Executive Summary
SOC automation is connective tissue. It wires your detections to your tickets, your enrichment to your containment, and your analysts to every other tool in the stack. You can’t rip it out and replace it over a weekend. That makes the stability of the vendor behind it a legitimate buying criterion, alongside features and price.
This paper offers a vendor-resilience framework any security team can use, and then applies it to one common situation: running Rapid7 InsightConnect. Two facts are worth weighing. Rapid7 has publicly reported activist-investor involvement and a stated push to transform its strategy for the AI-SOC market. And in March 2026 it acquired Kenzo Security, an agentic-AI security operations startup, to move its workflows toward machine-speed investigation.
D3 Morpheus, the autonomous SOC platform from D3 Security, is built so the automation you create stays yours. It’s independent and SIEM-agnostic. The investigation logic, the playbooks, and the audit trail belong to you, not to a roadmap you don’t control. The rest of this paper shows how to evaluate that, with a scorecard, a lock-in diagram, and a free 60-day migration path.
What “vendor resilience” actually means for a SOC
Vendor resilience is the likelihood that the platform you automate on today will still serve your needs, on terms you can live with, three to five years out. It has three parts. Ownership: can you export and reuse what you built? Continuity: is the product’s direction stable, or mid-rebuild? Independence: does the automation layer assume one vendor’s SIEM, or work across whatever you run?
None of this requires predicting any vendor’s future. It requires treating portability as a feature you can verify now, while the decision is still cheap to change.
Why You Can’t Swap Automation in a Weekend
SOC automation is the most embedded layer in the stack, which is exactly why it’s the hardest to move. A SIEM swap is painful but bounded. Migrating automation means re-deriving the logic of how your team actually responds, and that logic lives in dozens of interconnected workflows that took months to tune.
Picture the real cost. Every InsightConnect workflow encodes a decision your team made: which alerts to enrich, when to isolate a host, who approves a block. Those decisions are spread across plugins, custom connectors, and the small exceptions analysts added at 2 a.m. during an incident. Move platforms and you re-discover, re-test, and re-validate all of it. The institutional memory doesn’t export cleanly.
The four costs that make automation sticky
Logic re-derivation
Workflows encode tribal knowledge about your environment. Rebuilding them means re-interviewing the people who wrote them, if they’re still there.
Integration rebuild
Each connector to your EDR, SIEM, ticketing, and identity tools has to be re-established and re-authenticated on the new platform.
Audit continuity
Your evidence trail for past incidents may not move with you, which matters for regulators and for breach response.
Retraining
Analysts trust automation they understand. A new engine resets that trust and slows the team until confidence rebuilds.
This stickiness is normal and even healthy. It only becomes a liability when the platform under your automation starts to change shape and you have no way to take your work with you. That’s the scenario worth planning for.
Why this is on the table for InsightConnect users now
Two public developments make vendor resilience a fair question for Rapid7 customers. Neither is a prediction. Both are sourced and on the record.
First, the activist-investor situation. In March 2025, Rapid7 reached a cooperation agreement with JANA Partners, which had disclosed a roughly 13% economic interest and named operational execution, governance, and board composition among its concerns. Rapid7 added three new directors, including a JANA partner. Public reporting has tied this to a broader push to enhance shareholder value, with the company describing a strategy to lead in the AI-SOC market.
Second, the Kenzo Security acquisition. On March 26, 2026, Rapid7 acquired Kenzo Security, an agentic-AI security operations startup, to accelerate its move from AI-assisted workflows toward AI-driven, machine-speed operations on its Command Platform. Acquiring a new agentic engine is a normal way to modernize. It’s also a re-platform signal worth noting if your automation runs on the older workflow model.
A Vendor-Resilience Scorecard for Any SOC Platform
A vendor-resilience evaluation scores a platform on how well your automation survives changes in the vendor’s ownership, roadmap, or pricing. Use the same six criteria for every vendor you consider, including the one you already run. Score each from 1 (high lock-in risk) to 5 (you own your work and can leave on your terms).
The criteria below are deliberately vendor-neutral. They ask about your exposure, not about anyone’s reputation. Run them on InsightConnect, on D3 Morpheus, and on every alternative, then compare. A low score isn’t a verdict on a product. It’s a measure of how much rebuilding you’d face if the ground shifts, and how much leverage you keep in the renewal conversation.
| Criterion | What to verify | Low risk looks like |
|---|---|---|
| Logic ownership | Can you export every workflow’s logic in a portable, readable form and reuse it elsewhere? | Full export |
| SIEM independence | Does the automation work across your tools, or assume one vendor’s SIEM and telemetry? | Agnostic |
| Audit portability | Does the per-incident evidence trail travel with you if you change platforms? | One trail/incident |
| Roadmap continuity | Is the engine stable, or are you being asked to re-platform onto something newer? | No forced rebuild |
| Integration durability | When a vendor API changes, who fixes the connector and how fast? | Self-healing |
| Exit cost | What does it actually take, in weeks and dollars, to move off? | Funded migration |
How the three platforms tend to score on independence
The table below maps each criterion to what is publicly verifiable today. The InsightConnect column reflects the workflow-automation model and the public signals above. The D3 Morpheus column reflects D3’s published capabilities.
| Criterion | Rapid7 InsightConnect | D3 Morpheus |
|---|---|---|
| Logic ownership | Workflows tied to platform | You own playbooks & logic |
| SIEM independence | Strongest in Rapid7 ecosystem | SIEM-agnostic by design |
| Roadmap continuity | Kenzo agentic re-platform signal | Four modes, one engine, no rebuild |
| Integration durability | Plugin upkeep on you / vendor | 800+ self-healing, 18-min MTTR |
| Exit cost | Full rebuild to leave | Free 60-day migration program |
Assessments indicate relative lock-in exposure, not product quality. InsightConnect assessments reflect publicly available information and the workflow-automation model as of June 2026; they are not statements about Rapid7’s corporate intentions.
Where Lock-In Hides, and How Portability Removes It
Lock-in is anything that makes leaving cost more than staying, regardless of whether the product still fits. In SOC automation it hides in four layers. The contrast below sets a vendor-coupled model, where each layer binds you tighter to one platform, against a portable model, where each layer can leave with you.
Vendor-Coupled Model — each layer deepens lock-in
- Workflow logic stored in proprietary format.
- Integrations re-built per platform on exit.
- Telemetry and SIEM tuned to one ecosystem.
- Audit trail doesn’t export cleanly.
- Exit equals a full rebuild.
Portable Model (D3 Morpheus) — each layer leaves with you
- You own the playbooks: portable, readable logic.
- 800+ self-healing integrations, 18-min MTTR on API drift.
- SIEM-agnostic telemetry that works across your stack.
- One audit trail per incident, unified and exportable evidence.
- Exit equals configuration, not rebuild.
Figure: Vendor-coupled vs. portable automation. In the portable model, the logic, the connectors, and the audit record stay yours.
The difference isn’t cosmetic. In the coupled model, leaving means re-deriving logic, re-building integrations, re-tuning to a new SIEM, and reconstructing your evidence trail. In the portable model, the logic, the connectors, and the audit record are yours to keep. You move on your terms, not on a vendor’s timeline.
Portability is testable before you commit. Ask any vendor to export a real workflow and its audit trail in a readable format, then read it. If you can’t, that’s your lock-in, measured in advance.
What an Independent, SIEM-Agnostic Platform Buys You
D3 Morpheus is an independent, SIEM-agnostic autonomous SOC platform, which means your automation isn’t a hostage to any single vendor’s roadmap. It runs a real SOAR engine (Security Orchestration, Automation and Response) and then adds autonomous investigation on top, across whatever tools you’ve connected.
Attack Path Discovery: autonomous L2 investigation you can audit
Attack Path Discovery is D3’s read-only Level-2 investigation engine. It traces every alert across identity, endpoint, cloud, and email, maps the blast radius, aligns findings to MITRE ATT&CK, and drafts remediation. Up to 95% of alerts get triaged and L2-investigated in under two minutes. Every step is a real tool query, timestamped and attributed, so an analyst can challenge any conclusion.
Four autonomy modes on one engine
You set how much autonomy to grant, and changing your mind means adjusting a setting. The same engine and the same audit format run underneath all four modes.
- Deterministic: classic SOAR
- AI-Assisted: analyst in loop
- AI-Led: approval gates
- Autonomous: bounded action
This matters for resilience. Moving up or down the autonomy ladder is a setting, not a migration. You’re never forced into a rebuild to adopt more automation, and you’re never stranded if you want to pull human approval back in. Contrast that with the usual upgrade path, where a vendor’s next-generation engine arrives as a separate product and your existing work has to be ported onto it. That’s the kind of forced rebuild a resilience evaluation is meant to catch before you’re already committed.
Governance you can defend
Every autonomous action is governed by your chosen mode and approval gates, explainable as a chain of real tool queries, and recorded in one unified audit trail per incident. That single trail is what makes the evidence portable and the work defensible for frameworks like SEC Item 1.05, NYDFS 23 NYCRR 500, DORA, NIS2, and EU AI Act Article 14.
Questions for Your Evaluation
Ask these of every SOC automation vendor you consider, including your current one. The answers turn vendor resilience from a gut feeling into a scored decision.
- Can I export every workflow’s logic and its audit trail in a readable, portable format today? Can you show me a sample export before I sign?
- Does your automation assume one vendor’s SIEM, or does it work across the tools I already run?
- If you ship a next-generation engine, will my existing automation move by configuration, or will I be asked to rebuild it?
- When a connected vendor changes an API and breaks a connector, who fixes it, and what’s your measured time to restore?
- What does it actually cost me (in weeks and dollars) to leave your platform?
- Is there a funded migration path onto your platform, and will you put a timeline and scope in writing?
- How do you keep one unified audit trail per incident, and can my auditors read it without your help?
Next Steps
Score your current stack this week
Run the six-criterion scorecard on your existing automation. Note where exit cost and roadmap continuity land. This takes an afternoon and costs nothing.
See Morpheus on your real alerts
Book a 30-minute demo at d3security.com/demo. Live on real alerts, no slides. Bring a workflow you’d want to port and watch it run.
Map a no-cost migration
The Legacy SOAR Migration Program is free and runs 60 days with migration architects on staff. Get a written scope and timeline before you commit.
D3 Security: Company Summary
D3 Security builds D3 Morpheus, the autonomous SOC platform that triages, investigates, and helps respond to alerts with a governed, accountable AI engine. Agentic on architecture. Autonomous on outcomes. Accountable on every decision. Morpheus runs 800+ self-healing integrations, four autonomy modes on one engine, and one audit trail per incident, deployed on Microsoft Azure with US, Canada, EU, and Japan data residency. D3 is a Microsoft Intelligent Security Association member and SOC 2 Type II certified, trusted by teams including PwC, Scotiabank, S&P Global, and the London Stock Exchange. Learn more at https://d3security.com.

