Datadog Launches Application Security Monitoring

On Thursday, while investors were poring over Amazon and Apple’s earnings results, Datadog snuck out another product release. In this case, they brought their Application Security Monitoring product to general availability. This isn’t a surprise, as Application Security had been announced in private beta as part of the Dash user conference in October. With that said, this represents another product offering in Datadog’s security arsenal that can be monetized.

Application Security Monitoring provides protection against application-level threats by identifying attacks that target code-level vulnerabilities. Examples are SQL injections and cross-site scripting (XSS) exploits targeting web applications or API’s. These attacks typically involve the user interface and data inputs associated with an application. The hacker will try to manipulate user input processing routines to gain access to data from other users or elevated permissions. This type of activity can be prevented by actively monitoring the inputs and outputs of the web application, and its underlying APIs that provide data exchange between the client and the server.

This capability leverages the acquisition of Sqreen, announced in February 2021 and closed in April of the same year.  Sqreen is a SaaS-based security platform that enables enterprises to detect, block and respond to application level attacks. To do this, they provide a solution for runtime application protection (RASP). In addition to RASP, Sqreen’s solution includes a web application firewall (WAF). Security issues in the application layer are challenging to manage, as the owner needs to allow legitimate traffic, while blocking nefarious activity.

At the time of the acquisition, Datadog leadership signaled that they would be taking the technology behind Sqreen and incorporating that into the Datadog platform. With the beta release of Application Security, we have the output of that integration. Prior to the acquisition, Sqreen claimed to have over 800 customers. These likely offer some cross-sell opportunities for Datadog.

These capabilities push Datadog further forward into active application protection and deeper into the security space. By having the Datadog agent on every infrastructure host observing activity at a granular level, Datadog can easily turn on these new security capabilities without requiring additional deployment by their customers. Having the agent on every device allows for more active monitoring of security-related context. It also offers the ability to take action to prevent further damage once malicious behavior is detected.

Application Security Monitoring represents a necessary additional layer of protection beyond what can be monitored at the network perimeter or even host level. By screening the application inputs for exploit attempts, this represents a different security function from normal endpoint or cloud workload protection. For that reason and because the Datadog agent is already on the web servers processing user inputs, it will be straightforward for interested customers to activate.

Datadog’s Growing Security Suite

Application Security Monitoring joins Datadog’s other security products, further rounding out their capabilities. Datadog’s security strategy focuses on the application and cloud-based server side of enterprise software infrastructure. They have no stated intention to expand into user device endpoints, competing with the likes of Crowdstrike or Sentinel One in that space.

This distinction makes a lot of sense, if we think about where Datadog’s agent runs. In order to perform its core observability functions around infrastructure, application performance and network monitoring, the Datadog agent is installed on most servers and supporting infrastructure within a customer’s cloud footprint. Expanding the functions of the Datadog agent into security use cases is logical and fairly straightforward.

With Application Security Monitoring, Datadog’s security platform now covers a multitude of products:

• Cloud SIEM. Monitors log data for indications of exploit activity. Provides out-of-the-box detection rules and allows the security team to construct their own. Charged based on log volume, with a list price of $0.20 per GB per month.
• Cloud Workload Security. Conducts threat detection for hosts and containers in a customer’s cloud installation. Monitors signals like file access and process activity deep in the operating system, even down to the kernel level using eBPF. Priced at $15 per host per month.
• Cloud Security Posture Management (CSPM). Performs configuration checks across cloud accounts, hosts and containers for common misconfigurations and unnecessarily open access controls. Also validates compliance with industry standards like PCI, HIPAA and GDPR. Alerts on misconfigurations. Priced at $7.50 per host per month.
• Sensitive Data Scanner. Monitors log data for sensitive data leakage based on preconfigured or custom detection rules. Integrated with alerts and dashboards for notification and investigation. Priced at $0.30 per GB per month.
• Application Security Monitoring. Threat detection for web apps and APIs based on preconfigured rules that identify common exploit behavior like XSS and SQL injection. Priced at $31 per host per month.

Because Datadog’s agent is already on a customer’s cloud infrastructure for monitoring, expansion into security use cases represents a low friction glide path. In many cases, this may be easier than expanding from user device endpoints. Most enterprises and certainly start-ups will install an observability suite early in their application hosting lifecycle. Adding security monitoring and protection may represent a second wave of updates, being driven by the heightened threat environment we are currently experiencing.

Activating these security features on the same infrastructure that is already being monitored by Datadog is as simple as updating a setting in the Datadog Admin console. This may explain the rapid uptake of Datadog’s security features among customers. During the Q4 earnings call in February, this trend was highlighted several times. In the CEO’s opening remarks, he noted that Datadog already has thousands of customers using their cloud security products. Considering these products were released over the last year and that Datadog reported 18,800 total customers in the quarter, “thousands” of customers would represent pretty significant adoption in a short amount of time.

And we’re now very pleased with our early momentum in security as we have thousands of customers using our cloud security products today.

Datadog CEO, Q4 2021 EArnings Call

This rapid uptake underscores the ease of adoption and my earlier point about expansion from their foothold in observability. Activating these security features on hosts already being monitored is a button push for the customer. Customer DevSecOps teams don’t need to test and deploy a new software agent in order to activate cloud application and host level security protection.

Datadog’s Expanding Product Offerings

With Application Security, the number of Datadog products with individual pricing has expanded to 15. This has grown by 50% from 10 top-level monetized products at the beginning of 2021. As investors know, Datadog has a strong customer expansion motion in continually growing the number of product subscriptions per customer. Leadership provides updates each quarter on the percentage of customers using 2 or more, 4 or more and most recently 6 or more products (already at 10%, up from 3% a year prior). These subscription increases drive Datadog’s phenomenally high dollar-based net retention rate above 130%. Combined with their sustained addition of new customer accounts, we can understand how Datadog has been able to maintain elevated revenue growth.

In the upcoming earnings report for Q1, we should get more data points on security product uptake and the durability of revenue growth in general. While there may be some volatility due to macro effects, I think that Datadog’s strategy of continually expanding customer counts, product uptake and the total number of products offered will bear fruit. This is the crux of their go-to-market motion.

With “observability” generalizing into the idea of monitoring any system, security was a natural extension beyond application, log and infrastructure monitoring. Datadog likely has other enterprise systems that could benefit from being made more “observable”, whether in business performance, financial operations or organizational effectiveness. These could represent new growth opportunities for Datadog to expand their addressable market further.

NOTE: This article does not represent investment advice and is solely the author’s opinion for managing his own investment portfolio. Readers are expected to perform their own due diligence before making investment decisions. Please see the Disclaimer for more detail.