Datadog (DDOG) Q4 Recap

Datadog announced Q4 and full year 2020 results on February 11th. They handily surpassed expectations for Q4 revenue and earnings. Similarly, they set initial guidance for Q1 and FY 2021 revenue above analyst estimates. In spite of this, the stock dropped about 4% the next day. This is likely attributable to continued concern for deceleration of the annual revenue growth rate and initial FY 2021 revenue guidance.

In spite of this, I think the results were strong. If we dig a little more deeply into quarterly trends, sequential revenue growth has been increasing since the COVID-driven Q2 dip and reached almost 15% for Q4. This trajectory implies that annualized revenue growth could inflect to the 60% range or higher as 2021 progresses. Customer metrics, both in new additions and spend expansion, further support the recovery case. Additionally, Datadog’s product development funnel continued to produce new revenue streams, bolstered by organic product extensions and a couple of acquisitions. Datadog now has 10 monetized product offerings and customers continue to adopt the newer ones.

Following these results, I have accumulated a mid-sized position in DDOG in my personal account. I have been covering the company for almost a year, waiting for a favorable entry point as Covid paused revenue growth. While Datadog had been executing well, I wanted to see revenue growth normalize before starting a position. I believe that has happened. Looking forward, I think 2021 will see Datadog return to its normal cadence of predictably high revenue growth combined with improving operational leverage. Additionally, rapid product expansion is presenting new market segments to drive growth. In this post, I review the Q4 results, product development progress and what we can look for in 2021.

Headline Financial Results

• Q4 2020 Revenue was $177.5M, up 56.2% year/year and 14.7% sequentially. This compares to the consensus estimate for $163.6M, which would have represented growth of about 44%. Q3 Revenue growth was up 61.1% year/year, and 10.5% sequentially. So, while annualized revenue growth dropped about 5%, sequential revenue gains accelerated. This represents an important inflection for investors to consider, as the sequential growth rate should drive the annualized rate back up, particularly after we lap Q2 2021.
• Q4 Non-GAAP EPS was $0.06 vs. $0.02 expected, representing a beat of $0.04. This compares to $0.03 in Q4 2019 and $0.05 in Q3.
• Q4 Non-GAAP operating income was $18.1M, representing an operating margin of 10.2%. This compares to operating income of $7.9M in the prior year period for an operating margin of 7%. Q3 operating margin was 9%.
• Q4 FCF was $16.6M for a FCF margin of 10.1%. This compares to FCF of $10.9M in Q4 2019 for a FCF margin of 9.6%.
• Full year 2020 Revenue was $603.5M, up 66% year/year. This beat analyst estimates for $590M or 62% growth. In 2019, revenue was $362.8M, with growth of 83%.
• Non-GAAP EPS was $0.22 for the year, versus analyst estimates for $0.18. This is up from the prior year of $0.0.
• Full year non-GAAP operating income was $63.6M, yielding an operating margin of 11%. For 2019, operating loss was $3.9M for an operating margin of -1%.
• Free cash flow for the full year was $83.2 million for a FCF margin of 13.8%. In 2019, FCF was $0.8M.

Forward Estimates

• Q1 2021 Revenue estimate of $185-187M, representing growth of 41.8% at the midpoint. This compares to the consensus revenue estimate of $181.5M for 38.3% growth. If Datadog beats the Q1 estimate with the same relative magnitude as Q3 (about 12%), they will keep revenue growth above 50%. Also, the sequential growth rate at the midpoint of the estimate is 4.8%, implying that a similar beat for Q1 would push sequential growth over 10% again.
• Q1 Non-GAAP EPS estimate for $0.02 – $0.03, which was a bit lower than the analyst estimate for $0.04. This should be beatable, given the Q4 EPS outperformance.
•  Q1 Non-GAAP operating income is estimated between $8.0M – $10.0M. At the midpoint of revenue estimates, this represents an operating margin of 4.8%.
• For the full year of 2021, Datadog provided preliminary revenue guidance of a range from $825M – $835M, representing growth of 37.5% at the midpoint. This beat the analyst estimate for $802.6M, for 33% growth. While this preliminary view appears to represent a slowdown, we should consider that the initial estimate for 2020 called for 49% growth, and Datadog actually delivered 66% in a challenging year.
• Non-GAAP EPS for 2021 is estimated at $0.10 – $0.14, versus the analyst projection for $0.19. Lower earnings estimates are attributable to continued investment in product development and go-to-market.
• FY2021 Non-GAAP operating income is projected to be $35M – $45M, which would represent an operating margin of 4.8%.
• Ended the quarter with cash, cash equivalents, restricted cash and marketable securities of $1.5B.

Other Performance Indicators

• Q4 billings were $219.4M, up 68% year over year. The CFO mentioned a one-time adjustment for the timing of $6M of billings in Q4 2019, which results in a pro forma billings growth of 61%. This is slightly higher than the quarter’s 56% annualized revenue growth.
• Total RPO was $434M, up 78% year over year. Current RPO growth was strong in the mid 60% range.
• Non-GAAP gross margin was 78%, in line with Q4 of 2019 and down slightly from 79% in Q3, due to minor inefficiencies created from platform and product expansion. Gross margin was also impacted temporarily from new cloud data center build-outs.
• Breaking down Q4 Non-GAAP expenses by category, we see nice year/year reductions in relative percentage of S&M and G&A. R&D spend was roughly inline, reflecting continued investment in building out the product portfolio. I am comfortable with such a high investment in R&D, particularly as compared to sales and marketing expense.
  • S&M = 30% (versus 35% in Q4 2019)
  • R&D = 30% (versus 27% in Q4 2019)
  • G&A = 8% (versus 9% in Q4 2019)

Ended the year with 2,185 employees, which represents a 56% increase over the end of 2019. This hiring increase is extraordinary for a company of this size, probably the largest year/year increase in headcount of the companies that I cover. Datadog deliberately leaned into hiring during the pandemic, driven by their optimism for the opportunity looking forward. The CEO has mentioned that Datadog benefitted from layoffs at other companies.

The highest growth was in the R&D and go-to-market teams. The increase in sales people (likely over 56%) should help drive revenue growth simply by having more feet on the street. On the earnings call, the CFO confirmed this correlation, noting that headcount growth was approximately in line with revenue growth in Q4.

Customer Activity

On the earnings call, the leadership team called out the fact that new customer adds and their initial ARR commitments were records for Datadog, in a “difficult macro environment”. All facets of customer growth continue to impress, showing no signs of slowing down, even within a mature competitive environment. The sum of total customer growth (35%) and spending increase for existing customers (>30%) exceeds the current annualized revenue growth. While not an absolute formula, this can be a directionally reliable indicator for sustained growth.

Additionally, large customer growth continues to excel, particularly for those spending more than $1M a year. On the earnings call, the CEO ticked off several 7-figure deals closed in Q4. This reflects the fact that Datadog can support very large customer installations, providing a strong foundation for a much larger revenue base. Finally, customers continue to adopt additional product lines. As Datadog keeps adding more monetized product offerings, this should further drive expansion metrics.

• Ended the year with 97 customers with ARR over $1M, up 94% from the 50 such customers at the end of 2019.
• Had 1,253 customers spending more than $100k a year, up 46% from 858 at end of 2019.
• Total customers reached 14,200, up 35% year/year from 10,500 at end of 2019. Datadog added 1,100 customers in Q4, exceeding the 1,000 added in Q3.
• DBNRR (Dollar-based Net Retention Rate) was over 130% again (14th consecutive quarter) in Q4, as existing customers expanded their usage and added new products.
• Emphasizing the adoption of multiple products, 72% of customers were using two or more products at end of 2020. This is up from 58% at end of 2019. Further, 22% of customers were using four or more products which is up from 10% at end of 2019.
• Of new customers, 75% landed with two or more products. It is noteworthy that this percentage is higher than for existing customers.

On the earnings call, leadership mentioned Datadog’s newest products like NPM (network monitoring), RUM (user monitoring) and Security are seeing sustained adoption. Each of these has reached hundreds or thousands of customers since launch within the last year. When asked on the call if a particular new product is doing better than the others, Datadog leadership said that the level of adoption is roughly determined by the length of time the product has been in the market. The order of size being infrastructure, APM, logging, Synthetics, NPM, RUM and Security. This reflects positively on Datadog’s product development efforts, as new products appear to resonate within the marketplace in a predictable way (as opposed to launching new products that fail to gain traction).

New logo generation was very strong including a new record of new logo ARR added that was significantly above last year’s number, very strong performance across the board from commercial and enterprise sales channels as well as a record number of million-dollar-plus new logo customers. Growth of existing customers was robust as customers of all sizes continue to grow their usage of Datadog to both increase consumption and cross-selling, and Q4’s growth of existing customers was broadly in line with pre-COVID trends. Lastly, churn remains very low and consistent with pre-pandemic historical rates.

Datadog Q4 2020 EArnings Call

On the earnings call, the Datadog CEO shared some customer wins and upsells from the quarter. I will cover the details briefly.

• Seven-figure ARR increases from COVID beneficiaries such as a consumer device company, a large e-commerce platform and a global video games company.
• Seven-figure upsell to a travel technology company, reflecting favorable demand for even impacted industries.
• Six-figure upsells to two separate airlines and a physical events company.
• Two notable seven-figure lands both with Fortune 100 companies, a retailer and an insurance company.
• Seven-figure land from a streaming sports platform in Asia which was enabled by the Datadog partner program. This company adopted the full Datadog platform. Tracing without Limits was a key differentiator for Datadog.
• Seven-figure land from a SaaS company based in EMEA. This company was previously handling monitoring in-house through open source and custom solutions. They wanted to free their engineers to build more products and deliver innovation.
• Nearly $1M upsell to a very large management consulting firm. This company is now using the network device monitoring product to replace legacy point solutions and gain visibility into physical network devices.

The size of these deals is a testament to the potential market for Datadog. If every company with a substantial Internet presence can drive $1M+ of annual spend, then just enterprise customer contribution will be a major driver of revenue. Consider Datadog’s 97 customers with spend over $1M likely represents several hundred million dollars of revenue by itself. This count of customers with large spend just doubled in the last year. Also, leadership highlighted that several of the upsells were from companies in impacted industries, like travel. While COVID is still generating some overhang on enterprise spend, these trends underscore the relative priority of observability within IT budgets.

Analyst Reactions

Following Datadog’s Q4 earnings results, 7 analysts provided updated coverage ratings. Of these, the feedback was mixed. Three analysts maintained a Buy rating and four have a Hold equivalent. The commentary from the less bullish analysts reflects concerns over decelerating annualized revenue growth, the low 2021 revenue growth guide as compared to 2020 and Datadog’s high relative valuation. The average price target for all analyst updates is $124, representing a 10% increase from the closing price after earnings of about $113 on December 12th.

Date	Analyst	Rating	Price Target
2/12	DA Davidson	Neutral	Raised from $80 to $112
2/12	Needham	Buy	Raised from $109 to $141
2/12	Morgan Stanley	Equal Weight	Raised from $112 to $120
2/12	Barclays	Overweight	Raised from $115 to $135
2/12	Mizuho	Buy	Raised from $115 to $125
2/12	RBC	Sector Perform	Raised from $110 to $120
2/12	Credit Suisse	Neutral	Raised from $95 to $115

Following the earnings report, Needham issued the highest price target of $141. Analyst Jack Andrews provided the following commentary.

Needham analyst Jack Andrews raised the firm’s price target on Datadog to $141 from $109 and keeps a Buy rating on the shares. The company reported a “strong” Q4 as revenue and earnings topped estimates, the analyst tells investors in a research note. Andrews adds that Datadog also reported record metrics for new logo annual recurring revenue as well as new logo growth. The company’s deals for an application security vendor and a log data pipeline company should result in new capabilities that will create further leverage amid the growing demand for DevSecOps tools, the analyst states.

TheFly.com, Feb 12, 2021

Product Development Activity

Datadog exited 2020 with nine products in GA. In February 2021, they added Incident Management, bringing the total number of products with pricing to 10. Just over four years ago, they had only one product offering with infrastructure. This rapid pace of additions has been enabled by Datadog’s extensible, purpose-built platform, their outsized R&D spend and short development cycles.

Just to get a sense for the pace of product releases, here is a list of independent product releases by year. In 2019, they added four products with stand-alone revenue streams. In 2020, they added five more. Note that a couple of stand-alone offerings introduced in 2020 haven’t been moved to GA yet (Marketplace and Compliance Monitoring).

• 2016 and before: Infrastructure
• 2017: APM
• 2018: Logs
• 2019: Synthetics, RUM, Network Monitoring, Serverless
• 2020: Incident Management, Marketplace, Continuous Profiler, Compliance Monitoring, Security Monitoring

On the earnings call, Datadog’s CEO expressed excitement for continuing this pace in 2021 and still feels like Datadog is just getting started. This cadence of product development represents an enormous competitive advantage for Datadog. They are rapidly rolling out new product offerings that expand their product footprint through all aspects of observability and more importantly into new revenue streams, like security monitoring, incident management, developer workflows and pre-production environments.

To appreciate the pace of product development, we need only look at Datadog’s security offering. Security monitoring was first announced in April of 2020, and was quickly followed by Compliance Monitoring in August, Runtime Security in November and Threat Intelligence in December. This was further extended in February with the acquisition of Sqreen, that enables applications to detect and block code-level exploits. I will talk about these developments further below, but highlight the progress here to underscore the rapid pace of development and the implications looking forward. In under a year, Datadog has gone from no security offering to a fairly full-featured security monitoring solution, which has at least “hundreds” of customers per the earnings call.

For 2021, the CEO identified a few major areas of focus for product development. These start with continuing to build out the foundational elements of observability, acknowledging that each facet must keep evolving to match competitive feature sets. Another thrust is to continue expanding the security offering, as the CEO sees a large opportunity to capture demand momentum and capitalize on the convergence of DevSecOps. Finally, Datadog is extending into adjacent segments that have natural ties into observability, most notably incident management and development workflows.

These product expansions serve to increase the addressable market and provide customers with a broader set of offerings to consume from a single platform. It is likely that many large enterprises will look to consolidate the number of vendors they use to support DevOps and security functions. If a best-of-breed provider, like Datadog, can check multiple product boxes, then the customer can make an efficiency argument by reducing the number of vendors to manage.

Observability Extensions

Datadog leadership plans to continue building out their general observability platform. Observability spans eight monetized offerings that are both long-time products and relatively newer developments, including infrastructure monitoring, log management, APM, synthetics, RUM, network monitoring, serverless and continuous profiling. As hosting infrastructure and software delivery continues to evolve, these offerings benefit from incremental capability extensions. Also, foundational to all product offerings are general platform capabilities, like data ingestion, system integrations and visualization. Datadog continues enhancing these core platform capabilities, which benefits all offerings.

In November, they introduced Log Rehydration, as part of their Logging without Limits feature set. This capability allows customers to efficiently archive all logs, and later pull archived logs back into the Datadog platform to analyze and investigate old events. This provides a cost efficiency, as keeping log data in active indices can incur more expense. There are many cases where old logs are low value in real-time, but can be critical for refresh on a specific trigger. A security event is the most common case, where the SecOps team will want to scrub activity from a prior historical period once it becomes clear that a breach occurred during that time. A recurring, but rare, system failure might be another case in which looking at historical data might provide insight into current behavior.

Additionally, over the quarter, Datadog delivered many smaller product improvements.

• Added a much deeper view of Kubernetes workload activity into the Live Containers functionality. This provides DevOps teams with more granular troubleshooting of Kubernetes activity by allowing for slicing by multiple dimensions, like availability zone, namespace, pod, etc.
• Expanded the Network Performance Monitoring (NPM) solution to monitor Windows hosts.
• Enabled DevOps teams to correlate front-facing user session activity with backend applications traces. This new capability allows operators to connect Real User Monitoring (RUM) observations on the front-end with Application Performance Monitoring (APM) traces in back-end services. This is increasingly important for newer application architectures that de-couple the front-end web or mobile app client from a bevy of micro-services that feed them data and application logic.
• Added deployment tracking to the APM product. Deployment Tracking allows DevOps teams to visualize and compare key performance data related to various version deployments. As code deployments are becoming increasingly frequent and span multiple applications, automation is needed to quickly tie new application performance issues back to the associated release where the the change was introduced.
• Extended Network and Synthetics monitoring with DNS performance measurement. External calls from front-end applications to back-end micro-services or third parties can be impacted by issues with DNS resolution. A time-out in that call could be caused by DNS, versus a performance issue with that service. DevOps teams can more quickly troubleshooting application issues if they can attribute root cause to a DNS configuration or resolution problem.

Over the course of the quarter, Datadog further expanded the external services to which the platform integrates beyond the more than 400 existing ones. New or enhanced integrations included: AWS Network Firewall, Azure Monitor, Azure Stack HCI with Datadog, GitHub, MarkLogic, Microsoft 365 audit logs, Oracle Cloud Infrastructure Logging, Snyk, Twilio, and the VMware Tanzu Application Service.

Finally, in February, Datadog announced the acquisition of Timber Technologies, the developers of Vector, a high-performance observability data pipeline. With Vector, customers can collect, enrich and transform logs and other signals across multiple tools and data sources for both on-premise and cloud environments. They can then route this data to the destination of their choice, either other data processing engines or long-term storage. Transformation and aggregation can be performed using packaged components or custom scripts, executed by the Vector engine.

Datadog plans to leverage Vector to extend their Logging without Limits product and enhance support for sourcing data from on-premise environments. Vector is akin to log streaming agents provided by competitive observability platforms, like Splunk’s Universal Forwarder and Elastic’s Logstash. This new capability wouldn’t be sold on a stand-alone basis by Datadog, but improves their relative feature set across multiple observability products.

Security Expansion

The second area of focus for 2021 highlighted by Datadog’s CEO is security. This is timely for a couple of reasons. The SolarWinds attack has shined a spotlight on security in general and raised the priority of security monitoring and breach prevention across the board at both enterprises and government agencies. Also, security teams are working more closely with DevOps as many security issues are associated with or initiated from application infrastructure. In these cases, the security operations team can leverage the same infrastructure monitoring platform to provide inputs and warnings about possible nefarious activity. While the security team will employ other tools to prevent breaches and protect all endpoints, they do collaborate with DevOps to monitor application delivery environments and gather signals about activity that may be used to enhance their defense posture.

Another aspect of security monitoring that is important for investors to consider is the trend towards DevSecOps. While broadly this encourages more collaboration between previously silo’ed security, system operations and developer teams, it also emphasizes a “shift left” of security prevention to earlier stages of the application development cycle, rather than just monitoring activity once an application is in production. This implies integrating security checks into the activities of developers, including code scans, configuration checks and testing environments. It engenders a bias towards developer tooling and the DevOps audience, which hasn’t been the emphasis of traditional security providers, who tend to focus on activity in the live environment, whether production workloads or the corporate network.

To address this, in December, Datadog and Snyk launched a GitHub integration to help customers identify code-level security issues and get them prioritized to be fixed. This is accomplished through a GitHub Action, which allows a developer to associate code with the trigger of a pre-defined event in GitHub, like a code commit or push. Datadog created a GitHub Action for vulnerability analysis. This leverages Synk’s Vulnerability Database to continuously monitor code for external dependencies or known vulnerabilities before it is deployed. This allows DevSecOps personnel to flag potential issues for developers to address before reaching production. This underscores the idea of “shift left”, where security exploits in applications are raised before deployment.

This capability is integrated with Datadog’s Continuous Profiler product. Continuous Profiler analyzes code to identify patterns that lead to common problem areas. These have traditionally been tied to application performance, like deadlocks, garbage collection, memory leaks and inefficient loops. Recommendations are provided to the DevOps team to forward to developers to address. Now, this feedback loop in code is being extended to security vulnerabilities, expanding the usage and providing another reason for customers to utilize the Continuous Profiler product.

While shift left is important, Datadog’s expansion into production environment security has been rapid and broad. As investors will recall, Datadog started their foray into security with a basic security monitoring solution in April, 2020. This is now viewed as a core offering within the overall platform, on equal footing to core observability products.

Security Monitoring allows DevSecOps teams to add security context, filtering and triggers to all the observability data being collected. Personnel can easily configure rules to trigger certain types of alerts and aggregate activity across security related dimensions, like login activity or suspicious processes. Filters can also be pre-selected from external sources, most notably the MITRE ATT&CK framework. This all provides a baseline for security monitoring.

In August, Datadog added Compliance Monitoring to the product suite. This service is geared towards checking server configurations that could result in a security event if misconfigured. In setting up new cloud environments, DevOps personnel sometimes forget to overwrite default settings or leave open access to system ports or accounts. Hackers employ tools to scan the Internet for these types of issues and can quickly converge on a system that appears to offer an opening. A 2019 survey indicated that system misconfigurations were a leading cause of breaches for cloud-based infrastructure.

Compliance monitoring continuously examines the customer’s cloud environment to identify issues with configuration of common hosting settings like security groups, storage buckets, load balancers, databases, and other popular cloud services. Additionally, the Datadog Agent is resident on many hosts and can review local configuration information for servers, containers and Kubernetes clusters. It can also monitor the integrity of files and folders on those instances for indications of any issues. Compliance monitoring can be used to document adherence to external standards like PCI (credit card processing) and SOC 2.

In November, Datadog introduced Runtime Security as a beta product offering. While the foundation of Security Monitoring has been based on log analysis, Runtime Security examines the other side of monitoring for suspicious activity, which is within the server runtime itself. Through the Datadog Agent, Runtime Security is able to examine every system call made by a host and identify activity at a kernel level. This data is aggregated and compared to a set of packaged detection rules. Potential compromises are surfaced to security personnel for review, with all relevant data and recommendations for remediation.

These indicators are all integrated with the overall Datadog visualization system for observability, allowing users to correlate runtime activity with relevant logs and infrastructure performance. This can also be tied back to compliance monitoring for the source of an issue and network activity to understand how an attacker might be leveraging it. Runtime Security is included as another aspect of Security Monitoring.

Runtime Security was quickly followed in December by the introduction of Threat Intelligence. The out-of-the-box detection rules provided by security monitoring and runtime security are helpful for identifying patterns of malicious activity as they are occurring. Threat intelligence takes this a step further by introducing data on actively engaged actors in near real-time. This threat intelligence is fed into the Datadog security monitoring system from outside partners, who maintain updated data on nefarious activity. Potential issues can then be proactively surfaced as they are happening during scans of system logs and runtime activity, if the behavior is associated with a known threat.

As an example, a primary indicator of a potential threat is the source IP address. Through partners like IPinfo and GreyNoise, Datadog receives regularly updated feeds of IP addresses that have been active in carrying out attacks, scanning activity or anonymizing. Then, if a suspicious IP engages with a customer system under monitoring, that event is surfaced to security personnel with the appropriate context of past behavior associated with that IP. In the case of GreyNoise, they maintain an internet-wide sensor network that passively collects packets from hundreds of thousands of IPs seen scanning the internet every day. This threat intelligence data is then cleaned up and fed to Datadog to incorporate into its real-time security monitoring. This use of multiple, third-party threat intelligence services by Datadog helps enrich their own out-of-the-box vulnerability detection rules with active threat data. If they stitch together enough of these threat intel partnerships, then their threat identification capabilities should approach other cloud-based threat hunting services.

Finally, as part of the Q4 earnings report, Datadog announced the acquisition of Sqreen, which provides a solution for runtime application protection (RASP). Sqreen is a SaaS-based security platform that enables enterprises to detect, block and respond to application level attacks. In addition to RASP, Sqreen’s solution includes a web application firewall (WAF). Security issues in the application layer are challenging to manage, as the owner needs to allow legitimate traffic, while blocking nefarious activity. Sqreen offers a popular solution for this and already has hundreds of customers.

What is interesting about Sqreen is that it shifts Datadog into protection, in addition to security monitoring. This is enabled by Datadog’s presence on every infrastructure host as a consequence of their monitoring agent. Having the agent on every device allows for more active monitoring of security-related activity and the ability to take action to prevent further damage once malicious activity is detected.

Sqreen has about 60 employees listed on their company page. These should supplement Datadog’s own security expertise, an additional benefit given the high demand for security engineering talent. The company also appears to have French roots, which aligns well with Datadog’s co-founders (who are also French).

It is worth noting that Sqreen is very similar in capabilities and market position to Signal Sciences, which investors will recognize as an acquisition of Fastly from 2020. Signal Sciences is powering the foundation for Fastly’s Secure@Edge product offering. Both Sqreen and Signal Sciences provide a RASP and WAF solution. Fastly’s intent is to incorporate Signal Sciences’ technologies into their edge compute platform, as a means of protecting applications that customers host on it.

For Datadog, Sqreen provides the ability to offer (once fully integrated) application-level protection to their customers of observability and security monitoring. This is an important market expansion for investors to note, as it further shifts Datadog into active versus passive application security. Because the Datadog Agent is installed on every host being monitored, it is a natural extension to leverage this presence and expand into other offerings. Given the velocity of Datadog’s move into security solutions, their continued momentum and alignment against competitors will be important to watch.

Other Opportunities

Datadog has been expanding into a few areas that are tangential to observability and security, which could lead to future product expansions. These are incident management and pre-production environments. This progression continues to expand the Datadog platform of offerings and provides incremental revenue streams. As an example, Incident Management was introduced in August 2020 as a beta product and is now in GA with pricing.

Incident Management streamlines on-call response workflows for DevOps teams by unifying alerting data, documentation, and collaboration into a centralized view. Incident response benefits from being accessed alongside the actual observability data associated with the service issue, as in Datadog’s interface. This allows DevOps personnel to initiate an incident from signals or events surfaced in an observability tool. An example would be Synthetic Monitoring indicating a time-out for a web page request. To facilitate on-call communications, Datadog’s incident management solution includes integration with their mobile app and a dedicated issue response Slack channel.

This product was launched in beta as part of Datadog’s annual Dash conference in August 2020 and was moved to GA in February 2021. Incident Management is billed starting at $20/month/user. A user is defined as someone who contributes comments or signals (graphs, links, etc.) to an incident. Anyone who only opens/closes an incident or simply views the incident is not counted as an active user. This makes sense and would follow a typical incident response workflow, where there would be a few primary responders working the incident and a lot of other interested parties viewing or tracking the work.

I think adding incident management to the Datadog product set is a very natural extension of their offering. The audience for observability tools and incident management is largely the same (DevOps). For applications delivered over the Internet, incidents are usually initiated in response to a signal noted in an observability system. Even if the issue is first raised by customer service, DevOps personnel usually quickly associate it with data in their monitoring system, like a time-out on a web page or API request. Investigation is also driven through observability systems, as DevOps personnel dig through logs, graphs, APM, security data, etc. to identify root cause. Having the incident management tool deeply integrated with the observability platform makes it very easy to assemble and share troubleshooting data. All of this information could be attached to the incident management ticket that is then used by DevOps personnel to address the issue.

From an addressable market perspective, Datadog’s Incident Management product overlaps with aspects of PagerDuty’s Incident Response offering. While Datadog’s Incident Management product description includes reference to integration with other on-call notification services like PagerDuty and OpsGenie, that service integration only refers to PagerDuty’s core on-call management and notifications product. As PagerDuty investors may know, the company started in on-call notifications, and layered additional workflow and visibility products around this over time to grow their reach. Incident Response has been a source of incremental revenue for PagerDuty beyond basic on-call management. Datadog’s move into this space is a logical extension for them, as most of the incidents for a customer organization would be associated with an event surfaced by one of Datadog’s observability tools. Given that Datadog already has the context for the incident in its interface, including incident management in the same toolset provides greater efficiency for the DevOps team that responds.

While PagerDuty has faced competition before from other vectors, like Atlassian’s OpsGenie and ServiceNow, I would posit that Datadog’s move into this space is potentially more disruptive, as it is based on the foundation of observability, rather than tools for workflow and ticket management. Coupled with Datadog’s other moves into developer workflow, I think we will likely see more expansion by Datadog into the broader ecosystem of tooling around managing service uptime and response in the future.

Along with their Q2 earnings results in August 2020, Datadog announced that they had acquired Undefined Labs, which provides testing and observability capabilities for developer workflows before pushing to production. As Datadog’s products have traditionally been focused on the production environment, this acquisition extends their visibility into pre-production development and test cycles. Undefined Labs’ Scope tool is integrated into existing CI/CD platforms, like CircleCI and Jenkins, to enable developers to automatically take advantage of monitoring and testing capabilities within their existing workflows. Scope allows developers to execute unit tests, measure performance, tie test failures back to source code and view summarized results in a consolidated dashboard.

This acquisition aligns Datadog more closely with developers during the design and test phases of software development, as opposed to the DevOps teams responsible for managing the production environment. Undefined Labs tools are leveraged by developers when they are creating the first pass of their code and testing it locally on their own machines. This is often before the developer even merges their code with the main branch in their team’s central repository. Because of this, Datadog will have access to all code changes and application behaviors from initial code creation to the finalized form for deployment. This will yield a higher level of insight into the full development process for an engineering team and could provide a launching pad for other developer productivity offerings in the future. This tie-in between progressive code changes through the development and test processes to the final form of the code in production will represent a unique data input for the future Datadog platform. Combined with production code performance, profiling tools will yield valuable insights that Datadog could share with developers early in the code design process.

The plan disclosed in August for absorbing the Undefined Labs product set was to sunset their existing products and rebuild them on the Datadog platform, so that full integration is realized off the bat. The engineering team has been actively engaged in this work. I assume we will hear about new product announcements associated with this in the future.

Datadog’s move in this arena is primarily focused on extending performance monitoring, test execution and compliance into the pre-production environment. They have made it clear they don’t intend to roll a code repository or CI/CD toolset. Connecting pre-production with production represents a smart strategy by Datadog and provides significant value for engineering teams, as it combines DevOps with developer activities. I could see future product extensions along this vector, which would logically be easier from the full Datadog platform. Investors should pay attention to future developments in this area, as it could represent a significant advantage over other observability and security vendors.

Partnerships

Over the last year, Datadog has formed strategic partnerships with all of the major cloud vendors. Most recently, they expanded their partnership with Azure and GCP in Q4, which should be fully available to the market in 2021. They are also adding availability in new regions, such as Amazon’s GovCloud. Datadog’s goal is to extend their distribution across vendors and regions and meet customers wherever they are located.

For Amazon, Datadog participated in a number of announcements as part of the AWS re:Invent Conference. They added monitoring support for Amazon EKS Distro, the ability to monitor Amazon EC2 Mac Instances, integration between Datadog Compliance Monitoring and the AWS Well-Architected Tool, and the ability to monitor AWS Lambda functions deployed using container images.

Competitive Activity

When asked about the competitive environment, Datadog leadership contends that the opportunity is greenfield and that the majority of new deals are replacing open source tools and in-house monitoring solutions, or are associated with brand new workloads. They also think this open playing field will last for the “foreseeable future”. This justifies their heavy investment in product development and go-to-market capabilities. As noted previously, Datadog expanded the workforce by 56% in 2020, with the majority of new hires allocated to R&D and S&M.

In terms of the competitive landscape, it’s a bit boring in that we haven’t seen any noticeable change in the past year I would say so pretty much the same situation as it was before, where the bulk of the opportunity is greenfield. A lot of our competition is open source do it yourself. And then occasionally, we’re going to have some large lands from customers that already had something before and switch to us, but that’s not the dominant motion.

Datadog CEO, q4 2020 earnings Call

The number of companies providing a solution that addresses a use case within the observability and security spheres more broadly is increasing. There are the traditional observability players like Dynatrace, New Relic and Splunk, along with newer players like SumoLogic. We also have Elastic, which is more of a toolkit for building customized observability and security solutions. Finally, endpoint and network security players are coming from the other direction, adding workload protection and offshoots into observability.

To untangle this web of providers and create a grid of feature comparisons is really no longer feasible or useful. We could try to compare observability providers along the lines of the three pillars of observability, and whether they support infrastructure, APM and logging use cases. That was useful in 2019-2020, as monitoring vendors expanded coverage across all observability segments. We could also layer security monitoring on top of this base, as most observability providers have done recently. At this point, most providers check all the boxes.

Looking at the feature comparison grid at this point, it is hard to distinguish between providers and one could conclude that observability has become a commodity. However, system monitoring is still a critical aspect of any modern software delivery stack. As both Internet-native and traditional enterprises create more customer experiences online as part of digital transformation, their hosting infrastructure footprint is ballooning. All these software services need to be monitored – for performance, user satisfaction and security. The value of this function will not diminish and CTO’s appreciate that some portion of their infrastructure budget will continue to be allocated for it. If anything, the tangle of micro-services, external APIs and varied hosting environments is making granular automation of monitoring a necessity.

Assuming Datadog leadership is correct in representing the monitoring opportunity as largely “greenfield”, then success will be determined by the go-to-market effort and speed of product development. I think we have established that Datadog’s product development cadence is rapid. Compared to peers in observability, I would posit that they are moving faster than other players like Splunk, Dynatrace and New Relic. In some ways, zooming out to a long term historical view provides the best perspective. Splunk (2003), New Relic (2008) and Dynatrace (2005) were all founded before Datadog (2010). Yet, Datadog sprinted ahead to reach the three pillars of observability before these peers and in a shorter time. Their execution pace isn’t slowing down, and even appears to be accelerating.

Datadog’s product leadership is also driven by evangelism and buzz within the DevOps community. While this is a softer measure, history provides a similar perspective. In the 2000’s, Splunk was the go-to solution for logging. In the early 2010’s, New Relic was the leading choice for APM. Options for infrastructure monitoring included many open source packages. However, as we have transitioned into the 2020’s, the most commonly referenced solution for observability for progressive Internet-native DevOps teams is Datadog. This statement is based on my own anecdotal observations, but I hear of few engineering-first companies choosing something other than Datadog for observability.

As Oracle has taught us, technology adoption can be influenced by a strong go-to-market effort. In this area, Datadog has been investing heavily. While peers were slowing down hiring in 2020, Datadog added 56% more employees. This hiring was clustered around product development and sales, implying relative growth in those departments would be even higher. Datadog took advantage of layoffs at smaller companies to acquire sales talent, particularly individuals with enterprise sales experience. Assuming that these sales hires are ramped up for 2021 and put on performance plans, then the math itself would point to revenue growth at the same ratio. Datadog leadership even seemed to imply this on the earnings call. For comparison, Splunk, Dynatrace and New Relic hired at a much slower pace in 2020.

Another way to short-circuit a full competitive analysis is simply to look at customer acquisition. Solutions from observability peers are fully baked at this point. If competitors were going to cut into Datadog’s share going forward, it certainly would have happened in Q4. Yet, Datadog added a record number of new customers and nearly doubled the number spending more than $1M a year. Similarly, existing customers are growing spend greater than 30% a year (DBNRR over 130% for many quarters). They continue to add on new product offerings, as over 72% now use two or more products and 22% use four or more.

To summarize, I think that Datadog will be able to avoid competitive infringement, at least in the near term, for these reasons:

• Market is still largely greenfield
• Product release cadence is rapid and accelerating, with many avenues for new revenue streams
• Investment in go-to-market team is highest among peers as evidenced by 56% headcount increase in 2020
• Customer growth metrics show no signs of deal loss

Other Competitive Risks

While I am confident about Datadog’s competitive position relative to other traditional observability players, disruption can often come from unexpected places. There are two developments that are worth monitoring. I don’t think either of these introduces execution risk for Datadog for the next 12-18 months, but will be worth monitoring over the long term.

Crowdstrike and Humio

On Feb 18, Crowdstrike announced the acquisition of Humio for $400M. Humio provides a highly scalable streaming log management platform, which has applications for security monitoring and observability. The platform can ingest any type of log data, like system logs, metrics, traces, etc. and rapidly aggregate it for visualization. They list about 50 supported integrations with common infrastructure services. Humio has accumulated a number of active customers, including Bloomberg, HPE, Lunar and Michigan State University.

Humio is built to ingest and retain streaming data as quickly as it arrives, regardless of volume. Alerts, scripts, and dashboards are updated in real time. Live tailing and stored data searches exhibit almost no latency. This is due to Humio’s proclaimed advantage that it is index-free (schema on read), eliminating latency normally associated with the creation of indexes (which arguably has largely been reduced by popular index-based data processing engines). Humio can ingest data in both structured or unstructured formats.

While the platform could be applied to a number of IT Ops use cases, it appears to have been gaining the most traction in enterprise security. Humio collects data through either an API feed or a Data Shipper that runs on a monitored host. In this way, it lacks the ability to peer into the system runtime, like other observability agents do. However, the Falcon Agent does have access to full host telemetry data and a view into runtime activity down to the process level. The combination of outside log data collection with system-level agent monitoring should provide Crowdstrike with a powerful combination for deep system operations insights.

It will be interesting to see how Crowdstrike applies this acquisition. One might infer that this represents Crowdstrike’s foray into observability. However, a full observability solution goes beyond log management and data collection for security use cases, and includes purpose-built application performance measurement tools, like distributed tracing, synthetics, RUM, code profiling tools, error tracking, deployment notation, etc. Humio brings log management technology to allow Crowdstrike to rapidly ingest logs from many sources and surface insights for security monitoring. The initial planned application is to enhance the performance and reach of Crowdstrike’s EDR product to address what the industry is now calling eXtended Detection and Response (XDR). XDR essentially builds on the same capabilities enabled by EDR, but casts a wider net of data collection across a customer’s infrastructure.

I’m delighted to announce that CrowdStrike has agreed to acquire Humio, a leading provider of high-performance cloud log management and observability technology, to help accelerate our plans to deliver more of the innovation that customers need in this next generation of XDR.

Crowdstrike CTO, Blog Post

While XDR appears to be the initial application for Humio into the Crowdstrike platform, Crowdstrike leadership does leave the door open for future expansion into broader observability use cases. Crowdstrike provided insight into their intentions in both the press release announcing the acquisition and a blog post from their CTO.

Humio’s native ability to ingest and analyze both unstructured and semi-structured data will enhance how the CrowdStrike platform addresses enterprise IT challenges, including those within the increasingly sophisticated DevOps and DevSecOps environments. Together, Humio and CrowdStrike deliver an enterprise-grade solution that finally addresses the challenge of operationalizing massive and ever-growing volumes of event and log data, empowering organizations to collect, observe, analyze and act on all structured and unstructured data in their environment

crowdstrike Press release, feb 18, 2021

In this regard, the Humio acquisition is aligned against the security log analysis functions and broader observability capabilities of the existing observability providers, including Elastic, Splunk, Datadog, Dynatrace and others. It certainly buttresses Crowdstrike from the ongoing encroachment of security monitoring use cases by the observability vendors. Also, XDR solutions are being promoted by traditional Crowdstrike competitors like Palo Alto, McAfee and Cisco. Enhanced signal collection allows Crowdstrike to counter this noise.

As it relates to Datadog, at least for the near term, I think it would be a stretch for Crowdstrike to move into the traditional observability space. First, the buyer for observability solutions is much different than for a security solution. Granted, with DevSecOps, the groups are slowly converging. But, it would seem strange at first blush for a CTO or CIO to buy an APM solution from Crowdstrike. This could change over time with product marketing, assuming Crowdstrike wants to evolve in this direction.

Additionally, as we have seen with observability, the checklist of features considered table stakes is expansive. Use cases include not just Humio’s sweet spot for log analysis, but includes infrastructure, network, APM, RUM, Synthetics, code-level profiling, error tracking, CI/CD checkpoints, etc. Also, the set of system integrations would need to be extended substantially. DevOps teams would expect all these capabilities before seriously considering an observability solution.

I think Crowdstrike’s acquisition of Humio will land somewhere in the middle. It substantially improves their capabilities to broaden the data ingestion aperture and counter claims from security competitors about XDR being an improvement over Crowdstrike’s existing EDR. It also provides more data to inform Crowdstrike’s threat intelligence and breach prevention. As a large cloud-based data collector at its core, Crowdstrike could leverage these new data stream processing capabilities to expand into other adjacent use cases. I am also a CRWD shareholder and am excited to see incremental business driven by these new capabilities.

Built on Snowflake

It seems no discussion of software infrastructure providers can be had these days without mentioning Snowflake (SNOW). As readers likely know, Snowflake brands themselves as a cloud data platform that could span all data workloads for the enterprise. To be clear, this primarily involves analytical workloads, not transactional (OLTP – connected directly to a consumer app). However, their offline, large-scale analytical data processing function does parallel the same set of steps taken by observability platforms to ingest, aggregate and query data for contextually informed visualizations.

While Snowflake leadership doesn’t currently have aspirations to become an observability solution provider, they have no problem allowing other companies to build observability products on top of Snowflake as the data processing engine. The benefit for Snowflake is the sale of their core storage and compute for the data processing by these providers. The benefit to the observability partner is that they don’t need to build a data ingestion and processing platform themselves, in the same way that New Relic, Datadog, Splunk and Elastic did.

Snowflake even offers an architectural reference for potential customers/partners to consider in building an observability solution. An example of a company doing this is Observe, which announced $35M in funding in October 2020 and brought its beta product out of stealth mode. They offer a toolset for observability use cases that ingests log, metrics and traces data into Snowflake and allows operators to visualize the activity of system resources and correlate behavior between them.

When asked about the choice to build on top of Snowflake, the CEO said “rather than build another data lake platform, it makes more sense to make an observability platform available using a software-as-a-service (SaaS) application model based on an existing cloud service.” Pricing of Observe is determined by data storage volume and the number of queries run, which likely ties back to cover Snowflake charges for storage and compute, with a mark-up to for Observe’s interface on top.

This will be an area to watch. In some ways, I think these new observability vendors built on Snowflake are similar to past providers that built their solutions on top of open source projects, like Elasticsearch. The value of these solutions will be determined not by the underlying data processing platform, but by the breadth and usability of the tooling provided to DevOps personnel. In this regard, existing observability providers like Datadog and their peers have a large head start. However, building on top of Snowflake does reduce the time to market for new entrants and piggy backs on data ingestion that may already be happening for other analytics use cases. So, this will be another development to monitor.

Datadog Take-Aways

The most notable take-away for Datadog coming out of the Q4 results is the implication that the slow decline in annualized revenue growth since Q2 2020 will stabilize and re-accelerate as 2021 progresses. This conclusion is based on the increasing sequential revenue growth rates, which have been ticking steadily back up to pre-COVID levels over the past couple of quarters. This overhang provides a favorable set-up for 2021, if we are willing to wait until Q2 2021 passes. On the earnings call, leadership reinforces this notion that Q2 2020 created a gap for annual revenue growth rates until it can be lapsed in Q2 2021. This is because Datadog’s annual revenue growth is driven by fairly consistent quarterly sequential additions.

We are pleased with the usage growth of existing customers which showed continued adoption of our platform and their cloud migration even in the face of the macro pressures. To go into a little more detail, growth of existing customers was broadly in line with long-term trends and meaningfully better than the level experienced in Q2 of last year. As a reminder, even though we have now experienced two quarters of usage growth that was approximately in line with pre-pandemic levels, Q2 was meaningfully pressured, and that pressure will impact our year-over-year metrics including revenue growth and net retention until we lap that compare.

Datadog Q4 2020 EArnings CAll

Using round numbers, the Q1 2021 revenue estimate is for $186M at the midpoint. If Datadog beats by the same $14M amount they did in Q4, then they would deliver $200M in Q1 revenue for a sequential growth rate of 12.7%. Looking further ahead, if we project sequential growth at the same 12.5% for Q2, Datadog could deliver $225M in revenue. The key is that because of the one-time dip in Q2 2020, the year-over-year comparable becomes easier, allowing annual revenue growth to re-accelerate back to 60+% later in 2021. Sequential growth of 12.5% may even be conservative, if we look at pre-pandemic performance.

            Revenue    Annual    Sequential
Q2 2020     $140.0M     68%          6.9%
Q3 2020     $154.7M     61%          10.5%
Q4 2020     $177.5M     56%          14.7%
Q1 2021     $200M       52%          12.7%
Q2 2021     $225M       61%          12.5%
Q3 2021     $253M       63%          12.5%
Q4 2021     $285M       61%          12.5%

* 2021 numbers are my estimates

This growth trajectory is justified by customer metrics. Combining the high DBNER, still over 130%, with new customer growth of 35% implies revenue growth should land over 60%. Granted, that is not an exact formula, but is directionally reliable for sizing future revenue growth. Large customer increases are compelling as well, with a near doubling of greater than $1M ARR customers during 2020. This has been driven by customer spend expansion to adopt new product offerings. Datadog’s continued product development and acquisition activity keeps adding new revenue streams to help support rapid growth.

Shifting to the bottom line, Datadog demonstrates strong operational leverage. Gross margins are high, providing plenty of financial fuel for sales and R&D investments. Cost centers are scaling well, with relative spend in all three departments gradually dropping as a percentage of revenue. This is creating generous Non-GAAP operating margins of around 10% now and with a long-term target around 20%. Similarly, Datadog is an efficient cash allocator, with FCF margins continuing to increase along the same trajectory.

Datadog’s product development cadence is high. They are frequently adding new product lines, mostly through organic development. They now have ten separate product offerings in GA, up from one over four years ago. Datadog actually spends more on R&D (GAAP $67.7M) than sales and marketing (GAAP $60.0M). This is rare, but indicative of their heavy investment in product development and the efficient go-to-market model.

The rapid pace of hiring in 2020 should also support high revenue growth. Datadog increased headcount by a staggering 56%, with most of that allocated towards go-to-market and R&D. If the sales headcount increased by at least this amount, then it is probable that overall sales generation would scale proportionally. Datadog leadership claims that most new customer lands are greenfield, meaning there isn’t competitive displacement. If this is true, then the winner in this space could simply be determined by who fields the largest sales team.

While there are many players offering observability solutions, Datadog is considered the best-of-breed in pre-packaged observability platforms. While most providers now offer all the basic observability features, Datadog continues to add new capabilities at a rapid clip. Datadog’s expansion into incident management, code profiling and pre-production support also provides deeper penetration into traditional DevOps workflows. Customer additions and expansion across multiple product lines for Datadog further highlight that they are performing favorably in the competitive environment.

The stock price chart for DDOG over the past year shows a period of consolidation from July 2020 to present. DDOG stock peaked in early July 2020 around $100 after an impressive run from its IPO in late 2019. Since then, the stock has largely flatlined, most recently in a range from $95 – $110.

DDOG’s current market cap is about $30B and its P/S ratio is 52. The P/S ratio has come down from a high of 65, when revenue was in the 60% range. If annual revenue growth re-accelerates through 2021, we could see DDOG stock’s valuation multiple retrace to prior levels. Additionally, if Datadog can maintain 12.5% sequential quarterly growth, 2021 revenue could reach $950M. I think these factors could push DDOG stock over $150 this year.

Investment Plan

I have been covering Datadog for almost a year, starting in April 2020 with an initial analysis and then reviewing their Q1 and Q2 results. However, I hadn’t initiated a position, due to proximity to its IPO in late 2019 and then out of concern for revenue deceleration. I certainly missed out on some growth early in 2020, but benefitted from the flatlined stock price since July 2020. In September, I formally set a 5 year price target of $215, when the stock was trading at $80.

Given the momentum for Datadog coming into 2021 and likelihood for annual revenue growth to re-accelerate in the second half of the year, I think DDOG provides a favorable set up. With the stock trading at about $100 currently, I think DDOG could pass $150 later this year, representing a 50% gain. For me, this represents a reasonable return for 2021, after many software stocks doubled or tripled last year.

Given this optimistic view for DDOG, I built up a 15% allocation in my personal portfolio following the Q4 results. It is now a mid-sized position. I may add further as 2021 unfolds and will continue to provide quarterly updates on Datadog’s progress.

NOTE: This article does not represent investment advice and is solely the author’s opinion for managing his own investment portfolio. Readers are expected to perform their own due diligence before making investment decisions. Please see the Disclaimer for more detail.