
Upwind secures the entire AI stack with next-gen wizardry

Summary

– Upwind announced a new “Security for AI” thesis, arguing AI security must be integrated into all cloud security layers rather than being a standalone product.
– The attack surface has shifted from traditional runtime monitoring to application-layer threats like APIs, prompts, and MCP calls, where each hop in an AI agent’s chain is an exposure point.
– Upwind introduced an AI inventory layer that maps the relationships and risks between components, tracking Bedrock Agents, Azure OpenAI Assistants and MCP servers, and flagging the datastores that feed them for PII and exposed secrets.
– The company is updating scanning capabilities to handle AI-generated code, which has higher velocity and more dependencies, citing the Shai-Hulud campaign as an example of supply chain risks.
– Upwind plans to secure AI endpoints where prompts and responses cross the wire, with a private preview open, positioning AI security as a thread through all risk categories.

Upwind announced a major product launch today, marking a pivotal evolution in how the company approaches AI risk management. CEO Amiram Shachar published a detailed post this morning outlining the firm’s “Security for AI” thesis, a natural extension of its earlier focus on agentic AI capabilities. The central premise is straightforward: AI security cannot exist as a standalone product that gets bolted on after the fact. Instead, it must be integrated into every existing layer of cloud security, from the code pipeline all the way through to runtime operations.

The attack surface has fundamentally shifted. Shachar’s analysis highlights a critical blind spot in traditional runtime security, which has long focused on monitoring process execution, malware signatures, and network traffic. That approach is increasingly obsolete. The most significant threat activity now occurs at the application layer, involving APIs, payloads, prompts, and the hundreds of MCP calls a single AI agent triggers to complete a task. When a model receives a prompt, calls a tool, accesses an MCP server, retrieves data from a datastore, and returns a payload, each step in that chain becomes a potential exposure point. Threats like prompt injection, data leakage, and over-permissioned tool calls simply don’t appear when you’re only watching network packets.

The inventory problem has become critical. There are now more ways than ever to consume AI in the cloud, through managed services like AWS Bedrock, Azure AI Foundry, and Vertex AI, as well as self-hosted open-source models, custom agents, MCP servers, knowledge bases, and inference endpoints. The challenge is that teams across an organization are constantly spinning these up, often without any security visibility. Upwind’s solution is an AI inventory layer that goes beyond a flat resource list to map the relationships, dependencies, and risks between components. In practice, this means every Bedrock Agent, Azure OpenAI Assistant, and self-hosted agent is surfaced alongside the model behind it, showing whether guardrails are enabled, the last invocation timestamp, and the non-human identity it runs as. Datastores feeding AI workloads get flagged for PII, PHI, and exposed secrets. MCP servers display their authentication method and public versus private exposure status.

Shachar specifically calls out publicly exposed MCP gateways in a degraded state as a prime target for attackers, and given how fast MCP adoption is accelerating, that concern is far from hypothetical.
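The relationship mapping described above, reduced to its core, is a directed graph walk: start at each agent, follow every chain it can trigger (model, MCP server, datastore), and rate the chain by its weakest hop. The block below is an added example written for this page, not Upwind's code or output; the component names, attributes and edges are constructed sample data, and the severity rules (a sensitive datastore behind an unauthenticated public MCP server is critical, either condition alone is high) are assumptions chosen to match the article's description.

```python
"""Added example, not Upwind's code: a minimal AI inventory graph that links
agents to the models, MCP servers and datastores they reach, and scores every
chain an agent can trigger by its weakest hop. Component names, attributes
and edges are constructed sample data standing in for scanner output."""
from dataclasses import dataclass, field

SENSITIVE = {"PII", "PHI", "SECRETS"}   # classifications that make a datastore a target


@dataclass
class Component:
    id: str
    kind: str                  # "agent", "model", "mcp_server" or "datastore"
    attrs: dict = field(default_factory=dict)


# Constructed inventory for one account (hypothetical names).
INVENTORY = {c.id: c for c in [
    Component("agent:support-bot", "agent",
              {"guardrails": False, "runs_as": "role/support-bot-exec"}),
    Component("model:foundation-model", "model"),
    Component("mcp:tickets", "mcp_server", {"auth": "none", "public": True}),
    Component("mcp:internal-kb", "mcp_server", {"auth": "oauth", "public": False}),
    Component("ds:customer-db", "datastore", {"classifications": ["PII"]}),
    Component("ds:kb-index", "datastore", {"classifications": []}),
]}

# Directed "can reach / depends on" edges, as a scanner would derive them
# from agent configuration, tool definitions and MCP server settings.
EDGES = [
    ("agent:support-bot", "model:foundation-model"),
    ("agent:support-bot", "mcp:tickets"),
    ("agent:support-bot", "mcp:internal-kb"),
    ("mcp:tickets", "ds:customer-db"),
    ("mcp:internal-kb", "ds:kb-index"),
]


def local_findings(c):
    """Risks visible on a single component, independent of its neighbours."""
    out = []
    if c.kind == "agent" and not c.attrs.get("guardrails", False):
        out.append("agent runs without guardrails")
    if c.kind == "mcp_server" and c.attrs.get("public") and c.attrs.get("auth") in (None, "none"):
        out.append("MCP server publicly reachable without authentication")
    if c.kind == "datastore":
        hit = SENSITIVE & set(c.attrs.get("classifications", []))
        if hit:
            out.append("datastore holds " + ",".join(sorted(hit)))
    return out


def paths_from(edges, start):
    """Every simple path from `start` along the directed edges (DFS, cycle-safe)."""
    adj = {}
    for a, b in edges:
        adj.setdefault(a, []).append(b)
    paths = []

    def walk(node, path):
        nxt = [n for n in adj.get(node, []) if n not in path]
        if not nxt:
            paths.append(path)
            return
        for n in nxt:
            walk(n, path + [n])

    walk(start, [start])
    return paths


def exposure_report(inventory, edges):
    """For each agent, score every chain it can trigger. A sensitive datastore
    reached through an unauthenticated public MCP server is rated critical;
    either condition alone is high; any other finding on the chain is medium."""
    report = []
    for agent in (c for c in inventory.values() if c.kind == "agent"):
        for path in paths_from(edges, agent.id):
            findings = [f for node in path for f in local_findings(inventory[node])]
            last = inventory[path[-1]]
            sensitive = last.kind == "datastore" and bool(
                SENSITIVE & set(last.attrs.get("classifications", [])))
            open_mcp = any("without authentication" in f for f in findings)
            if sensitive and open_mcp:
                severity = "critical"
            elif sensitive or open_mcp:
                severity = "high"
            elif findings:
                severity = "medium"
            else:
                severity = "info"
            report.append({"agent": agent.id, "runs_as": agent.attrs.get("runs_as"),
                           "path": path, "severity": severity, "findings": findings})
    return report


if __name__ == "__main__":
    for row in exposure_report(INVENTORY, EDGES):
        print(row["severity"].upper(), " -> ".join(row["path"]), row["findings"])
```

The point of scoring the path rather than the node is that none of the three local findings (no guardrails, open MCP server, PII in a table) is critical on its own; the chain that connects them is, and the non-human identity recorded on the agent is what an incident responder would need first.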

Shift left isn’t dead, but it has to run faster. On the code side, Upwind is updating its scanning capabilities to keep pace with AI-generated code, a fundamentally different challenge from reviewing human-authored commits. Velocity has increased by an order of magnitude, with more code from more sources, merged faster, and more dependencies pulled in automatically. The company points to its own research team’s work uncovering the Shai-Hulud campaign, in which compromised npm packages spread through the supply chain and into build pipelines, as a preview of what this threat landscape looks like in practice.
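One concrete place the "more dependencies pulled in automatically" problem shows up is the lockfile: an AI-authored commit that adds one direct dependency can silently bring in transitive packages with install-time scripts, the mechanism a compromised package uses to run on a developer's machine or in CI. The block below is an added example for this page, not Upwind's scanner. It diffs two npm package-lock.json documents in the lockfileVersion 2/3 layout (entries under "packages" keyed by node_modules path, with the real `hasInstallScript`, `resolved` and `integrity` fields) and decides whether the change should be held for review. Both lockfiles, the package names in them and the gating rules are constructed assumptions.

```python
"""Added example, not Upwind's scanner: diff two npm package-lock.json documents
(lockfileVersion 2/3 layout, where "packages" is keyed by node_modules path) and
flag what a fast-moving change pulled in. Both lockfiles are constructed sample
data with hypothetical package names; the review rules are assumptions about
what a reviewer of AI-generated commits would want surfaced, not npm policy."""
from urllib.parse import urlparse

TRUSTED_REGISTRY = "registry.npmjs.org"   # assumption: only this host is expected

BEFORE = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "app", "dependencies": {"lodash": "^4.17.20"}},
        "node_modules/lodash": {
            "version": "4.17.20",
            "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz",
            "integrity": "sha512-AAA"},
    },
}

AFTER = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "app", "dependencies": {"lodash": "^4.17.21", "fast-cli": "^1.0.0"}},
        "node_modules/lodash": {
            "version": "4.17.21",
            "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
            "integrity": "sha512-BBB"},
        "node_modules/fast-cli": {
            "version": "1.0.0",
            "resolved": "https://registry.npmjs.org/fast-cli/-/fast-cli-1.0.0.tgz",
            "integrity": "sha512-CCC",
            "dependencies": {"postinstall-helper": "^0.3.0", "oddlib": "^2.0.0"}},
        # transitive dependency with a lifecycle script: code runs on `npm install`
        "node_modules/postinstall-helper": {
            "version": "0.3.0",
            "resolved": "https://registry.npmjs.org/postinstall-helper/-/postinstall-helper-0.3.0.tgz",
            "integrity": "sha512-DDD",
            "hasInstallScript": True},
        # transitive dependency fetched outside the registry and without a hash
        "node_modules/oddlib": {
            "version": "2.0.0",
            "resolved": "https://example.invalid/oddlib-2.0.0.tgz"},
    },
}


def package_name(path):
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (nested and scoped paths)."""
    return path.rsplit("node_modules/", 1)[-1]


def diff_lockfiles(before, after):
    """Return (findings, removed). A finding is emitted for every package entry
    that is new or whose version/integrity changed, with the reasons a reviewer
    should look at it; unchanged entries are skipped."""
    old, new = before.get("packages", {}), after.get("packages", {})
    root = new.get("", {})
    direct = set(root.get("dependencies", {})) | set(root.get("devDependencies", {}))
    findings = []
    for path, entry in new.items():
        if path == "":
            continue
        prev = old.get(path)
        if prev is None:
            change = "added"
        elif (prev.get("version"), prev.get("integrity")) != (entry.get("version"), entry.get("integrity")):
            change = "changed"
        else:
            continue
        name = package_name(path)
        reasons = []
        if entry.get("hasInstallScript"):
            reasons.append("runs an install script")
        if not entry.get("integrity"):
            reasons.append("no integrity hash")
        host = urlparse(entry.get("resolved", "")).netloc
        if host and host != TRUSTED_REGISTRY:
            reasons.append(f"resolved from {host}")
        if name not in direct:
            reasons.append("transitive, not declared in package.json")
        findings.append({"package": name, "change": change,
                         "version": entry.get("version"), "reasons": reasons})
    removed = [package_name(p) for p in old if p and p not in new]
    return findings, removed


def should_hold(findings):
    """Gate policy (assumption): block the merge until a human has looked at any
    newly added package that runs an install script, and at anything without an
    integrity hash or fetched from outside the trusted registry."""
    for f in findings:
        if f["change"] == "added" and "runs an install script" in f["reasons"]:
            return True
        if any(r.startswith(("no integrity", "resolved from")) for r in f["reasons"]):
            return True
    return False


if __name__ == "__main__":
    found, gone = diff_lockfiles(BEFORE, AFTER)
    for f in found:
        print(f["change"], f["package"], f["version"], "; ".join(f["reasons"]))
    print("hold merge:", should_hold(found), "removed:", gone)
```

Run as a pre-merge check, this holds the constructed change for exactly the two packages the commit author never typed: the one with an install script and the one fetched off-registry without a hash. The direct bump of lodash and the declared fast-cli pass through, which is the balance a faster shift-left pipeline needs: it gates on what the change pulled in, not on the volume of the change itself.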

There is more on the horizon. Upwind is signaling that the next piece involves securing AI endpoints themselves, the point where prompts and responses actually cross the wire, with a private preview already open for registration. The broader bet Upwind is making is that the security industry is still treating AI as a niche concern, a new box to check rather than a thread running through every existing risk category. Whether you buy that framing or not, the product substance here is real: inventory, runtime behavioral baselines, and supply chain scanning that has been rearchitected for the agentic era. That is a more coherent AI security story than most vendors are telling right now.

(Source: The Next Web)
