Datadog Application Security

Datadog Application Security

Category: RASP
License: Commercial
Visit Website →

Datadog Application Security Management (ASM) provides runtime application protection integrated directly with Datadog’s observability platform, combining RASP capabilities with distributed tracing and APM data.

What is Datadog Application Security?

Datadog ASM embeds security protection into applications using the same tracing libraries that power Datadog APM.

This approach means security instrumentation deploys automatically wherever APM is already installed, eliminating the need for separate security agents or network-based protection.

The RASP capabilities come from Datadog’s 2021 acquisition of Sqreen, a pioneer in application-level security.

Sqreen’s technology operates inside the application runtime, giving it visibility into how requests flow through code and the ability to block attacks before they reach vulnerable code paths.

What makes Datadog ASM distinctive is the integration between security and observability.

When an attack is detected, security teams see not just the attack signature but also the full request trace, the services affected, the user responsible, and the code paths involved.

This context dramatically accelerates incident investigation and response.

Key Features

In-Application WAF

The in-app WAF operates inside your application rather than at the network perimeter.

This positioning provides several advantages:

  • Sees requests after TLS termination without additional decryption
  • Understands application context like user sessions and business logic
  • Blocks attacks that network WAFs miss due to encoding or evasion techniques
  • Works in environments where network-based WAFs are impractical (microservices, serverless)

Detection rules cover the OWASP Top 10 including SQL injection, XSS, command injection, path traversal, and SSRF.

Custom rules can be created to address application-specific threats.

Distributed Tracing Integration

When an attack is detected, Datadog ASM links the security event to the corresponding distributed trace.

This integration shows:

  • The complete request path through your microservices
  • Latency impact of the malicious request
  • Database queries and external API calls triggered
  • The specific code functions that processed the malicious input

Security teams investigating an incident can follow the request from ingress through every service it touched, understanding exactly what the attacker accessed.

Threat Intelligence and User Tracking

Datadog ASM correlates attacks with threat intelligence feeds to identify known malicious actors.

User tracking associates security events with authenticated users, enabling:

  • Identification of accounts engaged in suspicious behavior
  • Detection of credential stuffing using known breached credentials
  • Account lockout recommendations based on attack patterns
  • Attribution of attacks to specific users for forensic purposes

Code-Level Vulnerability Detection

Beyond blocking attacks, Datadog ASM identifies vulnerabilities in your code based on how requests are processed.

When the tracer observes dangerous patterns like unsanitized user input reaching database queries, it flags the specific code location for developer attention.

This approach finds vulnerabilities that static analysis misses because it observes actual runtime behavior rather than theorizing about code paths.

Installation

Datadog ASM is enabled through the same tracing libraries used for APM.

If you already use Datadog APM, enabling ASM typically requires only configuration changes.

Java Installation

# Download the Datadog Java agent
curl -L https://dtdg.co/latest-java-tracer -o dd-java-agent.jar

# Run your application with ASM enabled
java -javaagent:dd-java-agent.jar \
  -Ddd.appsec.enabled=true \
  -Ddd.service=my-service \
  -Ddd.env=production \
  -jar your-application.jar

For application servers like Tomcat, add to CATALINA_OPTS:

export CATALINA_OPTS="$CATALINA_OPTS -javaagent:/opt/datadog/dd-java-agent.jar -Ddd.appsec.enabled=true"

Node.js Installation

npm install dd-trace

Initialize the tracer with ASM enabled:

// Must be the first line of your application
const tracer = require('dd-trace').init({
  appsec: true,
  service: 'my-service',
  env: 'production'
});

// Your application code follows
const express = require('express');
const app = express();

Python Installation

pip install ddtrace

Run your application with the Datadog tracer:

DD_APPSEC_ENABLED=true DD_SERVICE=my-service ddtrace-run python app.py

For Django or Flask:

DD_APPSEC_ENABLED=true ddtrace-run gunicorn myapp.wsgi:application

Kubernetes Deployment

Use the Datadog Admission Controller to automatically inject the tracer:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
  labels:
    admission.datadoghq.com/enabled: "true"
  annotations:
    admission.datadoghq.com/java-lib.version: latest
spec:
  template:
    metadata:
      labels:
        admission.datadoghq.com/enabled: "true"
      annotations:
        admission.datadoghq.com/java-lib.version: latest
    spec:
      containers:
        - name: my-app
          env:
            - name: DD_APPSEC_ENABLED
              value: "true"
            - name: DD_SERVICE
              value: my-service

Integration

CI/CD Pipeline Security Gates

Use Datadog ASM findings to gate deployments:

# GitHub Actions example
name: Deploy with Security Check

on:
  push:
    branches: [main]

jobs:
  security-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Deploy to staging
        run: ./deploy-staging.sh

      - name: Run integration tests (generates ASM data)
        run: ./run-integration-tests.sh

      - name: Check ASM findings
        env:
          DD_API_KEY: ${{ secrets.DD_API_KEY }}
          DD_APP_KEY: ${{ secrets.DD_APP_KEY }}
        run: |
          # Query for high severity security signals
          SIGNALS=$(curl -s "https://api.datadoghq.com/api/v2/security_monitoring/signals" \
            -H "DD-API-KEY: $DD_API_KEY" \
            -H "DD-APPLICATION-KEY: $DD_APP_KEY" \
            -G --data-urlencode "filter[query]=env:staging service:my-service status:high" \
            --data-urlencode "filter[from]=now-1h")

          COUNT=$(echo $SIGNALS | jq '.data | length')
          if [ "$COUNT" -gt 0 ]; then
            echo "Found $COUNT high severity security signals"
            exit 1
          fi

      - name: Deploy to production
        if: success()
        run: ./deploy-production.sh

# GitLab CI example
stages:
  - deploy
  - test
  - security
  - release

deploy-staging:
  stage: deploy
  script:
    - ./deploy-staging.sh

integration-tests:
  stage: test
  script:
    - ./run-integration-tests.sh

security-gate:
  stage: security
  script:
    - |
      # Check for ASM alerts during test run
      ALERTS=$(curl -s "https://api.datadoghq.com/api/v2/security_monitoring/signals" \
        -H "DD-API-KEY: $DD_API_KEY" \
        -H "DD-APPLICATION-KEY: $DD_APP_KEY" \
        -d '{"filter": {"query": "env:staging", "from": "now-1h"}}')

      HIGH_ALERTS=$(echo $ALERTS | jq '[.data[] | select(.attributes.status == "high")] | length')
      if [ "$HIGH_ALERTS" -gt 0 ]; then
        echo "Security gate failed: $HIGH_ALERTS high severity alerts"
        exit 1
      fi

deploy-production:
  stage: release
  script:
    - ./deploy-production.sh
  needs: [security-gate]

SIEM and Alerting Integration

Configure Datadog to forward security signals to external systems:

{
  "webhooks": {
    "security_signals": {
      "url": "https://your-siem.example.com/api/events",
      "headers": {
        "Authorization": "Bearer ${SIEM_TOKEN}"
      },
      "payload_format": "json"
    }
  }
}

Security signals automatically appear in Datadog monitors, allowing teams to create alerting rules:

# Datadog monitor configuration
name: High Severity ASM Alert
type: security-signal
query: "status:high"
message: |
  High severity attack detected: {{signal.title}}
  Service: {{signal.attributes.service}}
  User: {{signal.attributes.user}}
notify:
  - "@pagerduty"
  - "@slack-security-alerts"

When to Use Datadog Application Security

Ideal for organizations that:

  • Already use Datadog for APM and want integrated security
  • Run microservices architectures where network WAFs struggle
  • Need security context linked to observability data
  • Want to detect vulnerabilities through runtime analysis
  • Require user-level attribution of security events
  • Deploy across multiple languages supported by Datadog tracers

Consider alternatives if:

  • You need standalone RASP without APM requirements
  • Your applications use languages not supported by Datadog tracers
  • You prefer network-based protection over in-application agents

Datadog ASM represents a shift in how security and operations teams collaborate.

By embedding security into the observability platform developers already use, it removes the traditional barrier between security alerts and the context needed to understand and fix them.

Note: Now branded as Datadog App and API Protection

Other RASP Tools

Contrast Protect
Contrast Protect

Application Detection and Response (ADR) Beyond RASP

Dynatrace
Dynatrace

Full-Stack Observability with Built-in Security

Imperva RASP
Imperva RASP

Combines with Imperva WAF

Waratek
Waratek

Java Runtime Protection & Virtual Patching

See all RASP tools