Headline & intro
Security teams don’t have a visibility problem anymore – they have a triage problem. Cloud tools already tell them that everything is vulnerable, all the time. What they lack is context: what actually matters right now. Upwind’s new $250 million round at a $1.5 billion valuation is a bet that solving this “runtime reality gap” is the next big platform shift in cloud security.
In this piece, we’ll look at what Upwind is really selling, why investors are still writing huge checks in an otherwise cautious market, how this reshapes the crowded CNAPP space, and what the inside‑out “runtime” model means for European enterprises facing NIS2, DORA and an AI-driven infrastructure boom.
The news in brief
According to TechCrunch, Israeli-founded Upwind Security has raised a $250 million Series B round at a $1.5 billion valuation. The funding was led by Bessemer Venture Partners, with Salesforce Ventures and Picture Capital also participating.
Upwind builds what it calls a “runtime” cloud security platform. Instead of only scanning cloud configurations from the outside, it consumes internal signals – such as network flows, API calls and process activity – to help security teams prioritise vulnerabilities and threats that are actually exploitable in real time.
As reported by TechCrunch, the company has grown aggressively since its $100 million Series A in 2024, claiming 900% year‑over‑year revenue growth and a doubling of its customer base. Its roster includes large, data-heavy organisations like Siemens, Peloton, Roku, Wix, Nextdoor and Nubank. Upwind has expanded beyond its initial focus on the U.S., U.K. and Israel into markets such as Australia, India, Singapore and Japan.
The fresh capital will go into product development, AI-driven security capabilities, and pushing its platform closer to developers to catch misconfigurations before they hit production.
Why this matters
Upwind sits at the intersection of three powerful forces: cloud‑native complexity, alert fatigue and investors’ obsession with cybersecurity as one of the last “growth at any price” categories.
First, the technical angle. Over the last decade, cloud security has largely meant CSPM (Cloud Security Posture Management) and its newer umbrella, CNAPP – platforms that scan infrastructure-as-code, cloud accounts and containers for misconfigurations. These tools are excellent at producing dashboards full of red. They are much worse at answering a basic operational question: Which of these thousand critical alerts will turn into a real incident this week?
Upwind’s runtime model tries to answer exactly that. By instrumenting live traffic, workloads and APIs, it can say, for example: “Yes, this container image has a severe vulnerability, but the service isn’t exposed to the internet, has no sensitive data paths, and is short‑lived,” versus “this trivial-looking misconfiguration is actually on a public-facing API that handles payment data.” That kind of contextual triage is what security leaders are desperate to buy.
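The contrast in the paragraph above, as an added illustration in Python. This is not Upwind's algorithm or code: the `Finding` fields, the multipliers and the sample findings are all assumptions constructed to show how runtime context can reorder a severity-sorted queue.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    name: str
    severity: float          # static scanner score, 0-10 (CVSS-like)
    internet_exposed: bool   # runtime signal: reachable from the internet
    sensitive_data: bool     # runtime signal: on a path carrying sensitive data
    short_lived: bool        # runtime signal: workload is ephemeral

# Assumed multipliers, chosen for illustration only.
EXPOSED, INTERNAL = 1.5, 0.4
SENSITIVE, NON_SENSITIVE = 1.5, 0.6
EPHEMERAL = 0.7

def contextual_priority(f: Finding) -> float:
    """Scale the static severity by what the workload is doing at runtime."""
    score = f.severity
    score *= EXPOSED if f.internet_exposed else INTERNAL
    score *= SENSITIVE if f.sensitive_data else NON_SENSITIVE
    if f.short_lived:
        score *= EPHEMERAL
    return round(min(score, 10.0), 2)

def rank_static(findings):
    """Queue order when only the scanner's severity is known."""
    return [f.name for f in sorted(findings, key=lambda f: f.severity, reverse=True)]

def rank_runtime(findings):
    """Queue order once runtime context is applied."""
    return [f.name for f in sorted(findings, key=contextual_priority, reverse=True)]

# Constructed sample findings mirroring the two cases in the text, plus one more.
FINDINGS = [
    Finding("container-image-cve", 9.8, False, False, True),
    Finding("payment-api-misconfig", 4.0, True, True, False),
    Finding("internal-batch-weak-tls", 6.5, False, True, False),
]

if __name__ == "__main__":
    print("static :", rank_static(FINDINGS))
    print("runtime:", rank_runtime(FINDINGS))
    for f in FINDINGS:
        print(f"{f.name:26} {f.severity:4} -> {contextual_priority(f)}")
```
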
Second, the commercial angle. Even in 2025–2026’s tighter funding climate, security remains an outlier. Large enterprises cannot slow down cloud adoption, AI workloads and software delivery, but they can consolidate vendors if someone promises fewer tools and fewer false positives. Upwind is explicitly positioning itself not as yet another point solution, but as a broad platform that wants to replace multiple products.
Who wins? Cloud‑mature organisations with sprawling microservices and multi‑cloud setups stand to benefit most: banks, SaaS giants, industrial groups, gaming, fintech. Who loses? Legacy, “outside‑in only” CSPM vendors and niche tools that can’t prove they reduce risk in production. For them, this round is another signal that the market is moving on from pure visibility to runtime impact.
The bigger picture
Upwind’s raise is not an isolated story; it’s part of a broader reshaping of cloud security that has been underway for a few years.
CNAPP convergence and the platform land‑grab. Vendors like Wiz, Orca Security, Palo Alto Networks and others have been racing to build end‑to‑end cloud security suites – combining CSPM, workload protection, Kubernetes security, data security and more. The trend is clear: CISOs want a smaller number of strategic platforms with strong integrations rather than a zoo of overlapping tools. Upwind is entering this same CNAPP race, but with runtime observability as its core identity.
Agentless vs. agent‑based, now with nuance. The last hype wave in cloud security was “agentless”: scan cloud APIs, do not touch production workloads. It was fast to deploy and easy to sell to security leaders wary of impacting reliability. But as TechCrunch notes from the founders’ comments, that outside‑in approach quickly hits a ceiling; you get lots of findings with shallow context. Upwind’s thesis – that you need “inside‑out” signals from live systems – suggests a more pragmatic future: mixed models where agentless is the entry point, and deeper runtime hooks are added where risk is highest.
From static to dynamic risk in the AI era. AI agents, serverless functions, ephemeral containers and data‑heavy pipelines mean that infrastructure state changes in minutes, not quarters. Traditional security scans are snapshots. Runtime security is essentially continuous security: a live feed of how code, data and users are actually behaving. That idea rhymes with what happened on endpoints a decade ago, when the market moved from classic antivirus to EDR/XDR with continuous monitoring.
For the broader industry, Upwind’s valuation confirms two things. First, investors still see cybersecurity – especially in cloud and AI infrastructure – as one of the few categories that can support multi‑billion‑dollar outcomes. Second, the differentiation bar is rising. “Yet another CNAPP” won’t raise $250 million in 2026. You need a credible story about solving alert overload, integrating into developer workflows, and handling AI‑driven infrastructure at scale.
The European / regional angle
For European enterprises, this news is not just about another Israeli‑American unicorn; it’s about regulatory survival.
The combination of NIS2, DORA (for financial services) and long‑standing GDPR obligations is forcing European organisations to prove not only that their cloud environments are configured correctly, but that they can detect and respond to real incidents quickly. Static compliance checklists are no longer enough.
Runtime cloud security slots neatly into this gap. If you can continuously observe which services talk to which databases, where personal data actually flows, and which APIs are exposed, you can build much stronger evidence for regulators and auditors. For a DORA‑regulated bank in Frankfurt or Milan, a tool that can show “this critical payment service is being monitored at runtime, and we can replay suspicious flows” is a powerful governance argument.
There is also a sovereignty twist. Many European CISOs are wary of over‑reliance on U.S. or Israeli vendors for deep telemetry into their production systems, especially in critical infrastructure. Projects like GAIA‑X and various national “trusted cloud” initiatives exist precisely because of this unease. If runtime platforms like Upwind become central nervous systems for cloud environments, questions around data residency, lawful access and cross‑border log transfer will intensify.
At the same time, Upwind already lists Siemens – a European industrial giant – as a customer, which shows that major EU companies are willing to adopt such technology when the value is clear. For European security startups, the message is mixed: there is still room to build local champions, particularly around EU‑specific compliance and sovereign hosting, but they will compete against heavily funded global platforms that move fast and integrate broadly.
For European mid‑market companies and public institutions, the practical takeaway is simpler: runtime security will increasingly be what large suppliers and regulators expect. Whether via Upwind or a competitor, the ability to prioritise risk based on live behaviour will become part of standard due diligence.
Looking ahead
Where does this go next?
1. Runtime becomes table stakes in CNAPP. Within the next 2–3 years, expect “runtime awareness” to be a checkbox requirement in most CNAPP RFPs. Even vendors that started life as pure CSPM or IaC scanners will bolt on some form of runtime analysis – whether through acquisitions, side‑car agents, eBPF instrumentation, or deep integrations with observability tools like Datadog and Prometheus.
2. Consolidation and M&A. The number of well‑funded cloud security vendors is not sustainable. As growth slows or IPO windows stay narrow, larger security and cloud providers will go shopping. Hyperscalers (AWS, Azure, Google Cloud) already offer native security services, but their neutrality as platforms limits how far they can go. That creates space for acquisitions by companies like Palo Alto Networks, CrowdStrike or even observability players wanting to step into security. Upwind’s size and differentiated positioning make it a likely future acquirer – or an attractive target.
3. Developer integration is the make‑or‑break. Upwind says it wants to move “closer to developers” and prevent misconfigurations before production. That is crucial. If runtime platforms only show up after deployment, they risk becoming yet another noisy dashboard for security teams. The winning pattern is: detect patterns in runtime, feed actionable guardrails back into CI/CD, IaC templates and API gateways. Think of it as a feedback loop between production reality and build‑time controls.
4. Regulatory scrutiny of deep telemetry. As runtime platforms see more of what’s happening inside applications and data flows, regulators and privacy advocates will ask hard questions. How much personal data is in those logs? Where are they stored? Who can access them during incident response? Vendors that treat data minimisation and regional hosting as first‑class features will have an edge in Europe.
The main risk for Upwind is the classic one in security: becoming a “nice to have” rather than a “must have” in budget cycles. To avoid that, it will need to keep proving that its runtime context directly reduces incident volume, dwell time and compliance cost – not just that it surfaces interesting graphs.
The bottom line
Upwind’s $250 million round is less about one company and more about a shift in mindset: from scanning clouds to understanding how they actually behave. Runtime, inside‑out security is poised to become the new baseline for serious cloud programmes, especially in heavily regulated European sectors.
The opportunity – and the challenge – is clear. If platforms like Upwind can genuinely cut through alert noise, feed real‑world insight back into development, and respect European sovereignty constraints, they’ll shape the next decade of cloud security. If not, they risk becoming just another dashboard in a crowded SOC. The question for CISOs now is simple: are you still securing configurations, or are you finally securing reality?



