The Problem Databricks Is Solving

Modern SOC teams are drowning. Threat volumes are exploding, attacks are increasingly AI-driven, and the tools defenders rely on were never designed for this environment.
Legacy SIEMs require manual data ingestion, hand-written detection rules, and alert-by-alert investigation. That’s a losing equation when attackers are moving at machine speed. The result is alert fatigue, missed threats, and burned-out analysts.
Databricks has been building toward a different answer: the security lakehouse — a unified platform that brings together security, IT, and business data under one governed architecture, with AI agents doing the heavy lifting.
Panther is the missing piece that makes that vision operational.
What Panther Actually Brings to the Table
Panther isn’t a generic security startup. It was founded by Jack Naglieri, the engineer behind StreamAlert — the open-source security data pipeline originally built at Airbnb. That DNA shows in the product.
Here’s what Panther adds to the Databricks stack:
100+ Pre-Built Data Integrations
Panther ships with over 100 deeply parsed, out-of-the-box integrations across cloud infrastructure, identity providers, endpoints, networks, and SaaS applications. No complex mapping. No months-long implementation. You connect your data sources and you’re ingesting immediately.
That’s a direct shot at one of the most painful parts of legacy SIEM deployments.
Detection-as-Code
Panther treats detection logic the way modern engineering teams treat software: kept in version control, unit-tested against sample events, and written in a real programming language rather than a proprietary query dialect. Security teams write, review, and deploy detection rules the way they ship code, which means faster iteration, an audit trail for every rule change, and tighter collaboration between security analysts and engineers.
Anthropic’s Head of Defense, Tim Nguyen, called this out directly: Panther gave their team “the flexibility to adapt quickly as their environment evolves.” That’s not marketing language — that’s a frontier AI lab describing how they actually operate.
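What detection-as-code looks like in practice, as an added example rather than Panther's or Databricks' own code: two detection rules written as plain Python functions, each carrying its own unit tests so that a rule change can be gated in CI, and a small evaluator that runs matching rules over parsed log records. The Rule layout, the record shape ({"log_type": ..., "event": ...}) and the CloudTrail-style sample events are assumptions constructed for this example and are not Panther's API.

```python
"""Detection-as-code: rules as versioned, unit-tested Python functions.

Added example, not Panther's or Databricks' code. The Rule layout, the record
shape and the CloudTrail-style events below are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Any, Callable, List, Tuple


def deep_get(obj: Any, *keys: str, default: Any = None) -> Any:
    """Safely walk nested dict keys; a missing or non-dict level returns default."""
    for key in keys:
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


@dataclass
class Rule:
    rule_id: str
    log_type: str
    severity: str
    detect: Callable[[dict], bool]   # True => raise an alert for this event
    title: Callable[[dict], str]     # human-readable alert title
    # (test name, event, expected detect() result): the rule's own unit tests
    tests: List[Tuple[str, dict, bool]] = field(default_factory=list)


def console_login_without_mfa(event: dict) -> bool:
    """Successful AWS console login where MFA was not used."""
    return (event.get("eventName") == "ConsoleLogin"
            and deep_get(event, "responseElements", "ConsoleLogin") == "Success"
            and deep_get(event, "additionalEventData", "MFAUsed") != "Yes")


def root_account_activity(event: dict) -> bool:
    """Root credentials used for any API call other than the login itself."""
    return (deep_get(event, "userIdentity", "type") == "Root"
            and event.get("eventName") != "ConsoleLogin")


def _actor(event: dict) -> str:
    return deep_get(event, "userIdentity", "arn", default="<unknown>")


RULES: List[Rule] = [
    Rule("aws.console_login_without_mfa", "AWS.CloudTrail", "HIGH",
         console_login_without_mfa,
         lambda e: f"Console login without MFA by {_actor(e)}",
         tests=[
             ("login with mfa is benign",
              {"eventName": "ConsoleLogin", "responseElements": {"ConsoleLogin": "Success"},
               "additionalEventData": {"MFAUsed": "Yes"}}, False),
             ("failed login without mfa does not fire",
              {"eventName": "ConsoleLogin", "responseElements": {"ConsoleLogin": "Failure"},
               "additionalEventData": {"MFAUsed": "No"}}, False),
             ("successful login without mfa fires",
              {"eventName": "ConsoleLogin", "responseElements": {"ConsoleLogin": "Success"},
               "additionalEventData": {"MFAUsed": "No"}}, True),
         ]),
    Rule("aws.root_account_activity", "AWS.CloudTrail", "CRITICAL",
         root_account_activity,
         lambda e: f"Root account called {e.get('eventName')} from {e.get('sourceIPAddress')}",
         tests=[
             ("root api call fires", {"eventName": "CreateUser", "userIdentity": {"type": "Root"}}, True),
             ("iam user api call is benign", {"eventName": "CreateUser", "userIdentity": {"type": "IAMUser"}}, False),
         ]),
]


def run_rule_tests(rules: List[Rule] = RULES) -> List[str]:
    """Run every rule's embedded tests; an empty list means all passed.
    In CI this is the gate that blocks a broken rule from being deployed."""
    failures = []
    for rule in rules:
        for name, event, expected in rule.tests:
            got = bool(rule.detect(event))
            if got != expected:
                failures.append(f"{rule.rule_id}: '{name}' expected {expected}, got {got}")
    return failures


def evaluate(records: List[dict], rules: List[Rule] = RULES) -> List[dict]:
    """Run each rule over records of its log type and return the alerts raised.
    A rule that raises becomes an ERROR alert instead of a silent blind spot."""
    alerts = []
    for rec in records:
        event = rec["event"]
        for rule in rules:
            if rule.log_type != rec["log_type"]:
                continue
            try:
                fired = bool(rule.detect(event))
            except Exception as exc:  # surface rule bugs rather than drop the event
                alerts.append({"rule_id": rule.rule_id, "severity": "ERROR", "title": f"rule raised {exc!r}"})
                continue
            if fired:
                alerts.append({"rule_id": rule.rule_id, "severity": rule.severity, "title": rule.title(event)})
    return alerts


# Constructed sample records, CloudTrail-shaped and trimmed to the fields used.
SAMPLE_RECORDS = [
    {"log_type": "AWS.CloudTrail", "event": {
        "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
        "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}}},
    {"log_type": "AWS.CloudTrail", "event": {
        "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
        "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}}},
    {"log_type": "AWS.CloudTrail", "event": {
        "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}}},
    {"log_type": "Okta.SystemLog", "event": {"eventType": "user.session.start"}},
]

if __name__ == "__main__":
    failures = run_rule_tests()
    assert not failures, failures
    for alert in evaluate(SAMPLE_RECORDS):
        print(alert["severity"], alert["rule_id"], "-", alert["title"])
```

Each rule ships with the events that must and must not trigger it, so a reviewer sees the intended behaviour in the same pull request as the logic, and `run_rule_tests` can be wired into CI as the deploy gate. The evaluator turns a rule that crashes into an ERROR alert rather than skipping the event, because a silently failing rule is a detection gap nobody notices.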
Agentic SOC Workflows

This is the core of the acquisition’s strategic value. Panther embeds AI agents directly into SOC workflows so that triage, context gathering, and response recommendations happen automatically — not after a human manually pulls logs and cross-references five different dashboards.
Every alert gets investigated. That’s the promise. And at scale, that’s only possible with agents doing the work.
How This Fits Into Lakewatch
Earlier in 2026, Databricks launched Lakewatch — its security lakehouse product designed to unify security data and enable agentic detection and response at enterprise scale. The pitch is straightforward: ingest everything, retain it affordably, and let AI agents surface what matters.
Panther plugs directly into that architecture and makes it production-ready for SOC teams.
Together, Lakewatch and Panther give security teams:
- A unified data layer that doesn’t force trade-offs between cost and retention
- Pre-built integrations that eliminate the ingestion bottleneck
- Agentic workflows that scale investigation without scaling headcount
- Detection-as-code that keeps rules maintainable and auditable
Databricks CEO Ali Ghodsi framed it plainly: “Legacy SIEM was never designed for AI.” The combination of Lakewatch and Panther is Databricks’ answer to what comes next.
Why This Acquisition Pattern Matters
Panther is Databricks’ third security acquisition, following Antimatter and SiftD.ai. That’s not coincidence — it’s a deliberate platform build-out.
Databricks is already trusted with the data of 70% of the Fortune 500. Adding a serious security layer on top of that data foundation creates a compounding advantage: the more data is unified in the lakehouse, the more effective detection becomes, and the more effective detection becomes, the harder the value is for competitors to replicate.
This is the classic platform play: make the core indispensable, then expand into adjacent workflows where the data advantage compounds.
For enterprise security buyers, this signals something important. The security tooling market is consolidating around data platforms, not point solutions. If your organization already runs on Databricks, the path to a modern SOC just got significantly shorter.
What SOC Teams Should Do Right Now
Watch Lakewatch + Panther closely. The combined platform isn’t fully integrated yet — the acquisition is still subject to regulatory clearance — but the roadmap is clear. Agentic detection and response on a unified lakehouse is where enterprise security is heading.
Audit your current SIEM costs. Legacy SIEMs are expensive to run, painful to scale, and increasingly inadequate against AI-driven threats. If you’re already paying for a platform that can’t investigate every alert, that’s a gap worth quantifying now.
Consider the detection-as-code model. If your security team doesn’t already treat detection logic as software, Panther’s approach is worth studying regardless of what platform you’re on. The engineering discipline it introduces pays dividends in speed and reliability.
The Bigger Picture
The SOC is at an inflection point — Panther’s own CEO said it, and the evidence backs it up. AI is changing how attacks are launched, and defenders who rely on manual workflows are already behind.
Databricks is making a clear bet: the organizations that win on security will be the ones that unify their data, automate their investigation workflows, and fight AI-driven attacks with AI. The Panther acquisition isn’t just a product addition — it’s a statement about what enterprise security looks like in the agentic era.
The legacy SIEM had a good run. Its replacement is being built right now, and Databricks just accelerated the timeline considerably.