What Is SOAR (Security Orchestration, Automation and Response) In Cybersecurity?

What is Security Automation?

Automation is when software and systems can do things by themselves, usually to affect other systems and applications. Security automation completes security tasks, such as enriching an alert, updating a firewall blacklist, or querying a SIEM for contextual data, without human intervention.

What is Security Orchestration?

Orchestration is the coordination of software, systems, and people to complete a workflow. Orchestration includes, but is not limited to, automated actions. Security orchestration involves multiple technologies working together via integration, and usually refers to one tool’s ability to act across other tools.

What is the Difference Between Automation and Orchestration?

Not all security automation is orchestration and not all orchestration is automated, although people often use the terms interchangeably. One can orchestrate a workflow using automation. Orchestration generally refers to complex sequences of actions, while automation might mean a single action or simple sequence.

What is Incident Response?

Incident response is the process of assessing and resolving potential security events. Incident response tools provide methods for effective resolution, such as prebuilt playbooks, ticketing, and even security automation. Incident response platforms were one of the technologies that evolved into SOAR, when they were upgraded with integration and automation features to create more advanced security orchestration platforms.

What is a SOAR Platform?

SOAR platforms collect data from various sources, such as security tools, cloud services, and email systems. They then use playbooks to create customized responses by combining automated workflows, orchestrated actions, and human input.

Elements of SOAR (Security Orchestration, Automation and Response), according to Gartner


A SOAR platform is the quarterback of your security strategy and architecture. It analyzes incoming information and draws on available knowledge or intelligence, orchestrating plays to achieve the best outcome.

SOAR helps Security Operations Center (SOC) and Computer Security Incident Response Team (CSIRT) teams with integrations, automations, playbooks, case management, and reporting for security operations.

What are the Types of SOAR Platforms?


Product-Oriented SOAR

SOAR is a tool that helps manage cyber threats by bringing together incident response, coordination, automation, and threat information management all in one place. However, some orchestration and automation capabilities are emerging in other security systems, such as EDR, SIEM, and email protection. Gartner calls this product-oriented SOAR, because the SOAR capabilities are specific to the function of a single product.


Broad-Based SOAR

Most enterprise and MSSP security teams need a broad-based SOAR solution. This is especially true for teams that use the best tools or have lots of different tools. This also applies when companies add teams, such as during a merger or acquisition.

Broad-based SOAR helps manage and automate tasks across many tools. This offers flexibility, easy connections with different systems, and more ways to use it beyond just security. Even companies that work with just a few vendors should consider broad-based SOAR. It lets them keep using their preferred tools while easily connecting to other tools when needed.


Suite-Based SOAR

It’s no secret that many SOAR vendors have been acquired in the last few years. This has resulted in SOAR platforms being rolled into larger suites of security products. These SOAR platforms can be suitable for companies who already use that suite of tools, but can be limiting when users have a diverse stack of best-of-breed products. The quantity and quality of integrations beyond the vendor’s suite will vary greatly and be unlikely to have the full support of the vendor’s team.

How Are SOAR and XDR Different?

While they work toward similar goals, there are significant differences between how XDR and SOAR function. XDR usually integrates a set of security tools from one company. On the other hand, SOAR platforms work with hundreds of different tools.

Another difference is how they handle incidents. SOAR platforms use playbooks to help organize how the system responds and give tasks to staff. They also learn from what users do to get better at automatic actions. XDR solutions typically lack this ability and instead automate single actions in response to analyzing incoming data. This is the reason many XDR vendors maintain separate security orchestration solutions in their offerings.

Read: XDR & Smart SOAR: Everything You Need to Know

What makes SOAR so important for cybersecurity teams?

Automation and orchestration are vital to your security strategy. They give you the means to rapidly validate and disrupt threats while strengthening your security posture. SOAR technology saves time by automating enrichment and response, getting rid of data silos, and reducing false positives. Advanced platforms go further than just adding information and basic scenarios. They help responders and hunt teams with Tier-2 and Tier-3 security tasks.

SOAR works with threat intelligence platforms and other tools. It helps automate and coordinate security operations, incident response, and threat hunting tasks among different teams. No other security product enhances your team’s capabilities and reduces response times as effectively. Pick one that fits your security needs, focusing on how flexible, open, and thorough it is.

Yes, teams that handle security operations and respond to incidents have used tools and playbooks for years. But, without SOAR, the people who respond to cyber incidents can’t manage everything they need. This includes their plans, standard procedures, tool connections, threat information, cases, and reports. Plus, it’s hard for them to keep up with the growing number of complex threats.

However, when equipped with the right solution, security teams can drive better alerting, enrichment, response, and investigations. Put simply, the right SOAR solution will make your team vastly more efficient and will help you to rapidly validate and disrupt threats.

Solving Cybersecurity Challenges with SOAR

Why do companies need SOAR? Because SOAR directly tackles many of the most entrenched challenges in cybersecurity. These are the challenges that leave enterprises exposed to risk and make it difficult for MSSPs to effectively scale their businesses.

Alert Overwhelm

Many SOCs face hundreds or thousands of security alerts every day, meaning that they can’t investigate most of those alerts. SOAR tools perform automated triage, risk scoring, and threat intelligence enrichment, enabling most—or even all—alerts to be confirmed and investigated. SOAR puts the most important, high-priority alerts at the top of analysts’ queues and gives them useful information that helps them understand the situation quickly.

Too Many Security Tools

The average SOC has close to a dozen security tools, added gradually as needs change. They are often costly and take a lot of work to replace. Usually, there’s no specific plan for how all these tools should work together. This means SOCs have tools that don’t communicate well with each other. It leads to segregated data and forces analysts to switch between many different systems. SOAR connects all these tools, bringing data from different sources together to coordinate actions across systems.

Lack of Security Analysts

The cybersecurity skills gap isn’t going away any time soon. On average, SOCs are understaffed, especially in highly-skilled positions. The efficiencies brought by SOAR tools help security teams do more with less. Automating repetitive and time-consuming tasks frees up analysts for more important work. Playbooks codify best practices, enabling less experienced analysts to perform at a higher level.

Evolving Cyber Threats

New threats require new tools. Simply relying on your firewall to keep your company’s data safe is not enough anymore. The number of places where cyber attacks can happen has increased. Attackers are now smarter and often get help from unfriendly governments or criminal groups. Security orchestration tools provide the speed, agility, and advanced capabilities needed to fight back against sophisticated attackers.

What Are Common SOAR Use Cases?


Assessing and responding to potential phishing incidents is one of the most essential SOAR use cases. This is because large organizations get a lot of real or suspected phishing attempts. Most major breaches start with a phishing or spearphishing attack. SOAR makes it easier to handle phishing threats at large volumes. With just a few clicks, it quickly checks each possible phishing incident, examines suspicious emails, tests any harmful attachments in a safe environment, and decides the best action to take.

Read: How to Automate Incident Response to Phishing
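
The phishing triage flow described above, sketched as an added Python example (not code from D3 or any SOAR product): it parses a reported email, extracts indicators, enriches them against a threat-intelligence lookup, and picks automated or human follow-up actions. The intel table, scoring weights, thresholds and action names are assumptions, and the sample messages are constructed.

```python
import hashlib
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed stand-in for a threat-intelligence lookup: domain -> risk (0-100).
INTEL_DOMAINS = {"login-portal.example.net": 60}
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")

def build_sample(sender, body, attachment=None, spf="pass"):
    """Build a constructed user-reported email as raw bytes."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "user@corp.example.com"
    m["Subject"] = "Password expiry notice"
    m["Authentication-Results"] = f"mx.corp.example.com; spf={spf}"
    m.set_content(body)
    if attachment is not None:
        m.add_attachment(attachment, maintype="application",
                         subtype="octet-stream", filename="notice.bin")
    return m.as_bytes()

def extract_iocs(raw):
    """Parse the message and pull out the indicators a playbook would enrich."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    auth = str(msg.get("Authentication-Results", "")).lower()
    return {
        "sender_domain": sender_domain,
        "url_hosts": sorted({h.lower().rstrip(".") for h in URL_HOST.findall(text)}),
        "attachment_sha256": [hashlib.sha256(p.get_content()).hexdigest()
                              for p in msg.iter_attachments()],
        "spf_fail": "spf=fail" in auth,
    }

def triage(raw):
    """Score the email and choose actions; weights and thresholds are assumptions."""
    iocs = extract_iocs(raw)
    hosts = {iocs["sender_domain"], *iocs["url_hosts"]}
    score = max((INTEL_DOMAINS.get(h, 0) for h in hosts), default=0)
    score += 30 if iocs["spf_fail"] else 0
    actions = []
    if iocs["attachment_sha256"]:
        actions.append("sandbox_attachments")       # orchestrated action in another tool
    if score >= 70:
        verdict = "malicious"
        actions += ["block_sender", "purge_from_mailboxes"]
    elif score >= 30:
        verdict = "suspicious"
        actions.append("assign_to_analyst")         # human-input step in the playbook
    else:
        verdict = "benign"
        if not actions:                             # nothing still pending in the sandbox
            actions.append("close_as_false_positive")
    return {"verdict": verdict, "score": score, "actions": actions, "iocs": iocs}

if __name__ == "__main__":
    raw = build_sample("IT Helpdesk <helpdesk@login-portal.example.net>",
                       "Reset here: http://login-portal.example.net/reset?u=1",
                       attachment=b"constructed attachment bytes", spf="fail")
    print(triage(raw))
```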


SOAR helps companies investigate suspected ransomware incidents, confirm true positives, and take the appropriate steps to minimize the impact. The initial threat point for ransomware attacks is typically phishing, for which SOAR tools offer streamlined response. When an EDR or other tool detects potential ransomware, SOAR runs a playbook to assess the threat, locate any other instances of the malicious file, and quarantine the affected hosts.

Endpoint Incident Response

Security teams have a scattered response process without SOAR. They miss crucial details, lack important context, and switch between screens a lot, limiting their ability to investigate, track and report effectively. When an EDR identifies a potentially risky endpoint, SOAR evaluates the threat level and decides on the appropriate action. Response actions may include checking the suspicious file in a safe location and searching for it on other endpoints. Subsequently, taking necessary steps to tackle the threat is also a crucial part of the process. These steps may include removing the file, blocking its signature, and isolating the affected endpoints.

Read: How Does SOAR Fit in an EDR-Centric SOC?

Vulnerability Management

Security teams often struggle to run regular vulnerability scans and effectively turn the results into action. SOAR streamlines this process by automating workflows triggered by vulnerability scans. When an integrated tool scans endpoints and identifies a security weakness, SOAR automatically interprets the scan report and triggers a playbook to address the vulnerability.

Read: Automated Incident Response with Rapid7 and Smart SOAR


Cryptojacking—hijacking a machine to run cryptomining scripts—is a common attack against enterprise cloud environments, such as AWS EC2 instances. Cryptomining scripts can potentially be detected by Amazon GuardDuty or an application performance monitoring tool like Datadog APM, but neither tool has the ability to fully investigate and remediate the threat on its own. Cryptojacking alerts can be escalated to SOAR for investigation and response, including actions like domain analysis and EC2 instance analysis.

What Are the Key Benefits of SOAR?

Improved Mean Time to Detection and Remediation

The longer a security incident goes undetected, the more damage it does. One of the primary benefits of SOAR is how it drastically shortens the time it takes to detect and respond to incidents. SOAR automates alert enrichment, orchestrates actions across tools, and automates incident response playbooks.

False Positive Reduction

Without SOAR, Tier 1 security analysts can easily spend the majority of their time on alerts that turn out to pose no actual risk. By automating triage, correlation, threat intelligence enrichment, and risk scoring, SOAR can quickly identify false positives, and in many cases, automatically resolve them.

Operational Efficiency

SOAR helps security teams move faster while using fewer resources. Integrating tools through one interface saves time that would be wasted on screen-switching, navigating data silos, and copy-pasting data between systems. Playbooks keep incident responders on track, following proven best practices. Collaboration features help enforce SLAs and reduce duplicated work.

SOAR aggregates a substantial amount of security data, which enables the creation of reports and metrics that offer insights into bottlenecks, inefficiencies, and areas for improvement.

Staff Onboarding and Retention

Recruiting, hiring, and training security personnel requires time and resources. Therefore, when you onboard them, it makes sense to keep them happy and engaged with their work. Too many SOC analysts burn out from handling a high volume of unimportant alerts every day. It gives them little opportunity to apply and develop their skills. SOAR cuts down on busywork and repetitive tasks, enabling analysts at all tiers to stay focused on real threats.

SOAR turns incident response playbooks into proven workflows and simplifies complex toolsets to a single interface. This helps new hires get up to speed quickly and provide value to the team beyond their level of experience.

How Does SOAR Work with Other Tools?

    A common misconception is that if you have a SIEM (security information and event management) tool, you don’t need SOAR. In fact, SOAR and SIEM complement each other. SOAR improves investigation and response capabilities through its wide range of integrations and security automation use cases.

    SIEM tools store large amounts of log and network data, but they lack the playbooks and automations necessary for managing incident response. They also lack user-friendly integrations and can’t generate important SOC metrics. After orchestrating a response to a SIEM event, SOAR updates or closes records in the SIEM system, ensuring completeness of data.

    Read: SIEM & Smart SOAR: Everything You Need to Know

  • Threat Intelligence Platform + SOAR

    Threat intelligence is a key pillar of SOAR. Some SOAR tools have proprietary TIPs built in, and others can integrate with virtually any intelligence source. When a SOAR tool gets an alert, it adds more details to enrich it. It does this by checking things like files, IP addresses, and URLs against threat intelligence sources to figure out the risk.

    Read: Take Action on Threat Intelligence with Smart SOAR

  • Endpoint Protection + SOAR

    SOAR integrates with EDRs and other endpoint protection tools to investigate and enrich potential endpoint security incidents. It can orchestrate a range of actions via the endpoint tool. Actions range from malware detection to file removal, blocking file hashes, stopping malicious processes from running, quarantining endpoints, and others.

    Read: Improve Endpoint Security Operations with SOAR


    Organizations can use SOAR and ITSM to collaborate across teams and add automation and orchestration to ITSM tickets. ITSM can escalate tickets to SOAR, where they are enriched with threat intelligence and investigated using incident response playbooks. Conversely, if an IT task requires an automation workflow, SOAR can generate an ITSM ticket from the playbook.

    Read: Automated Incident Response with ServiceNow and Smart SOAR

  • Firewall + SOAR

    SOCs need to act quickly to block a threat when detected. SOAR tools integrate with firewalls to orchestrate changes to firewall rules, block malicious IOCs, update blacklists, and more.

    Read: Automate Network Security with the Best Independent SOAR for Palo Alto NGFW

  • IT Services + SOAR

    The integration of IT services within your security workflows is critical for rapid response and collaboration. SOAR integrates with email senders, notification engines, collaboration spaces and other cloud communication platforms. Beyond communication and alerting, popular IT service integrations also include meeting management and video conferencing such as Zoom.

    Read: Why Smart SOAR is the Best SOAR for Slack

  • Email Protection + SOAR

    Many major incidents start with a simple phishing email. SOAR integrates with email tools to ingest reports of suspicious emails. It pulls those messages from the server and parses out IOCs for investigation. If the SOAR tool spots a harmful email, it blocks the sender and deletes that email from all company mailboxes.

    Read: How to Protect Against Business Email Compromise Phishing with Smart SOAR

  • Identity Management + SOAR

    Identity is an important element of security incidents. SOAR tools work with identity management systems, adding employee details and login history to incidents. This helps analysts understand the impact of compromised credentials. SOAR also manages responses, such as turning off user access and requiring password changes.

    Read: Why Smart SOAR is the Best SOAR for Active Directory

  • Vulnerability Management + SOAR

    SOAR turns the information from vulnerability scans into automated response workflows. SOAR tools ingest and parse vulnerability scan reports. Next, they orchestrate tasks to remediate vulnerabilities. Finally, they search across past reports during threat hunting.

    Read: Automated Incident Response with Rapid7 and Smart SOAR

How Is MITRE ATT&CK Used for SOAR?

TTP Mapping

Some SOAR tools ingest TTP information from detection tools and map incoming alerts on the ATT&CK Matrix. SOAR enriches alerts and puts them into context, making attacker behaviors a key facet of the investigation.

Kill Chain Investigations

SOAR tools improve investigation by matching alerts with the ATT&CK Matrix. This helps investigators map out the attack’s kill chain, which may involve several alerts. Understanding the kill chain allows investigators to see how advanced an attack is and predict the attacker’s next move.

Visibility into Trends

Tagging alerts with ATT&CK TTPs enables trend reporting on the occurrence of each adversary technique in the environment. This enables security teams to identify their high-risk areas and determine which root causes they need to address.
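
The three uses above (TTP mapping, kill chain ordering, trend counts) in one added Python example, which is not code from any SOAR product. The alert fields and sample alerts are constructed, and the technique table is a small subset of ATT&CK chosen for the sample.

```python
from collections import Counter, defaultdict

# Enterprise ATT&CK tactics in matrix order.
TACTICS = ["Reconnaissance", "Resource Development", "Initial Access", "Execution",
           "Persistence", "Privilege Escalation", "Defense Evasion",
           "Credential Access", "Discovery", "Lateral Movement", "Collection",
           "Command and Control", "Exfiltration", "Impact"]

# Subset of technique -> tactic, enough for the sample alerts below.
TECHNIQUE_TACTIC = {
    "T1566": "Initial Access",       # Phishing
    "T1059": "Execution",            # Command and Scripting Interpreter
    "T1003": "Credential Access",    # OS Credential Dumping
    "T1021": "Lateral Movement",     # Remote Services
    "T1486": "Impact",               # Data Encrypted for Impact
}

# Constructed alerts as a detection tool might forward them (hypothetical fields).
ALERTS = [
    {"id": "A-3", "host": "ws-17", "technique": "T1003"},
    {"id": "A-1", "host": "ws-17", "technique": "T1566"},
    {"id": "A-2", "host": "ws-17", "technique": "T1059"},
    {"id": "A-4", "host": "db-02", "technique": "T1566"},
    {"id": "A-5", "host": "ws-17", "technique": "T9999"},  # made-up ID: unmapped case
]

def kill_chains(alerts):
    """Group alerts per host and order them by ATT&CK tactic."""
    chains, unmapped = defaultdict(list), []
    for a in alerts:
        tactic = TECHNIQUE_TACTIC.get(a["technique"])
        if tactic is None:
            unmapped.append(a["id"])     # surface for manual mapping, do not drop
            continue
        chains[a["host"]].append(
            (TACTICS.index(tactic), tactic, a["technique"], a["id"]))
    ordered = {h: [step[1:] for step in sorted(steps)] for h, steps in chains.items()}
    return ordered, unmapped

def furthest_tactic(chain):
    """Latest tactic seen on a host: a rough gauge of how far the activity progressed."""
    return chain[-1][0] if chain else None

def technique_trend(alerts):
    """Count occurrences of each mapped technique for trend reporting."""
    return Counter(a["technique"] for a in alerts
                   if a["technique"] in TECHNIQUE_TACTIC)

if __name__ == "__main__":
    chains, unmapped = kill_chains(ALERTS)
    for host, chain in chains.items():
        print(host, chain, "furthest:", furthest_tactic(chain))
    print("unmapped:", unmapped, "trend:", technique_trend(ALERTS).most_common())
```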

MITRE ATT&CK for Dummies

Discover how to put the MITRE ATT&CK Matrix to work in your security operation. Review use cases and tips designed to help you shift from ad hoc response to proactive countering of known, dangerous threats.

Evaluating SOAR Platforms

What differentiates some SOAR platforms from others?

Selecting the best SOAR platform for your needs is a major decision. The term SOAR can apply to a wide range of security orchestration solutions. Some are simple automation engines, best suited to quickly responding to everyday incidents. Some emphasize case management, making them ideal for complex investigations. Others integrate best with a particular suite of products, which might not be the same tools you use in your SOC.

The criteria by which potential buyers evaluate SOAR platforms include:



SOAR platforms vary in the amount and quality of their integrations. Buyers should look for a broad set of out-of-the-box integrations, including high-quality integrations with the tools they use.


Coding Burden

Leading SOAR platforms are moving towards a low-code/codeless model for playbooks and integrations. Some, however, still require substantial Python coding from users. Buyers should assess their internal coding expertise and available resources and pick a platform that matches their needs.


Incident Response

Even as SOAR evolves, the heart of the platform is still incident response (IR). Some platforms deliver quick, simple responses, often through a single orchestrated action. Others support more complexity and depth. Buyers can compare IR capabilities to their needs and the skills of their users.


Threat Hunting

Beyond incident response, SOAR platforms also support threat hunting with automation and orchestration. Buyers evaluating platforms’ threat hunting abilities should consider how platforms turn threat intelligence into automated threat hunting, search for indicators of compromise (IOCs) linked to new incidents, and monitor critical IOCs and tactics, techniques, and procedures (TTPs).


Alert Volume Reduction

Automating your response to confirmed incidents is valuable, but there are also massive productivity improvements to be gained by automating at the alert level to assess risk and filter out false positives. The worst-kept secret in cybersecurity is that most alerts simply don’t get investigated. When evaluating SOAR platforms, it is wise to look for one that will help you reduce the number of alerts that your team has to deal with each day.


MSSP-Focused Features

SOAR is a must-have for managed security service providers (MSSPs) that want to grow their business without growing their costs. Unfortunately, not every SOAR platform is designed with the unique needs of MSSPs in mind. SOAR buyers at MSSPs should look for a platform that can integrate seamlessly with all the tools used by their clients, as well as support multitenancy to keep client data and workflows securely segregated.


Metrics and Reporting

SOAR platforms provide a wealth of data that can help organizations optimize their security operations. Metrics and reporting capabilities are a key factor when selecting a SOAR tool.


Availability and Error-Handling

Your SOAR platform should become the nerve center of your SOC, so it is important that your SOAR is as reliable as possible. If an error does happen, you need to know about it right away. Otherwise, you might not realize that alerts are not being ingested properly, for example. This is a huge problem for enterprise security teams, and even more so for MSSPs, who are responsible for the security of many clients.

How Do MSSPs Use SOAR?

SOAR is a highly valuable tool for MSSPs who want to improve their services and increase profits.

Increased Client Capacity

SOAR streamlines MSSP operations just like it does for in-house SOC teams. It makes operations quicker, reduces time spent on unimportant tasks, and improves the ability to assess incoming threats. The result for many MSSPs is a significant increase in the number of clients they can support without adding to their headcount.

Scalable Security Operations

In a multitenant SOAR environment, client sites can be segregated, while still allowing MSSPs to deploy proven playbooks broadly across their client base or customize them as needed. SOAR also enables better reporting, which gives visibility to clients without tying up resources.

MDR Service Enablement

SOAR gives MSSPs the tools to do more than just handle alerts, with a full set of incident response tools. This has enabled many MSSPs to offer full-lifecycle, Tier 1-3 services. They can handle end-to-end response, instead of simply alerting the client’s team of threats. This means that MSSPs can compete with the MDR providers that have been rapidly gaining market share in the managed services space.

SOAR Case Studies

SOAR for Enterprise and MSSP


Managed Services

How a Global MDR Leader Achieved Hyperscalability

This US-based Managed Detection and Response (MDR) provider had ambitious goals and complex technical requirements that were not being met by their existing SOAR tool. Performance and data ingestion issues at scale, lack of multitenancy, and failing support contributed to their frustration. They also wanted to offer managed XDR services, to be facilitated by the SOAR platform. After a thorough evaluation, they migrated from a leading SOAR platform to D3’s Smart SOAR.
