Upwind Recognized as a Leader in the QKS Group 2025 SPARK Matrix™ for CNAPP
The QKS Group 2025 SPARK Matrix™: Cloud Native Application Protection Platform report captures a shift that many security engineering teams have been anticipating for years. Cloud environments have become too dynamic, too identity-driven, and too interconnected for configuration-centric CNAPP tools to keep pace. According to QKS Group, the vendors advancing most quickly are those that anchor detection, prioritization, and response in runtime execution data, workload-native telemetry, cloud activity logs, and application-layer behavior.
Upwind’s recognition as a Leader reflects this transition. The analysis highlights a broader industry movement toward architectures capable of understanding what workloads, identities, and APIs are actually doing at any moment.
This article provides a technical breakdown of the SPARK Matrix findings and explains why runtime-first cloud security is becoming foundational for security leaders.
Why the Market Is Moving Beyond Configuration-Based CNAPP
The report outlines a core problem: traditional CNAPP tooling evaluates the environment as it is configured, not as it is operating. In Kubernetes and service-mesh-based architectures, these two states diverge within minutes.
Key observations from the SPARK Matrix include:
- Runtime telemetry exposes misuses of identities, network paths, and APIs that configurations alone cannot detect.
- eBPF-based instrumentation and cloud audit logs allow platforms to reconstruct actual process behavior, service-to-service communication, and privilege transitions.
- Real-time mapping of Kubernetes and container environments enables correlation across namespaces, clusters, and ephemeral workloads.
This is precisely the operational gap security teams experience when they face lateral movement inside clusters, unauthorized identity use, or API misuse that IaC scanning never surfaces.
Technical Capabilities Highlighted in Upwind’s Leader Position
The SPARK Matrix vendor profile identifies several differentiators in Upwind’s platform architecture. Below, we walk through each differentiator and why it matters for security teams.
Runtime Telemetry Through eBPF and Cloud Logs
Upwind correlates:
- Kernel-level signals from eBPF sensors
- Cloud activity logs revealing IAM operations and API calls
- Application-layer traffic patterns
- Network flows and service dependencies
This combination produces a continuously updated topology graph. It exposes behaviors such as:
- Unexpected privilege escalation inside containers
- Cross-namespace communication that violates expected topology
- Unauthorized data flows between services
- Zero-day exploitation paths based on actual, not theoretical, dependencies
Detection relies on observed activity rather than static rules.
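The "cross-namespace communication that violates expected topology" check above is straightforward to express once flows have been reduced to namespace, workload and port tuples. The following is an added example, not Upwind's code: it assumes a sensor has already produced per-flow records, and the sample flows and the expected-topology allow-list (which in practice would come from NetworkPolicy objects or a learned baseline) are constructed for illustration.

```python
"""Detect cross-namespace flows that violate an expected Kubernetes topology.

Added example, not Upwind's code. It assumes service-to-service flows have already
been reduced from eBPF or CNI telemetry to (namespace, workload, port) tuples; the
flows and the expected topology below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Flow:
    src_ns: str
    src_workload: str
    dst_ns: str
    dst_workload: str
    dst_port: int


# Expected topology as (src_ns, dst_ns, dst_workload, dst_port). "*" matches any
# source namespace. Constructed allow-list; in practice derive it from NetworkPolicy
# or a learned runtime baseline.
EXPECTED_TOPOLOGY = frozenset({
    ("frontend", "api", "orders", 8080),
    ("api", "data", "postgres", 5432),
    ("*", "kube-system", "kube-dns", 53),
    ("*", "observability", "otel-collector", 4317),
})


def is_expected(flow: Flow, topology=EXPECTED_TOPOLOGY) -> bool:
    """Return True if the flow matches an entry in the expected topology."""
    for src_ns, dst_ns, dst_workload, dst_port in topology:
        if src_ns != "*" and src_ns != flow.src_ns:
            continue
        if (dst_ns, dst_workload, dst_port) == (flow.dst_ns, flow.dst_workload, flow.dst_port):
            return True
    return False


def find_violations(flows: Iterable[Flow], topology=EXPECTED_TOPOLOGY) -> list:
    """Cross-namespace flows not covered by the expected topology.

    Intra-namespace traffic is left to NetworkPolicy and ignored here; the point is
    to surface east-west movement between namespaces that the static picture does
    not account for.
    """
    return [f for f in flows if f.src_ns != f.dst_ns and not is_expected(f, topology)]


def violations_by_source(flows: Iterable[Flow], topology=EXPECTED_TOPOLOGY) -> dict:
    """Group violating flows by source: 'ns/workload' -> ['ns/workload:port', ...]."""
    grouped = {}
    for f in find_violations(flows, topology):
        grouped.setdefault(f"{f.src_ns}/{f.src_workload}", []).append(
            f"{f.dst_ns}/{f.dst_workload}:{f.dst_port}"
        )
    return grouped


# Constructed sample flows, as a runtime sensor might report them.
SAMPLE_FLOWS = [
    Flow("frontend", "web", "api", "orders", 8080),                 # expected
    Flow("api", "orders", "data", "postgres", 5432),                # expected
    Flow("api", "orders", "kube-system", "kube-dns", 53),           # expected (wildcard source)
    Flow("batch", "etl", "observability", "otel-collector", 4317),  # expected (wildcard source)
    Flow("api", "orders", "api", "inventory", 8080),                # intra-namespace, ignored
    Flow("frontend", "web", "data", "postgres", 5432),              # violation: frontend reaching the DB directly
    Flow("frontend", "web", "api", "orders", 22),                   # violation: SSH to a pod expected only on 8080
]

if __name__ == "__main__":
    for src, dsts in violations_by_source(SAMPLE_FLOWS).items():
        print(f"{src} -> {', '.join(dsts)}")
```

Both flagged flows come from a workload that is allowed to talk to the `api` namespace on port 8080, which is exactly the case where a configuration-only view (the pod has a legitimate route out of its namespace) hides the deviation that the observed port and destination expose.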
Kubernetes-Native Mapping and Multi-Layer Containment
The report notes Upwind’s ability to maintain accurate runtime topology maps through autoscaling, node replacements, rolling updates, and similar churn. Upwind continuously identifies:
- Real container-to-container communication
- Identity bindings between pods and cloud IAM roles
- Process-level activity inside workloads
- Network flows associated with workload abnormalities
Upwind can respond across several layers:
- Process-level termination of malicious activity
- Network-level isolation to block east-west or egress traffic
- Identity-level revocation for compromised roles or temporary credentials
Containment aligns with how incidents unfold inside distributed systems, not how they are predicted in static preproduction scans.
Application and API-Layer Visibility Treated as Core Security Telemetry
The growing number of cloud incidents involving APIs has led to increased scrutiny of application-layer behavior. The SPARK Matrix highlights Upwind’s ability to:
- Automatically discover APIs through runtime traffic
- Infer schemas for HTTP, REST, GraphQL, and SOAP
- Detect weak authentication patterns or unrestricted flows
- Map sensitive data as it moves between internal services and third-party AI/ML APIs
- Identify OWASP Top 10 categories through inspection of live requests
This provides an accurate representation of how applications actually operate in production.
Runtime SBOMs for Zero-Day Response
Traditional SBOMs describe intended software composition. Upwind’s runtime SBOMs capture which components are actually loaded and executed inside containers during operation. The SPARK Matrix emphasizes this capability for zero-day triage because it allows teams to immediately determine:
- Which workloads load vulnerable libraries
- What cloud resources interact with those workloads
- Which identities access affected services
- What data paths intersect with vulnerable components
This approach reduces investigation timelines during zero-day exploitation events, when speed is critical.
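The difference between a declared and a runtime SBOM is the difference between what is installed in an image and what a running process has actually mapped. The following is an added example, not Upwind's code: it builds a minimal runtime SBOM from `/proc/<pid>/maps` excerpts and intersects it with a declared SBOM to rank workloads for a hypothetical vulnerable component. The maps excerpts, the declared SBOM, and the `libxml2` component name are constructed for illustration.

```python
"""Runtime SBOM triage: which workloads actually load a vulnerable library.

Added example, not Upwind's code. A declared SBOM says what is installed in an
image; a runtime SBOM records what is mapped into running processes. The
/proc/<pid>/maps excerpts, the declared SBOM and the component name below are
constructed for illustration.
"""
import re
from typing import Optional

# Constructed /proc/<pid>/maps excerpts per (workload, pid).
MAPS_SAMPLES = {
    ("payments", 1201): """\
55d2c0a00000-55d2c0a21000 r--p 00000000 fd:01 1311    /usr/local/bin/payments
7f3a1c000000-7f3a1c07e000 r-xp 00020000 fd:01 2047    /usr/lib/x86_64-linux-gnu/libssl.so.3
7f3a1c400000-7f3a1c5a0000 r-xp 00040000 fd:01 2048    /usr/lib/x86_64-linux-gnu/libcrypto.so.3
7f3a1c800000-7f3a1c8a0000 r-xp 00010000 fd:01 2050    /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.14
7ffd7c000000-7ffd7c021000 rw-p 00000000 00:00 0       [stack]
7ffd7c0a0000-7ffd7c0a2000 r-xp 00000000 00:00 0       [vdso]
""",
    ("frontend", 884): """\
5620f3c00000-5620f3c40000 r-xp 00000000 fd:01 4101    /usr/local/bin/frontend
7f0c4a000000-7f0c4a1e0000 r-xp 00028000 fd:01 2031    /usr/lib/x86_64-linux-gnu/libc.so.6
7f0c4a400000-7f0c4a41a000 r-xp 00003000 fd:01 2044    /usr/lib/x86_64-linux-gnu/libz.so.1.2.13
7f0c4a600000-7f0c4a61a000 r-xp 00003000 fd:01 2099    /usr/lib/x86_64-linux-gnu/libold.so.1 (deleted)
""",
}

# Constructed declared SBOM: component -> version, per workload image.
DECLARED_SBOM = {
    "payments": {"libssl": "3.0.2", "libcrypto": "3.0.2", "libxml2": "2.9.14", "libc": "2.36"},
    "frontend": {"libc": "2.36", "libz": "1.2.13", "libxml2": "2.9.14"},  # installed, never loaded
    "batch":    {"libc": "2.36", "libz": "1.2.13"},
}

# libxml2.so.2.9.14 -> libxml2 ; libpython3.11.so.1.0 -> libpython3.11
_SONAME = re.compile(r"^(lib[^/]*?)\.so(?:\.|$)")


def parse_maps(text: str) -> set:
    """Return the set of file-backed paths mapped by a process."""
    paths = set()
    for line in text.splitlines():
        parts = line.split(None, 5)  # addr perms offset dev inode [path]
        if len(parts) < 6:
            continue  # anonymous mapping, no backing file
        path = parts[5].strip()
        if path.startswith("["):
            continue  # [stack], [vdso], [heap]: pseudo paths
        # A mapping whose file was unlinked (e.g. replaced by a package upgrade)
        # still executes the old code, so it belongs in the runtime SBOM.
        if path.endswith(" (deleted)"):
            path = path[: -len(" (deleted)")]
        paths.add(path)
    return paths


def component_of(path: str) -> Optional[str]:
    """Map a mapped shared-object path to a component name, or None for non-libraries."""
    m = _SONAME.match(path.rsplit("/", 1)[-1])
    return m.group(1) if m else None


def runtime_sbom(maps_by_pid: dict) -> dict:
    """workload -> set of components actually mapped by any of its processes."""
    loaded = {}
    for (workload, _pid), text in maps_by_pid.items():
        comps = {c for c in map(component_of, parse_maps(text)) if c}
        loaded.setdefault(workload, set()).update(comps)
    return loaded


LOADED, INSTALLED_NOT_LOADED, NOT_PRESENT = "loaded", "installed-not-loaded", "not-present"


def triage(component: str, declared=DECLARED_SBOM, maps=MAPS_SAMPLES) -> dict:
    """Rank each workload: loaded (fix first), installed but not loaded, or absent."""
    loaded = runtime_sbom(maps)
    result = {}
    for workload, comps in declared.items():
        if component in loaded.get(workload, set()):
            result[workload] = LOADED
        elif component in comps:
            result[workload] = INSTALLED_NOT_LOADED
        else:
            result[workload] = NOT_PRESENT
    return result


if __name__ == "__main__":
    for workload, status in triage("libxml2").items():
        print(f"{workload}: {status}")
```

A static scan of both images would report `libxml2` in `payments` and `frontend` alike; the runtime view separates the workload that is executing the library from the one that merely ships it, which is the prioritization the report describes. The `(deleted)` handling covers the inverse case, where the file on disk has been patched but the process is still running the old mapping.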
AI-Driven Correlation and Attack Narrative Reconstruction
Upwind uses machine learning to baseline normal container, identity, and network activity, then correlates deviations into complete attack narratives, which it calls Threat Stories. These narratives include:
- All affected resources
- Identity transitions and privilege changes
- API and network interactions
- Process executions and anomalies over time
This allows analysts to understand the sequence of events without stitching together logs from multiple systems.
Impact CNAPPs Have on Security Outcomes
The SPARK Matrix includes independent research findings reflecting operational outcomes seen across enterprises when leveraging:
- AI-driven threat detection and response: 30% improvement in SOC efficiency from reduced false positives and faster investigation.
- CNAPP for both infrastructure and application security: 25% reduction in operational cost from consolidation of legacy tools.
- Cloud entitlement management: 20% reduction in high-risk permissions through integrated entitlement visibility and automated enforcement.
- CNAPP with API security: up to 40% fewer production incidents tied to undocumented or insecure APIs.
These results correspond to the areas where runtime-first architectures produce immediate value: noise reduction, improved prioritization, and faster containment.
Alignment Between Upwind’s Architecture and Industry Direction
The SPARK Matrix concludes that CNAPP is moving toward platforms that unify runtime, identity, posture, application, and data flows in a single offering. The analyst commentary on Upwind emphasizes the same trajectory:
- Deep runtime visibility through eBPF
- Integration of cloud logs for identity and control-plane context
- Application and API-layer inspection
- Automated compliance across SOC 2, PCI DSS, HIPAA, and GDPR
- A roadmap oriented toward AI-driven automation and proactive risk reduction
This is consistent with the shift security teams are already making as Kubernetes workloads scale, API-driven systems proliferate, and automation accelerates deployment cycles.
Conclusion
Upwind’s recognition as a Leader in the SPARK Matrix™ reflects a broader change in how cloud security must operate. Static posture scanning and isolated tools cannot provide the fidelity or speed required to defend modern environments. Runtime telemetry, spanning kernel-level signals, identity events, API behavior, and cloud activity, is becoming the one real source of truth for detection and prioritization.
The report reinforces what many engineering teams have already concluded: the next phase of CNAPP will be defined by platforms built to understand cloud-native systems as they actually run, not as they are configured. To learn more about how Upwind provides real-time, contextualized cloud security, read the full report or schedule a demo today.