Get a Demo
Under Attack?
API Custom Threat Detection

Upwind brings Custom Detection Policies for APIs

<br />
<b>Warning</b>:  Undefined variable $photo in <b>/nas/content/live/landing173/wp-content/themes/bricks/includes/elements/code.php(236) : eval()'d code</b> on line <b>33</b><br />
<br />
<b>Warning</b>:  Trying to access array offset on value of type null in <b>/nas/content/live/landing173/wp-content/themes/bricks/includes/elements/code.php(236) : eval()'d code</b> on line <b>33</b><br />
Danilo Michelucci July 17, 2026

Upwind brings Custom Detection Policies for APIs

Every API has a different risk profile. An internal billing endpoint and a public-facing authorization endpoint don’t fail the same way. They don’t get attacked the same way either. A generic ruleset can’t account for that. Custom rules can, and now those rules can see sensitive data too.

This new release brings two things together to improve API Security: custom runtime API rules, so your team defines what suspicious means for your own environment, and sensitive data detection inside those rules, so you can act on where sensitive data actually shows up in a request or response, not just that it showed up somewhere.

Here’s what’s new.

The problem with one-size-fits-all API detection

Most API security tooling ships with a fixed set of detection patterns. That catches the obvious stuff, but it misses the information that’s specific to your organization. 

API-Threat-Detection-mock-a-1024x690

Say your service mesh has an endpoint that should only ever be called by three other services. A generic ruleset doesn’t know that. A fourth caller showing up doesn’t look malicious in the abstract. It only looks wrong if you know your own environment.

Custom rules close that gap. And now they close a second one: knowing sensitive data is present isn’t the same as knowing where.

Custom runtime API rules

API is now a selectable rule type for Upwind’s runtime sensor. You define the logic: specific endpoints, request patterns, caller behavior, access that shouldn’t be happening.

APISecurity

A few examples:

  • Flag any request to an internal-only endpoint from outside its expected service group
  • Alert on abnormal request volume to a specific API path, tuned to what’s actually normal for that endpoint
  • Catch access attempts against deprecated or shadow endpoints that should see zero traffic
  • Detect unauthorized access to sensitive data endpoints, correlated with the process making the call

The rule runs at the sensor level, reading L7 traffic directly from the kernel. No traffic mirroring, no separate proxy. Write it once and it’s live.

Because it’s a sensor rule, it inherits the same runtime context as every other detection type: the process behind the call, the network path, what else was happening on that host. A custom API rule isn’t a filter bolted onto your traffic. It runs on the same runtime fabric as everything else.

Now with sensitive data detection, by location

In addition, custom API Security rules can now detect sensitive data in API traffic, and pinpoint exactly where it appears.

sensitive-data flags are surfaced per HTTP location. A rule can distinguish sensitive data in the URI or query string from sensitive data in the body, and from sensitive data in headers. 

Why that split matters: PII showing up in a response body is a different problem than PII showing up in a request URL. One might be expected behavior for a given endpoint. The other might be a real leak. Without location-level detection, both get flagged the same way, or neither does.

Now you can write a rule that alerts specifically on PII leaking in a response body, while staying silent on the same data category appearing legitimately in a request URL elsewhere in your environment. That’s the difference between an alert your team trusts and one they start ignoring.

Where it fits

Detections from these rules land alongside your process, network, and Kubernetes audit log detections, with the same investigation view: request details, the runtime context around it, everything in one place. You can also filter by detection type when you want to isolate everything your custom rules are identifying.

APISecurity2

Why this matters day to day

A rule that knows sensitive data exists is useful. A rule that knows whether it’s sitting in a header, a query string, or a response body is actionable. That distinction is what turns a compliance checkbox into a real detection your security team can act on without wading through noise.

Runtime context has always been the differentiator behind Upwind’s platform. This puts that logic directly into your hands for the API layer: not a predefined ruleset catching what everyone else catches, but rules built by the people who know what normal, and what sensitive, actually looks like for their own services.

Learn more about Upwind’s API Security capabilities here

Contents

Further Reading

KSPM-Agentless-Scanning

Complete KSPM: From Pull Request to Production Runtime

Kubernetes environments move fast. Workloads appear and disappear, container images change continuously, services are exposed, permissions evolve, and development teams deploy updates throughout the day. But most cloud security platforms force practitioners to investigate Kubernetes risk through interfaces designed for the broader cloud, leaving teams to manually filter the noise before they can begin investigating…
Upwind MCP Server

Revolutionizing Security Investigations with the Upwind MCP Server

Frontier AI models combined with a rampant rate of new critical vulnerabilities mean speed and context are everything. When a critical production service starts behaving suspiciously, every second spent jumping between different tools and dashboards is a second lost to a potential attacker. At Upwind, we are excited to introduce a game-changer for security teams:…
Security Feed - Threat

No npm Token Required: Inside the AsyncAPI Supply Chain Attack

Executive Summary Upwind identified a critical supply chain compromise across five npm packages in the @asyncapi scope, published on July 14, 2026 via two separate branch compromises in two GitHub repositories. The attacker never touched an npm token. They abused each project's own CI pipeline through GitHub Actions OIDC to publish the malicious packages. The…