GigaOm Radar for Security Orchestration, Automation, and Response (SOAR) v4.0

Table of Contents

  1. Executive Summary
  2. Market Categories and Deployment Types
  3. Decision Criteria Comparison
  4. GigaOm Radar
  5. Solution Insights
  6. Analyst’s Outlook
  7. About Andrew Green

1. Executive Summary

Security orchestration, automation, and response (SOAR) emerged as a product category in the mid-2010s to provide a set of tools and technologies that could help organizations improve cybersecurity by detecting potential threats and automating security responses.

At that point, SOAR solutions were based on playbooks and integrations, but since then, SOAR platforms have developed beyond their initial automation capabilities. They now offer more holistic experiences for security analysts, with vendors intending to develop SOAR platforms as the main workspace for security practitioners.

Newer features offered by this holistic experience include case management, collaboration, simulations, threat enrichment, and visual correlations. Additionally, SOAR vendors have gradually implemented AI and machine learning (ML) technologies, enabling their platforms to learn from past events and fine-tune existing processes. This is the juncture where evolving threat categorization and autonomous operations become differentiators in this space. While these two metrics are not critical for a SOAR platform, they may offer advantages in terms of reduced mean time to resolution (MTTR), resilience against employee turnover, and overall flexibility.

We’ve found that SOAR vendors come from three distinct backgrounds:

  • Pure-play SOAR vendors: Players that offer only a SOAR solution.
  • Security players: Vendors that have a broader security portfolio and are either developing their SOAR platform or acquiring existing companies that have one.
  • Cross-portfolio players: Vendors that have traditionally been active in other areas, such as IT automation or service management, and are now entering the security automation space.

We’ve observed many acquisitions in the SOAR space. This was to be expected, considering that automation is a must-have in any modern IT stack. Large security players have a wide selection of SOAR vendors to pick from, virtually all of them offering vendor-agnostic point solutions, meaning they can be acquired and easily integrated into a wider security portfolio.

However, this aggressive approach to acquiring point-solution SOAR vendors is unlikely to spell the end of SOAR solutions as we know them today. There are multiple reasons for this.

First, standalone and vendor-agnostic solutions have some inherent benefits that cannot be replicated otherwise, which is why large security players continue offering their SOAR platforms as vendor-agnostic and standalone solutions.

Second, SOAR solutions are increasingly capable of ingesting events from security information and event management (SIEM) solutions, non-SIEM security sources, and non-security sources. This has two further implications: SOAR tools can run independently of SIEM tools to strengthen an organization’s security posture, and they can automate non-security processes as well.

A large number of security vendors, especially SIEM providers, have started offering SOAR capabilities as integrated features of a wider solution, which is creating some overlap within security markets. Thus, to avoid our own overlap with existing reports in these areas, this evaluation will focus on vendors that offer a standalone SOAR solution that can be purchased separately and integrated with any third-party SIEM solution. This will exclude SIEM or extended detection and response (XDR) tools with native SOAR capabilities that cannot be integrated with third-party SIEM solutions.

This is our fourth year evaluating the SOAR space in the context of our Key Criteria and Radar reports. This report builds on our previous analysis and considers how the market has evolved over the last year.

This GigaOm Radar report examines 16 of the top SOAR solutions and compares offerings against the capabilities (table stakes, key features, and emerging features) and nonfunctional requirements (business criteria) outlined in the companion Key Criteria report. Together, these reports provide an overview of the market, identify leading SOAR offerings, and help decision-makers evaluate these solutions so they can make a more informed investment decision.

GIGAOM KEY CRITERIA AND RADAR REPORTS

The GigaOm Key Criteria report provides a detailed decision framework for IT and executive leadership assessing enterprise technologies. Each report defines relevant functional and nonfunctional aspects of solutions in a sector. The Key Criteria report informs the GigaOm Radar report, which provides a forward-looking assessment of vendor solutions in the sector.