Uptycs Juno AI Analyst: The Industry’s First Architecturally Verifiable CNAPP

by Frank Berry | Feb 26, 2026 | Industry First

The cybersecurity industry is racing to embed AI into every layer of detection and response. But as vendors rush to bolt Large Language Models (LLMs) onto dashboards, one problem continues to undermine trust: hallucination.

Uptycs is taking a fundamentally different approach. With the announcement of Juno AI Analyst, the company claims an industry first: the first architecturally verifiable AI analyst embedded within a Cloud-Native Application Protection Platform (CNAPP). Rather than treating AI as a black box that generates probabilistic answers, Juno is designed to show its work, transparently, query by query, against a purpose-built security data lake.

The Market Context: CNAPP Meets AI

Before AI hype reshaped the conversation, Uptycs was focused on cloud security fundamentals: providing CISOs and security operations teams with visibility, compliance reporting, and breach protection across cloud workloads. The company built its CNAPP foundation on a philosophy Ganesh Pai describes as “better security through telemetry.”

Instead of relying on siloed security tools, Uptycs harvests telemetry from:

  • Cloud workloads
  • Containers
  • Endpoints
  • Identities

All telemetry is centralized into a unified security data lake, where analytics drive outcomes such as compliance reporting, incident detection, and operational insights. This architecture positioned Uptycs uniquely when frontier LLMs like Claude, GPT, Gemini, and Grok began demonstrating extraordinary ability to reason across large data sets. The question became: how do you fuse AI with cloud security without sacrificing trust?

The Problem: AI Hallucination in Security

In security operations centers (SOCs), hallucinations are not academic errors; they create real risk. If an AI system misinterprets telemetry, fabricates causal relationships, and/or suggests incorrect remediation, it can lead to wasted investigation cycles or, worse, incorrect action during an active incident. Ganesh Pai describes the industry challenge as a “hallucination cycle” with vendors layering AI on top of raw data without guardrails. The result? A probabilistic assistant that sounds intelligent but cannot be verified.

Industry’s First Architecturally Verifiable AI

Juno AI Analyst introduces what Uptycs calls an architecturally verifiable approach. Instead of allowing the LLM to freestyle across raw telemetry, Juno operates within a structured agentic architecture:

  1. The LLM interprets natural language input from the analyst.
  2. It translates that intent into structured analytics queries.
  3. It executes those queries directly against the security data lake.
  4. It presents the analyst with both the result and the underlying queries used to generate it.

Every finding is backed by SQL queries, telemetry logs, and explicit reasoning steps. This transparency allows analysts to click, inspect, and verify exactly how the AI reached its conclusion. In practical terms, Juno behaves less like a chatbot and more like a junior analyst who documents their investigative trail. That architectural checkpointing is the core differentiator.
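A minimal sketch of the query-plus-evidence pattern described above, added here as an illustration and not Uptycs code: a model-proposed SQL statement runs on a connection that only permits reads, and the result is returned with the exact query and a digest so an analyst can replay it. The table, rows, question and `MODEL_SQL` string are constructed stand-ins, and SQLite stands in for the data lake.

```python
import hashlib
import json
import sqlite3

def read_only(action, arg1, arg2, db_name, source):
    """Authorizer: allow SELECT statements and column reads, deny the rest."""
    ok = action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ)
    return sqlite3.SQLITE_OK if ok else sqlite3.SQLITE_DENY

def open_lake():
    """In-memory stand-in for the data lake; schema and rows are constructed."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE identity_events(ts TEXT, principal TEXT, action TEXT, workload TEXT);
        INSERT INTO identity_events VALUES
          ('2026-02-25T10:01:00Z', 'svc-build', 'AssumeRole', 'ctr-7f3a'),
          ('2026-02-25T10:02:10Z', 'alice', 'ListBuckets', NULL),
          ('2026-02-25T10:05:42Z', 'svc-build', 'AttachRolePolicy', 'ctr-7f3a');
    """)
    db.set_authorizer(read_only)  # from here on, model-written SQL can only read
    return db

def digest(sql, params, columns, rows):
    """SHA-256 over a canonical JSON encoding of the query and its result."""
    blob = json.dumps([sql, list(params), columns, rows], sort_keys=True)
    return hashlib.sha256(blob.encode()).hexdigest()

def run_with_evidence(db, question, sql, params=()):
    """Execute one statement and return the result with its audit trail."""
    cur = db.execute(sql, params)
    columns = [c[0] for c in cur.description]
    rows = [list(r) for r in cur.fetchall()]
    return {"question": question, "sql": sql, "params": list(params),
            "columns": columns, "rows": rows,
            "digest": digest(sql, params, columns, rows)}

def replay_matches(db, evidence):
    """Re-run the recorded query and check it reproduces the recorded result."""
    recorded = digest(evidence["sql"], evidence["params"],
                      evidence["columns"], evidence["rows"])
    fresh = run_with_evidence(db, evidence["question"],
                              evidence["sql"], evidence["params"])
    return recorded == fresh["digest"]

# Hypothetical output of the translation step for a sample analyst question.
QUESTION = "Which identity actions are tied to container ctr-7f3a?"
MODEL_SQL = ("SELECT ts, principal, action FROM identity_events "
             "WHERE workload = ? ORDER BY ts")
```

The replay check only holds while the underlying telemetry is retained unchanged, so the evidence record is best stored alongside the retention window of the tables it queried.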

How Juno Works at Scale

One of the most striking claims is Juno’s ability to reason across 3,000 tables and 150,000 columns. It achieves this using a logical ontological map — a structured understanding of how security data relates across cloud assets, identities, workloads, and endpoints.

This ontology, combined with purpose-built telemetry harvesting, forms the company’s core intellectual property. Rather than flooding the LLM with entire datasets (which would overwhelm context windows and explode costs), Uptycs applies what Pai describes as context engineering.

The system gives the model “just enough context,” effectively taking “sips of data” to answer the question without ingesting the entire lake. This approach addresses two critical constraints in enterprise AI: context window limitations, and scalability and cost control. It also preserves reasoning accuracy.

Integrated into Unified CNAPP/XDR

Juno is not a standalone assistant. It is embedded directly into Uptycs’ unified CNAPP/XDR platform. Integration matters because the telemetry is unified, not stitched together from acquisitions, so Juno can analyze cross-domain signals in a single pass.

This cross-layer reasoning is difficult to achieve in fragmented platforms and allows Juno to answer questions like:

  • “Is this workload anomaly related to an identity compromise?”
  • “Which misconfigurations contributed to this container event?”
  • “Show me compliance gaps tied to this suspicious activity.”

Privacy-First Architecture

Juno is built on Anthropic’s Claude model via AWS Bedrock. Importantly, customer telemetry is never used to train the underlying model, and data remains within the customer’s secure boundary.

In regulated industries and blue-chip enterprises, including customers like IBM, Nutanix, Wix, and FINRA, this privacy posture is not optional; it’s mandatory.

General Availability and Early Feedback

Juno reached General Availability in November and is now shipping to existing customers. Early feedback has reportedly described it as a “game changer.” Why? Because it allows analysts to query complex telemetry using natural language, something that previously required custom analytics expertise.

Instead of writing manual SQL across thousands of tables, analysts can ask, “Show me all suspicious identity escalations in the last 24 hours tied to container workloads.” Juno then translates, executes, verifies, and explains. The system reduces alert fatigue not by generating more alerts, but by accelerating investigation with verifiable evidence.

Roadmap: From Advisor to Remediator

Today, Juno acts as a CISO advisor and an incident responder assistant. The architectural model supports modular agents that can be interconnected into workflows, making remediation automation a natural next step. Next on the roadmap are:

  1. Remediation capabilities — with human-in-the-loop oversight.
  2. Connector expansion — linking to customer-owned repositories via plug-in connectors (MCP).
  3. Extension to SaaS telemetry — Office 365, Google Workspace, and beyond.

Strategic Differentiation

In short, the architecture was ready when AI arrived. That timing may prove decisive. Many vendors are layering a thin LLM interface over legacy products. Uptycs argues its moat lies in:

  • Purpose-built telemetry lake
  • Unified architecture (not acquisition silos)
  • Ontology-driven reasoning
  • Agentic architecture with checkpoint transparency
  • Context engineering discipline

The Bigger Picture

Cloud security platforms are converging around AI assistance. But trust remains the gating factor. In a market flooded with AI dashboards, verifiability becomes the differentiator. Juno AI Analyst does not ask analysts to trust a probabilistic answer. It exposes the underlying analytics queries, the supporting telemetry, and the reasoning path behind every conclusion.

The true industry first is not AI in CNAPP, but architecturally verifiable AI in CNAPP — built from the ground up to withstand scrutiny. In security operations, that difference matters.

AI Industry Firsts Validated by IT Brand Pulse

AI Industry Firsts spotlight the breakthroughs themselves, the moments when companies deliver genuine firsts that reset expectations, create new categories, or change how markets operate. AI Brand Leaders voted by humans and validated AI Industry Firsts together tell the full story of leadership in the AI era: who is leading and what is moving the industry forward. We invite readers to explore both perspectives to gain a complete view of how innovation and brand leadership intersect.