Dynatrace Inc.

07/21/2025 | Press release | Distributed by Public on 07/21/2025 07:11

Revolutionizing cloud security with observability context: Dynatrace Cloud Security addressing CADR

Traditional security tools can't keep up with today's cloud- and AI-native environments. Built for static corporate IT, they struggle with the highly dynamic, short-lived workloads behind modern digital services. Securing critical applications within each organization's digital environments requires a new approach: one that protects production in real-time and brings end-to-end observability context into AI-powered security analytics. AI-powered Dynatrace Cloud Security meets this need and corresponds to what the market recognizes as Cloud Application Detection and Response (CADR).

Why traditional security falls short for modern workloads

Incomplete security controls: Our analytics show that many organizations still have blind spots, leaving critical vulnerabilities unaddressed and significant attack paths exposed despite the multiple security controls and tools already in place. For example, 50% of Fortune 500 companies are still vulnerable to the Spring4Shell vulnerability. Applications, often the main revenue drivers, remain one of the top sources of risk and are frequently exploited for initial access.

Outdated compliance practices: Traditional quarterly or annual audits are becoming obsolete; auditors now validate continuous compliance, even between scheduled audits. Compliance is tightly connected to correctly configured systems, demanding real-time configuration analytics, specifically for rapidly changing cloud environments.

Rules and regulations on breach hygiene: Modern regulations (e.g., GDPR requirements in Europe or SEC in the US) demand near-instant reporting of breaches or even suspected breaches within 48 to 72 hours. Organizations need continuous, real-time insights and monitoring, not delayed, point-in-time reports derived from static log archives.

Ineffective threat detection: XDRs and SIEMs (predominantly optimized for corporate assets such as laptops, phones, email, and Office365) often lack the deep, real-time runtime visibility needed for dynamic environments like containers, microservices, and serverless functions. Gartner reviews highlight a gap in real-time, context-aware visibility for dynamic environments. These workloads require tailored, context-aware detections and the ability to investigate across ephemeral components that disappear within minutes, closing the coverage blind spot.

CADR: Security for cloud- and AI-natives

As organizations shift to the cloud, the focus has increasingly centred on securing containerized applications and microservices: the core of modern digital services. Security teams need real-time runtime protection that empowers them to take immediate, autonomous action. Unlike traditional tools that generate isolated alerts, CADR provides rich application context, enabling security operations to understand the full story behind an incident, from exploitability to understanding the impact of the attack. While the CADR market is still emerging, it represents the need to focus on applications and their underlying infrastructure at runtime. This represents a natural evolution and strategic refinement of the Cloud Native Application Protection Platform (CNAPP) category.

Application and SRE teams need to be able to make cloud security alerts operational by simplifying incident response and enabling the SOC to act with clarity and speed. Numerous tools exist to address the different types of security threats. However, the solution isn't to pile up even more tools to cover each threat. Rather, it's smarter analytics of unified data brought into context. This is where the convergence of observability and security makes the foundational difference, through end-to-end coverage including real-time analytics for logs, traces, user behavior, security events, topology, and more.

Security isn't solely about acquiring a SIEM; it's about effectively addressing specific challenges. Often, SIEM is a broadly used term, obscuring the true requirements of modern cloud environments. CADR transforms this discussion: shifting from static log collection to achieving dynamic, interconnected security outcomes spanning vulnerability management, workload protection, compliance, and automated response. Our approach isn't merely about replacing a SIEM; it's about empowering organizations to ask more pertinent questions about their business-specific use cases and gain actionable insights. When people ask if Dynatrace is a SIEM, the answer is Yes, and we then delve into their specific needs and desired outcomes.

The biggest barrier to effective threat response in the cloud is the lack of unified context. Application and security teams often operate without full visibility into how threats impact the broader digital service environment, business objectives, or operational ownership. Making cloud security truly actionable requires converging it with observability. Only by combining deep, real-time insights into application behavior, context and topology information, infrastructure performance, and user interactions can organizations prioritize threats accurately, identify the right teams to respond, and automate remediation with minimal human intervention. This convergence ensures the speed and precision needed to reduce risk before it escalates. It also provides entirely new indicators of compromise, impossible without observability context.

The true value of leveraging a unified platform is coverage across the attack steps from initial access, through lateral movement, to exfiltration, with the additional benefit of coverage for MITRE ATT&CK as well as MITRE ATLAS. Dynatrace implements a layered security approach by leveraging full-stack observability, real user monitoring, and automatic log collection to evolve how organizations identify indicators of compromise and achieve comprehensive coverage. These efforts are further empowered by analytics using Dynatrace Query Language (DQL) on Grail and AutomationEngine. In this way, Dynatrace not only provides security findings across the full stack but adds response automation, threat detection, and investigation on top of a combined security, observability, and threat intel data set. The Dynatrace MCP server makes runtime findings accessible for both agentic AI remediation automation and information distribution. This brings, for example, runtime vulnerability remediation into the developer's IDE.

Convergence of observability and security enables improved CADR

Leveraging the abilities of AI-powered unified observability and security, Dynatrace CADR integrates the following three critical security capabilities to secure modern applications and their infrastructure:

Threat Detection & Investigation (TDI)

  • Leverages our powerful Grail data lakehouse, Logs app, and Security Investigator capabilities to analyze security and observability data in full context. Dynatrace log management enables seamless ingestion, indexing, and querying of massive volumes of log data with lightning-fast performance and low overhead. Combined with ingested threat intelligence data, ingested third-party findings, and Dynatrace's own security findings, this empowers real-time, high-fidelity threat detection and investigation, even across ephemeral and dynamic workloads. Together, these capabilities facilitate proactive threat hunting, deep forensics, and accelerated root cause analysis.

Runtime Vulnerability & Exposures Analytics (RVA) + Runtime Application Protection (RAP)

  • Pinpoints and prioritizes vulnerabilities and exposures in real time across applications, infrastructure, and operating systems.
  • Blocks malicious traffic from within the application at runtime, using rich observability context to trace threats from entry to impact and prevent exploitation (RAP).

Security Posture Management (SPM)

  • Continuously detects misconfigurations, standards compliance violations, and security policy issues that attackers exploit for persistence and privilege escalation.
  • Supports modern compliance needs by providing real-time status and reporting capabilities, crucial for adhering to strict reporting deadlines required by regulations.

+ Agentic AI response automation & integration

  • Automates remediation workflows through seamless integration with CI/CD pipelines and ITSM tools, reducing the window of exposure and operational friction.
  • Enables operationalization in organizations, allowing developers to fix vulnerabilities (Dev, e.g. connecting into the IDE via the Dynatrace MCP server), SREs to fix config issues, and SecOps teams to create detections and act on findings, all within familiar contexts and workflows.

+ AI-powered contextual risk prioritization

  • Dynatrace's causal AI, when applied to security, understands risk through Smartscape, the topology graph that prioritizes issues based on real-time topology knowledge and the attack paths reachable from each asset. It also leverages intelligent automation for tasks such as automatically disqualifying false positives and automatically dispatching confirmed vulnerabilities to the responsible development teams for remediation.

A realistic attack path, and how Dynatrace stops it

Attackers typically follow a predictable sequence of steps when targeting modern applications.

  1. Initial access: Attackers often gain access by exploiting application vulnerabilities. Dynatrace already monitors these applications for availability and performance; adding security capabilities is a simple extension. Runtime Vulnerability Analytics (RVA)/Runtime Application Protection (RAP) identifies and prevents exploitation at runtime.
  2. Persistence & privilege escalation: Attackers use misconfigurations or compliance gaps to maintain access and escalate privileges within the environment. Dynatrace Security Posture Management (SPM) identifies these risks in real time.
  3. Discovery & exfiltration: Attackers discover sensitive data and attempt to exfiltrate it. Dynatrace Threat Detection and Investigation (TDI) detects and investigates suspicious behaviour using deep observability context, providing full traceability.

By integrating RVA/RAP, SPM, and TDI, Dynatrace CADR offers a comprehensive, unified approach that maps directly to these attack stages, allowing you to detect, respond to, and manage security risks effectively across your modern workloads.

Final thoughts: Why CADR is the logical next step

  • Organizations can't secure what they can't see. Dynatrace not only delivers complete visibility into digital environments but also maps the dependencies between assets, providing critical topology insights. By leveraging layered security insights and converging observability and security, Dynatrace makes securing modern applications actionable, automated, and accessible to the teams who already use Dynatrace for observability, with security deeply integrated into their existing workflows.
  • Whether consolidating basic log management or needing advanced runtime threat detection, Dynatrace offers the platform to address these needs.
  • CADR is the natural next step for any Dynatrace customer running modern workloads and the fastest path to proactive, real-time cloud application security for any organization facing the unique challenges of the modern attack surface.

Dynatrace Inc. published this content on July 21, 2025, and is solely responsible for the information contained herein. Distributed via Public Technologies (PUBT), unedited and unaltered, on July 21, 2025 at 13:11 UTC.