An Engineer’s Journey from Heavy Runtime Agents to Agentless, and a Hybrid Future

Jan 22, 2026

Cloud security architecture rarely begins with a grand design. More often, it evolves through necessity, one decision at a time, shaped by scale, cost, and the operational realities of modern cloud environments. Looking back, that evolution follows a familiar path. It’s a journey many cloud security engineers have taken, divided into three distinct generations, each defined by the tradeoffs of its time. It’s also the journey that led us to today’s hybrid CNAPP architectures.

Generation 1: The Agent Era

In the early days, the security model was intuitive and straightforward: if you could instrument the workload, you could secure it. We deployed Winbeat on Windows servers, configured auditd on Linux, and consumed journald logs to gain deep visibility into system behavior. On paper, it was everything security teams wanted – complete, granular insight into what was happening inside the system at runtime. However, reality arrived quickly.

Rolling out agents across tens of thousands of instances became an operational burden. Version drift introduced blind spots. Performance overhead created constant friction with DevOps teams. And as containers and serverless workloads entered the picture, entire classes of infrastructure were left uncovered. The environment evolved faster than the tooling designed to protect it.

Heavy agents delivered depth, but only where they could run, and at a cost few organizations could sustain as their environments scaled.

Generation 2: The Metadata Scramble

As the limitations of agents became impossible to ignore, the industry pivoted outward – if we couldn’t live inside the workload, we’d observe everything around it. Cloud metadata services, CloudWatch metrics, and CloudTrail logs became the new foundation for security visibility. From an architectural perspective, this approach was sound: EventBridge routed events, Kinesis streamed data, and Lambda functions processed changes, and coverage improved dramatically while deployment friction dropped. For the first time, security teams could see across their entire cloud footprint without touching production workloads.

Scale exposed a new problem: economics. In medium-sized environments, CloudTrail processing alone could exceed $20,000 per month. Security telemetry began to cost more than the infrastructure it was meant to protect. What seemed elegant at a small scale became unsustainable at an enterprise scale. Collecting everything was technically possible, but financially painful.

Generation 3: The DIY Data Lake

Like many engineers faced with rising costs, we tried to outbuild these problems. The idea was straightforward: ingest CloudTrail data efficiently, normalize it, and store it cost-effectively in S3. A custom pipeline would give us control over performance and cost. In theory, it was the best of both worlds. In practice, it created an entirely new class of problems.

Processing clusters required constant maintenance. Custom schemas became tribal knowledge known by only a handful of engineers. Security teams spent more time keeping the pipeline alive than investigating threats. On-call rotations existed not for attackers, but for ingestion jobs that failed in the middle of the night.

The data lake slowly turned into a data swamp. The complexity hadn’t disappeared; it had simply moved elsewhere.

The Uncomfortable Truth

At scale, cloud security forces complex tradeoffs. You can optimize for:

Complete visibility, but at prohibitive cost
Near real-time detection, but with significant architectural complexity
Cost efficiency, but with inevitable coverage gaps

Trying to maximize all three with a single approach inevitably fails. This realization reframed the problem entirely. The question is no longer “agent or agentless?” It’s “what level of visibility is appropriate for each workload, and at what cost?” That insight defines modern CNAPP architecture.

The Core Challenge: Agentless at Massive Scale

Agentless scanning sounds straightforward: query the cloud control plane and assess the results. At a small scale, that works. At enterprise scale, it doesn’t.

Large organizations operate tens of thousands of resources across multiple clouds and regions. Environments change continuously, and slow scans quickly become outdated. Cloud APIs impose strict rate limits, turning naive scanning approaches into bottlenecks that yield stale visibility rather than real insight. Even when access is efficient, volume becomes the following constraint. Reprocessing unchanged configuration data increases costs and scan times, leaving teams managing scanners rather than risk.

Agentless doesn’t have to mean slow, but achieving timely visibility requires event-driven design and normalized data across clouds. Without that foundation, scale turns simplicity into fragility.

How Upwind Addresses These Challenges

Upwind’s architecture didn’t emerge from a single design document. It emerged from the cumulative failures of the approaches that came before it. Each architectural choice exists to solve a problem experienced firsthand.

Designing for Scale Starts with the API

Cloud APIs are the control plane of modern infrastructure and are a finite resource. Treating API calls as cheap or unlimited guarantees slow scans, throttling, and blind spots. Upwind’s scanning engine treats API limits as a first-class constraint. Scans are distributed across regions and services, prioritized by risk, and dynamically throttled based on real-time feedback. Rather than pulling everything as fast as possible, the platform extracts maximum signal from each request.

The result is predictable, bounded scanning, full-environment visibility in hours rather than days, without overwhelming cloud provider APIs or customer environments.

architecting-cloud-scanners-D — Upwind adapts in real time, extracting maximum signal from every API call.

From Snapshots to a Living Cloud State

Earlier approaches relied on repeated snapshots: pull everything, analyze it, repeat. At scale, that model collapses. Upwind replaces snapshots with a continuously updated state model. The platform maintains a graph-based representation of the cloud environment, where resources and their relationships are tracked over time. When a configuration changes, the graph updates and the platform evaluates the change’s impact on risk.

This enables instant impact analysis, historical drift detection, and relationship-aware findings. Instead of asking “what does my environment look like right now?”, security teams can ask “what changed, why does it matter, and what does it expose?”

architecting-cloud-scanners-A — Upwind replaces snapshot scans with a living cloud graph, reflecting your real time cloud environment.

Accepting That No Single Model Is Enough

The most important realization in this journey was that no single visibility model works everywhere. Agentless scanning is unmatched for breadth. It provides immediate coverage across all cloud resources, including managed services, PaaS, and serverless workloads, without deployment friction or production impact. It establishes a security baseline from day one.

But some workloads demand more from high-value systems where runtime behavior matters, Such as Upwind layers in lightweight eBPF sensors. These sensors deliver kernel-level visibility with minimal overhead and are deployed selectively, typically to a small percentage of the environment.

This hybrid model avoids the extremes of the past. Instead of choosing between coverage and depth, organizations get both, applied intentionally, where each makes sense.

Reevaluate-scanner-A-2 — Upwind enables a best of both worlds approach with agentlessd cloud scanners for immediate converage and lightweight eBPF sesors for deep kernal level visibility.

Solving the Cost Problem at the Architecture Level

One of the hardest lessons from earlier generations was that security cost cannot be solved downstream. No amount of optimization fixes an architecture that processes too much data too often. Upwind’s platform is built to minimize unnecessary work. Delta processing ensures only meaningful changes are analyzed. Intelligent caching eliminates redundant computation. Data is stored efficiently, with lifecycle controls that balance performance and retention.

By addressing economics at the architectural level, continuous security becomes sustainable as environments scale.

architecting-cloud-scanners-C — Upwind minimizes unnecessary work with delta processing, intelligent caching, and efficient data lifecycles, so security scales sustainably.

A Unified View Across Clouds

Upwind abstracts away the complexity of multi-cloud environments. Native integrations with AWS, Azure, and GCP feed into a normalized data model, ensuring policies, risk scoring, and workflows remain consistent across providers. For security teams, this means fewer tools, fewer dashboards, and a clearer understanding of risk – without losing the nuance of each cloud’s native services.

architecting-cloud-scanners-B — Upwind’s live topology map reveals risk as cloud relationships evolve.

Conclusion: The Hybrid Future

Cloud security has matured beyond one-size-fits-all solutions. Pure agent-based models don’t scale. Pure agentless models lack runtime depth. DIY pipelines shift complexity without solving it. The future belongs to hybrid architectures that balance coverage, depth, and cost – adapting security controls to the realities of modern cloud environments. Agentless scanning provides the foundation. Runtime sensors add precision. Together, they offer a future-proof path forward.

As cloud environments continue to grow and attackers move faster, the real question is no longer how to architect cloud security, but how quickly organizations can deploy it effectively. To learn more about Upwind’s agentless and sensor-based hybrid approach, schedule a customized demo with our team today.