The 28 Datadog security checks Black Cat runs
Black Cat SSPM evaluates 28 security policies against your Datadog configuration on every scan, classifies each finding by risk, and provides remediation steps. Below is the full list, grouped by category.
access control
Enable SAML SSO in Datadog organization settings
Enable SAML strict mode to require SSO for all users
Assign the Datadog Admin role to at least two users for redundancy
Reduce the number of admin users to limit blast radius of compromised accounts
Remove admin privileges from users outside the organization's email domain
Ensure all active users have completed email verification or re-send the invitation
Remove disabled users from the organization directory to reduce attack surface
Review and justify external user accounts or remove those no longer required
Restrict dashboard access by limiting edit permissions to specific roles
Add role-based restrictions to read-only dashboards that may contain sensitive data
Remove admin privileges from service accounts with external email domains
Remove admin privileges from service accounts and assign a least-privilege role
Review service account custom roles and replace with least-privilege built-in roles where possible
Restrict application key scopes to read-only permissions where write access is not required
Add explicit scopes to application keys to prevent implicit full-permission inheritance from the key owner
Review and justify external service accounts or remove those no longer required
Ensure admin users complete email verification or remove unverified admin accounts
Remove the admin role from disabled users or delete the account entirely
Reduce application key scopes to the minimum required set
Immediately rotate API keys older than two years
audit
Enable Audit Trail to capture user activity and configuration changes
Increase audit log retention to at least 90 days
Increase audit log retention to at least 30 days to meet the minimum regulatory floor
data leakage
Disable public dashboard widget sharing at the organization level
Revoke the public URL for the flagged dashboard to prevent unauthenticated access
key management
Revoke or rotate API keys that have not been used recently
Rotate API keys older than 365 days to reduce the risk of long-lived credential exposure
sharing
Set publicly shared dashboards to read-only or revoke the public URL