4 SOAR Purchasing Mistakes to Watch Out For

Purchasing a security orchestration, automation, and response  (SOAR) platform is a major decision. If you make the right choice, this powerful technology can become the heart of your security operations, intaking data from across your environment and orchestrating workflows to shut down threats. However, it’s no small undertaking to purchase and implement a SOAR platform, so you want to get it right the first time. No one wants to go to the trouble of selecting a tool just to scrap it after six months and start over.

So with that in mind, here are four all-to-common SOAR purchasing “gotchas”— in other words, the things that might not be obvious in a sales pitch, but in the long term can come back to bite you.


1. Pricing Based on Data Volume

It is unfortunately quite common for SOAR vendors to have dynamic month-to-month pricing based on the volume of data flowing through the SOAR tool. This data would include all the alerts being ingested from the SIEM, endpoints, and other integrated tools. This pricing model might look affordable when you’re comparing vendors, but it is a nightmare for budget planning, particularly in the long term. Do you think you can accurately predict the amount of data you will use? That’s hard enough to do with your personal cell phone, let alone a highly complex security tool.

The worst part about this pricing model is that your costs can skyrocket at the worst possible time. Your data usage will be highest during a major security incident, so in addition to dealing with the chaos of the incident, you’ll have to explain to your bosses why you’re way over budget.


2. Per-User Pricing that Won’t Support Growth

While we’re on the subject of pricing, just because you’re not being charged for data volume, doesn’t mean you’re in the clear. Pricing based on the number of user licenses is preferable, but only if additional users can be added at a reasonable price.

At some point in the future, if your SOAR project has been successful, you’ll want to add more users than you initially licensed from the vendor. You might want to add more security analysts to capitalize on the successes you’ve been having, or you might want to expand the scope of your SOAR usage to incorporate other groups like the compliance team. Some vendors charge a reasonable per-user price for the initial base package of licenses but make it prohibitively expensive to add additional users.


3. Reliance on User Scripting of Integrations

Quantity and quality of integrations are important factors to consider when evaluating SOAR platforms. You’ll want a platform that can work seamlessly with your existing tools to intake data and orchestrate actions. Fortunately, most SOAR platforms offer lots of integrations with other security tools. Unfortunately, there’s a catch.

Many vendors rely on their clients to do significant scripting to set up their integrations. Instead of being ready to go out of the box, these integrations require heavy modifications before they can do the things that the vendor promised. If you don’t have a ton of Python scripting experience, or if you do but would prefer to not commit valuable internal time and resources to it, look for platforms with lots of out-of-the-box integrations.


4. Playbook Rigidity

During the evaluation process, SOAR vendors will show you playbooks for a few of your most important use-cases. A Proof-of-Concept will give you the opportunity to experiment with those playbooks yourself and see how they work. The more difficult thing to see in the evaluation process is the level of customization that those playbooks support. All SOAR platforms should come with some out-of-the-box playbooks, but those workflows might not support your specific needs, especially as those needs change over time.

For a successful long-term SOAR implementation, you’ll want playbooks that you can easily edit yourself. Some vendors’ playbooks are very difficult to modify, often requiring you to pay them for custom development.

Here at D3, we do our best to give clients the solutions, services, and support they need to have successful and cost-effective SOAR projects in the long term. To learn more about evaluating SOAR platforms, check out our guide for a successful PoC. Or if you’re ready to see our technology in action, schedule a demo today.

Social Icon
Walker Banerd

Walker is D3 Security's Director of Content Marketing. He leads the writing of D3's blog, as well as white papers, industry briefings, and other thought leadership. Walker's expertise is translating technical concepts into easily understandable content, with a focus on software, cybersecurity, and compliance solutions.