Databricks Turns Its Data Lake Into a Security Weapon — What Lakewatch Really Signals

March 24, 2026

Databricks isn’t just dabbling in security; it’s declaring that the future of cyber‑defence lives directly on your data platform. By launching Lakewatch and quietly buying two small startups to power it, the company is betting that SIEM as we know it will be rewritten by AI agents sitting on top of cloud data lakes. If your business runs on Databricks or Snowflake, this matters today, not in five years. In this piece, we’ll unpack what Lakewatch really is, why these acquisitions are more strategic than they look, and what this means for security vendors, data platforms and European enterprises.


The news in brief

According to TechCrunch, Databricks has introduced a new security product called Lakewatch, designed to perform traditional SIEM (Security Information and Event Management) tasks such as threat detection and investigation. The twist: Lakewatch runs on Databricks’ data platform and uses AI agents powered by Anthropic’s Claude to help analyse vast amounts of security data.

To underpin Lakewatch, Databricks acquired two small startups:

  • Antimatter, bought in a previously undisclosed deal that closed in 2025. The company had raised around $12 million in 2022 and built a “data control plane” for securely deploying agents while protecting sensitive data.
  • SiftD.ai, a very young startup whose interactive notebook product (a collaborative workspace for humans and agents) only launched in November 2025. This acquisition closed just days before Lakewatch was announced and looks largely like an acqui‑hire.

Both teams have joined Databricks, with Antimatter’s founder now leading the Lakewatch team. Databricks, fresh off a $5 billion funding round, told TechCrunch it intends to keep shopping for startups to close product gaps.


Why this matters

Lakewatch is not just “Databricks adds a security feature.” It’s Databricks arguing that the SIEM belongs in the data lake, not in a separate, specialised product.

The immediate winners are:

  • Databricks: Security is one of the most lucrative, sticky workloads. If Lakewatch gains traction, Databricks can increase revenue per customer and deepen lock‑in. Once your logs, metrics, traces and detections live in one platform, ripping it out becomes painful.
  • Existing Databricks customers: Many enterprises already stream security telemetry into Databricks for analytics or compliance. Lakewatch promises to turn that passive data lake into an active detection and response system, potentially simplifying architecture and reducing duplicate storage.
  • The acquired teams: Antimatter and SiftD.ai gain distribution, brand, and resources that would be almost impossible to match as tiny standalone players.

The potential losers:

  • Traditional SIEM vendors (think Splunk, QRadar, legacy log management tools) whose economic model depends on proprietary data stores and painful pricing. If security teams can build high‑quality detections directly on cheaper, more flexible data platforms, classic SIEM is squeezed from above by XDR platforms and from below by data lakes.
  • Smaller security analytics startups not anchored to a major data platform. Competing with Databricks’ scale, ecosystem and go‑to‑market muscle becomes significantly harder.

The AI angle matters, but not because “agents will replace analysts.” What’s important is where those agents live: on top of a massive, clean, queryable lake of security telemetry. That combination—data gravity plus AI—could be far more disruptive than yet another security chatbot.


The bigger picture

Lakewatch slots into several powerful industry trends.

1. Security data lake vs. traditional SIEM
For years, CISOs have complained that SIEM tools are:

  • Too expensive per ingested gigabyte
  • Too rigid in schema and storage
  • Too hard to integrate with modern data stacks

The response has been the rise of security data lake architectures: store security data in low‑cost object storage (often via platforms like Databricks or Snowflake), and run detections and hunting directly there. Vendors from CrowdStrike to Palo Alto now talk about consolidating security data into a common lake. Lakewatch is Databricks saying, “Why let security vendors own that story when the data’s already here?”

2. The AI‑powered SOC arms race
Since 2023, every major cloud and security vendor has promised some form of “AI copilot for security analysts” — Microsoft with Security Copilot, Google with Gemini‑based security tools, startups building LLM‑driven triage and investigation assistants. What Databricks is doing differently is starting from the data platform and layering AI on top, instead of starting from the SIEM and bolting on LLMs after the fact.

Here, the Antimatter acquisition is strategically important: secure agent deployment and data‑access control are exactly the problems that scare CISOs about putting LLMs near sensitive logs. If Databricks can convincingly say, “Our agents only see what they’re allowed to see, and we can prove it,” that’s a real differentiator.

3. Post‑Splunk world dynamics
Splunk, long the poster child of SIEM, has itself faced pressure from customers over cost and complexity, and eventually moved deeper into observability and cloud. With Cisco moving to acquire Splunk, the market is re‑opening for a new generation of security analytics stacks. Lakewatch is Databricks’ bid to be that new default—especially for organisations already centralising all other analytics with them.

For competitors like Snowflake, this is a shot across the bow. Security workloads were already a growth area; now they risk becoming a table‑stakes feature of any serious data platform.


The European angle: sovereignty, regulation and opportunity

For European organisations, Lakewatch lands in the middle of three regulatory cross‑currents: GDPR, NIS2, and the emerging EU AI Act.

First, data residency and sovereignty. EU regulators and many enterprises are wary of shovelling all security telemetry into US‑controlled clouds because of concerns around the CLOUD Act and cross‑border data access. Databricks does operate in European regions and on some sovereign cloud setups, but Lakewatch’s use of Anthropic’s Claude raises practical questions: where do the AI models actually run, and what data leaves the EU boundary during inference? Those details will make or break adoption in heavily regulated sectors like finance, public sector and healthcare.

Second, NIS2 significantly raises the bar for incident detection, logging and response across critical sectors by 2024–2025. Many European CIOs are discovering that their existing SIEMs are too costly or too brittle to scale to those requirements. A security data lake approach, with AI‑assisted investigation, is attractive—if vendors can provide strong guarantees around retention, access controls and auditability.

Third, the EU AI Act. Cybersecurity tooling is likely to enjoy more regulatory flexibility than, say, AI systems making hiring decisions, but transparency and risk‑management obligations will still apply. Vendors that can clearly document how their agents reason over data, and provide traceability for recommendations, will have an edge in public procurement.

There’s also a competitive angle. Europe has solid players in log management and security analytics (for example, Graylog out of Hamburg, Elastic deployments common across the region, and numerous managed SOC providers). Lakewatch doesn’t immediately kill these ecosystems, but it reshapes the value chain: more detection logic and analytics may move into the data platform, while regional players double down on managed services, playbooks and sector‑specific content on top.


Looking ahead

Lakewatch today is a first iteration, not the final shape of Databricks’ security ambitions. Several likely next steps stand out.

  1. From SIEM‑like to full security platform
    If Lakewatch gains traction, expect Databricks to fill gaps quickly: integrations with EDR/XDR vendors, threat‑intel enrichment, maybe even acquisitions in attack‑surface management or cloud security posture management. The more of the detection and investigation pipeline they can keep inside their platform, the stronger their lock‑in.

  2. Pricing and positioning battles
    The make‑or‑break question will be economics. Security budgets are under pressure; many enterprises are explicitly trying to reduce SIEM spend. If Lakewatch can undercut traditional SIEM pricing by reusing data already stored in Databricks, it will be compelling. If it turns into “Splunk, but on a different invoice,” enthusiasm will fade fast.

  3. AI hype vs. operational reality
    Security leaders will pilot Lakewatch for AI‑assisted triage, natural‑language search (“show me all failed logins from unusual countries in the last 48 hours”), and automated report generation. The risk is over‑reliance on LLMs in high‑stakes incident response: hallucinated explanations or missed edge‑cases can have real‑world impact. The winners in this space will be those who embed AI as a force multiplier for experienced analysts, not as an excuse to deskill the SOC.

  4. Consolidation continues
    Databricks has made it clear it will keep buying. Early‑stage security startups building agent tooling, data‑protection layers or SOC workspaces should assume that “get acquired by a data platform” is now a standard outcome. That’s good for founders seeking early exits, but it may also mean fewer independent, opinionated security vendors in the long run.

Over the next 12–24 months, watch for: real reference customers for Lakewatch, EU‑specific deployments, and whether Snowflake or other data platforms answer with their own deep security plays.


The bottom line

Lakewatch is Databricks’ clearest signal yet that the battle for the future of security analytics will be fought on data platforms, not in traditional SIEM silos. The acquisitions of Antimatter and SiftD.ai are small in price but big in direction: secure AI agents, closer to the data, guiding the SOC of the future. If you’re a European CISO or data leader, the question is no longer whether security will converge with your data lake, but whose platform—and legal jurisdiction—you’re comfortable betting on. Are you ready for your SIEM to become “just another workload” on your analytics stack?
