Databricks Didn't Announce a Security Product. It Announced a Different Way to Think About Security Spending.

Research By: Shashi Bellamkonda, Info-Tech Research Group

Organizations use security information and event management (SIEM) platforms to monitor threats and investigate incidents. Many SIEM platforms use a pricing model that charges based on how much data is ingested and stored. The more you want to see, the more you pay. In practice, security teams respond by discarding up to 75% of their security data before it is ever analyzed. They are not doing this because the data is unimportant. They are doing it because keeping it is too expensive.

That is not a technical problem but a decision forced by vendor pricing, and it creates a real risk gap. Adobe's security engineering team, an early Lakewatch customer, described the problem directly: as data volumes grow, organizations need new ways to analyze and act on information quickly and at scale. Dropbox, also among the first customers, faces the same constraint, managing large volumes of sensitive user data across millions of accounts.

Databricks decouples storage from compute. Organizations keep all their security data in their own cloud environment and pay only for analysis when it runs. The company claims up to 80% lower total cost of ownership (TCO) compared to traditional SIEM platforms. That figure reflects storage and licensing savings. It does not include migration costs or retraining, which any honest evaluation needs to model separately.

Security as a Native Extension, Not a Separate Tool

The Lakewatch architecture is straightforward. Most organizations already store business data, HR records, financial transactions, and application activity in a data platform. Traditional security tools cannot access that context without duplicating it into a separate system. Lakewatch runs security analysis on the same platform where everything else already sits. When an alert fires, the surrounding context for the data is already present.

Anthropic, the AI (Artificial Intelligence) company whose Claude models power part of Lakewatch's threat analysis capability, runs Databricks as its own production security platform. That is worth noting because it is not a co-marketing arrangement. It is a live deployment. Reference architectures that exist only in press releases are common. This one is in production at a company whose entire business depends on getting security right.

The mean time from a vulnerability being discovered to attackers actively exploiting it dropped from 23 days in 2025 to 1.6 days in 2026. Human analysts reviewing alerts in sequence cannot operate at that pace. Lakewatch uses AI agents to run detection and triage continuously, without waiting for a person to start the process.

Image Source: Databricks Blog

Target Audience and Use Cases

Databricks gets consistently high marks from its customers and has focused on being a reliable data infrastructure solution for many years. Customers have given Databricks a Net Emotional Footprint Score of +95 on SoftwareReviews. Launching Lakewatch is a good next step: bringing security as close to the data as possible, using infrastructure that is already trusted and already running.

For organizations already running Databricks for data and analytics, this is a materially simpler decision than a greenfield security deployment. The vendor relationship exists, the data infrastructure is in place, and the evaluation scope narrows to a suitability question: do Databricks' security capabilities meet the organization's detection and compliance requirements, and does platform consolidation outweigh the maturity advantages a dedicated SIEM may still hold? That is a different exercise than selecting a new vendor from scratch, but it is still an exercise. Databricks is entering security from a position of data platform strength, not security product depth, and organizations with complex SOC workflows or established SIEM integrations should assess fit carefully before treating consolidation as the default.

For organizations not yet on Databricks, the bar is higher. Switching a core security platform means migrating historical data, retraining analysts, and unwinding vendor relationships built over years. The business case needs to be more than directionally interesting.

Image Source: Databricks Blog

Market Positioning and Industry Dynamics

Splunk, now part of Cisco, and Microsoft Sentinel have enterprise security relationships built on years of incident response, hands-on support, and institutional knowledge. When something goes wrong at 2 a.m., security buyers call the vendor they trust. Databricks does not have that history yet.

The acquisition of SiftD.ai by Databricks is meant to fill that gap. SiftD.ai was founded by the creator of Splunk's core search technology and lead architects of its search stack. Bringing that expertise in-house signals Databricks' commitment to security operations depth. Whether it is sufficient will be visible in enterprise sales cycles over the next 12 to 18 months, not in an announcement.

The second acquisition, Antimatter, addresses a different problem: how AI agents authenticate and authorize each other in automated workflows. That question is unresolved across the entire security industry. Addressing it at the platform layer is a defensible long-term position, but it is early stage work in a market that has not yet standardized.

Our Take

Databricks has grown by being essential yet low-profile, and Lakewatch continues this approach. Rather than chasing trends, the company leverages its central position in enterprise data infrastructure; since security needs to occur where data resides, Databricks is well-suited to handle security operations.

This announcement is really for IT and data leaders inside existing Databricks customers, not CISOs shopping for a new security product. The question it raises is practical – you are already paying for a data platform and a security tool. One of them is making you throw away 75% of your security data because storage costs too much. Lakewatch says that tradeoff does not have to exist.

Convincing organizations to leave established SIEM providers is a harder problem. Security platform decisions carry operational risk, institutional memory, and vendor relationships that do not transfer cleanly. The SiftD.ai acquisition is a credible answer to the experience question; the remaining credibility in security will be earned through incidents handled well as Lakewatch is adopted.

One underappreciated dimension: Lakewatch lets security analysts write detection rules in the same tools data engineers already use – standard coding languages managed in version control, rather than a proprietary query language that requires specialized training. For organizations that have invested in data talent, that removes a real skills boundary. It is not a headline feature, but it matters operationally.

The 80% TCO reduction claim deserves scrutiny before it anchors a business case. It reflects storage and licensing savings under favorable assumptions. It does not model migration costs, retraining, or the disruption of switching a platform your security operations center depends on. Run the full transition cost before presenting this to a CFO.

Databricks frames Lakewatch around open data formats, which means organizations can export their raw data. That is accurate. It is also incomplete. The detection rules, AI models, investigation workflows, and institutional knowledge built on top of Lakewatch are not portable in the same way. Committing to this platform is a platform bet, not a data portability decision. Open formats and open architecture are different things.

The partner list includes Palo Alto Networks and Zscaler, both listed as ecosystem collaborators while also competing with Databricks in adjacent parts of the security market. That is not unusual in enterprise technology, but it creates ambiguity about where cooperation ends and competition begins. Organizations relying on any of those integrations should get specific commitments in writing before building on them.
