Is SOAR dead or alive? Sort of
Orchestration and automation capabilities remain critical elements in effective cyber defense. Just don't expect to hear much about SOAR anymore.
"SOAR is dead," a cybersecurity vendor recently proclaimed on its website. But the evolution of security orchestration, automation and response suggests that the supposed death is more about semantics than obsolescence.
While some companies experienced success with SOAR technology, many organizations struggled to implement it. Those difficulties harmed SOAR's reputation. In fact, many analysts and vendors now shy away from the term, even though core SOAR functionality -- collecting, coordinating and responding to threat data -- remains vital to security operations.
SOAR vendors have rebranded. Companies once considered SOAR providers now describe their offerings as AI SOC, agentic AI, workflow automation or intelligent workflows.
"[SOAR] was a little bit of a made-up term," said Thomas Kinsella, co-founder of Tines, a security vendor that is often included in lists of SOAR providers. The company, however, has never identified as such, referring to its primary offering as an AI orchestration platform.
What is SOAR?
Gartner coined the term SOAR about 10 years ago to describe a stack of security tools that collects data about detected threats and responds automatically or with minimal human assistance. It was touted as a way to maximize the productivity of security teams.
SOAR includes the following three components, which create a deterministic system for identifying and responding to security events:
- Orchestration. The process of getting all necessary security tools, such as endpoint protection, SIEM platforms and firewalls, working together and integrated with a central SOAR application. This is done through custom or built-in integrations.
- Automation. Occurs in response to data signals coming from security orchestration. When a potential threat is detected, SOAR sends an alert and can automatically respond based on predetermined criteria.
- Response. Refers to the actions taken by the SOAR application once it identifies a potential threat, either acting on its own or sending an alert to a human operator. Security teams can see response activity on a dashboard.
What happened to SOAR?
The concept of SOAR was compelling to enterprise cybersecurity leaders. Security talent was scarce, and the idea of reducing stress on security teams through automation was and still is a big selling point. At one point, at least 20 vendors provided standalone SOAR products. Larger security vendors took notice and acquired SOAR providers; most rolled the functionality into broader security platforms to fill gaps in their own offerings.
Implementation and maintenance presented challenges, however. Because SOAR was yet another standalone product in the security stack, its vendors had an uphill battle to show that the implementation effort would be worth it.
"Organizations struggled to implement SOAR for a number of reasons," said Kevin Schmidt, senior director analyst at Gartner. "You had to write code or scripts or use some sort of an interface to build executable blocks that you would link together."
The better an organization understood and maintained its workflows, security playbooks and technology stack, the easier it could implement and maintain SOAR. According to Schmidt, the necessary integrations posed short- and long-term maintenance challenges that became harder when people with knowledge of them left the organization. "[With] the nature of [SOAR] being code, at the end of the day, it is sometimes very brittle," he said.
To use legacy SOAR technology effectively, added Cody Cornell, CEO and founder of security automation vendor Swimlane, a SecOps team needed experience in incident response, security operations, threat intelligence and the MITRE ATT&CK framework. "Finding someone that was good at [all] that was hard," he said.
Teams also had to understand how to codify security domain knowledge into logic and rules -- something Cornell said too few people could do.
Then, around 2020, new low-code/no-code SOAR products renewed interest in the technology.
"A lot of people jumped on the bandwagon because the demos were great," said Matt Rodriguez, director of service delivery at cybersecurity consultancy Phoenix Cyber. "[They showed] what this platform could do, with just a little bit of simple configuration, for your environment."
More sophisticated security programs -- those with a good handle on their workflows and process engineering -- often have positive experiences with low-code/no-code SOAR adoption, said Nelson Conard, director of cybersecurity solutions at Phoenix Cyber. "For those who struggle, they've just not reached that level of maturity, they're too ad hoc," he added. "So, how you remove the human out of the loop becomes more of a challenge."
As SecOps teams navigated these benefits and challenges, SOAR earned a bit of a reputation in the field.
"Everything is easier in the demo," Rodriguez said. "Even though low-code/no-code solutions make it easier to build playbooks and workflows, there are complications. The issue at times is that the client doesn't understand their world close enough for it to be automated."
What AI means for SOAR
Today, AI agents capable of building and maintaining automation pipelines that previously required significant human expertise and oversight can further simplify SOAR implementation and bring more flexibility and adaptability to SOAR environments. For example, an organization could theoretically build agents that reflect its particular risk tolerance or security preferences.
The SOAR/AI combination has another benefit: no AI black box. Every action by a user -- whether human or agentic -- should be visible through the SOAR dashboard.
A caveat is that AI use is not cheap, and future pricing is uncertain. Organizations must therefore be careful about when and where they use AI agents within their SOAR environments, Kinsella warned, meaning SOAR's deterministic workflows remain a critical part of security automation.
"If you've got a security alert and you know the playbook it should follow, there's no reason it should be an AI agent [responding]," Kinsella said. "You should be relying on a deterministic outcome for something that you know is deterministic." He recommended using AI agents on probabilistic outcomes, such as summarizing alerts or evaluating alerts with uncertain severity.
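As an added illustration (not code from any vendor or person quoted in this article), the routing rule Kinsella describes: an alert with a known playbook and a confident severity gets a deterministic response, anything uncertain or unrecognized is escalated to review, and every decision is written to an audit trail so no action happens out of sight. The alert kinds, confidence field, action names and confidence threshold are all constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Alert:
    alert_id: str
    kind: str          # constructed alert category, e.g. "malware_detected"
    confidence: float  # detector's 0.0-1.0 confidence in the assessed severity
    asset: str

@dataclass
class Outcome:
    alert_id: str
    route: str                       # "playbook" (deterministic) or "review"
    actions: list[str] = field(default_factory=list)

# Deterministic playbooks: alert kind -> ordered actions sent to integrated tools.
PLAYBOOKS = {
    "malware_detected": lambda a: [f"isolate_host:{a.asset}", f"open_ticket:{a.alert_id}"],
    "phishing_report": lambda a: [f"quarantine_message:{a.alert_id}", f"notify_user:{a.asset}"],
}
# Fail-safe: the engine only executes verbs on this allowlist.
APPROVED_VERBS = {"isolate_host", "open_ticket", "quarantine_message", "notify_user"}
CONFIDENCE_FLOOR = 0.8   # below this the severity is uncertain, so not deterministic

def triage(alert: Alert, audit: list[str]) -> Outcome:
    playbook = PLAYBOOKS.get(alert.kind)
    if playbook is None or alert.confidence < CONFIDENCE_FLOOR:
        # Probabilistic case: hand to an analyst or an LLM summarizer, take no action.
        audit.append(f"{alert.alert_id} -> review (kind={alert.kind}, conf={alert.confidence:.2f})")
        return Outcome(alert.alert_id, "review")
    executed = []
    for action in playbook(alert):
        verb = action.split(":", 1)[0]
        if verb not in APPROVED_VERBS:      # fail-safe against a misconfigured playbook
            audit.append(f"{alert.alert_id} BLOCKED {action}")
            continue
        audit.append(f"{alert.alert_id} executed {action}")   # visible on the dashboard
        executed.append(action)
    return Outcome(alert.alert_id, "playbook", executed)

# Constructed sample alerts, not real telemetry.
SAMPLE_ALERTS = [
    Alert("A1", "malware_detected", 0.97, "ws-1042"),
    Alert("A2", "phishing_report", 0.55, "jdoe"),          # uncertain -> review
    Alert("A3", "odd_login_pattern", 0.90, "svc-backup"),  # no playbook -> review
]

def run(alerts: list[Alert]) -> tuple[list[Outcome], list[str]]:
    audit: list[str] = []
    return [triage(a, audit) for a in alerts], audit
```

Calling `run(SAMPLE_ALERTS)` returns the per-alert outcomes together with the audit trail; only A1 is acted on automatically.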
Relying on SOAR's underlying automation system will help mitigate AI costs, Cornell agreed. "The cost to do automation is much cheaper than AI tokens," he said. "The beauty of the combination is that leveraging AI to build automation pipelines is a much more predictable, reliable, trustworthy and cost-effective way to do security ops."
The decision to supplement or replace SOAR with AI tools should ultimately come down to ROI, suggested Rodriguez. "[With a] fivefold return on investment for [our] clients who are very successful [with SOAR], AI doesn't seem as appealing because it's an unknown cost at the moment," he said. "We know what the real cost is to run automations with APIs and code within cloud infrastructure, and it's less than pennies on the dollar."
Conard said SOAR users soon will need to re-evaluate the costs and benefits of AI. "[AI] is a little analogous to the cloud challenges we saw when it first came out," he said. "Everybody was rushing to get to the cloud. Everybody's rushing to have some piece of AI. Once we started getting out into those data centers, we really saw what the cost was."
What's next for SOAR?
While SOAR was once a product that was best suited to large enterprises with plentiful resources, disparate systems and mature security programs, it is increasingly accessible. "Now it has evolved [so] that it is obtainable to the middle market and smaller players, and is even being leveraged by MSPs," Conard said.
With that in mind, organizations successfully using traditional SOAR are unlikely to abandon it, according to Gartner's Schmidt. "You don't throw out your tool that is working just to go after the new splashy, shiny AI stuff."
Instead, organizations that continue to use SOAR might supplement it with AI. For example, experts suggested, AI could support tasks related to change management, audit trails, fail-safes and rollbacks in the SOC.
"Look for ways you can plug in a call to a large language model to help with some aspect that you can't do within the playbook or to help verify some texts you're getting from a database," Schmidt said. "Over time, SOAR is going to morph into the agentic software, AI SOC."
Michael Nadeau is an award-winning journalist and editor who covers IT and energy tech. He has held senior positions at CSO Online, BYTE magazine, SAP Experts/SAP Insider and 80 Micro. Nadeau also writes the PowerTown blog on Substack for stakeholders in local renewable energy initiatives. Follow him on Bluesky at @mnadeau.bsky.social.