Upwind today released a new product announcement that marks a major shift in the company’s thinking about AI risk.
CEO Amiram Shachar published a lengthy post this morning laying out Upwind’s “Security for AI” thesis, a companion piece to the company’s earlier push around agentic AI capabilities. The main argument is simple: AI security is not an independent product category that you can close off. It must touch every layer of cloud security, from the code pipeline to the runtime.
The attack surface has moved
The most striking part of Shachar’s framing is his argument about where the real action is happening now. Traditional runtime security spent years monitoring process execution, malware signatures, and network flows.
That is increasingly the wrong place to look. The interesting threat activity has moved to the application layer: APIs, payloads, prompts, and the thousands of MCP calls that enable a single AI agent to complete a task. When a model receives a request, calls a tool, touches the MCP server, retrieves data from the datastore, and returns a payload, each hop in this chain is an exposure point. Prompt injection, data leakage, and excessively permitted tool calls: none of these appear when you look at packets.
The inventory problem is now critical
One of the more practical points in the announcement relates to cloud inventory. There are now more ways than ever to use AI in the cloud: managed services like AWS Bedrock, Azure AI Foundry, and Vertex AI, self-hosted open source models, and custom agents, MCP servers, knowledge bases, and inference endpoints.
The bottom line is that teams in your organization are constantly rolling them out without any security visibility. Upwind’s answer is an AI inventory layer that goes beyond a flat resource list to map relationships, dependencies, and risks between components.
Here’s what it looks like in practice: every Bedrock Agent, Azure OpenAI Assistant, and self-hosted agent is visible alongside the model behind it, whether or not guardrails are enabled, the last call timestamp, and the non-human identity it runs as. PII, PHI, and exposed secrets are flagged in the data stores that feed AI workloads. MCP servers show their auth method and their public or private exposure status. Shachar cites publicly exposed MCP gateways in a degraded state as prime targets for attackers, and given how quickly MCP adoption is accelerating, this is not a hypothetical concern.
Shift left isn’t dead, it just needs to work faster
On the code side, Upwind is updating its scanning capabilities to keep up with AI-generated code, which is a completely different challenge from reviewing human-written commits. Velocity increases by orders of magnitude: more code from more sources, faster merges, and more dependencies pulled in automatically. The company points to its research team’s work uncovering the Shai-Hulud campaign, which moved through the supply chain into build pipelines, as a glimpse into what this threat landscape looks like in practice.
What else is coming
Upwind signals that there is more to come. The next piece covers the AI endpoints themselves, the point where prompts and responses actually go over the wire, in a private preview that is now open for registration.
The broader bet Upwind is making is that the security industry still sees AI as a new box to check, rather than a theme that runs through every existing risk category. Whether you buy this framing or not, the product substance here is real: inventory, runtime behavioral baselines, and supply chain scanning, re-engineered for the agentic era. This is a more coherent AI security story than most vendors are telling right now.






