If you came here looking for the Gartner Magic Quadrant for SOAR (Security Orchestration, Automation and Response), let’s get the spoilers out of the way first. No, there isn’t one yet. It doesn’t exist at the time of writing this post. If Gartner releases one, we’ll make sure to update this post and link to it.
In its absence, the next-best resource you can refer to is Gartner’s 2022 Market Guide for SOAR, which mentions D3 Security as a representative vendor. You can download the latest edition of the report from our resource library to get Gartner’s expert analysis and recommendations on the SOAR market.
Quadrant analysis is a simple decision-making framework: a 2×2 matrix used as a scatterplot to compare anything on two parameters. It is easy to do on a whiteboard or a sheet of paper. In this post, we'll also give you a framework to do your own quadrant analysis of the SOAR market and share our perspective on where we see NextGen SOAR positioned on it.
What is SOAR, Explained
For those who are unfamiliar with the term, we have an extensive SOAR 101 page that does a great job of explaining what SOAR is and why it is important for security teams. Here’s a nugget from that page, to save you a click:
A security orchestration, automation, and response (SOAR) platform collects or ingests data from a variety of sources—SIEM, EDR, cloud, email, etc.—and then orchestrates tailored responses using playbooks that combine security tool integrations, automated workflows, and human input.
Gartner coined the term SOAR in 2017. Since then, this category of cybersecurity software has quickly become an indispensable capability for Security Operations Center (SOC) teams.
Magic Quadrant, Explained
The Gartner Magic Quadrant is a two-by-two matrix that condenses Gartner's research and analysis of vendors in a specific technology category. The horizontal axis is Completeness of Vision and the vertical axis is Ability to Execute. Gartner plots vendors on the chart using 15 weighted criteria. Ability to Execute is evaluated on parameters such as products/services offered, overall viability, market responsiveness, track record, customer experience, and operations capabilities. Completeness of Vision is evaluated on parameters such as market understanding, marketing, sales and product strategy, business model, and more.
The vendors are divided into four quadrants:
Challengers: These companies are usually large and have financial resources, but lack strong vision, innovation, or an overall understanding of market needs.
Leaders: Companies that have a lot of satisfied customers, are financially strong, can influence the direction of the market, and usually have product-market fit.
Niche Players: Companies that cater to a specific industry or segment. They have a limited ability to innovate or beat other vendors in the larger market.
Visionaries: Companies that reflect Gartner's idea of how a market will evolve but have a less established capacity to deliver on that vision. Visionaries fall into the higher-risk, higher-reward category for vendors and customers.
An important point to note here is that the Leaders quadrant isn't necessarily synonymous with the best product in a category. A Challenger, Visionary, or Niche Player might be a better fit for you, depending on your business needs.
DIY SOAR Quadrant Analysis: Ability to Execute
Now that you know what a Magic Quadrant is, you can do your own evaluation of SOAR providers based on publicly available information. You can analyze and quantify a company's ability to execute based on the following:
Quantity and Quality of Integrations
It helps to know whether a vendor's SOAR integrations are vendor-managed or community-made, because that tells you who is responsible when a particular integration breaks or needs to be updated after an upstream API change. At D3 Security, our integrations are fully managed in-house, and we have a large, dedicated team adding new integrations and keeping existing ones up to date. Note down the number of integrations the vendor supports and map them against the security tools actually deployed in your SOC; a large catalog is worth little if it misses your EDR or SIEM. Other points to ponder: Are these integrations deep (covering the full set of actions you need) or superficial (a single lookup or alert pull)? How easy is it to build and maintain custom integrations?
Independent or Suite-Based
Is the solution vendor-neutral, or a suite-based solution offered by a tech conglomerate? We strongly believe independent SOAR is the way to go, as it prevents vendor lock-in and gives you the freedom to choose the best components in each security domain.
Size and Experience of the Development Team
SOAR is a complex technology with a lot of moving parts. The size and experience of the development team directly affect the quality of the code base and the integrations, and the pace at which new features are released and bugs are fixed. While you can easily ascertain the size of a pure-play SOAR company like D3 Security by checking our LinkedIn profile, it is harder to do so for a tech conglomerate that acquired a SOAR product and folded its team into a larger organization.
Reviews on Gartner Peer Insights
Gartner Peer Insights is a useful resource for evaluating the efficacy of a SOAR product. The reviews are written by verified customers, and each review shows the reviewer's industry, firm size, and deployment architecture, so you can judge whether their experience is relevant to your own environment.
DIY SOAR Quadrant Analysis: Completeness of Vision
To evaluate a vendor's completeness of vision, look at the features and capabilities it offers. Here is a checklist of capabilities found in NextGen SOAR that you can use to benchmark other SOAR platforms:
No-code playbook editor
Managing SOAR playbooks without needing developer resources can fundamentally improve the speed and maintainability of incident response playbooks. With NextGen SOAR you can drag and drop security technologies into and out of a playbook without disrupting your security operations. Other notable features of our playbooks include:
- A library of out-of-the-box playbooks based on the NIST 800-61 and SANS incident-handling methodologies.
- Hundreds of pre-built utility actions for tasks such as enrichment, searches, and more.
- The ability to test playbooks and actions before publishing them to production.
- Access and version controls.
- Nested playbooks for reusability and maintainability.
SOC reporting and metrics
- Custom dashboards that track metrics such as MTTR, MTTD, incidents by type, analyst performance, and more.
- Automated report generation on SOC trends.
Multi-tenancy
The ability to fully segregate client sites and data while reusing non-client-specific content such as playbooks, integrations, and utility actions. This capability is a must-have for large multinational companies and managed security service providers.
Flexible Deployment Options
The flexibility to host SOAR in a public cloud, in an on-prem environment, or in a hybrid environment, where the SOAR platform itself runs in the cloud but needs access to on-prem infrastructure.
Full Case and Investigation Management Capabilities
SOAR is the ideal place to do case management, since it is already the central hub where security data is ingested and enriched and where incident response is automated. NextGen SOAR lets you manage the full incident lifecycle from within the platform, from triage, analysis, and response through to reporting. It lets analysts collaborate with teams outside the SOC and supports role-based access controls, so that sensitive cases such as insider-threat investigations can be restricted to the analysts who are authorized to see them.
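To make the DIY quadrant analysis concrete, here is a small Python scorecard. It is an added example, not code from the original post or from D3 Security. Each axis is a weighted average of 0–5 ratings you assign per criterion (the criteria mirror the two checklists above; the weights are assumptions you should tune), and the quadrant boundaries are the median of each axis across the vendors you scored, so the result is relative to the field you evaluated rather than an absolute threshold. The vendor names and ratings are constructed placeholders.

```python
"""DIY SOAR quadrant analysis: weighted scorecard -> 2x2 quadrant.

Added example, not part of the original post or any D3 Security tooling.
Vendor names, weights and ratings are constructed placeholders; replace them
with your own research (integration counts, Peer Insights reviews, etc.).
"""
from dataclasses import dataclass
from statistics import median

# Vertical axis: Ability to Execute. Weights are assumptions.
EXECUTE_CRITERIA = {
    "integration_count": 0.25,
    "integration_depth": 0.20,
    "vendor_managed_integrations": 0.15,
    "independent_vendor": 0.10,
    "dev_team_size": 0.15,
    "peer_insights_rating": 0.15,
}

# Horizontal axis: Completeness of Vision. Weights are assumptions.
VISION_CRITERIA = {
    "no_code_playbooks": 0.25,
    "reporting_metrics": 0.15,
    "multi_tenancy": 0.20,
    "deployment_flexibility": 0.15,
    "case_management": 0.25,
}

KNOWN_CRITERIA = set(EXECUTE_CRITERIA) | set(VISION_CRITERIA)


@dataclass
class Vendor:
    name: str
    scores: dict  # criterion name -> rating in 0..5, assigned by you


def axis_score(vendor: Vendor, criteria: dict) -> float:
    """Weighted average on a 0..5 scale.

    A criterion you have not rated counts as 0 (unknown is not a strength),
    and a rating outside 0..5 is rejected so a typo cannot skew the chart.
    """
    acc = 0.0
    for crit, weight in criteria.items():
        rating = vendor.scores.get(crit, 0.0)
        if not 0 <= rating <= 5:
            raise ValueError(f"{vendor.name}: {crit}={rating} outside 0..5")
        acc += weight * rating
    return acc / sum(criteria.values())


def quadrant(vision: float, execute: float, x_split: float, y_split: float) -> str:
    """Map a (vision, execute) point to a quadrant name."""
    if execute >= y_split:
        return "Leader" if vision >= x_split else "Challenger"
    return "Visionary" if vision >= x_split else "Niche Player"


def analyse(vendors: list) -> dict:
    """Return {name: (vision, execute, quadrant)} with scores rounded to 2 dp."""
    for v in vendors:
        unknown = set(v.scores) - KNOWN_CRITERIA
        if unknown:
            raise ValueError(f"{v.name}: unknown criteria {sorted(unknown)}")
    points = {
        v.name: (axis_score(v, VISION_CRITERIA), axis_score(v, EXECUTE_CRITERIA))
        for v in vendors
    }
    # Split each axis at the median of the field you scored.
    x_split = median(x for x, _ in points.values())
    y_split = median(y for _, y in points.values())
    return {
        name: (round(x, 2), round(y, 2), quadrant(x, y, x_split, y_split))
        for name, (x, y) in points.items()
    }


# Constructed sample field: four hypothetical vendors, ratings are placeholders.
SAMPLE_VENDORS = [
    Vendor("Alpha SOAR", {"integration_count": 5, "integration_depth": 4,
                          "vendor_managed_integrations": 5, "independent_vendor": 5,
                          "dev_team_size": 4, "peer_insights_rating": 4,
                          "no_code_playbooks": 5, "reporting_metrics": 4,
                          "multi_tenancy": 5, "deployment_flexibility": 4,
                          "case_management": 5}),
    Vendor("Suite Conglomerate", {"integration_count": 5, "integration_depth": 3,
                                  "vendor_managed_integrations": 4, "independent_vendor": 1,
                                  "dev_team_size": 3, "peer_insights_rating": 3,
                                  "no_code_playbooks": 2, "reporting_metrics": 3,
                                  "multi_tenancy": 2, "deployment_flexibility": 2,
                                  "case_management": 3}),
    Vendor("Startup Visionary", {"integration_count": 2, "integration_depth": 3,
                                 "vendor_managed_integrations": 3, "independent_vendor": 5,
                                 "dev_team_size": 2, "peer_insights_rating": 3,
                                 "no_code_playbooks": 5, "reporting_metrics": 3,
                                 "multi_tenancy": 4, "deployment_flexibility": 5,
                                 "case_management": 4}),
    Vendor("Niche Tool", {"integration_count": 1, "integration_depth": 2,
                          "vendor_managed_integrations": 2, "independent_vendor": 5,
                          "dev_team_size": 1, "peer_insights_rating": 2,
                          "no_code_playbooks": 2, "reporting_metrics": 2,
                          "multi_tenancy": 1, "deployment_flexibility": 2,
                          "case_management": 2}),
]

if __name__ == "__main__":
    for name, (vision, execute, quad) in analyse(SAMPLE_VENDORS).items():
        print(f"{name:20s} vision={vision:.2f} execute={execute:.2f} -> {quad}")
```

Two design choices are worth noting. Unrated criteria score zero rather than being skipped, so a vendor you could not research does not float upward by omission; and the median split means adding or removing a vendor can move the boundaries, which is the point: the quadrant is a ranking against the shortlist you actually evaluated, not a certification.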
Evaluating SOAR Vendors? We Can Help
We believe D3 Security would fall in the Leaders quadrant of a SOAR Magic Quadrant. As an independent SOAR vendor, D3 Security has worked on hundreds of SOAR implementations, including for market leaders in every major vertical. Check out our new case studies on implementations in the finance, healthcare, and manufacturing verticals to get an idea of the outcomes enabled by NextGen SOAR. We've also worked with MSSPs and MDR providers on custom integrations and use cases that have had a transformative impact on their bottom line. Schedule a one-on-one demo with us to learn how we can help you work smarter, not harder.
Disclaimer: The views mentioned in this blog are our own and do not represent Gartner’s viewpoint.