Databricks Lakewatch: Transforming Cybersecurity Through Open Data and Agentic Defense
Databricks delivers a disruptive security solution that eliminates the financial burden of traditional data ingestion by leveraging an open lakehouse architecture and autonomous AI agents to provide high-speed, comprehensive threat protection across all corporate telemetry.
4/01/2026
Key Highlights
- Databricks Lakewatch consolidates security, IT, and business data into a single governed lakehouse, eliminating silos and providing a unified foundation for AI-powered threat detection.
- By decoupling storage from compute, the platform neutralizes the traditional data tax, allowing organizations to retain 100% of their telemetry while potentially reducing total cost of ownership by up to 80%.
- The platform uses Agent Bricks and specialized AI swarms to automate complex investigative workflows and counter sophisticated AI-driven attacks in real time.
- Lakewatch expands visibility beyond standard logs to include unstructured data such as audio, video, and chat, enabling the identification of subtle human-centric threats like social engineering.
- Built on open formats and managed via Unity Catalog, the solution ensures vendor-neutral data sovereignty while maintaining compliance with global standards like DORA and NIS2.
The News
Databricks, the Data and AI company, announced Lakewatch, a new open, agentic SIEM (Security Information and Event Management) designed to help organizations defend against increasingly sophisticated AI-agent-driven attackers. Lakewatch is designed to unify security, IT, and business data into a single, governed environment for AI-driven detection and response. Lakewatch is now available in Private Preview. For more information, read the Databricks press release.
Analyst Take
Databricks has launched Lakewatch, an open and agentic SIEM platform built to combat the rise of advanced AI-driven threats. By consolidating security, IT, and corporate data into one governed space, it provides a unified foundation for AI-powered threat detection. Because Lakewatch uses open formats, organizations can process massive amounts of diverse data without the high costs or restrictive silos typically associated with traditional security implementations.
From our viewpoint, Lakewatch represents a shift from reactive to proactive defense by neutralizing the data tax that previously forced organizations to guess which quarter of their telemetry was worth keeping and discard the rest. By leveraging an open lakehouse architecture to ingest multi-modal data, Databricks is eroding the attacker's primary advantage: the ability to hide within the dark data that traditional SIEMs found too expensive to process.
This transition to an agent-on-agent warfare model means that security is no longer a human-scaling problem, but a computational one where defense can finally achieve the same lateral speed as a coordinated breach. As such, Lakewatch transforms the SIEM from a passive historical archive into an active, autonomous nervous system capable of identifying subtle human-centric threats such as social engineering across previously siloed communication channels.
Scalable and Open Agentic SIEM for the Modern Enterprise
Lakewatch leverages the power of an open security lakehouse to provide autonomous, agent-driven protection at a massive scale. By using Agent Bricks, security teams can develop and launch specialized agents that manage complex investigative workflows from start to finish. These agents automatically process and refine telemetry across hundreds of data formats, significantly accelerating detection and response times while keeping all operations within a secure, governed data environment.
To combat analyst burnout, the platform integrates Automated Security Intelligence powered by Genie. This system streamlines the triage process and orchestrates multi-step defense strategies, allowing human experts to move past alert fatigue and concentrate on the most critical, high-impact security threats. This intelligence is supported by a truly Open Ecosystem, which consolidates structured and unstructured data into a cloud-agnostic hub. This architecture integrates seamlessly with a broad network of industry leaders—including Okta, Palo Alto Networks, and Wiz—to identify everything from insider threats to sophisticated social engineering.
The platform further modernizes security operations through a Detection-as-Code approach, in which detection rules are written as code, version-controlled, tested against known-good and known-bad samples, and deployed through the same review pipeline as any other software. This technical agility is balanced by robust Governance and Compliance features managed through Unity Catalog. This framework provides automated policy enforcement and economical long-term data storage, helping global organizations satisfy stringent regulatory requirements such as DORA and NIS2. Today, key players such as Adobe and Dropbox rely on Lakewatch to centralize their security data and achieve rapid, AI-driven threat mitigation.
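To make the Detection-as-Code idea concrete, the following is an added illustration written for this article; it is not Lakewatch code and does not use any Databricks API. It assumes authentication events have already been normalised into flat records with the fields shown (`ts`, `action`, `outcome`, `user`, `src_ip`); the rule identifier, threshold, window and the sample events are all constructed for the example. The rule's metadata, its logic and its test fixture live in one reviewable unit, which is the property that lets a detection be diffed, unit-tested and promoted like ordinary software.

```python
"""Detection-as-code example (added illustration, not Lakewatch code).

Field names, the rule id, the threshold and the events below are
constructed assumptions for this example.
"""
import json
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Rule:
    """Rule metadata sits next to the logic so a code review sees both."""
    id: str
    title: str
    severity: str
    distinct_users: int   # fire when one source fails against this many users
    window: timedelta     # sliding window over which failures are counted
    mitre: str            # ATT&CK technique the rule is meant to catch


PASSWORD_SPRAY = Rule(
    id="AUTH-0001",                      # hypothetical identifier
    title="Password spray: one source, many failed users",
    severity="high",
    distinct_users=5,
    window=timedelta(minutes=10),
    mitre="T1110.003",
)


def detect_password_spray(events, rule=PASSWORD_SPRAY):
    """Return one alert per source IP whose failed logins hit
    >= rule.distinct_users different accounts inside rule.window."""
    history = defaultdict(list)   # src_ip -> [(timestamp, user), ...]
    fired, alerts = set(), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev.get("action") != "login" or ev.get("outcome") != "failure":
            continue              # successes and non-login events are ignored
        ts, src = datetime.fromisoformat(ev["ts"]), ev["src_ip"]
        # keep only failures that are still inside the sliding window
        history[src] = [(t, u) for t, u in history[src] if ts - t <= rule.window]
        history[src].append((ts, ev["user"]))
        users = {u for _, u in history[src]}
        if len(users) >= rule.distinct_users and src not in fired:
            fired.add(src)        # one alert per source, not one per event
            alerts.append({
                "rule_id": rule.id, "title": rule.title,
                "severity": rule.severity, "mitre": rule.mitre,
                "src_ip": src, "distinct_users": len(users),
                "window_start": history[src][0][0].isoformat(),
                "window_end": ts.isoformat(),
            })
    return alerts


def _ev(ts, user, src, outcome="failure"):
    return {"ts": ts, "action": "login", "outcome": outcome,
            "user": user, "src_ip": src}


# Constructed fixture: a spray, a single user mistyping a password,
# a success, and an old burst that falls outside the window.
SAMPLE_EVENTS = [
    _ev("2026-04-01T09:00:05", "alice", "203.0.113.7"),
    _ev("2026-04-01T09:00:20", "bob", "203.0.113.7"),
    _ev("2026-04-01T09:00:41", "carol", "203.0.113.7"),
    _ev("2026-04-01T09:01:03", "dave", "203.0.113.7"),
    _ev("2026-04-01T09:01:30", "erin", "203.0.113.7"),
    _ev("2026-04-01T09:01:55", "frank", "203.0.113.7"),
    _ev("2026-04-01T09:02:10", "heidi", "203.0.113.7", outcome="success"),
] + [
    _ev(f"2026-04-01T09:03:{s:02d}", "grace", "198.51.100.5") for s in range(0, 60, 10)
] + [
    _ev("2026-04-01T08:00:00", "alice", "203.0.113.9"),
    _ev("2026-04-01T08:01:00", "bob", "203.0.113.9"),
    _ev("2026-04-01T09:20:00", "carol", "203.0.113.9"),
    _ev("2026-04-01T09:21:00", "dave", "203.0.113.9"),
    _ev("2026-04-01T09:22:00", "erin", "203.0.113.9"),
]


def selftest():
    """The rule ships with its own regression test; CI runs this."""
    alerts = detect_password_spray(SAMPLE_EVENTS)
    assert [a["src_ip"] for a in alerts] == ["203.0.113.7"]
    assert alerts[0]["distinct_users"] == PASSWORD_SPRAY.distinct_users
    assert alerts[0]["window_end"] == "2026-04-01T09:01:30"
    return True


if __name__ == "__main__":
    selftest()
    print(json.dumps(detect_password_spray(SAMPLE_EVENTS), indent=2))
```

The fixture deliberately includes the two classic false-positive sources, a single user failing repeatedly and an old burst outside the window, so a change to the threshold or window that breaks either case fails the self-test before the rule reaches production.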
Databricks Lakewatch: Disrupting the SIEM Market with Agentic Defense and Open Data Economics
With the debut of Lakewatch, we see Databricks pivoting from a data analytics focus to challenge the established SIEM landscape. This move places the company in direct competition with established leaders such as Splunk (Cisco) and IBM QRadar, whose rigid, rule-bound systems can incur high ingestion costs. Furthermore, Databricks is taking on cloud-centric giants such as Microsoft Sentinel and Google Chronicle by providing a cloud-agnostic alternative, while simultaneously competing with XDR specialists like CrowdStrike and Palo Alto Networks by breaking down the silos that typically isolate security logs from broader business intelligence.
From our perspective, one of the platform's key advantages is its decoupled economics, which removes the financial penalty for high-volume data ingestion. Unlike traditional SIEMs that force teams to discard the majority of their telemetry to manage costs, Lakewatch charges based on compute usage rather than data volume. By maintaining information within the customer's own Delta Lake, organizations can achieve up to an 80% reduction in total cost of ownership, enabling them to store and monitor petabytes of data for years without leaving dark data vulnerable to attackers.
Beyond cost, Lakewatch introduces Agentic Machine-Speed Defense, moving away from manual dashboard monitoring toward autonomous response. By using Agent Bricks, leveraging advanced LLMs like Anthropic Claude, the system deploys independent security agents capable of hunting for threats and executing complex mitigation strategies at the same velocity as modern AI-driven attacks. This is complemented by native multi-modal analysis, which enables the platform to inspect non-traditional data sources such as audio, video, and chat transcripts to uncover insider threats and social engineering attempts that standard log-based tools often miss.
Overall, Databricks differentiates itself through an open security ecosystem that prioritizes data sovereignty and integration. Through Delta Sharing and Unity Catalog, partners such as Okta, Wiz, and Zscaler can stream telemetry directly into a single, governed environment without the need for expensive data replication. By consolidating security intelligence within the same space where the core business data already resides, Databricks eliminates the latency and fragmentation inherent in traditional, siloed security architectures.
Strategic Convergence: How Databricks Leverages Anthropic and Specialized Acquisitions to Architect the Agentic SIEM Era
Databricks is solidifying its position in the security market by deepening its partnership with Anthropic and acquiring key startups Antimatter and SiftD.ai to accelerate the development of its agentic SIEM, Lakewatch. By integrating Anthropic’s Claude models, Databricks leverages advanced reasoning to correlate signals across disparate business and security data, while Anthropic itself has adopted the Databricks platform for its own internal security operations. The acquisitions of Antimatter and SiftD.ai further bolster this effort, bringing in UC Berkeley researchers specializing in AI agent authentication and the architects behind Splunk’s search language to refine threat analytics.
From a market perspective, we read this talent-and-tech blitz as a tactical offensive against established providers such as Cisco/Splunk, aiming to replace rule-based systems with a modern, agent-driven architecture. This move can create a new barrier to entry for other SIEM competitors by combining competitive reasoning models with the foundational security protocols required for autonomous agents to act with authority. These strategic integrations can transform the SIEM into a high-trust, intelligent data layer, encouraging cybersecurity decision makers to prioritize shifting from simple log aggregation toward provably secure, autonomous remediation.
Looking Ahead
We believe Databricks Lakewatch is positioned to succeed by disrupting the traditional data tax model, enabling organizations to analyze 100% of their telemetry at a fraction of the cost of established SIEMs. By integrating Anthropic's advanced reasoning directly into the data lakehouse, it transforms security from a passive logging exercise into an active, agentic defense system capable of matching the speed of AI-driven attackers. Moreover, the strategic acquisition of the architects behind Splunk's search language and UC Berkeley's security researchers provides the deep technical DNA necessary to convert complex business data into provably secure, autonomous threat remediation.
Organizations should explore Databricks Lakewatch to transition from fragmented legacy SIEMs toward a modern, agentic security framework integrated within their current data lakehouse. This architecture enables the ingestion of all telemetry types, including complex unstructured formats, while driving down expenses by as much as 80% through the separation of storage and processing costs. By deploying autonomous AI swarms to counter automated threats, the platform empowers security teams to detect and neutralize sophisticated attacks with the speed and precision required in an AI-driven landscape. Teams piloting autonomous response should still scope agent permissions to the minimum each workflow needs and keep destructive actions behind human approval until their detections have proven reliable in production.
Ron Westfall | VP and Practice Leader for Infrastructure and Networking
Ron Westfall is a prominent analyst figure in technology and business transformation. Recognized as a Top 20 Analyst by AR Insights and a Tech Target contributor, his insights are featured in major media such as CNBC, Schwab Network, and NMG Media.
His expertise covers transformative fields such as Hybrid Cloud, AI Networking, Security Infrastructure, Edge Cloud Computing, Wireline/Wireless Connectivity, and 5G-IoT. Ron bridges the gap between C-suite strategic goals and the practical needs of end users and partners, driving technology ROI for leading organizations.