With the 2026 ETR Observatory for Observability Tools releasing April 21, we're revisiting last year's panel discussion. The conversation has only grown more relevant as AI capabilities mature, vendor consolidation pressures intensify, and the boundary between observability and security continues to blur.
Budgets are tightening, AI is seeping into every monitoring layer, and the line separating observability from security is dissolving faster than most organizations expected. ETR convened a panel of senior IT leaders to get a candid read on which vendors are winning, which are falling behind, and where the market is heading next.
What emerged is a competitive field where no single vendor dominates outright, AI capabilities are promising but uneven, and the best-of-breed versus consolidation debate remains very much unresolved.
Dynatrace remains the go-to platform for application performance monitoring, built on its end-to-end session view and automated root-cause analysis. "Dynatrace gives us the customer experience from the time they log in, to the time the transaction is being made," says one of the panelists. "It gives a second-by-second view of what exactly the journey looks like. Then we can look at it from their path perspective — where was the delay and all that?"
ETR data reinforces this position: in the ETR Observatory for Observability's Likelihood to Recommend analysis, Dynatrace holds the fourth-highest Net Promoter Score in the field, trailing only Datadog, Microsoft Azure Monitor, and Amazon CloudWatch.
Datadog is gaining ground as the perceived innovation leader. Another panelist is direct: "I think Datadog is by far the best in class, and the one that's innovating the most. APM, ITOM, or any type of OPS tracking. They're really growing from what they started out as a basic APM." Its DevSecOps automation is winning converts, and its generative AI (GenAI)-powered monitoring for large language models is drawing significant interest, particularly from financial services CIOs. In ETR survey data, Datadog ranks as the most innovative vendor overall, while Microsoft and AWS top the list of vendors users would choose if rebuilding their tech stack from scratch.
Splunk holds steady as the default log aggregator for infrastructure and security telemetry. Several panelists note it has effectively replaced legacy tools like SolarWinds following the latter's high-profile breach. Its customizable dashboards earn consistent praise. "Creating the more tailored dashboarding within Splunk definitely is a huge strength that I've seen," says one of the panel leaders. Some question whether Splunk arrived late to full-stack observability, but its footprint in enterprise environments remains deeply entrenched.
Grafana earns mentions for unrivaled dashboard customization and network-flow visualization, particularly as organizations consolidate data centers and networks take on greater strategic importance. Cloud-native tools, including Microsoft Azure Monitor and Google Cloud Platform, are gaining interest on the strength of tight ecosystem integration and cost-efficiency advantages.
Cloud-monitoring vendors are racing to embed AI features, and panelists are candid: most implementations are still works in progress. "I think in most of the ones that are on the list here, we're sort of premature at this point," says one executive. "We have to give it till the end of the year, and then we'll sort of see what actually materializes."
The more established platforms are further along. Dynatrace Davis AI, Datadog Bits AI, and New Relic Grok are already improving anomaly detection, root-cause analysis, and resolution times through machine learning baseline modeling. Early AI releases from newer entrants have disappointed. CrowdStrike's Charlotte AI was described as "a miserable product" at launch, though panelists acknowledge it has since improved.
The next frontier, according to one CIO, is domain-specific large language models that create "fingerprints" of normal system behavior at the semantic level, catching anomalies that traditional statistical methods miss. "They're beginning to integrate organizational knowledge bases, and they surface automatically the relevant documentation and past incidents during troubleshooting. It's extremely helpful, not only to focus on faster resolution, but also the preventative side as well."
For now, the more established suites have a meaningful lead on the field.
Budget pressure is steering some organizations toward single-vendor platforms, with consolidation promising stronger pricing leverage and simpler skill requirements. Microsoft Azure Monitor benefits from tight integration with Azure Cost Management, making it increasingly attractive for cost-conscious teams already invested in the Azure ecosystem.
Not everyone is convinced. "I think that you're at more of a risk putting all of your eggs in one basket, especially when that basket may contain players that are not necessarily the leaders in the space," one panelist cautions. The same executive points to history as a warning: "Microsoft starts off slow, but they may catch up. Look at the Teams effect. We're on Zoom, right, but it took Teams a long time to get there."
Panelists are equally skeptical of open-source and freemium tools at enterprise scale. The consensus: tools like Grafana and Elastic offer value in development and user acceptance testing environments, but lack the enterprise support, scalability guarantees, and 24/7 coverage that mission-critical systems require. "Freemium and open-source tools often rely on community forums and documentation for support, which puts large enterprises at risk, especially if you need immediate, comprehensive, and guaranteed 24/7 support, and especially if you have mission-critical systems."
The risk compounds at scale. "Ultimately, companies often end up with a Frankenstein stack of multiple open source tools, and that leads to integration issues, fragmented visibility, and operational complexity," says one CIO.
A number of vendors are gravitating toward larger product portfolios, but panelists suggest they may be encroaching on a market that mature, purpose-built players already own.
LogicMonitor earns a notable call-out for hybrid environments, offering infrastructure, application, and server monitoring across AWS, Azure, and GCP in a single platform. "It seems like they have a very good integration with all the cloud players, whether it's AWS, Azure, or GCP, so if you have things running on these, it can easily do it. It's a cost-effective solution."
An observability platform's value is demonstrated by how fast it pinpoints trouble and trims downtime. For several panelists, mean time to resolution (MTTR) is the priority metric. "Rather than kind of fishing around, pulling network traces, and calling different teams, [Dynatrace] really speeds up the finding of what the issue is to be able to address it," says one panelist.
Others cite mean time to detect (MTTD), incident frequency, and reductions in engineering hours spent on troubleshooting as core measures. "Very often the incidents are being measured by people days lost, or some other business impact, like dollars, pounds, or euros. The best practice is to use real-time monitoring, alerting, and comprehensive dashboards to actually maintain that visibility and drive continuous improvement."
Transaction-level metrics, including time to first byte (TTFB), allow organizations to enforce strict performance SLAs across every customer interaction. Notably, Dynatrace gathers detailed KPIs without degrading website performance, a differentiator several panelists called out by name.
The boundary between observability and security is actively dissolving. Splunk has evolved from a monitoring dashboard into a full-blown security information and event management (SIEM) system. CyberArk's identity and privilege-access tools now perform operational risk assessments on anomalous login behavior. Vendors like Datadog, Dynatrace, and Elastic are positioning as unified platforms serving development, operations, and security teams from a shared data pipeline.
Identity is emerging as a key dimension of this convergence. Observability tools are incorporating zero-trust principles, including continuous verification of system behavior, to serve both operational and security purposes simultaneously. "I think the rise of DevSecOps has driven companies to look for tools that provide a single source of truth across development, operations, and security teams," says one executive. "Identity is becoming a very important dimension in both security and observability."
Not all panelists embrace full convergence. One executive questions whether app teams and security teams will realistically share the same tooling in practice, noting that some functions, including log aggregation, tend to remain organizationally separate even when the underlying data is shared.
The longer-term view from panelists: observability shifts "upstream" and becomes as routine as unit testing, aided by natural language interfaces that make dashboards accessible to both junior engineers and C-suite executives. "The distinction between development, declarations, and security tools will continue to kind of dissolve because we recognize that resilient systems require seamless visibility across all domains."
Dynatrace, Splunk, and Datadog lead in adoption, each with distinct strengths. Dynatrace leads in application performance monitoring and root-cause automation. Splunk remains the default for log aggregation and security telemetry. Datadog is the perceived innovation leader, particularly in AI-powered DevSecOps and end-to-end observability.
Cloud-native tools are gaining interest, with caution attached. Azure Monitor benefits from ecosystem integration and cost alignment with Azure Cost Management. Open-source tools like Grafana and Elastic deliver value in controlled environments but raise support and scalability concerns at enterprise scale.
AI capabilities are real but uneven. Established platforms lead on anomaly detection and root-cause automation. Newer entrants are still catching up. Most panelists expect meaningful AI maturation by year-end, with domain-specific large language models as the next significant frontier.
Observability and security are converging. Log analysis, anomaly detection, and API monitoring increasingly serve both functions. Identity and zero-trust principles are entering the observability layer, and the product category boundaries are dissolving as a result.
The best-of-breed vs. consolidation debate has no clear winner. Some organizations favor consolidation for pricing leverage and operational simplicity. Others warn against concentrating on platforms that are not category leaders in each discipline. The market remains fragmented, with no single dominant vendor.
One panelist puts the long-term stakes plainly: "Perhaps most exciting is how observability is becoming increasingly democratized. Once it required kind of specialized knowledge, but it's becoming quite accessible through natural language interfaces and automated insights, and that allows everyone from very junior people to senior executives to gain meaningful understanding. The winners in this space perhaps will not be determined by who has the most features, but who can kind of transform that complexity into very nice and actionable clarity."
Looking ahead: The 2026 ETR Observatory for Observability Tools releases April 21. In the meantime, review the 2025 Observatory for Observability Tools summary.