Databricks announced Lakewatch on March 24, 2026 — a new open, agentic SIEM (Security Information and Event Management) platform designed to help organizations defend against increasingly sophisticated AI-driven attackers.
The product is a significant moment for the company. Databricks built its reputation on data analytics and AI. Now, it is planting a flag in the cybersecurity market — and it brought one of the most powerful AI models on the planet to help it do so.
Lakewatch performs classic SIEM tasks like detecting and investigating threats, but it does so with the help of AI agents powered by Anthropic’s Claude. That partnership is at the heart of what makes this launch stand out from the crowded field of security vendors.
Why Does This Matter?
Cybersecurity has a speed problem. Attackers are no longer just humans sitting at keyboards. They are AI systems running automated campaigns around the clock.
The mean time to exploit a vulnerability has collapsed from 23.2 days in 2025 to just 1.6 days in 2026. That is not a gradual decline — it is a cliff edge. Security teams built around manual workflows simply cannot keep up.
Large enterprises generate terabytes, or even petabytes, of security data daily, but traditional SIEMs couple storage with compute, creating a financial penalty on every byte ingested. Teams respond by limiting ingestion, filtering data through routing layers, and deleting historical data.
The result? Security teams are flying blind. They are making decisions based on incomplete data because storing everything costs too much.
Lakewatch is designed to fix that problem from the ground up.
What Exactly Is Lakewatch?
Think of Lakewatch as a security operations center powered by AI — built natively on top of a data lakehouse so your information never needs to move.
Lakewatch unifies security, IT, and business data into a single, governed environment for AI detection and response. With open formats and an open ecosystem, it enables customers to ingest, retain, and analyze unprecedented volumes of multi-modal data, while slashing costs and eliminating vendor lock-in.
Here is what makes it different from traditional SIEM tools:
- AI agents do the heavy lifting. Swarms of AI agents automate detection, triage, and threat hunting to meet machine-speed attackers with machine-speed defense.
- Your data stays where it is. Lakewatch lets users avoid vendor lock-in while analyzing data where it is already stored, without moving or duplicating it.
- It handles video and audio too. Lakewatch is designed to work with structured and unstructured data, including audio and video, to support long-term retention and identify social engineering or insider threats.
- Costs drop significantly. Databricks states that the total cost of ownership can be up to 80% lower than traditional SIEMs.
The Anthropic Partnership: Claude Is the Brain Behind the Operation
One of the most consequential details in this launch is the role Anthropic’s Claude models play inside Lakewatch.
Anthropic’s Claude models help power Lakewatch, using advanced reasoning capabilities to correlate signals across security, IT, and business data to surface threats faster.
This is not a surface-level integration. Claude is doing the analytical work — reading signals from across an entire enterprise, connecting dots that human analysts would take days or weeks to find, and surfacing threats in near real time.
Building on the success of the two companies’ existing strategic partnership, Databricks and Anthropic are deepening their collaboration to deliver agentic security operations. Anthropic also uses Databricks for its own security lakehouse to gain complete visibility across its security and business data and detect threats earlier.
In other words, Anthropic is not just a technology partner here — it is also a customer. That is a meaningful signal of confidence in the platform.
Automated Triage and the “Genie” Agent
One of the standout features of Lakewatch is its integration with Genie — Databricks’ AI agent framework.
Integrated with Genie, Lakewatch automates triage, plans multi-step approaches, and helps enterprises reduce alert fatigue, leaving more time for analysts to focus on high-impact threats.
Alert fatigue is one of the most persistent problems in security operations. Analysts receive hundreds or thousands of alerts daily. Most are false positives. The real threats get buried in the noise. Genie-powered triage helps Lakewatch sort through that noise automatically, so human analysts can focus where it counts.
Databricks Made Two Acquisitions to Build This
Launching a new security product is one thing. Building real technical depth is another. Databricks did not go it alone.
Databricks bought two startups to underpin Lakewatch: Antimatter, in an undisclosed deal that closed last year, and SiftD.ai, in a deal that closed just days before the announcement.
What did each company bring?
- Antimatter, founded by UC Berkeley researchers, brings expertise in secure authentication and authorization for AI agents. As AI agents operate autonomously inside enterprise systems, controlling what those agents can access is a critical security requirement in itself.
- SiftD.ai, co-founded by the creator of Splunk's Search Processing Language, adds deep expertise in large-scale threat analytics and search, drawing on that Splunk lineage.
Both teams have joined Databricks, with Antimatter's founder, Andrew Krioukov, now leading the Lakewatch initiative. That is a strong signal that this is not a rushed product launch; it is a carefully assembled team with deep domain expertise.
Who Is Already Using It?
Lakewatch is launching in Private Preview, meaning it is not yet generally available. It already has notable early customers, including industry leaders like Adobe and Dropbox.
“As the volume of security data grows, organizations need new ways to analyze and act on that information quickly and at scale,” said Karthik Venkatesan, Security Engineering Lead at Adobe. “Databricks provides the foundation needed to move from data-driven to AI-driven approaches for security operations, and Lakewatch is an important step toward bringing security intelligence closer to where data already lives.”
Having Adobe and Dropbox in your early access program is not a small thing. Both companies manage vast volumes of sensitive user data and operate at a massive scale. Their participation lends real credibility to Lakewatch’s enterprise-grade ambitions.
An Open Ecosystem Built for the Long Term
Databricks is not trying to build a closed, proprietary fortress. Its strategy is openly collaborative — and that matters for enterprise adoption.
Databricks’ new Open Security Lakehouse Ecosystem is a fast-growing group of leading security vendors and delivery partners, including Akamai, Anvilogic, Arctic Wolf, Cribl, Obsidian, Okta, Palo Alto Networks, 1Password, Panther, Proofpoint, Rearc, Slack, TrendAI, Wiz (now part of Google Cloud), and Zscaler.
Additionally, Lakewatch supports Detection-as-Code, meaning teams can manage detections as code with automated testing and deployment to ensure defense is always version-controlled and verified.
This approach treats security rules the same way software engineers treat application code — with version control, testing, and repeatable deployments. It is a modern methodology that many enterprise security teams have been pushing toward for years.
What the CEO Says
Databricks co-founder and CEO Ali Ghodsi did not mince words about the state of enterprise security.
“Security teams can no longer rely on manual workflows to outpace AI-driven attacks,” Ghodsi said. “With Lakewatch, we are giving enterprises a new open data architecture and agentic capabilities to replace stagnating SIEM tools. Defenders must have even better visibility and speed than today’s agent attackers.”
That last sentence captures the core logic of Lakewatch: if attackers are using AI, defenders need AI too. And they need it to be faster, smarter, and more scalable than anything that came before.
The Bigger Picture: A Data Company Becomes a Security Company
Lakewatch is not just a product launch. It represents a strategic shift for Databricks.
The companies that manage your data are entering the market to secure it, too. If you believe security is a data problem at its core, the moves by Databricks — as well as Elastic and ServiceNow — make sense.
There is a compelling logic here. Databricks already holds an enormous amount of enterprise data. It already knows how to process that data at scale. Adding a security layer on top of that infrastructure is a natural evolution — and potentially a disruptive one for legacy SIEM vendors who have not kept pace.
Databricks is betting it can capture market share from enterprises resisting the platformization pitch from the likes of CrowdStrike and Palo Alto Networks.
Bottom Line
Lakewatch is a genuinely ambitious product. It combines AI agents, Claude’s advanced reasoning, a lakehouse data architecture, and a growing open ecosystem — all aimed at a cybersecurity market that has been ripe for disruption for years.
The threat landscape is evolving at machine speed. AI has given hackers tools to wage more sophisticated attacks, and they are doing it faster than ever. Traditional security platforms were not built for this reality.
Whether it delivers on that promise at scale remains to be seen. But the combination of Databricks’ data platform strength, Anthropic’s Claude models, two targeted acquisitions, and early backing from enterprise heavyweights like Adobe and Dropbox makes this one of the most credible new entries in enterprise security in years.