SOAR (Security Orchestration, Automation and Response) is a solution stack of compatible software programs that allow an organization to collect data about security threats from multiple sources and respond to low-level security events without human assistance. The goal of using a SOAR stack is to improve the efficiency of physical and digital security operations. The term, which was coined by the research firm Gartner, can be applied to compatible products and services that help define, prioritize, standardize and automate incident response functions.
According to Gartner, the three most important capabilities of SOAR technologies are:
Threat and vulnerability management: These technologies support the remediation of vulnerabilities. They provide formalized workflow, reporting and collaboration capabilities.
Security incident response: These technologies support how an organization plans, manages, tracks and coordinates the response to a security incident.
Security operations automation: These technologies support the automation and orchestration of workflows, processes, policy execution and reporting.
While both security information and event management (SIEM) and SOAR stacks aggregate relevant data from multiple sources, SOAR services integrate with a wider range of internal and external applications. Today, many companies use SOAR services to augment in-house SIEM software. In the future, it is expected that as SIEM vendors begin to add SOAR capabilities to their services, the market for these two product lines will merge. Vendors that currently promote their ability to provide SOAR capabilities include LogRhythm, Rapid7 and Cybersponse.