Security Experts:

Connect with us

Hi, what are you looking for?


Incident Response

The Evolution of SOAR Platforms

Automation and Orchestration Have Evolved to Become Indispensable Security Tools

Automation and Orchestration Have Evolved to Become Indispensable Security Tools

In 2017, Gartner coined the term security orchestration, automation, and response (SOAR) to describe the emerging category of platforms born of incident response, security automation, case management, and other security tools.

Two recent articles, The Evolution of Security Operations, Automation and Orchestration, and The Rise of Analyst-Centric Security Operations Technologies by Jon Oltsik, a principal analyst at Enterprise Strategy Group (ESG), highlight how SOAR platforms are maturing in significant ways. SOAR tools are increasingly effective for some of today’s most pressing security problems, which has led to growing demand across enterprise organizations. As Oltsik points out, the ultimate validation of the category can be seen in the series of acquisitions of SOAR vendors by tech giants in recent years.

This explosion in the prominence of SOAR is driven by a few key benefits that the current generation of solutions provides. These improvements are reducing barriers to implementation and making the platforms more accessible to more security teams, even in sectors that are slow to adopt new technology, such as retail, healthcare, and government.

Expansion of Native Features

At first, many SOAR platforms on the market were very limited in their functionality, with automation and orchestration features that were only appropriate for handling minor incidents. While these products offered some time-saving potential for security teams, their effectiveness was limited by their narrow scope and lack of depth.

Part of the current evolution of SOAR that we are seeing is in the maturity of the features being offered. Automation and orchestration capabilities have grown, through increasingly sophisticated automated playbooks and a surge of integrations across other security tools. This has scaled the ability of analysts to use SOAR to filter out massive amounts of noise and identify genuine threats.

SOAR platforms are also now offering deeper feature sets that make them suitable for handling larger investigations and more serious incidents. These include case management modules, with tools that facilitate communication, collaboration, and task management within the SOC and beyond. Today’s incidents are so complex that response teams cannot afford to manually coordinate across workflow and reporting silos, especially in organizations that have strict compliance obligations. The increased depth in features allows SOAR to be a tool for long-term systematic improvements, rather than merely short-term alert triage.

Less Experience Required

As SOAR platforms evolve, they are requiring less experience from users. Vendors embed security expertise into the products, in the form of pre-built playbooks, guided investigation workflows, and automated alert prioritization. 

Automation and orchestration features have also reached a level of sophistication where they can be integrated into an existing security framework without relying on users to know exactly what should be automated. SOAR platforms will still keep analysts involved by requiring approvals for major actions, but analysts are no longer expected to be experts in automation and orchestration.

Additionally, SOAR platforms’ ability to gather and contextualize threat intelligence makes it easier for less-experienced analysts to make the right decisions during incident response. Because technical advancements are happening so rapidly, companies are quick to buy tools, but not as committed to investing in the training and hiring necessary to integrate and execute the technology in their unique environment. SOAR advancements are helping to close this gap.

The “Single Pane of Glass”

The “single pane of glass”—the term for a single unified console that has all the information an analyst needs—is something of a holy grail in the security operations world. Unfortunately, vendors often exaggerate their ability to deliver this type of interface. However, the evolution of SOAR platforms is bringing them very close to realizing the vision of a centralized dashboard. 

The key advantage SOAR platforms have in pursuing the single pane of glass is the concept of orchestration, which has the potential to integrate the entire security stack via integrations. SOAR platforms can leverage partnerships with other products to exchange detailed information on the fly, analyze data from threat intelligence sources, and even empower analysts to take action directly from the SOAR interface. The complexity of today’s security incidents necessitates this level of seamless coordination across people, technology, and processes, because every second wasted switching between interfaces increases risk.

Where SOAR is Headed

The exciting thing is that SOAR is still a relatively new category, and there is still lots of innovation to come. Automation and orchestration have evolved to become indispensable tools, and soon they will be complemented in many platforms by machine learning, artificial intelligence, and other emerging technology.

It is easy to feel anxious about the near future of cybersecurity, with sophisticated methods of attack, state-sponsored hacking, and a lack of qualified people to defend against these threats. However, SOAR should be the source of some optimism for security teams, with its growing ability to be a force multiplier in the SOC.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Incident Response

Cygnvs emerges from stealth mode with an incident response platform and $55 million in Series A funding.

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Incident Response

Implementation of security automation can be overwhelming, and has remained a barrier to adoption

Incident Response

Meta has developed a ten-phase cyber kill chain model that it believes will be more inclusive and more effective than the existing range of...