Upwind Coverage Model

Overview

Upwind secures your cloud environment using two approaches: agentless scans and runtime protection. Together, these approaches provide full visibility from the account level to runtime. This document outlines each stage and its impact on your security posture.

Stage 1: Cloud Onboarding and Agentless Deployment

Organizational Onboarding

The first step is connecting Upwind to your environment at the root or management account. Instead of connecting each account, project and subscription manually, you connect at the highest level, where Upwind can analyze your organizational hierarchy best.

What you get:

  • Automatic discovery of accounts and resources across your whole organization.
  • Continuous coverage so that when you add new accounts or projects, they are included automatically without any additional setup.
  • A single place to manage and monitor security across your fleet, ensuring you won’t miss anything.

This keeps onboarding simple and ensures nothing is left out as your environment grows.


Cloud Mapping and Discovery

Once onboarded, Upwind uses your cloud’s APIs to collect metadata about your assets. Upwind will not run arbitrary code in your environment; it only uses this metadata to build a clear picture of your resources and their relationships.

What you get:

  • A relationship view of your environment: which resources communicate with which, how the data flows, and how workloads are organized.
  • Architectural context that flat asset lists don’t show, allowing you to see the impact scope, the dependencies you rely on, and misconfigurations that affect your security posture, along with their context.
  • Configurations: Highlights misconfigured assets that might lead to security issues, such as overly permissive access, sensitive data exposure and infrequent key rotation, among other critical configuration gaps.
  • A foundation for prioritizing risk and understanding the impact of each aspect, letting you plan the best approach.

This step turns a list of resources into a map of your cloud environment, so security decisions are based on structure and context as well as individual settings.


Cloud Scanners - Agentless Deployment

Upwind runs regional, read-only scans of your assets, using a cloud-native scanning engine called Cloud Scanners. These take non-intrusive snapshots designed to gather security-relevant data without affecting performance or stability at all.

What you get:

  • Vulnerabilities: Known security gaps in applications that might be exploited by attackers. Upwind cross-references your assets against the public CVE repository across the entire lifecycle - from CI/CD scans to deployed images.
  • Data security and Secrets: Discovers sensitive data (such as credentials, passwords and private information) in your cloud assets, classifies it and highlights exposure risks so you can see which data is at risk and where.
  • Inventory graph: Upwind analyzes your assets to build a graph of their relationships, further deepening the understanding of your environment.

The agentless snapshot-based approach lets you get broad coverage of your environment across regions and asset types without deploying or maintaining agents on every resource. Upwind provides context to your findings, so you see both what is wrong and where it affects your environment.

Agentless scans excel at posture, configuration, and asset-level risk, but they can't see what happens inside your workloads as it happens: live process activity, real traffic, or threats in runtime. Upwind also provides this inside-out protection with its runtime components.


Stage 2: Runtime Protection

To catch actual runtime threats, Upwind uses Sensors and Tracers on your compute - VMs, containers, and serverless (Lambdas, Fargate, Cloud Run and similar). These lightweight components observe activity and traffic, build a runtime map, and alert as threats happen so you can respond before damage spreads.

What you get:

  • Runtime behavior: See process execution, file access, and system-level activity as they happen. Upwind surfaces unexpected activity, privilege escalation, and changes to critical files or binaries in real time - so you detect anything the moment it occurs, not as a post-incident report.
  • Application-layer (L7) visibility: Upwind inspects HTTP, gRPC, and other L7 traffic to pinpoint API abuse, data exfiltration, and malicious payloads that network-only and agentless tools can't find. You see which endpoints are hit, by whom, and when patterns look off.
  • Vulnerability prioritization: Runtime closes the loop on your vulnerabilities: is the vulnerable code loaded in memory? Is the affected function actually in use (Function In-Use)? Is the resource exposed to the internet? You prioritize what’s exploitable instead of chasing every CVE blindly.
  • API catalog: A catalog of your API activity built from live traffic - endpoints, methods, and usage. Upwind flags when PII, PCI, credentials, or tokens show up in requests or responses so you can remove what shouldn’t be there or restrict its accessibility.
  • Network threats: Full visibility into who your resources talk to - external APIs, Gen-AI services, databases, and other dependencies. Upwind alerts on known bad IPs, unexpected outbound connections, and suspicious traffic - so you catch any attack before it becomes a breach.
  • Runtime map: Your environment map, updated continuously from real workload activity. See the live topology - which services call which, how traffic flows, and how it changes - instead of a stale snapshot.

These two stages provide full coverage and close any loose ends: you get a full view of your environment with no blind spots and gain context for each finding, which helps you understand its impact. Upwind’s coverage detects changes and runtime behavior, giving you the best picture of your security status.