Databricks Is Now a Security Company. Here's Why That Makes More Sense Than You Think.

The "agentic" part is where things get interesting. Lakewatch deploys what Databricks calls "Genie" agents — AI systems powered by Anthropic's Claude models — that continuously scan incoming data for threats, correlate signals across different sources, and can initiate automated responses without waiting for a human analyst to notice an alert at 3 AM. [3] This isn't a chatbot bolted onto a dashboard. Databricks is describing a system where AI agents handle the initial triage, investigation, and response workflow that currently requires teams of analysts working in shifts. The company claims this approach, combined with its data platform economics, can deliver up to 80% lower total cost of ownership compared to legacy SIEMs. [2] Adobe and Dropbox are among the first customers in the private preview — companies that already run massive Databricks deployments for their data operations. [1]

Why a Data Company Entering Security Makes Perfect Sense

To understand why this move is strategic rather than opportunistic, you need to understand what's broken about the security industry. Traditional SIEMs — Splunk, Microsoft Sentinel, IBM QRadar — charge based on the volume of data you ingest. The more logs you send them, the more you pay. This creates a perverse incentive: security teams routinely skip ingesting data they know would be useful because the cost of storing and analyzing it is prohibitive. [1] The result is a coverage gap that attackers love. If your SIEM only ingests 30% of your available telemetry because that's what the budget allows, the attacker only needs to find a path through the 70% you're not watching. Databricks already stores petabytes of organizational data at a fraction of the cost of traditional SIEMs. It uses open formats like Delta Lake and Apache Iceberg, which means data isn't locked into a proprietary schema that only one vendor's tools can query. When you're already sitting on the data, the marginal cost of running security analytics on top of it drops dramatically. [1][2] This is the fundamental insight: security is a data problem. And data companies are better at data problems than security companies are.

The Anthropic Connection

Databricks didn't build Lakewatch's AI capabilities alone. The company partnered with Anthropic to power its security agents using Claude models. [3] This partnership matters for a few reasons. First, Claude's ability to reason about complex, multi-step processes is particularly valuable in security operations, where a single alert might require correlating events across dozens of systems, checking against threat intelligence databases, and determining whether the behavior pattern matches known attack techniques. Second, the partnership reflects Anthropic's growing enterprise strategy. While OpenAI chases consumer products and government contracts, Anthropic has been methodically embedding Claude into the infrastructure layer — the places where AI does real work rather than generating tweets. Databricks Lakewatch is exactly that kind of deployment. [3] The combination is potent: Databricks' data infrastructure expertise plus Anthropic's reasoning models creates a security product that can handle volumes of data that would drown a traditional SOC team.

The Bigger Market Shift: Data Companies vs. Security Companies

Databricks isn't alone in making this move. Constellation Research analyst Liz Miller noted that Elastic and ServiceNow have made similar plays — companies that manage data or workflows entering the security market because they already have the foundational layer. [3] ServiceNow's $7.75 billion acquisition of Armis earlier this year was the first mega-signal. Now Databricks is building rather than buying (though it did acquire Antimatter and SiftD.ai to round out its capabilities). The thesis is the same: the companies that own the data layer have a natural right to own the security layer. [3] This should terrify traditional security vendors. Consider the economics: a mid-size enterprise might spend $2 to $5 million annually on a Splunk deployment. That same enterprise might already be spending $3 to $10 million on Databricks for its data and AI workloads. If Lakewatch can deliver comparable (or better) threat detection at 80% lower cost while eliminating the need for a separate SIEM platform entirely, the value proposition is almost impossible to argue against. [2] The global SIEM market is worth roughly $6 billion today and growing toward $10 billion by 2028. But the broader security operations market — including SOAR, XDR, and managed detection — is a $200 billion opportunity. Databricks isn't just entering the SIEM space; it's positioning to collapse multiple security product categories into its data platform. [2]

What This Means for Enterprise Security Teams

If you run a SOC or manage an enterprise security program, the vendor landscape is about to get turbulent. The traditional security stack — separate SIEM, SOAR, EDR, and threat intelligence platforms — is being challenged by unified platforms that do everything from data storage to threat response. Lakewatch is the latest salvo in that war. Data gravity matters more than ever. Where your data lives increasingly determines which security tools make economic sense. If your organization is already invested in Databricks for analytics and AI, evaluating Lakewatch for security operations is a no-brainer from a cost perspective. [1] AI-native security is the new baseline. Every security vendor will claim to be "AI-powered" by the end of 2026. The distinction is between vendors that bolted AI onto existing products and vendors that built their products around AI from the ground up. Lakewatch is the latter. [1][3]

The Risks Nobody Wants to Talk About

This isn't all upside. There are real concerns with the data-company-as-security-company model. First, security expertise matters. Detecting threats isn't just a data engineering problem — it requires deep knowledge of attacker behavior, vulnerability patterns, and the operational realities of incident response. Databricks is a data company with brilliant engineers, but building a world-class threat research team takes years. Second, concentration risk increases. If your data platform, your AI models, and your security monitoring all run on the same infrastructure, a compromise of that platform is catastrophic in a way that a compromised SIEM in a disaggregated architecture isn't. Third, the "80% cost reduction" claim needs scrutiny. That number likely compares Lakewatch's marginal cost (for customers already on Databricks) against the full cost of a standalone SIEM deployment. For organizations that don't already use Databricks, the savings are less dramatic.

The Bottom Line

Databricks entering the security market is one of those moves that looks obvious in hindsight. The company already has the data, the AI capabilities, the enterprise relationships, and the platform economics to make traditional SIEMs look expensive and inefficient. Whether Lakewatch lives up to its promises is an open question — the product is still in private preview, and real-world security deployments are infinitely more complex than product demos. But the strategic logic is sound, and the timing is right. Cyber threats are increasingly AI-driven, security budgets are under pressure, and the analyst shortage shows no signs of easing. The companies that already own the data are coming for the security market. The old guard should be worried.