Decoding the world of cybersecurity

Databricks moves further into security data

Databricks’ planned acquisition of Panther reflects enterprise pressure to consolidate security telemetry, automate investigation, and rethink legacy SIEM economics.

Databricks moves further into security data
Summary
  • Databricks has agreed to acquire Panther, an AI SOC platform, as it expands its security lakehouse strategy.
  • Panther brings security data integrations, detection-as-code, and agentic SOC workflow capabilities.
  • The deal reflects procurement pressure around SIEM cost, security data scale, AI-assisted investigation, and platform consolidation.

Databricks has agreed to acquire Panther, extending its push into cybersecurity and increasing competition around security data platforms, SIEM replacement, and AI-assisted operations.

The company’s deal announcement describes Panther as an AI SOC platform and says the acquisition will support Databricks’ security lakehouse strategy. Panther’s product includes more than 100 data integrations, detection-as-code capabilities, and agentic SOC workflows for threat investigation.

Reuters reported that the transaction is Databricks’ third cybersecurity acquisition and that deal terms were not disclosed. Panther was valued at $1.4 billion after a 2021 funding round, according to the report. Databricks is using the deal to compete more directly with established security management providers, including CrowdStrike and Cisco’s Splunk.

The acquisition reflects a wider enterprise problem: security data volumes have outgrown many traditional operating models. Organisations collect logs from cloud services, SaaS platforms, identity providers, endpoints, networks, code repositories, applications, and security products. Many still struggle to store the data economically, query it quickly, detect meaningful patterns, and investigate alerts without exhausting analysts.

SIEM modernisation has become a procurement pressure point because the old trade-offs are harder to sustain. Restricting data ingestion can reduce cost but creates blind spots. Ingesting everything can produce licensing shock and operational noise. Moving security data into data lake or lakehouse architectures promises scale and analytics flexibility, while changing governance, ownership, skills, and supplier dependencies.

Databricks is arguing that AI agents can help investigate more alerts and make security operations more scalable. That proposition will appeal to organisations facing rising alert volumes and faster attack cycles, but evaluation has to cover data quality, access control, detection logic, model governance, auditability, and the ability to explain automated workflows.

The European procurement angle is substantial. Regulated organisations are already examining cloud concentration, data residency, support access, encryption control, and operational resilience under regimes such as DORA, NIS2, and national critical-infrastructure rules. Moving more security telemetry into a central data platform can improve visibility, but it can also create a dependency that needs to be governed as critical infrastructure.

Panther’s detection-as-code approach also points to a shift in security operations culture. Detection logic is increasingly managed like software: versioned, reviewed, tested, deployed, and improved through engineering processes. That can strengthen control and repeatability, while requiring skills and ownership models that some SOCs do not yet have.

Buyers considering this category need to examine where security data will live, who can access it, how investigations are audited, how AI agents are constrained, how false positives and false negatives are measured, what happens if the platform is unavailable during an incident, and how data can be moved if the architecture becomes commercially or operationally unsuitable.

Databricks’ Panther move shows security operations being pulled into broader data and AI platforms. Better scale and automation may follow, but security telemetry is now a strategic architecture decision rather than a tooling refresh.

×