Why did Databricks acquire Panther instead of building its own SIEM?

Databricks acquired Panther to compress years of work into a single deal. Competing with established SIEM platforms requires connectors to ingest security data from hundreds of sources and detection rules to find threats in it, and building both from scratch takes years. Panther brings 100+ pre-built integrations and popularized detection-as-code, accelerating Databricks' timeline against vendors like Splunk, Microsoft Sentinel, and Google SecOps.

How much did Databricks pay to acquire Panther?

The terms were not disclosed. Panther's last valuation was $1.4B, so the open question is whether Databricks paid that, more, or less. That number matters because it signals how competitive the process was. A premium would suggest multiple bidders saw security data and detection-as-code as strategic ground worth fighting for.

Will the Databricks-Panther deal force Snowflake to respond?

It raises the pressure. Snowflake is Databricks' fiercest competitor and holds the same data platform advantages, and it has been watching this play out. The deal could push Snowflake to make a comparable move in security data rather than cede the ground. The data platform layer is becoming contested territory in the SIEM market.

What does the Databricks acquisition of Panther mean for Cribl?

It puts Cribl in an awkward position. Cribl was listed as a Lakewatch ecosystem partner at launch, yet Cribl Lake is its own cloud-native data lake for security data. Databricks and Cribl now compete for the same data layer while technically remaining partners. That tension is one of the clearer signs the SIEM category is realigning.

What is the difference between a data platform and a SIEM?

A data platform stores and processes data at scale, but a SIEM needs more to find threats. It requires connectors to ingest security data from hundreds of sources and detection rules to identify threats inside it. Databricks already has a world-class Data Intelligence Platform, yet it acquired Panther because connectors and detections are what turn infrastructure into a working SIEM.

Databricks Just Bought Its Way Into the SIEM War

Q: How will incumbent SIEM vendors respond to Databricks entering the market?

Every major SIEM vendor just watched a $134B data and AI company enter their market through an acquisition that signals Databricks is serious. Cisco Splunk, CrowdStrike Falcon Next-Gen SIEM, Microsoft Sentinel, Google SecOps, Palo Alto Cortex XSIAM, Elastic SIEM, Datadog Cloud SIEM, SentinelOne Singularity AI SIEM, and Sumo Logic Cloud SIEM each now face a platform-scale entrant and will need a response.

Databricks just fired another shot at the SIEM market — this time with an acquisition.

In March, Databricks launched Lakewatch at RSA — their own agentic SIEM built on their data platform. The Data Intelligence Platform is world-class.

But to compete with Cisco Splunk, CrowdStrike Falcon Next-Gen SIEM, Microsoft Sentinel, Google SecOps, Palo Alto Networks Cortex XSIAM, Elastic SIEM, Datadog Cloud SIEM, SentinelOne Singularity AI SIEM, and Sumo Logic Cloud SIEM, you need more than infrastructure — you need connectors to ingest security data from hundreds of sources and detection rules to find threats in it. Building that from scratch takes years.

Acquiring Panther, which already has 100+ pre-built integrations and popularized detection-as-code, significantly accelerates that timeline. Panther recently expanded into Agentic SOC capabilities as well, giving Databricks an advantage over SIEM vendors who have not innovated as much in this area.

This acquisition raises a few questions:

What was the acquisition price? Panther's last valuation was $1.4B. Did they pay that, more, or less? The terms weren't disclosed, and that number will tell you a lot about how competitive the process was.
How will the incumbent SIEM vendors respond? Every SIEM vendor mentioned above just watched a $134B data and AI company enter their market with an acquisition that signals they're serious.
How will Databricks’ fiercest competitor Snowflake respond? They have the same data platform advantages Databricks does. They've been watching this play out. Does this force their hand?
And what about Cribl, the data pipeline company with greater data management ambition? They were listed as a Lakewatch ecosystem partner at launch, but they also have Cribl Lake — their own cloud-native data lake for security data. Databricks and Cribl are now competing for the same data layer, while technically still partners. That's an uncomfortable position to be in.

One thing is clear: this accelerates the SIEM disruption that's been building for years. The category is not going to look the same in 24 months.