Security orchestration, automation, and response (SOAR) has undergone a major transformation in the past few years. Capabilities behind each word in its name that were once exclusive to SOAR have bled into other tools. For example, response can now be found in endpoint detection and response (EDR) tools. Orchestration is now a joint effort with security information and event management (SIEM) tools. Many of these features are now found in managed security products that go by other names, such as threat and incident response or cloud security posture management (CSPM). And many of the SOAR tools are no longer focused solely on security but have expanded to cover the wider context of how an enterprise infrastructure operates.
In this buyer’s guide
- SOAR defined
- Why you might need SOAR
- Trends in the SOAR market
- Key SOAR features to look for
- The major SOAR providers and their offerings
- What about the price of SOAR?
- Questions to ask your team and your SOAR vendor
- Essential reading

SOAR defined

The SOAR category originated back in 2015, the term coined by Gartner, when virtualization and containers were first coming into enterprise networks and applications, greatly expanding the threat and attack surface areas. SOAR helps to orchestrate and integrate a wide tool collection, using automation to perform repetitive and simple tasks and to produce predefined playbooks that IT staff can use to reduce their risk profiles and respond to attacks by bad actors. The category has seen major changes, with numerous acquisitions as major vendors such as Check Point, Cisco, Google, IBM, Microsoft, and Palo Alto Networks have bulked up their platforms with SOAR-like features.

Some analysts have soured on SOAR as it has undergone this transformation and as its features can now be found in other products. Ironically, Gartner has said that SOAR tools have not kept pace with changing requirements, putting them at the very bottom of its “hype cycle”, meaning that the innovation portion of SOAR is mostly a thing of the past. But even Gartner admits that SOAR functionality has staying power and can be found in numerous other security tools.

Forrester Research partitions SOAR products into several categories: platforms, products that focus on threat intelligence, and those that are more centered around automation tasks. GigaOm divides the space into its own three categories: SOAR-only pure plays, full security platforms that integrate with other tool collections, and crossover products that originate from the IT service management and automation segments. However you slice it, the SOAR market segment has more than 30 vendors.
Why you might need SOAR
The core reason for SOAR originally was that it would be a major kingpin in an organization’s defensive posture. These were the first tools to not just discover a potential threat but automate a way to remove it and improve overall security. The goal was, and still is, to reduce the time between a threat being found and being resolved.

As security alerts have proliferated, the need to quickly classify and resolve them has grown. “Day-to-day tactical activities take up too much time,” said Forrester’s Allie Mellen in the SOAR report. “SOAR technology provides security teams a way to automate some of these repetitive tasks and coordinate across tools from a single technology.”

However, in recent years, as malware has gotten sneakier and attackers more adept, SOAR has become just one weapon among many against these threats. Security has become more nuanced and more integrated with case management and collaboration tools in order to be effective. Some SOAR vendors have added machine learning techniques so that past events can help improve detection and eliminate the annoyance of false positives. Machine learning is of course not unique to SOAR, and it further blurs the lines between SOAR and other security tools that tout more autonomous operations and threat responses.

These are all great reasons, but one factor weighing against SOAR is that these are expensive products, with prices around $300,000 per year or more. While there could be savings in not hiring additional SOC analysts or in finding malware quickly with the right SOAR, it could also mean hiring other analysts who are experienced in creating the automated workflows needed to operate these products.
Trends in the SOAR market
Large security vendors have widened their integrations with other vendors’ SOAR products, with some offering hundreds of third-party integrations. This means they can ingest signals from a variety of security sources such as SIEM tools, log analyzers, and endpoint detectors. This means “that SOAR tools can start running independently of SIEM tools to strengthen an organization’s security posture and automate nonsecurity processes as well,” said GigaOm’s Andrew Green in his October 2024 report linked above.

One example of this trend is the recently announced Security Incident Response service from AWS. This brings together signals from across the entire AWS portfolio, tying its GuardDuty and Security Hub monitoring services to a human incident response team.

Many vendors have tied their SOAR and SIEM tools together, such as Palo Alto Networks’ Cortex, Microsoft’s Sentinel, and NetWitness’ Orchestrator. Swimlane and D3Security offer only a SOAR product, and both have wide third-party integrations.

Another trend is the growing threat from API-based attacks and their increasing sophistication. Kong found in its latest survey that half of respondents had experienced these threats in the past year. This means that better detection and response automation is needed, with a broader scope to figure out what is going on across an enterprise network.

One way to do this is to leverage AI and machine learning. For example, according to AIM Research, “vendors are broadening their offerings with genAI-powered AI agents, copilots, context-aware AI assistants, automation and analytics security platforms, and attack training simulators. We are now noticing a rise in the integration of generative AI-specific capabilities into cybersecurity tools.” Swimlane Turbine SOAR and BlinkOps both have their own AI copilots and AI-infused low-code playbook generators. Fortinet has its FortiAI, and Google has its Gemini AI SecLM module, which can provide more contextual guidance and execute commands.

Anomali has taken another approach. It doesn’t sell a separate standalone SOAR product but adds SOAR functionality, along with its AI-based copilot, to its SIEM Security Analytics and ThreatStream intelligence tools. OpenText does something similar with its Enterprise Security Manager, essentially tossing in SOAR and AI functionality as part of the overall package.

But AI by itself doesn’t remove the need for staff to coordinate what is being automated and when. Forrester’s Mellen recommended in 2022 that security teams should “coordinate with other automation talent in other parts of the business,” such as the staff of a “center of excellence,” to help build better SOC automation processes. “Often, companies have a lone analyst who maintains their SOAR tool,” and this collaboration could have big payoffs.

Finally, the best SOAR products come in a variety of packages: for on-premises installation as either a dedicated hardware appliance or standalone software, and in one of three virtual configurations, as a virtual machine image, a public cloud service, or a full SaaS/managed service. This gives these tools flexibility in where they are placed across an enterprise infrastructure and what they are protecting. No SOAR vendor offers all of these options. Fortinet, Rapid7, and ServiceNow offer hardware options (but not all of the others), while Palo Alto Networks, Swimlane, and Tines offer every option except the hardware package.
Key features to look for
SOAR products span a wide range of features and protective measures. Here are a few of the key features that can differentiate them:
- How wide is the third-party integration envelope? Each SOAR vendor claims to have hundreds of integrations with others’ products, which is part of the product category’s secret sauce. But that means the SOAR experience can vary widely from installation to installation. Just citing the raw number of integrations is meaningless: for example, a vendor can integrate with dozens or more AWS services, or with just S3, so it pays to get the specifics. We have linked to the online catalogs where available.
- How many prebuilt workflows come included? BlinkOps claims thousands of automated workflows, but just as important is the process for creating custom ones. Some vendors offer visual low-code editors or AI-enhanced creation tools.
- How does the product avoid alert fatigue and false positives? The best tools cross-reference their signals to filter out false positives, such as by leveraging multiple threat intelligence sources. Tines has a rather innovative way of using a Notion database combined with Elastic Security. D3Security claims its product can eliminate at least 90% of alerts automatically and has a free ROI calculator that can possibly quantify the benefit. Microsoft claims its tool eliminates up to 84% of false positives.
- What about finding zero-day threats? Again, combining signals and feeds with automation processes can help to more quickly identify and neutralize zero-days.
- Does the product serve nonsecurity or general orchestration purposes? As mentioned in the individual specifics of each product, some of the SOAR tools have branched out into nonsecurity areas, such as tracking file access and network traffic, tracking employee life cycle and asset management, or synchronizing with trouble ticketing systems and general application development alerts. Many vendors, with the notable exceptions of Google’s SOAR and Microsoft’s Sentinel, are already moving in this direction.
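The points above on custom workflows and on cross-referencing several threat intelligence sources to cut false positives are easier to evaluate once you have seen the shape of a playbook. The script below is an added illustration written for this guide, not code from any vendor named here: it normalizes alerts from two constructed sources (an EDR and a SIEM), deduplicates repeated host/indicator pairs, enriches each case against three constructed threat intelligence feeds, and only selects an automated containment action when at least two feeds corroborate the indicator; anything weaker goes to an analyst, and allowlisted destinations are closed as benign. All field names, feeds, IP addresses, and actions are assumptions made up for the example.

```python
"""Minimal SOAR-style triage playbook (added illustration, not any vendor's code).

Assumptions (all constructed for this example): two alert sources, an EDR and a
SIEM, emit dicts with vendor-specific field names; three in-memory lookups stand
in for real threat-intelligence feeds; the playbook ingests, deduplicates,
enriches, and decides a response for each case.
"""
from collections import Counter
from dataclasses import dataclass, field

# Constructed threat-intelligence feeds (stand-ins for real TI sources).
TI_FEEDS = {
    "feed_a": {"198.51.100.7": "c2", "203.0.113.9": "scanner"},
    "feed_b": {"198.51.100.7": "c2"},
    "feed_c": {"192.0.2.55": "benign-cdn"},  # a feed that vouches for a known-good CDN
}
ALLOWLIST = {"192.0.2.55"}  # constructed internal allowlist of known-good destinations


@dataclass
class Alert:
    source: str
    host: str
    indicator: str
    severity: str


@dataclass
class Case:
    alert: Alert
    duplicates: int = 0
    ti_hits: dict = field(default_factory=dict)
    verdict: str = "unknown"
    action: str = "none"


def normalize(raw: dict) -> Alert:
    """Map each vendor's field names onto one common schema (constructed formats)."""
    if raw["vendor"] == "edr":
        return Alert("edr", raw["hostname"], raw["remote_ip"], raw["sev"])
    if raw["vendor"] == "siem":
        return Alert("siem", raw["src_host"], raw["dest_ip"], raw["priority"])
    raise ValueError(f"unsupported alert vendor: {raw['vendor']}")


def deduplicate(alerts: list[Alert]) -> list[Case]:
    """Collapse repeated (host, indicator) pairs into one case, counting the repeats."""
    counts = Counter((a.host, a.indicator) for a in alerts)
    seen, cases = set(), []
    for a in alerts:
        key = (a.host, a.indicator)
        if key in seen:
            continue
        seen.add(key)
        cases.append(Case(alert=a, duplicates=counts[key] - 1))
    return cases


def enrich(case: Case, feeds=TI_FEEDS) -> Case:
    """Query every feed and record which ones flagged the indicator, and how."""
    case.ti_hits = {name: feed[case.alert.indicator]
                    for name, feed in feeds.items() if case.alert.indicator in feed}
    return case


def decide(case: Case, min_corroboration: int = 2) -> Case:
    """Require agreement from several feeds before taking an automated response."""
    malicious = [f for f, label in case.ti_hits.items() if label in ("c2", "scanner")]
    if case.alert.indicator in ALLOWLIST:
        case.verdict, case.action = "benign", "close_as_benign"
    elif len(malicious) >= min_corroboration:
        case.verdict, case.action = "malicious", "isolate_host"
    elif malicious or case.alert.severity == "high":
        case.verdict, case.action = "suspicious", "escalate_to_analyst"
    else:
        case.verdict, case.action = "informational", "close_as_benign"
    return case


def run_playbook(raw_alerts: list[dict]) -> list[Case]:
    """Ingest -> normalize -> deduplicate -> enrich -> decide, one case per pair."""
    alerts = [normalize(r) for r in raw_alerts]
    return [decide(enrich(c)) for c in deduplicate(alerts)]


# Constructed sample alerts from the two sources.
SAMPLE_ALERTS = [
    {"vendor": "edr", "hostname": "ws-17", "remote_ip": "198.51.100.7", "sev": "high"},
    {"vendor": "siem", "src_host": "ws-17", "dest_ip": "198.51.100.7", "priority": "medium"},
    {"vendor": "siem", "src_host": "ws-02", "dest_ip": "203.0.113.9", "priority": "low"},
    {"vendor": "edr", "hostname": "ws-09", "remote_ip": "192.0.2.55", "sev": "high"},
    {"vendor": "siem", "src_host": "ws-11", "dest_ip": "10.0.0.4", "priority": "low"},
]

if __name__ == "__main__":
    for case in run_playbook(SAMPLE_ALERTS):
        print(f"{case.alert.host:6} {case.alert.indicator:14} dup={case.duplicates} "
              f"hits={case.ti_hits} -> {case.verdict}/{case.action}")
```

Run as written, the two ws-17 alerts collapse into one case that two feeds corroborate, so it is the only one routed to automatic isolation; the single-feed hit on ws-02 is escalated rather than acted on, which is the corroboration rule doing the false-positive filtering described above. When comparing products, ask how their playbook editors express the equivalent of `min_corroboration`, the allowlist, and the deduplication key, since those three choices decide how much of the alert volume an automated workflow will close without an analyst.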
The major SOAR providers and their offerings
BlinkOps from Blink has hundreds of integrations listed here that span a wide variety of third-party software tools. It has thousands of prebuilt automated workflows (for example, Google Cloud Platform has 360 such automations), including ones that run on preset schedules or on particular webhook triggers. It comes with two different AI copilots, one for building new workflows and one for automated case management. It also supports nonsecurity automation and orchestration uses. Pricing starts at $17,500 per year.

D3Security Smart SOAR has more than 600 connectors to a variety of tools. The company says it will build anything that isn’t in this list for free. It has automations that handle incidents, search for false positives, and trigger mitigation responses. D3 also handles nonsecurity cases, such as employee onboarding and offboarding. The minimum annual price is $100,000. It plans to add a series of AI-based tools in early 2025 to make customization more productive and effective.

Fortinet FortiSOAR has more than 600 connectors to a variety of other tools as well as tight integrations with other Fortinet products such as its SIEM, firewall, and XDR. Data is enriched with hundreds of threat intelligence sources, and the companion FortiAI tool provides further analysis, creates playbooks, and executes simple commands. It can also be used for nonsecurity tasks such as employee onboarding or offboarding and equipment provisioning. It is available in SaaS, on-premises software, and cloud versions. Pricing comes in two tiers: starter and enterprise.

Google Security Operations SOAR is just one module among the many components that have roles in its Chronicle observability service. It supports more than 250 third-party integrations across all major security categories, including gathering data from various Google security and cloud services. It requires a SIEM connection (Google’s or another vendor’s) to collect data. It works with Mandiant’s threat intelligence, and alerts are sent in near real time to the SOAR dashboard. It has a three-tier pricing structure.

IBM QRadar SOAR is the on-premises product. In early 2024, IBM sold its QRadar SaaS version to Palo Alto Networks, keeping the OpenShift and virtual machine editions. It supports more than 300 third-party integrations listed in its marketplace, along with connectors to its Guardium and Verify product lines. QRadar also integrates with its Watson AI-based app development studio, which, when coupled with its Playbook Designer, can be used to develop custom playbooks and workflows. It has been extended to nonsecurity use cases, such as employee onboarding and management. Unlike most of its competitors, it has a very transparent pricing estimator, based on the number of authorized users, that starts around $10,000 per year.

Microsoft Sentinel is a cloud-native dual SIEM and SOAR service that uses Azure analytics services. It can collect data from multiple cloud and on-premises sources with a variety of connectors, including prebuilt ones for its own Defender products as well as third-party tools such as AWS S3, various Google Cloud services, Jira Audit, and Okta, which can be found on the Azure Marketplace. Microsoft has also written extensive migration plans from the Splunk and QRadar SOAR tools and has AI-enhanced automation of workbooks with its Azure Logic Apps tool. It is available as a preview version with various usage-based pricing tiers, without the need for a 365/E5 Defender license, and is free to try for the first month with certain usage limits.

Palo Alto Networks Cortex XSOAR has more than 1,000 third-party integrations that can be reviewed on its marketplace, covering both security and nonsecurity tools. The product has integrations with other security, network, and cloud tools from the vendor. It uses AI enhancements to group and filter duplicate alerts, eliminate false positives, and create playbooks, as well as learning from manual analyst interactions. XSOAR also works with a variety of large language models, including ChatGPT, Anything LLM, and Ollama, to analyze and interact with incident data.

ServiceNow Security Incident Response supports hundreds of third-party integrations across a wide variety of security products to enrich its collection of incident data. This includes connecting with many ServiceNow modules for security, network, compliance, asset collection, and other IT-related issues. It works with three AI-based tools: Flow Designer, a visual drag-and-drop workflow creator; Predictive AIOps, for analyzing event logs; and Now Assist, for case management.

Splunk SOAR: Cisco completed its acquisition of Splunk early in 2024, and the product now integrates with more than 300 third-party tools as well as Splunk’s Enterprise Security and Attack Analyzer products. It comes with more than 2,800 prebuilt automated workflows that can be easily tied to playbooks constructed with a visual editor. A future integration is promised with Cisco’s Talos Intelligence threat feed. Splunk has an AI assistant for its Search Processing Language, enabling natural language prompting of queries. Splunk can also be applied to nonsecurity cases such as IT operations.

Swimlane Turbine has a wide catalog of hundreds of third-party integrations with a variety of security tools. This is enabled by support for a variety of connection types, including general REST APIs, webhooks, various telemetry sensors, and business logic tools. Swimlane claims to be the largest independent SOAR provider, meaning that it doesn’t offer any SIEM or XDR companion products of its own. It does have Turbine Canvas, an AI-based low-code automator, and Hero AI, used to automate playbooks for case management. Pricing starts at $720,000 per year, with additional usage fees (such as for AI consumption) on top of this.

Tines has an extensive ecosystem of dozens of prebuilt third-party integrations with vulnerability management tools, the three major cloud platforms, and various EDR and SIEM vendors. Users can quickly build workflows to automate processes, including with its AI-powered Workbench. It can also automate various nonsecurity tasks such as employee onboarding or offboarding and asset management. There are both always-free and for-fee versions; the latter start at $170,000 per year and can easily be double that amount for more complex installations.

Other SOAR providers include Exabeam, NetWitness, and SentinelOne; these providers declined to provide any specifics on their SOAR products.
What about the price of SOAR?
Unlike IBM and Microsoft, few of the SOAR vendors offer full, public, and transparent pricing. Three partial exceptions are Tines’s pricing page, Splunk’s pricing page, and Google’s pricing page. All of these are long on details about how their prices are calculated without providing any actual dollar amounts. The others ignore pricing altogether.

We obtained pricing from cloud providers’ managed service offerings, which may or may not be representative of other packaging options. The range is quite large, starting at about $20,000 per year. The top cost goes to Swimlane, which starts at the jaw-dropping annual fee of $720,000 and can go a lot higher with usage surcharges. Clearly, SOAR isn’t just an acronym, and the lack of pricing transparency means the sky is the limit. Potential customers will have to negotiate with vendor sales teams to obtain meaningful pricing.
Questions to ask your team and your SOAR vendor
- Does the product offer more protection and automation features than using either an XDR or SIEM tool?
- How wide and agnostic is your support for multiple third-party security vendors?
- What integrations (to other security tools offered by the same vendor) are available? How is this data enriched and combined within the SOAR?
- How is your workflow automation enabled?
- What large language models and AI tools are used to enhance its features?
Essential Reading
- What is SIEM? How to choose the right one for your business
- CSPM buyer’s guide: How to choose the best cloud security posture management tool
- SOAPA vs. SOAR: How these security terms differ
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3622920/soar-buyers-guide-11-security-orchestration-automation-and-response-products-and-how-to-choose.html