
5/12/2020 Gartner Reprint

Licensed for Distribution

Market Guide for Security Orchestration, Automation and Response Solutions
Published 27 June 2019 - ID G00389446 - 26 min read

By Analysts Claudio Neiva, Craig Lawson, Toby Bussa, Gorka Sadowski

SOAR solutions are gaining visibility and real-world use driven by early adoption to improve
security operations centers. Security and risk management leaders should start to evaluate how
these solutions can support and optimize their broader security operations capabilities.

Overview
Key Findings
■ The SOAR technology market aims to converge security orchestration and automation (SOA),
security incident response (SIR) and threat intelligence platform (TIP) capabilities into single
solutions.

■ Early adopters of SOAR technologies have been organizations and managed security service
providers with mature security operations centers (SOCs) that understood the benefits of
incorporating SOAR capabilities into their operations. However, use cases implemented by early
adopters have not evolved over the last 12 months and are stuck in a rut, limiting the long-term
potential for SOAR in security operations.

■ SOAR solutions are not “plug-and-play.” Even though solutions have a library of out-of-the-box use
cases and integrations, buyers are reporting multiweek professional services engagements to
implement their initial use cases, as every organization’s processes and technologies deployed are
different.

■ Orchestration and automation are starting to be localized in point security technologies, usually in
the form of predefined, automated workflows. This is not the same as a full-featured SOAR
solution.

Recommendations
Security and risk management leaders overseeing security operations should:

Prepare
■ Prepare for their SOAR implementations by having a starting set of defined processes and
workflows that can be implemented. Out-of-the-box plays and integrations are a starting point but
can rarely be implemented without some customizations.

https://www.gartner.com/doc/reprints?__hstc=258496277.950c02cd6949865c8106a346c483e9d1.1589294788449.1589294788449.1589294788449.1&__hssc=2584… 1/17

■ Plan for the implementation and the ongoing operation and administration of SOAR tools by using
a mix of professional services and internal resources.

■ Put a contingency plan in place in the event the SOAR tool is acquired by another vendor.
Acquisitions are occurring with some frequency as the market evolves. Buyers should be prepared.

Strategic Planning Assumption

By year-end 2022, 30% of organizations with a security team larger than five people will leverage
SOAR tools in their security operations, up from less than 5% today.

Market Definition
This document was revised on 3 July 2019. The document you are viewing is the corrected version.
For more information, see the Corrections page on gartner.com.

Gartner defines security orchestration, automation and response (SOAR) as technologies that enable
organizations to take inputs from a variety of sources (mostly from security information and event
management [SIEM] systems) and apply workflows aligned to processes and procedures. These can
be orchestrated via integrations with other technologies and automated to achieve a desired
outcome and greater visibility. Additional capabilities include case and incident management
features; the ability to manage threat intelligence, dashboards and reporting; and analytics that can
be applied across various functions. SOAR tools significantly enhance security operations activities
like threat detection and response by providing machine-powered assistance to human analysts to
improve the efficiency and consistency of people and processes.

Most SOAR tools are still strongest in their original “home offerings,” which are security incident and
response platforms (SIRPs), security orchestration and automation (SOA), and threat intelligence
platforms (TIPs). Currently, the most common use case for SOAR by an organization is to define
incident analysis and response procedures in a digital workflow format — such as plays in a security
operations playbook. Additionally, these tools facilitate the use and operationalization of threat
intelligence in security operations, which enhances the ability to predict, prevent, detect and respond
to the prevailing threat landscape that a company faces.

Market Description
To understand the evolving SOAR market, it is necessary to define the specific terms used — namely,
orchestration and automation — in the context of security operations:

■ Aggregation: The ability to aggregate/ingest data across sources. This may take the form of alerts,
signals or other inputs from other technologies such as an alert from a SIEM tool or an email sent
to a group mailbox. Other data that is ingested may include user information from an identity and
access management (IAM) tool or threat intelligence from multiple sources.

■ Enrichment: Whether after incident identification or during data collection and processing, SOAR
solutions can help integrate external threat intelligence, perform internal contextual look-ups or run
processes to gather further data according to defined actions.

■ Orchestration: The complexity of combining resources involves coordination of workflows with
manual and automated steps, involving many components and affecting information systems and
often humans as well.

■ Automation: This concept involves the capability of software and systems to execute functions on
their own, typically to affect other information systems and applications.

■ Response: Manual or automated response provides canned resolution to programmatically
defined activities. This includes activities from a basic level — ticket creation in an IT service desk
application — to more advanced activities like applying some form of response via another security
control, like blocking an IP address by changing a firewall rule. This functionality is the most
impactful, but also applies to the most complex use cases.

Buyers are expressing demand for SOAR for several reasons:

■ Staff shortages: Due to staff shortages in security operations, clients describe a growing need to
automate repeatable tasks, streamline workflows and orchestrate security tasks resulting in
operational scale. For instance, if you have a team, SOAR can give them more reach — but this is
not a tool to get instead of a team. Also, organizations need the ability to demonstrate to
management the organization’s ability to reduce the impact of inevitable incidents.

■ Continued evolution of threats and increases in volume: As organizations consider threats that
destroy data and can result in disclosure of intellectual property and monetary extortion, they
require rapid, consistent, continuous and more frequent responses with fewer manual steps.

■ Improving alert triage quality and speed: Security monitoring systems (such as SIEMs) are known
to cost a significant amount to run and generate a high number of alerts, including many found to
be “false positives” or simply not relevant after additional investigation. Security and risk
management leaders then treat alert triage in a very manual way, which is subject to mistakes by
the analysts. This leaves real incidents ignored. SOAR helps improve the signal-to-noise ratio by
automating the repeatable, mundane aspects of incident investigation. This creates a positive
situation where analysts can spend more time investigating and responding to an event instead of
spending most of their time collecting all the data required to perform the investigation.

■ Need for a centralized view of threat intelligence: A large number of security controls on the
market today benefit from threat intelligence. SOAR tools allow for the centralized collection,
aggregation, deduplication, enrichment of existing data with threat intelligence and, importantly,
conversion of intelligence into action.

■ Reducing time to respond, contain and remediate: Organizations are dealing with increasingly
aggressive threats, such as ransomware, where rapid response of only minutes at best is required
in order to stand a chance of containing the threat that is spread laterally in your environment. This
scenario forces organizations to reduce the time they take to respond to those incidents, typically
by delegating more tasks to machines. Reducing the response time, including incident
containment and remediation, is one of the most effective ways to control the impact of security
incidents. Like a brush fire, the sooner you can get to it, the smaller it is, and therefore the easier it
is to put out.

■ Reducing unnecessary, routine work for the analysts: SOC analysts are often working with
multiple tools. They are looking at a stream of row and column SIEM console alerts, threat
intelligence (TI) service portals for information about the entities involved, and endpoint detection
and response (EDR) for context on what is happening on the affected endpoint. They may even be
using workflow tools to control the triage and investigation processes.

SOAR supports multiple activities for security operations decision making such as, but not limited to,
the following:

■ Prioritizing security operations activities: Use of a SOAR solution requires organizations to
consider questions about their processes. Which are most critical? Which ones consume the most
staff time and resources? Which ones would benefit from automation? Where do we have gaps in
our documented procedures? The preparation and planning for SOAR, and its ongoing use, help
organizations prioritize and manage where orchestration and automation should be applied and
where it can help improve response. This response can then lead to improvements in security
operations and showing a demonstrable impact on business operations (e.g., faster time to detect
and respond to threats that could impact business operations and optimization of security
operations staff and budget).

■ Formalizing triage and incident response: Security operations teams must be consistent in their
responses to incident and threats. They must also follow best practices, provide an audit trail and
be measurable against business objectives.

■ Automating response: Speed is of the essence in today’s threat landscape. Attacks are increasing
in speed (e.g., ransomware is now being automated to spread with worm functionality), but
security operations are not automated. Having the ability to automate response action offers SOC
teams the ability to quickly isolate/contain security incidents. Some responses can be fully
automated, but at this time many SOAR users still inject a human to make the final decision.
However, even this reduces the mean time to respond for the organization compared to being fully
dependent on “human power.”
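The pipeline the Market Description defines (aggregation, enrichment, orchestration, automation, response) and the human-approval gate described under “Automating response” above, shown as an added Python example that is not part of the Gartner guide or of any vendor's product. The SIEM alert, the threat-intelligence entry, the IAM directory and the firewall are constructed in-memory stand-ins, and every function and field name here is an assumption rather than a real product API.

```python
"""Toy SOAR playbook: aggregation -> enrichment -> orchestration -> automation -> response.

Constructed example. The alert, threat-intel list, IAM directory and firewall are
in-memory stand-ins, not real product integrations.
"""
from dataclasses import dataclass, field

# --- Constructed stand-ins for the integrated tools (addresses are RFC 5737 test ranges) ---
THREAT_INTEL = {"203.0.113.45": {"malicious": True, "tags": ["c2"]}}       # TIP lookup table
IAM_DIRECTORY = {"jdoe": {"department": "finance", "privileged": False},  # IAM user context
                 "svc-backup": {"department": "it", "privileged": True}}


class Firewall:
    """Stand-in for a firewall API; records block rules instead of touching a device."""
    def __init__(self):
        self.blocked = []

    def block_ip(self, ip):
        self.blocked.append(ip)
        return f"deny src {ip}"


@dataclass
class Case:
    """Case record: the ingested alert, gathered context, planned actions and an audit trail."""
    alert: dict
    context: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)
    actions: list = field(default_factory=list)
    status: str = "open"

    def log(self, step, detail):
        self.audit.append(f"{step}: {detail}")


# --- Playbook steps -------------------------------------------------------------------------
def aggregate(siem_alert):
    """Aggregation: ingest a SIEM alert into a case (other sources would be merged here)."""
    case = Case(alert=siem_alert)
    case.log("aggregate", f"ingested {siem_alert['id']} from {siem_alert['source']}")
    return case


def enrich(case):
    """Enrichment: TIP lookup on the source IP and IAM lookup on the user involved."""
    ip, user = case.alert["src_ip"], case.alert["user"]
    ti = THREAT_INTEL.get(ip, {"malicious": False, "tags": []})
    identity = IAM_DIRECTORY.get(user, {"department": "unknown", "privileged": False})
    case.context.update(threat_intel=ti, identity=identity)
    case.log("enrich", f"ti_malicious={ti['malicious']} privileged={identity['privileged']}")
    return case


def orchestrate(case):
    """Orchestration: decide which actions the workflow needs and whether a human must approve."""
    malicious = case.context["threat_intel"]["malicious"]
    privileged = case.context["identity"]["privileged"]
    if not malicious:
        case.status = "closed-benign"
        case.log("orchestrate", "no TI match; closing as benign")
        return case
    case.actions.append(("ticket", case.alert["id"]))
    # Blocking is the high-impact step: require analyst approval when a privileged account is involved.
    case.actions.append(("block_ip", case.alert["src_ip"], "needs_approval" if privileged else "auto"))
    case.status = "pending"
    case.log("orchestrate", f"planned {len(case.actions)} actions")
    return case


def respond(case, firewall, approve=lambda action: False):
    """Automation/Response: execute planned actions; 'approve' is the analyst decision callback."""
    results = []
    for action in case.actions:
        if action[0] == "ticket":
            results.append(f"ticket opened for {action[1]}")
        elif action[0] == "block_ip":
            if action[2] == "needs_approval" and not approve(action):
                case.log("respond", f"block of {action[1]} awaiting analyst approval")
                continue
            results.append(firewall.block_ip(action[1]))
    case.status = "resolved" if len(results) == len(case.actions) else "awaiting-approval"
    case.log("respond", f"{len(results)} of {len(case.actions)} actions executed")
    return results


def run_playbook(siem_alert, firewall, approve=lambda action: False):
    """Run the whole play; the analyst callback defaults to 'not approved' so nothing risky auto-fires."""
    case = orchestrate(enrich(aggregate(siem_alert)))
    if case.status == "pending":
        respond(case, firewall, approve)
    return case


# Constructed SIEM alert (not captured from any real system).
SAMPLE_ALERT = {"id": "SIEM-1001", "source": "siem", "src_ip": "203.0.113.45", "user": "jdoe"}

if __name__ == "__main__":
    fw = Firewall()
    case = run_playbook(SAMPLE_ALERT, fw)
    print(case.status, fw.blocked)
    print("\n".join(case.audit))
```

Running the module as written blocks the malicious address automatically because the account is unprivileged; changing the user to `svc-backup` leaves the block pending until the `approve` callback returns true, which is the "human makes the final decision" pattern the guide describes. The audit list on the case is the trail that the "Formalizing triage and incident response" point asks for.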

Market Direction
In 2015, Gartner described SOAR (which was then considered “security operations, analytics and
reporting”) as resources that utilized machine-readable and stateful security data to provide
reporting, analysis and management capabilities to support operational security teams. In 2017, as
this market matured, Gartner observed three previously distinct technologies converging: security
orchestration and automation (SOA), security incident response platforms (SIRPs), and threat
intelligence platforms (TIPs), as depicted in Figure 1.

Figure 1. SOAR Types

This convergence is still valid in 2019, with vendors increasingly adding features from areas of SOAR
other than the area from which they first started. The acquisitions that happened in the last two
years, however, may expand the use of such solutions to a broader scope. For example, after the
acquisition of Phantom by Splunk, SOAR may become embedded into its SIEM and also used for IT
operations use cases such as infrastructure monitoring, application performance monitoring and
troubleshooting. SOAR selection in 2019 and beyond is being driven by use cases such as:

■ SOC optimization

■ Threat monitoring and response

■ Threat investigation and response

■ Threat intelligence management


Several major acquisitions have occurred in the last several years, as shown in Table 1.

Table 1: SOAR Acquisitions

Month/Year       Acquisitions
February/2016    FireEye (Helix) acquired Invotas
April/2016       IBM acquired Resilient Systems
June/2016        ServiceNow acquired Brightpoint Security
June/2017        Microsoft acquired Hexadite
July/2017        Rapid7 acquired Komand
February/2018    Splunk acquired Phantom Cyber
February/2019    Palo Alto Networks acquired Demisto

Source: Gartner (June 2019)

The Future of SOAR

Numerous acquisitions have been occurring consistently for three years. Vendors are looking to build
a “security platform” to add SOAR to, either natively or via acquisition, suggesting that more
acquisitions are a real possibility. This scenario requires buyers’ attention to create a contingency
plan in case their SOAR tool is acquired by another vendor. At the same time, SOAR products must be
vendor-agnostic to maintain value due to integration. The reality will more likely be that for some time
independent solutions will continue to do a better job with their singular focus on roadmap execution
and better treatment of being “vendor neutral” with available integrations.

SOAR can be the central hub for an organization to achieve several goals: monitoring the event from
SIEM or other security controls; orchestrating different security products to construct the context;
helping prioritize multiple concurrent items and incidents; and then driving response.

It’s still early days for SOAR (see “Innovation Insight for Security Orchestration, Automation and
Response” and “Preparing Your Security Operations for Orchestration and Automation Tools”).
However, the promise of improving the efficiencies and consistencies of SOC activities, as well as
being able to offer more customized processes to managed security service (MSS) customers, is
compelling. Some managed security service providers (MSSPs) have adopted SOAR technologies in
earnest and have embedded them at the core of their delivery platforms. Based on conversations
with SOAR technology vendors and MSSPs, we expect most MSSPs to adopt and embed SOAR
capabilities over the next three years.

Other vendors are exploring the ability to work with not just traditional technologies but also cloud
security and even nonsecurity use cases. For instance, during the creation of a new workload in the
cloud without proper authorization, the playbook would notify operations and security and isolate (or
delete) the workload until it is properly approved. Gartner recognizes the potential of using the
orchestration and automation capabilities outside of security use cases, but this is not really among
the reasons that Gartner clients are implementing SOAR.

Use cases will continue to determine the capabilities that are important for each organization. For
example, in the case of incident response, case management is highly valued by Gartner clients, but
there are organizations that consider themselves ticket-driven companies. In that case, the
organization is not willing to give up its ticket system, making case management irrelevant for that
specific enterprise.

SOAR solutions with a broader scope of use cases will require role-based access control (RBAC)
capabilities to allow segregation of duties as well as views of information.

Market Analysis
The SOAR market is still an emerging market, as examined in “Emerging Technology Analysis: SOAR
Solutions,” and it is forecast to grow up to $550 million in the five-year (2018-2023) time frame (see
“Forecast Analysis: SOAR, Worldwide”). Gartner clients are still lagging in their incident response (IR)
capabilities and are asking for other solutions that would help them to improve their IR. Many
organizations implement SOAR tools with use cases primarily focused on making their SOC analysts
more efficient such that they can process more incidents while having more time to apply human
analysis and drive response actions much quicker. Historically, they were not aware of the existence
of these types of solutions. There are now more clients aware of SOAR solutions, which is fueling
further adoption. This awareness is broadening; even SOAR vendors claim to have less work
evangelizing about the technology and more conversations about their capabilities and
differentiators. However, improving detection and response activities is just one of several
opportunities for the use of SOAR tools to support security operations activities.

Since SOAR is often used as an umbrella term that covers security operations, security incident
response and threat intelligence, many vendors are driving their existing solutions in the fight for
market leadership.

Clients should recall that the selection of the right product will depend on the use cases.
For example, some vendors can ingest security events from a SIEM and apply enrichment to promote
better triage capabilities, which include threat intelligence correlation but lag in case management. In
such cases, an integration with an external case management system would be imperative to fulfill
the incident response needs.

For the security operations use case — often the main purpose of a SOAR solution (see Figure 2) —
an organization must have mature processes to be successful (see “Make Sure Your Organization Is
Mature Enough for SOAR”). Security and risk management leaders should have an SOC with well-
established processes and verify the level of API integration that would be possible with their current
security toolset.

Figure 2 reflects the use of the continuous adaptive risk and trust assessment (CARTA) strategy for
continuous monitoring and visibility, which includes a continuous set of activities that can be
performed by an SOC team by using SOAR technology. CARTA’s value is that it is continuous, and one
element helps and informs other elements, allowing for continuous improvement in your organization’s
ability to improve both security posture and digital resilience.

Figure 2. SOAR Overview


Another aspect of the SOAR market is the pricing models that exist. The most common models are
based on number of analysts (named), number of events and three tiers (each tier will determine
which capabilities are available). For more information, see “Negotiate a Favorable Contract for
Security Event Monitoring Technologies by Analyzing Licensing Models.”

The most common models are based on:

■ The number of (named) analysts using the tool

■ The number of events coming to the SOAR

■ The number of playbooks or actions the SOAR will perform

■ A tiered approach with higher tiers unlocking additional functionality and value

Gartner clients have systematically expressed frustration with pricing models that are hard to predict.
It is very hard on 1 January to know how many events will hit the SOAR, or how many
actions/playbooks the SOAR will do for the whole year.

Representative Vendors
The vendors listed in this Market Guide do not imply an exhaustive list. This section is intended to
provide more understanding of the market and its offerings.

Market Introduction
A list of vendors is provided below. It is not, nor is it intended to be, a list of all vendors or offerings on
the market or a competitive analysis of the vendors’ features and functions (see Note 1). This is also
not a definitive list of each provider’s services.

Table 2: Representative Vendors in the Security Orchestration, Automation and Response Market

Vendor           Product, Service or Solution Name
ATAR Labs        ATAR
Ayehu            Ayehu NG Platform
Cyberbit         SOC 3D
CyberSponse      CyOPs
D3 Security      D3 SOAR
Demisto          Demisto Enterprise
DFLabs           IncMan
EclecticIQ       EclecticIQ Platform
IBM              Resilient
Splunk           Phantom
Rapid7           InsightConnect
Resolve          Resolve
ServiceNow       Security Operations
Siemplify        Siemplify
Swimlane         Swimlane
Syncurity        IR Flow
ThreatConnect    ThreatConnect
ThreatQuotient   ThreatQ

Source: Gartner (June 2019)

Vendor Profiles
ATAR Labs
Founded in 2017 in Turkey, ATAR helps manage SOC activities by offering three main capabilities:
playbooks and automation, incident management, and SOC analytics. ATAR provides comprehensive
automation and tight SIEM integrations. ATAR also has capabilities to monitor key performance
indicators (KPIs) via customizable dashboards.

Ayehu
Founded in 2007, the Ayehu NG platform is a web-based IT automation and orchestration solution for
security and IT operations. Its key features are playbook scheduling, enabling selective alerts to
support remote control of incidents, audit trail generation, rollback of changes to workflows and role-
based access to workflows in order to maintain access segregation for both teams (IT and security).
Also, Ayehu NG uses machine learning to suggest playbooks and creation of rules. In addition, Ayehu
NG bridges the gap between IT and security operations (network operations center [NOC] and SOC),
streamlining automated workflow processes and tasks, and resolving IT and security alerts and
incidents to improve SLAs.

Cyberbit
Founded in 2015 as a spinoff of Elbit Systems, Cyberbit delivers SOAR through its SOC 3D platform.
SOC 3D is based on three major capabilities: orchestration, automation and big data investigation,
and includes a playbook builder for playbook creation and editing. Cyberbit also offers Cyberbit
Range for training and simulation, SCADAShield and SCADAShield Mobile for OT visibility and
detection of threats, and Cyberbit Endpoint Detection and Response (EDR) for endpoint detection and
response. These products can optionally integrate with the SOAR platform for IT/OT detection and
response.

CyberSponse
Founded in 2011, CyberSponse is one of the few cybersecurity companies that is bootstrapped, with
no outside investor or investment firm. Their current CyOps SOAR tool focuses mainly on incident
response orchestration and automation, vulnerability management, fraud automation, and case
management. Included within its playbook automation are some TIP features. CyOps has more than
275 out-of-the-box connectors and 200 out-of-the-box playbooks utilizing all major vendors and
technologies.

D3 Security
Founded in 2002 to support incident/case management for security and privacy, D3 Security emerged
in 2004 with a focus on incident response. D3 Security is self-funded by its founders with no outside
investment. Today, D3 Security offers a SOAR tool designed to respond to adversarial intent with
automated kill chain playbooks based on the MITRE ATT&CK framework or other tactics, techniques
and procedures (TTP) resources. The tool has powerful RBAC and chain-of-custody features, TIP
capabilities, and more than 200 connectors to date. The tool is sold as a modular platform with
specific modules sold separately. For each module, pricing is based on the number of users (e.g.,
SOC analysts, not the number of employees in the organization).

Demisto
Founded in 2015, Demisto raised $69 million and was acquired by Palo Alto Networks in February
2019 for $560 million — emphatic proof of the perceived value of these tools. Demisto’s focus has
been to optimize the efficiency of security operations by offering a single platform for SOC analysts
to manage incidents, automate and standardize incident response processes, and collaborate on
incident investigations. Demisto makes use of machine learning (ML) to support functions such as
incident triage or to offer SOC analysts some suggestions for next steps. Demisto offers a War Room
for analysts to collaborate on investigating incidents, with action being autodocumented for post-
incident reporting. Demisto offers robust incident/case management and playbook automation
features, and more than 300 product integrations out-of-the-box. Pricing is based on the number of
users (e.g., SOC analysts, not the number of employees in the organization).

DFLabs
As a technology company since 2013, DFLabs is a SOAR provider focusing on incident response and
threat intelligence that can be used on the SOC, computer security incident response team (CSIRT)
and MSSP. The SOAR solution promotes the security incident life cycle using R3 Rapid Response
Runbooks (referred to as playbooks by other vendors) that execute workflows and data enrichment,
notification, containment, and custom actions. DFLabs uses machine learning in two situations: for
recommendation of actions based on steps for similar or related threats and for triage to prefilter
security events. DFLabs’ incident management support enables the documentation of physical and
logical evidence and audit logs, document policies, procedures, and best practices in the knowledge
base.

EclecticIQ
Founded in 2014, EclecticIQ is a provider of technology and services for the aggregation, analysis and
sharing of threat intelligence and its operationalization through downstream integrations. A key
feature of EclecticIQ is the ability to enable analysts to leverage intelligence-led techniques for threat
hunting, incident response, threat and threat actor enumeration, and tracking. Another capability,
called Fusion Center, eases selection of upstream intelligence sources by offering single and fused
bundles of intelligence at fixed prices. Clients can select from a wide range of commercial and open-
source threat intelligence feeds that are fused according to the themes most relevant to the
customer.

IBM Resilient
IBM Resilient, founded in 2010 as Co3 Systems and acquired by IBM in 2016, provides workflow, case
management, and orchestration and automation capabilities for security and privacy teams at
hundreds of customers. The three features that Resilient focuses on are case management,
orchestration and automation, and human- and machine-based intelligence. The solution is delivered
via software for on-premises deployments or via SaaS model; it is also available as an MSSP offering
for managed service providers and forms part of IBM’s X-Force Threat Management Service offering.
Resilient also leverages the IBM X-Force Exchange where IBM, technology partner and user-created
apps can be shared.

Rapid7
Founded in 2000, Rapid7 acquired Komand — a SOAR vendor — in July 2017 and is now offering a
SOAR called InsightConnect. InsightConnect’s security orchestration and automation helps security
analysts optimize SOC operations through a library of more than 270 plug-ins and a visual workflow
builder that requires little to no code. The automation capabilities in Rapid7’s vulnerability
management (InsightVM) and cloud SIEM solutions with embedded UEBA solutions (InsightIDR)
mean that customers can automate processes for automation-assisted patching and threat
containment. InsightConnect is only available as a cloud-based solution, and is part of Insight,
Rapid7’s broader security management platform.

Resolve
Founded in 2014, Resolve’s orchestration and automation platform aims to bridge security and IT
processes with prebuilt connectors for both security and IT infrastructure systems. The Resolve
platform focuses mainly on incident response and case management but has expanded preventive
measure capabilities such as secure provisioning, patch management and audit trails. The platform
provides playbooks based on NIST SP 800-61 Revision 2 (the Computer Security Incident Handling Guide |
CSRC). Also, its case management capability stores all artifacts and actions that relate to the
incident and provides a contextual recommendation for each step to accelerate response.

ServiceNow
Security Operations is the product from ServiceNow that provides a security orchestration and
automation solution that is used by hundreds of customers. Security Operations is delivered from the
Now Platform as SaaS and provides workflow, case management, orchestration and automation, and
threat intelligence management. Additional capabilities also address vulnerability management and
security operations metrics, reporting and dashboards, and configuration compliance, as well as
governance risk and compliance. Three service packages (Standard [security incident response or
vulnerability response], Professional and Enterprise) are available with Enterprise being required to
get the fullest set of SOAR capabilities, including orchestration.

Siemplify
Founded in 2015 in Tel Aviv, Israel, Siemplify is used mainly for SOC activities with an easy-to-use
user interface. Siemplify provides context-driven investigation capabilities that visually correlate
incidents and group alerts to help the analyst reduce time to respond. Along with case management,
it helps control the flow of incidents across the SOC analysts. Also, Siemplify uses machine learning
capabilities to prioritize and suggest which analyst would be best for a specific incident. Multitenancy
capabilities are also promoted for managed service users. Siemplify also provides dashboards and
reporting for tracking and SOC metrics, and recently added crisis management and analyst
collaboration modules as part of version 5.0.

Splunk
Phantom Cyber, founded in 2014, was acquired by Splunk in 2018. The Splunk Phantom solution
provides orchestration and automation capabilities along with case management functionality.
Splunk Phantom is deployed on-premises as software. Additional functionality includes its central
view, called Phantom Mission Control, as well as its recommendation capability, called Mission
Guidance. Logical data separation is available to provide multitenancy capabilities for managed
services users. The licensing model is based on events per day (EPD). An event is only considered a
notable event if it was acted upon. In other words, not everything ingested into the Phantom solution
is actioned; thus, not all the events will be charged for. Once an event is actioned, the customer has
unlimited actions within that specific event. They can do whatever they need to, for example, run
playbooks multiple times.

Swimlane
Founded in 2014, Swimlane focuses on the orchestration and automation of existing security
controls interacting with over 850 APIs for an organization’s existing technology stack and can let an
organization reuse existing scripts. A key capability is for clients to develop playbooks that visually
represent complicated security operations workflows using a drag-and-drop-type of paradigm where
analytics and automation can be brought to bear on operations. This allows for security teams to
achieve better accuracy, consistency and time efficiency for analysts.

Syncurity
Syncurity was founded in 2014. The Syncurity IR Flow solution focuses on orchestration, automation,
dashboards and reporting, with alert triage, incident management and collaboration capabilities. The
solution is positioned as end-to-end case management. Validated incidents that can be
programmatically defined are handled through automation to allow for focusing on unvalidated
events requiring analyst involvement. Dynamic risk scoring is a feature, and an analyst workbench is
provided for investigation and cross-analyst collaboration. The solution is delivered as software, and
support is provided as on-premises or private cloud deployment for enterprises and managed
security service providers, including multitenancy and granular role-based access control (RBAC)
features.

ThreatConnect
Founded in 2011, ThreatConnect has an architecture delivering both threat intelligence platform (TIP)
and security orchestration and automation (SOA) features from the same product. ThreatConnect’s
large ecosystem of integrations (built internally and by third parties) allows for the application of
intelligence from both internal and external sources to security processes and workflows. In recent
years, ThreatConnect has expanded on its TIP heritage to also deliver further orchestration and
automation capabilities that aid in a wide range of SOAR use cases.

ThreatQuotient
Founded in 2013, ThreatQuotient delivers the ThreatQ platform that relies on threat intelligence and
contextual information to drive a score-driven triage process to help prioritize actions across a variety
of security operations use cases. Also, ThreatQ delivers a user interface that supports investigation
to: improve the understanding of threats, promote collaboration across different teams and enable
the execution of playbooks to perform data enrichment and other response actions. Also, the offering
uses a learning system that captures other systems' feedback to support incident triage, taking into
consideration the results of previous events through a self-tuning capability that makes the system
more and more customer-specific over time.

Market Recommendations
Security and risk management leaders should consider SOAR tools in their security operations to
meet the following goal: improve security operations efficiency and efficacy.

SOAR tools offer a way to orchestrate and automate response. A common use case would be
consuming events from a SIEM to enrich the context of an alert. The events most amenable to
automation are the ones with the lowest risk of being false positives. For example, with a user
credential lockout, SOAR can be used to execute a playbook that determines whether the lockout stems
from human error (e.g., the user forgot the password) or might indicate a brute-force attack. In
either case, the analyst would have to execute a series of steps that force the account to
change its password, which could be automated through consistent workflow execution. This is
beneficial for many reasons, including:

■ Performing the task faster equals better time to resolution. The longer an issue is left
unaddressed, the worse it can become, leaving the organization in a potentially risky situation for
longer periods of time. Ransomware, for example, is a threat that can get exponentially worse with
time.

■ Staff shortages are a critical issue for many organizations. The ability to handle processes more
efficiently means that security analysts can spend less time on each incident and will thus be
able to respond to more incidents despite fewer resources being available.
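A toy version of the credential-lockout playbook described above, added here as an example (it is not code from the report or from any listed vendor). The SIEM events, the thresholds and the action names are all constructed assumptions; a real playbook would call the SIEM, directory and ticketing integrations instead of reading a list.

```python
from collections import Counter

# Constructed sample SIEM events (not real data): failed logons preceding a lockout alert.
# Each event is (username, source_ip, timestamp in seconds since epoch).
SAMPLE_EVENTS = [
    ("alice", "10.0.0.5", 1000), ("alice", "10.0.0.5", 1030), ("alice", "10.0.0.5", 1055),
    ("alice", "10.0.0.5", 1090), ("alice", "10.0.0.5", 1120),          # one workstation, slow pace
    ("bob", "203.0.113.7", 2000), ("bob", "203.0.113.8", 2001), ("bob", "203.0.113.9", 2002),
    ("bob", "203.0.113.10", 2003), ("bob", "203.0.113.11", 2004), ("bob", "203.0.113.12", 2005),
    ("bob", "203.0.113.13", 2006), ("bob", "203.0.113.14", 2007),       # many sources, rapid pace
]


def enrich_lockout(user, events, lockout_ts, window=600):
    """Enrichment step: summarize the user's failed logons in the window before the lockout."""
    recent = [e for e in events if e[0] == user and lockout_ts - window <= e[2] <= lockout_ts]
    ips = Counter(ip for _, ip, _ in recent)
    span = (max(t for *_, t in recent) - min(t for *_, t in recent)) if recent else 0
    return {"attempts": len(recent), "distinct_ips": len(ips), "span_seconds": span}


def triage_lockout(user, events, lockout_ts, *, max_ips=2, max_rate_per_min=10.0):
    """Decision step: classify the lockout and return (verdict, actions, context).

    Thresholds are hypothetical; tune them to the environment's normal failure rates.
    """
    ctx = enrich_lockout(user, events, lockout_ts)
    if ctx["attempts"] == 0:
        # No supporting events: do not guess, hand the alert to a human.
        return "insufficient_data", ["escalate_to_analyst"], ctx
    minutes = max(ctx["span_seconds"], 1) / 60.0
    rate = ctx["attempts"] / minutes
    brute_force = ctx["distinct_ips"] > max_ips or rate > max_rate_per_min
    actions = ["force_password_reset"]  # both branches rotate the credential, as the text notes
    if brute_force:
        verdict = "suspected_brute_force"
        actions += ["escalate_to_analyst", "open_incident"]
    else:
        verdict = "likely_human_error"
        actions += ["notify_user", "close_alert"]
    return verdict, actions, ctx


if __name__ == "__main__":
    for user, ts in (("alice", 1130), ("bob", 2010), ("carol", 3000)):
        print(user, triage_lockout(user, SAMPLE_EVENTS, ts)[:2])
```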

SOAR Tool Advice

In terms of product selection, security and risk management leaders should favor SOAR solutions
that:

■ Deliver the use cases needed to complement their set of security products to manage their SOC.
For instance, some clients prefer to use their corporate ticketing system rather than a dedicated case
management solution and instead value the threat investigation capabilities more. Buying a
SOAR solution today must be driven by the use case: SOC optimization, threat monitoring and
response, threat investigation and hunting, and threat intelligence management.

■ Offer the capability to easily code an organization’s existing playbooks that the tool can then
automate, either via an intuitive UI and/or via a simple script.

■ Optimize the collaboration of analysts in the SOC, for example, with a chat or IM framework that
makes analysts’ communication more efficient, or with the ability to work together on complex
cases.

■ Have a pricing cost that is aligned with the needs of the organization and that is predictable. Avoid
pricing structures based on the volume of data managed by the tool or based on the number of
playbooks run per month, as these metrics carry an automatic penalty for more frequent use of the
solution.

■ Offer flexibility in the deployment and hosting of the solution — either in the cloud, on-premises or
a hybrid of these — to accommodate organizations’ security policies and privacy considerations, or
organizations’ cloud-first initiatives.

Note 1
Representative Vendor Selection
Gartner is tracking 28 vendors in the SOAR market. The vendor list below, capped at 18, includes only
sample representative vendors that appear most frequently in analyst interactions with Gartner
clients.

Note 2
Gartner’s Initial Market Coverage
This Market Guide provides Gartner’s initial coverage of the market and focuses on the market
definition, rationale for the market and market dynamics.

© 2020 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. and its
affiliates. This publication may not be reproduced or distributed in any form without Gartner's prior written
permission. It consists of the opinions of Gartner's research organization, which should not be construed as
statements of fact. While the information contained in this publication has been obtained from sources believed to
be reliable, Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information.
Although Gartner research may address legal and financial issues, Gartner does not provide legal or investment
advice and its research should not be construed or used as such. Your access and use of this publication are
governed by Gartner’s Usage Policy. Gartner prides itself on its reputation for independence and objectivity. Its
research is produced independently by its research organization without input or influence from any third party. For
further information, see "Guiding Principles on Independence and Objectivity."