Security teams are being asked to defend against threats that are moving faster, operating at greater scale, and increasingly using AI themselves. In that context, Databricks’ launch of Lakewatch feels less like a product extension and more like a signal that security operations may be entering a new architectural phase.
Databricks' Lakewatch is an open, agentic SIEM that unifies security, IT, and business data in one governed environment for AI-powered detection and response.
In our view, what makes this launch exciting is not just the SIEM label. It is the combination of three ideas that sit behind it:
- open data architecture,
- embedded AI agents,
- and a cost model designed for scale.
Databricks is effectively applying the lakehouse model to security, arguing that traditional SIEMs have become structurally mismatched to the nature of modern threats.
Why the traditional SIEM model is under pressure
It starts with a real shift in the threat landscape.
Cyberattacks are increasingly automated and AI-driven, while analysts are still working with tools and processes built for slower, more human-paced operations. The latest research shows that mean time to exploit has dropped from 23.2 days in 2025 to 1.6 days in 2026, which dramatically compresses the window defenders have to detect and respond.
That speed problem becomes even more serious when paired with the economics of legacy SIEMs.
Traditional platforms typically couple compute and storage, so every additional byte ingested adds cost pressure, and teams respond by ingesting less. In practice, that means defenders may be working with only a fraction of the context they actually need.
From our perspective, that is the heart of the issue. This is not only a tooling problem. It is an architecture problem. When attackers can use AI to analyse everything, defenders cannot afford platforms that force them to choose between visibility and cost.
The core Lakewatch proposition
Lakewatch is Databricks’ answer to that mismatch. The platform is designed to let organisations ingest and retain 100% of their security telemetry, including multimodal data. Customers can store data in open formats such as Delta Lake or Apache Iceberg, keep it in their own cloud storage, and avoid proprietary lock-in.
That matters because valuable context often sits in HR systems, collaboration tools, application telemetry, transaction records, and other operational datasets. Lakewatch runs directly on the lakehouse and uses Unity Catalog for enterprise-wide governance. That allows alerts to be correlated across security, IT, and business data without costly duplication or constant tool switching.
For us, this is one of the strongest parts of the launch. Security operations become more powerful when they are not isolated from the rest of the data estate.
Fighting agents with agents
The second major theme is agentic AI. Databricks is clearly betting that security teams need more than dashboards and bolt-on AI assistants. Lakewatch brings Genie, Genie Code, and Genie Spaces directly into security workflows.
These capabilities can help with:
- ingesting and normalising logs,
- authoring new detections,
- tuning rules to reduce false positives,
- translating natural language into SQL,
- and enabling multi-step threat hunting without requiring specialist query languages.
There is also a broader engineering story here. Lakewatch supports detection-as-code with YAML, SQL, and Python notebooks, plus model development and deployment using MLflow, Feature Store, and Model Serving.
In other words, Databricks is not positioning security AI as a side feature. It is positioning it as something that can be engineered, tested, backtested, deployed, and monitored as part of a larger data and AI operating model.
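To make the detection-as-code and backtesting workflow concrete, here is an added example that is not Databricks or Lakewatch code. It assumes a detection rule authored as a YAML-style document with a SQL query body, uses sqlite3 as a stand-in for the lakehouse SQL engine, and runs the rule over a constructed auth-event table. The backtest compares the rule's hits with constructed analyst labels and then tunes the threshold, which is the false-positive tuning step mentioned earlier; the rule schema, table layout, event rows and labels are all assumptions made for this example.

```python
"""Detection-as-code: a rule with a SQL body, run and backtested from Python.

Added example for this article, not Databricks or Lakewatch code.
Assumptions: sqlite3 stands in for the lakehouse SQL engine; the rule
schema, the auth_events table, the event rows and the labels are constructed.
"""
import sqlite3

# The rule as it would be committed as YAML (constructed example rule):
#
#   name: brute_force_then_success
#   severity: high
#   window_minutes: 10      # failures must precede the success within this window
#   threshold: 5            # minimum failures before the success
#   query: |
#     SELECT ... (the SQL below)
#
# RULE is the parsed equivalent, so no YAML library is needed here.
RULE = {
    "name": "brute_force_then_success",
    "severity": "high",
    "window_minutes": 10,
    "threshold": 5,
    # Self-join: count failures for the same user/source that precede a
    # success within the window; :window and :threshold are bound at run time.
    "query": """
        SELECT f.username AS username, f.src_ip AS src_ip,
               COUNT(*) AS failures, s.ts AS success_ts
        FROM auth_events f
        JOIN auth_events s
          ON s.username = f.username AND s.src_ip = f.src_ip
         AND s.outcome = 'success'
         AND s.ts > f.ts AND s.ts <= f.ts + :window
        WHERE f.outcome = 'failure'
        GROUP BY f.username, f.src_ip, s.ts
        HAVING COUNT(*) >= :threshold
    """,
}

# Constructed auth telemetry: (ts in epoch seconds, username, src_ip, outcome).
BASE = 1_700_000_000
EVENTS = (
    # alice: six failures in six minutes, then a success (brute force that worked)
    [(BASE + 60 * i, "alice", "10.0.0.5", "failure") for i in range(6)]
    + [(BASE + 360, "alice", "10.0.0.5", "success")]
    # bob: two typos, then a success (benign)
    + [(BASE, "bob", "10.0.0.7", "failure"), (BASE + 30, "bob", "10.0.0.7", "failure"),
       (BASE + 90, "bob", "10.0.0.7", "success")]
    # carol: seven failures, never succeeds (noisy, but no compromise to alert on)
    + [(BASE + 60 * i, "carol", "10.0.0.9", "failure") for i in range(7)]
    # dave: five failures, success long after the window closed (edge case)
    + [(BASE + 60 * i, "dave", "10.0.0.11", "failure") for i in range(5)]
    + [(BASE + 5000, "dave", "10.0.0.11", "success")]
    # erin: only three failures before the success, but analysts confirmed compromise
    + [(BASE + 60 * i, "erin", "10.0.0.13", "failure") for i in range(3)]
    + [(BASE + 200, "erin", "10.0.0.13", "success")]
)

# Constructed backtest labels from past investigations: (username, src_ip) -> malicious?
LABELS = {
    ("alice", "10.0.0.5"): True,
    ("bob", "10.0.0.7"): False,
    ("carol", "10.0.0.9"): False,
    ("dave", "10.0.0.11"): False,
    ("erin", "10.0.0.13"): True,
}


def build_db(events=EVENTS):
    """Load the constructed events into an in-memory table named auth_events."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE auth_events (ts INTEGER, username TEXT, src_ip TEXT, outcome TEXT)")
    conn.executemany("INSERT INTO auth_events VALUES (?, ?, ?, ?)", events)
    return conn


def run_rule(conn, rule, threshold=None):
    """Execute the rule's SQL with its parameters bound; return one dict per alert row."""
    params = {"window": rule["window_minutes"] * 60,
              "threshold": rule["threshold"] if threshold is None else threshold}
    cur = conn.execute(rule["query"], params)
    names = [col[0] for col in cur.description]
    return [dict(zip(names, row)) for row in cur.fetchall()]


def backtest(conn, rule, labels, threshold=None):
    """Score the rule against labelled history: precision, recall and F1."""
    effective = rule["threshold"] if threshold is None else threshold
    hits = {(a["username"], a["src_ip"]) for a in run_rule(conn, rule, effective)}
    tp = sum(1 for key, bad in labels.items() if bad and key in hits)
    fp = sum(1 for key, bad in labels.items() if not bad and key in hits)
    fn = sum(1 for key, bad in labels.items() if bad and key not in hits)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return {"threshold": effective, "tp": tp, "fp": fp, "fn": fn,
            "precision": precision, "recall": recall, "f1": f1}


def tune_threshold(conn, rule, labels, candidates=(2, 3, 5)):
    """Pick the candidate threshold with the best F1 on the labelled history."""
    return max((backtest(conn, rule, labels, t) for t in candidates), key=lambda r: r["f1"])


if __name__ == "__main__":
    db = build_db()
    for alert in run_rule(db, RULE):
        print(f"[{RULE['severity']}] {RULE['name']}: {alert}")
    print("as committed:", backtest(db, RULE, LABELS))
    print("best threshold:", tune_threshold(db, RULE, LABELS))
```

As committed (threshold 5) the rule catches alice but misses erin, so recall is 0.5; the backtest shows that lowering the threshold to 3 recovers erin without flagging bob, while 2 would start paging on benign typos. That is the loop the article describes: the rule lives as versioned text, and changes to it are justified by a measurable run over retained history rather than by intuition.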
The economics may matter as much as the AI
The third theme is cost. Lakewatch’s decoupled storage-and-compute model can reduce costs by up to 80% while enabling petabyte-scale retention and years of hot-queryable data. It also emphasises ownership and flexibility: customers keep telemetry in their own cloud object storage, provision compute only when needed, and use serverless performance for analytics and ML workloads.
This may be one of the most commercially important parts of the story. Security leaders often know they need broader retention and richer context, but their architecture punishes them for keeping too much data.
Summary
Lakewatch stands out because it brings together themes we are seeing across the market: open architectures, governed data foundations, AI embedded into operations, and growing pressure to reduce cost without sacrificing scale or control.
The bigger takeaway is this: security operations are starting to look more like the broader data platform world. The winning model is likely to be one that combines:
- unified context across security, IT, and business data
- open formats and customer-owned storage
- governance built into the platform
- AI agents that help teams move faster
- and economics that support retention at scale
That does not mean every organisation should rush to replace its SIEM tomorrow. But it does mean the question is no longer only which alerts your platform can raise. It is also whether your security architecture can keep up with machine-speed attacks, use all the data you already have, and operationalise AI in a way that is governed, scalable, and economically sustainable.