Databricks Panther Labs to Replace Legacy SIEM
Databricks just made its biggest cybersecurity bet of 2026. On June 16, the company announced it agreed to acquire Panther Labs, an AI-powered Security Operations Center (SOC) platform. The Databricks Panther Labs deal was unveiled at the company’s annual Data + AI Summit in San Francisco. Financial terms were not disclosed. This is Databricks’ third cybersecurity acquisition this year, and it puts the $134 billion data giant squarely in competition with CrowdStrike and Cisco-owned Splunk.
What the Databricks Panther Labs Deal Actually Is
The combination of Databricks and Panther Labs is built to solve one urgent problem. The acquisition comes as cybersecurity teams face a growing challenge: attackers are using AI tools to identify and exploit software vulnerabilities at unprecedented speed, faster than any human security team can respond.
Panther Labs is an AI SOC platform. It pulls security-relevant data from across an organization into a single place. Then AI agents scan that data, detect threats, and trigger responses with minimal human input. Panther Labs was last valued at $1.4 billion after a $120 million Series B round in 2021, with backers including Snowflake Ventures and Coatue.
If you’ve been following the latest developments in enterprise cybersecurity threats, this kind of AI-driven SOC platform is exactly what security teams have been asking for.

Who Built Panther Labs and What It Does
Panther Labs was founded by the leader of the open source StreamAlert project originally created at Airbnb, and has grown into a cloud-native SIEM and AI SOC platform built on detection-as-code and security data lakes. The founder and CEO is Jack Naglieri.
The platform works differently from traditional SIEMs. Instead of manually writing alert rules, security engineers write detection logic in Python. An AI module can also generate that code from a simple plain-language prompt. If a false positive happens, a separate AI module traces the root cause and suggests a code fix automatically.
Panther uses filters that remove unnecessary parts from system log data, cutting data collection costs while helping organizations secure more of the data needed for intrusion analysis. It organizes collected data into an easy-to-analyze format and applies customers’ pre-built detection code to identify signs of threats within the data.
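The filter, normalize and detect flow described above, as an added example that is not Panther's code or API: the field names, threshold and function names are assumptions, and the log lines are constructed.

```python
import json
from collections import defaultdict
KEEP_FIELDS = {"ts", "user", "action", "result", "src_ip"}  # assumed schema
FAILED_THRESHOLD = 3  # assumed tuning value

# Constructed sample log lines (documentation IP ranges, made-up users).
RAW_LOGS = [
    '{"ts":"2026-01-01T10:00:01Z","user":"Alice","action":"login","result":"failure","src_ip":"203.0.113.7","debug":{"trace":"x"}}',
    '{"ts":"2026-01-01T10:00:02Z","user":"alice","action":"login","result":"FAILURE","src_ip":"203.0.113.7"}',
    '{"ts":"2026-01-01T10:00:03Z","user":"alice ","action":"login","result":"FAILURE","src_ip":"203.0.113.7"}',
    '{"ts":"2026-01-01T10:00:04Z","user":"alice","action":"login","result":"SUCCESS","src_ip":"203.0.113.7"}',
    '{"ts":"2026-01-01T10:00:05Z","user":"bob","action":"login","result":"FAILURE","src_ip":"198.51.100.4"}',
    '{"ts":"2026-01-01T10:00:06Z","user":"bob","action":"login","result":"SUCCESS","src_ip":"198.51.100.4"}',
    'not-json garbage line',
]

def ingest_filter(line):
    """Parse one raw line and keep only the fields the detections read."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None  # malformed line: skip it instead of stopping ingestion
    return {k: v for k, v in event.items() if k in KEEP_FIELDS} if isinstance(event, dict) else None

def normalize(event):
    """Canonicalize case and whitespace so one user maps to one key."""
    out = dict(event)
    out["user"] = str(event.get("user", "")).strip().lower()
    out["result"] = str(event.get("result", "")).upper()
    return out

def detect_bruteforce_success(events):
    """Alert on a success after FAILED_THRESHOLD+ consecutive failures per (user, src_ip)."""
    failures, alerts = defaultdict(int), []
    for e in sorted(events, key=lambda ev: ev.get("ts", "")):
        if e.get("action") != "login":
            continue
        key = (e["user"], e.get("src_ip"))
        if e["result"] == "FAILURE":
            failures[key] += 1
        elif e["result"] == "SUCCESS":
            if failures[key] >= FAILED_THRESHOLD:
                alerts.append({"user": key[0], "src_ip": key[1], "failed_attempts": failures[key]})
            failures[key] = 0  # a success resets the streak
    return alerts

def run_pipeline(lines):
    events = [normalize(e) for e in map(ingest_filter, lines) if e is not None]
    return detect_bruteforce_success(events)
```

Because the rule is a plain function, the constructed events can be kept beside it in version control as regression tests for false positives.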
Combined, Databricks and Panther Labs will offer over 100 pre-built data integrations out of the box. These cover cloud infrastructure, identity providers, SaaS applications, network systems, and endpoints.
The AI startup funding wave in 2026 has been pouring into exactly this kind of agentic security infrastructure. Panther Labs was built at the center of that wave.
Why Databricks CEO Said Legacy SIEM Is “Dead”
Databricks CEO Ali Ghodsi did not hold back at the Summit. Speaking to Reuters during the company’s Data + AI Summit, Ghodsi said: “If they’re going to attack you with agents, you have to defend with agents. You have to fight fire with fire.”
He has a point. SIEMs are held back by high costs, limited data, and manual, labor-intensive workflows. As a result, most organizations analyze only a fraction of their security data, leaving them blind to many of the new agent-driven attacks in their environments.
The Databricks Panther Labs approach replaces that. Instead of manually triaging every alert, the platform automates investigation from the moment a threat surfaces. Ghodsi called the old model dead and said Databricks Panther Labs would replace it with an agentic, always-on defense layer.
The scale of damage possible when threat detection lags is well documented. Events like the GitHub breach that exposed 3,800 repositories through a compromised coding tool show exactly what happens when attackers move faster than defenders.
Lakewatch and Panther Labs: How They Work Together
In March 2026, Databricks launched Lakewatch, its own agentic SIEM product. Lakewatch collects and analyzes security logs from multiple sources within a governed data lakehouse environment.
The planned integration of Panther into Lakewatch includes embedding AI agents directly into core SOC workflows to automate triage and suggest contextual next steps when handling security alerts.
That is the core of what Databricks and Panther Labs deliver together. No more hand-managing data ingestion. No more writing detection rules by hand. No more investigating every alert manually. The AI agents do that work continuously, at scale.
Panther Labs also has its own query language called PantherFlow, which lets analysts move through large data sets faster. The Databricks Panther Labs combination gives security teams 100+ pre-built, deeply parsed integrations across critical cloud infrastructure, identity providers, endpoints, networks, and SaaS applications, delivering immediate, out-of-the-box ingestion without the complex mapping required by legacy SIEMs.
Anthropic is among Panther’s customers, with Tim Nguyen, Head of Defense at Anthropic, saying: “Building frontier AI requires security operations that are programmable and deeply integrated with the way modern engineering teams work. Panther has helped us bring a software engineering approach to detection and response.”
Anthropic, which recently released Claude Opus 4 with major coding advances, is exactly the kind of AI-native organization that needs this level of security infrastructure. The fact that they trusted Panther Labs before the Databricks deal was announced speaks for itself.
For Databricks Panther Labs, the Lakewatch connection means customers already using Databricks for data and analytics can now layer enterprise-grade SOC automation on top of the same platform. No separate vendor. No additional SIEM licensing. Just one security lakehouse.

Databricks’ Three Cybersecurity Acquisitions in 2026
The Databricks Panther Labs acquisition does not stand alone. It is the third cybersecurity deal the company has made in a short stretch.
In March 2025, Databricks acquired Antimatter, a security startup that specializes in data protection, authorization, and secure governance for AI agents. That deal was kept confidential until March 2026, when Databricks launched Lakewatch. The same month, Databricks also bought SiftD.ai, an early-stage security startup focused on agentic AI-human collaboration tools and deep expertise in large-scale detection engineering.
Now with Databricks Panther Labs, the stack is more complete. Antimatter handles data governance and protection. SiftD handles automated incident response. Panther Labs handles detection, investigation, and agentic SOC workflows. Lakewatch ties it all together as the unified platform underneath.
This kind of aggressive M&A strategy in cybersecurity mirrors what we saw earlier this year with large-scale AI infrastructure investments like the Google and Blackstone $5 billion partnership. Major tech players are not waiting for the market to come to them.
Databricks is reportedly considering a new funding round that could begin within the next month, potentially boosting its valuation to between $165 billion and $175 billion.
What Enterprise Security Teams Should Know
For security professionals, the Databricks Panther Labs deal has real practical implications.
First, it signals that the SIEM market is under serious pressure. The deal marks Databricks’ push to challenge industry incumbents like CrowdStrike and Cisco Systems’ Splunk as it moves to offer AI agents that detect and mitigate digital threats with minimal human intervention.
Second, the Databricks and Panther Labs combination addresses a real coverage problem. Most enterprise security teams today are not analyzing all of their data. The cost and manual effort required by older platforms mean threats can hide in the logs that never get reviewed.
Panther’s platform includes natural-language detection authoring and automated false-positive root-cause analysis, and it supports customer-provided detections implemented in Python. That makes it accessible to security engineers who work the way modern software teams do, with code, automation, and version control rather than static point-and-click dashboards.
The damage from gaps in security coverage can be severe. As seen in the Coinbase insider attack that resulted in roughly $400 million in losses, the cost of not having full visibility into your security data is enormous. The Databricks Panther Labs platform is designed to close exactly those kinds of blind spots.
Jack Naglieri, CEO of Panther Labs, put it clearly in his statement: “The SOC is at an inflection point. AI is changing how attacks are launched and defenders can now finally keep pace with them. Together with Databricks, we can arm defenders with sophisticated agents that scale detection, investigation, and response.”
Final Thoughts
The Databricks Panther Labs acquisition is one of the most significant cybersecurity moves of 2026 so far. Databricks is no longer a data analytics company that dabbles in security. With Lakewatch, Antimatter, SiftD, and now Panther Labs, it is building a full-stack security platform designed for the AI era.
The legacy SIEM model was not built to handle the speed of AI-driven attacks. Databricks Panther Labs is betting that the security lakehouse can replace it. Given the company’s reach across 70% of Fortune 500 data teams, that bet has real weight behind it.

