The cybersecurity industry has spent the better part of two decades building increasingly complex systems designed to process logs, correlate alerts, and identify anomalies across sprawling enterprise environments. Yet by 2026, the core economics and architectural assumptions underpinning traditional security operations have begun to fracture under the weight of AI-driven attacks, exploding telemetry volumes, and enterprise-scale data fragmentation.
Databricks believes the future of security operations will not be built around conventional SIEM platforms at all.
Instead, the company is betting that cybersecurity will become another large-scale data and AI workload running natively on a unified enterprise lakehouse architecture. That strategic thesis now sits at the center of Lakewatch, the company’s newly launched AI-native security analytics platform announced alongside acquisitions of security startups Antimatter and SiftD.ai.
The move represents far more than a product expansion. It is a direct challenge to the established order of enterprise cybersecurity infrastructure dominated by vendors such as Splunk, Microsoft Sentinel, Palo Alto Networks Cortex, and a broader ecosystem of security analytics providers whose pricing models and architectural limitations increasingly look misaligned with the realities of AI-scale computing.
Databricks is entering the market at a moment when enterprise security teams face simultaneous pressures from three converging trends. First, AI-assisted cyberattacks are accelerating the speed of exploitation and reconnaissance. Second, organizations are generating unprecedented quantities of telemetry data across cloud infrastructure, SaaS environments, APIs, AI applications, endpoints, and operational technology systems. Third, enterprise boards and regulators are demanding deeper visibility into cyber risk without tolerating runaway infrastructure spending.
Lakewatch attempts to address all three dynamics simultaneously.
The platform is positioned as an “agentic SIEM” built around open data formats, lakehouse economics, and AI-driven automation. In practical terms, Databricks wants enterprises to stop treating security data as a specialized silo and instead absorb it into the same governed data architecture already supporting analytics, AI, and operational intelligence workloads.
That vision could significantly reshape the economics of enterprise security operations over the next decade.
It could also expose the growing tension between legacy SIEM architectures and the realities of machine-scale cyber defense.
Why Security Analytics Is Being Rebuilt Around Data Platforms
The cybersecurity market rarely undergoes foundational architectural resets. Most transitions are incremental, layered onto existing infrastructure through acquisitions, integrations, and incremental tooling.
What makes the Lakewatch announcement notable is that Databricks is effectively arguing the SIEM market itself has reached structural limits.
Traditional SIEM systems emerged during an era when enterprise data volumes were measured primarily in gigabytes and terabytes rather than petabyte-scale streams. Their pricing models evolved around ingestion-based economics, where organizations paid according to how much data they stored and analyzed. That framework became increasingly problematic as enterprises migrated toward cloud-native operations.
The result was a deeply counterproductive operational reality: organizations often dropped logs, reduced retention periods, or narrowed visibility simply to manage cost escalation.
Databricks is framing this as both a security weakness and a business inefficiency.
According to the company, Lakewatch is designed to allow enterprises to retain “100% of telemetry” while reducing total cost of ownership by as much as 80% compared with traditional SIEM deployments.
That cost narrative matters enormously in the current enterprise environment.
Global cybersecurity spending continues to rise sharply. Gartner has projected worldwide information security spending to exceed $215 billion in recent market forecasts, while cloud security and security analytics remain among the fastest-growing categories. At the same time, large enterprises increasingly report dissatisfaction with escalating SIEM costs, particularly as AI workloads generate additional telemetry and observability data.
The economic mismatch has become especially acute inside multinational enterprises operating across multi-cloud environments.
A large financial institution can now ingest tens of terabytes of security telemetry daily. National Australia Bank, one of Databricks’ Lakewatch design partners, disclosed that it processes more than 30TB of security data each day.
Under traditional SIEM pricing structures, retaining and analyzing that volume at full fidelity becomes prohibitively expensive.
Databricks’ broader strategic advantage lies in the fact that many enterprises already use its lakehouse architecture for large-scale analytics and AI processing. The company is effectively arguing that security data should simply become another governed workload inside the same environment.
That proposition mirrors a wider trend reshaping enterprise technology infrastructure.
Over the last five years, organizations have steadily consolidated fragmented analytics stacks into unified data platforms capable of handling structured, semi-structured, and unstructured workloads together. The same consolidation logic is now arriving in cybersecurity.
Lakewatch is therefore less a standalone security product than an extension of the broader “data intelligence platform” strategy Databricks has pursued aggressively since the rise of generative AI.
The timing is not accidental.
The AI Threat Landscape Is Changing Faster Than Enterprise Security Operations
The emergence of generative AI has altered the asymmetry between attackers and defenders in ways the cybersecurity industry is still struggling to quantify.
Databricks cited research indicating that the average time between vulnerability disclosure and exploit development has fallen dramatically, with AI-enabled attacks rising sharply year over year.
That acceleration changes the operational assumptions underpinning modern security operations centers.
Historically, SOC teams relied heavily on human analysts to investigate alerts, correlate events, and escalate incidents. While automation existed, most workflows still depended on relatively manual triage processes.
AI-native attacks fundamentally disrupt that model.
Adversaries can now automate reconnaissance, generate phishing campaigns at scale, identify vulnerable infrastructure, and accelerate exploit development using large language models and agentic systems. The volume and sophistication of attacks increase simultaneously.
Databricks CEO Ali Ghodsi has framed Lakewatch as a direct response to this dynamic, arguing that enterprises must “fight agents with agents.”
This framing aligns with a broader industry shift toward autonomous or semi-autonomous security operations.
Across the market, vendors are racing to integrate AI copilots, automated detection engineering, natural language threat hunting, and autonomous investigation workflows into their platforms. CrowdStrike, Palo Alto Networks, Microsoft, and Google Cloud have all intensified AI security investments over the past two years.
What differentiates Databricks is its attempt to anchor security operations inside a broader enterprise data architecture rather than treating security as an isolated domain.
That distinction has profound implications.
Security telemetry increasingly overlaps with business data, operational analytics, and AI governance workflows. Insider threats, AI misuse, prompt injection attempts, and data exfiltration often require contextual analysis spanning multiple enterprise systems simultaneously.
Traditional SIEM environments struggle to integrate that context efficiently.
Lakewatch’s architecture instead attempts to unify security, IT, and business telemetry inside a governed environment powered by open formats and centralized governance through Unity Catalog.
In effect, Databricks is positioning cybersecurity as a data correlation problem at massive scale.
That is a very different worldview from legacy SIEM design.
The Strategic Importance of Open Security Architectures
One of the most consequential aspects of the Lakewatch launch is not the AI functionality itself but the company’s emphasis on openness.
The cybersecurity industry has historically been dominated by proprietary data architectures. Many SIEM platforms rely on specialized schemas, closed ecosystems, and vendor-specific tooling that create significant switching costs.
Databricks is explicitly targeting that model.
Lakewatch is built around open standards such as the Open Cybersecurity Schema Framework (OCSF), alongside open lakehouse formats and Delta Sharing capabilities.
This matters because enterprises increasingly view vendor lock-in as both a financial and operational liability.
Security teams today operate across sprawling hybrid environments involving multiple cloud providers, SaaS applications, operational systems, and AI platforms. Data portability and interoperability have become strategic requirements rather than technical preferences.
The emphasis on open ecosystems also reflects a larger enterprise infrastructure trend driven by AI.
As organizations adopt generative AI systems, they increasingly want governance, lineage, observability, and security controls operating consistently across all data domains. Closed security platforms can become obstacles to broader enterprise AI strategies.
Lakewatch’s positioning therefore aligns closely with Databricks’ existing strengths in data governance and AI orchestration.
The company is effectively leveraging the same architectural logic that helped popularize the lakehouse model in analytics and extending it into cybersecurity operations.
That creates competitive pressure on traditional SIEM vendors whose architectures were never designed for AI-scale data unification.
The Acquisitions Behind the Strategy
The acquisitions of Antimatter and SiftD.ai provide additional insight into Databricks’ long-term ambitions.
Antimatter focuses on authentication and authorization frameworks for AI agents, an increasingly critical area as enterprises deploy autonomous systems across business workflows. SiftD.ai, meanwhile, brings expertise from engineers associated with Splunk’s search architecture and detection engineering ecosystem.
Taken together, the acquisitions reveal that Databricks is not merely building security analytics tooling. It is attempting to establish foundational infrastructure for AI-era cyber defense.
That distinction is strategically important.
The next generation of enterprise security will likely revolve around securing not only human users and traditional applications but also autonomous agents interacting dynamically across enterprise systems.
This creates entirely new attack surfaces.
AI agents can access sensitive data, trigger workflows, interact with APIs, and make operational decisions autonomously. Ensuring authentication, authorization, observability, and policy enforcement across those systems becomes dramatically more complex than traditional identity management.
Antimatter’s expertise therefore complements Databricks’ broader AI infrastructure strategy.
Meanwhile, SiftD.ai strengthens the company’s credibility in the highly specialized domain of security analytics engineering. Splunk’s search processing language became foundational to modern SIEM operations, and acquiring talent associated with that ecosystem gives Databricks institutional expertise in how security analysts actually work.
That operational credibility will matter if Lakewatch is to compete seriously against entrenched security vendors.
SIEM Economics Are Under Pressure
The economics of enterprise SIEM platforms have become one of the most contentious issues in modern cybersecurity procurement.
Traditional SIEM vendors built highly profitable businesses around ingestion pricing, where customers pay according to the volume of data processed and retained. That model functioned reasonably well during earlier eras of enterprise infrastructure.
AI changes the equation entirely.
Generative AI systems, agentic architectures, cloud-native workloads, IoT deployments, and software-defined infrastructure collectively generate extraordinary telemetry growth. Organizations simultaneously need more visibility while facing mounting cost pressures.
This creates a strategic opening for platforms built around cloud-scale storage economics.
Databricks argues that decoupling storage and compute allows organizations to retain vast quantities of telemetry at dramatically lower cost.
That architectural advantage mirrors the same economic logic that disrupted traditional data warehouses.
The comparison is not coincidental.
Databricks’ founders built much of the modern lakehouse movement precisely around separating storage from compute-intensive analytics workloads. Applying the same model to cybersecurity could significantly alter procurement patterns inside large enterprises.
If organizations can dramatically reduce SIEM costs while increasing visibility and retention, incumbent vendors may face growing pricing pressure.
This is particularly relevant because cybersecurity budgets are no longer insulated from broader enterprise efficiency mandates.
Boards increasingly demand demonstrable ROI from security investments. Investors likewise scrutinize operational efficiency more aggressively as enterprises balance AI spending against macroeconomic uncertainty.
In that context, a platform promising both enhanced visibility and lower operational costs becomes strategically attractive, especially for organizations already standardized on Databricks infrastructure.
The Convergence of Security and Data Governance
One of the least discussed but most important dimensions of the Lakewatch strategy involves governance.
Enterprise AI adoption has created mounting concern around data lineage, access controls, model governance, and regulatory compliance. Security operations increasingly intersect with these governance frameworks.
Databricks is positioning Unity Catalog as the governance backbone for Lakewatch, allowing organizations to apply fine-grained access controls, auditing, and lineage tracking across security telemetry.
This integration matters because modern cyber investigations increasingly require contextual analysis spanning multiple business systems.
A sophisticated insider threat investigation may involve HR data, application logs, cloud activity, identity systems, AI model interactions, and collaboration platform telemetry simultaneously.
Traditional security tools often struggle to unify that context cleanly.
By embedding security analytics directly into a governed data platform, Databricks is effectively collapsing the boundary between security operations and enterprise data governance.
That convergence aligns with broader regulatory trends globally.
European regulators continue expanding digital operational resilience requirements under frameworks such as DORA. The United States Securities and Exchange Commission has intensified cyber disclosure obligations. Financial institutions, healthcare providers, and critical infrastructure operators face increasingly stringent reporting and governance expectations.
Organizations therefore require unified visibility across operational, business, and security data domains.
Lakewatch’s architecture appears designed precisely for that reality.
Competitive Implications Across the Cybersecurity Industry
Databricks’ entry into cybersecurity creates ripple effects far beyond the SIEM market alone.
The company sits at the intersection of several strategically critical technology domains simultaneously: cloud data infrastructure, AI platforms, governance systems, and analytics engineering.
That positioning gives it unusual leverage.
Unlike pure-play cybersecurity vendors, Databricks already operates as core infrastructure inside many large enterprises. Its installed base includes organizations deeply invested in lakehouse architectures for analytics and AI workloads.
Adding security operations into that environment becomes a logical expansion path.
This mirrors broader platform consolidation trends across enterprise technology.
Over the last decade, organizations have increasingly preferred integrated platforms capable of supporting multiple strategic workloads rather than fragmented point solutions. Cybersecurity may now be entering the same consolidation cycle.
That poses difficult questions for incumbent vendors.
Traditional SIEM providers must now compete not only on detection capabilities but also on data architecture, AI integration, governance frameworks, and infrastructure economics.
Meanwhile, hyperscale cloud providers are simultaneously expanding their own security platforms aggressively.
Amazon Web Services, Microsoft Azure, and Google Cloud increasingly view cybersecurity as a strategic cloud workload tied directly to broader infrastructure adoption.
Databricks occupies an unusual middle position in this competitive landscape.
It is not a traditional security company, yet it already owns significant portions of enterprise AI and analytics infrastructure. That gives it credibility with CIOs and data leaders even if CISOs remain cautious initially.
The broader implication is that cybersecurity may increasingly become embedded into enterprise data platforms rather than purchased as standalone infrastructure.
That would fundamentally alter competitive dynamics across the market.
AI-Native Security Will Require New Operational Models
Perhaps the most important implication of the Lakewatch launch is what it signals about the future structure of enterprise security teams themselves.
Security operations centers were historically organized around alert triage, incident response, and rule-based detection engineering. AI-native environments demand different workflows.
Lakewatch emphasizes autonomous agents capable of threat hunting, investigation summarization, detection engineering, and natural language querying.
This suggests a future where security analysts increasingly supervise AI systems rather than manually processing alerts themselves.
That transition could reshape workforce requirements across cybersecurity.
The industry already faces persistent talent shortages. AI-driven automation may alleviate portions of that burden while simultaneously increasing demand for specialists capable of governing AI-enabled security operations responsibly.
The shift also raises governance concerns.
Autonomous security agents introduce risks involving explainability, model integrity, false positives, and adversarial manipulation. Enterprises will require robust frameworks governing how AI systems interact with sensitive operational environments.
Databricks appears aware of this challenge, highlighting its AI Security Framework alongside Lakewatch’s broader architecture.
Still, the operational maturity required to deploy truly autonomous security workflows safely remains uneven across the enterprise market.
Many organizations will likely adopt hybrid operational models where AI systems augment rather than replace human analysts for years to come.
The Financial Stakes Behind Databricks’ Expansion
Databricks’ move into cybersecurity also reflects broader financial realities shaping the AI infrastructure market.
The company has grown rapidly into one of the world’s most valuable private software firms, with recent funding rounds valuing it at tens of billions of dollars.
Maintaining that growth trajectory requires expanding into adjacent enterprise markets.
Cybersecurity offers a particularly attractive opportunity because it combines recurring enterprise spending with rapidly growing demand tied directly to AI adoption.
The global SIEM market alone represents billions in annual spending, while adjacent categories such as security analytics, cloud security, identity governance, and AI security continue expanding rapidly.
By integrating security into its broader data platform strategy, Databricks can potentially increase platform stickiness while capturing larger portions of enterprise infrastructure budgets.
The acquisitions of MosaicML, AI partnerships with Anthropic and OpenAI, and now Lakewatch collectively illustrate an increasingly aggressive platform expansion strategy.
Databricks is no longer simply competing in analytics infrastructure.
It is attempting to become foundational enterprise infrastructure for the AI era.
Cybersecurity becomes an essential component of that ambition.
Enterprise Adoption Will Depend on Operational Trust
Despite the architectural appeal of Lakewatch, enterprise adoption will not happen automatically.
Security operations remain among the most risk-sensitive functions inside large organizations. CISOs tend to favor proven operational reliability over architectural elegance, especially in mission-critical environments.
Databricks therefore faces several challenges.
First, the company must prove Lakewatch can operate reliably at massive enterprise scale under real-world attack conditions.
Second, it must demonstrate that AI-native workflows genuinely improve operational outcomes rather than merely introducing complexity.
Third, it must convince enterprises that open architectures can deliver equivalent or superior security compared with tightly integrated proprietary systems.
That trust-building process takes time.
The company appears aware of this dynamic, emphasizing partnerships with organizations such as NAB and ecosystem alliances involving established cybersecurity vendors including Okta, Zscaler, and Wiz.
Those partnerships help position Lakewatch as part of a broader open ecosystem rather than a closed replacement stack.
Still, competitive resistance will intensify rapidly if the platform gains traction.
Established cybersecurity vendors are unlikely to concede the SIEM market quietly.
Infrastructure Modernization Is Becoming a Security Imperative
One of the clearest signals emerging from the Lakewatch launch is that cybersecurity modernization is increasingly inseparable from infrastructure modernization.
Organizations cannot defend AI-native environments effectively using architectures designed for pre-cloud infrastructure.
This is especially true as AI systems themselves become operational actors inside enterprise environments.
The convergence of AI, analytics, governance, and security creates pressure for unified platforms capable of handling all four domains cohesively.
Databricks is betting that the lakehouse model provides that foundation.
Whether the company ultimately dominates security analytics is less important than the broader trend it represents.
Enterprise cybersecurity is evolving from a specialized tooling ecosystem into a large-scale data and AI problem.
That transition will reshape vendor categories, procurement strategies, infrastructure architectures, and workforce models over the next decade.
The implications extend far beyond SIEM platforms alone.
Figure 1: Estimated Growth in Enterprise AI and Security Data Volumes

| Year | Average Daily Enterprise Security Telemetry | Primary Drivers |
|------|---------------------------------------------|-----------------|
| 2020 | 5–10 TB | Cloud migration, SaaS expansion |
| 2022 | 10–20 TB | Remote work, endpoint growth |
| 2024 | 20–35 TB | Multi-cloud observability, AI workloads |
| 2026 | 30–60 TB | Agentic AI systems, multimodal telemetry |

Industry estimates synthesized from enterprise cloud security trends, Databricks customer references, and broader SIEM market observations.
The Broader Industry Shift Toward Security Lakehouses
Lakewatch also validates the growing influence of “security lakehouse” architectures across the market.
For years, organizations experimented with exporting security telemetry into data lakes for advanced analytics. What Databricks is now attempting is to formalize that pattern into a complete operational model for security operations itself.
The distinction is important.
Traditional approaches treated the data lake as an adjunct analytics environment supporting specialized investigations. Lakewatch instead positions the lakehouse as the primary operational foundation for security workflows.
That architectural inversion changes how organizations think about data retention, governance, AI deployment, and threat analysis.
It also aligns with broader enterprise priorities around data sovereignty and operational flexibility.
As geopolitical tensions rise and regulatory environments fragment globally, organizations increasingly want control over where security data resides and how it is governed. Open architectures and customer-controlled storage environments become strategically attractive.
This trend is especially pronounced in heavily regulated industries such as banking, healthcare, telecommunications, and critical infrastructure.
The NAB partnership highlighted by Databricks underscores precisely this point.
Financial institutions face some of the world’s most demanding cyber resilience requirements. If security lakehouse architectures prove viable there, adoption could spread rapidly across other sectors.
The Future of Security Will Be Multimodal
Another underappreciated dimension of the Lakewatch strategy involves multimodal security telemetry.
Traditional SIEM systems evolved primarily around structured logs and event streams. AI-era threats increasingly involve audio, video, behavioral analytics, prompt interactions, and unstructured data.
Deepfake-enabled social engineering campaigns, AI-generated phishing, autonomous agent misuse, and prompt injection attacks all produce signals outside conventional log formats.
Databricks explicitly highlights multimodal analysis as a differentiator for Lakewatch.
This capability becomes increasingly important as enterprises deploy generative AI applications at scale.
Security platforms capable of correlating structured operational telemetry with unstructured AI interaction data may gain significant advantages in detecting emerging attack patterns.
That again reinforces the logic behind unified data architectures.
Multimodal AI security requires infrastructure capable of handling enormous data diversity efficiently. Lakehouse environments are arguably better suited to that challenge than legacy SIEM systems designed around rigid schemas and structured event processing.
A Turning Point for Enterprise Cybersecurity Architecture
The launch of Lakewatch ultimately represents something larger than a new Databricks product announcement.
It marks a broader inflection point in how the enterprise technology industry conceptualizes cybersecurity itself.
For years, security operated largely as a parallel infrastructure domain adjacent to analytics and enterprise data platforms. AI is collapsing those boundaries.
The future security stack increasingly appears likely to merge with broader enterprise AI and data infrastructure rather than remain operationally isolated.
That convergence will not happen overnight. Large enterprises move cautiously, especially in cybersecurity. Incumbent vendors retain enormous installed bases and deep operational relationships.
But the architectural logic behind AI-native security analytics is becoming increasingly difficult to ignore.
Organizations require unified governance, scalable economics, multimodal visibility, AI-native workflows, and interoperable architectures simultaneously.
Lakewatch reflects an attempt to deliver all of those capabilities inside a single platform strategy.
Whether Databricks ultimately wins the market battle remains uncertain.
What seems increasingly clear, however, is that the cybersecurity industry is entering a new infrastructure cycle shaped fundamentally by AI, cloud-scale data economics, and the convergence of analytics with security operations.
The companies that define the next era of enterprise cybersecurity may not look like traditional cybersecurity vendors at all.
They may instead emerge from the platforms already powering the world’s AI infrastructure.
For CIOs, CISOs, and enterprise strategists, that possibility now deserves very close attention.