Upwind Runtime Detection Passthrough

Panther Rules

Summary
Upwind Runtime Detection Passthrough re-raises Upwind security detections within Panther to surface runtime threats at the container/host level. It focuses on process execution anomalies, syscall-based threats, container escapes, and other host/container behavioral indicators observed in Upwind.Detections.

The rule correlates detections on the same resource over the prior 24 hours to determine whether events are isolated or part of a pattern, and it analyzes triggers[].events[].data.command and data.user_name to assess alignment with normal workload behavior. It also queries for other HIGH or CRITICAL alerts from the same resource (by cloud_account_id or cluster_id) in the past 7 days to identify broader compromise or lateral movement.

The rule maps to MITRE ATT&CK techniques TA0002: Execution (T1059) and TA0004: Command and Scripting Interpreter (T1611). It is enabled but experimental, with a deduplication window of 720 minutes and a threshold of 1, so any single matching Upwind.Detections event can trigger a response. Tests demonstrate a Critical runtime detection showing suspicious container process execution (bash -c whoami) running as root within a pod, plus other non-runtime detections used for negative validation. The rule is tagged with Upwind, Passthrough, Runtime, Execution, Privilege Escalation, and Command and Scripting Interpreter, and references the Upwind threat-detection REST API for further context.
Categories
  • Containers
  • Kubernetes
Data Sources
  • Process
  • Container
  • Script
ATT&CK Techniques
  • T1059
  • T1611
Created: 2026-03-24