Databricks is bulking up its security ambitions, snapping up two small startups to anchor Lakewatch, a new AI-driven product built to monitor and protect the data lakehouse. The company confirmed acquisitions of Antimatter and SiftD.ai, moves that fold specialized agent-safety and human-in-the-loop tooling into a platform that fuses SIEM-style detection and investigation with conversational AI agents powered by Anthropic’s Claude.
Inside Lakewatch and the Acquisitions Driving Its Launch
Lakewatch extends Databricks’ core strength—centralizing and transforming massive datasets—into continuous threat detection, incident response, and compliance workflows. Instead of analysts hopping between consoles, Lakewatch aims to let teams query security telemetry, triage alerts, and generate investigations through natural language prompts, with AI agents automating the heavy lifting across petabyte-scale logs and events.
Antimatter brings a “data control plane” designed to deploy AI agents safely around sensitive information, enforcing fine-grained policies such as redaction, tokenization, and context boundaries. Its founder, security researcher Andrew Krioukov, is now leading the Lakewatch team at Databricks. The second deal appears closer to an acqui-hire: SiftD.ai built an interactive notebook for people and agents to co-investigate issues—useful scaffolding for Lakewatch’s analyst workflows. SiftD’s co-founder and CEO Steve Zhang previously served as Splunk’s chief scientist and created the widely used Search Processing Language, experience that is directly relevant to log-centric detection.
Terms were not disclosed. PitchBook has estimated that Antimatter previously raised $12 million, led by New Enterprise Associates. Both teams have joined Databricks, with Antimatter contributing intellectual property and SiftD.ai strengthening agent-centric analyst experiences.
Why Databricks Is Building An AI-First SIEM
Security operations centers are drowning in data: endpoint telemetry, cloud audit logs, application traces, identity events. Large enterprises routinely ingest tens of terabytes of security-relevant data daily, and traditional per-gigabyte SIEM licensing penalizes teams precisely as that volume grows, which pushes them to drop or sample sources they would rather keep. By treating security as a native workload on the lakehouse, Databricks is betting it can lower ingestion costs, unify analytics, and apply large models to reduce alert fatigue and accelerate investigations.
The timing is strategic. The SIEM and security analytics market has been reshaped by consolidation and AI promises alike. Cisco’s $28 billion acquisition of Splunk underscored the value of security data platforms. Meanwhile, cloud providers have pushed their own offerings, such as Microsoft Sentinel and Google Chronicle, and platform players like Palo Alto Networks and CrowdStrike tout AI-driven investigations. Databricks enters with a differentiator: many of its customers already centralize operational and business data on its lakehouse, which can enrich security detections with context that point tools lack.
Agent Safety And Data Controls As Table Stakes
Running AI agents across sensitive corporate data introduces new risks: prompt injection, data exfiltration, over-permissive actions, and compliance violations. Antimatter's technology addresses those concerns with guardrails that constrain what agents can see and do, aligning with guidance from frameworks like the NIST AI Risk Management Framework. Expect Lakewatch to emphasize policy-as-code for data access (which tables and columns an agent may read, and whether a value is passed through, tokenized, or redacted), automated masking of regulated data, and auditable decision trails so security leaders can prove control and meet regulatory scrutiny.
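To make the three controls concrete, here is an added example of a policy-as-code data guardrail placed between an agent and a lakehouse row. It is illustrative code written for this article, not Antimatter's or Databricks' implementation; the table name, column policy, sample row and HMAC key are all constructed assumptions. Each column is passed through, tokenized (keyed HMAC, so the same e-mail always maps to the same pseudonym and joins still work), redacted, or dropped by default, a table with no policy is invisible to the agent (the context boundary), and every decision is appended to an audit trail.

```python
"""Hypothetical policy-as-code guardrail for an AI agent's data access.

Added example, not Antimatter's or Databricks' code. Policy, table name,
sample row and key are constructed for illustration.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed sample record, shaped like a row an agent might pull from a table.
SAMPLE_ROW = {
    "table": "hr.employees",
    "employee_id": "E-1042",
    "email": "jane.doe@example.com",
    "ssn": "123-45-6789",
    "department": "Finance",
    "salary": 182000,
    "home_address": "1 Main St",   # no policy entry -> dropped by default
}

# Declarative per-table, per-column policy.  "allow" passes the value through,
# "tokenize" substitutes a keyed pseudonym, "redact" blanks it; anything not
# listed is dropped (default deny).  Tables not listed are invisible entirely.
POLICY = {
    "hr.employees": {
        "employee_id": "allow",
        "department": "allow",
        "email": "tokenize",
        "ssn": "redact",
        "salary": "redact",
    }
}

# Assumption: in a real deployment this is a per-tenant secret from a KMS.
TOKEN_KEY = b"demo-key-rotate-me"


@dataclass
class AuditEvent:
    agent: str
    table: str
    column: str
    action: str


@dataclass
class DataControlPlane:
    policy: dict
    audit_log: list = field(default_factory=list)

    def _tokenize(self, value: str) -> str:
        # Keyed HMAC: deterministic per tenant, but unrecoverable without the key.
        digest = hmac.new(TOKEN_KEY, value.encode(), hashlib.sha256).hexdigest()
        return f"tok_{digest[:16]}"

    def filter_row(self, agent: str, row: dict) -> dict:
        table = row["table"]
        table_policy = self.policy.get(table)
        if table_policy is None:
            # Context boundary: no policy means the agent may not see the table.
            self.audit_log.append(AuditEvent(agent, table, "*", "deny"))
            raise PermissionError(f"{agent} may not read {table}")
        out = {"table": table}
        for column, value in row.items():
            if column == "table":
                continue
            action = table_policy.get(column, "drop")
            if action == "allow":
                out[column] = value
            elif action == "tokenize":
                out[column] = self._tokenize(str(value))
            elif action == "redact":
                out[column] = "[REDACTED]"
            # "drop": the column is omitted from what the agent receives
            self.audit_log.append(AuditEvent(agent, table, column, action))
        return out


if __name__ == "__main__":
    cp = DataControlPlane(POLICY)
    print(cp.filter_row("triage-agent", SAMPLE_ROW))
    for ev in cp.audit_log:
        print(ev)
```

The point of the audit list is that the policy engine, not the model, is the record of what the agent was shown; a prompt-injected agent cannot talk its way past a column it never received.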
On the workflow side, SiftD.ai's notebook model supports human-in-the-loop operations. Analysts can iteratively test hypotheses, orchestrate agent tasks, and capture reasoning steps in one place, which serves both rapid response and formal post-incident reviews. Vendor-published SOC case studies claim AI copilots cut triage and investigation times by 30–50%; those are the vendors' own numbers, but they set the benchmark Lakewatch will be judged against as customers pilot the system.
What Adoption Could Look Like in Early Deployments
Early deployments will likely target high-volume log sources—cloud infrastructure, identity providers, and application telemetry—where AI can correlate signals and surface likely root causes. A typical scenario: Lakewatch flags anomalous data access in a storage account, cross-references IAM changes, summarizes probable insider risk, and generates a containment plan that can be executed via runbooks—while preserving an auditor-ready narrative of each step taken by agents and humans.
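The scenario above is a correlation rule, and it is worth seeing what one looks like in plain code. The following is an added example written for this article, not Lakewatch code: it flags a principal whose reads from a storage account in the current window dwarf that principal's own baseline, looks back for IAM changes targeting the same principal, and emits a finding whose sorted timeline and narrative are the auditor-ready record. The event field names (`principal`, `account`, `op`, `bytes`, `target`, `detail`) and the runbook names are assumptions modelled loosely on cloud audit logs, not any provider's schema, and the sample events are constructed.

```python
"""Hypothetical anomalous-access / IAM-change correlation rule.

Added example, not Lakewatch or Databricks code.  Event schema, thresholds
and runbook names are assumptions; the sample telemetry is constructed.
"""
from datetime import datetime, timedelta

# Constructed sample telemetry (UTC, ISO-8601).  Not real logs.
STORAGE_EVENTS = [
    {"ts": "2024-06-03T01:10:00", "principal": "svc-etl", "account": "prod-datalake", "op": "GetObject", "bytes": 5_000_000},
    {"ts": "2024-06-03T02:10:00", "principal": "svc-etl", "account": "prod-datalake", "op": "GetObject", "bytes": 5_500_000},
    {"ts": "2024-06-03T09:00:00", "principal": "alice",   "account": "prod-datalake", "op": "GetObject", "bytes": 2_000_000},
    {"ts": "2024-06-03T21:30:00", "principal": "alice",   "account": "prod-datalake", "op": "GetObject", "bytes": 300_000_000},
    {"ts": "2024-06-03T21:35:00", "principal": "alice",   "account": "prod-datalake", "op": "GetObject", "bytes": 400_000_000},
]
IAM_EVENTS = [
    {"ts": "2024-06-01T10:00:00", "actor": "ops", "op": "AttachRolePolicy", "target": "svc-etl", "detail": "StorageRead"},
    {"ts": "2024-06-03T20:50:00", "actor": "bob", "op": "AttachRolePolicy", "target": "alice",   "detail": "StorageAdmin"},
]


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def detect(storage_events, iam_events, now, window=timedelta(hours=2),
           lookback=timedelta(hours=24), factor=10.0, floor_bytes=1_000_000):
    """Return findings for principals whose reads in [now-window, now] exceed
    `factor` x their own largest earlier single read (or `floor_bytes`, so a
    tiny baseline cannot make ordinary traffic look anomalous)."""
    window_start = now - window
    baseline_peak = {}   # principal -> largest single read before the window
    window_total = {}    # principal -> bytes read inside the window
    window_events = {}   # principal -> the storage events in the window
    for ev in storage_events:
        t = _ts(ev["ts"])
        if ev["op"] != "GetObject" or t > now:
            continue
        p = ev["principal"]
        if t < window_start:
            baseline_peak[p] = max(baseline_peak.get(p, 0), ev["bytes"])
        else:
            window_total[p] = window_total.get(p, 0) + ev["bytes"]
            window_events.setdefault(p, []).append(ev)

    findings = []
    for p, total in window_total.items():
        peak = baseline_peak.get(p, 0)
        if total <= factor * max(peak, floor_bytes):
            continue
        # Cross-reference: privilege changes to this principal shortly before
        # or during the anomalous window.
        grants = [ev for ev in iam_events
                  if ev["target"] == p and window_start - lookback <= _ts(ev["ts"]) <= now]
        timeline = sorted(grants + window_events[p], key=lambda ev: ev["ts"])
        narrative = []
        for ev in timeline:
            if "actor" in ev:
                narrative.append(f'{ev["ts"]} {ev["actor"]} granted {ev["detail"]} to {p} via {ev["op"]}')
            else:
                narrative.append(f'{ev["ts"]} {p} read {ev["bytes"]:,} bytes from {ev["account"]}')
        # Hypothetical runbook identifiers; a real deployment maps these to
        # actual automation and keeps a human approval step for each.
        containment = [{"runbook": "revoke-role", "principal": p, "role": g["detail"]} for g in grants]
        containment.append({"runbook": "suspend-principal", "principal": p})
        findings.append({
            "principal": p,
            "severity": "high" if grants else "medium",
            "window_bytes": total,
            "baseline_peak_bytes": peak,
            "timeline": timeline,
            "narrative": narrative,
            "containment": containment,
        })
    return findings


if __name__ == "__main__":
    for f in detect(STORAGE_EVENTS, IAM_EVENTS, datetime(2024, 6, 3, 22, 0, 0)):
        print(f["principal"], f["severity"])
        print("\n".join(f["narrative"]))
```

Notice that the IAM lookback is what lifts the finding from "someone read a lot" to "someone was granted StorageAdmin fifty minutes before reading a lot": that join is the context a lakehouse with both log sources already loaded can supply cheaply, and it is exactly the kind of enrichment the article says point tools lack.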
Pricing and architecture choices will be pivotal. Customers will ask whether Lakewatch runs fully within their Databricks environment, how it isolates model contexts, which Anthropic Claude versions power specific tasks, and how connectors ingest third-party telemetry without duplicating storage. Transparent unit economics for ingestion, storage, and inference will determine whether Lakewatch displaces incumbent SIEM contracts or augments them as an analytics co-pilot.
The Competitive Picture and the Road Ahead for Lakewatch
Databricks is not trying to out-SIEM every SIEM. Instead, it is pitching a lakehouse-native security analytics layer that can coexist with, or eventually replace, legacy stacks where data gravity already favors Databricks. Success will hinge on high-fidelity detections, explainable AI outputs, and measurable gains in mean time to detect and respond. With Krioukov’s control-plane expertise and Zhang’s search pedigree inside the tent, Lakewatch has credible DNA to compete in a market racing to operationalize AI—safely and at scale.