SEC-18536: clarify agentless costs

DataDog · Jan 28, 2025 · edb6720 · edb6720
1 parent 1cde8b7
commit edb6720
Showing 1 changed file with 13 additions and 1 deletion.
diff --git a/.../en/security/cloud_security_management/agentless_scanning/deployment_methods.md b/.../en/security/cloud_security_management/agentless_scanning/deployment_methods.md
@@ -17,10 +17,12 @@ further_reading:
 
 There are two recommended ways to deploy Agentless scanners in your environment, either using cross-account scanning, or same account scanning.
 
-**Note**: When using Agentless Scanning, there are additional costs for running scanners in your cloud environments. To optimize on costs while being able to reliably scan every 12 hours, Datadog recommends setting up Agentless Scanning with Terraform as the default template, as this also avoids cross-region networking. 
+**Note**: When using Agentless Scanning, there are additional costs for running scanners in your cloud environments. To optimize on costs while being able to reliably scan every 12 hours, Datadog recommends setting up Agentless Scanning with Terraform as the default template, as this also avoids cross-region networking.
 
 To establish estimates on scanner costs, reach out to your [Datadog Customer Success Manager][1].
 
+The scanner cost is under $1 per host per year for accounts following the [recommended configuration](#recommended-configuration).
+
 {{< tabs >}}
 {{% tab "Cross-account scanning" %}}
 
@@ -47,6 +49,16 @@ The following diagram illustrates how Agentless scanning works when deployed wit
 {{% /tab %}}
 {{< /tabs >}}
 
+## Recommended configuration
+
+To improve the scanner's efficacy, ensure your setup follows those guidelines:
+
+- Scanners are deployed in a single AWS account
+- A scanner is deployed in each region that has either:
+  - More than 250 hosts
+  - Any data store if using [Cloud Storage Scanning](/security/cloud_security_management/agentless_scanning#cloud-storage-scanning)
+
+Datadog will automatically schedule scans to the right region in order to maximize the scanner's efficacy and minimize the cross region costs.
 
 **Note**: The actual scanned data remains in your infrastructure, and only the collected list of packages, as well as information related to collected hosts (hostnames/EC2 Instances), are reported back to Datadog.