What is SOAR?

SOAR is an acronym for Security Orchestration, Automation and Response. As a collection of security software platforms, tools and technologies, SOAR enables organisations like your own to better monitor events in your systems and coordinate the inputs taken by your security operators.

What SOAR looks like in practice are any tools which allow your organisation to define and identify incidents along with the response procedures within a predetermined digital workflow. Pulling data from a variety of sources and by leveraging human and machine power, SOAR tools rely on automation to empower your decision makers to respond faster and more efficiently to real time threats and incidents in your systems.

How does SOAR differ from other tools?

SOAR platforms are defined by three main capabilities: threat and vulnerability management, security incident response, and security operations automation.

The threat and vulnerability management falls under the orchestration aspect of SOAR in that it points to the specific technologies that help isolate and amend cyber threats. In particular, security orchestration allows for the integration of both internal and external tools via their APIs. Examples of systems could include vulnerability scanners or security and event management (SIEM) platforms. As more data is shared and collected, the probability of early threat detection also rises.

The security operations automation aspect, on the other hand, points to the technologies that rely on machine power to automate your operations. Where previously every task would be handled by either an analyst or separately, they can now be standardised and automatically executed using machine learning and other automated features. In other words, security automation in this context receives the data from the security orchestration and then processes it automatically, saving your organization precious time and manpower.

And lastly the security incident response aspect points to your team's abilities to not only flag and identify threats, but take the appropriate action in minimising their presence. With SOAR, your security operators benefit from having a centralised platform that provides a comprehensive view of your security planning, managing, monitoring and reporting.

Gartner has defined SOAR as a convergence of Security incident response platforms (SIRPs), Security orchestration and automation (SOA), and Threat intelligence platforms (TIPs).

Source: Market Guide for Security Orchestration, Automation and Response Solutions

Published 21 September 2020

Why choose SOAR over over security tools or platforms?

SOAR platforms have proven themselves to be beneficial to organisations for various reasons. However, the automation component is perhaps the greatest asset that SOAR can bring to the table for your organisation's security.

Growth in SOAR can be attributable to several factors mainly related to an increase in the number of alerts as attack surface grow. This drove the demand for hiring security analysts, which in turn became harder due to skills shortages, thereby, significantly increasing cost to operate a security operations center (SOC).

Some of the compelling benefits of SOAR and particularly its automation capabilities include:

  • Automate your response workflows, effectively saving time and man hours that can be allocated to higher priority tasks such as triaging incidents.
  • Consolidate your incident management processes and standardise your response workflows, ensuring your team can respond to any incidents quickly and efficiently.
  • Allow for centralised asset monitoring and management.
  • Enrich alerts with contextual specifics about each incident, again saving time for your team during their triage and investigations.
  • Automate certain responses to again free up resources and ensure quick handling of incidents.

What are the challenges to building a SOAR automation?

Integration is the number one challenge. As the attack surface grows, the number of applications or tools required continues to expand at staggering pace. We pointed out in our last blog that on average, small enterprises use anywhere from 15 and 20 tools, medium-sized businesses are typically using 50 to 60, and enterprises are using over 130 security tools. It is therefore essential for SOARs to build integrations at scale, and more importantly update and maintain the integrations for API changes and version upgrades.

Designing custom playbook is essential to make analysts more effective. Playbooks must constantly evolve and content must be kept relevant to make any SOAR effective. The challenge to maintain and upgrade content is not trivial.


In summary, SOAR platforms provide ample benefits for any organisation. Integrating multiple components and automating various components and tools works towards maximising the efficiency of your organisation’s incident monitoring, reporting and responding, while also freeing up resources and human bandwidth.

Considering venturing into SOAR? Metron has experience integrating multiple security platforms, technologies, and tools. If you are considering any custom cybersecurity solution that focuses on the resources and needs of your organisation, please send a note to friends@metronlabs.com.