Analysis

Databricks pushing an LLM-first approach to security changes the economic axis from data storage to compute/workload pricing, which should accelerate ingestion of high-cardinality telemetry into inexpensive lakes and concentrate margin flow into model execution layers. That is a structural threat to legacy SIEM economics (subscription + indexed storage) because customers can now choose to keep raw logs in cheap object stores and only pay for intermittent, high-value model runs; this compresses annuity revenue and lengthens sales cycles for incumbent vendors. Second-order winners are firms that supply scalable GPU/CPU cycles, model orchestration, and observability primitives rather than pure-play detection products; conversely, vendors whose multiples rest on predictable per-GB indexing are most exposed. Adoption cadence will be uneven — expect pilot deployments and enterprise proofs-of-concept to drive visible churn in SIEM vendor renewal rates within 6-18 months, but measurable topline erosion is likelier on a 12-36 month horizon as SOCs validate false-positive/false-negative tradeoffs. Key risks that could blunt this disruption: regulatory controls on sensitive-data model inference, well-capitalized incumbents bundling LLM features at low incremental cost, or operational failures where hallucinations create costly security gaps — any of which would re-anchor buyers to incumbents' proven UIs and compliance pedigrees. Monitor early customer win rates, retention on integrated lakes (not just demos), and Databricks’ ability to monetize higher-frequency model inference without reintroducing storage-linked economics.