What is SOAR (Security Orchestration, Automation, and Response)?

What is Security Orchestration, Automation, and Response?

SOAR, or Security Orchestration, Automation, and Response, enables security teams to standardize and streamline their organization’s response to cyber attacks and incidents. SOAR optimizes workflows within and beyond the security operations center (SOC) — enabling analysts to focus their efforts on securing their organization's ecosystem.

How does SOAR work?

The SOAR solution details established investigation and response protocols, guiding analysts and laying the groundwork for automation. Bidirectional integrations throughout the ecosystem enable routine investigation and response processes to be triggered autonomously (i.e., fetch processes) or by an analyst (i.e. isolate host). Throughout security operations workflows, the SOAR surfaces relevant context via integrations with threat intelligence feeds and other data sources.

Why is Security Orchestration Automation and Response important?

A SOAR standardizes SOC processes, ensuring consistent investigation and response while enhancing the skill of security analysts of every experience level. By automating the workflows for many of the manual, mundane tasks otherwise associated with incident response — logging security incidents, alerting relevant parties, submitting and updating report tickets — SOAR substantially reduces mean-time-to-remediate (MTTR).

What are the benefits of SOAR?

SOAR also drives efficiencies that save the SOC substantial time and effort, helping cybersecurity teams streamline their security operations by reducing human intervention. This frees up analysts to focus on pressing issues that require human creativity and intuition. Other benefits include:

  1. Reduced risk
    An effective SOAR solution will neutralize attacks before damage can grow by accelerating investigation and response times for analysts.
  2. Expedited mean time to respond (MTTR)
    Aligning people, processes, and technologies through SOAR means response actions are automated instantaneously, eliminating human buffering time.
  3. Burnout prevention
    Analysts have enough on their plates already. Automate away the mundane tasks that keep them from the creative problem solving they're best at.
  4. Optimized workflows
    Infuse threat intelligence and insights like attribute frequency and host anomaly score, and codify investigation and guide response procedures. Your team won't have to second-guess processes and next steps.
  5. Rich integrations
    Integrate your preferred tools into a single workflow — you'll get the benefit of their technology, without the swivel chair of pivoting between them.

History of SOAR tools

With the emergence of specialized security workflow solutions for security incident investigation and response in the mid-2010s, Gartner began using the term Security Orchestration, Automation, and Response (SOAR). Many SOAR start-ups were acquired by security conglomerates during this time and bolted onto an established security information and event management (SIEM), UEBA, or network detection and response technology. Subsequently, a new breed of SOAR vendors have scaled their technologies to handle a broader range of security incidents. During this time, automation playbooks have grown in sophistication and SOAR platforms have become more user-friendly.


SOAR technology helps the SOC fully leverage the combined power of its people and technologies by coordinating and automating key processes on a single platform. It is typically tightly integrated with a SIEM to unify team processes and data. SIEM empowers analysts to take on use cases such as security monitoring, threat detection, threat hunting, event correlation, and more.

SOAR serves more on the workflows and remediation side of the house — acting upon the findings illuminated by a SIEM with automated follow-up actions and orchestration of the necessary steps to stop a threat before it can cause damage. In practice, the solutions are merging ever closer.

Experience Elastic Security for SOAR

Easily automate your team's security incident response with Elastic SOAR — ready for download or hosted in Elastic Cloud.

Explore SOAR solutions