Databricks Buys Panther Labs in $1.4B Cyber Play to Challenge CrowdStrike and Splunk

This article covers the company histories, the pre-existing integration, Databricks' earlier security buildout, the rationale for this specific deal, and how it reshapes competition in the security information and event management (SIEM) and broader cybersecurity market.

Company Histories

Panther Labs

Panther was founded in 2018 in San Francisco by Jack Naglieri, a former security engineering manager at Airbnb and Yahoo. While at Airbnb, Naglieri co-created StreamAlert, an open-source, serverless framework for real-time security data analysis that was later used by companies like Netflix and Coinbase.

The experience convinced him that legacy SIEM platforms could not handle cloud-scale data, leading him to build Panther as a cloud-native, detection-as-code platform that could ingest and normalize logs at petabyte scale and let teams write detection rules in Python. The company raised a $4.5 million seed round, a $15 million Series A in 2020, and a $120 million Series B in 2021, reaching a $1.4 billion valuation.

Databricks

Databricks is a data and AI platform company most recently valued at $134 billion. Founded in 2013, it commercialized Apache Spark and later developed the lakehouse architecture, which combines data lake flexibility with data warehouse reliability. In the lead-up to a widely anticipated IPO, the company began expanding aggressively into cybersecurity, positioning its platform as the central store for security telemetry and the engine for AI-driven detection and response.

Databricks' Yearlong Cybersecurity Buildout

The Panther acquisition is only the latest in a deliberate, well-funded push into security that began taking public shape in 2025.

September 2025 – Data Intelligence for Cybersecurity and Panther Partnership

In September 2025, Databricks launched “Data Intelligence for Cybersecurity,” a platform designed to unify fragmented security, IT, and business data on an open lakehouse and power AI agents for threat detection. Panther was named as a launch partner, and the companies jointly announced a private preview of an AI SOC platform that let security teams unify data and automate alert investigation directly on the Databricks Security Lakehouse.

March 2026 – Lakewatch Launch and Acquisitions of Antimatter and SiftD.ai

On March 24, 2026, Databricks entered the SIEM market directly with Lakewatch, an “open, agentic SIEM” that uses AI agents powered by Anthropic’s Claude to automate detection, investigation, and response. The company described Lakewatch as an alternative to legacy SIEMs from Splunk and Microsoft Sentinel, promising to slash costs by up to 80%.

Simultaneously, Databricks disclosed it had acquired two startups to underpin Lakewatch: Antimatter, for secure authentication and authorization of AI agents, and SiftD.ai, which brought detection engineering expertise from former Splunk engineers.

The Panther Acquisition: Details and Rationale

On June 16, 2026, Databricks announced it had agreed to acquire Panther Labs.

Deal terms

• Purchase price: Not publicly disclosed.
• Reference valuation: Panther was last valued at $1.4 billion in its 2021 Series B.

Strategic rationale
Databricks framed the deal as a way to “further establish the Security Lakehouse category” and “deliver what legacy SIEMs can't.” The official announcement highlighted several motivations:

• Add agentic SOC workflows: Panther's AI SOC platform triages and investigates every alert using swarms of agents, reducing the need for human analysts.
• Extend Databricks-native detection: Panther already allowed organizations to run real-time detections, threat hunting, and investigations directly on data stored in Databricks without moving it, duplicating it, or accepting proprietary lock-in.
• 100+ out-of-the-box integrations: Panther provides data connectors, detection-as-code, and workflows that plug immediately into the Databricks ecosystem.
• Replace legacy SIEMs: Databricks explicitly positions the combined offering as a replacement for traditional SIEM platforms, operationalizing agentic detection and response on a unified security lakehouse.

Panther's own website confirms that the platform runs inside a customer's AWS account, against their Snowflake or Databricks environment, keeping security data in the warehouse while the detection engine, workflows, and agents operate in place.

Competitive Implications

Databricks is now directly contesting a market historically dominated by two major incumbent categories: endpoint-centric platforms like CrowdStrike and data-analytics SIEMs like Cisco's Splunk.

vs. CrowdStrike
Multiple reports frame CrowdStrike as a primary competitor Databricks aims to challenge. CrowdStrike's strength lies in its endpoint detection and response (EDR) heritage and its Falcon platform's lightweight agent. Databricks' counter-argument is architectural: rather than routing security telemetry through a third-party cloud, Databricks enables organizations to run detections and AI-driven investigations directly on the data lake they already own and govern. Panther strengthens that story by providing the AI SOC layer that can automate triage and investigation natively on Databricks.

vs. Splunk
Cisco's Splunk is the legacy benchmark for SIEM and security analytics. Databricks' Lakewatch product and the Panther acquisition represent an attempt to shift the SIEM model from an appliance- or indexer-centric architecture to an open lakehouse architecture. The pitch is that customers can unify security, IT, and business data on one platform, apply AI agents to the whole dataset, and avoid the data duplication, infrastructure overhead, and vendor lock-in associated with traditional SIEMs.

The broader platform play
The cumulative sequence of acquisitions—Antimatter, SiftD.ai, and now Panther—shows that Databricks is not just bolting security features onto its data platform. It is assembling a complete security stack that spans data ingestion, threat analytics, agent authentication, and AI-powered SOC automation. Panther's existing customers, which Databricks says include Anthropic and other AI-native companies, give Databricks immediate credibility in defending the most demanding environments.

Open Questions

Several material details remain unclear from the available sources: the exact purchase price and deal structure; whether Panther will remain a standalone product or be merged into Lakewatch; and the precise go-to-market integration timeline. Also, Panther's reported acquisition of Datable in October 2025 could not be independently confirmed from the provided sources.