Upwind Runtime First CNAPP Arrives on Azure Marketplace with MACC Co Sell

Upwind’s new agreement with Microsoft moves runtime-first cloud security from boutique add‑ons into Azure’s native procurement and operational flow, delivering a single, unified CNAPP experience that’s purchasable on the Microsoft Marketplace, eligible for Microsoft IP co‑sell and Azure Consumption Commitment (MACC) treatment, and engineered to feed runtime telemetry into Microsoft Sentinel and Microsoft Defender for Cloud. /www.upwind.io/partners/azure)

Background​

Upwind, a cloud‑security startup built around a runtime‑first architecture and eBPF‑powered telemetry, has been rapidly expanding its footprint across hyperscalers and analyst reports. The vendor positions its product as a runtime‑powered CNAPP that unifies posture management, workload protection, vulnerability detection, and identity context into a single pane of glass—and now that platform is formally available through Azure’s commercial channels.
This announcement arrives at a moment when enterprises are juggling the cost, complexity, and risk of multi‑cloud estates while trying to protect increasingly ephemeral workloads (containers, serverless, short‑lived VMs) and GenAI pipelines. Upwind’s pitch: embed runtime truth into the security stack so teams act on what’s actually exploitable in the live environment, not on noisy static scan results.

---

What Microsoft and Upwind are delivering​

A transactable, co‑sell‑ready offering on Azure Marketplace​

• Upwind’s Azure partner listing confirms the solution is transactable on the Microsoft Marketplace and marked as MACC / IP co‑sell ready—meaning customers can procure the product through the Marketplace and, where appropriate, apply purchases against Azure Consumption Commitments. This simplifies procurement for enterprise buyers who already run significant Azure spend.
• Achieving co‑sell readiness also opens Upwind to Microsoft’s partner sales motions, which can accelerate enterprise deals and reduce procurement friction for customers who prefer Marketplace procurement and integrated billing. Evidence from other vendors shows this materially shortens sales cycles in many enterprise scenarios.

Deep Azure alignment and telemetry integration​

• The offering bundles runtime protection, CSPM-style posture data, container and registry scanning (ACR), and prioritized vulnerability insights into a single experience. Upwind’s integration claims include ingesting Azure audit logs, scanning Azure Container Registry images with runtime context, and streamlining Azure asset onboarding to produce prioritized, actionable findings.
• The product is engineered to export or feed telemetry into Microsoft Sentinel and to coexist with Microsoft Defender for Cloud—enabling security teams to correlate Upwind’s runtime signals with broader telemetry and investigations inside Azure‑native security consoles. This tight alignment is central to the vendor’s argument that runtime signals should be part of Azure’s operational model, not a parallel toolset.

Runtime‑first protection with eBPF​

• Upwind emphasizes a runtime‑first architecture backed by eBPF sensors that observe live process, network, and file activity inside workloads. That combination of agentless cloud signals plus kernel‑level runtime telemetry is intended to reduce blind spots typical of posture‑only or outside‑in scanners. Upwind’s documentation and product materials explain how eBPF programs attach to kernel events to produce high‑fidelity runtime observability.
• The vendor claims this approach reduces false positives and accelerates detection of multi‑stage cloud attacks by correlating runtime activity with identity and configuration signals into “threat stories” that map back to code, pipelines, or cloud resources. Independent analyst coverage and the broader industry trend toward runtime visibility support the idea that runtime telemetry is becoming essential for cloud‑native protection.

---

Why this matters for enterprise Azure customers​

Faster time‑to‑value through Marketplace procurement​

Procurement via Azure Marketplace and the ability to apply purchases against MACC lowers friction for large customers who rely on committed Azure spend. For customers with procurement policies tied to Marketplace transactions, this reduces contractual complexity and can accelerate proof‑of‑value (PoV) projects. Co‑sell readiness also means Microsoft sellers may proactively include Upwind in customer conversations where runtime protection is relevant.

Closing the runtime visibility gap​

Many enterprises still rely on posture checks and scheduled scans that miss ephemeral runtime behavior. Upwind’s eBPF telemetry aims to reveal active exploitability—what processes are running, what outbound connections exist, what files are being touched—so teams prioritize fixes based on live context rather than theoretical exposure. For high‑risk verticals such as finance and healthcare, that reduction in uncertainty can shrink dwell time and materially lower incident impact.

Integration with existing Azure security tooling​

Because Upwind is designed to work with Microsoft Sentinel and Defender for Cloud, teams can see runtime findings inside the consoles they already use for triage and hunting, reducing the need to operate a separate, siloed incident response pipeline. That reduces tool sprawl—one of the recurring operational headaches for cloud security teams.

---

Technical deep dive: how runtime‑first CNAPPs differentiate​

eBPF sensors + agentless cloud signals​

• eBPF‑based telemetry provides low‑overhead, high‑fidelity insights directly from the kernel: system calls, network flows, and process trees. When correlated with cloud audit logs and identity events, these signals reveal whether a vulnerability is being actively exploited or if a misconfiguration is accessible to attacker techniques. Upwind documents describe exactly this combination as a core differentiator.
• Complementing eBPF with agentless scanners and registry scanning (e.g., ACR image inspection) produces a full lifecycle view: code and images at rest, posture and configuration, and live runtime behavior. This is the essence of a CNAPP that claims to be able to triage what matters now rather than surface long lists of theoretical findings.

Threat stories and prioritization​

Upwind’s platform correlates telemetry into higher‑level narratives that map a runtime anomaly back to the pipeline, container image, or identity that introduced it—giving incident responders a starting point for remediation rather than a disconnected alert. This kind of correlation is precisely what customers ask for when they say they want “fewer but more meaningful alerts.” Analyst coverage and vendor materials show this pattern is central to Upwind’s product claims.

---

Analyst recognition and market momentum — verified, but read carefully​

• Upwind has publicly announced multiple analyst recognitions—Frost & Sullivan’s CNADR Company of the Year, placements in GigaOm’s Container Security Radar, and references in Gartner materials—claims that are repeated in company press releases and third‑party coverage. These recognitions reflect market interest in runtime‑centric architectures.
• That said, vendors’ press statements and analyst mentions often reflect a mix of paid research, vendor briefings, and selective metrics. For example, press material cites explosive growth figures (one press release references “over 4,000% year‑over‑year” growth in a particular period), while other sources repeat different growth percentages. These numbers are worth treating cautiously until audited financials or independent market research reports are consulted. Where precise growth figures matter to procurement or investment decisions, ask for audited metrics or customer‑by‑customer references.

---

Strengths: what Upwind + Microsoft brings to the table​

• Runtime accuracy and reduced noise — eBPF telemetry combined with cloud signals gives higher‑fidelity detections and contextual prioritization, which addresses alert fatigue for SOC teams.
• Operational fit for Azure shops — Marketplace transactable offers, MACC eligibility, and co‑sell readiness reduce procurement friction and enable integrated billing flows for organizations heavily invested in Azure.
• Integrated telemetry for faster investigations — Native pathways into Sentinel and Defender for Cloud let teams pivot from Upwind findings to broader investigation workflows without heavy tool stitching.
• Coverage for serverless and ephemeral workloads — The runtime-first model claims to extend into serverless runtimes and short‑lived container workloads where traditional EDR and periodic scans miss activity. This is an important capability as cloud-native architectures increasingly rely on ephemeral compute.

---

Risks, caveats, and realistic expectations​

No single vendor can be a silver bullet. Here are the risks and operational trade‑offs security teams should weigh.

1) Vendor claims vs. independent validation​

Vendor press releases and partner pages emphasize co‑sell readiness, analyst awards, and growth metrics—but these are marketing assets. Procurement teams should request:

• Proof of marketplace listing and procurement terms (transactable SKUs and MACC tags).
• Customer references in your industry and region.
• A clear SLA and data residency guarantees for sensitive workloads.

Treat press claims as signals to investigate, not as procurement proof.

2) eBPF/Kernel instrumentation considerations​

eBPF is powerful but operates at the kernel level; operational teams should evaluate:

• Compatibility across OS versions and kernel builds used in your fleet.
• Performance overhead and testing in representative workloads.
• Security posture for the agent/sensor itself (update processes, supply chain controls).

Request an architecture and ops review during PoV and ensure your platform engineering team is comfortable with kernel‑level instrumentation.

3) Integration and alerting discipline​

Bringing runtime telemetry into Sentinel and Defender for Cloud is only half the work—teams must tune correlation rules, SOC playbooks, and response automation. Without investment in processes and runbooks, high‑fidelity detections still require time to drive remediations. Ask vendors for sample playbooks and run a joint tabletop exercise during evaluation.

4) Multi‑cloud parity and single‑pane claims​

Upwind markets multi‑cloud coverage, but parity across providers can lag. If your estate spans Azure, AWS, and GCP, verify:

• Feature parity for runtime telemetry on each provider.
• Which capabilities are Azure‑first and which are multi‑cloud.
• How the vendor maps cloud‑specific services (e.g., Azure Functions, AWS Lambda) into a unified model.

Don’t assume all features you see in an Azure demo will be identical in other clouds—validate with test accounts.

---

Deployment guidance and questions to ask in a PoV​

If you’re evaluating Upwind’s Azure Marketplace offering, follow a structured PoV to verify claims and measure impact:

• Scope: Identify 3 representative environments (one AKS cluster, one VM scale set, one serverless function set).
• Onboarding: Time how long it takes to connect Azure subscriptions, enable the cloud scanners, and deploy the eBPF sensor (if required). Document required IAM permissions.
• Signal coverage: Confirm Azure audit logs, activity logs, ACR scanning, and runtime events flow into the platform and Sentinel.
• False positive rate: Run a baseline for two weeks and measure how many detections are actionable versus noise. Ask for vendor tuning guidance.
• Remediation pipeline: Validate how findings generate tickets (e.g., Azure Boards, ServiceNow), whether playbooks can be automated, and how the vendor integrates with your CI/CD toolchain.

---

Realistic ROI: what to expect​

• Short‑term: Expect faster discovery and triage for live exploitable issues (minutes to hours instead of days) if runtime telemetry is properly deployed and tuned. This often reduces time spent chasing non‑actionable scanner findings.
• Medium‑term: Lowered incident dwell time and fewer escalations if SOC and platform teams adopt the vendor’s contextual threat stories and automate routine responses. Quantifying ROI requires baseline measurements (current MTTR, alert volumes) before the PoV.

---

Final analysis — strategic implications for Azure customers​

Upwind’s entrance into the Azure Marketplace as a transactable, co‑sell‑ready runtime CNAPP is meaningful because it reduces procurement friction and folds runtime telemetry into Azure’s security fabric. For Azure‑centric enterprises, this lowers the operational friction of adopting runtime‑first defenses, and the integration with Sentinel and Defender for Cloud makes the product more likely to be operationalized instead of becoming just another silo.
However, buyers should separate marketing from engineering reality. Ask for technical validations: kernel compatibility for eBPF sensors, performance data under representative load, multi‑cloud parity statements, and audited growth or deployment metrics. Vendor assertions about explosive growth or analyst rankings are useful signals, but procurement decisions must be grounded in PoV results, reference checks, and a clear remediation pipeline.

---

Recommendation checklist for security leaders​

• Require a two‑week PoV across representative Azure workloads and verify Sentinel/Defender integration.
• Validate MACC eligibility and Marketplace SKU for your procurement team so Marketplace purchases can be applied to consumption commitments.
• Insist on performance and compatibility reports for eBPF sensors across your Linux distributions and kernel versions.
• Request customer references in your industry (financial services, healthcare) to confirm real‑world effectiveness and compliance posture.
• Build playbooks and automation early—integrate Upwind alerts into your ticketing and CI/CD remediation pipelines during the PoV.

---

Runtime visibility is no longer a boutique advantage; it’s becoming a procurement‑level consideration for Azure customers who must secure ephemeral workloads and GenAI pipelines. Upwind’s partnership with Microsoft lowers the adoption friction by bringing runtime truth into Azure’s Marketplace and security tooling—but the usual caveats apply: validate the technical assumptions in your environment, measure real detection quality during a PoV, and require concrete operational playbooks before committing at scale. The partnership is an important step toward making runtime‑first protection a mainstream, enterprise‑deployable capability in Azure—but informed, technical due diligence remains essential before a full rollout.

---

Source: SourceSecurity.com https://www.sourcesecurity.com/amp/...-co-14053-ga-co-1773399410-ga.1773400069.html