Professional Documents
Culture Documents
Gartner Reprint
Gartner Reprint
Overview
Key Findings
Large security teams looking to automate well-established processes remain the main
buyers of pure-play SOAR solutions — using it for productivity, efficiency and
consistency improvements. Many use cases supporting security operations beyond
threat monitoring and detection, vulnerability management, threat intelligence, and
incident response and threat hunting remain nascent.
Cloud services are the default for many organizations now, but SOAR remains at the
basic end of the spectrum in terms of usage for security operations use cases for
cloud services.
Security orchestration and automation (SOA) tools have not been adding meaningful
threat intelligence platform (TIP) features, and it is often the case that more advanced
clients need both an SOA and a TIP to achieve Gartner’s full definition of SOAR.
Recommendations
Security and risk management leaders responsible for security operations must:
Examine in detail the requirements for the use of a SOAR tool. Focus not just on initial
deployment, but also how to continually develop new use cases that improve the
efficiency of your security operations program with SOAR.
Put a contingency plan in place in the event a SOAR vendor is acquired by another
vendor, in case their roadmap substantially changes. Contingency plans could be
minor (like ensuring roadmap support for tools you have in place) or could include
considering a replacement
Demand that vendors in your security ecosystem deliver comprehensive APIs in their
products when you renew or procure solutions. Having poor APIs in your ecosystem
directly impinges your security operations effectiveness and SOAR’s ability to deliver
value.
Assess potential use cases as today’s overall coverage maturity remains more basic
for coverage of business-critical cloud services, particularly SaaS applications. Some
clients are now using automation and orchestration capabilities in non-security-
centric use cases, as there is some crossover with enterprise automation use cases
typically delivered by low-code application platforms (see Magic Quadrant for
Enterprise Low-Code Application Platforms).
Evaluate any managed detection and response (MDR) provider’s use of SOAR as it is
an indicator of their ability to provide better threat detection and response capabilities
for your organization.
https://www.gartner.com/doc/reprints?id=1-2ADE1K2G&ct=220621&st=sb 2/18
2/5/23, 10:13 PM Gartner Reprint
Market Definition
This document was republished on 9 August 2022. The document you are viewing is the
corrected version. For more information, see the Corrections page on gartner.com.
Gartner defines SOAR as solutions that combine incident response, orchestration and
automation, and threat intelligence platform management capabilities in a single
solution.
SOAR tools can be used for many security operations tasks, including:
Workflows can be orchestrated via integrations with other technologies, and automated
to achieve desired outcomes — example use cases include:
Incident triage.
Incident response.
Newer use cases that are starting to arise. Gartner is seeing some clients use SOAR
solutions for more IT-based workflows, as well as in other areas like “low code”
solutions (see Magic Quadrant for Enterprise Low-Code Application Platforms).
Market Description
SOAR solutions are the amalgamation of three historically distinct technologies that
have some common attributes and some common users consuming them. These
technologies were historically distinct and offer utility to security operations teams in the
form of a product that can relieve significant amounts of manual labor for a number of
security operations functions. Products that have been developing as this market
continues to mature into SOAR are:
https://www.gartner.com/doc/reprints?id=1-2ADE1K2G&ct=220621&st=sb 3/18
2/5/23, 10:13 PM Gartner Reprint
Support a wide range of security products across multiple existing point solution
markets (for example, endpoint, firewalls, intrusion detection and prevention systems
[IDPSs], SIEM, secure email gateways, SSE and vulnerability assessment
technologies).
Support the ability to do event correlation and aggregation for the purpose of
improving security operations processes and alerting with better event enrichment. A
key way to do this is through the implementation of low-code “playbooks,” which allow
for the codification of processes where automation can be applied to improve
consistency and time savings.
https://www.gartner.com/doc/reprints?id=1-2ADE1K2G&ct=220621&st=sb 4/18
2/5/23, 10:13 PM Gartner Reprint
Have the ability to be deployed either on-premises or as a cloud solution (like SaaS).
Support the ingestion of a wide variety of sources and formats of threat intelligence
from third-party sources, supporting open-source, industry and government
(information sharing and analysis centers [ISACs] and computer emergency response
teams [CERTs]) and commercial providers.
Bidirectional integrations with IT operations solutions like ticketing systems for case
management and collaboration tools, like messaging applications for better real-time
communications.
Gartner clients continue to see problems with their environments where they have alert
fatigue exacerbated further by complexity and duplication of tools. In principle,
automation continues to show promise to assist with many of these persistent issues.
SOAR solutions are primarily adopted to create consistency in security processes and
improve threat detection and response by providing context enrichment and improving
downstream prioritization. In most cases, this is a key deliverable of end-user
organizations and service providers that operate security operations centers (see SOC
Model Guide).
SOAR tools also offer levels of flexibility, allowing them to be applied to a variety of
security operations use cases. SOAR tools are mostly used for improving threat
detection and incident response and the automation of workflows (or for a combination
of the two). TIP functionality in SOAR tools coming from an automation heritage remains
more basic in nature.
Market Direction
The SOAR market remains niche overall in the broader security marketplace and is
primarily consumed by organizations that have larger and more-mature security
operations programs, as well as by security services providers. Organizations that are
less mature, or that tend to outsource their security operations, have shown little interest
https://www.gartner.com/doc/reprints?id=1-2ADE1K2G&ct=220621&st=sb 5/18
2/5/23, 10:13 PM Gartner Reprint
in SOAR tools. However, MDR continues its rapid growth trajectory, and SOAR is a key
element of a majority of MDR services today.
SIEM vendors have been both acquiring and building out SOAR capabilities in their
solutions for some years now. This functionality is usually delivered as a premium add-
on (see Critical Capabilities for Security Information and Event Management).
SIEM (see Magic Quadrant for Security Information and Event Management)
If organizations are not ready, SOAR can be too complex to operate and configure for
smaller security teams looking to take advantage of its benefits. This is leading security
vendors to embed orchestration and automation (SOAR-lite) features and, in some
cases, incident management capabilities in their products. These products are
preprogrammed and optimized to complement a specific technology — for example,
email security orchestration use cases.
https://www.gartner.com/doc/reprints?id=1-2ADE1K2G&ct=220621&st=sb 6/18
2/5/23, 10:13 PM Gartner Reprint
Demand for SIEM technology remains prevalent for larger organizations (see Magic
Quadrant for Security Information and Event Management), with threat management
now the main driver — while compliance use cases are still expected features. Almost all
SIEM vendors are organically enhancing their investigation capabilities and introducing
integrations for response actions via natively built (or acquired) capabilities or third-party
integrations with SOAR solutions.
XDR (see Innovation Insight for Extended Detection and Response) is an emerging
market, and vendors are focused on providing a better user experience around their
multiple threat-focused security technologies. This is especially true of the unification of
alerts from across tools such as endpoint protection platforms (EPPs), endpoint
detection and response (EDR), network detection and response (NDR) and firewalls into
a common data store, and a single user interface (UI). Credible XDRs (see Market Guide
for Extended Detection and Response) must offer some similar functions to SOAR tools,
including localized incident and case management, and orchestration and automation
activities. However, these capabilities will be primarily delivered across the vendor’s own
tool ecosystem, rather than through the expansive set of vendor-neutral integrations that
SOAR offers. These SOAR capabilities are more often preprogrammed by the vendor —
primarily focused inward at their own products — and may lack the ability to support the
level of customization available in dedicated SOAR solutions.
Although XDR and SIEM have some features replicated in a dedicated SOAR solution,
buyers who prefer the best-of-breed approach will find that SOAR offers capabilities that
can provide flexibility, genuine vendor-neutrality and potential room for nonsecurity use
cases.
Market Analysis
While certainly valuable, the total number of use cases implemented by SOAR buyers is
still relatively small, with a focus on the use of the tool for time-consuming, manual
processes performed by people who can benefit from automation.
The most common use case mentioned by Gartner clients who are planning to
implement, or who have already implemented a SOAR solution, is automating the triage
of suspected phishing emails reported by end users. This is a good example of a
process that follows a repeatable process, dozens to hundreds of times per day, with the
goal of determining whether the email (or its content) is malicious and whether it
requires a response. It is a process ripe for the application of automation. These kinds of
repetitive actions that have levels of mitigation and enrichment remain very popular use
cases for SOAR.
https://www.gartner.com/doc/reprints?id=1-2ADE1K2G&ct=220621&st=sb 7/18
2/5/23, 10:13 PM Gartner Reprint
Determining operational security maturity means that security leaders can evaluate their
readiness to adopt new products, including SOAR solutions. This readiness should be
evaluated through at least five areas (see SOAR: Assessing Readiness Through Use-
Case Analysis):
Operational metrics
Defined processes
Trained analysts
Documented workflows
https://www.gartner.com/doc/reprints?id=1-2ADE1K2G&ct=220621&st=sb 8/18
2/5/23, 10:13 PM Gartner Reprint
handling, implying an integration with existing ticket systems solutions and other SOAR
tools.
Buyers’ use cases can define the most productive way forward when choosing the best
type of product to meet your organization’s specific needs. Below are the most common
use cases mentioned by Gartner customers:
SOC optimization
However, organizations looking to evaluate SOAR on technical merits should start with
capabilities at a high level — those aspects include:
Alert triage and prioritization: This is the ability to take alert inputs from different
sources and apply a process of data enrichment and correlation. This reduces,
rationalizes and prioritizes the number of incidents that will have a more-significant
impact and high probability of causing damage to your organization. The goal is to
leave no alerts behind and concurrently produce accurate incidents that deserve
genuine attention from analysts.
Orchestration and automation: Security teams are often dealing with a number of
point-solution tools with a singular focus. The ability to better orchestrate and
automate horizontal “processes” across a number of solutions continues to prove to
be a key feature of SOAR. The complexity of combining resources involves the
coordination of workflows with manual and automated steps (which, in turn, involve
many components affecting information systems and, often, humans).
https://www.gartner.com/doc/reprints?id=1-2ADE1K2G&ct=220621&st=sb 9/18
2/5/23, 10:13 PM Gartner Reprint
Dashboard and reporting: Dashboard and reporting provides the ability to aggregate
security telemetry that allows an understanding of the SOC’s situation, the evolution of
incident response processes, and performance results. SOC data should be presented
to different audiences, such as the SOC manager, SOC analyst and chief information
security officer (CISO).
Architecture: This includes items like form factor (cloud or on-premises), redundancy
of the solution to support high availability, and performance — to include how
prioritization can be applied to playbook execution. It also includes role-based access
control (RBAC) for functions that support a wider range of users who use the tool
during incidents (like usage of a war room). Architecture also covers licensing models
that encourage better adoption and usage rather than punishing for expanding usage,
and integration with your existing vendor ecosystem.
https://www.gartner.com/doc/reprints?id=1-2ADE1K2G&ct=220621&st=sb 10/18
2/5/23, 10:13 PM Gartner Reprint
activities — such as EPP and, particularly, EDR and security service edgie (SSE).
Traditional controls, such as firewalls and IDPSs will be less relevant during this time due
to the sharp increases in remote working and usage of cloud services driving different
traffic patterns.
Acquisitions are still happening, and will shape the state of the SOAR market in the
coming years (see Table 1).
Date Event
Vendors have been steadily acquiring SOAR solutions to fill gaps in existing products like
SIEM and XDR or to enter the SOAR market, as well as building out their own native
capabilities. These acquisition scenarios however require end users to create a
contingency plan for vendor acquisition of their current SOAR solution. Generally
speaking, SOAR products must be vendor-agnostic to maintain their best value
proposition. This is due to the need for integration, and this will be the reality for some
time. Independent solutions will continue to do a better job with their singular focus on
https://www.gartner.com/doc/reprints?id=1-2ADE1K2G&ct=220621&st=sb 11/18
2/5/23, 10:13 PM Gartner Reprint
Alerting and providing notifications to a customer when a potential threat has been
detected is no longer sufficient given the speed at which attacks can progress in an
environment. Customers have expectations that their security services providers will
have the ability to actively contain or disrupt a threat to their environment. SOAR plays an
essential role in helping providers to deliver services that include active response. This
makes multitenancy a mandatory capability for SOAR in these services.
Security services providers can work through different tenants to offer a personalized
workflow for your specific environment. However, they also benefit from having a wider
view of threats across their client base and can take learnings from one client and apply
remedies to their entire client base. This view can then feed back into service
improvement, often via their SOAR technology.
Another evaluation criterion to consider is the need for bidirectional integration with your
own technologies to collect data for analysis and to power more-effective incident
investigations and response activities.
Representative Vendors
The vendors listed in this Market Guide do not imply an exhaustive list. This section is
intended to provide more understanding of the market and its offerings.
Market Introduction
https://www.gartner.com/doc/reprints?id=1-2ADE1K2G&ct=220621&st=sb 12/18
2/5/23, 10:13 PM Gartner Reprint
Table 2 provides a list of vendors. It is not — nor is it intended to be — a list of all vendors
or offerings on the market, or a competitive analysis of the vendors’ features and
functions. This is also not a definitive list of each provider’s services. For more
information, see Note 1.
Anomali ThreatStream
D3 Security D3 SOAR
Honeycomb SOCAutomation
LogicHub SOAR+
https://www.gartner.com/doc/reprints?id=1-2ADE1K2G&ct=220621&st=sb 13/18
2/5/23, 10:13 PM Gartner Reprint
NSFOCUS ISOP
Rapid7 InsightConnect
Revelstoke Revelstoke
https://www.gartner.com/doc/reprints?id=1-2ADE1K2G&ct=220621&st=sb 14/18
2/5/23, 10:13 PM Gartner Reprint
Tines Tines
Note: There are providers in this list that — while they offer a SOAR solution — in practice
prefer to offer, and have more clients consuming, their SOAR solution as part of a larger
offering. SIEM and XDR solutions are relevant examples of this situation today.
Market Recommendations
Security and risk management leaders should consider using SOAR tools in their
security operations to improve security operations efficiency and efficacy. SOAR
solutions are made up of the following major capabilities:
When selecting a solution, security and risk management leaders should favor SOAR
solutions that:
Are compatible with the collection of existing products installed in the organization
environment. Also, plan to update the skill sets of your security team and, where
required, the internal development team, to help on the customization of the solution
to your specific security operations program. Operational security metrics related to
https://www.gartner.com/doc/reprints?id=1-2ADE1K2G&ct=220621&st=sb 15/18
2/5/23, 10:13 PM Gartner Reprint
Buying a SOAR solution should primarily be driven by your existing processes (for
example, security operations optimization, threat monitoring and response, threat
investigation and hunting, and operationalizing threat intelligence).
Offer the capability to easily code an organization’s existing processes into functional
playbooks via an intuitive UI (using a low- or no-code model), so that the tool can then
automate these playbooks. The ability to create playbooks and then execute them
regularly is a key capability for a SOAR solution and should be a key design principle
for you in your implementation of SOAR.
Optimize the collaboration of analysts, for example, with a chat or instant messaging
framework that makes analyst communication more efficient, or with the ability to
work together on complex cases across multiple security and nonsecurity teams.
Have a pricing model that is aligned with the needs of the organization, is predictable
and encourages the creation and usage of the tool. Avoid pricing structures based on
the volume of data managed by the tool or based on the number of playbook
executions. These metrics carry an automatic penalty for more frequent use of the
solution.
Offer flexibility in the deployment and hosting of the solution — either in the cloud, on-
premises or as a hybrid of these. Deployment should accommodate the organization’s
security policies and privacy considerations, or its cloud-first initiatives.
Evidence
The overall list of representative providers has been validated by responses to client
inquiries and in collaboration with the cohort of Gartner analysts that cover the security
operations markets that include SOAR.
https://www.gartner.com/doc/reprints?id=1-2ADE1K2G&ct=220621&st=sb 16/18
2/5/23, 10:13 PM Gartner Reprint
The sample vendors listed in this publication are listed in alphabetical order and are
representative only. The sample vendor list is not intended to be an exhaustive list. The
vendors and solutions provided are those that most closely illustrate the marketplace
trends described and provide the individual capabilities described in each section that
Gartner sees in day-to-day coverage of the SOAR market.
Additionally, there are providers in the list that — while they offer a SOAR solution — in
practice prefer to offer, and have more clients consuming, their SOAR solution as part of
a larger offering. SIEM and XDR solutions are relevant examples of this situation today.
© 2023 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of
Gartner, Inc. and its affiliates. This publication may not be reproduced or distributed in any form
without Gartner's prior written permission. It consists of the opinions of Gartner's research
organization, which should not be construed as statements of fact. While the information contained
in this publication has been obtained from sources believed to be reliable, Gartner disclaims all
warranties as to the accuracy, completeness or adequacy of such information. Although Gartner
research may address legal and financial issues, Gartner does not provide legal or investment advice
and its research should not be construed or used as such. Your access and use of this publication
are governed by Gartner’s Usage Policy. Gartner prides itself on its reputation for independence and
objectivity. Its research is produced independently by its research organization without input or
influence from any third party. For further information, see "Guiding Principles on Independence and
Objectivity."
https://www.gartner.com/doc/reprints?id=1-2ADE1K2G&ct=220621&st=sb 17/18
2/5/23, 10:13 PM Gartner Reprint
https://www.gartner.com/doc/reprints?id=1-2ADE1K2G&ct=220621&st=sb 18/18