GigaOm Radar for Security Orchestration, Automation, and Response (SOAR) v3.0

Table of Contents

  1. Summary
  2. Market Categories and Deployment Types
  3. Key Criteria Comparison
  4. GigaOm Radar
  5. Vendor Insights
  6. Analyst’s Take
  7. About Andrew Green

1. Summary

Security orchestration, automation, and response (SOAR) emerged as a product category in the mid-2010s. At that point, SOAR solutions were based on playbooks and integrations. Since then, the platforms have developed beyond the initial capabilities to offer more holistic experiences to security analysts, with vendors intending to develop SOAR as the main workspace for practitioners.

Newer features offered by this holistic experience include case management, collaboration, simulations, threat enrichment, and visual correlations. Additionally, SOAR vendors have gradually implemented artificial intelligence (AI) and machine learning (ML) technologies to enable their platforms to learn from past events and fine-tune existing processes. This is the juncture where evolving threat categorization and autonomous operations become differentiators in the space. While these two metrics are not critical for a SOAR platform, they may offer advantages in terms of reduced mean time to resolution (MTTR), resilience against employee turnover, and overall flexibility.

We’ve found that SOAR vendors come from three distinct backgrounds:

  • Pure-play SOAR vendors: Players that offer only a SOAR solution.
  • Security players: Vendors that have a broader security portfolio and are either developing their SOAR platform or acquiring existing companies that have one.
  • Cross-portfolio players: Vendors that have traditionally been active in other areas, such as IT automation or service management, and are now entering the security automation space.

We’ve observed many acquisitions in the SOAR space. This was to be expected, considering that automation is a must-have in any modern IT stack. Large security players have a wide selection of SOAR vendors to pick from, virtually all of them offering vendor-agnostic point solutions, meaning they can essentially be acquired and integrated into a wider security portfolio.

However, this aggressive approach to acquiring point-solution SOAR vendors is very unlikely to spell the end of SOAR as we know it today. There are multiple reasons for this. First, standalone and vendor-agnostic solutions have some inherent benefits that cannot be replicated otherwise, which is why large security players continue offering their SOAR platforms as vendor-agnostic and standalone solutions.

Second, SOAR solutions are increasingly capable of ingesting both non-SIEM (security information and event management) events and non-security events. This has two implications: SOAR tools can start running independently of SIEM tools to strengthen an organization’s security posture, and they can automate non-security processes as well.

This GigaOm Radar report highlights key SOAR vendors and equips IT decision-makers with the information needed to select the best fit for their business and use case requirements. In the corresponding GigaOm report “Key Criteria for Evaluating SOAR Solutions,” we describe in more detail the capabilities and metrics that are used to evaluate vendors in this market.

This is our third year evaluating the SOAR space in the context of our Key Criteria and Radar reports. All solutions included in this Radar report meet the following table stakes—capabilities widely adopted and well implemented in the sector:

  • Security data ingestion
  • Third-party tool orchestration
  • Workflow automation
  • Reporting, dashboards, and customizable interfaces
  • Integrations
  • Standalone SOAR solution

Inside the GigaOm Radar

The GigaOm Radar weighs each vendor’s execution, roadmap, and ability to innovate to plot solutions along two axes, each set as opposing pairs. On the Y axis, Maturity recognizes solution stability, strength of ecosystem, and a conservative stance, while Innovation highlights technical innovation and a more aggressive approach. On the X axis, Feature Play connotes a narrow focus on niche or cutting-edge functionality, while Platform Play displays a broader platform focus and commitment to a comprehensive feature set.

The closer to center a solution sits, the better its execution and value, with top performers occupying the inner Leaders circle. The centermost circle is almost always empty, reserved for highly mature and consolidated markets that lack space for further innovation.

The GigaOm Radar offers a forward-looking assessment, plotting the current and projected position of each solution over a 12- to 18-month window. Arrows indicate travel based on strategy and pace of innovation, with vendors designated as Forward Movers, Fast Movers, or Outperformers based on their rate of progression.

Note that the Radar excludes vendor market share as a metric. The focus is on forward-looking analysis that emphasizes the value of innovation and differentiation over incumbent market position.
