
Databricks Announces Lakewatch, a New Open Agentic SIEM

[Figure: Databricks Lakewatch infographic showing data sources feeding into AI security agents, with “Open Agents” and “Open Formats” panels explaining detection, triage, analytics, and response across Delta Lake, Parquet, and Iceberg.]

Published: March 24, 2026

Announcements | 5 min read

Summary

  • The vision for an open security lakehouse: why legacy SIEMs fail to scale, and how Lakewatch unifies all telemetry in an open security lakehouse to eliminate silos.
  • Fighting agents with agents: how embedded AI and "Genie" agents automate threat detection, natural-language hunting, and incident response at machine speed.
  • Modern SecOps economics: decoupling compute from storage cuts costs by up to 80% while retaining petabytes of data for years.

Today, we're announcing Lakewatch, a new open, agentic SIEM designed to help organizations defend against increasingly sophisticated agent attackers. Lakewatch unifies security, IT, and business data into a single, governed environment for AI detection and response. With open formats, Lakewatch enables customers to ingest, retain and analyze unprecedented volumes of multi-modal data, while slashing costs and eliminating vendor lock-in. Security teams gain complete visibility across the enterprise and can deploy defensive security agents to automate threat detection and response at massive scale. Lakewatch is launching today in Private Preview, with customers including industry leaders like Adobe and Dropbox.

We are also launching an “Open Security Lakehouse Ecosystem,” which brings together leading security and delivery partners to help customers automate the normalization of telemetry into open formats and respond to modern threats at the unified scale that automated, machine-speed defense requires.

Security for the Agentic Era

Security is fundamentally changing. Cyberattacks are no longer just human-operated. They're increasingly AI-driven and automated. LLMs have discovered 500+ zero days in open-source code, AI agents have become top-ranked hackers on bug bounty platforms, and state-sponsored groups are weaponizing AI to automate intrusions. Attackers now operate at machine scale, working 24/7 to construct exploits and coordinate attacks.

In the face of these machine-scale attacks, even the best security operations teams face structural constraints. Today's security tools require analysts to manually enrich alerts, hand-author detection rules, and test threat hunting hypotheses over days or weeks. These workflows could be effective against human-paced threats. Against AI-driven attacks operating 24/7 and at machine speed, the architecture itself becomes the bottleneck. ZeroDayClock.com found that the mean time to exploit has collapsed from 23.2 days in 2025 to just 1.6 days in 2026.

The problem compounds when you look at the data. Large enterprises generate terabytes, or even petabytes, of security data daily, but traditional SIEMs couple storage with compute, creating a financial penalty on every byte ingested. Teams respond by limiting ingestion, filtering data through routing layers, deleting historical data, and ignoring multimodal sources like chat logs and video entirely. This creates a dangerous asymmetry: attackers use AI agents to analyze everything and attack anywhere, while defenders see only a fraction of their own data. Traditional SIEMs can't process multimodal data, yet it's exactly where social engineering attacks, insider threats, and prompt injection attempts hide.

This isn't just a cost or scale problem. It's a fundamental architectural mismatch between the threats we face and the tools we have to fight them. We've solved this exact problem before. Data warehouses had the same limitations: expensive ingestion, siloed data, limited to specific use cases. The lakehouse disrupted that model with open formats, cheap storage, and support for any data type. Now we're bringing that same transformation to security.

Lakewatch brings the economics and architecture of the lakehouse to security operations. You can ingest and retain 100% of your security telemetry (including multimodal data), analyze it alongside all your business data, and deploy AI-powered agents for detection and response at a fraction of legacy costs.

How Lakewatch Changes Security Operations

Complete Visibility Across All Data

Organizations already possess the context needed to investigate threats. HR systems, collaboration platforms, application logs, and transaction data sit in the lake today, but traditional security tools can't access it without costly duplication. Lakewatch flips the model: security runs directly on the lakehouse. Built on Unity Catalog, your security data sits alongside everything else. When an alert fires, you can instantly correlate across any data source without moving files or switching tools. Modern attacks exploit gaps between systems and rely on social engineering, insider context, and multimodal signals that legacy tools can’t process. With all context in one place, analysts can detect and contain threats in minutes instead of days.

Lakewatch makes this possible through:

  • Enterprise-wide governance: Fine-grained access control at table, row, column, and attribute levels with full auditability across all data.
  • Open standards: Built on the Open Cybersecurity Schema Framework (OCSF) so your data never locks into proprietary formats.
  • Automated ingestion: Lakeflow Connect handles ingestion and normalization of major security sources (AWS, Okta, Zscaler, etc.) into standardized tables.
  • True data ownership: Store data in Delta Lake or Apache Iceberg in your own cloud storage, run queries across any cloud, and prevent vendor lock-in.

Fight Agents with Agents

Traditional SIEMs rely on bolt-on AI features that can't access the full context of your data. Lakewatch brings embedded AI directly to where your security data lives. Genie automates critical workflows such as ingesting and parsing new log sources to OCSF, authoring net-new detections based on the latest threat intelligence, modifying existing rules to reduce false positives, and translating natural language questions into SQL queries. Genie Spaces lets security teams query petabytes of data using plain English instead of specialized query languages, democratizing threat hunting across skill levels.

Key Capabilities Include:

  • Genie Code: An AI assistant that automates ingestion, authors net-new detections, modifies rules to reduce false positives, and translates natural language questions into SQL queries for investigation.
  • Genie Spaces: A natural language query interface and agentic harness that lets any user perform complex multi-step threat hunting, asking questions of their data without learning specialized query languages.
  • Detection-as-Code: Define detection rules in YAML with SQL queries or Python notebooks, backtest against historical data, and deploy through CI/CD pipelines.
  • Custom ML Detections: Train and deploy machine learning models directly on your security data using MLflow, Feature Store, and Model Serving, enabling anomaly detection, behavioral analytics, entity risk scoring, and more.
  • Powerful dashboards: Create executive, operational, and compliance dashboards with AI-enhanced visualizations for real-time monitoring.
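The Detection-as-Code bullet above (rules defined as YAML with a SQL query, backtested against historical data, and deployed through CI/CD) and the earlier point about modifying rules to reduce false positives are easiest to understand as a small pipeline. The following is an added illustration, not Lakewatch code, and it makes several assumptions: the rule format with `name`, `severity`, `query` and `expected_hits` keys is hypothetical; the rules are written in the JSON subset of YAML so Python's standard library can parse them (a real pipeline would load `.yaml` files with PyYAML); the `events` table is an in-memory SQLite stand-in for a lakehouse table; and the sample telemetry is constructed, flattened to a handful of OCSF-like fields (only the numeric codes `class_uid 3002` = Authentication and `status_id` 1/2 = Success/Failure follow the published OCSF schema).

```python
"""Detection-as-code backtest gate: load a rule, run its query over historical
events, and compare the hits with the analyst's expected hits.  Added example;
rule format, table layout and sample data are assumptions, not Lakewatch's."""
import json
import sqlite3

# Constructed sample telemetry, flattened to a small OCSF-like subset.
SAMPLE_EVENTS = [
    {"event_time": 1, "class_uid": 3002, "status_id": 2, "actor_user": "alice", "src_ip": "203.0.113.5"},
    {"event_time": 2, "class_uid": 3002, "status_id": 2, "actor_user": "alice", "src_ip": "203.0.113.5"},
    {"event_time": 3, "class_uid": 3002, "status_id": 2, "actor_user": "alice", "src_ip": "203.0.113.5"},
    {"event_time": 4, "class_uid": 3002, "status_id": 1, "actor_user": "alice", "src_ip": "203.0.113.5"},
    {"event_time": 5, "class_uid": 3002, "status_id": 2, "actor_user": "bob", "src_ip": "198.51.100.7"},
    {"event_time": 6, "class_uid": 3002, "status_id": 1, "actor_user": "carol", "src_ip": "198.51.100.9"},
    {"event_time": 7, "class_uid": 4001, "status_id": 1, "actor_user": "carol", "src_ip": "198.51.100.9"},
]

# Hypothetical rule format, written in the JSON subset of YAML.  The first
# draft flags any failed logon; the revision raises the threshold to cut noise.
RULE_V1 = """
{
  "name": "auth_failure_burst",
  "severity": "medium",
  "description": "Any failed logon for a user (first draft, too noisy)",
  "query": "SELECT actor_user, COUNT(*) AS failures FROM events WHERE class_uid = 3002 AND status_id = 2 GROUP BY actor_user HAVING COUNT(*) >= 1",
  "expected_hits": ["alice"]
}
"""
RULE_V2 = """
{
  "name": "auth_failure_burst",
  "severity": "medium",
  "description": "Three or more failed logons for one user in the window",
  "query": "SELECT actor_user, COUNT(*) AS failures FROM events WHERE class_uid = 3002 AND status_id = 2 GROUP BY actor_user HAVING COUNT(*) >= 3",
  "expected_hits": ["alice"]
}
"""


def load_rule(text: str) -> dict:
    """Parse a rule and enforce the minimal contract a CI gate would check."""
    rule = json.loads(text)
    for key in ("name", "severity", "query", "expected_hits"):
        if key not in rule:
            raise ValueError(f"rule missing required key: {key}")
    query = rule["query"].strip()
    # Detections must be single read-only statements; reject anything else.
    if not query.upper().startswith("SELECT") or ";" in query:
        raise ValueError("detection query must be a single read-only SELECT")
    return rule


def build_event_table(events: list) -> sqlite3.Connection:
    """Load the historical events into an in-memory table named `events`."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE events (event_time INTEGER, class_uid INTEGER, "
        "status_id INTEGER, actor_user TEXT, src_ip TEXT)"
    )
    conn.executemany(
        "INSERT INTO events VALUES (:event_time, :class_uid, :status_id, :actor_user, :src_ip)",
        events,
    )
    return conn


def backtest(rule: dict, events: list) -> dict:
    """Run the rule over history and diff its hits against expected_hits."""
    conn = build_event_table(events)
    try:
        rows = conn.execute(rule["query"]).fetchall()
    finally:
        conn.close()
    hits = sorted(row[0] for row in rows)
    expected = set(rule["expected_hits"])
    unexpected = sorted(set(hits) - expected)   # false positives on known-benign history
    missed = sorted(expected - set(hits))       # known incidents the rule fails to catch
    return {
        "rule": rule["name"],
        "hits": hits,
        "unexpected": unexpected,
        "missed": missed,
        "passed": not unexpected and not missed,
    }


if __name__ == "__main__":
    for text in (RULE_V1, RULE_V2):
        print(backtest(load_rule(text), SAMPLE_EVENTS))
```

Run as a script, the first draft fails the gate because it also fires on `bob`'s single failure, while the revised threshold passes with `alice` as the only hit. In a CI/CD pipeline the `passed` flag is what blocks a merge; the `unexpected` list is the false-positive evidence an analyst would use when tuning, and `missed` guards against a tuning change silently dropping a detection that previously caught a real incident.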

Efficient SecOps at Petabyte Scale

By decoupling storage from compute, you can store petabytes of full-fidelity security telemetry in your own cloud storage and only pay for compute. Run analytics only when needed using Serverless compute. Maintain years of hot-queryable data instead of weeks. You own the data. You control the costs.

This translates to:

  • Own your data: Security telemetry stored in cloud object storage you control (S3, ADLS, GCS) using open formats.
  • Long-term retention: Meet compliance requirements and power threat hunting over multi-year periods without cost penalties.
  • Predictable economics: Store full-fidelity logs at scale without incurring per-byte license fees.
  • Elastic compute on demand: Provision powerful analytics and ML workloads only when needed with fine-grained cost control.
  • Serverless performance: No infrastructure to manage. Pay only for the queries you run.

Deepening the Partnership with Anthropic

Building on the success of the two companies' existing strategic partnership, Databricks and Anthropic are deepening their collaboration to deliver agentic security operations. Anthropic's Claude models power Lakewatch, using Claude's advanced reasoning to correlate signals across security, IT, and business data and detect threats faster. Anthropic also uses Databricks for its own security lakehouse, gaining complete visibility across security and business data and detecting threats earlier.

The Open Security Lakehouse Ecosystem

Databricks believes today's threats require open collaboration across the ecosystem, with customers keeping full control of their own data. That is why we are excited to announce the “Open Security Lakehouse Ecosystem,” a rapidly growing group of leading security vendors and delivery partners including Akamai, Anvilogic, Arctic Wolf, Cribl, Deloitte, Obsidian, Okta, 1password, Palo Alto Networks, Panther, Proofpoint, Rearc, Slack, TrendAI, Wiz (now part of Google Cloud), and Zscaler.

Zscaler shares Databricks' commitment to an open ecosystem. We are excited to join the Open Security Lakehouse Ecosystem and give our mutual customers the data and tools they need to defend against AI-native attacks with AI-native solutions. — Eddie Parra, VP Solutions Architect Partner Ecosystem, Zscaler

As cyber threats evolve into AI-driven attacks at scale, organizations may need fundamentally new architectures to keep pace. Lakewatch represents a step forward for security operations, bringing the power of the Databricks lakehouse to the SOC so teams can harness their data, deploy intelligent agents, and stay ahead of evolving threats. — Jennifer Vitalbo, Managing Director, and Government and Public Services Cyber Defense and Resilience Offering Leader, Deloitte & Touche LLP

Expanding Security Leadership with the Acquisitions of Antimatter and SiftD.ai

To advance our open, agentic SIEM approach, Databricks is announcing the acquisition of both Antimatter and SiftD.ai. Antimatter was founded by UC Berkeley security researchers who laid the groundwork for verifiable authentication and authorization for AI agents. SiftD.ai, founded by the creator of Splunk's Search Processing Language (SPL) and chief architects of Splunk's search stack, brings deep expertise in large-scale detection engineering and modern threat analytics.

Learn More

Lakewatch represents a fundamental shift in how security operations work. As an open security lakehouse, it is more economical and more architecturally flexible, and its AI capabilities are built in natively rather than bolted on.

Lakewatch is launching in Private Preview as we work toward broader availability. If you are facing cost pressure or retention limits, or want to bring large-scale security workloads onto your data platform, we want to hear from you.

To learn more about how to modernize your SOC, visit the Lakewatch product page.
