Panther x Databricks Private Preview: AI SOC Platform on Your Security Lakehouse
The modern SIEM reimagined as an AI-powered SOC, built for your Databricks Security Lakehouse.
William Lowe
Sep 29, 2025
Request early access to the Private Preview
Many modern SOCs spend as much time on data engineering as on stopping threats.
From maintaining custom log parsers and pipelines to managing SIEM licensing costs and noisy alerts, operational overhead diverts resources that should go toward threat detection and response.
Panther and Databricks are teaming up to solve this: our Private Preview integration automatically unifies business and security data on your Databricks Security Lakehouse. It delivers end-to-end AI-powered SIEM and security operations on an enterprise-ready, open data lake.
The result? Comprehensive threat coverage, lower infrastructure and licensing costs, and automated triage that accelerates incident response by over 80%.
Technical Benefits
Automatic data unification: No custom pipeline development or maintenance
Open data formats: Delta Lake and Iceberg compatibility with any analytics tool
Serverless scaling: Automatic compute scaling based on data volume and threat activity
Production-Ready AI SOC Analyst: End-to-end automation, grounded in your organizational context
Extensible architecture: Custom ML pipelines and integrations through standard protocols
Data Unification: The Engineering Tax You Shouldn't Pay
Modern security operations require data from dozens of sources, including cloud logs, endpoint telemetry, network traffic, and SaaS applications. Each source comes with its own format, schema changes, and quirks.
Many teams end up writing custom parsers and transformations for every source—CloudTrail, Office 365, firewall logs, and more. When AWS adds a new CloudTrail field or a vendor changes their log format, those pipelines break, creating visibility gaps.
Data engineers spend 40% of their time evaluating or checking data quality, according to Monte Carlo's 2022 survey of over 300 data professionals¹. More than half of respondents ranked building or fixing pipelines as taking the most time throughout the day¹. It’s not just data engineers. Security teams face the same tax—spending time building and fixing pipelines instead of detecting threats.
The result: new data sources take weeks to integrate, pipeline failures create blind spots, and security teams become accidental data engineers.
Panther customers, such as Snyk, avoid this tax with flexible, pre-built pipelines—onboarding new log sources in hours instead of the weeks or months it can take with a legacy SIEM.
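To make the "pipelines break when a field is added" failure mode concrete, here is an added illustration (not Panther's or Databricks' code) that feeds the same three constructed events to a hand-written parser with a closed field list and to a schema-tolerant normalizer. The CloudTrail- and Okta-shaped records, the hypothetical new `tlsDetails` field, and the common schema (`ts`, `action`, `src_ip`, `actor`) are all assumptions made for the example.

```python
"""Constructed example: a brittle fixed-schema parser versus a schema-tolerant
normalizer, fed the same three sample events. Not Panther's code."""
import json
from dataclasses import dataclass, field
from typing import Any, Callable, Optional

# Constructed sample records (not real telemetry), loosely shaped like
# CloudTrail and Okta System Log events.
CLOUDTRAIL_V1 = json.dumps({
    "eventTime": "2025-09-29T10:00:00Z",
    "eventName": "ConsoleLogin",
    "sourceIPAddress": "203.0.113.10",
    "userIdentity": {"userName": "alice"},
})
# The same event after the provider adds a field the pipeline never anticipated
# ("tlsDetails" stands in for a hypothetical new top-level field).
CLOUDTRAIL_V2 = json.dumps({
    "eventTime": "2025-09-29T10:05:00Z",
    "eventName": "ConsoleLogin",
    "sourceIPAddress": "203.0.113.10",
    "userIdentity": {"userName": "alice"},
    "tlsDetails": {"tlsVersion": "TLSv1.3"},
})
OKTA_EVENT = json.dumps({
    "published": "2025-09-29T10:06:00Z",
    "eventType": "user.session.start",
    "client": {"ipAddress": "198.51.100.7"},
    "actor": {"alternateId": "bob@example.com"},
})
SAMPLES = [CLOUDTRAIL_V1, CLOUDTRAIL_V2, OKTA_EVENT]


def brittle_parse(raw: str) -> dict:
    """Per-source parser with a closed field list: any key it was not written
    for is treated as a schema error and the whole event is dropped."""
    record = json.loads(raw)
    expected = {"eventTime", "eventName", "sourceIPAddress", "userIdentity"}
    unknown = set(record) - expected
    if unknown or not expected <= set(record):
        raise ValueError(f"schema mismatch: unknown={sorted(unknown)}")
    return {
        "ts": record["eventTime"],
        "action": record["eventName"],
        "src_ip": record["sourceIPAddress"],
        "actor": record["userIdentity"]["userName"],
    }


@dataclass
class Event:
    """Common schema every source is mapped onto; fields the mapping does not
    know about are kept in `extra` instead of breaking ingestion."""
    source: str
    ts: Optional[str]
    action: Optional[str]
    src_ip: Optional[str]
    actor: Optional[str]
    extra: dict = field(default_factory=dict)


# Per-source mapping: common field -> key path in the raw record.
SCHEMAS: dict = {
    "cloudtrail": {"ts": ("eventTime",), "action": ("eventName",),
                   "src_ip": ("sourceIPAddress",), "actor": ("userIdentity", "userName")},
    "okta": {"ts": ("published",), "action": ("eventType",),
             "src_ip": ("client", "ipAddress"), "actor": ("actor", "alternateId")},
}


def _get(record: Any, path: tuple) -> Any:
    """Walk a key path, returning None instead of raising on a missing key."""
    for key in path:
        if not isinstance(record, dict) or key not in record:
            return None
        record = record[key]
    return record


def detect_source(record: dict) -> Optional[str]:
    """Classify by a few marker keys rather than by the full field list."""
    if {"eventTime", "eventName"} <= set(record):
        return "cloudtrail"
    if {"published", "eventType"} <= set(record):
        return "okta"
    return None


def tolerant_parse(raw: str) -> Optional[Event]:
    record = json.loads(raw)
    source = detect_source(record)
    if source is None:
        return None  # caller routes this to a dead-letter table, not a crash
    schema = SCHEMAS[source]
    mapped = {name: _get(record, path) for name, path in schema.items()}
    consumed = {path[0] for path in schema.values()}
    extra = {k: v for k, v in record.items() if k not in consumed}
    return Event(source=source, extra=extra, **mapped)


def run_pipeline(parser: Callable[[str], Any], raws: list) -> tuple:
    """Return (parsed events, drop reasons) so the visibility gap is measurable."""
    parsed, dropped = [], []
    for raw in raws:
        try:
            event = parser(raw)
        except ValueError as exc:
            dropped.append(str(exc))
            continue
        if event is None:
            dropped.append("unrecognised source")
            continue
        parsed.append(event)
    return parsed, dropped
```

Running `run_pipeline` with `brittle_parse` keeps one of the three events and silently loses the other two, which is exactly the blind spot the text describes; `tolerant_parse` keeps all three and surfaces the unexpected `tlsDetails` field in `extra`, where a schema-drift monitor can pick it up without ingestion ever stopping.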
SIEM Economics: Centralization vs. Budget Reality
Legacy SIEMs are priced by data volume, creating a cost barrier to complete visibility. Centralizing all security data often costs more than the security team's entire budget.
Teams respond predictably: they selectively ingest high-priority data and accept fragmented visibility across the rest. Security analysts investigate incidents by manually correlating data across multiple tools and systems. Attack patterns that span multiple data sources often get missed because the correlation never occurs.
Even teams that centralize face a second challenge: vendor lock-in through proprietary formats, making it expensive and complicated to move or replatform their data.
Panther breaks this tradeoff with modern, cost-efficient infrastructure: customers like Cockroach Labs have cut SecOps costs by $200k while increasing ingestion 5x.
Manual Alert Triage Doesn't Scale
SOC teams receive an average of 4,484 alerts daily and spend nearly three hours a day manually triaging them². Security analysts are unable to address 67% of the daily alerts received, with 83% reporting that these alerts are false positives².
The average security analyst will spend 75 percent of their time (approximately six hours per shift) triaging alerts, with an average of ten minutes spent on each security incident they review³. Half that time (five minutes) is spent manually correlating disparate data sources to obtain complete context³.
Point AI tools can automate narrow tasks, such as scoring or enrichment, but they don’t integrate seamlessly. Teams end up stitching together multiple solutions instead of gaining true end-to-end automation.
The fundamental problem: security operations built around human analysts can't match the scale and velocity of modern attack patterns.
Panther AI changes this by handling initial triage with complete context from the SIEM and customer environment, delivering highly contextual AI-driven automation with a unique emphasis on transparency and trust.
Technical Architecture: Serverless SIEM on Databricks
Panther's serverless security platform automatically ingests, parses, and enriches logs. Security data flows into tables in Databricks Unity Catalog without custom pipeline development.
The serverless architecture scales compute based on the actual data volume—processing billions of events per minute and scaling down during quiet periods. No capacity planning or infrastructure management required.
Your security data remains in standard formats that integrate seamlessly with any analytics tool or ML framework. Teams retain complete portability with no lock-in or costly, complex extraction processes.

AI Agents for Autonomous Security Operations
Panther’s AI agents automate complete security workflows end to end — not just isolated tasks. They triage alerts across all data sources, investigate incidents with full organizational context, and integrate with existing tools through the Model Context Protocol (MCP).
These agents leverage Databricks’ unified data platform to correlate signals across petabytes of telemetry. Unlike point solutions, they maintain deep context with the rest of your detection and response configurations. The result is powerful, fully autonomous analytics that cut investigation times from days or weeks to minutes.
And customers are already seeing the impact:
"Panther AI cuts triage time by at least 50%, especially in more complex investigations."
Robert Kugler, Head of Security, IT & Compliance at Cresta
Deployment and Integration
Security teams can accelerate onboarding with Panther’s extensive library of out-of-the-box integrations for sources like CloudTrail, Google Workspace, and CrowdStrike. Hundreds of pre-built detections—rooted in real attack patterns, not noisy generic rules—can be enabled instantly.
The platform also ships with built-in enrichment from high-value sources such as IPInfo and Tor exit nodes, giving context that sharpens detection and investigations.
Detection and analytics can be extended further with custom logic or ML pipelines running directly in Databricks. And because Panther uses transparent, open data formats, teams retain full interoperability—able to bring any AI model or analytics framework without lock-in or limitations.
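As an added illustration of the enrichment-plus-detection pattern described above (this is example code, not Panther's own enrichment or detection logic), the block below joins already-normalized events against a constructed Tor exit-node set and an IPInfo-style IP-to-network table, then runs one detection over the enriched rows. The feeds, the events, the common schema (`source`, `ts`, `action`, `src_ip`, `actor`) and the login action names are all assumptions for the example.

```python
"""Constructed example: enrich normalized events with a Tor exit-node set and
an IP-to-network table, then run one detection over the enriched events.
The feeds and events are small constructed stand-ins, not real data."""
import ipaddress
from typing import Optional

# Constructed stand-in for a Tor exit-node feed (real feeds hold thousands).
TOR_EXIT_NODES = {"198.51.100.7", "203.0.113.200"}

# Constructed stand-in for an IPInfo-style IP-to-network table.
IP_NETWORKS = [
    (ipaddress.ip_network("203.0.113.0/24"),
     {"org": "ExampleCo corporate egress", "country": "US"}),
    (ipaddress.ip_network("198.51.100.0/24"),
     {"org": "Example hosting provider", "country": "NL"}),
]

# Events already mapped onto a common schema (source, ts, action, src_ip, actor).
NORMALIZED_EVENTS = [
    {"source": "cloudtrail", "ts": "2025-09-29T10:00:00Z", "action": "ConsoleLogin",
     "src_ip": "203.0.113.10", "actor": "alice"},
    {"source": "okta", "ts": "2025-09-29T10:06:00Z", "action": "user.session.start",
     "src_ip": "198.51.100.7", "actor": "bob@example.com"},
    # Service-side API call with no client address: enrichment must not fail on it.
    {"source": "cloudtrail", "ts": "2025-09-29T10:07:00Z", "action": "ListBuckets",
     "src_ip": None, "actor": "svc-backup"},
    # Malformed address from a buggy upstream: left unenriched rather than crashing.
    {"source": "okta", "ts": "2025-09-29T10:08:00Z", "action": "user.session.start",
     "src_ip": "not-an-ip", "actor": "carol@example.com"},
]


def lookup_network(ip: str) -> Optional[dict]:
    """Longest-match is unnecessary here because the sample networks are disjoint."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    for net, meta in IP_NETWORKS:
        if addr in net:
            return meta
    return None


def enrich(event: dict) -> dict:
    """Return a copy with enrichment columns added; original fields are untouched."""
    out = dict(event)
    ip = event.get("src_ip")
    out["is_tor_exit"] = bool(ip) and ip in TOR_EXIT_NODES
    meta = lookup_network(ip) if ip else None
    out["ip_org"] = meta["org"] if meta else None
    out["ip_country"] = meta["country"] if meta else None
    return out


# Assumed set of interactive-login action names across the two sources.
LOGIN_ACTIONS = {"ConsoleLogin", "user.session.start"}


def rule_login_from_tor(event: dict) -> bool:
    """Detection: an interactive login whose source address is a Tor exit node."""
    return event["action"] in LOGIN_ACTIONS and event["is_tor_exit"]


def run_detections(events: list) -> list:
    """Enrich each event, evaluate the rule, and return alert records with context."""
    alerts = []
    for raw in events:
        ev = enrich(raw)
        if rule_login_from_tor(ev):
            alerts.append({
                "title": "Login from Tor exit node",
                "source": ev["source"], "actor": ev["actor"], "ts": ev["ts"],
                "src_ip": ev["src_ip"], "ip_org": ev["ip_org"],
            })
    return alerts
```

Only the Okta session start from `198.51.100.7` fires; the alert already carries the network owner, so an analyst does not have to perform that lookup by hand. The two edge-case rows (no source address, malformed address) flow through enrichment with null columns instead of aborting the batch.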
Implementation
Early customers in our Private Preview are already seeing measurable impact: comprehensive visibility without engineering overhead, cost-effective centralization at scale, and AI-powered operations that filter out the noise so practitioners can focus on securing the business.
The joint integration leverages the strengths of each platform: Databricks provides a unified data architecture and advanced analytics, while Panther offers a catalogue of security integrations, high-scale ingestion pipelines, out-of-the-box detections, and agentic AI capabilities that automate detection and response at enterprise scale.
Ready to evaluate the platform?
Be among the first to experience the Panther x Databricks AI SOC Platform.
Request early access to the Private Preview
References
Monte Carlo. (2022). Data Engineers Spend Two Days Per Week Firefighting Bad Data, Data Quality Survey. Based on survey of 300+ data professionals. Source: Monte Carlo Data Quality Survey
Vectra AI. (2023). 2023 State of Threat Detection Research Report. Survey findings on SOC alert volumes and analyst capabilities. Source: Security Magazine
Axonius. (2023). Reducing the Alert Triage Time in the Security Operations Center (SOC). Analysis of SOC analyst time allocation and alert processing workflows. Source: Axonius Blog