Upwind Vulnerability Detection Passthrough

Panther Rules

Summary
This rule re-raises Upwind vulnerability detections into Panther to surface exploitable CVEs identified in runtime assets across containers, virtual machines, and serverless environments. It prioritizes findings by active exposure (for example, internet-facing or critical workloads) and enables correlation with patch cadence and prior activity to determine whether a finding is a recurrence or has already been exploited. The rule ingests Upwind.Detections events in the vulnerability category and emits a corresponding Panther alert for each, supporting triage and policy-driven response. It maps detections to MITRE ATT&CK (TA0001: Initial Access, T1190: Exploit Public-Facing Application) and uses a deduplication window of 1440 minutes with a threshold of 1 to control noise. The rule's status is Experimental and its severity is Medium, reflecting ongoing refinement while still providing visibility into high-risk CVEs in exposed runtime environments. The runbook steps validate exposure, assess the asset's historical vulnerability cadence, and check for prior exploitation to put the risk in context before any response or escalation is triggered.
Categories
  • Containers
  • Endpoint
  • Cloud
  • Kubernetes
Data Sources
  • Pod
  • Container
  • Application Log
ATT&CK Techniques
  • T1190
Created: 2026-03-24