are spinning these up constantly, often without security having any visibility. Upwind’s answer is an AI inventory layer that goes beyond a flat resource list to map the relationships, dependencies, and risks between components.
What that looks like in practice: every Bedrock Agent, Azure OpenAI Assistant, and self-hosted agent surfaces alongside the model behind it, whether it has guardrails enabled, its last invocation timestamp, and the non-human identity it runs as. Datastores feeding AI workloads get flagged for PII, PHI, and exposed secrets. MCP servers show their auth method and public vs. private exposure status. Shachar calls out publicly exposed MCP gateways in a degraded state as a prime target for attackers, and based on how fast MCP adoption is accelerating, that’s not a hypothetical concern.
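To make the two points above concrete (the hop-by-hop exposure in an agent call chain, and an inventory that maps relationships rather than listing resources), here is an added example written for this page; it is not Upwind’s code, schema or detection logic. It builds a toy inventory in which agents are linked to their model, non-human identity, guardrail state, MCP servers and datastores, derives findings from those links (a public, unauthenticated MCP server feeding an agent that reads secrets; a server exposing tools the agent’s identity was never granted), and then checks a recorded prompt-to-response chain against that inventory. Every class, field, record, the `(kind, detail)` hop format and the single AWS-style key pattern are constructed assumptions; the agent, servers and datastores are invented sample data.

```python
# Added example, not Upwind's code: a relationship-aware AI-asset inventory
# and a hop-level check of an agent call chain against it. All names, fields,
# records and the hop format below are constructed for illustration.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class McpServer:
    name: str
    auth: str           # assumed vocabulary: "none", "api_key" or "oauth"
    public: bool        # reachable from the internet?
    tools: frozenset    # tool names the server exposes


@dataclass(frozen=True)
class Datastore:
    name: str
    classifications: frozenset   # e.g. {"PII"}, {"PHI"}, {"secrets"}


@dataclass(frozen=True)
class Agent:
    name: str
    model: str
    identity: str               # non-human identity the agent runs as
    guardrails: bool
    allowed_tools: frozenset    # what that identity is meant to call
    mcp_servers: tuple          # names of McpServer records
    datastores: tuple           # names of Datastore records


def inventory_findings(agent, mcps, stores):
    """Findings that only fall out of the relationships, not a flat asset list."""
    out = []
    if not agent.guardrails:
        out.append(f"{agent.name}: guardrails disabled on {agent.model}")
    # Everything the agent can reach through the datastores it is wired to.
    sensitive = {c for d in agent.datastores for c in stores[d].classifications}
    for m in agent.mcp_servers:
        srv = mcps[m]
        if srv.public and srv.auth == "none":
            out.append(f"{srv.name}: publicly exposed MCP server with no auth")
            if sensitive:
                out.append(f"{srv.name}: unauthenticated path into {agent.name}, "
                           f"which reads {sorted(sensitive)} data")
        extra = srv.tools - agent.allowed_tools
        if extra:
            out.append(f"{agent.name}: {srv.name} exposes tools beyond its grant: "
                       f"{sorted(extra)}")
    return out


# Hypothetical secret shape: an AWS access key ID (AKIA + 16 uppercase alphanumerics).
SECRET_RE = re.compile(r"AKIA[0-9A-Z]{16}")


def trace_findings(agent, mcps, stores, hops):
    """Walk a recorded prompt -> tool -> MCP -> datastore -> response chain.

    hops is a list of (kind, detail) pairs, a constructed format rather than any
    vendor's trace schema. "prompt" hops are carried along but not judged here.
    """
    out = []
    served = set().union(*(mcps[m].tools for m in agent.mcp_servers))
    touched = set()   # classifications of datastores read so far in this chain
    for kind, detail in hops:
        if kind == "tool_call":
            if detail not in agent.allowed_tools:
                out.append(f"over-permissioned tool call: {detail}")
            if detail not in served:
                out.append(f"tool not served by any inventoried MCP server: {detail}")
        elif kind == "retrieve":
            touched |= stores[detail].classifications
        elif kind == "response":
            if "secrets" in touched and SECRET_RE.search(detail):
                out.append("possible secret leakage in response payload")
    return out


# Constructed sample inventory and call chain.
MCPS = {
    "crm-mcp": McpServer("crm-mcp", "oauth", False, frozenset({"lookup_customer"})),
    "ops-mcp": McpServer("ops-mcp", "none", True, frozenset({"read_config", "rotate_key"})),
}
STORES = {
    "customers": Datastore("customers", frozenset({"PII"})),
    "vault-mirror": Datastore("vault-mirror", frozenset({"secrets"})),
}
SUPPORT_AGENT = Agent(
    "support-agent", "model-x", "svc-support-agent", guardrails=False,
    allowed_tools=frozenset({"lookup_customer", "read_config"}),
    mcp_servers=("crm-mcp", "ops-mcp"), datastores=("customers", "vault-mirror"),
)
HOPS = [
    ("prompt", "rotate the API key for customer 42"),
    ("tool_call", "lookup_customer"),
    ("tool_call", "rotate_key"),            # never granted to this identity
    ("retrieve", "vault-mirror"),
    ("response", "Done, new key AKIAEXAMPLE123456789 issued."),
]

if __name__ == "__main__":
    for f in inventory_findings(SUPPORT_AGENT, MCPS, STORES) + \
             trace_findings(SUPPORT_AGENT, MCPS, STORES, HOPS):
        print("-", f)
```

Two design points worth noticing. The inventory finding about `ops-mcp` being an unauthenticated path into secrets only exists because the agent, the server and the datastore are joined; none of the three records is alarming on its own. And the trace check compares each tool call against the identity’s grant rather than against what the server happens to expose, which is the difference between a least-privilege check and a “did it work” check.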
Shift left isn’t dead; it just has to run faster
On the code side, Upwind is updating its scanning capabilities to keep pace with AI-generated code, a fundamentally different challenge from reviewing human-authored commits: velocity is up by an order of magnitude, with more code from more sources, merged faster, and more dependencies pulled in automatically. The company points to its own research team’s work uncovering the Shai-Hulud campaign, a self-propagating npm worm that spread through compromised packages and into build pipelines, as a preview of what this threat landscape looks like in practice.
What’s still coming
Upwind is signaling more to come. The next piece is securing AI endpoints themselves, the point where prompts and responses actually cross the wire, with a private preview already open for registration.
The broader bet Upwind is making is that the security industry is still treating AI as a niche concern, a new box to check rather than a thread running through every existing risk category. Whether you buy that framing or not, the product substance here is real: inventory, runtime behavioral baselines, and supply chain scanning that has been rearchitected for the agentic era. That’s a more coherent AI security story than most vendors are telling right now.
TNW newsroom and editorial staff were not involved in the creation of this content.
