The machine sitting on a developer’s desk has become one of enterprise security’s most consequential blind spots. As AI agents run locally, connect to external servers, and execute automated tasks across cloud platforms and SaaS applications, the developer endpoint has evolved from a device management problem into a cloud security problem.
Upwind Security has built a response to that shift. The company announced today the launch of its AI Sensor for Endpoints, a new capability that extends Upwind’s platform to cover developer workstations alongside the cloud environments it already monitors.
AI at the Edge
Cloud security platforms were built for a world where the critical infrastructure was the cloud. That assumption held as long as the most sensitive and consequential AI activity happened in cloud-hosted workloads. Increasingly, it does not.
Developers today run AI models locally, build and test agents on their own machines, and connect those agents through MCP to external services that span cloud providers and SaaS platforms. The endpoint is where AI workflows frequently originate. It is where the tokens and permissions that power those workflows are stored. It is, as a result, where the risk starts.
MCP-connected endpoints represent a specific amplification of that risk. When a developer’s machine is integrated with MCP servers, it can initiate actions across an organization’s cloud infrastructure automatically, without requiring additional authentication at each step. A single device with the right MCP connections can reach broadly across an organization’s entire stack.
Amiram Shachar, CEO of Upwind Security, described the scale of the problem: “In the new world of AI Agents and MCP servers, the cloud risk extended to the edge, where tokens, permissions, and cloud actions are now taken automatically from the developers’ workstations. To truly protect the cloud, we must help security teams see the journey from the endpoint.”
The New Capability
Upwind’s AI Sensor for Endpoints gives security teams real-time monitoring of MCP connections initiated from developer endpoints. It correlates endpoint activity with cloud identity and action data. It also detects anomalous AI-driven actions across SaaS and cloud platforms.
The sensor integrates into Upwind’s existing platform, pulling endpoint data into the same unified view that already covers cloud workloads, actions, identities, and prompts. Security teams working in Upwind do not need a separate product to cover the endpoint layer. The coverage extends through the existing platform interface, giving teams the full picture without requiring additional tool management.
Where the Gap Was
Before this announcement, Upwind’s platform covered the cloud and application layers with runtime-powered security. What it did not cover was the device layer where an increasing share of AI-driven activity originates.
That gap matters because the threat path has changed. The traditional model of enterprise risk assumed that attackers would target the cloud directly or would compromise an endpoint and then move toward the cloud through conventional lateral movement. AI agents and MCP connections introduce a different dynamic: the endpoint is already integrated into the cloud, holding permissions and MCP connections that give it direct reach into infrastructure and SaaS platforms.
Security teams with visibility only at the cloud level see the downstream effects of endpoint activity without seeing the activity itself. They can detect that something unusual happened in their cloud environment, but they cannot trace it back to the device and the agent that initiated it. That gap between cause and effect makes investigation slower and remediation more difficult.
What Changes With the Sensor
With the AI Sensor for Endpoints running, security teams gain the starting point they were missing. They can see which developer machines are connecting to which MCP servers, what actions those connections are driving in cloud and SaaS environments, and whether those actions fall within expected patterns or represent something worth investigating.
The correlation between endpoint and cloud data happens within the platform rather than requiring manual effort from security analysts. An event that starts at a developer laptop and moves through an MCP server into cloud infrastructure appears as a connected sequence, not as two separate anomalies in two separate systems.
For organizations running AI-heavy development workflows, that connected view is the difference between a security operation that can keep pace with how their environment actually works and one that is perpetually reacting to events it did not see coming.
Upwind’s platform is built around the principle that runtime data should inform security decisions rather than configuration audits alone. The AI Sensor for Endpoints applies that principle to the device layer, completing the picture for security teams that need coverage across the full arc of AI activity in their environments.
