What is SOAR (security orchestration, automation and response)?

What is SOAR (security orchestration, automation and response)?

SOAR, for security orchestration, automation and response, is a software solution that enables security teams to integrate and coordinate separate security tools, automate repetitive tasks and streamline incident and threat response workflows.

In large organizations, security operations centers (SOCs) rely on numerous tools to track and respond to cyber threats, oftentimes manually. This manual investigation of threats results in slower overall threat response times.

SOAR platforms give SOCs a central console where they can integrate these tools into optimized threat response workflows and automate low-level, repetitive tasks in those workflows. This console also allows SOCs to manage all the security alerts generated by these tools in one central place.

By streamlining alert triage and ensuring that different security tools work together, SOARs help SOCs reduce mean time to detect (MTTD) and mean time to respond (MTTR), improving overall security posture. Detecting and responding to security threats faster can soften the impact of cyberattacks. According to IBM’s latest Cost of a Data Breach report, a shorter data breach lifecycle is associated with lower breach costs. Breaches resolved in less than 200 days cost companies USD 1.02 million less on average, reflecting a 23% difference.

How does SOAR work?

SOAR technology arose as a consolidation of three earlier security tools. According to Gartner, which first coined the term "SOAR" in 2015, SOAR platforms combine the functions of security incident response platforms, security orchestration and automation platforms, and threat intelligence platforms in one offering.

To understand how modern-day SOAR solutions work, it can help to break them down into their core features: security orchestration, security automation, and incident response.

Security orchestration

"Security orchestration" refers to how SOAR platforms connect and coordinate the hardware and software tools in a company's security system.

SOCs use various solutions to monitor and respond to threats, like firewalls, threat intelligence feeds, and endpoint protection tools. Even simple security processes can involve multiple tools. For example, a security analyst investigating a phishing email may need a secure email gateway, a threat intelligence platform, and antivirus software to identify, understand, and resolve the threat. These tools often come from different vendors and may not readily integrate, so analysts must manually move between tools as they work.

With a SOAR, SOCs can unify these tools in coherent, repeatable security operations (SecOps) workflows. SOARs use application programming interfaces (APIs), prebuilt plugins, and custom integrations to connect security tools (and some non-security tools). Once these tools are integrated, SOCs can coordinate their activities with playbooks.

Playbooks are process maps that security analysts can use to outline the steps of standard security processes like threat detection, investigation, and response. Playbooks can span multiple tools and apps. They can be fully automated, fully manual, or a combination of automated and manual tasks.

Security automation

SOAR security solutions can automate low-level, time-consuming, repetitive tasks like opening and closing support tickets, event enrichment, and alert prioritization. SOARs can also trigger the automated actions of integrated security tools. That means security analysts can use playbook workflows to chain together multiple tools and carry out more complex security operations automation.

For example, consider how a SOAR platform might automate an investigation of a compromised laptop. The first indication that something is amiss comes from an endpoint detection and response (EDR) solution, which detects suspicious activity on the laptop. The EDR sends an alert to the SOAR, which triggers the SOAR to execute a predefined playbook. First, the SOAR opens a ticket for the incident. It enriches the alert with data from integrated threat intelligence feeds and other security tools. Then, the SOAR executes automated responses, such as triggering a network detection and response (NDR) tool to quarantine the endpoint or prompting antivirus software to find and detonate malware. Finally, the SOAR passes the ticket to a security analyst, who determines whether the incident was resolved or human intervention is required.

Some SOARs include artificial intelligence (AI) and machine learning that analyze data from security tools and recommend ways to handle threats in the future.

Incident response

SOAR's orchestration and automation capabilities allow it to serve as a central console for security incident response (IR). IBM’s Cost of a Data Breach report found that organizations with both an IR team and IR plan testing identified breaches 54 days faster than those with neither.

Security analysts can use SOARs to investigate and resolve incidents without moving between multiple tools. Like threat intelligence platforms, SOARs aggregate metrics and alerts from external feeds and integrated security tools in a central dashboard. Analysts can correlate data from different sources, filter out false positives, prioritize alerts, and identify the specific threats they're dealing with. Then, analysts can respond by triggering the appropriate playbooks.

SOCs can also use SOAR tools for post-incident audits and more proactive security processes. SOAR dashboards can help security teams understand how a particular threat breached the network and how to prevent similar threats in the future. Likewise, security teams can use SOAR data to identify unnoticed ongoing threats and focus their threat hunting efforts in the right places.

Think Newsletter

Would your team catch the next zero-day in time?

Join security leaders who rely on the Think Newsletter for curated news on AI, cybersecurity, data and automation. Learn fast from expert tutorials and explainers—delivered directly to your inbox. See the IBM Privacy Statement.

Your subscription will be delivered in English. You will find an unsubscribe link in every newsletter. You can manage your subscriptions or unsubscribe here. Refer to our IBM Privacy Statement for more information.

https://www.ibm.com/us-en/privacy

Benefits of SOAR

By integrating security tools and automating tasks, SOAR platforms can streamline common security workflows like case management, vulnerability management, and incident response. The benefits of this streamlining include:

Processing more alerts in less time

SOCs may have to deal with hundreds or thousands of security alerts daily. This can lead to alert fatigue, and analysts may miss important signs of threat activity. SOARs can make alerts more manageable by centralizing security data, enriching events, and automating responses. As a result, SOCs can process more alerts while reducing response times.
More consistent incident response plans

SOCs can use SOAR playbooks to define standard, scalable incident response workflows for common threats. Rather than dealing with threats on a case-by-case basis, security analysts can trigger the appropriate playbook for effective remediation.
Enhanced SOC decision-making

SOCs can use SOAR dashboards to gain insight into their networks and the threats they face. This information can help SOCs spot false positives, prioritize alerts better, and select the correct response processes.
Improved SOC collaboration

SOARs centralize security data and incident response processes so analysts can work together on investigations. SOARs can also enable SOCs to share security metrics with outside parties, such as HR, legal, and law enforcement.
Security Intelligence | 17 December, episode 13

Your weekly news podcast for cybersecurity pros

Whether you're a builder, defender, business leader or simply want to stay secure in a connected world, you'll find timely updates and timeless principles in a lively, accessible format. New episodes on Wednesdays at 6am EST.
Watch the latest podcast episode

SOAR, SIEM and XDR

SOAR, SIEM, and XDR tools share some core functions, but each has its own unique features and use cases.

Security information and event management (SIEM) solutions collect information from internal security tools, aggregate it in a central log, and flag anomalies. SIEMs are mainly used to record and manage large volumes of security event data.

SIEM technology first emerged as a compliance reporting tool. SOCs adopted SIEMs when they realized SIEM data could inform cybersecurity operations. SOAR solutions arose to add the security-focused features most standard SIEMs lack, like orchestration, automation, and console functions.

Extended detection and response (XDR) solutions collect and analyze security data from endpoints, networks, and the cloud. Like SOARs, they can automatically respond to security incidents. However, XDRs are capable of more complex and comprehensive incident response automations than SOARs. XDRs can also simplify security integrations, often requiring less expertise or expense than SOAR integrations. Some XDRs are pre-integrated single-vendor solutions, while others can connect security tools from multiple vendors. XDRs are often used for real-time threat detection, incident triage, and automated threat hunting.

SecOps teams in large companies often use all of these tools together. However, providers are blurring the lines between them, rolling out SIEM solutions that can respond to threats and XDRs with SIEM-like data logging. Some security experts believe XDR may one day absorb the other tools, similar to how SOAR once consolidated its predecessors.

Resources

Secure the post-quantum future: How quantum safety strengthens cyber-resilience for today and tomorrow

Advance your company’s readiness, infused by the findings of the new IBM Institute of Business Value Report on securing the post-quantum future.
IBM® X-Force® threat intelligence index 2025

Gain insights to prepare and respond to cyberattacks with greater speed and effectiveness with the IBM X-Force threat intelligence index.
IDC MarketScape: Cybersecurity Consulting Services Vendor Assessment 2025

See why IBM has been named a Major Player and gain insights for selecting the Cybersecurity Consulting Services Vendor that best fits your organization’s needs.
Cybersecurity in the era of generative AI

Learn how today’s security landscape is changing and how to navigate the challenges and tap into the resilience of generative AI.
IBM® X-Force® cloud threat landscape report 2024

Understand the latest threats and strengthen your cloud defenses with the IBM X-Force cloud threat landscape report.
What is data security?

Find out how data security helps protect digital information from unauthorized access, corruption or theft throughout its entire lifecycle.
What is a cyberattack?

A cyberattack is an intentional effort to steal, expose, alter, disable or destroy data, applications or other assets through unauthorized access.
Related solutions
Enterprise security solutions

Transform your security program with solutions from the largest enterprise security provider.

 Explore security solutions
Cybersecurity services

Transform your business and manage risk with cybersecurity consulting, cloud and managed security services.

         Explore cybersecurity services
    Artificial intelligence (AI) cybersecurity

    Improve the speed, accuracy and productivity of security teams with AI-powered cybersecurity solutions.

         Explore AI cybersecurity
    Take the next step

    Use IBM’s automation and security solutions to build a resilient, AI-ready cloud with unified management and trusted protection.

     

         Discover IBM HashiCorp Explore security solutions