
Databricks Lakewatch: The First True Agentic SIEM for the Lakehouse

By Dillip Chowdary, Mar 24, 2026

The SIEM (Security Information and Event Management) market has been ripe for disruption for a decade, and today Databricks delivered the knockout blow. Unveiled at their Spring Security Summit, Databricks Lakewatch is being billed as the world's first "Agentic SIEM." Built natively on the Delta Lake architecture and powered by Anthropic's Claude 4.6 reasoning engine, Lakewatch moves beyond simple alerting into autonomous threat hunting and investigation.

Moving Security to the Data, Not the Other Way Around

Traditional SIEMs like Splunk or Sentinel require data to be ingested into proprietary silos, leading to massive egress costs and "data lag." Lakewatch flips the script by running security logic directly on the Lakehouse. This means security teams can analyze petabytes of historical logs without moving a single byte. By leveraging Unity Catalog for unified governance, Lakewatch can correlate network logs, CloudTrail events, and application telemetry in a single, high-performance environment.

The "Agentic" part comes from the deep integration with Anthropic Claude. Unlike traditional AI assistants that simply summarize alerts, Lakewatch's agents can independently formulate a hypothesis, write SQL queries to test it, analyze the results, and then pivot to a different data source if the hypothesis is disproven. This mimics the workflow of a senior SOC (Security Operations Center) analyst at machine speed.

Autonomous Investigation Workflows

When Lakewatch detects a potential anomaly—such as a suspicious IAM role assumption followed by a large data transfer—it doesn't just fire an alert. It spawns a dedicated Investigation Agent. This agent immediately gathers context: Who owns the IAM role? What IP addresses were involved? Has this pattern occurred elsewhere in the industry? The agent then presents a complete, cited report to the human operator, often before the operator has even seen the initial alert.

Technically, Lakewatch utilizes Databricks' Serverless Compute to scale investigation resources on-demand. This is paired with a new feature called "Log-to-Logic" (L2L), which translates unstructured logs into a semantic graph that Claude can reason over. This solves the "dirty data" problem that has historically made AI-driven security difficult to implement at scale.

Technical Insight: The Anthropic Edge

Databricks chose Anthropic Claude for its superior tool-use reliability and lower hallucination rates compared to other frontier models. Claude's "Constitutional AI" framework also ensures that the security agents strictly adhere to corporate compliance policies during autonomous investigations.

Impact on the Security Operations Center

The goal of Lakewatch is not to replace security analysts, but to solve the "Alert Fatigue" crisis. By automating the first 30–60 minutes of every investigation, Lakewatch allows human analysts to focus on high-level strategy and complex response. Databricks claims that early beta testers saw a 70% reduction in Mean Time to Resolution (MTTR) for critical incidents.

The pricing model is also disruptive. Instead of charging per GB of ingestion, Databricks is charging based on Compute usage and Agent outcomes. This aligns the cost of the tool with the value it provides, a significant shift from the legacy "tax on data" model. Lakewatch is available in public preview starting today for all Databricks SQL customers.

Ready to Modernize your SOC?

Sign up for a Lakewatch Demo and see how Agentic SIEM can transform your security posture.
