Datadog Cloud SIEM

SOCaaS

Datadog Cloud SIEM is a self-service cloud SIEM and security monitoring product inside Datadog's observability platform. After an alert, Datadog generates security signals, notifications, cases and workflow hooks, while the buyer owns triage, investigation, containment, remediation and rule tuning.

Service
SOCaaS
Handles
Monitor and notify
Price
Published from $5 per 1M analyzed events/month
  • Monitor and notify
  • New York City, New York
  • 5,000+
  • Founded 2010
Visit website

Shortlist fit

Cloud-native teams already using Datadog for logs, infrastructure monitoring or APM

Provider handles

Service monitors or routes alerts. Your team investigates and responds.

Check before buying

Triage, investigation and response decisions after Datadog creates a signal

Also fits

  • Security and platform teams that want alerting tied to observability context
  • Buyers with internal staff to tune rules, review cases and run response
  • Organizations that need published usage-based SIEM pricing rather than a managed-service quote

Can replace

  • Some standalone cloud SIEM collection, detection and notification workflow
  • Some manual routing of security signals into cases, Slack, Jira or PagerDuty
  • Some separate dashboards for cloud, application and infrastructure security context

Coverage

Provider covers

  • Cloud SIEM detection rules that analyze ingested logs in real time
  • Security Signals Explorer for searching, filtering and assigning signals
  • Notification rules for routing high-severity security signals to teams

Your team still owns

  • Tuning detection rules, routing notifications and managing false positives
  • Connecting log sources, agents, cloud accounts and security integrations
  • Running containment actions through internal tools or customer-configured workflows

Tradeoffs

Works well

  • Clear first-lane fit for buyers that want security monitoring and notification, not outsourced response
  • Works naturally for teams already sending logs, traces and infrastructure telemetry to Datadog
  • Published event-based Cloud SIEM pricing is easier to compare than most managed SOC quotes

Watch out for

  • No Datadog-managed SOC analysts investigate or contain threats for the buyer
  • Buyers need internal security ownership for rule tuning, triage, response and after-hours coverage
  • Pricing can expand when Cloud SIEM is combined with log retention, CSM, AAP, workload protection or observability modules

Reviews

Review synthesis

Gartner Cloud SIEM reviews describe useful cloud visibility, log correlation and real-time detection, while critical themes focus on cost, learning curve and on-prem source forwarding. G2 and Reddit discussion are broader Datadog signals, but they repeat the same buying caveat: the platform can work well when teams govern usage and own tuning.

Customers like

  • Gartner themes mention cloud visibility, centralized log monitoring and event correlation
  • G2 reviewers value Datadog's ability to connect logs, metrics, traces and alerts during incidents
  • Reddit users often separate Datadog's technical value from its pricing complexity

Watch out for

  • Gartner critical themes mention high cost, setup effort and source-forwarding friction
  • G2 reviewers repeatedly describe a broad interface and learning curve
  • Reddit pricing threads warn that ingestion, indexing, retention and negotiated terms can make bills hard to forecast

Pricing

Price
Published from $5 per 1M analyzed events/month
Billing
Tiered, Custom

Questions to ask

  1. Which signals only notify our team, and which workflows can safely run without manual approval?
  2. What event volume, retention and Datadog log-management costs are assumed in the quote?
  3. Who will own rule tuning, case assignment, after-hours triage and containment when a high-severity signal fires?

Integrations

SIEM
  • Datadog Cloud SIEM
  • Datadog Log Management
EDR / Endpoint
  • CrowdStrike Falcon
  • Microsoft Windows
Cloud
  • AWS
  • Azure
  • GCP
  • Microsoft 365
  • Google Workspace
Other
  • AWS CloudTrail
  • Okta
  • Auth0
  • 1Password
  • Cisco Meraki
  • Palo Alto Networks
  • PagerDuty
  • Slack
  • Jira

Editorial notes

Why monitor and notify

Datadog Cloud SIEM creates security signals, notifications, cases and workflow triggers, but the buyer operates the SIEM. Public sources do not show Datadog analysts taking ownership of alert triage or incident response for this product.

Scope boundary

This profile covers Datadog Cloud SIEM and closely related security monitoring workflow, not Datadog's whole observability and cloud security portfolio. CSM, workload protection, application protection, code security and incident management can be separately licensed.

Pricing boundary

Datadog publishes Cloud SIEM event pricing, but buyers still need to model ingestion, retention, event volume, cloud egress and adjacent Datadog modules. Public reviews and Reddit discussions repeatedly warn that Datadog costs can be hard to forecast.

AI and workflow boundary

Datadog markets AI investigations and workflow automation, but those features support the buyer's team. They do not make Datadog a managed investigation or response provider unless a separate service owns that work.

Questions

Is Datadog Cloud SIEM an MDR service?
No. Datadog Cloud SIEM is a self-service SIEM and security monitoring product. It creates signals, notifications, cases and workflow hooks, but the buyer owns triage, investigation, containment and remediation.
Why is Datadog classified as Monitor and notify?
The public product evidence supports detection, alerting, notification, case tracking and customer-configured workflow automation. It does not show Datadog analysts investigating and responding to alerts on the buyer's behalf.
How is Datadog Cloud SIEM priced?
Datadog publishes Cloud SIEM pricing from $5 per 1 million analyzed events per month. Buyers should also model log management, retention, adjacent security modules, cloud data transfer and negotiated contract terms.