SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers

Contrast links ADR with Datadog SIEM to cut alert noise

Wed, 17th Dec 2025

Contrast Security has integrated its Application Detection and Response product with Datadog Cloud SIEM to feed verified application runtime threat data into Datadog's security platform.

The new link focuses on application-layer attacks. It aims to cut the time security teams spend validating low-value alerts from perimeter tools.

The integration sends confirmed attack signals from Contrast ADR directly into Datadog Cloud SIEM. It then uses those signals as triggers for response workflows inside Datadog.

Security teams use Datadog Cloud SIEM to analyse logs and security events across infrastructure and applications. Contrast ADR runs inside applications and APIs and observes runtime behaviour.

Contrast said many Security Operations Centres face a backlog of alerts that lack context. It said this backlog slows incident response and leaves high-risk attacks hidden in general noise.

"Security teams are under pressure to cut Mean Time to Respond (MTTR), but struggle with noisy alerts that lack context," said Faya Peng, General Manager of ADR and Head of Product, Contrast Security.

"By delivering verified runtime intelligence into Datadog, we're giving SecOps the contextual fidelity to confidently automate triage and response without fear of false positives. Adding Contrast data to the Datadog Cloud SIEM completes the overall security picture, drastically reducing the time required to stop application breaches."

Contrast cited Datadog's State of Application Security report as evidence of the alert quality problem. The report found that organisations face thousands of vulnerabilities. It said only 3% of critical vulnerabilities represent genuinely high-priority risks.

Contrast also referred to its own Software Under Siege 2025 report. The study found that applications face attacks every three minutes on average. It said more than 31% of viable exploits target weaknesses such as unsafe deserialization.

Perimeter security products often miss those weaknesses. Traditional tools focus on network and edge traffic rather than code-level behaviour inside applications.

Contrast said many teams rely on web application firewall alerts as early warning. It said those alerts correlate to real exploits less than 0.25% of the time.

This low correlation rate leads analysts to investigate a large volume of events. Many of those events do not represent genuine attacks.

Contrast ADR sits inside the application runtime. It detects and blocks attacks from within the software rather than at the network boundary.

The system verifies whether an incoming request leads to a real exploit path. It then flags only those confirmed attacks as alerts.

The new integration streams those verified alerts into Datadog Cloud SIEM. It includes context about the affected application, route, and vulnerability.

Datadog users can route these alerts into Datadog Workflows. They can then connect those workflows into ticketing, chat, and case management tools.

Contrast said this setup allows security teams to automate triage. It said teams can reduce manual validation steps because upstream alerts have already been confirmed at runtime.

Joint customers can configure rules inside Datadog that treat Contrast alerts as high-confidence events. These rules can trigger incident creation, escalation, and notifications.

The integration targets application-layer threats that often evade traditional defences. Examples include untrusted deserialization and OGNL injection, which attackers use for data exfiltration and ransomware.

In such attacks, malicious input exploits logic in application code. Network-layer defences may not see this behaviour if traffic appears legitimate.

Contrast said the combination of runtime detection in ADR and event correlation in Datadog Cloud SIEM reduces mean time to respond from days to minutes for some application attacks.

The company said that faster detection and automated hand-off into workflow tools shorten the full response cycle. It said this includes investigation, containment, and remediation steps.

Contrast also highlighted its SmartFix AI feature as part of the response chain. SmartFix AI identifies the correct code fix for a given vulnerability.

The tool then generates pull requests with ready-to-merge code changes. Development teams can review and merge those changes through their existing version control systems.

Contrast said this process speeds repairs and reduces the manual work required from developers. It said this also supports security teams that lack in-house application security expertise.

Datadog customers can access Contrast ADR within the Datadog platform. They can then enable the integration as part of their existing Datadog Cloud SIEM setup.

Contrast positions its runtime approach as a way to uncover application-layer risks that edge tools do not see. It embeds threat sensors inside software components and monitors live traffic and code paths.

The company said this method provides continuous defence at the application layer. It said this aligns security monitoring with the way modern applications and APIs operate.

Peng said demand for runtime signals inside centralised monitoring platforms is growing. "Adding Contrast data to the Datadog Cloud SIEM completes the overall security picture, drastically reducing the time required to stop application breaches," said Peng.