The moment an attacker gains a foothold in your network, evidence starts to appear, and detections start to fire. That is also the moment the hard part begins: investigating and reconstructing the true attack chain.

Our goal shifts from monitoring to investigating: What was this workload actually doing? What happened before the signal? Does this match expected behavior, or is something wrong?

Too often, answering those questions means switching between tools, querying separate systems, and assembling a picture from incomplete fragments. Investigation becomes a slow, fragmented process, and in fast-moving cloud environments that friction has a real cost. You also miss the big picture: your real data, meshed into one consolidated context.

Today, Upwind is introducing two major capabilities: Upwind Investigations and the Upwind Next Gen Threat Detection Engine. Together they give teams a single place to investigate raw activity across their entire cloud environment, and full control over what gets detected in the first place.


Too Many Alerts. Not Enough Answers.

Most security tools are built around the assumption that the investigation begins when a detection fires: find the log, pull the context, reconstruct what happened, and repeat across however many tools your stack requires.

The problem isn’t just that this is slow. It’s that by the time you’ve pieced the story together, you’re already behind.

  • What process triggered this? 
  • What did it touch? 
  • Was the detection part of a multi-stage attack?

Those questions take minutes or hours to answer because the context lives somewhere else: cloud logs in one place, runtime data in another, and no shared timeline between them.

The missing piece isn’t another detection rule. It’s a place where the activity already lives, normalized, searchable, and waiting, so when something is detected, you’re not starting from scratch. You’re already there.

The missing piece is runtime context.

Always-On Visibility

Investigation brings together cloud logs from AWS CloudTrail, Azure Activity, Entra ID, and Google Cloud alongside runtime telemetry across process, network, and file activity. All of it is normalized and searchable, and all of it is already there before an alert ever fires.

Pick a workload, filter to a process execution, and you see not just that event but everything it spawned: child processes, file writes, syscalls, and associated network activity. A complete picture of what a process actually did, without jumping between tools or manually correlating events.

You’re not starting from a detection and working backwards. You’re starting from the raw activity itself. That’s a fundamental shift in how cloud security investigations work.

Granular filters let you zero in on exactly the environment you care about, with no noise from unrelated systems. Detections link directly into the underlying activity, so moving from a signal to full context is a single click.

Above this layer, Stories correlate related detections into a coherent narrative, so teams can quickly understand what is connected and where to focus first.


Upwind AI Accelerates Your Investigations

Choppy AI is embedded throughout, operating across the full activity context. Any raw event can be summarized in plain language: what happened, which systems were involved, and why it matters, while the original evidence stays available for validation. What used to be minutes of log parsing is now seconds.

Blue, the investigation agent, works across the same runtime and cloud context to connect evidence, surface related signals, and help teams move from a prioritized alert to a supported conclusion. Think of it as an analyst automatically working the case alongside you.


Detection Logic Empowered By You

When you spot something in an investigation that should be a detection but isn’t, you can codify it on the spot.

Custom Policies let teams define detection logic directly within Upwind, built on the same activity data that powers Investigation: cloud logs, runtime telemetry, and Kubernetes audit data. A behavior that is routine in one environment may be a red flag in another. Custom Policies let you encode that distinction, embedding your specific business logic, risk tolerance, and security requirements into the platform.
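To make concrete what "investigation and detection sharing one activity layer" means in practice, here is an added example (not Upwind's code, and not its event schema, which is unknown to us and assumed here): a handful of constructed, normalized runtime events for two workloads, the two investigation questions from above answered over them ("what process triggered this?" via the parent chain, "what did it touch?" via the process subtree), and a custom rule evaluated over exactly the same index, so a hit carries the raw events that justified it. The rule (a web server spawning a shell whose subtree writes under /tmp and connects outside the private range) and the "outside 10.0.0.0/8" test are illustrative choices, not a recommended production policy.

```python
from collections import defaultdict

# Constructed sample of normalized runtime events (not real Upwind telemetry;
# the field names are an assumption for this example). Every event carries the
# workload it came from, a timestamp, a type and the pid that performed it.
EVENTS = [
    {"ts": 1, "workload": "web",   "type": "exec",       "pid": 100, "ppid": 1,   "exe": "/usr/sbin/nginx"},
    {"ts": 2, "workload": "web",   "type": "exec",       "pid": 101, "ppid": 100, "exe": "/bin/sh"},
    {"ts": 3, "workload": "web",   "type": "file_write", "pid": 101, "path": "/tmp/.x.sh"},
    {"ts": 4, "workload": "web",   "type": "exec",       "pid": 102, "ppid": 101, "exe": "/usr/bin/curl"},
    {"ts": 5, "workload": "web",   "type": "connect",    "pid": 102, "dst": "203.0.113.7:443"},
    {"ts": 6, "workload": "batch", "type": "exec",       "pid": 200, "ppid": 1,   "exe": "/usr/bin/python3"},
    {"ts": 7, "workload": "batch", "type": "connect",    "pid": 200, "dst": "10.0.0.5:5432"},
]


def index_events(events):
    """Index the activity once: pid -> exec event, ppid -> child pids."""
    procs, children = {}, defaultdict(list)
    for ev in events:
        if ev["type"] == "exec":
            procs[ev["pid"]] = ev
            children[ev["ppid"]].append(ev["pid"])
    return procs, children


def ancestry(pid, procs):
    """'What process triggered this?': exe chain from pid up to the root we know about."""
    chain = []
    while pid in procs:
        chain.append(procs[pid]["exe"])
        pid = procs[pid]["ppid"]
    return chain


def subtree(root_pid, children):
    """root_pid plus every descendant, depth-first."""
    out, stack = [], [root_pid]
    while stack:
        pid = stack.pop()
        out.append(pid)
        stack.extend(reversed(children.get(pid, [])))
    return out


def activity_of(root_pid, events):
    """'What did it touch?': every event attributable to root_pid or one of its
    descendants (execs, file writes, connections), in time order."""
    procs, children = index_events(events)
    pids = set(subtree(root_pid, children))
    return sorted((ev for ev in events if ev["pid"] in pids), key=lambda e: e["ts"])


def rule_webserver_shell_egress(events,
                                servers=("/usr/sbin/nginx", "/usr/sbin/apache2"),
                                shells=("/bin/sh", "/bin/bash")):
    """Illustrative custom rule over the same index: a web server spawns a shell
    whose subtree writes under /tmp and opens a connection outside 10.0.0.0/8.
    Each hit carries the evidence events, so an analyst validates rather than trusts."""
    procs, children = index_events(events)
    hits = []
    for pid, proc in procs.items():
        if proc["exe"] not in servers:
            continue
        for shell_pid in children.get(pid, []):
            if procs[shell_pid]["exe"] not in shells:
                continue
            acts = activity_of(shell_pid, events)
            writes = [a for a in acts if a["type"] == "file_write" and a["path"].startswith("/tmp/")]
            # Crude stand-in for "not RFC 1918": good enough for the constructed sample.
            egress = [a for a in acts if a["type"] == "connect" and not a["dst"].startswith("10.")]
            if writes and egress:
                hits.append({"workload": proc["workload"], "server_pid": pid,
                             "shell_pid": shell_pid, "evidence": writes + egress})
    return hits


if __name__ == "__main__":
    procs, _ = index_events(EVENTS)
    for hit in rule_webserver_shell_egress(EVENTS):
        print("HIT", hit["workload"], "chain:", " <- ".join(ancestry(hit["shell_pid"], procs)))
        for ev in activity_of(hit["shell_pid"], EVENTS):
            print("   ", ev)
```

The point of the structure is that the rule never re-queries a separate system: the hit's `evidence` list is the same records an analyst would page through in `activity_of`, so moving from the detection to the underlying activity is a lookup, not a correlation exercise. The batch workload, whose only connection is to a private address, produces no hit.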


Choppy AI helps teams define rules using natural language or Rego. Describe what you want to detect, and Choppy AI turns that into a working policy.


Existing managed policies remain active throughout, so there is no disruption to current coverage. Custom Policies layer on top, expanding detection precisely where your environment requires it.


Coverage That Compounds

The best security programs don’t just respond to threats, they get better at finding them. When investigation and detection share the same activity layer, every incident makes the program stronger. Noise drops. Threats get caught earlier. Response gets faster. 


See It In Action

The shift from reactive investigation to continuous, compounding detection coverage starts with having the right activity layer underneath. Everything else (less noise, faster response, earlier detection) follows from that.

Start with the cloud security maturity journey to see where continuous detection fits in your program.