Upwind has launched AI Agentic Pack, a set of AI agents built into its Cloud and AI Security Platform to help security teams investigate threats, validate real exposure, and move remediation work along faster. The launch comes as cloud security teams face a familiar problem: too many findings, too many alerts, and not enough time to determine which risks actually matter. Cloud environments change constantly, and security teams often have to connect signals across workloads, identities, APIs, applications, and infrastructure before they can decide what needs action.
Cloud Security Teams Need Better Context
Upwind is positioning the AI Agentic Pack around runtime context. The goal is to help teams understand what is actively running, what is exposed, and how different parts of the environment connect. Many security findings look urgent in isolation but carry different levels of risk once teams understand whether the affected asset is in production, reachable, tied to sensitive data, or connected to other critical systems.
“The biggest differentiator is context. In AI, context is the product,” said
Moshe Hassan, VP Product & Research at Upwind, told MSSP Alert. “Many security vendors are adding AI agents on top of existing CNAPP workflows, but if the underlying data is mostly static posture data, the agent is limited. It can summarize findings, but it cannot reliably determine what matters in production.”
Hassan said Upwind’s approach starts with runtime data, including active workloads, running processes, service communication, exposed APIs, identity activity, and reachable paths. That runtime view is then combined with cloud, code, workload, and configuration context to help the agents reason over actual risk, rather than treating every vulnerability, misconfiguration, or identity issue the same way.
“That is especially important in cloud security because the same CVE, misconfiguration, or identity issue can mean very different things depending on whether it is running in production, exposed to the internet, connected to sensitive data, or part of a critical application path,” Hassan said. “Upwind’s agents are designed to make those distinctions automatically.”
Four Agents, One Workflow
The pack includes four agents, each mapped to a different part of the workflow. 'Choppy' focuses on context by mapping services, dependencies, and relationships across cloud, code, and runtime environments. 'Blue' supports response by analyzing alerts, suspicious activity, and runtime signals. 'Red' is designed to validate exposure by identifying entry points, mapping attack paths, and showing which risks are more likely to be exploitable. 'Green' focuses on remediation by translating validated findings into root cause analysis, prioritized actions, and implementation guidance.
Value for MSSPs
For MSSPs, AI agents need to make analysts’ jobs easier. That means faster triage, better alerts, fewer unnecessary escalations, quicker fixes and more SOC capacity. Hassan said Upwind built the AI Agentic Pack for multi-cloud and multi-tenant environments by using its runtime data layer.
“For MSSPs, that matters because every tenant has different infrastructure, business logic, cloud configurations, workloads, and risk tolerance,” Hassan said. “The agents do not look at findings in isolation; they reason over normalized runtime context from the customer’s actual environment, including workload behavior, network flows, cloud posture, APIs, identities, and code context.”
Tenant-specific context matters in managed security because the same issue can mean different things for different customers. In a multi-tenant SOC, analysts need to quickly see the risk, the business impact and the next step without spending hours pulling evidence together.
“In a multi-tenant MSSP model, this helps analysts move from ‘alert review’ to ‘decision support,’” Hassan said. “The agents can help triage alerts, explain why a finding matters in that specific tenant, identify the likely blast radius, recommend the next step, and support escalation with the evidence already packaged. That is where MSSPs see value: fewer low-value escalations, faster investigations, and more analyst capacity without lowering quality.”
Upwind highlights that early deployments are showing measurable operational gains. Hassan said Blue and Green have helped security and operations teams reduce investigation time by up to 75% in early deployments. He also said Red is helping reduce alert volume by more than 90%, around 92% in some environments, by focusing teams on issues that are exploitable or material in runtime.
Security Work Is Moving Closer to the Fix
Security teams are no longer just asking for more dashboards or more findings. They need tools that can take live context, explain what matters, and move the work closer to resolution. That applies inside the security platform, but also inside developer tools, ticketing systems, CI/CD pipelines, and other operational workflows.
Hassan said Upwind sees cloud security moving in both directions: AI-driven platforms for visibility, governance, and shared decision-making, and headless workflows where security work happens inside the tools teams already use.
“Upwind is building for both models,” Hassan said. “Our view is that the CNAPP becomes the runtime intelligence and control plane. The UI remains important for visibility, governance, and collaboration, while headless interfaces, APIs, AI gateways, and agent integrations allow that intelligence to be used wherever teams already operate.”