
As organizations continue to scale their cloud-native applications across multi-cloud and hybrid-cloud environments, the complexity of threat detection has reached a new high. Traditional, signature-based approaches are no longer sufficient – they often fail to catch modern attacks that unfold subtly across layers of infrastructure and identity.
Upwind introduces a powerful new approach to cloud security by leveraging real-time runtime telemetry and baseline-driven anomaly detection – all enriched by contextual threat correlation. In our latest whitepaper, we break down how Upwind Cloud Baselines and Threat Stories transform how security teams detect, investigate, and respond to cloud threats.
Runtime-Powered Threat Detection That Sees the Full Picture
At the core of Upwind’s solution is a runtime detection engine built on eBPF, offering deep visibility into system-level behaviors across Layers 3, 4, and 7. But it doesn’t stop at capturing telemetry. What sets Upwind apart is its ability to correlate and contextualize events across cloud, identity, and workload data – providing a complete view of an attack as it happens.
Upwind Threat Stories: Real-Time Incident Correlation
Threat Stories are Upwind’s way of making sense of complex attacks. Each story begins with a runtime event, such as an unexpected shell or outbound traffic, and then pulls in supporting activity from Kubernetes, identity logs, and network flows. The result is a dynamic, real-time timeline that connects disparate signals into a unified attack narrative.

Key capabilities include:
- Dynamic Timeline Updates: Real-time threat progression with story summaries and evolving event feeds.
- Correlated Events: Automatically links runtime behavior, identity activity, and access logs.
- Enhanced Workflows: Collaborate and respond faster with automatic notifications, email alerts, and in-platform story sharing.
Use cases like lateral movement detection, privilege escalation, and data exfiltration are made dramatically clearer – without manual pivoting between tools.
Cloud Baselines: Know What’s Normal, Detect What’s Not
Upwind leverages LLMs and AI agents to create Upwind Cloud Baselines, which are the driving force behind Threat Stories. Upwind Cloud Baselines distinguish normal activities from anomalies across workloads, APIs, and infrastructure. By learning both process and network baselines, Upwind surfaces previously unseen threats – without relying on static signatures.

You’ll see alerts for:
- Unusual shells in containers where they don’t belong
- Suspicious connections from trusted pods to the kube-system namespace
- Spikes in data transfer to unknown IPs or via odd protocols

This anomaly detection approach gives security teams real-time, data-driven defense against novel and sophisticated attacks. Not every anomaly is a threat – and Upwind knows the difference. By continuously learning behavioral baselines for processes, traffic, and access patterns, the platform flags deviations and uses AI reasoning to determine if they align with known TTPs.
Deviations are automatically evaluated and mapped to MITRE ATT&CK tactics, allowing Upwind to distinguish between benign drift and genuine risk. To do so, Upwind continuously monitors cloud environments for both normal and abnormal behaviors – looking at events that could be suspicious, and deeply analyzing them to determine relevance. For example, Upwind will look at commands such as whoami that are intended to provide information about the user ID, but will not automatically elevate them to detections as they can also be used for legitimate purposes. However, if a triggering event is detected, Upwind will begin compiling a threat story with the following steps:
- Observe the environment and all activities in it
- Identify the triggering event
- Go back in time in intervals of 5 minutes to identify the entire threat story
- Correlate commands such as whoami and connect them to the triggering event, in this example identifying them as part of reconnaissance activities
- Provide deep context on every command run and the series of events that led to the triggering event and larger threat story
The result of this fine-tuned evaluation and AI reasoning is fewer false positives, more precise detections, and prioritized response based on real attacker behavior as defined by MITRE tactics.
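The following is an added illustration of the baseline alerts described in the previous section and of the five-step story-building procedure above; it is example code written for this post, not Upwind's engine or data format. It treats discovery commands such as whoami as context only, triggers on baseline deviations (an unexpected shell, a connection to kube-system), and walks back from the trigger in 5-minute intervals. The per-workload baseline, the 30-minute lookback limit, the coarse ATT&CK tactic mapping and the sample telemetry are all constructed assumptions.

```python
from collections import namedtuple
from datetime import datetime, timedelta

INTERVAL = timedelta(minutes=5)   # lookback step named in the text
MAX_INTERVALS = 6                 # assumed limit: walk back at most 30 minutes
DISCOVERY_CMDS = {"whoami", "id"}  # correlated as reconnaissance, never a trigger alone
Event = namedtuple("Event", "ts workload kind detail")  # kind: "exec" or "net"
# Constructed per-workload baseline (hypothetical): normal processes and namespaces.
BASELINE = {"web-frontend-7d9": {"exec": {"node", "whoami", "id"}, "net": {"default"}}}

def tactic(ev):
    """Coarse MITRE ATT&CK tactic mapping assumed for this example."""
    if ev.kind == "exec":
        return "Discovery" if ev.detail in DISCOVERY_CMDS else "Execution"
    return "Lateral Movement"

def is_trigger(ev):
    """A deviation from the workload's baseline that is not just a discovery command."""
    base = BASELINE.get(ev.workload, {"exec": set(), "net": set()})
    if ev.kind == "exec":
        return ev.detail not in DISCOVERY_CMDS and ev.detail not in base["exec"]
    return ev.detail.split("namespace=")[-1] not in base["net"]

def build_story(events, trigger):
    """Walk back from the trigger one 5-minute interval at a time, keeping same-workload events."""
    story = [(0, trigger)]
    for n in range(1, MAX_INTERVALS + 1):
        lo, hi = trigger.ts - n * INTERVAL, trigger.ts - (n - 1) * INTERVAL
        story += [(n, e) for e in events
                  if e.workload == trigger.workload and lo <= e.ts < hi]
    story.sort(key=lambda item: item[1].ts)
    return [(n, e.ts.strftime("%H:%M:%S"), e.detail, tactic(e)) for n, e in story]

def detect(rows):
    """Return one threat story (intervals-back, time, detail, tactic) per triggering event."""
    events = sorted((Event(datetime.fromisoformat(t), w, k, d) for t, w, k, d in rows),
                    key=lambda e: e.ts)
    return [build_story(events, e) for e in events if is_trigger(e)]

# Constructed sample telemetry (not real data).
SAMPLE = [
    ("2024-05-01T09:30:00", "web-frontend-7d9", "exec", "whoami"),  # too old: outside lookback
    ("2024-05-01T10:00:10", "web-frontend-7d9", "exec", "whoami"),
    ("2024-05-01T10:02:30", "web-frontend-7d9", "exec", "id"),
    ("2024-05-01T10:05:00", "batch-worker-3f1", "exec", "whoami"),  # other workload: ignored
    ("2024-05-01T10:11:40", "web-frontend-7d9", "net", "connect 10.0.0.5:6443 namespace=kube-system"),
    ("2024-05-01T10:12:00", "web-frontend-7d9", "exec", "/bin/sh"),
]
```

Running `detect(SAMPLE)` yields two stories: the kube-system connection pulls in the earlier whoami and id as Discovery, and the shell a moment later inherits all three plus the connection, while the 09:30 whoami and the other workload's activity stay out.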

Accelerated Detection to Action
Behind the scenes, Upwind continuously evaluates new signals against baselines and known tactics, automatically correlating incidents and suggesting response actions. These can be enforced via policy or executed manually:
- Kill malicious processes without stopping containers
- Set custom prevention policies that block future attempts
- Track and audit every action to maintain full control and compliance
The result? Accelerated response times, reduced false positives, and less alert fatigue.
Get the Full Technical Overview
If you’re ready to rethink how your team handles cloud threats, it starts with understanding the architecture behind it. Learn how to correlate complex events in real-time, build reliable baselines, and accelerate your threat response – all without the noise, by reading our white paper or scheduling a personalized demo with us.