Databricks Enters Cybersecurity with Lakewatch, Its New Agent-Based and Open SIEM

Databricks has decided to fully enter the cybersecurity market with the launch of Lakewatch, a new platform that the company describes as an open and agentic SIEM designed to address a reality that is already concerning many organizations: attackers are also beginning to use AI agents to scan systems, detect vulnerabilities, and automate offensive campaigns at machine speed. The product was announced on March 24, 2026, and is currently in Private Preview.

Databricks’ proposition starts with a direct critique of traditional SIEMs. According to the company, many security teams still work with fragmented architectures, high ingestion costs, and incomplete visibility over their own data. Databricks claims that these limitations lead some organizations to discard up to 75% of their telemetry due to cost, precisely when attackers can operate with more automation, persistence, and speed.

A SIEM built on the concept of “security lakehouse”

Lakewatch is presented not just as a new security console but as an extension of the lakehouse approach that Databricks has been advocating for years in analytics and AI. The idea is to unify security, IT, and business data within a governed environment, without constantly moving or duplicating data, and to keep it in open formats to avoid vendor lock-in. Databricks states that this allows retention and analysis of unprecedented volumes of information, even over years, with a Total Cost of Ownership (TCO) up to 80% lower than traditional SIEMs. Nonetheless, this figure is part of the company’s marketing promise and is not backed by a detailed public methodology in the announcement.

The company also emphasizes that Lakewatch is designed for multimodal data, not just classic logs and events. It explicitly mentions the ability to analyze audio and video to detect social engineering, insider threats, or anomalies. This is one of the most striking parts of the announcement, as it broadens the SIEM concept beyond infrastructure event logging to a security platform capable of ingesting almost any signal within the enterprise.

Agents to defend against agents

The core message of Lakewatch is its agentic nature. Databricks suggests that if attackers begin operating with autonomous agents, defenders will need to respond with another kind of automation. That’s why Lakewatch relies on Agent Bricks to build, optimize, and deploy security agents capable of managing complex detection, triage, and investigation workflows end-to-end. Additionally, it integrates Genie to automate parts of analysis, reduce alert fatigue, and help plan multi-step responses.

This approach aligns with Databricks’ overall strategy, which in recent weeks has also introduced Genie Code and has strengthened its narrative around enterprise agents and advanced automation. However, in security, the promise carries a greater expectation: any automation must operate within governance, traceability, and damage control, because operational errors impact not only productivity but also the response capabilities of a real SOC. Databricks addresses this concern by emphasizing governance and the fact that agents run within a pre-governed environment.

Open ecosystem, detection as code, and compliance

Another key aspect of the announcement is the creation of an Open Security Lakehouse Ecosystem, a network of partners and manufacturers including names like Akamai, Arctic Wolf, Cribl, Okta, Palo Alto Networks, 1Password, Panther, Proofpoint, Slack, Wiz — now part of Google Cloud — and Zscaler, among others. Databricks aims to convey that Lakewatch is not a closed system but can integrate with existing tools and operate over a cloud-agnostic architecture based on open standards.

The platform also introduces a layer of Detection-as-Code, with version-controlled rules management and automated deployments, and leverages Unity Catalog for governance and compliance. Databricks explicitly mentions regulatory frameworks like NIS2 and DORA, which are increasingly referenced when vendors target security solutions for large European or highly regulated organizations. The overarching idea is to compete not just on analytic capability but also on control, long-term retention, and traceability in demanding compliance environments.

Anthropic and two acquisitions to strengthen the push

The launch of Lakewatch is accompanied by three strategic moves. First is a deepening partnership with Anthropic: Databricks confirms that its Claude models help drive Lakewatch by leveraging their reasoning capabilities to correlate signals across security, IT, and business data. The company also notes that Anthropic itself uses Databricks for its internal security lakehouse. This collaboration builds on a prior partnership announced in March 2025 for integrating Claude into the Databricks platform.

The second and third moves are the acquisitions of Antimatter and SiftD.ai. According to Databricks, Antimatter brings expertise in verifiably secure authentication and authorization for AI agents, while SiftD.ai adds deep knowledge of large-scale threat analytics and search engines drawn from the technical legacy of Splunk: it was founded by the creators of SPL and by architects of Splunk’s search stack. Financial details of the acquisitions have not been disclosed in the official material.

An ambitious move targeting the heart of modern SOCs

Databricks’ entry into SIEM makes strategic sense. The company has been growing as a platform for data, AI, and enterprise agents, and security appears as a natural extension: if data and AI already reside in the lakehouse, the next step is to bring detection and response there as well. The company claims that clients like Adobe and Dropbox are already using Lakewatch to unify data and detect threats more quickly, though availability remains limited to private preview for now.

The challenge now is to demonstrate whether this ambition can translate into real security operations. The SIEM market is not empty, and competing in it requires more than a compelling AI narrative. It demands robust integrations, analytical accuracy, genuinely lower costs, and enough operational trust that a SOC can delegate parts of its triage to automated agents. Databricks has already set out its message: security, too, should be lakehouse-based, open, and native to the agent era. It now needs to prove that this vision works beyond the promotional stage.

Frequently Asked Questions

What is Databricks Lakewatch?
Lakewatch is an open and agentic SIEM announced by Databricks to unify security, IT, and business data within a governed environment, enhancing detection and response with AI.

Is Lakewatch available to all customers now?
No. Databricks has stated that Lakewatch is currently in Private Preview, so it is not yet generally available.

What role do Anthropic and Claude play in Lakewatch?
Databricks states that Anthropic’s Claude models assist in correlating signals from security, IT, and business to accelerate threat detection.

What acquisitions has Databricks announced alongside Lakewatch?
The company announced the acquisitions of Antimatter and SiftD.ai to bolster its open, agentic SIEM approach.

via: databricks