Cloud Security Posture Management

Cloud Security Posture Management is not currently available in this site.

Datadog Cloud Security Posture Management (CSPM) makes it easier to assess and visualize the current and historic security posture of your cloud resources, automate audit evidence collection, and remediate misconfigurations that leave your organization vulnerable to attacks. By continuously surfacing security weaknesses resulting from misconfigurations, teams can mitigate risks while ensuring compliance with industry standards.

Detect misconfigurations across your cloud resources

Strengthen your security posture and achieve continuous compliance by detecting, prioritizing, and remediating misconfigurations across all your cloud resources using Datadog’s out-of-the-box detection rules.

View a high-level overview of your security posture on the Overview page. Examine the details of findings and analyze historical configurations with the Security Findings Explorer.

Cloud Security Posture Management overview page

Maintain compliance with industry frameworks and benchmarks

CSPM comes with more than 400 out-of-the-box detection rules that are maintained by a team of security experts. The rules map to controls and requirements within compliance standards and industry benchmarks, such as PCI and SOC2 compliance frameworks.

View compliance reports to see how well you’re doing against each control in a compliance framework. The reports include details such as resources with the most failed findings, a comprehensive breakdown of the number of resources with pass/fail findings, and the top three high-severity rule failures.

Cloud Security Posture Management compliance frameworks

Manage out-of-the-box and custom detection rules

Out-of-the-box detection rules surface the most important risks so that you can immediately take steps to remediate. Datadog continuously develops new default rules, which are automatically imported into your account. Customize the rules by defining how each rule scans your environment, create custom rules, and set up real-time notifications for failed findings.

Cloud Security Posture Management detection rules

Set up real-time notifications

Send real-time notifications when a new misconfiguration is detected in your environment, so that your teams can take action to mitigate the risk. Notifications can be sent to Slack, email, PagerDuty, webhooks, and more.

Use template variables and Markdown to customize notification messages. Edit, disable, and delete existing notification rules, or create new rules and define custom logic for when a notification is triggered based on severity and rule type.

Cloud Security Posture Management rule notification setup page

Review and remediate findings

Investigate details using the Security Findings Explorer. View detailed information about a resource, such as configuration, detection rules applied to the resource, and tags that provide additional context about who owns the resource and its location within your environment. If a finding does not match your business use case or is an accepted risk, you can mute the finding up to an indefinite period of time.

Cloud Security Posture Management security findings explorer


Security posture score
Percentage of your environment that satisfies all of your active Datadog OOTB Cloud and Infrastructure detection rules. Formula: (# of evaluation:pass findings) / (total # of findings). Datadog then weighs this formula by severity: low severity detection rules have a weighting of “1” and critical severity detection rules have a weighting of “5”. This means critical severity detection rules impact scores five times more than low severity detection rules to put greater emphasis on the detection rules that pose greater security risk. The score is also normalized to treat all resource types and resource volumes the same (for example, 500 failing containers are weighted the same as three failing S3 buckets in the computed score). This normalization factor allows scores to be comparable across your cloud accounts, without the risk that they are heavily skewed if one account has more containers, or another has fewer storage buckets.
A group of controls representing a single technical or operational topic, such as Access Management or Networking. The regulatory framework PCI DSS, for example, has 12 requirements.
A specific recommendation for how technology, people, and processes should be managed; typically based on a regulation or industry standard.
A configurable entity that needs to be continuously scanned for adherence with one or more controls. Examples of AWS instance resources include hosts, containers, security groups, users, and customer-managed IAM policies.
A rule evaluates the configuration of a resource to validate an element related to one or more controls. Rules may map to multiple controls, requirements, and frameworks.
A finding is the primary primitive for a rule evaluation against a resource. Every time a resource is evaluated against a rule, a finding is generated with a Pass or Fail status.
A collection of requirements that map to an industry benchmark or regulatory standard.

Get started