Get a Demo
Under Attack?
Upwind MCP Server

Revolutionizing Security Investigations with the Upwind MCP Server

<br />
<b>Warning</b>:  Undefined variable $photo in <b>/nas/content/live/landing173/wp-content/themes/bricks/includes/elements/code.php(236) : eval()'d code</b> on line <b>33</b><br />
<br />
<b>Warning</b>:  Trying to access array offset on value of type null in <b>/nas/content/live/landing173/wp-content/themes/bricks/includes/elements/code.php(236) : eval()'d code</b> on line <b>33</b><br />
Guy Gilad July 15, 2026

Frontier AI models combined with a rampant rate of new critical vulnerabilities mean speed and context are everything. When a critical production service starts behaving suspiciously, every second spent jumping between different tools and dashboards is a second lost to a potential attacker. At Upwind, we are excited to introduce a game-changer for security teams: the Upwind MCP (Model Context Protocol) Server.

Beyond Dashboards: Natural Language Queries

The core value of the Upwind MCP server is its ability to let customers interact with their cloud and AI security data using natural language. Instead of manually navigating through complex filters, tables, and dashboards across multiple platforms, security practitioners can now get answers faster and smarter directly within the tools they already use.

When you ask a question, the Upwind MCP server pulls the necessary data, and connects different pieces of context to return a clear, structured answer. This isn’t generic information; it’s powered by real-time data from your specific environment, including:

  • Runtime context
  • Inventory graphs and SBOMs
  • Vulnerability data and API security
  • Cloud account coverage and workflows
  • Shift-left data

A Real-World Scenario: From Detection to Remediation in Minutes

To demonstrate the power of the Upwind MCP server, we walked through a live scenario (see video above) involving a suspicious payment service. Normally, investigating such an event would take hours of manual work. With the MCP server, we handled the entire lifecycle: detection, blast radius analysis, root cause identification, and the fix, without ever leaving the chat interface, enabling:

1. Rapid Investigation

By asking “what actually happened?” the team immediately identified a suspicious API request and a process execution where a Python flask app spawned a shell to run a curl command to a cloud metadata endpoint.

2. Understanding the Blast Radius

Using the asset graph, the MCP server quickly mapped out the affected entities, including EC2 instances, VPCs, and IAM roles. It revealed that the attack wasn’t just theoretical; a high-privilege role with a “god mode” wildcard was involved, potentially exposing the entire environment.

Upwind MCP

3. Pinpointing the Root Cause

The investigation identified a critical CVE, an unsafe YAML load, in an unauthenticated, internet-exposed endpoint. The Upwind MCP server didn’t just flag a vulnerability; it confirmed the package was actually being loaded and executed in the runtime environment.

4. Automated Remediation Plans

Triage is only half the battle. The MCP server generated a comprehensive remediation plan split into two categories:

  • Application Fixes: Patching the CVE, removing unsafe methods, adding authentication to vulnerable routes, and rotating plain-text secrets into API calls.
  • Infrastructure Fixes: Narrowing security group exposure, enforcing IMDSv2, applying least-privilege IAM roles, and removing root permissions from the service.

Turning Complex Information into Clear Action

The Upwind MCP server ensures that critical context is never lost between different teams or services. By bringing everything into one conversational interface, we empower security teams to move from complex data to clear actions in seconds.

Ready to see how Upwind can streamline your security operations? Watch the full demonstration above and discover the future of automated security investigations. Want more tactical tips on using the Upwind MCP server, check out our blog post where we compiled the top 10 MCP use cases for Upwind.

Contents

Further Reading

Security Feed - Threat

No npm Token Required: Inside the AsyncAPI Supply Chain Attack

Executive Summary Upwind identified a critical supply chain compromise across five npm packages in the @asyncapi scope, published on July 14, 2026 via two separate branch compromises in two GitHub repositories. The attacker never touched an npm token. They abused each project's own CI pipeline through GitHub Actions OIDC to publish the malicious packages. The…
AI bottlenecks

AI Proves the Real Bottleneck Was Never Finding Vulnerabilities

Let this sink in: finding security vulnerabilities was never the bottleneck, vulnerability prioritization was. AI-scale discovery is about to make that impossible to ignore, and the teams that see it coming will pull ahead of the rest. Here's what kept me up this week. Anthropic ran a frontier model against some of the world's most…
SBOM for VM

Upwind gives you SBOM coverage across every cloud workload

Software supply chain risk doesn't stop at the container boundary. Most organizations still run a meaningful share of production workloads on virtual machines across legacy services, data pipelines, and infrastructure that was never containerized. The Upwind Platform creates SBOMs at runtime, delivering greater accuracy than build-time tools by continuously monitoring your live environment. Format adds…