Security Data Works

Public production architecture teardown

Ziggiz — Cyber Lakehouse-as-a-Service on Databricks

First public production reference to ship the Databricks-native Cyber Lakehouse pattern as a service — Delta Lake for storage, Unity Catalog for governance, Spark for batch normalization, separated storage and compute. Tenant onboarding compressed from a 9-month enterprise build to a 5-day managed deployment. DARPA-funded for entity enrichment; selected by Palantir's startup fellowship for asset management.

9 mo → 5 days

Tenant onboarding for new Cyber Lakehouse customers — documented in Ziggiz's A.Team case. The cost-savings claim is 30-50% versus three leading SIEMs (per Ziggiz's own press materials), not the higher 90% figure that circulates in derivative coverage. Treat the onboarding number as the claim the case rests on.

The pipeline

  1. Sources. Security telemetry feeds: EDR · cloud · identity · network — tenant-specific connectors.
  2. Normalize. Apache Spark on Databricks: schema-on-write; entity enrichment (the DARPA-funded line).
  3. Store. Delta Lake: time travel; ACID writes; columnar Parquet under the hood.
  4. Govern. Unity Catalog: tenant isolation; lineage; access policy at the table layer.
  5. Serve. SOC + analyst surfaces: Cyber Lakehouse query plane; Alpha Level integration for alert refinement.
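The security-relevant decisions in steps 2 through 4 are that the common schema is enforced when a record is written (not when it is queried), that the tenant label is stamped by the tenant-specific connector rather than trusted from the payload, and that reads are scoped per tenant at the table layer. The following is an added illustration, not Ziggiz's or Databricks' code: plain Python stands in for the Spark normalize job, the Delta table and a Unity Catalog row filter so it runs offline. The field set, source mappings, sample records and function names are all assumptions constructed for the example; entity enrichment is omitted. Malformed records are quarantined with the reason rather than silently dropped, which is the failure mode a schema-on-write pipeline has to handle.

```python
"""Schema-on-write normalization with tenant tagging and a tenant-scoped read.

Added illustration (not Ziggiz's or Databricks' code). Plain Python stands in
for the Spark normalize step, the Delta table and a Unity Catalog row filter.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Common event schema enforced at write time (assumed field set for this example).
SCHEMA = {
    "tenant_id": str,
    "event_time": datetime,
    "source": str,      # edr | cloud | identity | network
    "principal": str,   # user or service identity the event is about
    "host": str,
    "action": str,
}


@dataclass(frozen=True)
class Event:
    tenant_id: str
    event_time: datetime
    source: str
    principal: str
    host: str
    action: str


class SchemaViolation(ValueError):
    """Raised when a raw record cannot be projected onto the common schema."""


# Per-source field mappings: raw field name -> common schema field.
# Constructed for this example; real connectors carry their own mappings.
MAPPINGS = {
    "edr": {"ts": "event_time", "user": "principal", "hostname": "host", "verb": "action"},
    "identity": {"time": "event_time", "subject": "principal", "device": "host", "op": "action"},
}


def normalize(raw: dict, source: str, tenant_id: str) -> Event:
    """Project one raw record onto the common schema; raise on any violation."""
    mapping = MAPPINGS.get(source)
    if mapping is None:
        raise SchemaViolation(f"unknown source {source!r}")
    # tenant_id comes from the connector (the ingest path), never from the payload,
    # so a record cannot relabel itself into another tenant's partition.
    row = {"tenant_id": tenant_id, "source": source}
    for raw_key, field in mapping.items():
        if raw_key not in raw:
            raise SchemaViolation(f"missing field {raw_key!r} for source {source!r}")
        row[field] = raw[raw_key]
    # Coerce timestamps to timezone-aware UTC so time travel and joins line up.
    ts = row["event_time"]
    if isinstance(ts, (int, float)):
        row["event_time"] = datetime.fromtimestamp(ts, tz=timezone.utc)
    elif isinstance(ts, str):
        row["event_time"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    for field, typ in SCHEMA.items():
        if not isinstance(row.get(field), typ):
            raise SchemaViolation(f"field {field!r} is not {typ.__name__}")
    return Event(**row)


def write_batch(raw_records, tenant_id):
    """Normalize a batch: conforming rows go to the table, the rest to quarantine."""
    table, quarantine = [], []
    for source, raw in raw_records:
        try:
            table.append(normalize(raw, source, tenant_id))
        except SchemaViolation as exc:
            quarantine.append({"tenant_id": tenant_id, "source": source,
                               "raw": raw, "error": str(exc)})
    return table, quarantine


def read_as(table, caller_tenant):
    """Tenant-scoped read: stands in for a row filter applied at the table layer."""
    return [e for e in table if e.tenant_id == caller_tenant]


# Constructed sample input (not real telemetry), one connector per tenant.
SAMPLE_TENANT_A = [
    ("edr", {"ts": 1700000000, "user": "alice", "hostname": "ws-01", "verb": "process_start"}),
    ("edr", {"ts": 1700000060, "user": "bob", "verb": "file_write"}),          # no hostname -> quarantine
    ("identity", {"time": "2023-11-14T22:13:20Z", "subject": "alice", "device": "ws-01", "op": "login"}),
    ("network", {"src": "10.0.0.5"}),                                          # no mapping -> quarantine
]
SAMPLE_TENANT_B = [
    ("identity", {"time": "2023-11-14T22:14:00Z", "subject": "carol", "device": "ws-07", "op": "mfa_challenge"}),
]


def build_table():
    """Run both tenants' batches into one shared table plus a shared quarantine."""
    table_a, q_a = write_batch(SAMPLE_TENANT_A, "tenant-a")
    table_b, q_b = write_batch(SAMPLE_TENANT_B, "tenant-b")
    return table_a + table_b, q_a + q_b


if __name__ == "__main__":
    table, quarantine = build_table()
    print(f"{len(table)} rows written, {len(quarantine)} quarantined")
    for q in quarantine:
        print("quarantined:", q["source"], q["error"])
    for e in read_as(table, "tenant-a"):
        print("tenant-a sees:", e.source, e.principal, e.host, e.action)
```

The quarantine keeps the original payload and the reason, so a connector regression (a renamed field, a new source with no mapping) surfaces as a count to alert on instead of as missing detections. In the real stack the equivalent of `read_as` is a policy attached to the table, which is what lets the query plane be shared across tenants without each analyst surface re-implementing the filter.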

What composes, what’s brittle

  • 9 mo → 5 days. Onboarding shrunk by ~50× in the published A.Team case.
  • 30-50% cost. Ziggiz's own claim versus three leading SIEMs — narrower than the 90% figure that circulates downstream.
  • Why Databricks. Delta + Unity + separated compute lets a small vendor offer multi-tenant lakehouse security as a service without rebuilding the platform.
  • DARPA validation. Independent technical review funding for entity enrichment — rare third-party signal in the cyber-lakehouse vendor field.
  • Composes with. Alpha Level Alert Refinery for SOC alert fatigue; Palantir startup fellowship for physical-asset management overlay.
  • What's brittle. Single-vendor lakehouse coupling (Databricks lock-in); the cost claim narrows under scrutiny — Ziggiz publishes 30-50%, not 90%; small-vendor maturity vs. Splunk/Sentinel install base.

Sources: Ziggiz press release, "DARPA validates what security teams always suspected" · Ziggiz + Alpha Level partnership announcement · Databricks "Data Intelligence for Cybersecurity" launch (March 2026, names Ziggiz as a partner).

See how the pattern lands on your workload.

The matrix scoring that justified each reference architecture's tool choices is the paid deliverable. The benchmark behind it is public — reproduce it on your own workload, then book a call to scope the work.