
Cloud environments continue to grow in complexity—and with them, the risk surface expands. CISOs and security leaders are now contending with an increasing volume of posture alerts, many of which fail to account for real-world exploitability. Traditional posture frameworks, while rooted in best practices, often fail to prioritize real risks. They evaluate risk by individual misconfiguration rather than understanding how multiple factors intersect in practice to create real exploit paths.
At Upwind, we believe security posture should be built on real-time, runtime data—not static best practices alone. That’s why we’re introducing Custom Posture Rules & Frameworks, an evolution in how security teams define, detect, and enforce cloud security at scale. These enhancements are broken down into four main categories:
- Custom Posture Rules: Define and enforce security posture based on your unique environment, using attributes like identity, infrastructure, privileges, vulnerabilities, and runtime behavior.
- Custom Posture Frameworks: Group related custom rules into reusable, targeted frameworks aligned with specific threat categories and risk surfaces.
- Findings Tab: Surface and prioritize violations based on exploitability, exposure, privilege, and real-world runtime signals.
- Configurations Dashboard: View high-level, centralized insights into posture risk across environments.
This release brings unprecedented flexibility and precision to Cloud Security Posture Management (CSPM), enabling organizations to build and enforce posture rules based on their unique environment, threat models, and business context.
The Problem: Best Practices Don’t Equal Real-World Risk
Most CSPM solutions today evaluate cloud misconfigurations in isolation—an open port here, an unencrypted disk there, an inactive Lambda function running an outdated runtime. Each of these may technically require attention and remediation, but they rarely reflect the true risk to the environment unless evaluated in combination with other risk factors.
Consider the following scenario: an EBS volume is unencrypted, contains secrets, and is attached to a workload that is vulnerable to remote code execution and publicly exposed to the internet. This isn’t a low-priority misconfiguration—it’s an active breach path. And yet most posture tools will alert you to three separate issues, each treated with the same priority as dozens of other findings.
Upwind’s approach focuses on high-fidelity exploit paths: multiple risk factors that, when correlated, create open paths to exploitation and represent true operational risk. With Custom Posture Rules, security teams can define exactly what matters to them and prioritize risk accordingly.
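The EBS scenario above, worked through as an added example (this is not Upwind's code, rule syntax, or data model): it contrasts per-misconfiguration alerts with one correlated rule that fires only when every condition holds on the same volume and workload. The inventory, field names, and function names are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed inventory; field names are hypothetical, not Upwind's schema.
@dataclass
class Volume:
    id: str
    encrypted: bool
    contains_secrets: bool
    attached_to: str  # id of the workload the volume is mounted on

@dataclass
class Workload:
    id: str
    internet_exposed: bool
    rce_vulnerable: bool

VOLUMES = [
    Volume("vol-a", encrypted=False, contains_secrets=True, attached_to="web-1"),
    Volume("vol-b", encrypted=False, contains_secrets=False, attached_to="batch-1"),
    Volume("vol-c", encrypted=True, contains_secrets=True, attached_to="web-2"),
]
WORKLOADS = {
    "web-1": Workload("web-1", internet_exposed=True, rce_vulnerable=True),
    "batch-1": Workload("batch-1", internet_exposed=False, rce_vulnerable=True),
    "web-2": Workload("web-2", internet_exposed=True, rce_vulnerable=False),
}

def isolated_findings(volumes, workloads):
    """Per-misconfiguration checks: each hit is a separate, equal-priority alert."""
    out = [(v.id, "unencrypted-volume") for v in volumes if not v.encrypted]
    out += [(v.id, "secrets-on-volume") for v in volumes if v.contains_secrets]
    out += [(w.id, "rce-vulnerability") for w in workloads.values() if w.rce_vulnerable]
    out += [(w.id, "internet-exposed") for w in workloads.values() if w.internet_exposed]
    return out

def exploit_paths(volumes, workloads):
    """Correlated rule: all four conditions must hold on one volume/workload pair."""
    paths = []
    for v in volumes:
        w = workloads.get(v.attached_to)
        if w is None:
            continue  # detached volume: no workload through which to reach it
        if (not v.encrypted and v.contains_secrets
                and w.rce_vulnerable and w.internet_exposed):
            paths.append((v.id, w.id))
    return paths

if __name__ == "__main__":
    print(len(isolated_findings(VOLUMES, WORKLOADS)), "isolated alerts")
    print("exploit paths:", exploit_paths(VOLUMES, WORKLOADS))
```

On this sample the isolated checks raise eight alerts across six assets, while the correlated rule returns the single volume and workload pair that forms the breach path.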
What Are Custom Posture Rules?
Custom Posture Rules allow security teams to define misconfiguration conditions based on attributes across identity, infrastructure, vulnerabilities, privileges, and runtime behavior. These rules can represent anything from industry compliance requirements to environment-specific guardrails or threat intelligence-informed detection criteria.

In the Upwind platform, rules can be built using:
- The Upwind Explorer, a visual and query-based policy engine that supports both GUI-driven logic and direct Rego syntax (from the Open Policy Agent ecosystem)
- Full access to Upwind’s rich telemetry—spanning CVEs, process behavior, IAM bindings, container runtime metadata, outbound traffic, secrets exposure, and more
What sets this apart is that any custom query built in the Upwind Explorer can be instantly converted into a posture rule. That rule is then continuously evaluated in the background, and violations appear in Upwind’s Configurations module, along with recommended remediation steps.

Building a Custom Rule in Upwind
Creating a custom rule starts in the Configurations module, where users can initiate a new rule and immediately launch into the Upwind Explorer. The Explorer supports two modes:
- Visual Explorer Mode: Build complex rules by combining logic blocks across asset type, software version, exposure level, IAM role, runtime activity, and more
- Rego Mode: For advanced users, Rego-based queries can be written manually, allowing fine-grained control and policy-as-code workflows
Upwind Explorer is not just a query interface. It’s backed by a full runtime data engine, so the results carry high-fidelity context about what’s actually happening in your cloud.

Example Use Cases
For example, in the Configurations module, Upwind users can create custom queries that are turned into custom rules, such as:
- Identify Kubernetes workloads running Python with known SSRF vulnerabilities that are exposed to the internet and communicating with IMDSv1
- Find EC2 instances using high-privilege IAM roles, running outdated Apache configurations, and connected to unencrypted databases
- Detect inactive Lambda functions with outdated runtimes storing credentials in environment variables
- Surface any container exposed to the internet that is processing sensitive data and interacting with external GenAI services
These aren’t hypothetical risks—they are actual high-impact misconfigurations we see in real environments, often missed by traditional CSPMs.

Introducing Upwind Custom Frameworks
In addition to custom rules, we’re releasing Custom Posture Frameworks: curated collections of rules designed around specific threat categories and risk surfaces that go beyond best practices to actively identify real risks. These frameworks serve as baselines or accelerators for teams building their own posture strategies.
Initial Upwind out-of-the-box custom frameworks include:
- Cloud Identity and Access Management (IAM)
- Security Infrastructure
- External Exposure
- Upwind Runtime Framework
Each framework can be used as-is or extended with additional custom rules. Together, they provide a comprehensive view of real configuration risk and active exploit paths—grounded in runtime evidence, not static checks.

Here are just a few examples of custom rules from Upwind’s Runtime Risk Framework:
- A publicly exposed API endpoint lacking authentication is processing personally identifiable information (PII) on a container vulnerable to Log4Shell (CVE-2021-44228), while also communicating with IMDSv1
- An EC2 instance exposed to the internet is running Apache with a mod_proxy vulnerability (CVE-2023-25690), has admin-level IAM permissions, and connects to an unencrypted RDS database
- A Lambda function using an unsupported Python runtime holds privileged IAM roles and stores AWS credentials in environment variables
Each of these rules surfaces an active exploit path that would be missed or deprioritized in traditional posture tools.

Runtime-Powered Findings: Turning Posture into Prioritized Action
Exploit path prioritization doesn’t stop there: all violations from your custom rules and frameworks are surfaced in Upwind’s Findings tab, where they are ranked using runtime signals like exploitability, exposure, privilege level, and service usage.

This contextual approach means security teams are no longer overwhelmed by thousands of alerts—they can immediately focus on the findings that matter most. And because each finding is tied directly to real runtime behavior, response actions are grounded in operational context, not theoretical risk.
The Configurations Dashboard: Actionable Posture at Scale
Rounding out Upwind’s new custom rule and framework enhancements is the Configurations Dashboard – a high-level, centralized view into posture risk across environments. Unlike static dashboards, the Configurations view is powered by real-time runtime data—providing a live snapshot of posture risk based on both standard rules and your custom definitions.

Key capabilities include:
- Rule Coverage Overview: View how many assets are covered by each rule or framework, and where violations are concentrated
- Top Risk Combinations: Automatically surface high-severity exploit paths—like vulnerable workloads with high-privileged IAM roles and external exposure
- Policy Enforcement Status: Track which rules are enforced vs. informational, and their integration status across cloud accounts
- Custom Framework Insights: See which custom or Upwind-provided frameworks are producing the most impactful findings, mapped to relevant environments
This isn’t just a view of misconfigurations—it’s a strategic insight platform designed to support risk-based decision-making at the executive level.
A Smarter, Runtime-Driven CSPM
With CNAPP platforms becoming the standard for cloud security, posture management must evolve. At Upwind, we’ve built CSPM capabilities that are both broader and deeper than what legacy vendors offer.
Rather than relying solely on static configuration scanning, we integrate runtime telemetry via eBPF sensors, delivering unparalleled visibility into how your environment behaves in production. This context is the foundation for accurate posture evaluation, custom rule enforcement, and precise prioritization.
Upwind’s Custom Posture Rules & Frameworks represent the next generation of posture management—flexible, context-rich, and built to scale with the complexity of modern cloud environments.
Learn More
For security teams looking to go beyond generic posture checks and start detecting real risk, now is the time to explore Upwind’s Custom Rules and Frameworks.
- Learn how to build custom rules using the Upwind Explorer
- Dive into our latest frameworks and view sample risk rules across IAM, runtime, and external exposure
- Connect with our team to discuss how to tailor this capability to your environment and compliance needs
With Upwind, posture findings are no longer just best-practice recommendations—they are high-impact, actionable insights grounded in how your cloud actually operates. To learn more about Upwind’s custom posture policies and frameworks, schedule a demo today.