What is SOAR (Security Orchestration, Automation, and Response)?

SOAR definition

SOAR, or Security Orchestration, Automation, and Response, enables security teams to standardize and streamline their organization’s response to cyber attacks and incidents. SOAR optimizes workflows within and beyond the security operations center (SOC) — enabling analysts to focus their efforts on securing their organization's ecosystem.

What is security orchestration?

Security orchestration is a means of interconnecting otherwise disparate security tools so that actions can be centralized and propagated. This helps security teams streamline their processes and accelerate the incident response process.

What is security automation?

Security automation is the process of implementing predetermined rules that respond upon a certain action or requirement being reached. This minimizes the human interaction required in the process, thereby alleviating security analysts to handle problems that require more creative problem solving.

Why is Security Orchestration Automation and Response important?

A SOAR standardizes SOC processes, ensuring consistent investigation and response while enhancing the skill of security analysts of every experience level. By automating the workflows for many of the manual, mundane tasks otherwise associated with incident response — logging security incidents, alerting relevant parties, submitting and updating report tickets — SOAR substantially reduces mean-time-to-remediate (MTTR).

History of SOAR tools

With the emergence of specialized security workflow solutions for security incident investigation and response in the mid-2010s, Gartner began using the term Security Orchestration, Automation, and Response (SOAR). Many SOAR start-ups were acquired by security conglomerates during this time and bolted onto an established security information and event management (SIEM), UEBA, or network detection and response technology. Subsequently, a new breed of SOAR vendors have scaled their technologies to handle a broader range of security incidents. During this time, automation playbooks have grown in sophistication and SOAR platforms have become more user-friendly.

How does SOAR work?

A SOAR solution details established investigation and response protocols, guiding analysts and laying the groundwork for automation. Bidirectional integrations throughout the ecosystem enable routine investigation and response processes to be triggered autonomously (i.e., fetch processes) or by an analyst (i.e., isolate host). Throughout security operations workflows, the SOAR surfaces relevant context via integrations with threat intelligence feeds and other data sources.

What are the benefits of SOAR?

SOAR drives efficiencies that save the SOC substantial time and effort, helping cybersecurity teams streamline their security operations by reducing human intervention. This frees up analysts to focus on pressing issues that require human creativity and intuition. Other benefits include:

Reduced risk

An effective SOAR solution will neutralize attacks before damage can grow by accelerating investigation and response times for analysts.

Expedited mean time to respond (MTTR)

Aligning people, processes, and technologies through SOAR means response actions are automated instantaneously, eliminating human buffering time.

Burnout prevention

Analysts have enough on their plates already. Automate away the mundane tasks that keep them from the creative problem solving they’re best at.

Optimized workflows

Infuse threat intelligence and insights like attribute frequency and host anomaly score, and codify investigation and guide response procedures. Your team won’t have to second-guess processes and next steps.

Rich integrations

Integrate your preferred tools into a single workflow — you’ll get the benefit of their technology, without the swivel chair of pivoting between them.


SOAR technology helps the SOC fully leverage the combined power of its people and technologies by coordinating and automating key processes on a single platform. It is typically tightly integrated with a SIEM to unify team processes and data. SIEM empowers analysts to take on use cases such as security monitoring, threat detection, threat hunting, event correlation, and more.

SOAR (security orchestration, automation, and response) serves more on the workflows and remediation side of the house — acting upon the findings illuminated by a SIEM with automated follow-up actions and orchestration of the necessary steps to stop a threat before it can cause damage. In practice, the solutions are merging ever closer.

Security Automation vs. Security Orchestration

While both security automation and orchestration share similar outcomes — minimizing the human interaction required in various processes — they differ in their respective domains of implementation.

Security automation is primarily driven towards achieving immediate prevention of a threat the moment it is detected by a security technology. Security orchestration, on the other hand, is driven towards achieving a streamlined workflow for executing on the correct actions, informing the correct parties, and otherwise moving a process along as has been deemed appropriate by an organization.

SOAR use cases

Incident response

If a security incident has occurred, a coordinated response is necessary to mitigate the breach’s impact.

Case management

When a threat has been identified, it triggers a case. The number of cases can quickly start adding up, and a well-functioning SOAR solution will help teams prioritize and respond in an efficient manner.

Vulnerability management

Understanding where an organization stands with regard to overall security vulnerability is essential. SOAR solutions can help provide a more objective outlook on risk assessment— something every CISO (chief information security officer) needs to do their job.

Threat hunting

The proactive pursuit of threats within one’s IT environment. A mature threat hunting practice requires a fast engine to query across vast amounts of data.

How SOAR technology helps organizations

SOAR (security orchestration, automation, and response) is an essential technology for any mature security function. It may be helpful to think of a SOAR solution’s role in the security stack as similar to the role of a coach on a sports team — it reflects the predetermined goals and processes from management, executes playbooks for different scenarios, and alerts the team when a failure is detected.

Experience Elastic Security for SOAR

Easily automate your team’s security incident response with Elastic SOAR — ready for download or hosted in Elastic Cloud.

Explore SOAR solutions

What you should do next

  1. Start a free trial and see how Elastic can help your business.
  2. Tour our solutions, see how the Elasticsearch Platform works, and how our solutions will fit your needs.
  3. Get ready to prevent the current cybersecurity threats with our latest Global Threat Report.
  4. Share this article with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Twitter, or Facebook.