Databricks Buying Panther Labs to Fight Splunk With AI

The Databricks panther acquisition is a strategic response to a new reality in cybersecurity. Databricks, the $134bn data-and-AI titan, is purchasing startup Panther Labs to bolster its security portfolio. The urgency comes from AI: attackers now use artificial intelligence to find and exploit software vulnerabilities in a fraction of the time it used to take. As CEO Ali Ghodsi warns, “If they’re going to attack you with agents, you have to defend with agents.” This move positions Databricks to offer a next-generation SIEM replacement built on its data lakehouse, aiming to give defenders an AI-powered edge in a rapidly evolving threat landscape.

What Is Panther Labs and How Does It Fit Into Databricks?

To understand the Databricks panther acquisition, you first need to know what Panther Labs actually does. Think of it as a security data platform that acts like a central hub for all your security information. Instead of security teams manually sifting through logs from dozens of different tools, Panther pulls a company’s security data into one place so AI agents can triage alerts and investigate threats automatically. This means less time chasing false alarms and more focus on real dangers.

Databricks panther acquisition - real-life example
Bild: Alexas_Fotos / Pixabay

This capability is exactly what Databricks is after. By integrating Panther, Databricks can offer AI threat detection directly from its data lakehouse. The idea is simple: your security data already lives in the lakehouse, so why not let AI analyze it there without moving it to another system? Panther’s technology makes that possible, automating the routine work of alert triage and letting human analysts concentrate on complex investigations.

It’s worth noting that Panther already has a notable customer in Anthropic, the AI safety company. While the exact reason Anthropic chose Panther remains unclear, it suggests the platform works well for organizations that prioritize both security and cutting-edge AI.

This acquisition is also part of a pattern. Panther is Databricks’ third security purchase, following Antimatter and SiftD.ai. Each buy adds a different piece to the puzzle — data masking, threat detection, and now automated investigation. Together, they build toward a unified security offering that competes directly with Splunk.

Databricks’ ‘Security Lakehouse’ vs. Legacy SIEM Solutions

With Panther Labs now in the fold, Databricks is positioning the combined technology as a ‘security lakehouse’ — a modern alternative to traditional Security Information and Event Management (SIEM) software like Splunk. Instead of keeping data locked in separate silos for indexing and search, this approach centralizes everything in a single data lake and applies AI for real-time analysis. The idea is to give you faster threat detection and a more unified view of your security posture, all without the complexity of older tools.

The security lakehouse concept builds on what Databricks already started earlier this year. Back in March, the company launched Lakewatch, its own take on a security lakehouse. That product aimed to unify data pipelines and AI models for security teams. Now, with the Databricks panther acquisition, the platform gains automated investigation capabilities, making it even more practical for incident response. You get the storage and analytics of a lakehouse plus the hands-off triage that Panther Labs provides.

This move directly targets legacy SIEM vendors. Traditional systems like Splunk often require you to predefine schemas and pay high licensing costs for indexed data. A security lakehouse aims to remove those limits by using cloud-cost storage and open formats. At the same time, Databricks is stepping into competition with dedicated security platforms like CrowdStrike. While exact details on how the security lakehouse outperforms these rivals are not yet public, the strategy is clear: offer a simpler, AI-driven alternative that consolidates security data and workflows in one place. For you, this could mean fewer tools to manage and faster answers when a threat emerges.

Databricks’ Three-Year Pursuit of Panther: An Acquisition Strategy Emerges

That goal of simplifying security operations didn’t happen overnight. The Panther acquisition caps a multi-year effort and reveals Databricks’ deliberate strategy to build a comprehensive security portfolio through targeted buys. In fact, this is now Databricks’ third security acquisition, which signals a focused M&A strategy rather than a one-off purchase.

Inspiration for Databricks panther acquisition
Bild: singielmama / Pixabay

Panther joins two earlier cybersecurity acquisitions: Antimatter and SiftD.ai. Antimatter brought encryption and data-privacy capabilities to the table, while SiftD.ai added AI-powered data classification. With Panther, Databricks gets a cloud-native security information and event management (SIEM) platform that can ingest and analyze logs at scale. Together, these three buys form a growing security stack that Databricks can weave into its existing data lakehouse.

The companies did not disclose the price, but context helps here. Panther was last valued at $1.4 billion in 2021, so this deal likely involved a significant investment. Still, integration challenges from combining Antimatter, SiftD.ai, and Panther are not addressed yet. Merging different product architectures, teams, and customer workflows takes time, and Databricks will need to prove it can deliver a seamless experience. For you, this means the full value of the Databricks Panther acquisition may take a few product cycles to materialize.

What’s clear is that Databricks is betting big on a unified security platform, built on its own data infrastructure. If the integration goes smoothly, you could see a single pane of glass for threat detection, data protection, and compliance — all powered by AI.

How AI Agents Are Reshaping the Cybersecurity Landscape

That unified platform vision is timely because the ground is shifting under security teams’ feet. Attackers have already weaponized AI to shorten the window between discovering a software flaw and exploiting it. Instead of manually scanning for weaknesses, they now use AI agents to hunt faster than any human defender can respond. This flips the old cat-and-mouse game: the attacker now holds the speed advantage.

Databricks CEO Ali Ghodsi put it bluntly: “If they’re going to attack you with agents, you have to defend with agents.” That statement captures the logic behind the Databricks panther acquisition. It’s not just about adding more logs or alerts to a dashboard — it’s about deploying defensive AI that can fight back at machine speed.

Panther Labs brings exactly that capability. Its platform uses AI agents to automate the two most time-consuming stages of incident response: triage and investigation. Instead of a human analyst sifting through thousands of raw security events, Panther’s agents can classify alerts, correlate suspicious activity across data sources, and even kick off containment actions without waiting for a person to click. This kind of cybersecurity automation directly addresses the attacker’s speed advantage — it shortens the mean time to detect and respond, which is the only metric that matters when every second counts.

By weaving these agent-based defenses into a data lakehouse architecture, Databricks aims to give defenders a real-time edge. You get a system that learns from the full context of your network logs, user behavior, and threat intelligence, then acts on that knowledge autonomously. The attacker advantage of speed doesn’t disappear, but you level the playing field — your AI agents are watching, correlating, and responding while human analysts focus on the tough decisions.

Integration Hurdles and Implications for Databricks’ IPO Plans

So you have a smarter security team ready to fight back with AI agents. But the path to that future isn’t without its bumps. With the Databricks Panther acquisition, the company now owns a handful of security tools — including Antimatter and SiftD.ai — and merging them into one cohesive security lakehouse is a significant challenge. Databricks hasn’t publicly addressed how it plans to combine these different codebases, data models, and engineering teams. That silence is notable because integration challenges can slow down product updates and frustrate customers who just want a single, reliable platform.

There’s also the question of timing. Public disclosures for the deal are missing key details, like the timeline for regulatory clearance and the expected close date. Without that information, you’re left wondering how soon Panther’s capabilities will actually show up in your Databricks environment. Delays in closing could give competitors — including Splunk — time to adjust their own AI strategies.

Then there’s the elephant in the room: the IPO impact. Databricks has been widely expected to go public, and every acquisition adds complexity to that narrative. While the company hasn’t discussed how this deal affects its IPO plans, investors and analysts will be watching closely. A large security acquisition can signal growth, but it also means absorbing new costs and integrating teams — all while trying to present a clean, focused story to the market. For you, the practical takeaway is that the acquisition timeline and smooth integration will determine whether this move pays off in the short term or becomes a longer road to a unified security platform. Keep an eye on how Databricks communicates its next steps; that will tell you a lot about its broader ambitions.

Frequently Asked Questions

How does the Databricks Panthera acquisition change how you use AI in cybersecurity?

The Databricks Panthera acquisition brings AI-powered threat detection directly into your data lakehouse. Instead of sending security logs to a separate SIEM tool, you can run machine learning models on your data where it already lives. This makes detection faster and reduces the complexity of moving data between systems. You get real-time analysis without the high cost of traditional log indexing.

What is the security lakehouse, and how does it differ from legacy SIEM solutions?

A security lakehouse combines a data lake’s storage flexibility with a data warehouse’s query performance, all on one platform. Legacy SIEM solutions require you to ingest logs into a proprietary store, which is expensive and limits scalability. With a security lakehouse, you keep your raw data in an open format, run AI models directly on it, and only pay for the compute you use. This practical approach cuts costs and gives you more control over your security analytics.

Why did Databricks buy Panther Labs now instead of building a similar tool?

Databricks bought Panther Labs to accelerate its entry into the cybersecurity market with a proven, AI-ready platform. Building a comparable security detection engine from scratch would take years of development and domain expertise. By acquiring Panther, Databricks gains an open-source-based, schema-on-read architecture that fits naturally with its lakehouse. This move lets you immediately use advanced threat detection without waiting for a new product to mature.


Add Comment