2/5/23, 10:13 PM Gartner Reprint

Licensed for Distribution

Market Guide for Security Orchestration,

Automation and Response Solutions
Published 13 June 2022 - ID G00735883 - 22 min read

By Craig Lawson, Al Price

As a pure-play technology, SOAR continues to mature, but remains a relatively niche

market. It is being consumed into other markets such as SIEM, XDR and MDR.
Security and risk management leaders should evaluate how SOAR can support and
optimize their broader security operations capabilities.

Overview
Key Findings
Large security teams looking to automate well-established processes remain the main
buyers of pure-play SOAR solutions — using it for productivity, efficiency and
consistency improvements. Many use cases supporting security operations beyond
threat monitoring and detection, vulnerability management, threat intelligence, and
incident response and threat hunting remain nascent.

Orchestration and automation, incident and case management, and operationalizing

threat intelligence are expected functionality for SOAR tools. However, these
capabilities are also being embedded in existing security technologies, such as
security information and event management, extended detection and response (XDR),
and email security.

SOAR is also becoming a popular enabling technology in managed security services

and is already ubiquitous in managed detection and response (MDR) services. Its
utility is with helping providers improve speed and consistency when detecting and
responding to threats improves SLAs. Over the last three years, other larger markets
are demonstrating strong convergence trends (for example, SSE and XDR). This will
prove to be advantageous to organizations that have a dedicated SOAR in place or
that are evaluating them for the first time and want to develop sophisticated
workflows.
https://www.gartner.com/doc/reprints?id=1-2ADE1K2G&ct=220621&st=sb 1/18
2/5/23, 10:13 PM Gartner Reprint

Cloud services are the default for many organizations now, but SOAR remains at the
basic end of the spectrum in terms of usage for security operations use cases for
cloud services.

Security orchestration and automation (SOA) tools have not been adding meaningful
threat intelligence platform (TIP) features, and it is often the case that more advanced
clients need both an SOA and a TIP to achieve Gartner’s full definition of SOAR.

Recommendations
Security and risk management leaders responsible for security operations must:

Assess your organization’s maturity as it will be problematic to start a SOAR project if

the processes you want to improve are not mature.

Examine in detail the requirements for the use of a SOAR tool. Focus not just on initial
deployment, but also how to continually develop new use cases that improve the
efficiency of your security operations program with SOAR.

Allocate adequate resources for initial implementation, as well as the ongoing

operation of an SOAR tool. The initial effort of deployment is a given, but it may be the
ongoing management that defines the success of SOAR in your environment.

Put a contingency plan in place in the event a SOAR vendor is acquired by another
vendor, in case their roadmap substantially changes. Contingency plans could be
minor (like ensuring roadmap support for tools you have in place) or could include
considering a replacement

Demand that vendors in your security ecosystem deliver comprehensive APIs in their
products when you renew or procure solutions. Having poor APIs in your ecosystem
directly impinges your security operations effectiveness and SOAR’s ability to deliver
value.

Assess potential use cases as today’s overall coverage maturity remains more basic
for coverage of business-critical cloud services, particularly SaaS applications. Some
clients are now using automation and orchestration capabilities in non-security-
centric use cases, as there is some crossover with enterprise automation use cases
typically delivered by low-code application platforms (see Magic Quadrant for
Enterprise Low-Code Application Platforms).

Evaluate any managed detection and response (MDR) provider’s use of SOAR as it is
an indicator of their ability to provide better threat detection and response capabilities
for your organization.
https://www.gartner.com/doc/reprints?id=1-2ADE1K2G&ct=220621&st=sb 2/18
2/5/23, 10:13 PM Gartner Reprint

Market Definition
This document was republished on 9 August 2022. The document you are viewing is the
corrected version. For more information, see the Corrections page on gartner.com.

Gartner defines SOAR as solutions that combine incident response, orchestration and
automation, and threat intelligence platform management capabilities in a single
solution.

SOAR tools can be used for many security operations tasks, including:

To document and implement processes.

To support security incident management.

To apply machine-based assistance to human security analysts and operators.

To better operationalize the use of threat intelligence.

Workflows can be orchestrated via integrations with other technologies, and automated
to achieve desired outcomes — example use cases include:

Incident triage.

Incident response.

Threat intelligence (TI) acquisition curation and management.

Newer use cases that are starting to arise. Gartner is seeing some clients use SOAR
solutions for more IT-based workflows, as well as in other areas like “low code”
solutions (see Magic Quadrant for Enterprise Low-Code Application Platforms).

Market Description
SOAR solutions are the amalgamation of three historically distinct technologies that
have some common attributes and some common users consuming them. These
technologies were historically distinct and offer utility to security operations teams in the
form of a product that can relieve significant amounts of manual labor for a number of
security operations functions. Products that have been developing as this market
continues to mature into SOAR are:

Security incident response platforms (SIRPs)

https://www.gartner.com/doc/reprints?id=1-2ADE1K2G&ct=220621&st=sb 3/18
2/5/23, 10:13 PM Gartner Reprint

Security orchestration and automation (SOA)

Threat intelligence platforms (TIPs)

These technologies are depicted in Figure 1.

Figure 1: The Convergence of Three Technologies (SOA, SIRP

and TIP)

Below are some strongly recommended requirements to consider when selecting a

SOAR solution. SOAR solutions should:

Support a wide range of security products across multiple existing point solution
markets (for example, endpoint, firewalls, intrusion detection and prevention systems
[IDPSs], SIEM, secure email gateways, SSE and vulnerability assessment
technologies).

Support the ability to do event correlation and aggregation for the purpose of
improving security operations processes and alerting with better event enrichment. A
key way to do this is through the implementation of low-code “playbooks,” which allow
for the codification of processes where automation can be applied to improve
consistency and time savings.

https://www.gartner.com/doc/reprints?id=1-2ADE1K2G&ct=220621&st=sb 4/18
2/5/23, 10:13 PM Gartner Reprint

Have the ability to be deployed either on-premises or as a cloud solution (like SaaS).

Support the ingestion of a wide variety of sources and formats of threat intelligence
from third-party sources, supporting open-source, industry and government
(information sharing and analysis centers [ISACs] and computer emergency response
teams [CERTs]) and commercial providers.

Bidirectional integrations with IT operations solutions like ticketing systems for case
management and collaboration tools, like messaging applications for better real-time
communications.

The security technology market is in a state of general overload —

with pressure on budgets and staff, and too many point solutions
being pervasive issues for organizations.

Gartner clients continue to see problems with their environments where they have alert
fatigue exacerbated further by complexity and duplication of tools. In principle,
automation continues to show promise to assist with many of these persistent issues.

SOAR solutions are primarily adopted to create consistency in security processes and
improve threat detection and response by providing context enrichment and improving
downstream prioritization. In most cases, this is a key deliverable of end-user
organizations and service providers that operate security operations centers (see SOC
Model Guide).

SOAR tools also offer levels of flexibility, allowing them to be applied to a variety of
security operations use cases. SOAR tools are mostly used for improving threat
detection and incident response and the automation of workflows (or for a combination
of the two). TIP functionality in SOAR tools coming from an automation heritage remains
more basic in nature.
Market Direction
The SOAR market remains niche overall in the broader security marketplace and is
primarily consumed by organizations that have larger and more-mature security
operations programs, as well as by security services providers. Organizations that are
less mature, or that tend to outsource their security operations, have shown little interest

https://www.gartner.com/doc/reprints?id=1-2ADE1K2G&ct=220621&st=sb 5/18
2/5/23, 10:13 PM Gartner Reprint

in SOAR tools. However, MDR continues its rapid growth trajectory, and SOAR is a key
element of a majority of MDR services today.

SIEM vendors have been both acquiring and building out SOAR capabilities in their
solutions for some years now. This functionality is usually delivered as a premium add-
on (see Critical Capabilities for Security Information and Event Management).

As awareness of the need to apply automation in security operations improves, SOA-

specific capabilities are emerging in other security technologies (see Top Trends in
Cybersecurity 2022). Technologies incorporating SOAR include:

SIEM (see Magic Quadrant for Security Information and Event Management)

XDR (see Market Guide for Extended Detection and Response)

Email security (see Market Guide for Email Security)

SOAR Has Become a Feature in Other Security Technologies and Services

SOAR continues to connect disparate solutions and create a control plane for security
operations environments. However, it also delivers secondary functionality — becoming
useful for execution of a variety of repeatable, simple security issues (like phishing) and
processes (like indicator-of-compromise-based blocking in prevention devices). These
features and capabilities are also seen as being helpful in other (often larger) security
technology markets as well.

As a result of this reality, SOAR technologies have offered low-code-like functionality

(see Magic Quadrant for Enterprise Low-Code Application Platforms) since their
inception. This makes programming and workflow improvements made by the
operations team more accessible. Meanwhile, SOAR continues to offer a lot of features
for “power users.” Power users can develop their own code and then use SOAR to help
build out more sophisticated functionality tailored to their organizations based on the
building blocks that already exist.

If organizations are not ready, SOAR can be too complex to operate and configure for
smaller security teams looking to take advantage of its benefits. This is leading security
vendors to embed orchestration and automation (SOAR-lite) features and, in some
cases, incident management capabilities in their products. These products are
preprogrammed and optimized to complement a specific technology — for example,
email security orchestration use cases.

https://www.gartner.com/doc/reprints?id=1-2ADE1K2G&ct=220621&st=sb 6/18
2/5/23, 10:13 PM Gartner Reprint

Demand for SIEM technology remains prevalent for larger organizations (see Magic
Quadrant for Security Information and Event Management), with threat management
now the main driver — while compliance use cases are still expected features. Almost all
SIEM vendors are organically enhancing their investigation capabilities and introducing
integrations for response actions via natively built (or acquired) capabilities or third-party
integrations with SOAR solutions.

XDR (see Innovation Insight for Extended Detection and Response) is an emerging
market, and vendors are focused on providing a better user experience around their
multiple threat-focused security technologies. This is especially true of the unification of
alerts from across tools such as endpoint protection platforms (EPPs), endpoint
detection and response (EDR), network detection and response (NDR) and firewalls into
a common data store, and a single user interface (UI). Credible XDRs (see Market Guide
for Extended Detection and Response) must offer some similar functions to SOAR tools,
including localized incident and case management, and orchestration and automation
activities. However, these capabilities will be primarily delivered across the vendor’s own
tool ecosystem, rather than through the expansive set of vendor-neutral integrations that
SOAR offers. These SOAR capabilities are more often preprogrammed by the vendor —
primarily focused inward at their own products — and may lack the ability to support the
level of customization available in dedicated SOAR solutions.

Although XDR and SIEM have some features replicated in a dedicated SOAR solution,
buyers who prefer the best-of-breed approach will find that SOAR offers capabilities that
can provide flexibility, genuine vendor-neutrality and potential room for nonsecurity use
cases.
Market Analysis
While certainly valuable, the total number of use cases implemented by SOAR buyers is
still relatively small, with a focus on the use of the tool for time-consuming, manual
processes performed by people who can benefit from automation.

The most common use case mentioned by Gartner clients who are planning to
implement, or who have already implemented a SOAR solution, is automating the triage
of suspected phishing emails reported by end users. This is a good example of a
process that follows a repeatable process, dozens to hundreds of times per day, with the
goal of determining whether the email (or its content) is malicious and whether it
requires a response. It is a process ripe for the application of automation. These kinds of
repetitive actions that have levels of mitigation and enrichment remain very popular use
cases for SOAR.

https://www.gartner.com/doc/reprints?id=1-2ADE1K2G&ct=220621&st=sb 7/18
2/5/23, 10:13 PM Gartner Reprint

A lack of mature processes and procedures in the security

operations team, combined with budget and staff constraints,
presents obstacles to the adoption of SOAR solutions by a wider
audience. This, combined with the varying degrees of maturity in
vendors’ APIs as integration options, remains a key reason for
SOAR not achieving higher rates of adoption.

Determining operational security maturity means that security leaders can evaluate their
readiness to adopt new products, including SOAR solutions. This readiness should be
evaluated through at least five areas (see SOAR: Assessing Readiness Through Use-
Case Analysis):

Operational metrics

Defined processes

Trained analysts

Documented workflows

Integration of supported technologies

Commercial SOAR vendors can be grouped into two categories — product-portfolio-

oriented, and broad-based SOAR vendors.

Vendors That Provide Product-Level SOAR Functions (Product-Oriented

SOAR Vendors)
Vendors today provide product-level SOAR functions that support activities revolving
primarily around that vendor’s specific portfolio of products. Of course, integrating with
products outside of their own ecosystems is also valuable, but having improved
workflow and orchestration improves these offerings in ways that aren’t directly related
to their threat detection engines. For example, a product that uses automation and
orchestration, that is dedicated to protecting the email infrastructure, will include SOAR
functions required to detect phishing emails or malicious attachments and provide
better operational outcomes for users. Orchestration and automation are needed to
better support product-level workflows needed for threat response. Usually, this type of
product does not have case-management capabilities or third-party threat intelligence

https://www.gartner.com/doc/reprints?id=1-2ADE1K2G&ct=220621&st=sb 8/18
2/5/23, 10:13 PM Gartner Reprint

handling, implying an integration with existing ticket systems solutions and other SOAR
tools.

Broad-Based SOAR Solutions

Providers that supply broad-based vendor-neutral SOAR can be pure-play vendors or part
of a vendor that delivers a broader security portfolio — these are often the result of a
previous acquisition of a pure-play SOAR. What sets these products apart is their ability
to receive inputs from a broad ecosystem of security products, and organize the security
operations team workflow. The vast majority of this type of product is also sold
separately, maintaining a maximum interoperability level with other vendors, even if they
are competing products.

Buyers’ use cases can define the most productive way forward when choosing the best
type of product to meet your organization’s specific needs. Below are the most common
use cases mentioned by Gartner customers:

SOC optimization

Process automation and analyst collaboration

Threat monitoring, investigation and response

Management and operationalisation of threat intelligence

However, organizations looking to evaluate SOAR on technical merits should start with
capabilities at a high level — those aspects include:

Alert triage and prioritization: This is the ability to take alert inputs from different
sources and apply a process of data enrichment and correlation. This reduces,
rationalizes and prioritizes the number of incidents that will have a more-significant
impact and high probability of causing damage to your organization. The goal is to
leave no alerts behind and concurrently produce accurate incidents that deserve
genuine attention from analysts.

Orchestration and automation: Security teams are often dealing with a number of
point-solution tools with a singular focus. The ability to better orchestrate and
automate horizontal “processes” across a number of solutions continues to prove to
be a key feature of SOAR. The complexity of combining resources involves the
coordination of workflows with manual and automated steps (which, in turn, involve
many components affecting information systems and, often, humans).

https://www.gartner.com/doc/reprints?id=1-2ADE1K2G&ct=220621&st=sb 9/18
2/5/23, 10:13 PM Gartner Reprint

Case management and collaboration: Manual or automated response provides

canned resolution to programmatically defined activities. The response includes
activities from a basic level (such as ticket creation in an IT service desk application)
to more-advanced actions (for example, responding via another security control, such
as blocking an domain name or IP address by changing a firewall rule). This
functionality is the most impactful operationally as it applies to the most complex of
use cases and can significantly improve analyst effectiveness.

Dashboard and reporting: Dashboard and reporting provides the ability to aggregate
security telemetry that allows an understanding of the SOC’s situation, the evolution of
incident response processes, and performance results. SOC data should be presented
to different audiences, such as the SOC manager, SOC analyst and chief information
security officer (CISO).

Operationalisation of threat intelligence and investigation: This takes the form of

evidence-based knowledge, including context, mechanisms, indicators, implications
and action-oriented advice about an existing or emerging menace or hazard to assets.
This intelligence can be used to inform decisions regarding the subject’s response to
that threat. An incident investigation will be conducted in the form of a workflow to
validate the alert into an incident and determine the best workflow to initiate a
response in a manual or automated fashion.

Architecture: This includes items like form factor (cloud or on-premises), redundancy
of the solution to support high availability, and performance — to include how
prioritization can be applied to playbook execution. It also includes role-based access
control (RBAC) for functions that support a wider range of users who use the tool
during incidents (like usage of a war room). Architecture also covers licensing models
that encourage better adoption and usage rather than punishing for expanding usage,
and integration with your existing vendor ecosystem.

SOAR Cloud-Based Solutions

For smaller clients, cloud delivery of SOAR is becoming more prevalent and Gartner sees
cloud delivery as a viable form factor for many scenarios. Feature parity with on-
premises solutions (for the vendors that support cloud) is largely the same, so there is
often no risk of the cloud-delivered version being less feature-rich. A majority of
providers that have cloud versions are also doing agile deployments, shipping more
updates, more often (in contrast to a slower cadence for more monolithic on-premises
versions). This is especially true for remote worker use cases, where orchestration will
move to working mainly with (often cloud-delivered) endpoint solutions for response

https://www.gartner.com/doc/reprints?id=1-2ADE1K2G&ct=220621&st=sb 10/18
2/5/23, 10:13 PM Gartner Reprint

activities — such as EPP and, particularly, EDR and security service edgie (SSE).
Traditional controls, such as firewalls and IDPSs will be less relevant during this time due
to the sharp increases in remote working and usage of cloud services driving different
traffic patterns.

Acquisitions are still happening, and will shape the state of the SOAR market in the
coming years (see Table 1).

Table 1: SOAR Acquisitions in the Last Two Years

Date Event

January 2020 FireEye acquires Cloudvisory

April 2020 Swimlane acquires Syncurity

July 2020 Micro Focus acquires ATAR Labs

March 2021 Sumo Logic acquires DFLabs

September 2021 Logpoint acquires SecBI

January 2022 Google Cloud acquires Siemplify

Source: Gartner (May 2022)

Vendors have been steadily acquiring SOAR solutions to fill gaps in existing products like
SIEM and XDR or to enter the SOAR market, as well as building out their own native
capabilities. These acquisition scenarios however require end users to create a
contingency plan for vendor acquisition of their current SOAR solution. Generally
speaking, SOAR products must be vendor-agnostic to maintain their best value
proposition. This is due to the need for integration, and this will be the reality for some
time. Independent solutions will continue to do a better job with their singular focus on
https://www.gartner.com/doc/reprints?id=1-2ADE1K2G&ct=220621&st=sb 11/18
2/5/23, 10:13 PM Gartner Reprint

roadmap execution and will be better at being “vendor-neutral” with available

integrations.

Security Services Providers Are Using SOAR to Improve Service Delivery

and Response Capabilities
Demand for threat-response capabilities from managed security services providers
(MSSP) is increasing and is already prevalent in MDR services. For MDRs in particular,
they are almost universally either using a SOAR tool or building their own SOAR-like
features to help deliver better client outcomes at scale. We recommend that you assess
how MDRs are consuming SOAR as part of your evaluation of services, even though you
might not be running SOAR natively as a stand-alone product.

Alerting and providing notifications to a customer when a potential threat has been
detected is no longer sufficient given the speed at which attacks can progress in an
environment. Customers have expectations that their security services providers will
have the ability to actively contain or disrupt a threat to their environment. SOAR plays an
essential role in helping providers to deliver services that include active response. This
makes multitenancy a mandatory capability for SOAR in these services.

Organizations considering MDR should include the usage of orchestration and

automation in their vendor evaluation process. For example, an MDR that can also
support the list of current security products in use and integrate with your products will
lead to better outcomes. If this is not possible, it could lead to restrictions on
integrations, limiting the benefits of using the provider’s MDR service to their set of tools
only.

Security services providers can work through different tenants to offer a personalized
workflow for your specific environment. However, they also benefit from having a wider
view of threats across their client base and can take learnings from one client and apply
remedies to their entire client base. This view can then feed back into service
improvement, often via their SOAR technology.

Another evaluation criterion to consider is the need for bidirectional integration with your
own technologies to collect data for analysis and to power more-effective incident
investigations and response activities.
Representative Vendors
The vendors listed in this Market Guide do not imply an exhaustive list. This section is
intended to provide more understanding of the market and its offerings.

Market Introduction
https://www.gartner.com/doc/reprints?id=1-2ADE1K2G&ct=220621&st=sb 12/18
2/5/23, 10:13 PM Gartner Reprint

Table 2 provides a list of vendors. It is not — nor is it intended to be — a list of all vendors
or offerings on the market, or a competitive analysis of the vendors’ features and
functions. This is also not a definitive list of each provider’s services. For more
information, see Note 1.

Table 2: Representative Vendors in Security Orchestration, Automation and Response

Vendor Product, Service or Solution Name

Anomali ThreatStream

Cyware Virtual Cyber Fusion Center

D3 Security D3 SOAR

EclecticIQ EclecticIQ Platform

Fortinet (formerly FortiSOAR

CyberSponse)

Google Cloud (Siemplify) SecOps Platform

Honeycomb SOCAutomation

IBM IBM Security QRadar SOAR

LogicHub SOAR+

Logsign Logsign SOAR

https://www.gartner.com/doc/reprints?id=1-2ADE1K2G&ct=220621&st=sb 13/18
2/5/23, 10:13 PM Gartner Reprint

Micro Focus (ATAR Labs) ArcSight SOAR

Microsoft Microsoft Sentinel

NSFOCUS ISOP

Palo Alto Networks Cortex XSOAR

QI-ANXIN Security Orchestration, Automation and Response

Platform (SOAR)

Rapid7 InsightConnect

Revelstoke Revelstoke

ServiceNow Security Operations

SIRP Security Orchestration, Automation & Response

Splunk Splunk SOAR

Sumo Logic (formerly Cloud SOAR

DFLabs)

Swimlane Swimlane (SOAR platform)

https://www.gartner.com/doc/reprints?id=1-2ADE1K2G&ct=220621&st=sb 14/18
2/5/23, 10:13 PM Gartner Reprint

ThreatConnect ThreatConnect (Security Orchestration, Automation,

and Response (SOAR) Platform)

ThreatQuotient ThreatQ TDR Orchestrator

Tines Tines

Torq No-code Security Automation

Note: There are providers in this list that — while they offer a SOAR solution — in practice
prefer to offer, and have more clients consuming, their SOAR solution as part of a larger
offering. SIEM and XDR solutions are relevant examples of this situation today.

Source: Gartner (May 2022)

Market Recommendations
Security and risk management leaders should consider using SOAR tools in their
security operations to improve security operations efficiency and efficacy. SOAR
solutions are made up of the following major capabilities:

Workflow and collaboration

Ticket and case management

Orchestration and automation of security processes

Threat intelligence operationalisation and management

When selecting a solution, security and risk management leaders should favor SOAR
solutions that:

Are compatible with the collection of existing products installed in the organization
environment. Also, plan to update the skill sets of your security team and, where
required, the internal development team, to help on the customization of the solution
to your specific security operations program. Operational security metrics related to

https://www.gartner.com/doc/reprints?id=1-2ADE1K2G&ct=220621&st=sb 15/18
2/5/23, 10:13 PM Gartner Reprint

“time to detect threats” and “time to response” styles of metrics should be

demonstrably better with, rather than without, a SOAR tool.
Deliver the use cases needed to complement the primary set of people, processes
and technologies that are critical to your security operations functions. For instance,
some clients prefer to use the company ticket system instead of a dedicated case
management solution. Others see technology like SOAR as key to improving the
efficacy of existing tools like SIEM and EDR. End users also see SOAR as a key tool for
improving the efficiency of security staff in the face of rising numbers of threats, while
getting and retaining staff remains an acute pain point for many organizations.

Buying a SOAR solution should primarily be driven by your existing processes (for
example, security operations optimization, threat monitoring and response, threat
investigation and hunting, and operationalizing threat intelligence).

Offer the capability to easily code an organization’s existing processes into functional
playbooks via an intuitive UI (using a low- or no-code model), so that the tool can then
automate these playbooks. The ability to create playbooks and then execute them
regularly is a key capability for a SOAR solution and should be a key design principle
for you in your implementation of SOAR.

Optimize the collaboration of analysts, for example, with a chat or instant messaging
framework that makes analyst communication more efficient, or with the ability to
work together on complex cases across multiple security and nonsecurity teams.

Have a pricing model that is aligned with the needs of the organization, is predictable
and encourages the creation and usage of the tool. Avoid pricing structures based on
the volume of data managed by the tool or based on the number of playbook
executions. These metrics carry an automatic penalty for more frequent use of the
solution.

Offer flexibility in the deployment and hosting of the solution — either in the cloud, on-
premises or as a hybrid of these. Deployment should accommodate the organization’s
security policies and privacy considerations, or its cloud-first initiatives.
Evidence
The overall list of representative providers has been validated by responses to client
inquiries and in collaboration with the cohort of Gartner analysts that cover the security
operations markets that include SOAR.

Note 1: Representative Vendor Selection

https://www.gartner.com/doc/reprints?id=1-2ADE1K2G&ct=220621&st=sb 16/18
2/5/23, 10:13 PM Gartner Reprint

The sample vendors listed in this publication are listed in alphabetical order and are
representative only. The sample vendor list is not intended to be an exhaustive list. The
vendors and solutions provided are those that most closely illustrate the marketplace
trends described and provide the individual capabilities described in each section that
Gartner sees in day-to-day coverage of the SOAR market.

Additionally, there are providers in the list that — while they offer a SOAR solution — in
practice prefer to offer, and have more clients consuming, their SOAR solution as part of
a larger offering. SIEM and XDR solutions are relevant examples of this situation today.

© 2023 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of
Gartner, Inc. and its affiliates. This publication may not be reproduced or distributed in any form
without Gartner's prior written permission. It consists of the opinions of Gartner's research
organization, which should not be construed as statements of fact. While the information contained
in this publication has been obtained from sources believed to be reliable, Gartner disclaims all
warranties as to the accuracy, completeness or adequacy of such information. Although Gartner
research may address legal and financial issues, Gartner does not provide legal or investment advice
and its research should not be construed or used as such. Your access and use of this publication
are governed by Gartner’s Usage Policy. Gartner prides itself on its reputation for independence and
objectivity. Its research is produced independently by its research organization without input or
influence from any third party. For further information, see "Guiding Principles on Independence and
Objectivity."

About Careers Newsroom Policies Site Index IT Glossary Gartner Blog

Network Contact Send Feedback

https://www.gartner.com/doc/reprints?id=1-2ADE1K2G&ct=220621&st=sb 17/18
2/5/23, 10:13 PM Gartner Reprint

© 2023 Gartner, Inc. and/or its Affiliates. All Rights Reserved.

https://www.gartner.com/doc/reprints?id=1-2ADE1K2G&ct=220621&st=sb 18/18