Security Basics
Application Security
Cloud Security Management
Threat Detection and Response
SIEM + Detection Rules
200

What are the three main pillars of Datadog’s security suite?

Cloud Security Management (CSM), Application Security Management (App and API protection), and Cloud SIEM.

200

What data sources power AppSec detections?

Application traces from APM

200

What cloud services does CSM integrate with out-of-the-box?

Da big three: AWS, Azure, GCP

200

What is the goal of Threat Detection & Response in Datadog?

To detect, investigate, and respond to security threats across infrastructure, applications, and cloud environments.

200

What does a “signal” represent in Datadog SIEM?

A correlated security alert generated from one or more log events.

400

What does SIEM stand for?

Security Information and Event Management.

400

Name one benefit of integrating AppSec.

Instant visibility into vulnerable endpoints, attacker IPs, and exploit attempts; no extra agent required.

400

What does CSPM stand for, and what does it do?

Cloud Security Posture Management; it scans cloud accounts for misconfigurations and compliance risks.

400

Which Datadog products contribute to TDR?

SIEM, CSM, AppSec

400

How can AEs describe Datadog’s detection rule system to customers?

Pre-built and customizable rules mapped to MITRE ATT&CK; no coding needed.

600

What kind of data does Cloud SIEM analyze? What kind of log sources?

Logs: from cloud, hosts, apps, and SaaS tools, for security signals and anomalies. ALL of 'em.

600

Name two features bundled under the Code Security package.

Static Code Analysis, Software Composition Analysis, Runtime Code Analysis, Infrastructure as Code Security, Supply Chain Security.

600

What kind of dashboards come OOTB with CSM? There are 3.

Misconfigurations, Vulnerabilities, Identity Risks

600

What is a “security signal” in Datadog?

A correlated alert generated when a detection rule is triggered by suspicious activity.

600

What are “out-of-the-box rules” based on?

Datadog’s security research, MITRE ATT&CK framework, and common attacker behaviors.

800

How does Datadog help customers detect runtime threats in workloads?

Through Workload Protection (formerly Cloud Workload Security), part of CSM, which monitors live process and file activity.

800

How is Datadog’s approach to AppSec different from a traditional Web Application Firewall (WAF)?

Datadog detects threats within the app layer using traces rather than just traffic patterns, which means fewer false positives and better context.

800

How does Datadog align its security detections and dashboards with industry frameworks like MITRE ATT&CK and NIST, and why does that matter to customers?

Datadog translates security telemetry into framework-based, auditable insights, connecting technical detections to compliance and executive reporting.

  • Quickly demonstrate coverage and compliance to auditors or stakeholders.

  • Prioritize detections based on known attacker behaviors.

  • Standardize security visibility across teams without building rules from scratch.

800

How can customers speed up investigations from a signal in Datadog?

By pivoting from a security signal to related logs, traces, or host metrics in one click, with no context switching.

800

How can customers reduce noise from false positives in SIEM?

By tuning detection rules and using suppression filters or tag-based scoping (e.g., env:prod).

1000

What makes Datadog’s agent and single-platform architecture uniquely powerful for modern security operations compared to legacy security tools?

Datadog unifies observability and security at the data-collection layer, giving instant context for detection and response that legacy SIEMs can’t match.

1000

How does Datadog Application Security help developers and security teams work together more effectively?
In short: ASM bridges Dev and Sec; visibility meets context.

ASM ties security findings directly to code, services, and traces, giving both teams shared context.
Developers see which endpoint or commit introduced a vulnerability, while security can validate and prioritize real risks instead of chasing false positives.

1000

How does Datadog CSM reduce compliance and risk management effort for cloud environments at scale?

CSM automatically maps resources across all cloud accounts, runs continuous compliance checks, and links misconfigurations to real-time risk and ownership (which team or service).

Key takeaway: Continuous, automated posture visibility, not periodic audits.
1000

How does Datadog use AI in Threat Detection & Response?

Bits AI automates triage, summarizes incidents, and suggests next investigation steps across signals and telemetry.

1000

What’s a key differentiator of Datadog SIEM compared to Splunk or other security competitors like QRadar?

Unified platform: correlation across logs, infra, APM, and RUM for faster root-cause and less tool-switching.