Upwind, the next-gen Wiz, now protects every corner of the AI stack


Upwind just released a new product announcement today, and it signals a fundamental shift in the way the company thinks about AI risk.

CEO Amiram Shachar published a lengthy post this morning presenting the “Security for AI” thesis, the companion piece to his earlier push on agentic AI capabilities. The central argument is simple: AI security is not a standalone product category you can bolt on. It has to be integrated into every existing layer of cloud security, from code processing to runtime.

The attack surface has moved

The most surprising part of Shachar’s approach is his argument about where the real action is happening now. Traditional runtime security spent years looking at process execution, malware signatures, and network flows.

That’s increasingly the wrong place to look. The interesting threat activity has moved to the application layer: to APIs, payloads, prompts, and the thousands of MCP calls a single AI agent triggers to complete a task. When a model receives a message, calls a tool, accesses an MCP server, retrieves data from a data store, and returns a payload, each hop in that chain is an exposure point. Prompt injection, data leakage, tool calls with excessive permissions: none of that shows up when you’re inspecting packets.

Inventory problem now critical

One of the most practical points of the announcement concerns cloud inventory. There are now more ways than ever to consume AI in the cloud, through managed services like AWS Bedrock, Azure AI Foundry, and Vertex AI, through self-hosted open source models, or through custom agents, MCP servers, knowledge bases, and inference endpoints.

The problem is that teams in your organization are constantly changing them, often without security visibility. Upwind’s answer is an AI inventory layer that goes beyond a flat list of resources to map the relationships, dependencies, and risks between components.

What that looks like in practice: Each Bedrock Agent, Azure OpenAI Assistant, and self-hosted agent appears next to the model behind it, whether it has guardrails enabled, its last invocation timestamp, and the non-human identity it runs under. Data stores that power AI workloads are flagged for PII, PHI, and exposed secrets. MCP servers display their authentication method and public versus private exposure status. Shachar notes that MCP gateways publicly exposed in a degraded state are a primary target for attackers, and based on how quickly MCP adoption is accelerating, that’s not a hypothetical concern.

Shifting left isn’t dead, it just needs to run faster

On the code side, Upwind is upgrading its scanning capabilities to keep pace with AI-generated code, a fundamentally different challenge than reviewing human-written commits. Speed has increased by an order of magnitude, with more code from more sources, merged faster, and more dependencies built in automatically. The company highlights the work of its own research team that discovered the Shai-Hulud campaign, a compromised package that moved through the supply chain and into build pipelines, as a preview of what this threat landscape looks like in practice.

What’s next to come?

Upwind indicates that there will be more to come. The next piece is to secure the AI endpoints themselves, the point where prompts and responses actually cross the wire, with a private preview already open for registration.

The broader bet Upwind is making is that the security industry still treats AI as a niche concern, a new box to check rather than a common thread running through all existing risk categories. Whether you buy that framework or not, the essence of the product here is real: inventory, runtime behavior baselines, and supply chain scanning that’s been redesigned for the agent era. This is a more coherent AI safety story than most vendors are telling at this point.


