Simplify Custom Posture Rule Creation with Upwind’s LLM-based Rego Support

Upwind now supports a significant new AI-powered capability in the Upwind platform, allowing users to create custom posture rules with LLM-based Rego, streamlining workflows and accelerating reduction of their cloud attack surface.

Upwind’s runtime-backed posture engine has always surfaced high-impact misconfigurations that pose true risks to cloud environments, often missed by traditional CSPMs. With this latest release of LLM-based Rego support, we’re making it even easier for teams to harness that runtime context for fast, impactful rule creation that accelerates attack surface reduction rather than generating generic alerts or non-actionable issues.

How to Create a Custom Posture Rule with Upwind

Creating a custom rule starts in the Custom Rules tab of the Configurations module, where users can initiate a new rule and immediately begin enforcing it. With this latest release, users now have three easy ways to create custom policies:

• Graph (Query Builder) Mode: Build complex rules by combining logic blocks across asset type, software version, exposure level, IAM role, runtime activity, and more
• Manual Rego Mode: For advanced users, Rego-based queries can be written manually, allowing fine-grained control and policy-as-code workflows
• LLM-based Rego Mode: Users can now use natural-language queries and commands to automatically create custom rules that include the same fine-grained control offered when using Manual Rego.

Upwind’s Custom Rule capabilities offer highly-accurate, runtime-backed findings that enable teams to easily understand what’s happening in the cloud environment and intelligently reduce their attack surface. 

Why We Built LLM-based Rego Capabilities

At Upwind, everything we design solves real customer problems. A large fintech security team needed to track EC2 instances running outdated software with sensitive permissions. Writing the required Rego queries manually was slowing their progress, and they risked missing critical gaps before an upcoming compliance audit. Using LLM-based Rego, they described the issue in plain language and had a working rule deployed within minutes. This cut down hours of manual work and gave them timely insight to act confidently. According to the team, this capability made their workflow noticeably more efficient and reliable.

We’ve heard from many security teams that they need highly accurate, instant searches of their cloud environment and the ability to create customizable rules to meet their unique needs. While we previously supported custom rule creation through our Graph and Manual Rego Modes, this release makes fine-tuned Rego rule creation faster and easier for security teams, allowing them to keep tight control while speeding up the process.

How to Use LLM-based Rego

The Upwind Custom Rule engine is a powerful tool for security teams, empowering them to instantaneously run custom queries that are converted into custom rules. With the introduction of LLM-Based Rego, we are making it easier for security teams to write precise queries and the creation of new policies, while retaining fine-grained control and flexibility for their unique cloud environment.

For example, with the LLM-Based Rego, Upwind users can leverage Upwind’s AI support to write natural-language commands that are turned into rego, such as: 

• Find all Kubernetes workloads running Python with known SSRF vulnerabilities that are exposed to the internet and communicating with IMDSv1
• Find all my EC2 instances using high-privilege IAM roles, running outdated Apache configurations, and connected to unencrypted databases
• Detect inactive Lambda functions with outdated runtimes storing credentials in environment variables
• Show me any containers exposed to the internet that are processing sensitive data and interacting with external GenAI services

To start using LLM-based Rego, visit the “Custom Rules” Tab of the Configurations Module, where you will find the “LLM-based Rego” Sub Tab. Once there, all you need to do is begin typing natural-language directives, and Upwind will automatically begin creating your customized Rego rules. 

Learn More

To learn more about how Upwind is accelerating and simplifying security operations, or to explore how Upwind enables teams to create Custom Rules and streamline posture management, visit the Upwind Documentation Center (login required) or schedule a demo today.