When Databricks officially entered the security market in late March 2026 with Lakewatch, it was not just another product launch. The message behind it was far more direct. Databricks is openly challenging the structure of the existing SIEM market, arguing that traditional models are becoming too expensive, too limited, and increasingly misaligned with how modern threats actually evolve.
This criticism is not entirely new, but the clarity and positioning are. Databricks explicitly points out that many organizations are forced to discard large portions of their security data. Not because the data lacks value, but because the cost of ingesting and storing it within traditional SIEM platforms is too high. Pricing models based on data volume create a structural trade-off. The more visibility you want, the more expensive it becomes.
A senior security engineer at a global enterprise describes the situation in simple terms. Security teams are not optimizing for maximum visibility, but for what is financially sustainable. As a result, data is filtered, reduced, or not collected at all. The problem becomes visible when dealing with more complex or non-standard attack patterns, where missing context can significantly impact detection and response.
This is where Lakewatch positions itself differently. Rather than presenting itself as a traditional SIEM, Databricks frames it as an open, data-centric security architecture. The idea is straightforward but strategically significant. Instead of pushing security data into a specialized tool, security becomes a use case on top of an existing data platform. Logs, events, and telemetry are analyzed alongside IT and business data within a unified environment.
A CTO at a technology company sees this as a notable shift in perspective. Security has historically operated in isolation, with dedicated tools, data pipelines, and cost structures. Moving security into a central data platform changes that dynamic. It allows organizations to correlate technical events with business context more effectively. At the same time, it raises new questions around access control, governance, and data ownership.
Another aspect emphasized by Databricks is openness. Traditional SIEM platforms often rely on proprietary data formats and tightly controlled ecosystems. Lakewatch, in contrast, promotes open standards and flexible integration across multiple data sources. This is not only a technical choice but also a strategic positioning. Organizations are encouraged to build their own security architecture rather than being locked into a single vendor’s model.
An industry analyst notes that this approach introduces both opportunities and challenges. Open platforms offer greater flexibility but also require a higher level of internal expertise. Organizations need to understand how their data is structured, how analytics are applied, and how the platform itself is secured. Responsibility shifts from using a predefined tool to actively designing and maintaining a security architecture.
Lakewatch also introduces a strong focus on what Databricks describes as agentic attackers. The argument is that the threat landscape is evolving toward more autonomous, adaptive attack methods. These attacks do not follow static patterns and can change behavior in real time. Traditional detection mechanisms, which often rely on known signatures or predefined correlations, may struggle to keep up.
A researcher in threat intelligence highlights that modern attack campaigns are becoming increasingly dynamic. Instead of following predictable sequences, attackers adjust their methods based on the environment. Detecting such activity requires a broader and more contextual data foundation. The more data available, the better the ability to identify subtle anomalies. This is where Databricks positions its core strength: the ability to process large volumes of data and analyze them in near real time.
At the same time, questions remain about how well this model integrates into existing security operations. A senior consultant in security operations points out that many SOCs are built around structured workflows. Alerts are generated, triaged, and investigated in a defined sequence. Shifting to a data-driven model may require significant changes in how these processes are designed and executed.
From a broader perspective, the strategic implication is what makes this development particularly interesting. Databricks is not a traditional security vendor. Its core business lies in data and AI. By entering the SIEM space, it challenges the assumption that security platforms must originate from within the security industry itself. The key question is not only whether Lakewatch delivers technically, but whether it signals a shift in how SIEM is fundamentally defined.
Will SIEM remain a specialized security tool, or will it evolve into a layer built on top of general-purpose data platforms? Databricks is clearly betting on the latter. The argument centers on more data, lower cost, richer context, and tighter integration between security and business analytics.
Whether this approach gains traction will depend less on the underlying technology and more on the willingness of organizations to rethink their existing models. What is already clear is that the conversation is changing. When a major data platform provider begins to treat security as a core workload, it suggests that the boundaries between data analytics and security are starting to dissolve.