Overview
📖 AWS re:Invent 2025 - Runtime + AI: Reinventing Cloud Security on AWS (SEC223)
In this video, Lavi, co-founder of Upwind, presents their cloud security platform that introduces a runtime-based "inside-out" approach to complement traditional "outside-in" methods. He explains how modern AI workloads require real-time visibility into APIs, processes, network flows, and data movement. Upwind combines agentless scanning with runtime sensors to provide behavioral baselines, detect threats as they happen, and prioritize vulnerabilities based on actual runtime context rather than theoretical risk scores. The platform addresses AI security challenges by monitoring ephemeral agents and MCPs, tracking sensitive data flows to AI services, and enabling real-time threat response at the process level.
This article is entirely auto-generated while preserving the original presentation content as much as possible. Please note that there may be typos or inaccuracies.
Main Part
Introducing Upwind: A New Mission in Cloud Security Born from DevOps Experience
Hello everyone, thank you for joining. It's a pleasure to be here. My name is Lavi, one of the co-founders of Upwind. I'm going to walk you through our story, what we do, why the hell you need to hear about another cloud security platform, and what we're doing differently.
So let's kick it off. At Upwind, we are on a mission to build the best cloud security platform. A little bit about us. We're a team that has been together for so many years. We all met back in the days in the Israeli military, coming from a DevOps infrastructure background. Upwind is actually the second company we are building. The first one was called Spot. We were building a cloud automation platform that was matching the right infrastructure to the right application based on the application demand in terms of performance, cost, and availability. We were acquired by NetApp in 2020 for almost half a billion dollars.
For two years we were there until we said we wanted to go back to innovation, and then we started Upwind. The true story about Upwind and the idea that led us to build the company began back in 2022 when we started Upwind. We were looking at the market and examining what was out there in terms of cloud security, and we saw that there was a really different approach to how you deal with cloud security back then, and we said we need to fundamentally change that.
So we're on a mission. We're building a cloud security platform with an entirely new dimension of visibility. We take you through the whole journey of securing your code, configuration, workloads, applications, your data, your APIs, and your AI workloads, but in a very different approach. And why is that?
Why does the world need a new approach? You all probably know the competitive landscape of cloud security. There are all players out there, the most successful ones, the less successful ones, but why does the world really need that? If you look at modern architecture and especially what happens with AI, our attackers are leveraging AI, and how we are building AI agents and MCPs that are just behaving differently than what we used to see.
And what do I mean by that? When we look at AI workloads and new architecture, everything happens at runtime. Everything happens in real time. Things are communicating through APIs. Everything is ephemeral, keeping minimal state. Everything is leveraging data flow in real time, in runtime, and there has to be another dimension for visibility that fundamentally gives you a new approach to see what happens in your environment.
So you need visibility to your API layer. You need visibility to every process execution, to every network flow in layer 3, layer 4, and layer 7. You want visibility to how data flows internally in your environment, how it flows from the internet to your environment and from your environment outside. You want to understand your topology. You want to understand your architecture in real time and see all the changes and why they happen. And you want to observe and detect attacks as they happen.
You can't anymore just look at your exposure, attack paths, and your vulnerabilities and misconfigurations. It's important, but in parallel you want to see how things behave in real time to detect threats, to respond to them, to give root cause analysis, to understand how to prevent them the next time, and to put the guardrails and the right policies in place to better secure the environment. So Upwind is bringing a fresh new approach to how we look at securing your environment.
The Inside-Out Approach: Runtime Visibility as the Game-Changer for Modern AI Workloads
We all used to see the environment from the outside. We called it an outside-in approach. It was very based on configuration, on statically scanning the environment, which is important. You want to see how you configure your environment. You want to see everything that exists over there. You do it in an agentless fashion. It's very quick. It gives you full inventory visibility. But you want to include another dimension that is radically different than how you approached cloud security before that, and that's the inside-out approach we're talking about.
You want to have the visibility that lives inside the application, inside the workload, that can understand from the inside how it behaves, so you can build behavioral baselines of every application and workload in your environment. You can understand exactly how it behaves and what it does. Then you can do two things very differently than what you used to do.
One, when you have this dimension of visibility on your runtime environment, you can detect threats in real time. Attackers don't use non-malicious activities and leverage attack paths that are very easy to detect anymore. They're using automated AI tools that are very different than how we used to detect threats. Everything now behaves differently. You want to observe the behavior and then look at anomalies, look at deviations from a regular baseline, and detect threats while they happen. Find indications of compromise, then connect the dots to create a story that tells you exactly what happened, how it happened, and let you detect things in real time. Let you respond to that with all the context you need.
The second piece is that now that you have the runtime context and visibility, you can really go back to your posture management and feed this context to all your misconfigurations, compliance issues, and vulnerability management. I'll ask, is this critical vulnerability that CVSS says is critical just critical in the wild, theoretically critical for every organization, or is it really critical for my specific workloads in the way that they behave in my runtime environment? That gives you a very different approach to how you prioritize all your security findings, because I can tell you, no matter what cloud security platform you use today, no matter how much it tells you it can prioritize your findings in the best way possible, at the end of the day, you are suffering from hundreds or thousands or tens of thousands of alerts that you need to know how to deal with. You want to cut through this noise and deal with the five, ten, or fifteen most critical things when you wake up in the morning.
How do you do that when you really understand what is critical in your specific runtime environment? Because now we can say, is the package that is vulnerable or the misconfiguration that is exposing a critical exposure path really critical for my specific workload? Is the package really loaded to the memory? Is the function really being called? Is the way that I connect to my different pieces of my environment, to my sensitive data, to my exposed internet traffic, really matching to the way that this vulnerability can be exploitable? When you have the runtime context and the data, you can actually figure that out and cut through this noise and understand what is really critical in my specific environment.
The Upwind runtime piece is leveraging all the context we can get by shifting left, watching all your CI/CD pipeline, your code changes, your configuration changes, your infrastructure as code, and feeding that with the dimension of runtime visibility. Then take you through the entire journey of securing your code, securing your configuration, dealing with your vulnerabilities, and identifying exposed secrets at rest and in real time. Look at your data and how it's being secured at rest and in motion, baseline every workload for threat detection, do API security on top of it, do AI security on top of it, and that's how you can really complete the picture and understand how your environment behaves. Whether it's really exposed at real time, what are my most critical threats that I need to deal with immediately.
We have to talk about AI. Everyone talks about AI these days, so I have to spare a minute about that. When you think about AI security, everyone talks about AI security right now. You can't deal with securing your AI workloads with how we traditionally used to secure our environment. AI agents, MCPs, they live at runtime. They are ephemeral. They keep minimal state. They communicate with APIs. Data is flowing in microseconds.
You need to have the runtime visibility to understand how they behave, to have full visibility into what your developers are actually doing, where your AI workloads are internally and externally, how data flows to AI services, what sensitive data goes outside of your environment to AI services, and how you can detect threats coming through your MCPs and AI agents inside your environment. That all happens at runtime. So from a posture perspective, you want the visibility. You want a graph to query everything, to understand all the technologies, all your misconfigurations, all your critical vulnerabilities. But from the other side, you want to understand in real time when you're being attacked.
The Upwind Way: Real-Time Discovery, Threat Detection, and Consolidated Cloud Security
So the Upwind way is all about giving you full discovery, a map of what your environment looks like in real time. No more videos, no more static snapshots of your environment. It's a real-time view on the changes that happen in your environment, on how data flows, on network flows, on how different pieces in your architecture are being changed. We put it on a timeline. You can watch it like a Netflix movie, go back in time, see how things change, investigate, and find the real critical pieces of your environment with critical threats. That's the first thing.
The second piece, now that we have this data, is to identify all your exposures and reduce your attack surface. The idea is to fix the five percent that really matters, not the thousands of alerts you have, but the five to ten alerts that when you wake up in the morning, your security engineers, your SOC engineers, your DevOps people opening up the dashboard, opening up the Jira dashboard, whatever ticketing system you're using, they are dealing with these specific critical findings that would really secure your environment and make them believe in your security as well.
And then the fourth piece is that you really want to have this engine that gives you peace day and night, that you'll always have the right engine to detect threats as they happen, that can block attacks, that can prevent them from happening, that can give you the whole story and the chain of events on how an attacker got into your environment. How they got permissions, how they escalated that, how they got into your specific data and network secrets and everything, and where you can stop it in this journey, so you know that you can detect it, you know that you can prevent it, and in the worst case, you know that you can respond to it.
When you live at runtime, you can kill a process, go to the level of the process that is being executed inside a container to stop an attack, to stop a network path, to stop an API path, to stop a path to sensitive data, and so on. You want to have all these capabilities in real time to really deal with all these kinds of threats.
So with Upwind, you can get started in minutes. You get our agentless cloud scanners that give you full visibility into how your environment is being behaved, is configured, is live in your environment. And then on the other side, the runtime sensors, which are the heart of our platform, feed data to every piece of our platform and give you this visibility. They are automatically managed, automatically deployed. They are so lightweight that you won't even feel that they exist over there, but these are the heart and the soul of the platform that gives you this new dimension of runtime, these new possibilities from a visibility and defense perspective to really secure your traditional workloads, but also the new era of AI, leveraging AI capabilities to secure it and secure every new thing you build in your environment.
And the platform covers you with all the different use cases you can think about in your cloud security journey, from all your posture from a cloud and data and AI perspective, all your workload and infrastructure security, and of course the runtime threat protection. So we are securing every piece of your cloud stack, every use case. You can consolidate many different tools that you used to use into a single platform that can really give you the right visibility, cut through the noise, and really secure you in this modern architecture and cloud era.
And with that, I really want to welcome you to our booth. It's in aisle 600. It's a surf shop with surfboards and cool t-shirts, so you can see a demo, see what it looks like in real life, talk about your specific needs, your architecture, and how we can help with that. So thank you very much. I'll be here for a few minutes if anyone wants to have a conversation, and I welcome all of you to our booth.
This article is entirely auto-generated using Amazon Bedrock.











