X
December 4, 2025
Contrast Security has released a new integration with Datadog Cloud SIEM that delivers context-rich, runtime-verified signals directly into Datadog Workflows. By moving detection from the perimeter to the application runtime, Contrast solves the data accuracy problem that limits most modern security operations centers (SOCs). This integration provides the verified data security teams need to distinguish benign probes from successful exploits, automate response, and accelerate mean time to respond (MTTR) from days to hours.
The primary blocker to automating an incident response workflows isn’t a lack of tooling; Datadog Workflows provide powerful and flexible automation capabilities. It’s a lack of trustworthy attack data from the application layer. Security teams are hesitant to automate actions on noisy alerts from perimeter tools like WAFs, which our research shows have less than a 0.25% correlation to real exploits. An alert that might be a threat creates a queue for human investigation; a high-quality alert from inside the application runtime is a trigger for automated action.
The Contrast Security Application Detection and Response (ADR) integration provides this trigger.
The Contrast Security ADR integration with Datadog solves the data quality problem by moving detection from the perimeter to the application runtime. By analyzing code as it executes, Contrast uses behavioral detection to identify genuine threats with high accuracy.
This provides comprehensive coverage against critical attack techniques, including various forms of Injection (SQL, Command) and Path Traversal, as well as Cross-Site Scripting (XSS). It also provides deep visibility into sophisticated threats such as Untrusted Deserialization, which accounts for 31% of the viable attacks observed by Contrast research.
When Contrast detects and blocks a verified attack, it streams context-rich security Logs to Datadog. This signal contains the exact line of code, the attacker's full payload, and the specific data flow that enabled the attack. Our integration includes out-of-the-box custom rules that generate Datadog Signals from these Logs, giving you a curated view of verified threats ready to power your automated response workflows.
Here is a practical example of turning a high-context alert from Contrast into an automated triage workflow:
Detection and response: When Contrast detects and blocks a critical unsafe deserialization attack, it automatically creates a detailed Jira ticket and notifies the application owner in Slack with zero human intervention.
The Trigger: A high-confidence security signal. Our integration’s pre-built rule generates a high-confidence signal whenever a Contrast Log contains contrast.attack.type:unsafe-deserialization with a high or critical severity. Because this signal’s trustworthiness is inherited directly from the verified Contrast runtime log, you can confidently automate the next steps.
The Action: Create and enrich a Jira ticket. Within Datadog Workflows, add an action to create a Jira ticket. The power is in using the rich context from the Contrast alert to make the ticket immediately actionable. Map the alert details directly to the ticket fields:
This automated ticket provides developers with a direct link from the security incident to the full vulnerability details in the Contrast platform. To further accelerate remediation, Contrast SmartFix can be configured to have an AI agent automatically generate a pull request with the suggested code-level fix. By the time the application owner is notified, the attack has been blocked, a ticket has been created, and a ready-to-review fix is waiting for approval.
The Notification: Alert the right team. Add another action to the workflow to send a notification to the application owner's Slack channel, including a direct link to the new Jira ticket.
By connecting high-fidelity runtime intelligence from Contrast to Datadog's automation engine, you can fundamentally compress the incident response lifecycle. Verified alerts replace manual validation; information gathering is replaced by rich, code-level context; and automated workflows replace communication delays. This allows your teams to reduce Mean Time to Respond (MTTR) from days to minutes, freeing them to focus on protecting your applications.
Maarten Buis serves as Sr. Product Marketing Manager at Contrast Security. He translates complex application security capabilities into clear advantages for SecOps professionals, helping them fortify their defenses and honor their commitment to upholding that trust.
