AIMultiple Research
SOAR
Updated on May 2, 2025

Top 10+ SOAR Software & Open Source Alternatives [2025]

By Adil Hafa

With nearly 2 decades of cybersecurity experience in a highly regulated industry, I compiled a list of over 10 security orchestration, automation, and response (SOAR) software:

Vendor – Best for

1. ManageEngine Log360 – Supporting SIEM operations with SOAR automation
2. Splunk SOAR – Large-scale companies with complex IT and large budgets
3. IBM QRadar SOAR – Companies with legacy systems and mainframe code
4. Rapid7 InsightConnect – Large-scale companies with complex IT and large budgets
5. Microsoft Sentinel – Companies with a Microsoft environment
6. Cortex XSOAR – Companies with legacy systems and mainframe code
7. FortiSOAR – Large-scale companies with complex IT and large budgets
8. ArcSight – Enterprises with analysts with limited skill levels
9. ServiceNow Security Operations – Out-of-the-box (OOB) integrations
10. Tines – Small companies needing a free community edition
11. Torq – IAM, CSPM, threat hunting, email security automation

Top 10+ commercial SOAR software

Features

All vendors support GDPR, PCI DSS, and ISO 27001 compliance and pre-built and customizable playbooks. See how we selected these vendors.

Updated at 01-07-2025
Vendor | SIEM | UEBA | Mobile app | OS logs* | Playbooks
ManageEngine Log360 | | | | |
Splunk SOAR | | | | | 100+
IBM Security QRadar SOAR | | | | |
Rapid7 InsightConnect | | | | | 300+
Microsoft Sentinel | | | | | 50+
Palo Alto Networks Cortex XSOAR | | | | | 80+
FortiSOAR | | | | | –**
ArcSight | | | | |
ServiceNow Security Operations | | | | | 20+
Tines | | | | | 200+
Torq | | | | |

* Vendors marked “✅” in the OS logs column support log collection from Linux, Unix, macOS, and Windows.

** A “–” indicates that the vendor does not publish information about that feature.

Enrichments

All vendors support integrations with the major cloud platforms (AWS, GCP, and Microsoft Azure) except Tines, which only supports AWS.

Updated at 12-17-2024
Software | MITRE mapping | IAM log support | Email security support
ManageEngine Log360 | | Depends on log type* | Exchange Server
Splunk SOAR | | Ingests logs from IAM | Exchange Server, Google Mail, cloud mail
IBM Security QRadar SOAR | | Not shared | Exchange Server, Google Mail
Rapid7 InsightConnect | | Ingests logs from IAM | Exchange Server, Google Mail
Microsoft Sentinel | | Ingests logs from IAM | Exchange Server, Google Mail, cloud mail
Palo Alto Networks Cortex XSOAR | | Requires adding the SOAR to IAM | Exchange Server, Google Mail, cloud mail
FortiSOAR | | Requires adding the SOAR to IAM | Exchange Server, Google Mail
ArcSight | | Ingests logs from IAM | Exchange Server, Google Mail
ServiceNow Security Operations | | Requires adding the SOAR to IAM | Exchange Server, Google Mail
Tines | | Requires adding the SOAR to IAM | Exchange Server, Google Mail
Torq | | Requires adding the SOAR to IAM |

*Depends on log type: ManageEngine Log360’s IAM log support depends on the log type; it may ingest logs from IAM directly or require adding the SOAR to IAM.

AI capabilities

Updated at 12-06-2024
Vendor | Explaining queries using natural language
ManageEngine Log360 | With ChatGPT and ManageEngine Analytics Plus integration
Splunk SOAR |
IBM Security QRadar SOAR | With AQL CodeGen plugin
Rapid7 InsightConnect |
Microsoft Sentinel | With Microsoft Copilot plugin
Palo Alto Networks Cortex XSOAR | With Cortex Copilot plugin
FortiSOAR |
ArcSight |
ServiceNow Security Operations |
Tines |
Torq |

Pricing

Vendors typically base their pricing on several key factors, including the number of users, storage, and add-on tools or integrations (e.g. endpoint protection system integration). Additionally, the complexity of automation workflows or playbooks can impact costs.

Updated at 12-06-2024
Vendor | Starting price | Free trial
ManageEngine Log360 | $300 per year (75 GB storage) – $30,295 (2 TB storage) | 15 days
Splunk SOAR | $411 (1 GB per day) | 14 days
IBM Security QRadar SOAR | $12,048 (yearly license) | 90 days
Rapid7 InsightConnect | | 30 days
Microsoft Sentinel | ~$40,000 (yearly license) | 31 days
Palo Alto Networks Cortex XSOAR | ~$20,000 (yearly license) | 30 days
FortiSOAR | ~$72,000 (yearly license, enterprise edition) |
ArcSight | ~$40,000 (yearly license) |
ServiceNow Security Operations | |
Tines | ~$5,000 (yearly license) |
Torq | ~$25,000 (yearly license) |

Leading open source SOAR tools

Many commercial SOAR products build on one or more open source components (e.g. a no-code workflow builder) and add features and their own specialized automation on top. The four most popular open source projects are:

  • n8n is a workflow automation tool that enables users to automate processes across various services.
  • StackStorm (st2) is an automation platform. Its open source version provides Slack integration but lacks AWS integration and a workflow designer.
  • Shuffle is an open source SOAR with 200+ plug-and-play apps. Shuffle’s on-premise enterprise version plans start at $960 per month for 8 CPU cores.
  • TheHive Project – Cortex is available in three editions: open source, gold, and platinum. The open source edition supports up to 2 users, 1 organization, and a single Cortex and MISP server.

For more details, check out our article on top 6 open source SOAR tools.

Top 10+ commercial SOAR software explained

Disclaimer: Insights below come from vendor websites, AWS Marketplace,1 and Insight.2

ManageEngine Log360 is a unified SIEM solution that provides log feeds and helps streamline SOAR operations. It is a strong choice for large enterprises looking for built-in threat detection and user and entity behavior analytics (UEBA).

ManageEngine Log360 collects and processes log data from over 750 log source types, including:

  • Windows Infrastructure
  • Network devices: Palo Alto Networks, SonicWall, Fortinet, etc.
  • Cloud sources: AWS S3 access logs, etc.
  • Hypervisors
  • Databases: Oracle, SQL Server, DB2, MySQL.
  • ManageEngine applications
  • Security applications: McAfee, Trend Micro.
  • Web stacks: IIS web servers, Apache access logs.
  • Others: syslog servers, Linux distributions, IBM AS/400, etc.

Key features:

MITRE ATT&CK framework: ManageEngine Log360’s MITRE ATT&CK support helps companies identify early-stage indicators of compromise and monitor suspicious behavior with:

  • Signature-based attack detection.
  • A threat visualizer for alerts categorized by MITRE ATT&CK tactic and technique.
  • Lateral movement detection with event details such as time, event ID, source, and severity.
  • APT (advanced persistent threat) detection and monitoring.

Distinct remediation capabilities: ManageEngine Log360 adds remediation features such as:

  • Running a traceroute to a device on your network to identify the path (useful for diagnosing connectivity issues).
  • Executing Cisco ASA firewall commands, such as adding inbound and outbound rules, so you do not have to switch tools to update policies. Because this pushes configuration changes to the firewall, the credentials Log360 uses for it should be limited to the rules it needs to manage, and every executed command should be logged.

These functions make Log360 a strong option in the security market, as they enable more dynamic troubleshooting than many competitors offer.

Broad SIEM and SOAR enrichments: ManageEngine Log360 offers broad SIEM and SOAR enrichments to enhance security visibility and response. Some key enrichments include:

  • Integrated data loss prevention (DLP) for sensitive data discovery and data risk assessment.
  • Integrated cloud access security broker (CASB) for enhanced visibility into cloud events.
  • Built-in Log360 UEBA engine for analyzing user behavioral data and anomalies in your network.

Broad sensitive data discovery and classification: ManageEngine Log360 also offers sensitive data discovery and classification with predefined data discovery policies. It helps you:

  • Find personally identifiable information (PII) such as email addresses and credit card numbers.
  • Automate the classification of files containing PII and electronic protected health information (ePHI).

Pros

  • Log management: Logs from various sources such as servers and networks are effectively managed and routed to the appropriate stakeholders.
  • Reporting: Engineers state the reporting tools are useful for compliance and operational monitoring, especially in sectors with strict security regulations such as aerospace.
  • Integrations: ADAudit Plus and EventLog Analyzer integrations provide detailed insight into Active Directory changes while aggregating log data from various sources.
  • File integrity monitoring: Users found the FIM (file integrity monitoring) tool useful.

Cons

  • XDR features: The solution could be improved by including built-in XDR (extended detection and response) features.
  • Service delays: The service can take 20 to 30 minutes to start.
  • Integrations: SharePoint and Teams integrations could be enhanced for smoother operation.

Splunk SOAR is a scalable solution for enterprises that value automation and integration capabilities. It is best suited for mature organizations with well-documented processes.

Additionally, it can be a convenient solution for companies already using Splunk as their SIEM since it allows users to integrate Splunk SOAR with their existing data and alerts.

With Splunk SOAR playbooks, users automate security and IT operations in the visual playbook editor. Splunk SOAR includes 100+ pre-built playbooks, including:

  • Recorded Future indicator enrichment playbook: enriches file hashes, IP addresses, domain names, and URLs from ingested events with Recorded Future intelligence.
  • Phishing investigation and response playbook: automates the investigation of and response to incoming phishing emails.
  • CrowdStrike malware triage playbook: enriches malware alerts raised by CrowdStrike.

Pros

  • GUI-based interface: Analysts say the graphical user interface (GUI) allows them to manage playbooks with minimal scripting knowledge.
  • Deployment and support: Users report smooth deployment and knowledgeable support staff.
  • Automation for phishing email: Splunk SOAR’s e-mail automation allowed financial security managers to handle phishing emails in 5 minutes, down from up to 30 minutes.
  • Ticketing system integrations: IT users appreciate how Splunk SOAR can connect with other ticketing systems, helping them maintain workflows while integrating it with their support desk.
  • Mobile app: Cybersecurity analysts find it valuable since it allows their on-call analysts to respond to alerts and incidents from anywhere.


Cons

  • Cost: Splunk SOAR is expensive, especially for small and medium-sized businesses.
  • Steep learning curve: IT specialists indicate that the solution has a steep learning curve and may require specialized coding knowledge.
  • Integrations with existing systems: Some users had trouble integrating Splunk SOAR with their current security products and workflows and had to build custom app connectors, which increased complexity.
  • Custom-built solutions: Security automation engineers found the product inefficient for building specialized Python automation across servers, containers, or runners.
  • Mobile app: The mobile app is only available for iOS.

IBM QRadar SOAR (formerly Resilient) helps orchestrate and automate incident response (IR) across your workflows. It offers 180+ built-in privacy regulations and 300+ integrations on the IBM App Exchange.

With QRadar SOAR, security teams can:

  • Use dynamic playbooks and customized procedures.
  • Record incident response with time-stamped key actions, which supports investigation and post-incident review.

Security teams can also integrate IBM QRadar products or third-party applications into QRadar SOAR to escalate and manage incidents. Key integrations include:

  • SIEM: IBM QRadar SIEM, Splunk, Microsoft Sentinel, Rapid7 InsightIDR.
  • EDR: IBM QRadar EDR, SentinelOne, CrowdStrike.
  • ITSM: Salesforce Service Cloud, ServiceNow, Jira.

Key considerations:

IBM QRadar SOAR integrates seamlessly with other IBM products. Companies already using IBM products or have teams familiar with IBM security solutions may choose QRadar SOAR.

IBM QRadar SOAR offers broad integrations but demands skilled personnel: custom integrations are built with REST APIs and SDKs, and a common user concern is that this requires familiarity with coding (e.g., Python, JavaScript) and API design.

So if you expect to connect QRadar SOAR to a proprietary or client-server tool, your team will need the skills to write custom connectors.

Pros

  • Highly customized scripting options: Analysts can leverage custom scripting to execute specific actions and responses such as custom data correlation, API-based actions, and integrating QRadar SOAR with mainframe systems.
  • Integration with QRadar solutions: QRadar SOAR is appreciated for its integration with IBM’s broader security suite, particularly QRadar SIEM.
  • Custom incident types: Analysts say they can effectively configure the incident categorization, tags, and attributes based on internal processes.
  • Vulnerability testing: Users say vulnerability testing is easy with IBM QRadar SOAR since it effectively enables them to evaluate the entire event payload, filter it, and add useful information to the Jira tickets. 

Cons

  • Playbooks require high technical skills: Users find it difficult to build playbooks, they say that playbooks demand programming skills, such as learning Python.
  • Dependency on IBM Ecosystem: While QRadar SOAR works best with QRadar SIEM, some users feel constrained by the limited plug-and-play options when integrating with other SIEMs, like ArcSight. QRadar SOAR supports external integrations but requires significant configuration effort to connect with non-IBM products.
  • Complexity in setup: Users note that setting up QRadar SOAR on-premise requires solid knowledge of Red Hat Enterprise Linux (RHEL).
  • Complexity in customization: Reviews show that customizing the product often involves modifying files over SSH.

Rapid7 InsightConnect automates workflows across IT and security cloud apps, on-premise systems, employees, and administrators. The solution offers 300+ plugins to connect your security systems and a library of customizable workflows. Some plugin use cases include:

  • Creating HTTP requests
  • Mass deleting emails with PowerShell
  • Python 2 or 3 scripting

Users can build custom workflows that automatically respond to reported phishing emails by integrating with Office 365, Gmail, VirusTotal, and Palo Alto Networks WildFire. The workflow inspects the email headers, links, and attachments and raises an alert when a known-malicious result is found.
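
As an added example of the inspection step such a phishing workflow performs (illustrative code written for this article, not Rapid7’s or InsightConnect’s), the script below parses a raw email with Python’s standard library, extracts the sender domain, Received-chain IP addresses, linked domains and attachment SHA-256 hashes, matches them against a small threat-intelligence set, and maps the verdict to response actions. The message, the known-bad domains and hashes, and the action names are all constructed for the example; in a real workflow the hash and domain lookups would go to a service such as VirusTotal or WildFire.

```python
"""Phishing-email triage: extract indicators, match intel, choose actions.

Added example for this article; not Rapid7 or InsightConnect code. The
message, threat-intelligence sets and action names are constructed
(the indicators below are not real IOCs)."""
import hashlib
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".iso", ".lnk")

# Constructed threat intelligence (stand-in for a VirusTotal/WildFire lookup).
BAD_ATTACHMENT = b"MZ\x90\x00constructed-sample-not-real-malware"
KNOWN_BAD_DOMAINS = {"login-verify.example", "secure-update.example"}
KNOWN_BAD_SHA256 = {hashlib.sha256(BAD_ATTACHMENT).hexdigest()}


def build_sample_message(malicious: bool = True) -> bytes:
    """Construct a raw RFC 5322 message, as a mail connector would hand it over."""
    msg = EmailMessage()
    msg["To"] = "analyst@corp.example"
    if malicious:
        msg["From"] = "IT Helpdesk <it-helpdesk@login-verify.example>"
        msg["Subject"] = "Action required: password expires today"
        msg["Received"] = "from mail.login-verify.example (203.0.113.7) by mx.corp.example"
        msg.set_content("Reset here: http://login-verify.example/reset?u=42\nThanks, IT")
        msg.add_attachment(BAD_ATTACHMENT, maintype="application",
                           subtype="octet-stream", filename="invoice.exe")
    else:
        msg["From"] = "HR <hr@corp.example>"
        msg["Subject"] = "Updated travel policy"
        msg["Received"] = "from smtp.corp.example (10.0.0.25) by mx.corp.example"
        msg.set_content("The policy is at https://intranet.corp.example/policy/travel")
    return msg.as_bytes()


def extract_indicators(raw: bytes) -> dict:
    """Pull sender, Received-chain IPs, URLs/domains and attachment hashes."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(msg.get("From", ""))[1]
    urls, domains, attachment_sha256 = set(), set(), {}
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            data = part.get_payload(decode=True) or b""
            attachment_sha256[part.get_filename() or "unnamed"] = hashlib.sha256(data).hexdigest()
        elif part.get_content_type() in ("text/plain", "text/html"):
            for url in URL_RE.findall(part.get_content()):
                urls.add(url)
                host = urlsplit(url).hostname
                if host:
                    domains.add(host.lower())
    received_ips = set()
    for hdr in msg.get_all("Received", []):
        received_ips.update(IP_RE.findall(str(hdr)))
    return {
        "sender": sender,
        "sender_domain": sender.rsplit("@", 1)[-1].lower() if "@" in sender else "",
        "urls": urls, "domains": domains,
        "attachment_sha256": attachment_sha256, "received_ips": received_ips,
    }


def triage(raw: bytes, bad_domains=KNOWN_BAD_DOMAINS, bad_hashes=KNOWN_BAD_SHA256) -> dict:
    """Match indicators against intel, then map the verdict to response actions."""
    ind = extract_indicators(raw)
    findings = []
    for domain in sorted(ind["domains"] | {ind["sender_domain"]}):
        if domain in bad_domains:
            findings.append(f"known-bad domain: {domain}")
    for name, digest in ind["attachment_sha256"].items():
        if digest in bad_hashes:
            findings.append(f"known-bad attachment: {name} ({digest[:12]}...)")
        elif name.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"executable attachment: {name}")  # heuristic only
    if any(f.startswith("known-bad") for f in findings):
        verdict, actions = "malicious", ["quarantine_message", "block_sender_domain", "open_incident"]
    elif findings:
        verdict, actions = "suspicious", ["open_incident"]  # analyst review, no auto-block
    else:
        verdict, actions = "clean", ["close_report"]
    return {"verdict": verdict, "findings": findings, "actions": actions, "indicators": ind}


if __name__ == "__main__":
    for flag in (True, False):
        result = triage(build_sample_message(malicious=flag))
        print(result["verdict"], result["findings"], result["actions"])
```

Only a confirmed intelligence match triggers the automatic block; a risky attachment extension alone opens an incident for an analyst, which is the usual split between what a playbook may do unattended and what needs a human decision.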

For more control over vulnerabilities, users can integrate Rapid7 InsightConnect with the Metasploit Framework, which offers customized filtering for vulnerability management, particularly on-premise vulnerability management (VM).

Pros

  • Robust integrations and plugins: Users valued the customization offered by the SIEM, firewall, EDR, and ticketing platform integrations.
  • Automation and incident response: Smaller teams appreciated InsightConnect’s ability to automate threat isolation, which reduced response time and manual intervention.
  • Stability: Network security engineers state the tool is stable and the initial setup is straightforward.
  • Managed platform: Rapid7 provides a managed platform for an additional fee; without it, you often need to rely on their FAQ or web searches.
  • Metasploit integration – vulnerability management: The Metasploit Framework provides effective project management and instructions on how to resolve issues. This is especially useful on large projects: vulnerability testers can quickly write a report and hand it to admins.
  • Metasploit integration – vulnerability scans: Scans can be run over the network, but results are more accurate if you install Rapid7’s agents, which are licensed separately from the platform.

Cons

  • Limited integration coverage: While the integration capabilities are generally well-received, some users think the coverage could be broader. 
  • Lack of test cases: A common critique is the absence of a repository of proven automation templates or use cases.
  • Requires scripting knowledge: Detailed customization may require scripting knowledge and skilled automation engineers. 
  • Metasploit integration – many configuration steps: Users report that running vulnerability scans with the Metasploit Framework requires several configuration steps, and some platform management tasks are manual at the system level.
  • Metasploit integration – hybrid model: The on-premise solution partly depends on the cloud, which is a problem during outages; if Rapid7’s service is down, access becomes limited.
  • Metasploit integration – reporting: Users find the reports useful, especially the canned ones, but several reports contradict each other, and the remediation suggestions are of little use unless you buy Rapid7’s expert services.

Microsoft Sentinel is a cloud-based SIEM and SOAR software. The solution offers 100+ threat-hunting queries, workbooks, and playbooks to protect your environment and hunt for threats.

It is used by leading organizations such as EPAM Systems Inc., Accenture PLC, and Cognizant Technology Solutions Corp.

A free trial is available, offering 10 GB of daily usage on an Azure Monitor Log Analytics workspace for 31 days, with a limit of 20 workspaces per Azure subscription. Usage exceeding these limits incurs charges starting at $5.59 per GB.

Free version features:

  • Playbooks: ✅ Available
  • Usage limit: 10 GB per day free usage for 31 days
  • Analytics: ❌ Not included
  • Data ingestion: Only free with select Azure resources
  • Free data storage: Up to 90 days

Pros

  • Categorized notifications: Cybersecurity engineers appreciate the fact that they receive categorized notifications based on security levels.
  • Centralized integrations: SOC analysts say that Microsoft Sentinel’s integration with Microsoft Defender makes it more than a logging tool: with the Defender integration, users can read and block a phishing email from a single platform.

Cons

  • Difficulty with data ingestion and log parsing: Microsoft Sentinel ships many data connectors from Microsoft and its partners. For sources without a connector, Sentinel offers the Codeless Connector Platform (CCP) for SaaS applications and supports third-party tools such as Logstash for on-premise or cloud-hosted infrastructure. Integrating these sources is difficult because of the setup and settings that must be maintained to keep the connector working.

Palo Alto Networks Cortex XSOAR enables you to manage alerts from several sources, standardize processes through playbooks, act on threat intelligence, and automate responses for various use cases. 

It offers 1000+ third-party integrations, helping SOCs orchestrate incident response across your network security, SASE, endpoint security, and cloud security solutions. A 30-day free trial is available.

Pros

  • Strong automation & customization: Users report they could effectively write custom scripts for specific security tasks with XSOAR.
  • Rich playbook automation: XSOAR is often considered to offer more detailed playbook automation (e.g. decision-tree support) than competitors such as Siemplify or Swimlane.
  • Python scripting support: Technical users consider Python scripting capabilities as a strong point for creating customized playbooks.
  • Integrations: XSOAR offers broad integrations (1,000+) compared to more niche SOAR platforms with fewer pre-built integrations (e.g. LogicHub).

Cons

  • Maintenance burden: Users noted that Playbooks and integrations may need constant attention to ensure they continue to work with the latest version of an integrated tool or API.
  • Deployment: While some users claim that they can handle the majority of a large XSOAR deployment solo, some users have reported that XSOAR deployment is resource-intensive.
  • Dashboard: Reviewers state that navigating the dashboard could be more intuitive.
  • Pre-built playbooks: The pre-built playbooks are too generic to be utilized directly and require several modifications.

FortiSOAR suits large companies with skilled technical staff; it is not ideal for smaller firms because of its cost and upfront complexity (it requires complex configuration and maintenance). FortiSOAR enables IT/OT security teams to automate incident management for threat detection and response. Key features include:

  • security incident response,
  • case and workforce management,
  • threat intelligence management,
  • and no-code / low-code playbook creation.

Pros

  • Automation and playbooks: Analysts report that FortiSOAR offers high customization for managing playbooks. Note that Jinja (and some Python) is essential for normalizing data and creating custom actions across playbooks.
  • Third-party integrations: Security teams report that FortiSOAR positively impacted their SOC since it effectively allowed them to integrate different security systems/platforms and create a personalized center.
  • API integrations: FortiSOAR offers comprehensive API integrations to pull data from firewalls, threat feeds, and other security tools.
  • Interface: Users say the interface is user-friendly and allows them to create multiple mini-panels of platforms, incidents, and alerts.

Cons

  • Complex data normalization and parsing: Data normalization and parsing (integrating threat feeds or pulling data from different firewalls) can be complex, especially without a fully mature SOC environment. The process requires extensive custom code in FortiSOAR.
  • Limited use of Python: In the early stages of maturity, teams may need to use Jinja more frequently than Python, so you may not have fully leveraged the power of Python in playbooks at the outset. This might limit the initial flexibility of your automation workflows.
  • Performance: Potential performance issues with Python can arise when using it in playbooks, particularly when dealing with large data sets or resource-intensive processes such as parsing data from multiple firewalls.
  • Licensing model: Customers note that the licensing structure is not clear; buyers expect to know the number of concurrent users or the number of FortiSOAR nodes in their licensing plan.
  • Costs: The onboarding period can be expensive, with annual licensing costs of up to $70,000.3

ArcSight SOAR by OpenText is designed for analysts with limited skill levels, letting operators decide manually what to do without writing code.

ArcSight SOAR is a strong choice for enterprises that want to automate incident response and centralize security operations. Users report that it provides effective playbooks for designing workflows.

However, several users point out shortcomings, particularly the manual policy installation required for firewall changes and slow support response times. Concerns have also been raised about the platform’s integrations, which are currently limited.

Key features:

Capabilities-based access control: One of the standout features of ArcSight SOAR is its granular access control, which is more flexible and precise than traditional role-based access control (RBAC). RBAC restricts access by broad role (e.g., Analyst A has access to Active Directory, Analyst B does not).

With capabilities-based access control, the AD plugin might expose several functions (e.g., viewing user details, listing group members, etc.). Instead of giving an analyst access to all of AD, the administrator can grant Analyst A access to only certain functions—such as viewing user details and locking accounts.
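
To make the distinction concrete, here is an added example (written for this article, not OpenText’s or ArcSight’s code) of a minimal SOAR runtime that enforces capability-based grants on plugin actions: a toy Active Directory plugin exposes four functions, one analyst is granted only lookup and lock, another is granted the whole plugin (the RBAC equivalent), and every invocation is checked and audited. The plugin, directory records and analyst names are constructed.

```python
"""Capability-based access control for SOAR plugin actions: analysts are
granted individual plugin functions rather than the whole plugin.

Added example for this article; not OpenText/ArcSight code. The plugin,
its actions, the directory data and the analyst names are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple


class AccessDenied(PermissionError):
    pass


@dataclass(frozen=True)
class Capability:
    plugin: str
    action: str

    def __str__(self) -> str:
        return f"{self.plugin}:{self.action}"


@dataclass
class Plugin:
    name: str
    actions: Dict[str, Callable] = field(default_factory=dict)


def make_ad_plugin(directory: dict) -> Plugin:
    """Toy Active Directory plugin; each function is a separately grantable capability."""
    def get_user(user):
        return dict(directory[user])

    def list_group_members(group):
        return sorted(u for u, rec in directory.items() if group in rec["groups"])

    def lock_account(user):
        directory[user]["enabled"] = False
        return {"user": user, "enabled": False}

    def reset_password(user):
        directory[user]["password_reset"] = True
        return {"user": user, "password_reset": True}

    return Plugin("active_directory", {
        "get_user": get_user, "list_group_members": list_group_members,
        "lock_account": lock_account, "reset_password": reset_password,
    })


class SoarRuntime:
    """Holds plugins and grants; every invocation passes through one check."""

    def __init__(self):
        self.plugins: Dict[str, Plugin] = {}
        self.grants: Dict[str, Set[Capability]] = {}
        self.audit: List[Tuple[str, str, str]] = []

    def add_plugin(self, plugin: Plugin):
        self.plugins[plugin.name] = plugin

    def grant(self, analyst: str, plugin: str, action: str):
        if action not in self.plugins[plugin].actions:
            raise KeyError(f"{plugin} has no action {action}")  # no grants for nonexistent actions
        self.grants.setdefault(analyst, set()).add(Capability(plugin, action))

    def grant_all(self, analyst: str, plugin: str):
        """The RBAC-style grant: the whole plugin at once (what capabilities let you avoid)."""
        for action in self.plugins[plugin].actions:
            self.grant(analyst, plugin, action)

    def allowed(self, analyst: str, plugin: str, action: str) -> bool:
        """Pre-flight check, e.g. for a UI that hides actions the analyst cannot run."""
        return Capability(plugin, action) in self.grants.get(analyst, set())

    def invoke(self, analyst: str, plugin: str, action: str, *args, **kwargs):
        cap = Capability(plugin, action)
        fn = self.plugins.get(plugin, Plugin(plugin)).actions.get(action)
        if fn is None:
            raise KeyError(f"unknown action {cap}")
        if not self.allowed(analyst, plugin, action):   # deny by default
            self.audit.append(("deny", analyst, str(cap)))
            raise AccessDenied(f"{analyst} lacks {cap}")
        self.audit.append(("allow", analyst, str(cap)))
        return fn(*args, **kwargs)


def build_demo_runtime() -> SoarRuntime:
    directory = {  # constructed directory records
        "alice": {"enabled": True, "groups": ["sales"]},
        "bob": {"enabled": True, "groups": ["sales", "admins"]},
    }
    rt = SoarRuntime()
    rt.add_plugin(make_ad_plugin(directory))
    # Analyst A: look up and lock only. Analyst B: the whole plugin (RBAC-equivalent).
    rt.grant("analyst_a", "active_directory", "get_user")
    rt.grant("analyst_a", "active_directory", "lock_account")
    rt.grant_all("analyst_b", "active_directory")
    return rt


if __name__ == "__main__":
    rt = build_demo_runtime()
    print(rt.invoke("analyst_a", "active_directory", "lock_account", "alice"))
    try:
        rt.invoke("analyst_a", "active_directory", "reset_password", "alice")
    except AccessDenied as exc:
        print("denied:", exc)
    print(rt.audit)
```

Deny-by-default is the property that matters: an action that has not been explicitly granted, or that the plugin does not expose, never runs, and the audit trail records the refusal as well as the allow.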

Malware information sharing platform (MISP) support: ArcSight SOAR integrates with malware information sharing platform (MISP) to allow threat intelligence sharing and enrichment. 

Triggers: ArcSight SOAR can start a playbook from several trigger sources:

  • Third-party products (e.g., SIEM alerts, threat intelligence, or custom applications)
  • Manual triggers by SOC analysts
  • REST API calls
  • Threat intelligence (e.g. IOC (Indicator of Compromise) feeds or real-time alerts from threat intel providers)

Incident classifications: ArcSight SOAR comes equipped with a group of incident classifications; malware, phishing, lost laptops, etc.

Notification templates: Users can send out notifications at particular stages of workflows including:

  • Email notifications
  • SMS messages
  • Windows popup notifications

Pros

  • Customization: The product provides high customization for alerting and reporting.
  • User-friendly playbook creation: Creating workflows and playbooks is intuitive, without needing extensive expertise in coding or system integration.
  • Log file analysis: Analysts appreciated the fact that they could examine the log files in detail.

Cons

  • Manual firewall policy installation: While ArcSight SOAR can block IP addresses on the firewall as part of an automated workflow, the policy installation that applies the change still has to be done manually.
  • Costs: The license and pricing model is expensive for small-scale enterprises.
  • Limited integrations: Some users think that ArcSight SOAR only integrates with limited tools. 

ServiceNow Security Operations integrates incident data from your security tools into a structured response engine. The software provides:

  • Vulnerability management — to prioritize vulnerabilities by business impact.
  • Data security posture management — to understand which data is protected and which is at risk.
  • Threat intelligence — a platform for strengthening security posture.

Pros

  • Vulnerability summaries: IT specialists note that the product gives accurate vulnerability summaries, allowing for the identification and swift remediation of technical issues.
  • Debugging: Users appreciate the debugging features, noting they achieve complete visibility into playbook generation and troubleshooting.

Cons

  • Complex playbooks: Playbook design can be challenging for engineers without programming skills.
  • No bulk closure option: Users note that the product requires them to close events one at a time, which is tedious because there is no bulk closure option.

Tines focuses on automating cloud security posture management (CSPM), endpoint detection and response (EDR), SIEM, phishing, and policy approval workflows.

Tines aims to help the security operations center streamline workflows without coding, scripting, or human intervention. It is used by IT security, engineering, and product teams and offers a free community edition.

Users say the platform is much more lightweight and flexible than other SOAR solutions because of its no-code workflow builder, which lets users connect to APIs directly.

Pros

  • Ease-of-use: Reviews highlight that Tines’ drag-and-drop interface and the UI are easy to use.
  • Customer training: Numerous reviews indicate that the Tines team ensures you are well-trained and self-sufficient on the platform.

Cons

  • No-code: Users say the “no-code” features are less useful than advertised because using them still requires engineering expertise.

Torq is a strong alternative for organizations that value simplicity in automation over complex multi-environment coordination: it focuses on no-code security automation and lacks features such as comprehensive case management.

Torq offers security bots that replace manual, monotonous processes with automated self-service experiences. These bots can:

  • Integrate workflows and tools – schedule workflow runs, trigger them automatically, or run them manually via Slack or the CLI.
  • Reduce alert fatigue – automatically handle duplicate alerts and false positives.

Pros

  • Security integrations & automation: Torq receives positive feedback for its versatility across security use cases, particularly IAM, CSPM, threat hunting, and email security automation.
  • Customer support: Several users state that their assistance is highly engaging.

Cons

  • Integrations: Some users reported challenges with integration consistency, particularly when working alongside more complex SIEM setups.
  • Alerts: Customers note that the software templates are highly repetitive.

What is a SOAR system?

Security orchestration, automation, and response (SOAR) is a collection of services and solutions that automate threat detection and response. The automation works by integrating your existing security tools and defining how tasks should be executed across them.

To further grasp how modern SOAR solutions function, consider breaking them down into three basic components: automation, orchestration, and incident response.

Automation

SOAR tools’ automation capabilities create tasks that can be completed on their own. This is performed via playbooks, which are sets of procedures that run automatically when triggered by a rule or incident. Playbooks enable you to automate tasks, address alerts, and respond to threats and incidents.

Automation also helps accelerate security procedures such as threat hunting and remediation, allowing you to resolve potential risks with minimal steps.

With security automation SOC teams dealing with never-ending alerts can save time by reducing tasks and processes, allowing them to focus on the important signals.

Orchestration

Orchestration enables SOCs to integrate several tools to respond to incidents as a group across their entire environment, even if the data is spread throughout. Orchestration is essential for managing large-scale automation.

Companies can integrate several security tools with SOAR software such as:

Note that security automation streamlines individual activities so they run with less manual effort, whereas security orchestration integrates tools so that they operate together.

Incident response

SOAR’s orchestration and automation capabilities enable it to function as a centralized console for security incident response. Security analysts can utilize SOARs to investigate and resolve events without switching between technologies.

SOARs, like threat intelligence platforms, collect metrics and alerts from external feeds and combine them into a centralized dashboard. Security analysts may use SOAR solutions to:

  • combine data from several sources,
  • filter out false positives,
  • prioritize alerts

SOCs can also use SOAR tools to conduct post-incident audits. For example, SOAR dashboards can help security teams discover how a certain threat infiltrated the network.
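
The combining, filtering and prioritizing steps above, together with the playbook automation described under Automation, can be shown in one place. The following is an added example written for this article (not any vendor’s code): a small triage playbook that takes alerts from a SIEM, an EDR and a cloud source, suppresses a known false positive, folds repeated alerts into one case while they keep arriving within a ten-minute window, and scores the remaining cases by severity, asset criticality, corroboration across sources and repeat count. The alert feed, suppression list, asset inventory and scoring weights are all constructed.

```python
"""Alert triage as a SOAR playbook does it: normalize alerts from several
sources, collapse duplicates, drop known false positives and prioritize.

Added example for this article, not any vendor's code. The alert feed,
suppression list, asset inventory and weights are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set

SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 6, "critical": 10}
ASSET_CRITICALITY = {"dc01": 3.0, "web01": 2.0}      # unknown hosts default to 1.0
DEDUP_WINDOW = timedelta(minutes=10)
# Known false positive: the authorized vulnerability scanner trips port-scan rules.
SUPPRESSIONS = [{"rule": "port_scan", "src_ip": "10.0.5.5"}]

RAW_ALERTS = [  # constructed feed; ts in ISO 8601
    {"source": "siem", "rule": "port_scan", "host": "web01", "src_ip": "10.0.5.5",
     "severity": "medium", "ts": "2025-05-01T09:00:00"},
    {"source": "siem", "rule": "brute_force", "host": "dc01", "user": "svc_backup",
     "severity": "high", "ts": "2025-05-01T09:01:00"},
    {"source": "siem", "rule": "brute_force", "host": "dc01", "user": "svc_backup",
     "severity": "high", "ts": "2025-05-01T09:04:00"},
    {"source": "edr", "rule": "credential_dumping", "host": "dc01", "user": "svc_backup",
     "severity": "critical", "ts": "2025-05-01T09:06:00"},
    {"source": "cloud", "rule": "public_s3_bucket", "host": "aws-acct-1",
     "severity": "medium", "ts": "2025-05-01T09:10:00"},
    {"source": "edr", "rule": "macro_execution", "host": "wks-117", "user": "jdoe",
     "severity": "medium", "ts": "2025-05-01T09:12:00"},
    {"source": "siem", "rule": "brute_force", "host": "dc01", "user": "svc_backup",
     "severity": "high", "ts": "2025-05-01T09:30:00"},   # past the window: new case
]


@dataclass
class Case:
    rule: str
    host: str
    user: Optional[str]
    severity: str
    first_seen: datetime
    last_seen: datetime
    sources: Set[str] = field(default_factory=set)
    count: int = 0
    score: float = 0.0


def is_suppressed(alert: dict) -> bool:
    """A suppression matches when every field it names equals the alert's field."""
    return any(all(alert.get(k) == v for k, v in rule.items()) for rule in SUPPRESSIONS)


def dedupe(alerts: List[dict], window: timedelta = DEDUP_WINDOW) -> List[Case]:
    """Fold repeats of (rule, host, user) into one case while they keep arriving
    within `window` of the previous one; keep the highest severity seen."""
    open_cases, cases = {}, []
    for a in sorted(alerts, key=lambda a: a["ts"]):
        ts = datetime.fromisoformat(a["ts"])
        key = (a["rule"], a["host"], a.get("user"))
        case = open_cases.get(key)
        if case is None or ts - case.last_seen > window:
            case = Case(a["rule"], a["host"], a.get("user"), a["severity"], ts, ts)
            cases.append(case)
            open_cases[key] = case
        case.count += 1
        case.last_seen = ts
        case.sources.add(a["source"])
        if SEVERITY_WEIGHT[a["severity"]] > SEVERITY_WEIGHT[case.severity]:
            case.severity = a["severity"]
    return cases


def prioritize(cases: List[Case]) -> List[Case]:
    """Severity x asset criticality, plus bonuses for independent corroboration
    (two sources on one host) and for repeated firing (capped)."""
    sources_by_host = defaultdict(set)
    for c in cases:
        sources_by_host[c.host] |= c.sources
    for c in cases:
        c.score = SEVERITY_WEIGHT[c.severity] * ASSET_CRITICALITY.get(c.host, 1.0)
        if len(sources_by_host[c.host]) >= 2:
            c.score += 5.0
        c.score += 0.5 * min(c.count - 1, 5)
    return sorted(cases, key=lambda c: (-c.score, c.first_seen))


def triage(alerts: List[dict] = RAW_ALERTS) -> List[Case]:
    """The playbook: suppress, deduplicate, prioritize."""
    return prioritize(dedupe([a for a in alerts if not is_suppressed(a)]))


if __name__ == "__main__":
    for c in triage():
        print(f"{c.score:5.1f} {c.rule:<20} {c.host:<10} x{c.count} {sorted(c.sources)}")
```

The two brute-force cases for dc01 show the window at work: the 09:01 and 09:04 alerts merge, while the 09:30 alert opens a new case. Corroboration adds a flat bonus when two independent sources (here the SIEM and the EDR) report on the same host; tuning those weights is what turns this from an example into a playbook that fits a particular SOC.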

Who should use SOAR systems?

For an organization to implement a SOAR platform successfully, it needs a certain level of maturity: well-documented processes and robust security and IT controls already in place. With immature or undocumented processes, or without skilled staff to build and maintain the playbooks, no SOAR solution will be effective.

Additionally, hiring a skilled security engineer to implement SOAR can be costly, often more expensive than the analysts or roles the platform aims to automate. Thus, if your organization has reached a high IT maturity level and has skilled employees, you can consider investing in a SOAR solution.

A SOAR tool is a good fit especially if your organization meets one or more of the criteria below:

  • Organizations with high alert volumes: Companies that need to automate threat detection and response.
  • Organizations in highly regulated industries: Financial institutions, healthcare providers, and government agencies with compliance requirements such as HIPAA.
  • Organizations with complex IT environments: Companies with multi-cloud or hybrid infrastructures find it difficult to integrate and coordinate responses.

Why should organizations use SOAR systems?

Detecting and responding to security risks earlier reduces the impact of cyberattacks. According to IBM’s 2024 and 2023 research, a shorter data breach lifecycle correlates with lower breach costs. Organizations that suffered a data breach between March 2023 and February 2024 spent ~$1 million less on average when the breach was contained in under 200 days, representing a ~25% saving.4

SOARs help SOCs reduce mean time to detect (MTTD) and mean time to respond (MTTR), so that attacks are identified and contained faster, in the ways described below.

Benefits of SOAR systems

1. Resolving more alerts in less time

Security teams may need to deal with hundreds of security alerts. This causes alert fatigue, and analysts may miss the crucial signals that indicate malicious activity.

SOARs can help manage alerts by centralizing security data and automating responses. This helps organizations:

  • conduct faster incident responses,
  • better utilize their security resources,
  • maintain a robust defense against cyber threats/risks.

As a result, SOCs can handle more alerts while lowering response time.

2. Improved SOC collaboration and communication

SOARs centralize security data and incident response processes, allowing analysts to collaborate on investigations among diverse SOC team members, including:

  • SOC Manager and CISO
  • Analyst and SOC Manager
  • IT and operations manager

3. Automation of repetitive tasks

Security operations involve repetitive, time-consuming tasks, such as threat hunting, incident response, and compliance reporting.

SOARs automate these routine workflows, freeing up security personnel to concentrate on strategic initiatives and high-impact activities.

4. Enhanced security analytics and reporting

SOCs use many tools and data sources, and switching from one tool to another makes it hard for personnel to share a common view of what is happening.

SOARs enhance workflow procedures by generating a unified customizable dashboard with numerous KPIs and data, allowing SOC teams to view every phase of security activities from a single location.

SOARs can provide default or customizable reports such as:

  • Alerts and entities report: Shows the most commonly impacted entities, such as addresses, destination URLs, and hostnames.
  • Analysts’ caseload report: Details the workload that each security analyst manages.
  • Historical threat monitoring report: Summarizes alerts, products, and threat levels.
  • Performance report – handling times: Provides the average time to detect and resolve security incidents.
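
To make the handling-time and caseload reports above concrete, here is an added Python example (not a vendor's reporting code) that derives them from a constructed set of closed incidents. It pins down the definitions the page leaves implicit: MTTD is measured from the earliest attacker activity found in the evidence to the moment an alert fired, and MTTR from that alert to case closure. Incident records, analyst names and entity names are made up for illustration.

```python
"""SOC KPI report from closed incidents: handling times (MTTD/MTTR), analyst caseload
and most-impacted entities. Added example; the incident data below is constructed."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Incident:
    case_id: str
    analyst: str
    entities: tuple[str, ...]  # hosts, IPs or URLs involved in the case
    first_activity: datetime   # earliest attacker activity found in the evidence
    detected: datetime         # when the alert that opened the case fired
    resolved: datetime         # when the case was closed


def _t(s: str) -> datetime:
    """Parse an ISO 8601 timestamp (constructed data uses naive UTC)."""
    return datetime.fromisoformat(s)


# Constructed sample incidents.
INCIDENTS = [
    Incident("C-1", "alice", ("web-01", "203.0.113.10"),
             _t("2025-03-01T08:00"), _t("2025-03-01T09:00"), _t("2025-03-01T13:00")),
    Incident("C-2", "bob", ("web-01", "mail-02"),
             _t("2025-03-02T10:00"), _t("2025-03-02T10:30"), _t("2025-03-02T12:30")),
    Incident("C-3", "alice", ("db-02",),
             _t("2025-03-03T00:00"), _t("2025-03-03T06:00"), _t("2025-03-03T07:00")),
]


def mean_minutes(deltas: list[timedelta]) -> float:
    """Arithmetic mean of a list of durations, in minutes."""
    return sum(d.total_seconds() for d in deltas) / len(deltas) / 60


def handling_times(incidents: list[Incident]) -> dict[str, float]:
    """Performance report: MTTD = first activity -> detection, MTTR = detection -> closure."""
    return {
        "mttd_minutes": mean_minutes([i.detected - i.first_activity for i in incidents]),
        "mttr_minutes": mean_minutes([i.resolved - i.detected for i in incidents]),
    }


def caseload(incidents: list[Incident]) -> dict[str, int]:
    """Analysts' caseload report: number of cases handled per analyst."""
    return dict(Counter(i.analyst for i in incidents))


def top_entities(incidents: list[Incident], n: int = 3) -> list[tuple[str, int]]:
    """Alerts and entities report: the most commonly impacted hosts and addresses."""
    return Counter(e for i in incidents for e in i.entities).most_common(n)


if __name__ == "__main__":
    print(handling_times(INCIDENTS))
    print(caseload(INCIDENTS))
    print(top_entities(INCIDENTS))
```

Note that MTTD depends on the investigation establishing `first_activity`; if a platform only records the alert time, its "time to detect" figure is really time from alert to acknowledgement and will understate dwell time, so check which definition a vendor's performance report uses before comparing numbers.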

How was the SOAR list picked?

When selecting the SOAR solutions, we assessed vendors using the following criteria:

Customer usage:

  • To get a holistic view of each software’s focus area, we gathered feedback directly from end customers and reviewed detailed customer case studies, testimonials, and end-user reviews on platforms such as Reddit. 5

Features:

Vendors that offer:

  • Security information and event management (SIEM): Tools that can centralize the collection and analysis of security data.
  • User and entity behavior analytics (UEBA): Tools that help detect anomalous user behavior.
  • Mobile app availability: We checked whether vendors offer mobile apps that let users track, update, monitor, and close alerts.
  • Broad OS log support: We included vendors offering extensive log collection from Unix, Linux, MacOS, and Windows.
  • Connectors: We included vendors with 300+ connectors (e.g. ManageEngine Log 360 (750+)).
  • Playbooks: When considering SOAR solutions, we picked providers that have:
    • pre-built playbooks that enable teams to deploy threat responses quickly without creating workflows from scratch.
    • and customizable playbooks that enable teams to create workflows tailored to their environment, addressing complex scenarios that pre-built playbooks may not cover.

Integrations:

Vendors that offer:

  • Broad log management integrations: Effective log management is crucial for comprehensive security visibility and quick incident response (e.g. IP blocking). We picked solutions that offer broad firewall log management integrations with leading vendors including Palo Alto Networks, Barracuda, Sophos, Cisco, Fortinet, and ManageEngine.
  • At least one cloud security integration: Cloud security solutions can provide comprehensive visibility and threat detection. We selected solutions that offer multiple third-party threat intelligence integrations (e.g. ThreatConnect, Citrix Analytics).
  • Broad SOAR enrichment integrations/support: We selected software that offers a combination of the following integrations:
    • Data loss prevention (DLP) for detecting potential data breaches/data exfiltration.
    • Endpoint detection and response (EDR) for automated investigation and remediation of endpoint-based threats.
    • Identity and access management (IAM) for managing user access controls.
    • Ticketing and IT service management (ITSM) for automatically generating and managing incident tickets.
    • MITRE ATT&CK framework for classifying and describing cyberattacks and intrusions.
    • Threat intelligence feeds for streaming data about cyber threats such as malware and zero-day attacks.
    • Vulnerability management systems for vulnerability scanning, assessment, prioritization, and remediation.
    • Network security software
    • Email security solutions

Adil is a security expert with over 16 years of experience in defense, retail, finance, exchange, food ordering and government.
Mert Palazoglu is an industry analyst at AIMultiple focused on customer service and network security with a few years of experience. He holds a bachelor's degree in management.
