Security Orchestration, Automation and Response (SOAR) Tools

Security Orchestration, Automation and Response (SOAR) Tools Overview

What are Security, Orchestration, Automation and Response (SOAR) Tools?

Security, Orchestration, Automation and Response (SOAR) tools are software that automate security workflows or provide instructions (playbooks) for repeatable security operations tasks. These playbooks ensure that response operations remain consistent with policy and are executed with minimal error. In achieving this, SOAR tools include or ingest information from SIEM, security operations analytics tools, and security forensic tools for post-incident analysis and process improvement. Their functionality overlap with Incident Response Platforms, which also provide playbooks for security operations, but with an emphasis on particular rare but damaging cases (i.e. incidents) rather than recurring operations.

SOAR tools have two core functions. The orchestration process takes security data inputs and determines what operations should be activated in response to the data. The actions that the SOAR tool can take are determined by the security systems it’s connected to and how robust an operations playbook the organization/SOC team has provided the system. The automation functionality ensures the appropriate actions taken based on this playbook without requiring SOC team intervention.

Security, orchestration, automation and response tools are most heavily used by large organizations and enterprises. These scaled businesses tend to have a large number of security systems and recurring security actions that need to be taken. SOAR tools centralize the repeatable actions that need to be taken across these disparate systems that would otherwise require manual activities.

SOAR tools provide a range of benefits. The two primary benefits are scalability and analyst productivity. By automating repeatable security actions, a high volume of tasks are taken off SOC teams’ workloads. This reduces human error in remediation efforts and improves Mean-Time-To-Respond (MTTR). SOAR products also improve analyst productivity by allowing analysts to focus on more specialized tasks and value-add activities.


SOAR and Security Information and Event Management (SIEM) systems are closely related but distinct products at their cores. SIEM systems focus on intaking security data, most commonly in the form of logs, and aggregates or normalizes that data into events. SOAR tools would then take that data and use it to determine what operations, if any, are necessary in response to a given event. The tools serve different functions, but are each necessary for a comprehensive, automated security posture.

Since SOAR relies so heavily on SIEM for usable data, an organization’s SIEM and SOAR should be closely integrated. Some Next-Gen SIEMs also include SOAR capabilities natively, consolidating multiple steps in the security process into a single system. There are also plenty of standalone SOAR tools for organizations looking for a point solution.

SOAR Tools Comparison

When comparing different SOAR tools, consider these factors:

  • Standalone SOAR vs. Security Suite: Does the business need a full suite of security solutions, or just a standalone SOAR product? The latter will suffice if an SIEM and related products are already in place. If businesses are looking for more than a standalone solution, a Next-Generation SIEM may be able to deliver all of the features needed in a single platform.

  • Playbook Management: Consider how easy the operations rules can be established and managed over time. Ongoing maintenance and updates in the face of new policies and data can heavily impact long-term manageability.

  • Reporting: How easily can analysts report on events, data, and results of playbooks operations?

Start a SOAR comparison here

Security Orchestration, Automation and Response (SOAR) Products

(1-25 of 28) Sorted by Most Reviews

LogRhythm NextGen SIEM Platform

The LogRhythm NextGen SIEM Platform, from LogRhythm in Boulder, Colorado, is security information and event management (SIEM) software which includes SOAR functionality via SmartResponse Automation Plugins (a RespondX feature), the DetectX security analytics module, and AnalytiX…

Key Features

  • Custom dashboards and workspaces (20)
  • Centralized event and log data collection (19)
  • Event and log normalization/management (20)
KnowBe4 PhishER

KnowBe4 offers PhishER as a simple and easy-to-use web-based platform with critical functionality that serves as a phishing emergency room to identify and respond to user-reported messages. With automatic prioritization for emails, PhishER helps InfoSec and Security Operations team…

D3 Security

D3 Security in Vancouver provides a platform for security orchestration, automation, incident response, as well as investigation and case management. Core components of the D3 platform include integrations with SIEM and threat intelligence platforms, a NIST-compliant playbook library,…

FireEye Helix

FireEye Helix is a SIEM solution providing a non-malware threat detection solution.

IBM Resilient Security Orchestration, Automation and Response (SOAR)

IBM Security Resilient, a Security Orchestration, Automation, and Response (SOAR) platform, which the vendor states is designed to help security teams respond to cyber-threats with confidence, automate with intelligence, and collaborate with consistency. It captures and codifies…


5th Column headquartered in Chicago provides the security orchestration & operations platform BOSS. They state the solution is designed to remove concerns and cyber distractions and enable users to re-focus on business objectives. The platform supports real-time threat identification,…

FireEye Security Orchestrator

The vendor states Security orchestration and automation helps users improve response times, reduce risk exposure and maintain process consistency across a security program. Being able to simplify security operations means being able to prioritize alerts, improve staff efficiencies…

LogicHub SOAR+

Security automation for the entire threat lifecycleAutomate repetitive, time consuming and mundane security tasks to free security analysts to focus on higher value security activities. End-to-end automation and orchestration enables SOC teams by automating threat analysis and detection…


Siemplify provides a holistic security operations platform designed to empower security analysts to work smarter and respond faster. Siemplify combines security orchestration and automation with contextual investigation and case management to deliver what they describe as intuitive,…


Ayehu headquartered in San Jose helps IT and Security professionals to identify and resolve critical incidents, simplify complex workflows and maintain greater control over IT infrastructure through automation.


TEHTRIS, headquartered in Pessac, offers their eponymous XDR platform, providing the XDR infrastructure to bring together several security solutions within a single platform, capable of detecting and responding to security incidents.

DFLabs IncMan

Italian company DFLabs offers IncMan, their flagship security automation and orchestration platform emphasizing rapid incident detection, a higher proportion of incidents receiving response, and faster incident response time.

Rapid7 InsightConnect

Rapid7 offers InsightConnect, a SOAR solution that integrates with existing solutions to orchestrate vulnerability management processes from notification to remediation, so users can ensure critical issues are being addressed with every security advisory that comes in—while leaving…

Vulcan Cyber

Vulcan Cyber is a vulnerability remediation orchestration platform that coordinates teams, tools and tasks to successfully eliminate exposure and risk. Vulcan Cyber does this by automating critical vulnerability management tasks. Vulcan's data collection aggregates data from scanning…

ServiceNow Security Operations

Built on the Now Platform, the ServiceNow Security Operations application bundle, available in the Standard, Professional, and Enterprise bundles, supports SecOps with security orchestration, automation and response (SOAR) platform. Higher tier plans integrating ServiceNow's own…

LogRhythm NetworkXDR

LogRhythm NetworkXDR is a focused NDR solution that detects advanced network-borne threats in real-time and features integrated security orchestration, automation, and response (SOAR) capabilities for investigation and response. It offers immediate value and ease of use without requiring…


SIRP, from SIRP Labs in London, is described by the vendor as a risk-based security orchestration, automation & response (SOAR) Platform.


Pathlock is an access orchestration solution that supports companies becoming Zero Trust by surfacing violations and taking action to prevent loss. With Pathlock, enterprises can manage all aspects of access governance in a single platform, including user provisioning and temporary…

ThreatConnect SOAR

ThreatConnect, from the company of the same name in Arlington, is described by the vendor as an Intelligence-Driven Security Operations Platform with both Security Orchestration Automation and Response (SOAR) and Threat Intelligence Platform (TIP) capabilities. They state ThreatConnect…


Swimlane headquartered in Louisville offers their cyber security automation, orchestration and response (SAOR) platform focusing on incident response and remediative action.

RSA NetWitness Orchestrator

RSA Security provides security orchestration and automation (SOAR) capabilities via RSA NetWitness Orchestrator. The vendor states it is supported by hundreds of preconfigured and customizable playbooks, and that RSA NetWitness Orchestrator empowers teams to collaborate, streamline…

Securonix SOAR

Securonix SOAR helps organizations accelerate incident response to make security operations more efficient through automation, workflow standardization, and integrations with existing security tools.


Transposit headquartered in San Francisco aims to unify incident management and operations, leveraging bi-directional integrations and workflow automations to increase uptime and simplify daily life for engineering teams, supplying "human-in-the-loop" SecOps automation. Transposit’…

Huntsman Next Gen SIEM SOAR (Analyst Portal)

Australian company Huntsman Security offers Next Gen SIEM SOAR (or Analyst Portal), a solution that when integrated with Huntsman Security’s Next Gen SIEM technology, the security orchestration and automated response capabilities of the Analyst Portal creates "Next Gen SIEM SOAR.…

FortiSOAR (formerly Cybersponse)

CyberSponse was a security orchestration, automation and response (SOAR) solution, now known as FortiSOAR. Fortinet acquired and now supports the solution (December 2019).

Frequently Asked Questions

What is security orchestration?

Security orchestration centrally determines what actions need to be taken across multiple security systems in response to a given event.

What is a SOAR system used for?

A SOAR system takes security data and determines what repeatable operations need to be taken in response to a particular security event.

What’s the difference between SOAR and SIEM?

SIEM focuses on collecting and managing security data, while SOAR takes the data output from the SIEM and determines what actions should be taken in response.

Why do I need SOAR?

SOAR is necessary if there are a number of recurring security actions being taken manually that are limiting the SOC team’s productivity and MTTR.