Databricks introduces Lakewatch, an open agentic SIEM for machine-speed defense

Original: Today we’re announcing Lakewatch — a new open, agentic SIEM. Security has changed. Attackers now use agents, operating 24/7 at machine scale, while legacy security tools were built for human-speed threats. We need tools where agents work alongside humans to keep up. Lakewatch brings a new architecture for this agentic era:
• Ingest and store all enterprise data, including multimodal sources
• Analyze it alongside business data with full governance
• Use AI agents to automate detection, investigation, and response
Security requires a fundamental platform shift. This is how teams can fight agents with agents. databricks.com/blog/databric…

AI · Mar 30, 2026 · By Insights AI

What Databricks announced

Databricks said on March 24, 2026 that it is launching Lakewatch, a new open, agentic SIEM designed for what the company calls the security needs of the agentic era. In the official launch post on the Databricks blog, the company says Lakewatch unifies security, IT, and business data in a single governed environment so AI agents can automate detection, investigation, and response at massive scale. Databricks also says the product is entering Private Preview with customers including Adobe and Dropbox.

The argument behind the launch is direct: attackers now operate with AI agents at machine speed, while most security operations are still built around human-paced workflows. Databricks points to a threat landscape where AI systems have discovered hundreds of zero-days in open-source code, bug bounty leaderboards already include AI agents, and mean time to exploit is collapsing. The post cites ZeroDayClock.com data saying the average time to exploit fell from 23.2 days in 2025 to 1.6 days in 2026.

How Lakewatch is positioned

Databricks says Lakewatch brings lakehouse economics and architecture into security operations. Instead of coupling storage and compute in a way that punishes every byte ingested, the company says customers can retain 100% of telemetry, including multimodal data such as collaboration traces, chat logs, and video, and analyze it alongside the rest of the enterprise’s data estate. That matters because modern attacks often exploit the gaps between tools, departments, and data silos.

The company also emphasizes built-in AI. Databricks says Genie can help normalize new log sources into OCSF, author new detections from threat intelligence, adjust rules to reduce false positives, and translate natural-language questions into SQL queries. In other words, Lakewatch is being pitched not as a SIEM with an AI checkbox, but as a platform where defensive agents work directly where the organization’s governed data already lives.
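The two steps this paragraph attributes to Genie, normalizing a new log source into OCSF and expressing a detection as SQL over the normalized data, shown as an added example that is not Databricks, Lakewatch or Genie code and calls no Databricks API. A small parser maps constructed sshd-style lines into a flat subset of OCSF Authentication-class fields (class_uid 3002; field names follow the published OCSF schema, flattened to column names so they can be queried), and a SQL detection run with sqlite3 over the normalized table flags a source that succeeds against an account after repeated failures from the same address. The log format, sample lines, five-minute window and failure threshold are all constructed assumptions.

```python
"""Added example (not Databricks/Lakewatch/Genie code): normalize raw auth
log lines into a minimal OCSF Authentication event and run a SQL detection
over the normalized events with sqlite3.  The OCSF field subset follows the
Authentication class (class_uid 3002) from the OCSF schema, flattened for
SQL; the raw log format and sample lines are constructed for this example."""
import re
import sqlite3
from datetime import datetime, timezone

# Constructed sample lines in an sshd-like format (not from any real host).
RAW_LOGS = [
    "2026-03-24T10:00:01Z host1 sshd[101]: Failed password for alice from 203.0.113.5 port 5001",
    "2026-03-24T10:00:03Z host1 sshd[102]: Failed password for alice from 203.0.113.5 port 5002",
    "2026-03-24T10:00:05Z host1 sshd[103]: Failed password for alice from 203.0.113.5 port 5003",
    "2026-03-24T10:00:09Z host1 sshd[104]: Accepted password for alice from 203.0.113.5 port 5004",
    "2026-03-24T10:01:00Z host1 sshd[105]: Accepted publickey for bob from 198.51.100.7 port 6001",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Accepted|Failed) "
    r"(?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)$"
)

def to_ocsf(line):
    """Map one raw line to a flat dict of OCSF Authentication fields.
    Returns None for lines the parser does not recognize."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    status_id = 1 if m["outcome"] == "Accepted" else 2  # OCSF status: 1 Success, 2 Failure
    return {
        "category_uid": 3,                    # Identity & Access Management
        "class_uid": 3002,                    # Authentication
        "activity_id": 1,                     # Logon
        "type_uid": 3002 * 100 + 1,           # class_uid * 100 + activity_id
        "time": int(ts.timestamp() * 1000),   # OCSF time is epoch milliseconds
        "status_id": status_id,
        "severity_id": 1,                     # Informational
        "auth_protocol": m["method"],         # assumption: raw method string, not the OCSF enum
        "user_name": m["user"],               # user.name (the account targeted)
        "src_endpoint_ip": m["ip"],           # src_endpoint.ip
        "src_endpoint_port": int(m["port"]),  # src_endpoint.port
        "device_hostname": m["host"],         # device.hostname
        "raw_data": line,                     # original record kept for investigation
    }

def normalize_all(lines):
    """Normalize every recognizable line; unrecognized lines are skipped here."""
    return [e for e in (to_ocsf(l) for l in lines) if e is not None]

# Detection expressed as SQL over the normalized table: a successful logon for
# an account preceded, within window_ms, by at least min_failures failures from
# the same source address.  Window and threshold are constructed assumptions.
DETECTION_SQL = """
SELECT s.user_name, s.src_endpoint_ip, COUNT(*) AS failures, s.time AS success_time
FROM events s
JOIN events f
  ON f.user_name = s.user_name
 AND f.src_endpoint_ip = s.src_endpoint_ip
 AND f.class_uid = 3002 AND f.status_id = 2
 AND f.time < s.time AND f.time >= s.time - ?
WHERE s.class_uid = 3002 AND s.status_id = 1
GROUP BY s.time, s.user_name, s.src_endpoint_ip
HAVING COUNT(*) >= ?
"""

def detect(events, window_ms=300000, min_failures=3):
    """Load normalized events into an in-memory table and run the detection.
    Returns a list of dicts, one per flagged success."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE events (category_uid INT, class_uid INT, activity_id INT, "
        "type_uid INT, time INT, status_id INT, severity_id INT, auth_protocol TEXT, "
        "user_name TEXT, src_endpoint_ip TEXT, src_endpoint_port INT, "
        "device_hostname TEXT, raw_data TEXT)"
    )
    con.executemany(
        "INSERT INTO events VALUES (:category_uid, :class_uid, :activity_id, :type_uid, "
        ":time, :status_id, :severity_id, :auth_protocol, :user_name, :src_endpoint_ip, "
        ":src_endpoint_port, :device_hostname, :raw_data)",
        events,
    )
    rows = con.execute(DETECTION_SQL, (window_ms, min_failures)).fetchall()
    con.close()
    return [
        {"user_name": u, "src_endpoint_ip": ip, "failures": n, "success_time": t}
        for (u, ip, n, t) in rows
    ]

if __name__ == "__main__":
    for finding in detect(normalize_all(RAW_LOGS)):
        print(finding)
```

The parser is the part an agent would be asked to draft for each new log source; the detection is the part that should stay reviewable as plain SQL. Keeping `raw_data` on every normalized row is what makes that review possible when a rule fires, since the analyst can compare the finding with the original record rather than trusting the mapping.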

Why it matters

This is a notable signal because the AI infrastructure race is moving deeper into security operations. Databricks is not just proposing another analytics integration. It is arguing that legacy SIEM economics and architecture are structurally mismatched to an environment where attackers can search, coordinate, and probe continuously with agents. If defenders still limit ingestion, discard historical data, or ignore multimodal sources because the cost model is too steep, the asymmetry gets worse.

Lakewatch therefore matters as both a product launch and a market thesis. The product claim is that defenders need open formats, cheap retention, governed joins across business context, and agentic automation in one stack. The market claim is that security tools designed for human-speed investigation are no longer enough once offensive AI becomes persistent and cheap. Whether Lakewatch delivers on that promise will depend on execution, but the direction is clear: SIEM competition is shifting toward data scale, multimodal coverage, and AI-native response loops.


© 2026 Insights. All rights reserved.