Frontier AI models combined with a rampant rate of new critical vulnerabilities mean speed and context are everything. When a critical production service starts behaving suspiciously, every second spent jumping between different tools and dashboards is a second lost to a potential attacker. At Upwind, we are excited to introduce a game-changer for security teams: the Upwind MCP (Model Context Protocol) Server.
Beyond Dashboards: Natural Language Queries
The core value of the Upwind MCP server is its ability to let customers interact with their cloud and AI security data using natural language. Instead of manually navigating through complex filters, tables, and dashboards across multiple platforms, security practitioners can now get answers faster and smarter directly within the tools they already use.
When you ask a question, the Upwind MCP server pulls the necessary data, and connects different pieces of context to return a clear, structured answer. This isn’t generic information; it’s powered by real-time data from your specific environment, including:
- Runtime context
- Inventory graphs and SBOMs
- Vulnerability data and API security
- Cloud account coverage and workflows
- Shift-left data
A Real-World Scenario: From Detection to Remediation in Minutes
To demonstrate the power of the Upwind MCP server, we walked through a live scenario (see video above) involving a suspicious payment service. Normally, investigating such an event would take hours of manual work. With the MCP server, we handled the entire lifecycle: detection, blast radius analysis, root cause identification, and the fix, without ever leaving the chat interface, enabling:
1. Rapid Investigation
By asking “what actually happened?” the team immediately identified a suspicious API request and a process execution where a Python flask app spawned a shell to run a curl command to a cloud metadata endpoint.
2. Understanding the Blast Radius
Using the asset graph, the MCP server quickly mapped out the affected entities, including EC2 instances, VPCs, and IAM roles. It revealed that the attack wasn’t just theoretical; a high-privilege role with a “god mode” wildcard was involved, potentially exposing the entire environment.

3. Pinpointing the Root Cause
The investigation identified a critical CVE, an unsafe YAML load, in an unauthenticated, internet-exposed endpoint. The Upwind MCP server didn’t just flag a vulnerability; it confirmed the package was actually being loaded and executed in the runtime environment.
4. Automated Remediation Plans
Triage is only half the battle. The MCP server generated a comprehensive remediation plan split into two categories:
- Application Fixes: Patching the CVE, removing unsafe methods, adding authentication to vulnerable routes, and rotating plain-text secrets into API calls.
- Infrastructure Fixes: Narrowing security group exposure, enforcing IMDSv2, applying least-privilege IAM roles, and removing root permissions from the service.
Turning Complex Information into Clear Action
The Upwind MCP server ensures that critical context is never lost between different teams or services. By bringing everything into one conversational interface, we empower security teams to move from complex data to clear actions in seconds.
Ready to see how Upwind can streamline your security operations? Watch the full demonstration above and discover the future of automated security investigations. Want more tactical tips on using the Upwind MCP server, check out our blog post where we compiled the top 10 MCP use cases for Upwind.



