Databricks is tackling the cybersecurity market with Lakewatch. Previously positioned as “the Data and AI company,” the vendor is taking a new step.
This next-generation SIEM (Security Information and Event Management), built directly on its analytics and AI backbone, promises a total cost of ownership (TCO) reduction of up to 80% compared with traditional solutions.
A SIEM built for the AI agent era
Lakewatch’s positioning holds that, faced with attackers who now rely on AI agents operating at machine speed and at scale, traditional security tools are reaching their limits. To address this, Databricks adopts a philosophy it summarizes as: “fight agents with agents.”
Lakewatch unifies logs, events, IT and business data in a governed environment based on open formats. The data remains in the customer’s own cloud object storage (S3, ADLS or GCS) and is used directly in the lakehouse, without duplication. The tool integrates AI agents as well as the Genie assistant to automate detection, triage, natural-language threat hunting, and incident response.
A break with traditional SIEMs
Traditional SIEMs suffer from two main drawbacks. First, cost prevents them from ingesting all available telemetry: billing by ingested or indexed volume forces security teams to operate with partial visibility. Second, the separation between security data and business data requires costly copies and duplicates of the data.
Lakewatch reverses this model by running security on the lakehouse. Rather than moving data to a SIEM warehouse, security operates directly on the lakehouse governed via Unity Catalog, where IT, security, and business data coexist. Pricing is indexed to software usage rather than the volume of stored data — a major economic shift that puts pressure on traditional players.
The tool is also built on the Open Cybersecurity Schema Framework (OCSF), reducing proprietary lock-in on schemas and data at a time when many SIEMs still impose their own internal formats and query languages.
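As an added illustration of the OCSF point above (this is example code, not Lakewatch’s or Databricks’ own): two constructed raw log formats are mapped onto a subset of the OCSF Authentication class (class_uid 3002), and a single failed-logon detection then runs over the unified records, so no per-source copy of the data is needed. The vendor names, log lines and threshold are assumptions.

```python
import json
from collections import defaultdict

# Constructed sample events: one IdP-style JSON line per event and one
# sshd-style text line per event (both formats are invented for this example).
RAW_IDP = [
    '{"eventType":"user.session.start","outcome":"FAILURE","actor":"alice","client_ip":"203.0.113.7","ts":1700000000}',
    '{"eventType":"user.session.start","outcome":"FAILURE","actor":"alice","client_ip":"203.0.113.7","ts":1700000030}',
    '{"eventType":"user.session.start","outcome":"SUCCESS","actor":"bob","client_ip":"198.51.100.2","ts":1700000040}',
]
RAW_SSH = [
    "1700000060 sshd: Failed password for alice from 203.0.113.7 port 51022",
    "1700000090 sshd: Failed password for alice from 203.0.113.7 port 51023",
    "1700000120 sshd: Accepted password for carol from 192.0.2.9 port 40000",
]

def idp_to_ocsf(line):
    """Map the constructed IdP JSON format to OCSF Authentication fields."""
    e = json.loads(line)
    return {
        "class_uid": 3002,                                   # OCSF Authentication
        "activity_id": 1,                                    # Logon
        "status_id": 1 if e["outcome"] == "SUCCESS" else 2,  # 1 Success, 2 Failure
        "time": e["ts"],
        "actor": {"user": {"name": e["actor"]}},
        "src_endpoint": {"ip": e["client_ip"]},
        "metadata": {"product": {"vendor_name": "constructed-idp"}},
    }

def ssh_to_ocsf(line):
    """Map the constructed sshd text format to the same OCSF fields."""
    ts, rest = line.split(" ", 1)
    words = rest.split()
    return {
        "class_uid": 3002, "activity_id": 1,
        "status_id": 1 if "Accepted" in rest else 2,
        "time": int(ts),
        "actor": {"user": {"name": words[words.index("for") + 1]}},
        "src_endpoint": {"ip": words[words.index("from") + 1]},
        "metadata": {"product": {"vendor_name": "constructed-sshd"}},
    }

def failed_logon_sources(events, threshold=3):
    """One detection over both sources: (user, ip) pairs with >= threshold failed logons."""
    counts = defaultdict(int)
    for ev in events:
        if ev["class_uid"] == 3002 and ev["activity_id"] == 1 and ev["status_id"] == 2:
            counts[(ev["actor"]["user"]["name"], ev["src_endpoint"]["ip"])] += 1
    return {k: v for k, v in counts.items() if v >= threshold}

def run():
    events = [idp_to_ocsf(l) for l in RAW_IDP] + [ssh_to_ocsf(l) for l in RAW_SSH]
    return failed_logon_sources(events)  # {('alice', '203.0.113.7'): 4}
```

Neither source alone crosses the threshold of three failures; only the normalized, unified view surfaces the pair.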
An already structured ecosystem
To accompany this launch, Databricks announces an Open Security Lakehouse Ecosystem bringing together leading partners: Okta, Palo Alto Networks, 1Password, Wiz (integrated with Google Cloud), Zscaler, and Slack.
On the customer side, Adobe, Dropbox and the National Australia Bank are among the early adopters. Anthropic, for its part, contributes to powering the platform’s cybersecurity capabilities via its integrated models.
Profound implications for the market
The arrival of Lakewatch applies direct pressure to the business model and architecture of established SIEMs. By offering a data/AI backbone already widely deployed across enterprises, Databricks makes it easier to replace or offload analytical workloads to the lakehouse, threatening players like Splunk or Elastic on their own turf.
In the medium term, Lakewatch accelerates the convergence of data platforms, AI, and security, and could redefine the role of legacy SIEMs, relegating some to mere log sources rather than central security operations systems.
A strategic launch ahead of the IPO
This shift toward cybersecurity comes in a particular context for Databricks. Valued at around $134 billion, the company is preparing an initial public offering that could occur as early as 2026. Penetrating a reconfiguring SIEM market significantly strengthens its growth narrative for investors, adding a new lever to a platform already deeply embedded in large global enterprises.