diff --git a/datadog-integration/modules/regional-stacks/main.tf b/datadog-integration/modules/regional-stacks/main.tf
index 41e2c79..323e5e3 100644
--- a/datadog-integration/modules/regional-stacks/main.tf
+++ b/datadog-integration/modules/regional-stacks/main.tf
@@ -40,7 +40,7 @@ module "vcn" {
 vcn_cidrs = ["10.0.0.0/16"]
 vcn_dns_label = "ddvcnmodule"
 vcn_name = local.vcn_name
- lockdown_default_seclist = false
+ lockdown_default_seclist = var.lockdown_default_seclist
 subnets = {
 private = {
diff --git a/datadog-integration/modules/regional-stacks/variables.tf b/datadog-integration/modules/regional-stacks/variables.tf
index c5ac420..a761a05 100644
--- a/datadog-integration/modules/regional-stacks/variables.tf
+++ b/datadog-integration/modules/regional-stacks/variables.tf
@@ -51,3 +51,10 @@ variable "subnet_ocid" {
 error_message = "If provided, subnet_ocid must be a valid subnet OCID starting with: ocid1.subnet.oc[0-9]."
 }
 }
+
+variable "lockdown_default_seclist" {
+ type = bool
+ description = "If true, removes the default OCI security list rules (SSH/ICMP) from Datadog-created VCNs."
+ default = true
+}
+
diff --git a/datadog-integration/regional_stack.tf b/datadog-integration/regional_stack.tf
index 8e81826..2938ac8 100644
--- a/datadog-integration/regional_stack.tf
+++ b/datadog-integration/regional_stack.tf
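Review bot: Replacing the hard-coded `false` with `var.lockdown_default_seclist`, whose default in the new module variable is `true`, means every existing regional stack that re-applies after this version will start stripping rules from its VCN default security list with no operator action; the `module "vcn"` block starts and ends outside the hunk. That is the right direction from a hardening standpoint, but it is a silent behavior change for upgraders, so it deserves a sentence in the changelog or in the variable's description, e.g. `Stacks created before this option existed will be locked down on their next apply unless this is set to false.` It is also worth confirming that nothing in the regional stack relies on the default security list's rules rather than on an explicit security list or NSG, since those paths would lose connectivity once the default rules are removed.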
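Review bot: The description of the new `lockdown_default_seclist` variable says it removes "SSH/ICMP" rules, while the same option is described in `datadog-integration/variables.tf` as removing "default OCI security list ingress rules (including SSH)" and in `datadog-integration/schema.yaml` as removing "default OCI ingress rules (including SSH on port 22)". Which rules the upstream vcn module actually strips when this flag is set (ingress only, or the default egress rule as well) is not visible in this diff, so the three texts should be aligned after checking the module's own documentation rather than each paraphrasing it. One wording reused verbatim in all three places would avoid the drift, e.g. `When true, Oracle's default rules are removed from the default security list of the VCN this stack creates; explicitly attached security lists and NSGs are not affected.` (adjusted to whatever the module documents).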
@@ -65,7 +65,7 @@ resource "null_resource" "regional_stacks_create_apply" {
 --config-source ${path.module}/modules/regional-stacks/dd_regional_stack.zip --variables '{"tenancy_ocid": "${var.tenancy_ocid}", "region": "${each.key}", \
 "compartment_ocid": "${module.compartment.id}", "datadog_site": "${var.datadog_site}", "api_key_secret_id": "${module.kms[0].api_key_secret_id}", \
 "home_region": "${local.home_region_name}", "region_key": "${local.subscribed_regions_map[each.key].region_key}", \
- "subnet_ocid": "${lookup(local.region_to_subnet_ocid_map, each.key, "")}"}' \
+ "subnet_ocid": "${lookup(local.region_to_subnet_ocid_map, each.key, "")}", "lockdown_default_seclist": ${var.lockdown_vcn_default_seclist ? "true" : "false"}}' \
 --wait-for-state ACTIVE \
 --max-wait-seconds 120 \
 --wait-interval-seconds 5 \
diff --git a/datadog-integration/schema.yaml b/datadog-integration/schema.yaml
index d947ea7..f8556d0 100644
--- a/datadog-integration/schema.yaml
+++ b/datadog-integration/schema.yaml
@@ -32,6 +32,7 @@ variableGroups:
 variables:
 - ${show_advanced_options}
 - ${compartment_id}
+ - ${lockdown_vcn_default_seclist}
 - ${domain_id}
 - ${user_email}
@@ -125,6 +126,16 @@ variables:
 default: null
 visible: ${show_advanced_options}
+ lockdown_vcn_default_seclist:
+ title: Lock down VCN default security list
+ type: boolean
+ description: |
+ Removes the default OCI ingress rules (including SSH on port 22) from Datadog-managed VCNs when enabled.
+ Disable only if you require Oracle's default security list behavior.
+ required: false
+ default: true
+ visible: ${show_advanced_options}
+
 existing_user_id:
 title: User ID
 type: string
diff --git a/datadog-integration/variables.tf b/datadog-integration/variables.tf
index eb7634b..bad1248 100644
--- a/datadog-integration/variables.tf
+++ b/datadog-integration/variables.tf
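Review bot: The new `"lockdown_default_seclist": ${var.lockdown_vcn_default_seclist ? "true" : "false"}` entry emits an unquoted JSON boolean, whereas every other entry in this `--variables` payload is a quoted string; as far as I recall the Resource Manager stack `variables` field is a string-to-string map in the OCI SDKs, so a bare `true` may be rejected or coerced differently by the CLI, while the child stack's `bool` variable accepts `"true"` either way. The ternary is also redundant, since Terraform already renders a bool as `true`/`false` inside a string template. Suggest `"lockdown_default_seclist": "${var.lockdown_vcn_default_seclist}"` to match the surrounding entries. More broadly, this payload is hand-built JSON inside a single-quoted shell argument, so any interpolated value containing `'` or `"` would break the command; building it with `jsonencode({...})` would remove that class of problem, though that predates this change. The `null_resource` body starts and ends outside the hunk.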
@@ -77,6 +77,12 @@ variable "logs_enabled" {
 default = false
 }
+variable "lockdown_vcn_default_seclist" {
+ type = bool
+ description = "When true, removes the default OCI security list ingress rules (including SSH) from Datadog-managed VCNs."
+ default = true
+}
+
 variable "domain_id" {
 type = string
 description = "The OCID of the Identity Domain to use for the Datadog QuickStart stack"