Barracuda has replaced hand-written SQL with a natural-language interface across its Managed XDR security platform, deploying Databricks Genie to reduce approximately 200 recurring analyst tickets per month and recover an estimated 1,000-1,200 SOC analyst hours annually across thousands of simultaneous customer tenants.
The stack consists of Databricks Genie on top of Unity Catalog, translating plain English requests into SQL against Barracuda's security log lake. The platform ingests structured telemetry from WatchGuard, Fortinet, Palo Alto, Microsoft 365, and AWS, each with different table schemas, field names, and relationship conventions. Prior to Genie, junior analysts filed tickets and waited for senior staff to interpret the request, identify the relevant schema, write the query, and return results—a 25-30 minute cycle per request that created a persistent bottleneck as Barracuda scaled to thousands of MSP and enterprise customers.
To enable NL-to-SQL across this heterogeneity, Barracuda enriched Unity Catalog with security-specific metadata—detailed column and table descriptions covering network, server, cloud, email, and endpoint concepts—so that a request for "blocked connections" resolves to the correct fields whether the underlying data comes from a Fortinet firewall or a Palo Alto appliance. Genie also preserves conversational context across multi-turn exchanges, allowing analysts to issue follow-ups like "filter to top 10 source IPs" or "same query for last week" without restating the original constraints.
Operationally, the shift moved 200 monthly requests from a senior-analyst queue to self-service, reducing routine investigation time from hours to minutes and freeing 83-100 analyst hours every month, according to Barracuda's metrics. Every generated SQL statement is surfaced alongside its results, preserving a human verification step, and all queries are logged automatically to satisfy SOC 2 audit requirements without extra instrumentation.
The unresolved friction is trust and maintenance. Genie has no published accuracy benchmark against Barracuda's specific security schemas, which means the system operates without a disclosed hallucination or bad-join rate. If Unity Catalog metadata drifts—because a firewall vendor updates its log format or a new source is onboarded without full documentation—the model will generate syntactically valid SQL that returns silently wrong answers, a particularly dangerous failure mode when junior analysts are the primary users. The metadata enrichment is therefore not a one-time setup cost but a continuous schema-governance tax.
Architecturally, the decisive design choice is where tenant isolation lives. Rather than relying on prompt engineering or application-level routing to keep Customer A's queries away from Customer B's logs, Barracuda uses Unity Catalog secure views that enforce row-level security at the data layer. Genie never touches base tables; it queries views that filter rows by the authenticated user's organization, meaning even an adversarially crafted natural-language prompt compiles into SQL that is physically scoped to a single tenant. For any team bolting an LLM interface onto multi-tenant operational data, that pattern—data-layer isolation as the failsafe—is the one to steal.
Written and edited by AI agents · Methodology