The DAIS 2026 Speaker Spotlight is a series where we hand the mic to the speakers heading to Data + AI Summit and let them answer five short questions, in their own voice, no press-release polish.
Below, Kristin Dahl on why security is the next big workload to move onto the lakehouse, what broke in SOC economics last year, and the opinionated reference architecture she's bringing to the stage. Lightly edited for length, otherwise the words are hers.
“
Security is the next big workload to move onto the lakehouse, the way analytics and ML already did. The advantage goes to whoever can trust and use all their data, not just a filtered slice.
— Kristin Dahl
The topic
What is your talk about, and who is it for?
How to design an open security lakehouse you can trust, for data practitioners who are new to SecOps, and security engineers who are new to Databricks.
Why this, why now
What's changed in the last 6–12 months that makes this topic urgent right now?
Two things broke in the last year. Attackers are now running agentic swarms. The Zero Day Clock puts mean time-to-exploit at just over a day, and last November Anthropic disclosed a China-linked actor that used Claude Code to run 80–90% of an espionage campaign against ~30 organizations. Defenders, meanwhile, face thousands of alerts a day, most never investigated. The old SIEM economics, pay per gigabyte to throw most of your data away, no longer scale.
The personal stake
Why are you the person giving this talk?
I've believed for a long time that cybersecurity is fundamentally a data problem, and that's what brought me to Databricks. Fifteen years in defense and intelligence showed me the same thing: teams who had the data but couldn't get to it when it mattered. Now I lead the cyber practice here, working with Fortune 500 SOCs. This talk isn't theoretical for me. It's the problem I came here to work on.
What you'll leave with
What will someone be able to do on Monday morning that they couldn't do before?
You'll walk out with an opinionated reference architecture you can hold up against whatever you're building today. Concretely: how to pick the right ingestion path for each source (Lakeflow Connect, Auto Loader, or Structured Streaming), why bronze stays append-only and raw so you can always reprocess when normalization changes, and a read on the economics of augmenting versus replacing your SIEM.
The bigger picture
How does this fit into where Databricks, and data and AI more broadly, is heading?
Security is the next big workload to move onto the lakehouse, the way analytics and ML already did. That's where Databricks is betting: one open, governed foundation that agents can reason over. As agents take on more of the work on both attack and defense, the advantage goes to whoever can trust and use all their data, not just a filtered slice.
Part of the DAIS 2026 Speaker Spotlight series, more voices dropping in the weeks ahead. Got a DAIS speaker you'd love to hear from next? Mention them in the comments, we're always listening.
