Datadog Cloud SIEM pricing in 2026: per-host, per-GB, and the real total
The independent Datadog Cloud SIEM pricing reference. Per-host infrastructure base, per-GB log ingest, indexing tiers, Flex Logs, and Cloud SIEM rates, with five real cost scenarios from startup to enterprise. Updated May 2026.
List rates from datadoghq.com/pricing as of May 2026. Negotiated discounts are commonplace above $250K committed annual spend.
How Datadog Cloud SIEM pricing actually works
Datadog packages Cloud SIEM as an add-on layered on top of Datadog Logs. That structural decision has the largest single effect on what your real bill becomes. Cloud SIEM by itself is genuinely inexpensive at $0.20 per analyzed log GB. The line item that swallows budgets is the underlying Logs product, where indexed retention runs $1.70 per million events at 15 days and $2.50 per million events at 30. Most enterprise log mixes average 6,000 to 10,000 events per GB, which means a 50 GB-per-day environment indexes roughly 9 to 15 billion events per month, generating an indexed-log bill of $15K to $40K per month before any Cloud SIEM charge appears.
Datadog also charges separately for the host telemetry that originates many of those logs. Infrastructure Pro lists at $15 per host per month, Enterprise at $23. For a 200-host environment, that base alone is $36K to $55K per year before any log spend at all. Customers who arrived at Datadog through Application Performance Monitoring or Infrastructure Monitoring already absorb this cost; customers buying Datadog as a standalone SIEM see it as a Cloud SIEM line item even though it lives on a different product.
The Cloud SIEM analyzed-log line is small relative to the underlying Logs spend it implies. Cloud SIEM's $0.20 per analyzed GB on the 50 GB-per-day environment above is roughly $3,650 per year. The Logs bill it sits on top of is $74K. That ratio is the reason single-line-item comparisons against Splunk or Sentinel mislead: Cloud SIEM's headline rate is the smallest part of the real bill.
Datadog launched Flex Logs in 2024 to address the indexing tax. Flex Logs combines ingestion ($0.05 per GB) with long-term storage ($0.0017 per GB per month) and removes the per-event indexing line. Queries against Flex Logs run in minutes rather than seconds and are not interactive, which suits compliance retention but not real-time investigation. Cloud SIEM detections work against Flex Logs data, so security signal generation continues even when you have moved 90-day-plus retention out of the indexed tier. For organisations where most logs are written once and read rarely, Flex Logs cuts the long-tail retention bill by roughly an order of magnitude.
Discounts are routine. Datadog's quarter-end pressure produces 20-30 percent off list at committed annual spend above $250K, and multi-year commitments push that towards 35 percent. List pricing is genuinely the worst price you should pay on any meaningful deployment.
Datadog SKU reference for Cloud SIEM deployments
| SKU | List rate | What it actually buys |
|---|---|---|
| Infrastructure (Pro) | $15 / host / month | Required base for any Datadog deployment that originates host telemetry |
| Cloud SIEM | $0.20 / analyzed log GB | Layered on top of Logs. Pays for detection rules, signals, and threat intelligence |
| Logs (ingestion only) | $0.10 / GB | Base ingestion charge. Logs sit in Datadog but are not indexed or queryable yet |
| Logs (15-day retention) | $1.70 / million events | Indexed for fast search. The line item that actually surprises customers |
| Logs (30-day retention) | $2.50 / million events | Indexing scales linearly with retention |
| Flex Logs (ingestion + storage) | $0.05 / GB ingest + $0.0017 / GB / mo | Cheap long-term tier. Slower queries, no indexing, replaces archive workflows |
Real-world Datadog Cloud SIEM cost scenarios
| Scenario | Profile | Infra | Logs | Cloud SIEM | Total |
|---|---|---|---|---|---|
| Startup | 30 hosts, 8 GB/day logs, Cloud SIEM, 15-day retention | $5,400/yr | $8,500/yr | $580/yr | $14K-$18K/yr |
| Mid-market | 200 hosts, 50 GB/day logs, Cloud SIEM, 30-day retention | $36K/yr | $74K/yr | $3.6K/yr | $120K-$160K/yr |
| Enterprise | 1,200 hosts, 250 GB/day logs, Cloud SIEM, 30-day retention | $216K/yr | $370K/yr | $18K/yr | $650K-$820K/yr |
| Logs-only adopters | 0 hosts, 100 GB/day logs into Cloud SIEM, Flex Logs for 90+ days | $0 | $15K/yr (Flex) | $7.3K/yr | $24K-$32K/yr |
| High-host / low-log | 800 hosts, 20 GB/day logs, Cloud SIEM, 15-day retention | $144K/yr | $22K/yr | $1.5K/yr | $170K-$200K/yr |
Estimated, triangulated from public list pricing, vendor blog posts, and engineer write-ups on Reddit and LinkedIn during Q1 2026. Negotiated discounts of 20-30 percent are routine at $250K-plus committed spend.
Datadog Cloud SIEM vs Splunk and Sentinel at 50 GB per day
Same ingest, three vendors, all-in licence and platform spend. Excludes analyst staffing, professional services, and storage beyond standard tiers.
Sentinel wins on raw price at this size. Datadog wins where you already buy infrastructure monitoring and want to consolidate. Splunk wins where investigation depth and the ES content library are the binding constraint.
Five Datadog Cloud SIEM cost optimisations that genuinely work
Drop debug logs at the agent
30-50% on log spendDatadog's agent supports include / exclude filters per source. Most teams ship debug-level traces by default. Filtering them at the agent before they hit the ingest API is the single highest-leverage move on the bill.
Move long-retention logs to Flex Logs
70-90% on storage tierIndexed logs cost roughly $1.70 per million events at 15 days. Flex Logs replaces that with a $0.05/GB ingest plus $0.0017/GB/month tier. For compliance retention with rare query needs, Flex Logs is roughly an order of magnitude cheaper.
Sample APM and trace volume aggressively
20-40% on indexed spansDatadog charges per indexed span as a separate line. Defaulting to head-based sampling at 5-10% on high-throughput services typically holds detection signal while cutting span spend by half or more.
Right-size Cloud SIEM detection rules
10-15% on Cloud SIEMCloud SIEM bills per analyzed log GB, not per signal. Out-of-the-box rule packs scan everything; pruning packs that target log sources you do not ingest reduces analyzed volume without losing real coverage.
Negotiate EA at $250K-plus committed spend
20-30% listDatadog's quarter-end list discount band sits at 20-30 percent for committed annual spend above roughly $250K. Multi-year commits push this towards 35 percent. The lever exists; ask for it.
When Datadog Cloud SIEM is the right SIEM
Datadog Cloud SIEM is unambiguously the right pick in three buyer profiles. First, organisations already on Datadog for application performance monitoring or infrastructure monitoring who want to consolidate security on the same data plane. The marginal cost of adding Cloud SIEM is genuinely small once the underlying Logs spend is sunk. Second, cloud-native engineering teams who value the API-first product and the one-vendor billing model over best-of-breed depth. Third, security teams whose detection content is built around application telemetry rather than network and endpoint correlation, where Datadog's APM and trace data is a real edge.
Datadog is the wrong pick for compliance-heavy regulated industries that need long-running investigations across 24-month data sets. The indexed-retention bill at that profile is brutal, and even Flex Logs has interactive-query limitations that workflow-heavy SOCs find frustrating. It is also wrong for environments where logs originate primarily from network appliances and endpoints rather than hosts: the per-host base inverts the unit-economics argument, and Sentinel or QRadar typically win cleanly.
Pricing model evolution worth watching: Datadog has been adding bundled Cloud SIEM allowances to enterprise contracts since late 2024. If your renewal comes up in 2026, push hard for a bundle that absorbs Cloud SIEM into committed Logs spend rather than billing it separately. The negotiation lever exists and is being used.