Agentic Cloud Security Is Only as Smart as Its Runtime Context

Agentic Cloud Security Is Only as Smart as Its Runtime Context

A smiling man wearing glasses and a pink t-shirt, sitting in a lounge in front of exposed brick.

By Amiram Shachar

May 12, 2026

Key Takeaways

  • Agentic cloud security is the use of autonomous AI agents, not chat assistants, to investigate, validate, and remediate cloud risk at machine speed.
  • Every major cloud security platform shipped agents in the past year, but the architectures underneath them vary drastically. Some agents reason on endpoint data, some on snapshot graphs, some on runtime telemetry, and a few on bolted-together combinations.
  • The ceiling on what an agent can do is set by the data it can see, not the model it runs on. A frontier LLM with stale or partial context will still hallucinate priorities, miss multi-step attack chains, and recommend fixes for things that aren’t actually running.
  • Runtime context (live process behavior, network flow, identity actions, data movement, code-to-cloud lineage) is the difference between an agent that sounds confident and an agent that’s correct.
  • When evaluating agentic cloud security, the right question isn’t “how many agents do you have?” It’s “what’s the data fabric your agents are standing on?”

Agentic cloud security is everywhere. What’s actually real?

Every cloud security platform shipped AI agents this year, but the differentiator isn’t the agents. It’s the data architecture they reason on.

Investigation agents, remediation agents, triage agents, copilots, analyst agents, workforce agents. Rest assured, most of these are real systems. But some are LLM chat interfaces dressed up as autonomy. Telling the two apart matters because the buying decision you make this year will shape your security operating model for the next five.

This post is a tour of what’s actually shipping, why the data layer is the real constraint that most evaluation conversations skip past, and what an agentic cloud security platform needs to be standing on to deliver on its promises. It matters now because security teams entering mid-year consolidation conversations are being asked to bet a long-term operating model on the architecture they pick. The agents are easier to demo than the substrate they reason on.

Read to the end. We’ve been quiet about something for a while.

What a real agentic cloud security platform actually does

Strip away the marketing and a real agent does five things: receives a signal, correlates context across sources, produces a verdict with the reasoning intact, takes a contained action or hands off a precise plan, and updates the shared context so the next investigation starts smarter than the last.

Most platforms shipping “agents” this year do two or three of those. The other parts are still humans staring at dashboards, writing the next prompt, or rebuilding context from scratch on every investigation.

In a real agentic workflow:

  • An agent receives a signal: an alert, a finding, a posture change, a runtime anomaly.
  • It investigates by correlating identity, code, cloud config, runtime behavior, data sensitivity, and network reachability.
  • It produces a verdict (malicious, benign, needs escalation) with the reasoning trail intact.
  • It either takes a contained action (open a PR, block public access, isolate a workload) or hands off a precise remediation plan to a human.
  • It updates the shared context so every subsequent investigation starts smarter.

A chatbot answers questions about your dashboard. An agent does the work the dashboard used to make you do.

Five shapes of agentic cloud security. Only one is worth shortlisting.

If you’re evaluating cloud security platforms with agentic capabilities right now, you’re going to run into the same handful of architectural patterns across every demo. They sound similar in the pitch, but they are not equivalent in production. Four of these patterns share the same problem: their agents are reasoning on data that can’t support autonomous decisions. The fifth is the exception. It’s the only architecture where the data and the agents were designed for each other from the start. That’s the one worth shortlisting. Here’s what each is, where the first four break down, and what the fifth one gets right.

Shape 1: Conversational copilots wrapping a static graph

These are LLMs with retrieval-augmented generation over an existing posture database. You ask a question in natural language, the system queries the underlying findings, and the model writes a paragraph back. Useful for analyst onboarding and ad-hoc queries. Not autonomous, not multi-step, not taking action.

This is where “it’s just a chatbot” is a fair criticism. Many of the “Ask AI” features bolted onto CSPM dashboards in 2024 and early 2025 fall here.

Shape 2: Agentic workforces built on endpoint telemetry

Some platforms ship genuinely autonomous fleets of agents (detection triage, investigation, malware analysis, threat hunting, exposure prioritization) orchestrated through a workflow layer with no-code agent-building tools on top.

This is real agentic AI. The constraint is the data layer underneath it: when the platform’s strength is endpoint sensor telemetry, the agents reason brilliantly about endpoint signals and identity events. For cloud-native workloads (containers, ephemeral compute, serverless, managed Kubernetes, GPU-bound AI inference), the picture thins out. EDR was not designed to see the inside of a pod or the behavior of an MCP server, and retrofitting it doesn’t change the shape of the original data model.

Shape 3: Reasoning agents on a snapshot-derived cloud graph

Several CNAPP vendors have shipped real reasoning systems: investigation agents that produce transparent verdict trails, remediation agents that own end-to-end fixes, validation agents that surface attack paths.

The architectural reality is that many of these platforms started as snapshot-based cloud scanners. The runtime sensors came later. The agents inherit a graph that was originally optimized for posture and configuration, with runtime behavior layered on top through a more recently shipped sensor. That’s a real limitation when the question is “what is this workload doing right now?” and not “what was true at the last scan?”

Shape 4: AI-on-AI defenders wrapping third-party agent platforms

A separate category has emerged for platforms whose primary job is not securing your cloud, but securing the AI agents your business teams are deploying inside SaaS platforms: copilots in productivity suites, agent studios in enterprise platforms, MCP relays for tool calls.

This is valuable work. It is also not the same product as agentic security for your cloud infrastructure. Buyers consolidating in 2026 should be careful not to confuse the two. Defending an LLM-powered customer service agent and defending the cloud workloads that AI runs on are different problems with different data needs.

Shape 5: Runtime-first agentic platforms

The rarer shape, and the one we built Upwind to be, is a platform with runtime telemetry as the foundation, not the afterthought. eBPF runtime sensors, agentless cloud scanning, and code-to-cloud context all designed from day one to feed into one correlated graph. We call it the Runtime Fabric. Agents built on top of that graph, not retrofitted onto a posture database that came before them.

This is where the data architecture and the agent architecture actually compound on each other. It’s not a small architectural detail. It’s the whole point.

Why the data layer sets the ceiling on every agent

The pattern across all five shapes is the same: the agent is only as good as the substrate.

Three reasons this matters more than people realize:

Freshness sets the response horizon. Agentic security only delivers on its core promise of machine-speed investigation and response if the underlying signals are live. An agent reasoning over data that’s hours or days old is making confident decisions about a world that no longer exists. For autonomous remediation, that gap is the difference between a clean fix and a production outage.

Breadth determines blind spots. An agent that only sees endpoint data will give endpoint-shaped answers to cloud-native questions. An agent that only sees posture findings will recommend fixes for vulnerabilities on workloads that aren’t running. An agent that doesn’t see the code commit, the pipeline that deployed it, the workload it ran on, and the identity that called it cannot reason end-to-end about a multi-step attack chain.

Correlation is what turns data into context. Raw telemetry is noise. An alert is just an event until it’s stitched to the asset, the identity, the data sensitivity, the network reachability, and the originating commit. Agents reason on graphs, not on log streams. The quality of the graph is the quality of the conclusion.

This is why “we have agents” is the wrong vendor question. The right one is: what does your agent actually see, how fresh is it, and how is it correlated?

What agentic cloud security actually needs underneath it

If the data layer is the constraint, here’s the bar a runtime-first foundation has to clear:

Continuous runtime telemetry, not periodic snapshots. eBPF sensors observing actual process behavior, syscalls, network flow, identity actions, and data movement, captured live, not reconstructed from logs after the fact.

Code-to-cloud-to-runtime lineage as one graph. Every running workload should be traceable back to the commit that introduced it, the pipeline that shipped it, the identity that runs it, and the data it can reach. This is the connective tissue agents need to reason about cause and effect.

Reachability and exploitability validated against live state. A vulnerability is only critical if the package is loaded, the code path is reachable, and the workload is exposed. Static scoring doesn’t tell you that. Runtime context does.

Identity, data, and AI as first-class citizens in the graph. Cloud non-human identities, sensitive data flows, AI-BOM (models, agents, MCP servers, training data), and shadow AI usage all need to live in the same correlated graph as everything else, not in a separate AI-SPM bolt-on.

A coordination layer the agents share. When multiple agents are operating in parallel (investigation, validation, remediation), they need a shared context object, not just shared APIs. Otherwise you get competing recommendations and brittle handoffs.

This is the bar we built the Runtime Fabric to clear, deliberately, before we built anything that runs on top of it. It’s also a hard bar to clear when you’re retrofitting it onto a platform that started somewhere else.

Four questions that cut through agentic security claims

If you’re consolidating tools or shortlisting platforms this year, four questions cut through the noise:

1. What data does your agent actually reason on? Make the platform walk you through the underlying telemetry: endpoint, agentless snapshot, runtime eBPF, logs, code repos. The answer reveals the ceiling.

2. How fresh is the context the agent uses to make decisions? “Real-time” is a marketing word. Ask for the actual latency between a workload behavior and the agent’s awareness of it. Minutes is good. Hours is a problem. Daily snapshots are a chatbot.

3. Show me a multi-step investigation in your own platform. Ask for a demo of an investigation that crosses code, cloud, identity, and runtime in one trace. If the agent can’t reason across all four, the architecture isn’t ready for the questions that actually matter.

4. What happens when the agent is wrong? Look for transparent verdict trails: the questions the agent asked, the data it pulled, how each signal shaped the answer. Black-box autonomy is a deployment risk. Explainable autonomy is a teammate.

The runtime-first move

The Runtime Fabric was the foundation. The agents were always the second move.

Agentic cloud security is going to define the next five years of how security teams operate. The platforms that win won’t be the ones shipping the most agents. They’ll be the ones whose agents are standing on data fresh enough, deep enough, and correlated enough to make autonomous decisions you can actually trust.”

Next week, we make the second move. Stay tuned. 

Agentic Cloud Security Is Only as Smart as Its Runtime Context

Further Reading

AI Threat Landscape
Thought Leadership

The AI Threat Landscape Demands a New Cloud Security Model

Moshe Hassan Upwind

By Moshe Hassan

May 13, 2026

This week, the Shai-Hulud npm campaign showed how quickly a compromised package can move through the software supply chain, jumping across trusted dependencies and reaching build pipelines before many teams even knew what they were looking at. But this is not just an npm story, and it is not just a story about one campaign. […]

Agentic Pack
Thought Leadership

The next wave of AI is here. Upwind becomes Agentic.

A smiling man wearing glasses and a pink t-shirt, sitting in a lounge in front of exposed brick.

By Amiram Shachar

May 13, 2026

One of the most fascinating technologies I’ve encountered in my personal life over the past few years is autonomous driving. It started as a curiosity, “can my car really drive itself?” Can it actually make decisions with enough necessary context, and not rely solely on static things it sees like trees and roads? Can it […]

The exploit window didn't shrink. It flipped.
Thought Leadership

The exploit window didn’t shrink. It flipped.

Smiling person with short dark hair and a beard, wearing a black shirt with a logo that includes the letter U. The background is a plain light grey.

By Tomer Hadassi

Apr 29, 2026

TL;DR: Time-to-Exploit (TTE), the gap between vulnerability disclosure and first observed exploitation, has gone negative. Mandiant’s M-Trends 2026 report shows attackers now exploit vulnerabilities, on average, before a patch is publicly available and we see the same in running environments. That breaks the foundational assumption every legacy CNAPP architecture was built on — that defenders […]