Datadog Breaks Its SaaS-Only Model with BYOC and Federated Logs

Datadog spent more than a decade defining observability as a SaaS-only category. This week at DASH, that posture ended. The vendor began supporting analysis of metrics, logs and traces stored in customer-controlled cloud infrastructure, launched federated logs search against external stores, and bolted on a new AI Agent Console to track token spend across its own Bits AI and third-party agents from Anthropic and OpenAI.

What Happened

The headline number isn't a dollar figure, it's a category shift: zero to three. Datadog went from zero customer-controlled storage options to three distinct ones (BYOC, federated logs, and a hosted MCP server that lets external agents query its detections) in a single keynote cycle. As TechTarget reported, Datadog was previously strictly SaaS, with all telemetry landing in its cloud. Zara Boddula, a product manager at Datadog, framed the change around what she called petabyte-scale telemetry volumes driven by AI workloads and cross-geography compliance pressure.

The federated logs search extends Log Explorer to query Databricks, ClickHouse and Snowflake without ingesting that data into Datadog first. Carlos Casanova at Forrester noted that Cisco/Splunk is on the same federated path, and that done properly the pattern reduces ingest, storage and compute costs without losing fidelity. That is the pitch.

On the AI side, Datadog introduced an Agent Console that monitors usage and costs for Bits AI agents plus third-party agents from Anthropic and OpenAI. AI Guard, an agentic security tool, shipped in limited preview. A new hosted MCP server spans both observability and security. Datadog also previewed a Runtime Prioritization Engine that auto-detects "crown jewel" systems from telemetry rather than user tags, and decoupled its Bits Security Analyst from its SIEM so it now works against Splunk and Microsoft Sentinel. The source does not disclose pricing for BYOC or federated logs, which matters because the entire business case for moving off SaaS storage is cost.

Technical Anatomy

BYOC and federated search are two different architectures pretending to be one announcement, and engineering teams need to read them separately.

BYOC keeps the data plane in the customer's cloud account. The control plane (queries, dashboards, alerting) stays in Datadog's SaaS. That is the standard pattern that Snowflake-native and ClickHouse-native observability startups have been shipping for two years. The tradeoff is well understood: you pay your hyperscaler for storage and compute on telemetry retention instead of paying Datadog's per-GB ingest rate, and in exchange you accept query latency that depends on your own object store and compute provisioning. The source does not specify which clouds are supported at GA, nor whether BYOC covers all three telemetry types (metrics, logs, traces) at parity. The realistic bound: if BYOC ships AWS-first with logs-only at launch, this is a defensive product. If it ships day-one with metrics and traces across AWS, GCP and Azure, it's a genuine architectural pivot.

Federated logs is a different beast. Instead of moving data, Log Explorer issues queries against Databricks, ClickHouse and Snowflake in place. This is the pattern Carlos Casanova flagged as the same one Cisco/Splunk is pursuing. The engineering question is query pushdown: how much of the filter, aggregation and join work executes on the external warehouse versus getting pulled into Datadog's query layer. If pushdown is shallow, "federated" becomes a polite word for "we egress your warehouse and bill you for the bandwidth twice."

Then there's the lock-in residue. Torsten Volk at Omdia was blunt: Datadog still requires its proprietary agent (or its own OpenTelemetry distribution) for database monitoring, data observability and cloud network monitoring. The upstream OpenTelemetry collector gets you base functionality only. Volk contrasted this with Elastic, which supports vanilla OTel collectors across all its observability services. So BYOC moves the storage boundary but not the collection boundary. Unknown but testable: what percentage of a typical Datadog customer's telemetry volume requires the proprietary agent? If the answer is north of 50 percent, BYOC is cosmetic.

Who Gets Burned

The first cohort exposed is the BYOC-native startup tier. Vendors that built their entire pitch around "your data, your cloud" against Datadog's SaaS lock-in just lost their cleanest differentiator. They still have an argument (no proprietary agent, true OTel-native ingestion, simpler pricing), but the marketing slide that read "unlike Datadog, your data never leaves your account" is dead.

The second cohort is enterprise platform teams who already signed multi-year Datadog contracts on SaaS-only assumptions. They now have to decide whether to renegotiate. If BYOC pricing is materially cheaper than SaaS ingest, finance will ask why. If it isn't, the announcement is theater. Eric Swanson, a senior SRE at Denver-based MagicSchool AI, captured the skepticism at the keynote: he lost count of the "proud to announce" features, noted that many of them are AI-based with per-use token costs, and that is before you get to the existing complexity of APM, logs, traces, RUM and profiles all billed separately and workload-dependent.

The third cohort is SIEM incumbents. Datadog decoupling Bits Security Analyst from its own SIEM and pointing it at Splunk and Microsoft Sentinel is a direct play for accounts where Datadog has observability but lost the security data lake. Expect Splunk and Sentinel field teams to start hearing "we'll just use Datadog's analyst on top of you" in renewal conversations within 90 days.

The unanswered question for all three cohorts: does Datadog's pricing for AI features scale linearly with token consumption, or are there bundled tiers? The source confirms the Agent Console reports costs but does not disclose the billing model. Until that lands, AI feature adoption inside cost-sensitive engineering orgs will be cautious.

Playbook for Engineering Teams

If you run Datadog at scale, three concrete moves this quarter.

First, audit your agent footprint. Inventory which features in your current contract require the proprietary Datadog agent versus which run on the upstream OpenTelemetry collector. That ratio is your real lock-in coefficient. Volk's framing of "degrees of lock-in" is the right mental model: BYOC reduces storage lock-in but does nothing about collection lock-in. If database monitoring and cloud network monitoring are load-bearing in your stack, you are still firmly inside the walled garden.

Second, model federated logs against your current ingest bill before you migrate. Pick one high-volume log source (application logs are usually the cheapest test), route it to Snowflake or ClickHouse, and benchmark query latency from Log Explorer against your existing SaaS-ingested baseline. Yanbing Li's small-model-then-frontier-LLM pattern for AI Guard is worth borrowing here: route the cheap, high-volume queries to federated storage and keep the latency-sensitive incident-response paths on hot SaaS storage. Google Cloud's architecture guidance on tiered data retention applies cleanly to this split.

Third, set a hard budget on AI agent spend before you turn anything on. The Agent Console gives you visibility, not control. Define per-team token budgets, wire them to the console's reporting, and treat overruns as paging events. Katie Norton at IDC was right that the Runtime Prioritization Engine is the most significant application security update here, because tags go stale and ownership goes unclaimed. The same logic applies to AI cost ownership. Without an assigned owner per agent, the Agent Console becomes a report nobody reads.

Key Takeaways

• Datadog ended its strict-SaaS posture with BYOC plus federated logs search against Databricks, ClickHouse and Snowflake, matching the Cisco/Splunk federation direction.
• The proprietary agent requirement for database monitoring, data observability and cloud network monitoring keeps a meaningful lock-in surface intact. Elastic remains the cleaner OTel-native alternative.
• The Agent Console reports AI spend across Bits AI, Anthropic and OpenAI agents but the source does not disclose Datadog's own billing model for AI features, which is the actual variable that determines adoption.
• Bits Security Analyst now standalone against Splunk and Microsoft Sentinel is a direct competitive move on SIEM incumbents. Expect renewal pressure within 90 days.
• Testable prediction: if BYOC pricing lands more than 30 percent below equivalent SaaS ingest at GA, expect at least one publicly-announced enterprise migration off pure-SaaS Datadog by Q4 2026. If the gap is smaller, BYOC adoption stays in the single digits and the announcement was defensive.