Navigation section

Azure Marketplace Integrates Upwind Runtime-First CNAPP with Sentinel and Defender for Cloud

  • Thread Author
Microsoft Azure customers now have a new native option to close a longstanding visibility gap: Upwind’s runtime-first security platform is officially integrated into the Azure ecosystem, available through the Azure Marketplace and engineered to feed runtime telemetry into Microsoft Sentinel and Microsoft Defender for Cloud so teams can move from theoretical risk to what’s actually happening right now inside workloads.

A person wearing headphones monitors a glowing blue security dashboard with cloud and AKS icons.Background​

Cloud security tooling has historically divided into two camps: posture and static analysis tools that inspect configurations, IaC, images, and known CVEs; and runtime defenders—EDR, runtime application self-protection (RASP), and newer kernel-level observability agents—that watch live behavior. Each plays a role, but a blind spot persists when posture tools flag a misconfiguration or a vulnerable library without telling security teams whether that vulnerability is in a running, reachable path an attacker can exploit.
Microsoft’s Defender for Cloud supplies a broad, integrated CSPM/CWPP baseline inside Azure, covering posture, container scanning, and some runtime protections. What Upwind brings to that table is a runtime-first telemetry fabric based on eBPF (extended Berkeley Packet Filter) that observes in-memory execution, syscall and API-level activity, and host-to-service network flows—then correlates that telemetry with cloud, identity, and orchestration signals to produce prioritized, contextual incidents.
This move follows a year-plus of product activity from Upwind—product launches, the acquisition of an eBPF engine, and major fundraising—positioning the company as a runtime-first CNAPP (cloud native application protection platform) vendor that now has an Azure-native delivery path.

Overview: What the Microsoft–Upwind partnership delivers​

  • A transactable Upwind offering in the Azure Marketplace, simplifying procurement for Azure customers.
  • Direct integrations that forward Upwind detections and enriched telemetry into Microsoft Sentinel and correlate with signals in Microsoft Defender for Cloud.
  • Runtime visibility across Azure workloads—VMs, containers (AKS), serverless functions—without modifying application code.
  • A multi-tenant management model designed for MSPs and MSSPs to deliver managed runtime security services at scale.
  • A runtime correlation model (Upwind’s Threat Stories) that aggregates events into an investigative timeline with root-cause context and response recommendations.
Taken together, the integration is not just resale or co-marketing: it’s intended to make runtime telemetry a first-class signal inside Azure security operations rather than something siloed in a separate vendor console.

Technical architecture: eBPF as the primary source of truth​

Why eBPF matters​

At the heart of Upwind’s offering is eBPF, a kernel-level hook-and-observe mechanism that runs sandboxed programs in the Linux kernel to capture rich telemetry from system events—process execution, syscalls, network events, and file operations—without deploying heavyweight kernel modules.
eBPF’s advantages for cloud runtime security are clear:
  • High fidelity: eBPF captures system-level events that expose what a workload actually does, not just what’s packaged in an image.
  • Low overhead: When implemented correctly, eBPF can collect data with a smaller performance footprint than traditional user-space agents.
  • Real-time context: Kernel hooks allow detection close to the source of activity, enabling faster, more precise correlation.
Upwind’s public product material and engineering releases emphasize that eBPF is not an add-on for them; it’s the primary telemetry source baked into their architecture. The company also consolidated an eBPF engine via acquisition and integration, which they position as a differentiator—having designed their detection and correlation pipeline around kernel-level data from day one.

From telemetry to action: Threat Stories​

A common failure in security operations is alert fragmentation: hundreds of disparate signals that are hard to stitch into a meaningful incident. Upwind addresses this by consolidating related telemetry into structured incident narratives it calls Threat Stories. Each Threat Story contains:
  • A dynamic timeline of events that led to the detection.
  • Cross-signal correlation: runtime events tied to cloud logs, identity actions, and network flows.
  • Root-cause context and an assessment of exploitability—whether a finding represents a pathway an attacker can actually use.
  • Suggested response actions that reference concrete runtime artifacts (process IDs, container names, API calls).
This model attempts to shift the operator experience from triage of isolated alerts to investigation-ready incidents, reducing noise and accelerating mean time to remediation.

What the Azure integration looks like in practice​

Marketplace and operational plumbing​

Upwind is available as a transactable solution on the Azure Marketplace, which reduces procurement friction for organizations already buying cloud services through Microsoft channels. Beyond commerce, the integration points Upwind highlights include:
  • Microsoft Sentinel ingestion: Upwind can forward enriched alerts and telemetry to Sentinel for SIEM correlation, hunting, and playbook automation.
  • Microsoft Defender for Cloud complementarity: Upwind maps runtime detections to posture, asset, and vulnerability signals so teams can understand which cloud posture or config issues are actually being exercised at runtime.
  • Microsoft Entra ID integration for identity-based correlation and single-sign-on to manage user provisioning into Upwind.
  • Coverage claims for Azure Virtual Machines, AKS (Kubernetes), and Azure Functions, enabling runtime visibility across common Azure compute primitives.
For SOC teams this means Upwind’s runtime evidence can appear inside the same investigation workbench where they already combine network, identity, and endpoint signals.

MSP / MSSP enablement​

Upwind’s platform includes multi-tenant policies, centralized onboarding, and partner enablement features tailored for managed service providers. This suggests two things:
  • MSPs can roll runtime visibility across multiple customer environments from a single control plane.
  • Upwind’s GTM motions include partner incentives and co-sell readiness on Azure Marketplace—important signals for service providers evaluating a partner-first commercial model.
From an operational standpoint, MSPs will care about tenant separation, role-based access controls, per-tenant log retention, billing predictability, and support SLAs—areas where the vendor’s partner program is a crucial consideration.

The practical upside: What security teams gain​

  • Actionable prioritization: Rather than a long list of possible problems, teams receive consolidated, context-rich incidents that identify reachable attack paths and the exact code or service elements involved.
  • Faster detection-to-response: Real-time runtime evidence lets teams trace from an anomalous syscall or unexpected outbound connection to the cloud controls and identity events that enabled it.
  • Lower noise and fewer false positives: By correlating runtime events with cloud posture and identity logs, Upwind aims to reduce noisy alerts that are inactive or irrelevant.
  • Stronger protection for dynamic workloads: In environments where containers and serverless functions spin up and down quickly, runtime telemetry captures behavior that static scans miss.
  • A managed services playbook: For partners, the multi-tenant runtime view enables packaged, repeatable managed runtime security offerings.
These benefits are exactly what defenders have been asking for: not just “what could be wrong” but a direct answer to “what’s happening now and which of those things an attacker could exploit.”

Risks, constraints, and what to validate in a proof-of-value​

No technology is a silver bullet. eBPF-based runtime platforms add meaningful value but also bring trade-offs and operational considerations security teams should vet.

Performance, compatibility, and operational risk​

  • Kernel-level instrumentation has consequences. While eBPF runs in a sandbox and typically has low overhead, poorly written eBPF probes or misconfigurations can increase CPU usage or induce instability in extreme cases. Validation under production load is essential.
  • Managed nodes and immutable environments. In tightly controlled PaaS offerings or in environments where host changes are restricted (e.g., some AKS node pools, managed Windows workloads), deploying kernel-level observability may require coordination with platform teams or selecting compatible node types.
  • Windows coverage is different. eBPF originated on Linux and provides deep visibility there; while eBPF ports and Windows equivalents are emerging, Windows runtime visibility remains a different engineering problem. Organizations with large Windows server estates should confirm the vendor’s coverage matrix rather than assume parity.
  • Scaling telemetry volume. Kernel-level events are granular and can produce large volumes of telemetry. Buyers should clarify which data is kept locally, what is sampled or aggregated, and how long evidence is retained—particularly for cost and compliance reasons.

Threat-model and false assurance​

  • Not everything “seen” is exploitable. Vendors will often present high-fidelity telemetry as a catch-all; security leaders should be careful not to conflate visibility with total protection. An environment with excellent runtime telemetry still needs robust identity controls, network segmentation, and secure CI/CD pipelines.
  • Vendor consolidation and single point of failure. Integrating runtime telemetry deeply into your security posture increases dependence on that vendor’s accuracy and availability. Ensure incident response plans account for possible gaps or outages in that stream.
  • Cloud provider constraints and policy limits. Some cloud customers operate in regulated spaces where introducing new telemetry pipelines requires approvals. Upwind’s partnerships with FedRAMP advisory firms indicate a push into regulated markets, but teams should still confirm compliance posture and auditability.

Questions to put to any vendor during evaluation​

  • Which Azure compute types and OS versions are supported today, and what's roadmapped for the next 90–180 days?
  • What are the agent or sensor deployment patterns? Are node-level changes required for AKS node pools?
  • What is the expected CPU, memory, and storage overhead under our workload mix?
  • How does the platform define retention, sampling, and redaction for sensitive telemetry?
  • Can the platform forward normalized events to Sentinel with native parsers and playbook triggers?
  • For MSPs: how is tenant separation enforced, and what are the role and billing models?
Validating these answers in a short, focused Proof of Value (PoV) across representative workloads—stateful VMs, AKS system and user node pools, and serverless functions—will reveal most practical concerns.

The bigger picture: CNAPP evolution and market dynamics​

Upwind’s Azure integration is emblematic of two broader market shifts:
  • A move from purely cloud-posture-first CNAPPs to runtime-first platforms that treat live execution telemetry as a primary input to risk prioritization.
  • Increased hyperscaler-native delivery—vendors are packaging deeper capabilities to be consumed through cloud marketplaces and SIEM integrations, reducing friction for enterprise adoption.
Hyperscalers are not aiming to displace specialized runtime vendors; instead, they are building ecosystems where best-of-breed partners add capabilities that native tooling doesn’t fully cover. For commercial buyers, this means more choice but also a more complex procurement and orchestration landscape: choosing a runtime partner involves evaluating both vendor engineering and how well the solution embeds into the cloud provider’s operational model.
The CNAPP market will likely bifurcate into vendors emphasizing posture + developer security (shift-left, SBOMs, IaC), and vendors that centralize runtime observability and in-memory behavior. Buyers with dynamic, cloud-native environments will increasingly expect both—integrated to provide exploitability-aware prioritization.

What MSPs and MSSPs should know​

For managed service providers, the proposition is attractive: runtime detection and event-rich Threat Stories allow MSP teams to deliver higher-value managed detection and response with clearer SLAs and escalations that reference reproducible runtime evidence.
Operational requirements for MSPs include:
  • Centralized onboarding and policy templates for rapid tenant activation.
  • Cost controls for telemetry ingestion and per-tenant retention.
  • Playbook automation hooks to streamline containment and remediation actions across tenants.
  • Audit and compliance features that map evidence to customer-specific retention and data residency needs.
A predictable revenue model and partner enablement program—both of which Upwind emphasizes in its partner messaging—matter to MSPs who want to build repeatable service bundles without unpredictable margin erosion.

Independent validation and notable claims to verify​

Upwind’s positioning—and the marketing claims that runtime-first telemetry cuts noise and exposes reachable attack paths—are consistent with a broader industry trend where eBPF is increasingly used for high-fidelity security telemetry. Multiple technical communities and vendors (Linux Foundation eBPF work, Sysdig, Datadog engineering blogs) corroborate eBPF’s suitability for runtime observation.
That said, some vendor claims deserve careful testing:
  • Any assertion that a runtime sensor “sees everything” should be taken with caution; observability is constrained by kernel hook points, orchestration boundaries, and cloud platform restrictions.
  • Performance and operational stability claims must be measured against your workload mix and scale.
  • Compatibility with managed Azure services (certain PaaS or edge-managed nodes) must be validated ahead of wide deployment.
Where Upwind or any vendor promises dramatic noise reduction, buyers should ask for customer case studies that include concrete pre/post metrics (alert volume, mean time to detect/contain, CPU/latency impact) collected in production-like environments.

How to run a short, effective PoV with Azure + Upwind​

  • Define representative workload targets: one AKS cluster with mixed system/user node pools, one Azure VM scale set with Linux nodes, and one Azure Functions deployment if serverless coverage is needed.
  • Baseline metrics: capture current alert volumes and mean time-to-investigate for container and VM incidents in Sentinel and Defender for Cloud.
  • Deploy Upwind sensors to a subset of nodes (staging) and enable Azure integrations with Sentinel and Defender correlation.
  • Run a two-week monitoring window that includes routine traffic patterns and a controlled set of red-team or synthetic anomalies to exercise syscall, network, and identity correlation.
  • Compare outcomes: alert noise, time-to-evidence, and fidelity of attack paths reconstructed by Threat Stories.
  • Measure overhead: CPU, memory, container startup times, and impact on developer pipelines.
A scripted PoV with clear acceptance criteria will surface integration and scale issues quickly and provide evidence for procurement decisions.

Final assessment​

Integrating runtime runtime telemetry into the Azure security stack is a sensible next step for cloud defenders. Upwind’s eBPF-first architecture and Threat Stories model address real operational pain points: noisy alerts, lack of exploitability context, and fractured telemetry across the cloud stack.
For Azure-native customers already invested in Defender for Cloud and Sentinel, the partnership offers a pragmatic path to add runtime clarity without duplicating core telemetry pipelines. For MSPs, the multi-tenant design and partner-first commercial model make Upwind a candidate for managed runtime security services.
But success will depend on execution: real-world PoVs are essential to validate performance, compatibility with managed Azure nodes and Windows workloads, and the quality of the vendor’s correlation logic in noisy environments. Runtime instrumentation introduces both operational complexity and powerful new signals; teams that validate carefully and integrate those signals into playbooks will extract the most value.
The partnership is another signal of where cloud security is headed: not just checking “what could be wrong,” but proving what is happening now and whether it can actually be exploited. For security teams wrestling with high-scale cloud operations, that proof can make the difference between hunting in the dark and responding to a precisely described, evidence-backed incident.
Source: ChannelE2E Upwind and Microsoft Partner to Bring Runtime Security to Azure
 

Click to expand...
Microsoft and Upwind have moved runtime security from a niche add‑on to an Azure‑native procurement and operations play, formalizing an integration that makes Upwind’s runtime‑first CNAPP available through the Azure Marketplace and engineered to feed runtime telemetry into Microsoft Sentinel and Microsoft Defender for Cloud. /www.upwind.io/partners/azure)

A neon blue cloud icon sits over a circuit-board backdrop, symbolizing Azure cloud services.Background / Overview​

Cloud security has long been split between pre‑deployment posture tools (CSPM, IaC scanners) and host/agent protections (CWPP, EDR). Upwind’s play — described by the vendor as a runtime‑first CNAPP — aims to close the persistent visibility gap that appears once an application is live: function calls, process flows, inter‑service API traffic, and the real behavior of running workloads. Upwind has been explicit about marrying runtime telemetry with cloud context (IAM, configuration, inventory) so teams can prioritize and act on what’s actually happening inside workloads rather than surface‑level misconfigurations alone.
The practical outcome of the recent announcement is twofold: customers can procure Upwind directly via the Azure Marketplace as a transactable offer, and Upwind’s runtime telemetry and detections are designed to pipeline into Microsoft’s detection and response stack — notably Microsoft Sentinel and Microsoft Defender for Cloud — enabling joint operational workflows inside Azure. That marketplace placement also signals Microsoft’s willingness to make Upwind solutions co‑sell and commercially accessible within its ecosystem.

What exactly was announced​

Main points of the integration​

  • Upwind’s solution is listed in the Azure Marketplace as a transactable offer and is presented as IP co‑sell ready, meaning customers can acquire the product through normal Marketplace flow and engage Microsoft’s commercial mechanisms for joint selling and billing.
  • The Upwind platform is engineered to push runtime telemetry and detections into Microsoft Sentinel and Microsoft Defender for Cloud, allowing alerting, correlation, and automated response to include function‑level runtime evidence alongside cloud configuration and identity signals.
  • Upwind’s product roadmap and public engineering moves (including the Nyx acquisition and eBPF‑based function‑level runtime visibility) make the integration possible: Upwind can capture low‑level runtime behaviors (process and function calls, network flows, API invocations) in containerized and serverless environments and present them as actionable signals.
These claims are restated across vendor materials and the Azure Marketplace listing; independent verification exists in vendor announcements and third‑party reporting on Upwind’s Nyx integration and its runtime telemetry approach.

Why this matters: the runtime visibility gap​

Modern cloud attacks increasingly favor living‑off‑the‑land techniques, lateral API abuse, and exploitation of misconfigured runtime interactions — attack vectors that posture scanning or periodic vulnerability scans rarely expose in real time. A runtime‑first approach focuses on answering questions that matter to defenders:
  • What are services actually doing at the function and process level?
  • Which API calls are originating from which function or container?
  • What data paths are traversing the environment right now?
  • What anomalous behavior is occurring in a workload that otherwise appears compliant?
By instrumenting runtime behavior and joining that data with Azure inventory, identity, and configuration context, Upwind promises to turn theoretical risk into observable evidence for triage and response. This is precisely the visibility gap many SOCs struggle with when cloud alerts lack runtime corroboration.

Technical anatomy: how Upwind collects and integrates runtime telemetry​

eBPF and function‑level visibility​

Upwind’s recent engineering moves — including the integration of Nyx — emphasize eBPF‑driven visibility for Linux‑based workloads. eBPF (extended Berkeley Packet Filter) allows lightweight, programmable instrumentation inside the kernel to observe system calls, network flows, and application behaviors at very high fidelity without heavy agents or kernel recompilation. That capability enables Upwind to capture:
  • Process execution and lineage
  • Network flows tied to the originating function or container
  • System call sequences useful for behavior profiling
  • Function‑level traces inside serverless or function containers (where applicable)
The practical advantage is high‑resolution telemetry with comparatively low performance overhead; the tradeoffs remain operational (compatibility, kernel versions, platform constraints) and require careful testing. Upwind’s public materials and third‑party coverage confirm their use of eBPF and Nyx to deliver function‑level runtime detection.

Integration points with Azure security services​

Upwind has engineered connectors and ingestion paths to bring runtime telemetry into Microsoft’s security ecosystem:
  • Microsoft Defender for Cloud: Upwind detections can surface as enriched alerts within Defender for Cloud, giving cloud security teams combined posture and runtime evidence in a single pane. This helps tie a misconfiguration or identity event to observed runtime exploitation or suspicious behavior.
  • Microsoft Sentinel: Runtime events and detections can be forwarded into Sentinel as logs and incidents, enabling SIEM playbooks, cross‑tenant correlation, and automated SOAR responses that incorporate runtime evidence. That pipeline is especially useful for organizations already using Sentinel for centralized detection across hybrid estates.
The result is a combined operational model: posture, identity, and runtime signals are correlated to reduce false positives and prioritize high‑value incidents.

Strengths and immediate benefits​

  • Concrete runtime evidence: Feeding function‑level telemetry into Sentinel/Defender turns speculative alerts into verifiable incidents with an artifact trail — vastly improving triage speed and confidence.
  • Market accessibility and procurement friction removal: Being transactable on the Azure Marketplace and IP‑co‑sell ready lowers procurement and commercial friction for Azure customers, especially enterprises that prefer consolidated billing and Microsoft procurement workflows.
  • Platform alignment: Native integration with Azure security tooling reduces the engineering lift to onboard runtime signals into existing Microsoft‑centric SOC processes. Security teams can reuse playbooks, automation rules, and analyst skillsets already built around Sentinel and Defender for Cloud.
  • Runtime‑first CNAPP approach: Instead of retrofitting runtime checks into a posture product, Upwind’s runtime‑first design aims to make live workload behavior the primary source of truth, reducing time‑to‑detect for live threats. Public product docs and market guides highlight this positioning.

Risks, caveats, and unanswered questions​

No integration is risk‑free. Security teams should weigh several practical and architectural concerns before wide deployment.

1) Telemetry volume and cost​

Streaming high‑fidelity runtime telemetry into Sentinel or cloud log stores can be expensive. Azure monitoring, Log Analytics ingestion, and Sentinel retention incur direct costs; organizations must plan for filter rules, sampling strategies, and retention policies to avoid runaway bills. Upwind’s runtime fidelity is valuable, but it requires careful telemetry engineering and governance.

2) Data residency, privacy, and compliance​

Runtime traces can include sensitive identifiers, PII, or proprietary code paths. Legal and compliance teams will want clarity on what telemetry is collected, where it is stored, and how long it is retained. Marketplace procurement does not bypass these concerns; ensure contractual terms, data processing addenda, and regional hosting options are explicit.

3) Operational complexity and agent/compatibility constraints​

eBPF and kernel instrumentation are powerful but sometimes fragile across kernel versions, distributions, and managed environments (e.g., certain managed Kubernetes nodes, specialized host images). Organizations will need a validation matrix and pilot program to ensure compatibility across their Azure VM SKUs, AKS versions, and serverless offerings. Upwind’s engineering materials discuss broad support, but customers should verify against their environment.

4) False positives and alert fatigue​

High‑resolution telemetry can surface many anomalous but benign behaviors, especially in fast‑moving microservices architectures. The promise of correlation with cloud context mitigates this, but SOCs must invest in tuning detection rules, normalizing baselines, and building robust playbooks to avoid alert overload.

5) Vendor and platform lock‑in risk​

Relying heavily on a single vendor’s runtime instrument plus deep integration into Microsoft security services can increase switching costs. Teams should evaluate cross‑cloud portability, export formats for forensic artifacts, and how Upwind’s runtime agents (or agentless mechanisms) operate across AWS, GCP, and Azure. Upwind promotes multi‑cloud parity, but technical and contractual checks remain essential.

How to evaluate and pilot the integration: practical checklist​

If you manage cloud security in Azure and want to evaluate Upwind with Sentinel/Defender, use this structured approach.
  • Define high‑value use cases.
  • Prioritize 2–3 scenarios where runtime telemetry will change outcomes: lateral API abuse, cryptominer detection, or suspicious function chaining.
  • Prepare a small, representative pilot environment.
  • Use a non‑production subscription with mirrored identity and network topologies. Ensure AKS, Functions, and VMs are present if they’re in scope.
  • Validate compatibility and performance.
  • Test Upwind’s runtime instrumentation on the exact kernel and container runtimes used in production. Measure CPU, memory, and latency impact under load.
  • Configure telemetry controls.
  • Establish ingestion filters, sampling, and log retention policies before enabling wide forwarding to Sentinel to control costs.
  • Integrate with Sentinel playbooks and Defender.
  • Map Upwind detection outputs to Sentinel analytics rules and Defender for Cloud incidents. Build SOAR playbooks that use runtime artifacts for enrichment.
  • Run red/blue tests.
  • Execute controlled attack simulations to validate that runtime evidence is captured end‑to‑end and that SOC playbooks surface the correct lead.
  • Review governance and contracts.
  • Confirm data handling, residency, and SLAs in the Marketplace offer and any co‑sell agreements. Clarify support and escalation paths with Upwind and your Microsoft partner manager.
This sequence helps organizations avoid false starts and expensive surprises while providing a measurable path to production adoption.

Integration in practice: sample SOC playbooks and response flows​

Below are concrete, operator‑friendly examples of how runtime telemetry can be used inside Azure detection and response workflows.
  • Detection: Unusual outbound API call from a containerized function to an external IP.
  • Runtime telemetry ties the call to a specific function and code path (function name, container image, exec lineage). Upwind flags as suspicious and forwards to Sentinel. Sentinel correlation matches the function’s identity with a recent privilege escalation event recorded in Entra ID, escalating to a high‑priority incident in Defender for Cloud. SOC playbook triggers container isolation and initiates forensic snapshot capture.
  • Detection: Process spawning unusual binaries inside an AKS node.
  • eBPF traces show unexpected system calls and a sequence consistent with post‑exploitation. Upwind’s detection surfaces the process and exact command line; Sentinel enriches with asset owner data and known CVE matches; automation remediates by rolling the node and quarantining the pod.
These workflows illustrate the power of combining runtime specificity with cloud identity and posture evidence to reduce dwell time and speed remediation.

Business and procurement implications​

Listing on the Azure Marketplace is not just a convenience — it changes the economics of adoption. Marketplace offerings that are transactable enable consolidated billing, and IP co‑sell readiness signals that Microsoft’s partner sales teams can promote the solution to customers alongside Azure purchases. For midmarket and enterprise buyers that rely on Microsoft’s procurement and reseller networks, this can materially shorten procurement cycles.
That said, buyers should still conduct standard vendor due diligence: pricing transparency for telemetry ingestion, operational support SLAs, runbooks for incident handling, and contractual assurances around data handling.

Competitive context and market positioning​

Upwind’s runtime‑first CNAPP positioning sits in a competitive field that includes established CSPM vendors, CWPP/EDR providers, and other CNAPP challengers. The differentiator here is runtime fidelity (function‑level, eBPF‑backed traces) combined with cloud context and a deliberate push to be a first‑class citizen inside Microsoft’s operational stack. Industry guides and Upwind’s own market materials highlight this hybrid posture/runtime ambition as a core selling point.
Competitors will respond by deepening their runtime telemetry, building tighter SIEM integrations, or offering bundled posture+runtime suites. For organizations, the critical evaluation metric will be how easily a vendor’s runtime signals reduce noise and accelerate triage compared with the operational cost to maintain them.

Recommendations for security leaders​

  • Treat runtime telemetry as a strategic capability, not a feature toggle. Allocate budget for ingestion, storage, and SOC tuning.
  • Run a representative pilot and measure detection value (time‑to‑detect, time‑to‑contain) against baseline posture tooling.
  • Insist on exportable forensic artifacts and forensically sound evidence formats in case you need to switch vendors.
  • Integrate Upwind alerts into Sentinel and Defender playbooks early so that identity, configuration, and runtime signals are correlated by design.
  • Work with procurement and legal to lock down data residency, retention, and SLAs in the Marketplace purchase.

Open questions and what to watch next​

  • How will pricing models for runtime telemetry evolve? Will vendors and hyperscalers offer tiered ingestion or sampling to control costs at scale? This remains a critical commercial question.
  • Will Microsoft expand native runtime capabilities inside Defender for Cloud, reducing the need for third‑party telemetry? Defender for Cloud is actively evolving its CNAPP capabilities, and buyers should track native feature roadmaps alongside partner integrations.
  • How well will eBPF‑centric approaches operate across managed node types and Windows workloads? Upwind’s current engineering focus is Linux/eBPF; Windows runtime parity and managed runtime constraints will be important for heterogeneous estates.

Conclusion​

The Upwind–Microsoft arrangement is a practical, market‑level milestone: runtime‑first security is now available as a mainstream procurement option inside Azure, and security operations can consume function‑level evidence directly inside Microsoft’s Sentinel and Defender for Cloud environments. For defenders, the promise is significant — faster, evidence‑backed detection and richer correlation of identity, posture, and behavior. For implementers, the work is operational: pilot, validate, tune telemetry, and control costs.
This integration will not replace posture tooling or fundamental hardening practices, but it does give security teams a new, actionable way to see what is actually happening inside their cloud workloads. Organizations that treat runtime telemetry as part of their core detection fabric — and that carefully plan for cost, privacy, and operational compatibility — will gain measurable improvements in their ability to detect and disrupt modern cloud attacks.
Source: The Joplin Globe Upwind Partners with Microsoft to Deliver Runtime Security for Azure Workloads
 

Microsoft and a small but fast-growing runtime-security vendor have quietly moved a critical defensive capability from the margins into Azure’s native operations model, enabling Azure customers to buy, deploy, and operate a runtime‑first CNAPP that feeds live telemetry into Microsoft Sentinel and Microsoft Defender for Cloud and is listed as transactable on the Azure Marketplace.

A blue cloud security infographic showing shielded protection and tools like Defender for Cloud and Sentinel.Background​

Cloud security tooling has historically split into separate worlds: pre‑deployment posture tools (CSPM, IaC scanners) that reason about configuration and exposure, and host‑level protections (CWPP, EDR) that protect running systems. Over the past two years the industry has pressed for a single pane that bridges posture, identity, and runtime — a consolidated Cloud‑Native Application Protection Platform (CNAPP) that can tell you not only what could go wrong, but what is actually happening inside your workloads right now.
Upwind, a runtime‑first cloud security vendor built around function‑ and process‑level visibility, has positioned itself squarely in that gap. The company’s platform emphasizes runtime evidence — function reachability, API call graphs, and live network flows — to suppress noise, prioritize remediation, and power automated response. Upwind’s product team has spent the last 18 months integrating runtime sensors, eBPF‑style observability, and cloud API collection into a single product that treats runtime telemetry as primary evidence. The vendor’s messaging and recent product updates make Azure a first‑class target for those capabilities.
On March 12, 2026, press coverage and partner pages signaled that Upwind and Microsoft have formalized a practical partnership to make the Upwind runtime CNAPP available inside the Microsoft ecosystem — transactable through the Azure Marketplace, engineered to push telemetry to Microsoft Sentinel and Defender for Cloud, and positioned to be sold and supported through Microsoft‑centric procurement channels. This moves runtime‑level protection from point solutions into the flow IT and security teams already use for procurement and incident response.

What the announcement actually says (verifiable facts)​

  • Upwind’s product is an integrated runtime‑first CNAPP that collects workload runtime evidence (application calls, network flows, function invocations) and correlates that with cloud configuration and identity signals.
  • The solution is now listed as a partner solution for Microsoft Azure, presented as transactable and IP co‑sell ready on the Azure Marketplace, which means customers can acquire it through standard Azure procurement channels.
  • The integration includes telemetry and alert shipping to Microsoft Sentinel and Microsoft Defender for Cloud, enabling Azure customers to correlate Upwind’s runtime signals with other Azure telemetry sources (Azure Activity Logs, Log Analytics).
  • Upwind’s Azure documentation and product feed indicate support for Azure compute primitives (VMs, AKS, Functions) and workflow guidance for onboarding via managed identities and service principals.
These are the load‑bearing, verifiable items on which enterprise decision‑makers should base their first impressions; they are supported by both Upwind’s product and partner pages and the coverage syndicated through mainstream press distributions.

Why this matters: the operational shift to runtime‑first protection​

The visibility gap that enterprises actually live with​

Traditional posture tools focus on what’s possible — an open port, an overly permissive IAM policy, a vulnerable package version. That information is valuable, but it produces long lists of hypotheticals. Runtime‑first approaches invert that model: they ask what is actually running, what code paths are being executed, which vulnerable functions are reachable in production, and which external APIs an application is calling in real time.
This focus reduces alert noise, changes remediation priorities, and helps teams answer operationally meaningful questions: Is the vulnerable library actually used by a live code path? Which workloads are exfiltrating data right now? Which service accounts are active in suspicious sequences? Upwind’s product aims to make those answers first‑class evidence, not after‑the‑fact guesses.

Why Azure customers gain from an integrated runtime signal​

There are three practical advantages to having runtime evidence available inside Azure’s native toolchain:
  • Unified observability: Upwind’s runtime telemetry fed into Azure Log Analytics and Sentinel lets security teams pivot from a single incident to correlated artifacts across identity, network, and cloud activity logs.
  • Faster triage: Runtime‑aware prioritization can suppress false positives from static scans and surface the small fraction of findings that matter right now. That materially reduces time‑to‑remediate.
  • Simpler procurement and operations: Being transactable in the Azure Marketplace means procurement, invoicing, and contractual relationships can stay inside an organization’s Azure consumption and procurement flows — a non‑trivial operational win for enterprises tied to a cloud bill.
These are not theoretical benefits; they are precisely the sorts of outcomes that drove the recent alignment between Upwind and Microsoft. The vendor and partner pages emphasize making runtime signals interoperable with Microsoft’s security stack to accelerate detection and response.

Technical underpinnings: how Upwind brings runtime evidence into Azure​

Sensors, eBPF, and probe architectures​

Upwind’s technical approach combines lightweight runtime sensors with agentless cloud scanning where necessary. The product has publicly documented components that:
  • Deploy eBPF‑style sensors (for Linux‑based hosts and containers) that capture syscall and network stack context with low overhead.
  • Use Kubernetes DaemonSets for container environments (AKS) to provide function‑level reachability and in‑pod network observability.
  • Implement agentless scanners for environments where installing an agent is impractical, correlating runtime traces with cloud inventory.
Using eBPF is a natural fit for low‑latency, function‑aware monitoring: it lets defenders capture syscall arguments, connection tuples, and metadata without heavy instrumentation or prolonged sampling windows. The vendor materials emphasize efficiency and the ability to run in production at scale.

Evidence model: from raw telemetry to prioritized findings​

Upwind’s platform treats runtime traces as evidence and fuses them with configuration and identity data to create actionable findings. Key capabilities include:
  • Function reachability analysis that suppresses vulnerabilities for code paths never exercised in production.
  • API‑level observability that shows outbound calls (including to generative AI APIs and external SaaS), helpful for AI and data exfiltration risk assessment.
  • Automated correlation with cloud identity signals (Microsoft Entra/Azure AD) to identify suspicious privilege escalations or lateral movement patterns.
This evidence‑first model is what vendors mean by runtime‑first CNAPP: posture and vulnerability findings remain important, but runtime signals decide priority and context.

Integration with Microsoft tooling​

Operational integration is where the partnership aims to deliver the most immediate customer value:
  • Azure Marketplace listing: Upwind is positioned as a marketplace transactable product, meaning procurement, metering and billing can flow through Azure. This is important for predictable procurement and consolidated invoicing.
  • Microsoft Sentinel: Upwind emits incidents and telemetry that can be collected by Sentinel for cross‑source correlation and enterprise SIEM workflows; this lets SecOps teams use existing playbooks.
  • Microsoft Defender for Cloud: Defender for Cloud consumes signals for workload protection and can provide complementary CWPP actions and recommendations alongside Upwind’s evidence.
Taken together, those integration points let organizations fold runtime evidence into the same consoles they already use to manage Azure security.

Benefits for IT and security teams​

  • Reduced alert noise — runtime‑aware prioritization reduces false positives and helps teams focus on exploitable risks.
  • Faster incident response — live evidence lets teams trace a suspicious call or exfiltration path to the exact function and container that executed it.
  • Procurement simplicity — Azure Marketplace availability streamlines acquisition and support via a central vendor relationship.
  • Improved compliance evidence — runtime logs and correlated detections can strengthen post‑incident forensics and compliance reporting.
These benefits, if realized, close long‑standing operational gaps between security design and live application behavior.

What to watch for: risks, limitations, and realistic expectations​

Any new integration that promises faster detection and simpler procurement carries tradeoffs. Organizations should be pragmatic and validate the claims against their environment.

1) Coverage and sensor deployment complexity​

  • eBPF and DaemonSet agents are powerful, but they require careful deployment in production clusters and cloud VMs. Organizations with strict kernel update cadences, immutable images, or highly regulated environments may face additional operational work to onboard the sensors. Upwind offers agentless alternatives, but those have different coverage characteristics.

2) Data residency, telemetry volume, and cost​

  • Shipping runtime telemetry to cloud services increases log volume and possibly egress/ingestion costs. Customers need to test ingestion rates (to Azure Log Analytics/Sentinel) and model operational cost to ensure that the signal delivered justifies the incremental spend. This is especially important for high‑throughput applications or applications with heavy short‑lived container churn.

3) Integration depth vs. vendor lock‑in​

  • While being sold through the Azure Marketplace is operationally convenient, organizations must evaluate the long‑term portability of runtime evidence. If your incident response and playbooks become tightly coupled to a single CNAPP vendor’s data model, switching costs can grow. Ensure that exported evidence, APIs, and integration patterns meet your portability and SIEM normalization needs.

4) False sense of security​

  • Runtime‑first does not obviate posture and IaC hygiene. It augments them. Companies that rely solely on runtime telemetry without solid configuration, identity hygiene, and supply‑chain controls risk missing systemic exposure. Implement runtime evidence as part of a defense in depth strategy.

5) Unverifiable claims and marketing language​

  • Vendor materials and syndicated press releases sometimes present aspirational ROI metrics (e.g., “reduce alert fatigue by X%”) based on specific pilot results. Those figures are useful as directional indicators but should be validated with a proof‑of‑concept in your environment before assuming comparable outcomes. Where claims are not independently verifiable from neutral third‑party testing, treat them as vendor statements requiring due diligence.

Practical rollout guidance: a realistic path to evaluate and adopt​

If you manage Azure workloads and want to evaluate Upwind’s runtime capabilities inside Microsoft’s toolset, follow a staged approach to reduce risk and validate value.
  • Inventory and scope. Identify a small set of representative workloads (one AKS cluster, one Linux VM scale set, and perhaps a serverless function) for an initial pilot.
  • Procurement via Marketplace. Acquire the product through the Azure Marketplace trial or transactable offer to streamline contracting and billing. (Marketplace procurement also simplifies trial activation and support entitlements.)
  • Deploy sensors in a staging environment. Use Kubernetes DaemonSets and a limited set of hosts to understand sensor behavior, telemetry volume, and any compatibility constraints with kernel versions or host security modules.
  • Integrate with Sentinel/Log Analytics. Route Upwind alerts into Sentinel and test detection playbooks, incident creation, and runbooks for enrichment. Validate that correlation rules surface meaningful incidents without overwhelming SOC capacity.
  • Run a 30‑ to 90‑day pilot. Measure alert reduction, mean time to detect/contain, remediation velocity, and any cost impacts (ingestion, storage). Compare with baseline metrics from your existing CNAPP/CWPP tooling.
  • Expand incrementally. If the pilot meets objectives, expand coverage by workload criticality, and bake Upwind‑driven alerts into your threat hunting and incident response playbooks.
This incremental approach reduces operational surprises and gives procurement teams the time to evaluate Azure billing and support implications.

Enterprise governance and compliance considerations​

  • Data access and residency: Confirm where runtime telemetry is stored, who can access it, and whether it is retained in a tenant‑controlled Log Analytics workspace or a vendor‑controlled store. This matters for regulated industries with strict data residency requirements.
  • Least privilege onboarding: Upwind’s Azure onboarding uses service principals and managed identities; design these identities with least privilege and monitor their use. Upwind’s documentation includes guidance for RBAC and managed identity configuration.
  • FedRAMP and government use: If you operate in U.S. federal clouds or need FedRAMP status, confirm the vendor’s accreditation progress and whether the marketplace offer supports sovereign cloud procurement. Upwind has signaled FedRAMP partnership efforts previously, but you should verify the current accreditation status before production use in federal environments.

Competitive context: where Upwind fits and what alternatives exist​

The CNAPP market is consolidating features that used to be distributed across multiple vendors: CSPM, vulnerability management, CWPP, and now runtime application detection. Upwind is notable for emphasizing runtime evidence and function‑level reachability. Competitors include larger vendor CNAPPs that bundle posture and runtime protections (Microsoft Defender for Cloud’s CNAPP capabilities, Palo Alto Prisma Cloud, Wiz, etc.), each with different tradeoffs in integration, telemetry depth, and pricing.
If you already use Microsoft Defender for Cloud and Sentinel, the Upwind partnership aims to provide deeper runtime fidelity while leaving existing enforcement and SIEM investments intact. That makes Upwind an attractive fit when your objective is to extend detection depth without rewriting playbooks or switching SIEMs.

Financial and procurement signals to watch​

  • Marketplace transactable offers typically accelerate procurement but also standardize billing frequency and metering. Expect subscription or consumption metering that integrates with Azure billing. Validate whether the offer supports Azure consumption commitment (MACC) eligibility or IP co‑sell arrangements if you rely on reseller contracts. Upwind’s partner page claims marketplace transactable status and IP co‑sell readiness. Confirm program eligibility with your Microsoft account team.
  • Total cost of ownership should factor in sensor management, telemetry ingestion, SOC staffing effects (reduced noise vs. increased data volume), and any required integration work for playbooks.

Critical reading of the announcement: strengths and marketing caution​

There are clear strengths in the partnership: making runtime telemetry available in the Azure procurement and operations stack lowers friction for adoptioms leverage existing Sentinel playbooks and Defender protections. The technical approach (sensor + agentless coverage + runtime evidence) is aligned with modern cloud observability principles and addresses long‑standing gaps in CNAPP workflows.
However, readers should be cautious about headline economics and one‑size‑fits‑all claims. Many press releases and partner pages highlight high impact reductions in noise and dramatic triage improvements; these outcomes are real in pilots but vary substantially by application architecture, telemetry retention policies, and how well the sensors map to your production workload patterns. Where possible, insist on pilot metrics measured against your baseline for alert counts, time‑to‑remediate, and SOC false positive rates. If the vendor cites percentages or absolute numbers in marketing, request the underlying methodology and sample size used to compute those numbers.

Bottom line: who should care, and what to do next​

  • Cloud security leaders running production workloads in Azure should evaluate runtime‑first CNAPPs as part of a prioritized defensive strategy. If your organization already invests in Microsoft Sentinel and Defender for Cloud, the Upwind partnership lowers the operational friction to add deeper runtime telemetry.
  • Security engineering teams should run a controlled pilot focused on workload types that historically produce the most ambiguous findings (serverless, containers, and ephemeral compute). Measure the triage improvements and cost impacts before expanding.
  • Procurement and cloud‑ops leaders should consult their Microsoft account or partner contacts to confirm Marketplace offer details, IP co‑sell eligibility, and any Azure consumption commitments that might affect pricing or discounts.

Conclusion​

The Upwind–Microsoft alignment is a practical, operationally meaningful step for Azure customers: it embeds a runtime‑first CNAPP into Azure’s procurement and security operations flows, brings function‑level evidence into Sentinel and Defender for Cloud, and promises to reduce the friction that has historically slowed adoption of runtime telemetry at scale. The technical approach — eBPF‑style sensors, DaemonSets for Kubernetes, agentless options for hard‑to‑instrument workloads, and evidence‑first prioritization — is sensible and well matched to modern cloud architectures.
That said, the real test will be measured pilots inside customer environments: integration depth, telemetry costs, sensor compatibility, and the actual reduction in SOC workload will determine whether the promise becomes everyday reality. Treat the announcement as a signal that runtime security is maturing into mainstream procurement channels, but validate the vendor’s operational claims against your own workloads and SOC metrics before you adopt at scale.
For Azure customers, the pragmatic next step is straightforward: request a Marketplace trial, pilot the sensors on representative workloads, and measure both the security‑operational benefits and the cost dynamics before expanding the deployment across production fleets.
Source: 巴士的報 Upwind Partners with Microsoft to Deliver Runtime Security for Azure Workloads
Source: Morningstar https://www.morningstar.com/news/bu...deliver-runtime-security-for-azure-workloads/
 

You must log in or register to reply here.
Back
Top