Cloud security firm Upwind has expanded its runtime protection platform to support Windows Server virtual machines, addressing a critical visibility gap for organizations running Windows workloads in public clouds. The new capabilities, announced on May 5, 2026, cover Windows Server 2016 and later versions on Amazon EC2, Microsoft Azure Virtual Machines, and Google Cloud Compute Engine. This multi-cloud rollout means enterprises can now apply consistent runtime security controls to their Windows-based cloud VMs, regardless of the underlying cloud provider.
Background on Upwind
Upwind emerged from stealth in 2022 with a platform built from the ground up for cloud-native runtime security. The company quickly gained attention for its agentless approach on Linux, leveraging eBPF to monitor workloads deep inside the kernel without significant overhead. By 2024, Upwind had raised a $100 million funding round, signalling investor confidence in the runtime-first philosophy. Unlike many cloud security tools that focus on snapshot scanning or shift-left posture management, Upwind prioritized real-time workload behavior analysis, enabling teams to detect active threats that static scans miss.
The platform is typically categorized as a Cloud Native Application Protection Platform (CNAPP), but Upwind sets itself apart by emphasizing runtime visibility as the core—rather than an add-on—capability. With the Windows Server launch, Upwind broadens its addressable market to include the millions of Windows VMs running in production clouds, a segment often underserved by modern runtime tools.
What is Runtime Protection and Why It Matters Now
Runtime protection involves monitoring applications and operating systems as they execute, collecting telemetry on process activity, network connections, file system changes, and memory operations. Advanced engines then apply behavioral analysis and threat intelligence to spot malicious patterns in real time. This contrasts with static approaches like vulnerability scanning or configuration checks, which can only identify theoretical weaknesses—not active exploitation.
Attackers have shifted their tactics to target running workloads, often using stolen credentials or software supply chain compromises to inject code into memory. A traditional vulnerability scanner might report that a Windows VM is patched, but if an attacker is already executing ransomware via a PowerShell script, only runtime detection will raise the alarm. Security frameworks like MITRE ATT&CK and cloud security benchmarks increasingly demand runtime monitoring for cloud workloads, but Windows Server has lagged behind Linux in tool availability.
The Windows Server Blind Spot
Despite the container and serverless revolutions, Windows Server remains a staple in enterprise clouds. Legacy .NET applications, SQL Server databases, Active Directory services, and commercial off-the-shelf software often run on Windows Server VMs. In sectors like finance, healthcare, and government, these workloads process sensitive data and are frequent targets for cyberattacks. Yet, cloud security teams often struggle to extend their modern tooling to Windows because many agents are Linux-only or require deep kernel modules that conflict with Windows architecture.
Upwind’s own customer research highlighted this gap. Enterprises that had adopted the platform for their Linux container environments found themselves managing a separate, less effective set of tools for their Windows VM fleets. The lack of runtime context meant that security operations centers (SOCs) could not correlate an alert from a Windows web server with cloud identity anomalies or network flows in the same way they could for Linux workloads. This fragmented visibility was a primary driver for Upwind to invest in Windows support.
Technical Architecture and Agent Design
To protect Windows Server VMs without causing performance degradation or compatibility issues, Upwind developed a purpose-built lightweight sensor. Unlike the eBPF probes used on Linux, the Windows sensor taps into the operating system’s native event tracing and security telemetry channels. It hooks into Windows Event Log, ETW (Event Tracing for Windows) providers, and user-mode API monitoring to gather process creation, network connection, file modification, and registry access data.
The sensor is deployed as a Windows service that requires no kernel driver modifications. This design choice ensures compatibility with any Windows Server 2016 or later version—including Long-Term Servicing Channel (LTSC) and Azure Stack HCI—without customizations. Upwind claims the agent’s CPU overhead averages less than 2% and memory usage remains under 100 MB, based on internal benchmarks. For high-transaction environments, organizations can tune the telemetry collection policy from the Upwind console to balance visibility and resource utilization.
Once collected, telemetry is streamed securely to Upwind’s cloud-based analytics engine, where it is enriched with cloud context. The engine maps every VM event to its corresponding cloud metadata—security group rules, IAM role, resource tags, and workload identity. This correlation allows detection of cross-environment attack chains, such as an attacker pivoting from an exploited Linux container to a Windows VM hosting the corporate domain controller.
Multicloud Support and Unified Management
The announcement specifically highlights availability on Amazon EC2, Azure Virtual Machines, and Google Compute Engine. Upwind provides a single management plane where security teams can define policies, view risk dashboards, and respond to incidents across all three cloud providers. The Windows sensor automatically registers with the Upwind backend and inherits the tenant’s existing security policies, ensuring consistent enforcement regardless of the cloud hosting the VM.
This multicloud abstraction is critical for enterprises pursuing hybrid or multi-cloud strategies. A financial services firm might run its customer-facing applications on AWS while keeping sensitive back-office systems on Azure. With Upwind, the SOC can monitor both environments through one interface, reducing tool sprawl and training overhead. The platform also supports agent deployment via cloud-native automation tools—CloudFormation, Terraform, Azure Policy, and Deployment Manager templates—making it straightforward to protect ephemeral Windows VMs in auto-scaling groups.
Key Features and Detection Capabilities
Beyond basic runtime monitoring, the Windows Server integration brings several detection capabilities tailored to Windows threats. The platform can identify:
- Credential access attempts via LSASS process dumping or registry hive extraction.
- Suspicious PowerShell execution, including encoded commands, base64 payloads, and script block logging bypass techniques.
- Ransomware behavior patterns such as rapid file encryption with appended extensions, volume shadow copy deletion, and persistence mechanism creation.
- Lateral movement using remote services, SMB, or WinRM.
- Living-off-the-land binaries (LOLBins) like certutil, mshta, or rundll32 being abused.
Alerts are contextualized with cloud metadata to help analysts quickly understand the scope: Is the victim VM publicly exposed? Does it have an over-permissive IAM role? Is it part of a critical application? The platform also integrates with SIEM and SOAR tools via API, webhook, and native connectors for Splunk, Microsoft Sentinel, and others.
Additionally, Upwind’s runtime vulnerability prioritization engine now covers Windows CVEs. It can combine vulnerability scan results with runtime evidence—for example, confirming a vulnerable component is actually loaded and executing—to reduce alert fatigue and focus remediation efforts on risks that matter.
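As an added illustration of the contextual prioritization the two paragraphs above describe (this is example code, not Upwind's engine or data model), the following joins static scan findings against two sources of runtime and cloud evidence: which modules are actually loaded in running processes, and the VM's exposure metadata (public reachability, IAM role, criticality tag). The vulnerability IDs, component names, weights and cloud metadata are all constructed placeholders; the weights in particular are assumptions chosen to make the ranking readable, not values from the page.

```python
"""Runtime-aware vulnerability prioritization (constructed example)."""
from dataclasses import dataclass


@dataclass
class Finding:
    vuln_id: str      # placeholder identifiers below, not real CVEs
    component: str    # module/file the scanner matched, e.g. a DLL basename
    cvss: float


@dataclass
class VmContext:
    loaded_modules: set[str]   # module basenames seen in running processes
    public_exposed: bool       # public IP plus an inbound security-group rule
    admin_iam_role: bool       # attached role grants broad/wildcard rights
    tags: dict[str, str]       # resource tags, e.g. {"tier": "critical"}


# Assumed weights for the example: runtime evidence dominates, then exposure.
NOT_LOADED_FACTOR = 0.3
PUBLIC_BONUS = 2.0
ADMIN_ROLE_BONUS = 1.5
CRITICAL_TAG_BONUS = 1.0


def score(f: Finding, ctx: VmContext) -> tuple[float, list[str]]:
    """Return (priority score, reasons) for one finding on one VM."""
    reasons = []
    s = f.cvss
    if f.component.lower() in {m.lower() for m in ctx.loaded_modules}:
        reasons.append("component loaded at runtime")
    else:
        s *= NOT_LOADED_FACTOR          # present on disk but never executing
        reasons.append("component not observed running")
    if ctx.public_exposed:
        s += PUBLIC_BONUS
        reasons.append("VM publicly exposed")
    if ctx.admin_iam_role:
        s += ADMIN_ROLE_BONUS
        reasons.append("over-permissive IAM role")
    if ctx.tags.get("tier") == "critical":
        s += CRITICAL_TAG_BONUS
        reasons.append("tagged critical")
    return s, reasons


def rank(findings, ctx):
    """Highest score first; ties broken by vuln_id for stable output."""
    scored = [(f, *score(f, ctx)) for f in findings]
    return sorted(scored, key=lambda t: (-t[1], t[0].vuln_id))


# Constructed sample: three scan hits on one Windows web server.
SAMPLE_FINDINGS = [
    Finding("CVE-0000-EXAMPLE-A", "liblegacy.dll", 9.8),   # high CVSS, idle
    Finding("CVE-0000-EXAMPLE-B", "webfw.dll", 7.5),       # loaded by w3wp
    Finding("CVE-0000-EXAMPLE-C", "sqlcli.dll", 6.1),      # loaded by app
]
SAMPLE_CONTEXT = VmContext(
    loaded_modules={"webfw.dll", "sqlcli.dll", "kernel32.dll"},
    public_exposed=True,
    admin_iam_role=False,
    tags={"tier": "critical", "app": "ehr-portal"},
)


def run_demo():
    return rank(SAMPLE_FINDINGS, SAMPLE_CONTEXT)


if __name__ == "__main__":
    for f, s, why in run_demo():
        print(f"{f.vuln_id:22} {s:5.2f}  {'; '.join(why)}")
```

The effect is the one the paragraph describes: the 9.8 finding whose module never loads drops below two lower-CVSS findings whose components are actually executing on an exposed, critical VM.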
Industry and Enterprise Use Cases
For legacy application estates that cannot be easily containerized, the new Windows support provides a bridge to modern security without rearchitecture. A healthcare provider running a Windows-based electronic health records system on Azure Virtual Machines can now get real-time alerts if an attacker attempts to access patient data via anomalous SQL queries. Meanwhile, a manufacturing company with industrial control system components hosted on Windows Server in Google Cloud can detect unauthorized changes to configuration files or network connections to unknown command-and-control servers.
Cloud-native startups, too, benefit when their architecture includes Windows components. Even heavily containerized environments often rely on some Windows VMs for build agents, Active Directory identity services, or compliance-mandated applications. Upwind’s platform unifies the security view, allowing DevOps and security teams to manage Windows and Linux as equal workload types under a single policy umbrella.
Competitive Context and Market Positioning
Upwind competes in the crowded CNAPP market, which includes players like Wiz, Orca Security, Palo Alto Networks (Prisma Cloud), CrowdStrike, and Microsoft’s own Defender for Cloud. Most of these vendors provide some form of runtime protection, but their approaches vary. Wiz and Orca have historically focused on agentless scanning, recently adding lightweight runtime features; CrowdStrike’s Falcon platform offers deep Windows endpoint security but is often perceived as a separate tool from cloud security. Upwind’s differentiator lies in its runtime-first architecture that covers both Linux and Windows with a consistent data model, plus its tight correlation between workload telemetry and cloud context.
Industry analysts have noted that Windows runtime protection in cloud VMs is an underserved niche. While Microsoft Defender for Cloud offers strong Windows security, it is inherently Azure-centric and can leave multi-cloud environments with gaps. Upwind steps in as a cloud-agnostic option, appealing to organizations that want to avoid vendor lock-in or that already have a multi-cloud strategy. Still, the company must prove its sensor’s reliability and performance at scale, as Windows Server ecosystems are notoriously complex and diverse.
Deployment Challenges and Considerations
Rolling out a new agent to production Windows VMs is not trivial. Enterprise change management processes require thorough testing, and any perceived performance impact can stall adoption. Upwind has published deployment guides and best practices, recommending a phased rollout starting with non-critical VMs. The sensor’s design as a user-mode service helps avoid kernel panics or blue-screen risks, but organizations will still want to run their own load tests.
Another consideration is end-of-support timelines. Windows Server 2016 mainstream support ended in January 2022, though extended security updates are available. Upwind’s sensor supports 2016 and later, but the company advises customers to stay on versions that receive regular security patches. Windows Server 2022, with its built-in virtualization-based security features, may offer smoother integration, though Upwind’s sensor does not require these features.
False positive tuning is an ongoing challenge for runtime tools. Windows environments often have noisy processes—IT management agents, scheduled tasks, and legitimate automation scripts—that can trigger alerts. Upwind includes machine learning-based noise reduction and allows administrators to create custom suppression rules based on process hashes, command-line arguments, or parent-child process relationships.
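To make the pipeline concrete, here is an added example (not Upwind's code) tying together three passages of this article: the sensor's process-creation telemetry from the Security event log and ETW (Technical Architecture), two of the listed detections (encoded PowerShell commands and a LOLBin launched from an unexpected parent), and the suppression rules keyed on process hash, command line and parent-child relationship described just above. The events, file hashes, the `mgmtagent.exe` management agent and the set of "expected" parent processes are all constructed for the example; the encoded script decodes to a harmless `Write-Output`.

```python
"""Toy runtime-detection pass over constructed 4688-style process events."""
import base64
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProcessEvent:
    image: str          # NewProcessName in a Security 4688 event
    cmdline: str        # CommandLine (requires command-line auditing enabled)
    parent_image: str   # ParentProcessName
    sha256: str         # hash the sensor attaches (placeholders below)


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


# -EncodedCommand and the abbreviations PowerShell accepts, then a base64 blob.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
LOLBINS = {"certutil.exe", "mshta.exe", "rundll32.exe"}
# Assumption for this example: parents that launch these binaries as part of
# normal OS operation, so a launch from them is not alerted on by itself.
EXPECTED_LOLBIN_PARENTS = {"services.exe", "svchost.exe", "msiexec.exe"}


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script if the command line carries -EncodedCommand."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        # PowerShell base64-encodes the UTF-16LE bytes of the script.
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def detect(ev: ProcessEvent) -> list[str]:
    """Apply the detections to one event; returns zero or more finding labels."""
    findings = []
    image, parent = basename(ev.image), basename(ev.parent_image)
    if image in {"powershell.exe", "pwsh.exe"}:
        decoded = decode_encoded_command(ev.cmdline)
        if decoded is not None:
            findings.append(f"encoded_powershell: {decoded}")
    if image in LOLBINS and parent not in EXPECTED_LOLBIN_PARENTS:
        findings.append(f"lolbin_unexpected_parent: {image} from {parent}")
    return findings


@dataclass
class SuppressionRule:
    """Every condition that is set must hold for the rule to suppress an event."""
    name: str
    sha256: Optional[str] = None
    cmdline_contains: Optional[str] = None
    parent: Optional[str] = None

    def __post_init__(self):
        if not any((self.sha256, self.cmdline_contains, self.parent)):
            raise ValueError(f"rule {self.name!r} would suppress everything")

    def matches(self, ev: ProcessEvent) -> bool:
        return ((self.sha256 is None or ev.sha256 == self.sha256)
                and (self.cmdline_contains is None
                     or self.cmdline_contains.lower() in ev.cmdline.lower())
                and (self.parent is None or basename(ev.parent_image) == self.parent))


def evaluate(events, rules):
    """Run detections, dropping findings on events a suppression rule covers."""
    out = []
    for i, ev in enumerate(events):
        findings = detect(ev)
        if findings and any(r.matches(ev) for r in rules):
            continue
        out.extend((i, f) for f in findings)
    return out


# Constructed sample data: a harmless script encoded the way PowerShell expects.
_ENC = base64.b64encode("Write-Output 'hello'".encode("utf-16-le")).decode()
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
_PS_HASH = "a" * 64  # placeholder, not a real file hash

SAMPLE_EVENTS = [
    ProcessEvent(_PS, f"powershell.exe -NoProfile -EncodedCommand {_ENC}",
                 r"C:\Windows\explorer.exe", _PS_HASH),
    ProcessEvent(_PS, f"powershell.exe -NoProfile -enc {_ENC}",
                 r"C:\Program Files\ExampleMgmt\mgmtagent.exe", _PS_HASH),
    ProcessEvent(r"C:\Windows\System32\mshta.exe", "mshta.exe",
                 r"C:\Windows\System32\inetsrv\w3wp.exe", "b" * 64),
    ProcessEvent(r"C:\Windows\System32\certutil.exe", "certutil.exe -store My",
                 r"C:\Windows\System32\svchost.exe", "c" * 64),
]
SAMPLE_RULES = [
    # A known IT management agent legitimately runs encoded PowerShell: suppress
    # only when the parent is that agent AND the PowerShell binary hash matches.
    SuppressionRule("mgmt-agent-powershell", sha256=_PS_HASH, parent="mgmtagent.exe"),
]


def run_demo():
    return evaluate(SAMPLE_EVENTS, SAMPLE_RULES)


if __name__ == "__main__":
    for idx, finding in run_demo():
        print(idx, finding)
```

Note the shape of the suppression rule: it is scoped by both the parent process and the binary hash, so a renamed or replaced `powershell.exe` launched by the same agent would still alert. Suppressing on the command-line substring alone would be the weaker choice, since an attacker-controlled command line is trivially shaped to match it.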
Future Roadmap and Expansion Plans
According to Upwind’s announcement, the Windows Server support is just the beginning. The company plans to extend runtime protection to Windows containers running on Azure Kubernetes Service, Amazon EKS, and Google GKE, where Windows nodes are becoming more common. Work is also underway to support hybrid scenarios, including on-premises Windows Server in data centers managed via Azure Arc, and to integrate more deeply with Microsoft’s security ecosystem—for example, ingesting Azure Activity Logs and mapping them to process events for richer incident timelines.
Upwind also hinted at upcoming features like runtime visibility into Active Directory domain services, which would open up new use cases in identity threat detection. As cloud architectures evolve, Upwind aims to maintain a unified data fabric across all workload types, making it a potential platform of record for cloud runtime security.
Conclusion
Upwind’s addition of Windows Server VM runtime protection across the three largest public clouds is a strategic move that acknowledges the enduring relevance of Windows workloads in enterprise IT. By delivering a consistent runtime security experience for both Windows and Linux, Upwind is positioning itself as a go-to CNAPP for organizations that cannot afford blind spots in any part of their cloud estate.
For security teams, the immediate benefit is closing a long-standing visibility gap without adding another siloed tool. The real test will be in the field as customers deploy the sensor at scale and validate its zero-touch integration and detection accuracy. If Upwind can deliver on its promises, this expansion could accelerate the shift toward runtime-first security strategies and set a new bar for cross-platform, multi-cloud protection.