A cybersecurity software platform with capabilities of automation and integration with other technology designed for a Security Operations Center (SOC) is known as a Security Orchestration, Automation & Response (SOAR) solution. This technology is growing in adoption among security and risk management decision makers. Here's a look at how SOARs function and respond to cyberthreats.

How SOARs are Used

The main investors in SOAR solutions are large SOCs that have plenty of experience with automation. These security teams buy the technology to boost productivity and efficiency in their centers. SOARs are mainly used to handle incident/case management and track threat intelligence (TI). These tools may be embedded in services such as email security and other data protection technologies while enhancing performance.

One of the most productive ways SOARs are used is to improve speed, consistency and client engagement when responding to threat intelligence. Vendors that deal with cybersecurity are steadily expanding SOAR capabilities through their own exploration into improving data protection or deals such as acquisitions and OEM contracts. They typically market new tools as premium add-ons.

Not only are SOAR tools used to document events, they can activate processes such as playbooks and workflows. Tools are designed to support security incident management with assistance from machine learning software that draws from a high volume of data. The software can generate recommendations for responding to cyberthreats. It can also orchestrate workflows automatically to deliver reports on incident triage, as well as TI curation and management. SOAR tools include compliance monitoring and management.

Another type of team that taps into SOAR tools is the managed service approach. Such vendors may integrate them into their ecosystems as premium applications - the SOCs benefit from gained intel across a range of customers (security scale effects). Mature IT vendors are also gravitating toward SOAR tools for threat management. The question whether to operate SOAR inhouse, as managed service or mixed has been discussed for years very emotionally. We suggest in ATC to operate it as a mix. The ATSEP team needs to be in control, but use external support, expertise and big-data-based intel. We will discuss this more in depth in a subsequent article.

Understanding SOAR Components in ATC

A SOAR solution is the result of three SOC technologies working together, which are:

  1. Security Incident Response Platforms (SIRPs) - These platforms facilitate case/incident management and workflows as they collect data that becomes part of an incident knowledge base.
  2. Security Orchestration and Automation (SOA) - This technology involves integrations, play/process/workflow automation and playbook management.
  3. Threat Intelligence Platforms (TIPs) - This combination of platforms allows for TI aggregation, curation and distribution, TI visualization and sending alerts.

The main component that convinces many SOCs to invest in SOAR is automation because it resolves so many operational problems. Automation can cut costs on labor while improving data collection with greater accuracy and agility. When an SOC becomes cluttered with too many alerts or complex tools to the point of overload, automation is a reliable solution to simplify processes. It's also a helpful solution in times of budget tightening or staff shortages.

SOAR tools are selected to help improve SOC efficiency. The tools used most often at these centers involve incident response and managing workflows. SOARs are progressively advancing in developing native TI solutions.


SOCs, SIEM teams and more mature IT organizations are increasingly adopting SOAR tools to strengthen cybersecurity. These tools help organizations detect and identify cyberthreats as well as contain them. Ultimately, SOAR can provide real-time data for higher quality decision making and faster response to cyberthreats.

New call-to-action

References and Further Reading

New call-to-action