Databricks, the data and AI platform valued at $134 billion, announced Lakewatch on March 24 — an agentic SIEM (Security Information and Event Management) platform that puts the company in direct competition with Splunk, Microsoft Sentinel, and CrowdStrike. The product uses AI agents to automate threat detection, triage, and investigation workflows that security teams currently handle manually.
“Security teams can no longer rely on manual workflows to outpace AI-driven attacks,” CEO Ali Ghodsi said in Databricks’ announcement. “Defenders must have even better visibility and speed than today’s agent attackers.”
Lakewatch is now in private preview. Adobe and National Australia Bank are early customers, according to CNBC. Anthropic’s models are also running inside the platform for cybersecurity purposes.
How It Works
Lakewatch runs on top of Databricks’ existing lakehouse architecture. Instead of requiring customers to pipe security data into a separate SIEM vendor’s system, the product analyzes data where it already lives. Databricks claims this approach can cut total cost of ownership by up to 80%, per the press release.
The core features center on AI agents that handle tasks traditionally performed by human analysts:
- Agentic triage and investigation: Security agents built with Databricks’ Agent Bricks framework parse telemetry across formats, enriching alerts and reducing mean time to detect and respond.
- Automated security intelligence: Integrated with Databricks’ Genie AI agent, the system automates multi-step triage plans and prioritizes alerts to reduce fatigue.
- Detection-as-code: Security detections are managed as version-controlled code with automated testing and deployment.
The platform supports multi-modal data including video and audio for detecting social engineering and insider threats, according to the announcement.
The Pricing Bet
Databricks is taking a different approach to pricing than incumbents. Rather than charging based on data volume — the standard SIEM model — Lakewatch charges based on compute workload performed.
“The prevailing pricing model is at odds with protecting against this avalanche that’s coming our way, because it’s just too prohibitively expensive to get all your data in there,” Ghodsi told CNBC.
The traditional volume-based pricing creates a perverse incentive: Databricks claims security teams currently discard up to 75% of their data because ingestion costs are too high, per the press release. That means the SIEM is only seeing a quarter of what’s actually happening on the network.
Two Acquisitions Behind the Launch
Databricks acquired security startup Antimatter in 2025, whose technology is now integrated into Lakewatch. The company has also agreed to acquire SiftD, a small firm whose three founders collectively spent 39 years at Splunk, according to CNBC. Xin, a Databricks co-founder, told CNBC the SiftD team “were instrumental in creating” the search interface that security practitioners value in Splunk.
The open ecosystem angle is notable: Lakewatch’s launch partners include Palo Alto Networks, Okta, 1Password, Wiz (now part of Google Cloud), CrowdStrike competitor Arctic Wolf, and Zscaler, per the announcement.
Why This Matters
The timing is strategic in two directions. RSA Conference 2026 is running this week in San Francisco, with agentic AI security as the dominant theme across the exhibition floor. Launching during RSA maximizes attention from the exact buyer Databricks needs to reach: enterprise CISOs evaluating their next SIEM investment.
The second piece is the IPO. Ghodsi said in December he wouldn’t rule out a 2026 public offering, according to CNBC. Expanding from data infrastructure into cybersecurity adds a new revenue category that could help justify the $134 billion valuation to public-market investors who have punished SaaS stocks this year. The WisdomTree Cloud Computing Fund is down about 19% in 2026, per CNBC.
For the SIEM incumbents — Splunk (now Cisco), Microsoft Sentinel, Google Chronicle, CrowdStrike — the threat is real. Databricks is already inside enterprise data stacks. If Lakewatch can deliver credible security outcomes at significantly lower cost, the switching incentive for customers who already use the Databricks platform is obvious. Ghodsi acknowledged the competitive dynamics: “Databricks will definitely partake in that disruption,” he told CNBC.