Rinki Sethi makes the case for runtime-first cloud security and why visibility must precede controls.

As Indian enterprises sprint toward cloud adoption, the security gaps they leave behind are growing faster than most CISOs can track. From identity sprawl to AI workloads operating without runtime visibility, the attack surface is evolving in ways that traditional tools were simply never built to handle. Rinki Sethi, Chief Information Security Officer at Upwind, has sat on both sides of this challenge — as a practitioner navigating cloud transformation and now as a security leader rethinking how enterprises should see their environments from the inside out. In this conversation, she cuts through the noise around CNAPP, alert fatigue, and AI risk to deliver one clear message: visibility must come before controls, and real-time is no longer a feature — it is the foundation.
CIO&Leader: Cloud adoption in India has accelerated dramatically but so has the attack surface. What are the two or three cloud security challenges that Indian enterprises — large conglomerates, fintechs, or public-sector adopters — are underestimating right now?
Rinki Sethi: First, most organizations still don’t have complete visibility into what’s running in their environments. They know what should be running – their configs, their policies, their compliance state. But they cannot tell you what’s actively executing, how it’s behaving, or whether something anomalous is happening right now. That gap is enormous, and it becomes catastrophic when you’re operating across multi-cloud environments at the pace Indian enterprises are moving.
Second, the identity sprawl problem is deeply underestimated. It’s not just human identities – it’s service accounts, API keys, machine identities, cloud principals, and increasingly, AI agents acting autonomously. Attackers love this sprawl. Credential theft is often easier than writing malware. Indian enterprises, especially in BFSI and fintech, have accumulated years of permissions that were never properly right-sized. That creates attack paths no one has mapped.
Third, and this is especially relevant in India, given the pace of AI adoption, teams are deploying AI workloads and LLM-powered applications without treating them as production security risks. The workload is live: it’s accessing data, making decisions, and most organizations have no runtime view of what it’s doing. That’s not a future problem. It’s happening now.
CIO&Leader: Upwind’s core thesis is “inside-out” security — using a runtime fabric to observe cloud workloads from the inside. For an Indian CISO who has invested heavily in traditional CSPM or agent-based tools, how does runtime context change the security calculus fundamentally, and not just incrementally?
Rinki Sethi: I’ve been on that side of the table. When I was deep in cloud transformation at a previous company, I was focused on compliance, getting configs right, ensuring automation was in place, and reporting through dashboards. It felt productive. Then someone said something to me that changed my thinking entirely: “By the time you’re looking at the dashboard, the attack may have already happened.”
That stuck with me because it’s true. CSPM tells you what should be true. Runtime tells you what is true, right now. The difference is not incremental; it is architectural.
For a CISO invested in traditional tooling, posture management and configuration scanning are essential, but they view the cloud from the outside. They can tell you that the door might be unlocked. Runtime tells you whether someone is walking through it. Attackers don’t exploit theoretical weaknesses. They exploit active, reachable vulnerabilities in live environments. If you can only see the former, you remain reactive.
Upwind was built inside-out, starting from where workloads run and using eBPF to provide kernel-level visibility without impacting performance. This is not a capability you layer on top of existing tools. It is a fundamental advantage. For Indian enterprises operating at the speed and scale they are, real-time is not a feature; it is a requirement.
CIO&Leader: The CNAPP category has become one of the most crowded and confusing in cybersecurity. What separates a genuinely effective CNAPP platform from a loose bundle of tools wearing a CNAPP badge — and how should Indian CISOs evaluate the difference during procurement?
Rinki Sethi: This is the question I think about constantly because the confusion is real and costly. As a practitioner who had to evaluate these platforms, I’ve seen how this category gets stretched.
A genuine CNAPP is built on a unified data model at its core. Everything flows from a single source of truth about what is running, how it is connected, and what is at risk. A bundled product is a collection of acquisitions or bolt-ons, each with its own schema. Teams end up doing the correlation work themselves, manually stitching context across dashboards. That is not security. That is operational overhead.
The test is simple. Ask a vendor to demonstrate a real end-to-end attack path. Not a demo or synthetic scenario. Show the vulnerability, whether it’s reachable in my live environment, the identity that could exploit it, and the blast radius. If this requires jumping across screens or multiple tools, it is a bundle.
For Indian CISOs evaluating procurement, insist on a proof-of-concept in your own environment. Evaluate how the platform handles alert volume. Does it reduce noise or amplify it? Ask how runtime data is collected. Is it polling, agent-heavy, or truly lightweight and continuous? These answers quickly separate philosophy from capability.
CIO&Leader: Alert fatigue is the top operational complaint among security teams in India. Upwind claims up to 95% noise reduction through runtime-informed prioritization. What is the architectural reason runtime context has such a dramatic effect on signal quality — and what does that mean for how Indian security teams should be structured?
Rinki Sethi: Alert fatigue is not a volume problem. It is a context problem. When alerts are generated without knowing whether a workload is running, whether a vulnerability is reachable, or whether there is active exploitation, the result is noise. Lots of noise. Over time, teams begin to ignore it.
Runtime context changes this fundamentally because it adds the one dimension most tools are missing: what’s happening. Is this workload live? Is this process behaving normally? Is this network connection expected? When you can answer those questions at the moment of detection, you can immediately separate signals from noise. That’s how you get to 95% noise reduction, not by suppressing alerts, but by having the context to know which one matters.
This has implications for team structure. Runtime-informed security enables smaller teams to operate with greater confidence. Instead of managing tens of thousands of findings, teams can focus on the handful that are actively exploitable. This shifts the model from reactive triage to focused response. For organizations operating with lean budgets, this is both operationally and financially critical.
CIO&Leader: AI is simultaneously the biggest new threat vector and the most promising defensive tool. As Indian enterprises race to deploy AI agents and LLM-powered applications, what are the specific runtime risks they may not even be aware of?
Rinki Sethi: This is the area I am most focused on right now because risk is being created faster than it is being understood.
When enterprises deploy AI agents and LLM-powered applications, they’re not deploying static software. They’re deploying autonomous systems that take action, make API calls, access data, and increasingly communicate with other agents through protocols like MCP. Each of those interactions becomes a potential attack surface, and most organizations have no runtime visibility into what their AI workloads are doing.
The risks are clear. Prompt injection can cause agents to take unintended actions, especially when permissions are broad. Data exfiltration can occur during model reasoning without visibility into what was accessed or where it was sent. Lateral movement becomes possible through agentic workflows as trust boundaries continue to evolve.
Upwind’s AI-SPM capability is designed to address this by giving security teams visibility into AI workload behavior at runtime. AI systems should be treated like any other production workload. They need to be monitored continuously, not just reviewed before deployment.
CIO&Leader: India’s DPDP Act is now a compliance reality, with RBI, SEBI, and IRDAI advisories layered on top. How does data residency intersect with runtime security telemetry — and what assurances should Indian customers demand from cloud security vendors claiming local compliance support?
Rinki Sethi: This is a question I hear a lot from Indian CISOs, and it has real operational implications.
Runtime security telemetry is continuous and high-volume, capturing behavioral data from your workloads, process activity, network flows, and system calls. That data needs to be processed and stored somewhere. For organizations operating under DPDP, RBI, SEBI, or IRDAI mandates, that location matters. If telemetry is leaving India and being processed in a foreign region, it can introduce compliance risk regardless of the security capability.
That is why Upwind invested in in-region SaaS instances in India. It is an architectural commitment that telemetry remains within Indian borders, that support aligns with local regulatory requirements, and that data sovereignty is built into the infrastructure from the start.
Customers should ask direct questions. Where is my telemetry processed and stored? Can you provide contractual guarantees regarding data residency? Do you have local support teams who understand RBI or SEBI requirements? And if there is a breach that involves telemetry data, what are the notification obligations under Indian law? Vendors who cannot answer these questions clearly are not ready for regulated environments in India.
CIO&Leader: Many Indian CISOs are wrestling with the cultural challenge of DevSecOps — security and engineering teams siloed, with vulnerability backlogs nobody owns. Upwind is frequently described as “loved by DevOps.” What is the philosophy behind that — and what practical advice would you give an Indian CISO trying to break down that wall?
Rinki Sethi: I have seen this from both sides. As a CISO, I’ve had engineering teams treat security as the team that says no and slows things down. And honestly, I understood why, because too often, that’s how security teams operate. We handed over long lists of 10,000 vulnerabilities with no context, no prioritization, and no support for remediation. We owned the finding and threw it over the wall. That’s not a partnership.
The reason Upwind resonates with DevOps teams is that it solves their problem as well as the security team’s. When a vulnerability is surfaced, the platform shows exactly where it came from, including which code branch, which developer, and which pipeline introduced it. It shows whether the issue is actually reachable and running in production. And it delivers that context directly to the tools developers already live in, such as Jira, Slack, or whatever their workflow is.
For CISOs, the shift is to lead with shared outcomes. Show engineering what a real attack path looks like in their environment. Run tabletop exercises together. Bring them into red-team simulations. When developers see that a finding is active and exploitable in production, they act. When it’s a theoretical risk, it gets deprioritized. Security’s role is to provide that clarity. That’s how you build a culture where everyone owns security.
CIO&Leader: Upwind is building significant local presence in India — a development center in Pune, a partner network, and dedicated local support. How important is this local depth for Indian enterprises evaluating a cloud security platform?
Rinki Sethi: The Indian market is not a geography you can serve effectively from a global headquarters with an occasional visit. The regulatory landscape is layered and evolving. DPDP, RBI, SEBI, and IRDAI all introduce framework requirements that need local understanding. The threat landscape has regional characteristics. The partner ecosystem is distinct. Customer expectations for support responsiveness vary.
When we committed to India, including offices in Mumbai, Bangalore, and Pune, a dedicated development center, a partner ecosystem, and in-region SaaS infrastructure, it wasn’t a market entry move. It was a signal about how seriously we take being a long-term partner to Indian enterprises.
For Indian enterprises evaluating a cloud security vendor, local depth matters in two areas. First, responsiveness. When something is going wrong in your environment at 2 am IST, you need a support team that’s awake, understands your regulatory context, and can act immediately. Second, co-development. Building solutions that align with Indian regulatory and threat conditions requires teams that are based here and engaged day to day. That’s what we’re building. And I think the enterprises that choose vendors based on that depth will have a meaningfully better experience than those who don’t.
CIO&Leader: There is a growing debate about consolidation versus best-of-breed. Indian enterprises often have deeply entrenched toolsets, and CISOs are under pressure from the board to reduce vendor counts. How does Upwind think about platform consolidation — and where does runtime security fit in a rationalized stack?
Rinki Sethi: This is a board-level conversation happening everywhere, and it’s especially acute in India, where many enterprises have deeply entrenched toolsets. I have a pragmatic view of it.
Consolidation is a real strategic need. Vendor sprawl creates integration debt, and too many point solutions mean you’re doing the correlation work manually. But the path to consolidation matters. Ripping and replacing a mature endpoint solution or a well-integrated network tool to reduce vendor count is often more disruptive than the problem it solves.
The key question is what forms the foundation of the security stack. Runtime data should be the foundation, since everything that matters in cloud security ultimately happens there. If you start from that foundation and build posture, identity, network, and vulnerability context on top of it, you get a coherent picture of risk. If you start from a posture tool and try to add runtime context as a layer, you end up with fragmentation.
Upwind is not replacing endpoint or network security. It addresses the historical gap, providing continuous visibility into live cloud workload behavior. Our integrations with AWS, Azure, NVIDIA, and the broader ecosystem are designed to complement existing investments. For CISOs, the focus should be on whether the tools being consolidated share a unified data model or simply bundle capabilities without true integration.
CIO&Leader: What is the one piece of advice you would give an Indian CISO building a cloud security program for a rapidly scaling organization in 2026?
Rinki Sethi: Start with visibility, not controls.
I’ve seen organizations invest heavily in controls, firewalls, scanners, compliance tools, and still not be able to answer a basic question: what is running in the environment right now, and how is it behaving? Without that visibility, every other investment is incomplete.
The reason this matters more in 2026 is that the threat landscape has changed fundamentally. AI is giving attackers the ability to identify and exploit weaknesses faster than most teams can measure them. What used to take a skilled attacker days now takes minutes, and increasingly without human involvement. In that environment, a quarterly audit or a static posture dashboard is not enough.
Build real-time awareness first. Understand what’s active, what’s reachable, and what’s behaving anomalously. Then layer controls on top of that visibility foundation, because controls without context are just noise generators. For a rapidly scaling organization, this is also the only approach that remains manageable as you grow. You can’t hire your way out of complexity, but you can build a foundation that tells you what actually matters, so your team can focus on the things that do.