What’s the Difference Between SOAR and SAO?

Security Orchestration, Automation and Response (SOAR) is a relatively new product category – in fact, it just turned five. Research and consulting firm Gartner is credited with coining the term around April 2017, judging by the earliest web artifacts that we found on Google. Great minds think alike—Forrester Research, another research and consulting firm, coined the more economical term Security Automation And Orchestration (SAO) at around the same time. But do they refer to the same thing? To answer that, let’s walk you through the official definitions.

Official Definitions of SAO and SOAR

Forrester Research defines SAO as (emphasis ours):

“Technology products that provide automated, coordinated, and policy-based action of security processes across multiple technologies, making security operations faster, less error-prone, and more efficient.”

Gartner defines SOAR as (emphasis ours):

“Solutions that combine incident response, orchestration and automation, and threat intelligence (TI) management capabilities in a single platform. SOAR tools are also used to document and implement processes (aka playbooks, workflows and processes); support security incident management; and apply machine-based assistance to human security analysts and operators. Workflows can be orchestrated via integrations with other technologies, and automated to achieve desired outcomes, such as:

Incident triage

Incident response

TI curation and management

Compliance monitoring and management

Forrester’s compact definition describes SAO in terms that even a person working outside of the cybersecurity industry could make sense of: “automated, coordinated, and policy-based action”. These words describe SAO’s capabilities of automation, orchestration, and incident response. It also highlights the value of SAO – making SecOps “faster, less error-prone, and more efficient”.

Forrester’s 2017 report, titled Breakout Vendors: Security Automation and Orchestration (SAO) adds that SAO tools (emphasis ours):

  •  Act as security middleware
  •  Inform and educate analysts
  •  Enable automation without the need for coding skills
  •  Enable automated response

The elements of SOAR, according to Gartner
In contrast, Gartner’s definition doesn’t dwell much on outcomes – it’s specific and gets into the weeds of the capabilities of a SOAR solution. Gartner sees SOAR as a convergence of three formerly distinct technologies:

■ Security incident response platforms (SIRPs)

■ Security orchestration and automation (SOA)

■ Threat intelligence platforms (TIPs)

The first line from Gartner’s definition emphasizes the combination of these three distinct technologies. The next line describes SOAR’s utility, highlighting the capabilities of SOA and SIRP tools. Playbooks and workflows fall under the SOA umbrella, whereas documentation and incident management fall under SIRP’s purview. The term ‘machine-based assistance’ is kind of vague – but implies using automation as a force multiplier. The line about workflows describes features that fall under the purview of TIPs and SIRPs.

Difference between SAO and SOAR

After a close reading of the two definitions, we can say that the two definitions refer to the same product category – D3’s SOAR platform ticks every feature mentioned by the official definitions from Forrester and Gartner on SAO and SOAR respectively. However, Forrester’s definition of SAO doesn’t explicitly mention case/incident management and integrated threat intelligence as tentpole features of the product category.

Read: 8 Things Gartner Gets Right About SOAR (And 1 Thing They Get Wrong)

SOAR vs SAO on Google Trends

SAO vs SOAR: Which term is more popular?

Analysis of Google Trends for these two terms informs us that SOAR is now the more popular industry term – though it wasn’t always the case. Between 2017 and 2018 – SAO was the more popular term. For now, the market prefers to use the term SOAR over SAO. As for why, it might have something to do with the fact that SOAR simply has a better ring to it than SAO. Try saying SAO a few times in a conversation and it becomes clear where SOAR got its wings.

Of late, even Forrester has used the term SOAR in their analysis and communication. In a blog post written in 2020, Forrester Principal Analyst Josh Zelonis acknowledged that the market had adopted SOAR over SAO.  “Security orchestration, automation, and response” (SOAR) is not a term that Forrester has used in the past, but its prevalence in the market is such that I’ve decided it’s better to use a slightly broken acronym that’s adopted by the market than to continue to leverage the different and more concise “security automation and orchestration” (SAO) acronym that we’ve been using.”

The Rise of SOAR

Acronyms aside, the Google Trends chart also highlights the growing popularity of SOAR. SOAR has become an indispensable tool for SOCs as it mitigates many long-standing issues in the cybersecurity space – a shortage of security talent, security alert fatigue, an increasing number of security tools, and increasing sophistication of attacks. SOAR tools automate a lot of repetitive manual tasks that make an analyst’s work frustrating and time-consuming. It speeds up triage and response times and helps junior analysts accomplish tasks that are beyond their scope of expertise.

Read: The Time for SOAR is Now

Going Beyond SOAR 1.0

As one of the early pioneers in the SOAR space, D3 had a SOAR solution out in the market before the category had been defined by either of these firms. NextGen SOAR, D3’s next-generation SOAR solution, goes beyond the scope of both these definitions by supporting cross-enterprise case management, and orchestration and automation workflows beyond the SOC.D3’s SOAR platform has been through several iterations over the past five years, through which it has had many category firsts. It was the first to use MITRE ATT&CK TTPs (tactics, techniques, and procedures) to enrich and correlate security events and incidents to detect patterns of malicious activity. Our platform now has over 500 out-of-the-box integrations with leading security vendors, reducing the need for python coders to script and manage integrations. Schedule a one-on-one demo with us to learn how you can transform your security operations.

Social Icon
Shriram Sharma

Shriram is a Marketing Content Writer at D3. A former journalist, he chronicled high-profile data breaches, cyber-attacks, and conducted interviews with white and grey hat hackers. He likes to share his fascination for the field of cyber security by creating accessible and engaging content.