Databricks pitches Lakewatch as a cheaper SIEM — but is it really?
Databricks has previewed Lakewatch, an open agentic SIEM built on its lakehouse architecture. Unlike traditional SIEMs that charge by the volume of data ingested, Lakewatch charges based on compute usage, which Databricks claims can reduce total cost of ownership by up to 80% while enabling retention of years of queryable security data. Analysts partially agree — the ingestion cost problem in legacy SIEMs is real — but warn that costs shift to compute rather than disappear, and uncontrolled usage could negate savings. Lakewatch integrates Unity Catalog, Lakeflow Connect, and the Open Cybersecurity Schema Framework (OCSF) to centralize security operations. Analysts see it as more likely to complement existing SIEMs than replace them in the near term, with early adoption expected from large enterprises already on Databricks. The company's acquisitions of Antimatter and SiftD.ai suggest a broader long-term ambition to build out a security portfolio.