Cloud security tools have a visibility problem. Most of them are good at spotting misconfigurations or flagging known vulnerabilities, but they don't tell you what's actually happening inside a running workload. That gap matters because attackers don't stop at the configuration layer.
Upwind is trying to close that gap inside Microsoft Azure.
The company announced a partnership with Microsoft that integrates runtime protection, posture management, and vulnerability detection directly into the Azure ecosystem. The solution is available through the Azure Marketplace and connects with Microsoft Sentinel and Defender for Cloud.
Extending What Azure Already Does
The pitch to existing Microsoft customers is straightforward: Defender for Cloud gives you a solid baseline, and Upwind adds behavioral visibility on top of it.
Amiram Shachar, CEO and co-founder of Upwind, told ChannelE2E, "Microsoft Defender for Cloud provides a vital foundation for cloud security. However, when combined with Upwind, customers gain massive added value. For Microsoft customers who already rely on Sentinel and/or Defender, Upwind gives true runtime context across the entire cloud security stack."
Where native tools focus on configuration and static scanning, Upwind monitors what workloads are actually doing. "While native tools focus on configuration and posture, Upwind brings deep visibility into in-memory execution, network behavior, and API-level activity," Shachar said. "Instead of an endless list of alerts, Azure customers get a centralized view of risks that are actually reachable and exploitable across code, cloud, containers, and VMs."
How Runtime Data Changes the Picture
The technology behind this is eBPF, a kernel-level observability technology that captures workload behavior without requiring changes to application code. What Upwind argues sets it apart is that eBPF isn't something it bolted on later.
"The difference isn't just the technology, it's the fundamentally new approach and architecture Upwind brought to cloud security," Shachar said. "While other platforms are now bolting on eBPF or using it strictly for Cloud Detection and Response, Upwind was built from day one with eBPF-based runtime data as our primary source of truth."
That architecture shapes how the platform handles alerts. Instead of firing off individual events for analysts to sort through, it groups related activity into structured "Threat Stories" with a full timeline and root cause context. "When an anomaly occurs, we don't just fire an alert. We provide the full context that includes the timeline, the root cause, and the exact response actions, because that context was captured in real time at the source," Shachar said.
What It Means for Service Providers
The partnership also has a managed services angle. Upwind supports multi-tenant management, so MSPs and MSSPs can onboard customers, apply policies, and monitor risks across multiple environments from one place.
"At our core, we are a partner-first company," Shachar said. "Co-selling with Microsoft is a big accelerator for our enterprise business, but partners are core to our go-to-market through our established Upwind Partner Program."
On the commercial side, Shachar said the program is designed to be predictable for partners. "Partners get a consistent revenue stream with attractive incentives, predictable margins, comprehensive training, dedicated enablement, and joint go-to-market support to build high-margin managed runtime security services."
With cloud environments getting more dynamic, containers spinning up and down, and workloads talking to dozens of services at once, static analysis alone leaves real blind spots. Security teams increasingly need to know not just what could go wrong, but what is happening right now. Bringing runtime visibility directly into Azure, rather than running it as a separate tool with its own data pipeline, helps teams move faster from detection to response while keeping pace with how modern cloud infrastructure evolves.