The SIEM market has operated under the same basic economics for two decades: the more data you store, the more you pay. Databricks thinks that model is broken, and it’s betting two acquisitions and a new product called Lakewatch on proving it.
On March 24, 2026, Databricks officially entered the cybersecurity market with Lakewatch — an open, agentic SIEM platform that unifies security, IT, and business data into a single governed environment. The timing is not accidental. Databricks, valued at $134 billion after a $5 billion funding round in February, is assembling its product portfolio ahead of what everyone expects to be one of 2026’s biggest IPOs.
What Lakewatch Actually Does
At its core, Lakewatch is a SIEM built on top of Databricks’ existing Data Intelligence Platform. But calling it “just another SIEM” misses the architectural shift Databricks is pushing.
Traditional SIEMs like Splunk and Microsoft Sentinel ingest security logs into proprietary storage formats and charge based on data volume. This creates a painful tradeoff: security teams need to retain more data to catch threats (the average attacker dwell time exceeds 200 days), but the cost of storing that data forces most organizations to keep only 30–90 days of hot data. The rest gets deleted or archived where it’s effectively invisible.
Lakewatch takes a different approach. Telemetry lands in your own cloud object storage — Amazon S3, Azure Blob, or Google Cloud Storage — in open formats: Delta Lake, Apache Iceberg, and OCSF (Open Cybersecurity Schema Framework). Databricks charges based on compute work performed, not data volume stored. The company claims this can reduce total cost of ownership by up to 80% compared to legacy platforms.
The data pipeline follows a Bronze-Silver-Gold architecture. Raw telemetry ingests via Lakeflow Connect at the Bronze layer, gets normalized into OCSF schema at Silver, and powers detection rules at the Gold layer through Detection-as-Code practices. Databricks’ Genie AI handles the conversion of collected data into standardized formats and powers a natural language chat interface where administrators can query security data in plain English.
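To make the Bronze-Silver-Gold flow concrete, here is an added example in plain Python (not Databricks or Lakewatch code): constructed sshd-style login lines are normalized into OCSF-shaped Authentication events at the Silver stage, and a detection-as-code rule at the Gold stage flags a password-spray pattern. The OCSF field names and numeric codes are an approximation of the real schema and are assumptions here, and plain lists stand in for Delta tables.

```python
"""Medallion-style security pipeline sketch: raw auth log (Bronze) ->
OCSF-shaped Authentication event (Silver) -> detection rule (Gold).
Plain Python stands in for the Spark/Delta tables a real deployment uses;
OCSF field names and codes below are assumed approximations of the schema."""
from collections import defaultdict
from datetime import datetime

# Constructed sample Bronze records: one sshd-style login log line each.
BRONZE = [
    "2026-03-24T10:00:01Z host1 sshd: Failed password for alice from 203.0.113.7",
    "2026-03-24T10:00:05Z host1 sshd: Failed password for alice from 203.0.113.7",
    "2026-03-24T10:00:09Z host1 sshd: Failed password for bob from 203.0.113.7",
    "2026-03-24T10:00:20Z host1 sshd: Accepted password for alice from 198.51.100.4",
    "2026-03-24T10:00:30Z host1 sshd: Failed password for carol from 203.0.113.7",
]

def to_ocsf(line: str) -> dict:
    """Silver layer: normalize one raw line into an OCSF-like Authentication event."""
    ts, host, _, rest = line.split(" ", 3)
    outcome, _, _, user, _, ip = rest.split(" ")
    # Assumed OCSF values: Authentication class_uid 3002, activity_id 1 = Logon,
    # status_id 1 = Success, 2 = Failure.
    return {
        "class_uid": 3002,
        "activity_id": 1,
        "status_id": 1 if outcome == "Accepted" else 2,
        "time": int(datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp()),
        "actor": {"user": {"name": user}},
        "src_endpoint": {"ip": ip},
        "device": {"hostname": host},
    }

def detect_password_spray(events: list, min_users: int = 3, window_s: int = 60) -> list:
    """Gold layer, detection-as-code: flag a source IP whose failed logons hit
    at least `min_users` distinct accounts inside a `window_s`-second window."""
    failures = defaultdict(list)
    for e in events:
        if e["class_uid"] == 3002 and e["status_id"] == 2:
            failures[e["src_endpoint"]["ip"]].append((e["time"], e["actor"]["user"]["name"]))
    findings = []
    for ip, attempts in failures.items():
        attempts.sort()  # chronological, so each index opens a sliding window
        for i, (t0, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - t0 <= window_s}
            if len(users) >= min_users:
                findings.append({"rule": "password_spray", "src_ip": ip, "users": sorted(users)})
                break  # one finding per source IP is enough for triage
    return findings

def run_pipeline(raw_lines=BRONZE):
    """Run Bronze -> Silver -> Gold and return (normalized events, findings)."""
    silver = [to_ocsf(line) for line in raw_lines]
    return silver, detect_password_spray(silver)
```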
Then there are the AI agents. Lakewatch deploys autonomous security agents powered by Anthropic’s Claude models that follow a perception-planning-execution-adaptation-resolution cycle. These agents can ingest multi-modal security signals, execute SQL queries and API calls in isolated sandbox environments, pivot investigations based on evidence, and generate reasoning summaries for human analysts to review. As CEO Ali Ghodsi put it: “This will be the year we see AI killing the SIEM,” adding that Databricks’ approach enables fighting “agents with agents” to handle the hundreds of daily alerts that human teams simply cannot process.
Two Acquisitions Tell the Real Story
Databricks didn’t just build Lakewatch in-house. The company simultaneously announced the acquisitions of two security startups, and the choice of targets reveals a lot about its strategy.
Antimatter Inc. was founded by UC Berkeley security researchers and had raised $12 million in 2022. The company built a SaaS data security platform using secure enclaves — processor-based encryption that provides provably secure authentication and authorization. In the context of Lakewatch, Antimatter’s technology addresses a critical question: how do you let AI agents access sensitive security data without creating new attack surfaces? When your SIEM is powered by autonomous agents making API calls and running queries, the authentication and authorization layer becomes the most important piece of the puzzle.
SiftD.ai brings a different kind of expertise. The company was founded by the creator of Splunk’s Search Processing Language (SPL) and lead architects of Splunk’s search stack. These are people who literally built the technology that dominates the SIEM market today. SiftD was focused on agentic automation for security engineering — essentially, they were already building the future that Databricks envisions, just without the data platform underneath.
Together, these acquisitions give Databricks deep expertise in both the security infrastructure layer (Antimatter) and the detection engineering layer (SiftD). The financial terms were not disclosed, but Databricks indicated it is actively seeking additional acquisition targets, suggesting more security M&A is on the way.
How Lakewatch Stacks Up Against Splunk and Microsoft Sentinel
The SIEM market in 2026 is dominated by three players, and Lakewatch is positioning itself against each one differently.
Splunk (now owned by Cisco) holds roughly 47% market share and remains the default choice for large enterprises with complex environments and mature SPL-capable teams. Its strength is deep customization and the Splunkbase ecosystem. Its weakness is cost — Splunk’s ingestion-based pricing means that as data volumes grow, bills grow proportionally. For organizations processing 35TB of security data daily, the math gets painful fast.
Microsoft Sentinel has grown rapidly as the cloud-native SIEM for Azure and Microsoft 365-heavy organizations. Its integration with Microsoft Copilot for Security represents the most mature AI assistant in the SIEM market. However, Sentinel’s economic advantage erodes quickly when ingesting third-party data outside the Microsoft ecosystem.
Lakewatch is betting on a different value proposition entirely: keep 100% of your telemetry, pay commodity storage prices, and let AI agents do the heavy lifting on detection and triage. According to Databricks’ own modeling, for an organization ingesting 35TB daily with 365-day retention, Lakewatch enables a 250% increase in data volume and four times the retention period at the same total cost as legacy alternatives.
The catch? Lakewatch is currently in private preview. It is not generally available yet, and it has not been hardened by production use. Splunk and Sentinel have years of battle-tested deployments, thousands of pre-built integrations, and massive communities. Databricks is starting from zero on that front.
The IPO Angle Nobody’s Ignoring
It’s impossible to talk about Lakewatch without talking about Databricks’ IPO. The company closed a $5 billion funding round at a $134 billion valuation in February 2026, with annualized revenue exceeding $5.4 billion (65% year-over-year growth) and positive free cash flow. AI products alone generate $1.4 billion in annualized revenue.
Entering the cybersecurity market — projected to exceed $520 billion globally in 2026 — gives Databricks a compelling growth narrative for public market investors. It’s not just a data platform anymore; it’s a data platform that also secures your enterprise. The SIEM market specifically is ripe for disruption because the incumbents’ pricing models are fundamentally misaligned with the reality of exponentially growing data volumes.
Early customers include Adobe and Dropbox. Adobe’s Security Engineering Lead, Karthik Venkatesan, said: “Databricks provides the foundation needed to move from data-driven to AI-driven approaches for security operations, and Lakewatch is an important step toward bringing security intelligence closer to where data already lives.”
That last phrase — “where data already lives” — is the key insight. Many Databricks customers already store massive amounts of data on the platform. Adding a security layer on top of data that’s already there is a much easier sell than asking companies to ship their data to yet another vendor.
What Could Go Wrong
The biggest risk for Lakewatch is execution. Building a SIEM is one thing; building the ecosystem of integrations, detection rules, compliance frameworks, and incident response workflows that security teams depend on is another entirely. Splunk has over 2,000 apps and add-ons in Splunkbase. Microsoft Sentinel benefits from native integration with the entire Microsoft security stack. Lakewatch has… a private preview and two recently acquired startups.
There’s also the question of whether security teams trust a data company to handle their most sensitive workloads. Databricks has no track record in cybersecurity. The Antimatter and SiftD acquisitions bring credibility, but integrating acquired teams and shipping a production-grade security product takes time.
And then there’s the competitive response. Splunk, Microsoft, Google (Chronicle), and Palo Alto Networks are not going to watch Databricks walk into their market without a fight. Expect aggressive pricing, feature announcements, and customer retention plays from all of them in the coming months.
FAQ
What is Lakewatch by Databricks?
Lakewatch is an open, agentic SIEM (Security Information and Event Management) platform built on Databricks’ Data Intelligence Platform. It unifies security, IT, and business data into a single environment and uses AI agents powered by Anthropic’s Claude to automate threat detection, triage, and response.
How much does Lakewatch cost?
Databricks has not disclosed specific pricing. The key difference from competitors is the pricing model: Lakewatch charges based on compute work performed rather than data volume ingested or stored. Databricks claims this can reduce total cost of ownership by up to 80% compared to legacy SIEM platforms like Splunk.
Is Lakewatch available now?
Lakewatch launched in private preview on March 24, 2026. Early access customers include Adobe and Dropbox. No general availability date has been announced.
How does Lakewatch compare to Splunk?
Splunk charges based on data ingestion volume, which gets expensive at scale. Lakewatch stores data in open formats on commodity cloud storage and charges for compute instead. Notably, Databricks acquired SiftD.ai, founded by the creator of Splunk’s SPL (Search Processing Language), suggesting deep knowledge of Splunk’s architecture and its limitations.
Who are Antimatter and SiftD, and why did Databricks acquire them?
Antimatter is a security startup founded by UC Berkeley researchers that built secure enclave technology for AI agent authentication. SiftD.ai was founded by ex-Splunk engineers specializing in agentic security automation. Together, they provide Databricks with the security expertise and technology foundation needed to build a credible SIEM product.