Cloud Security Companies to Know — and How Different Approaches Fit Together

May 22, 2026 - CSP Team

Cloud security is no longer just about checking whether storage buckets are public or firewall rules are too open. Modern cloud environments include infrastructure, applications, identities, CI/CD pipelines, containers, APIs, data stores, AI systems, and business logic that changes constantly.

Because of that, cloud security companies tend to approach the problem from different angles. Some build platforms for continuous visibility and risk prioritization. Some focus on runtime protection. Some specialize in offensive testing and attacker simulation. Others provide hands-on advisory work, architecture reviews, and practical remediation support.

At Cloud Security Partners, we work with teams that are building, migrating, testing, and securing cloud and AI systems. We also pay close attention to the broader ecosystem, because different organizations need different kinds of help. Below are several cloud security companies worth knowing and how their approaches differ.

Wiz

Wiz is one of the most recognized companies in the cloud security platform market. The company was founded by Assaf Rappaport, Ami Luttwak, Yinon Costica, and Roy Reznik, who previously worked together in cloud security and set out to build a platform focused on broad visibility and risk prioritization. (wiz.io)

Wiz approaches cloud security as a platform problem. Its product helps organizations understand risk across cloud infrastructure, workloads, identities, applications, data, models, and development pipelines. A major part of its value is context: instead of treating every issue as a standalone alert, Wiz helps teams understand how issues connect across the environment.

Its differentiator is breadth. Wiz is designed to give large teams a common view of cloud and AI risk, with capabilities such as agentless visibility, security graph analysis, attack-path analysis, code-to-cloud correlation, runtime protection, and workflow automation. (wiz.io)

For larger organizations, Wiz can be a strong fit when the goal is continuous cloud visibility, risk correlation, and automated prioritization across complex environments.

Upwind

Upwind is a newer cloud security company focused on runtime-first cloud and AI security. The company was founded in 2022 by Amiram Shachar, Liran Polak, Lavi Ferdman, and Tal Zuri, the same team behind Spot.io. (The Times of Israel)

Upwind’s main differentiator is its runtime-first approach. While many cloud security tools start with static configuration data, asset inventories, or periodic scans, Upwind puts a heavier emphasis on what applications and workloads are actually doing while they are running. That runtime context helps security teams understand which risks are theoretical and which ones are active, reachable, or connected to real application behavior.

Upwind also combines outside-in and inside-out visibility. Its platform brings together agentless scanning, runtime sensors, cloud activity logs, APIs, network topology, application behavior, and data flows into a live view of the environment. (upwind.io)

That makes Upwind different from more static posture-management tools in a few important ways:

Runtime context. Upwind focuses on live workload behavior, not just cloud configuration snapshots.

Signal over noise. The platform is designed to help teams prioritize issues based on actual exposure, usage, and runtime activity.

Application and infrastructure together. Upwind connects cloud posture, application security, API security, Kubernetes and container activity, and threat detection in one platform.

Real-time protection. Instead of only identifying risks for later remediation, Upwind emphasizes detection and response while applications, APIs, AI systems, and workloads are running. (upwind.io)

Upwind can be a good fit for teams running fast-moving, containerized, API-heavy, or AI-enabled cloud environments where static scans alone do not provide enough context. Like Wiz and Orca, it is primarily a product-led platform rather than an independent consulting or assessment firm.

Where Cloud Security Partners Fits

Cloud Security Partners was founded in 2017 by Michael McCabe with a focus on practical cloud and application security work. Since then, our team has reviewed hundreds of applications and thousands of cloud implementations across startups, enterprises, and financial institutions. (cloudsecuritypartners.com)

We sit in a different category from companies that are primarily software platforms. Our work is service-led and practitioner-driven. We help teams assess, design, test, and improve their cloud and application security programs through hands-on engagements.

Our services include cloud security assessments, AWS security reviews, secure cloud architecture, cloud security program development, secure CI/CD pipeline reviews, SaaS security assessments, infrastructure-as-code reviews, secure code review, dynamic application testing, threat modeling, network assessments, red teaming, social engineering, and AI security testing. (cloudsecuritypartners.com)

A lot of cloud security work comes down to prioritization. Tools can find issues, but teams still need to understand which findings matter, how an attacker might use them, and what the right fix looks like in the context of the business. That is where hands-on advisory work can be useful.

Our AI Security Testing Process

As organizations build with LLMs, agents, retrieval-augmented generation, AI coding tools, and model-driven workflows, cloud security and AI security are becoming more closely connected.

Our AI security work is built around a practical idea: use automation where it helps, but keep experienced security practitioners in the loop. AI can help accelerate testing, review, and analysis, but final judgment still requires people who understand architecture, trust boundaries, exploitability, and business impact.

For LLM applications, we test the integration layer between the model and the application. That includes prompt injection, data leakage, insecure output handling, context manipulation, authentication and authorization bypass, and cases where model-generated output can trigger traditional vulnerabilities like XSS, SSRF, command injection, or SQL injection. (cloudsecuritypartners.com)

For AI agents and agentic systems, we look at what happens when AI systems can take action. Agents may call APIs, execute code, read and write data, use tools, and chain decisions across systems. Our testing evaluates tool-calling agents, MCP servers, AI coding assistants, and multi-agent workflows for issues such as prompt injection, tool misuse, privilege escalation, memory poisoning, unintended data access, sandbox weaknesses, and human-in-the-loop bypasses. (cloudsecuritypartners.com)

We also perform AI red teaming, where we approach the system from an attacker’s perspective. This includes jailbreak testing, guardrail bypass attempts, system prompt extraction, multi-turn manipulation, cross-context attacks, capability elicitation, and abuse of AI-powered business logic. (cloudsecuritypartners.com)

The goal is not just to produce a list of clever prompts. The goal is to help teams understand where their AI systems are exposed, how those weaknesses could affect the business, and what practical changes can reduce risk.

Open-Source Work

We also publish open-source security tools and research to make parts of our process more transparent and useful to the broader community.

One example is our CloudSecurityPartners/skills repository on GitHub. The project provides security-focused workflows for reviewing AI coding skills, plugins, and codebases. It includes a /skill-audit workflow for reviewing Claude Code skills and plugins for risks such as prompt injection, hidden instructions, backdoors, dangerous permissions, suspicious code execution, hooks, and supply chain concerns. (GitHub)

The repository also includes a /security-review workflow for broader codebase reviews. It combines deterministic tooling such as Semgrep, TruffleHog, and Trivy with expert triage and a consensus-style review process. (GitHub)

That reflects how we approach client work as well. Automated tools are useful, but they are not the whole answer. Security findings need to be reviewed, challenged, prioritized, and connected back to realistic attack paths.

Rhino Security Labs

Rhino Security Labs takes a more offensive-security-focused approach. The company was founded by Benjamin Caudill, a cybersecurity researcher and entrepreneur. (Rhino Security Labs)

Rhino is known for penetration testing, red team assessments, cloud security testing, and hands-on research. Its services include web application penetration testing, mobile application testing, network testing, cloud penetration testing for AWS, Azure, and GCP, social engineering, secure code review, and red team engagements. (Rhino Security Labs)

One of Rhino’s best-known contributions is Pacu, an open-source AWS exploitation framework. Pacu is designed for offensive security practitioners and helps test AWS environments for attack paths involving privilege escalation, persistence, reconnaissance, data exposure, log manipulation, and other post-compromise techniques. (Rhino Security Labs)

Rhino is a good example of a company focused on answering a practical question: “What could an attacker actually do in this environment?” That kind of perspective is valuable for teams that want to move beyond compliance checks and understand real-world exposure.

Orca Security

Orca Security is another major company in the cloud-native application protection platform market. Its co-founders include Gil Geron and Avi Shua. Orca is known for its agentless approach to cloud security and its SideScanning technology. (Orca Security)

Orca’s platform helps organizations identify and prioritize risks across cloud workloads, identities, data, vulnerabilities, compliance requirements, APIs, and cloud configurations without requiring traditional agent deployment on every asset. Its capabilities include CSPM, CWPP, CIEM, DSPM, container and Kubernetes security, API security, application security, AI security, and cloud detection and response. (Orca Security)

Orca’s differentiator is frictionless deployment and broad agentless visibility. It is often a good fit for organizations that want wide cloud coverage without installing agents everywhere. Like Wiz and Upwind, it is primarily a product-led platform focused on helping teams centralize cloud security visibility and prioritization.

Different Problems Need Different Security Approaches

There is no single best cloud security company for every organization.

A large enterprise looking for continuous cloud visibility may benefit from a platform like Wiz, Upwind, or Orca. A team that wants offensive testing and attacker simulation may look to a firm like Rhino Security Labs. An organization that needs hands-on help assessing architecture, testing applications, reviewing cloud environments, securing AI systems, or building a cloud security program may need a more practitioner-led partner.

That is the role Cloud Security Partners aims to fill.

We work with teams that want to understand their actual risk, improve their security architecture, validate their cloud and AI systems, and make meaningful progress without getting buried in noise. In a cloud environment, findings are only useful when they lead to better decisions. Our job is to help teams get there.
