
Is SOAR Obsolete? Here’s Why Security Engineers And AI Make The Difference

Daryl Lim, Forbes Councils Member, Forbes Technology Council. Council post: expertise from Forbes Councils members, operated under license. Opinions expressed are those of the author.

Jan 2, 2025, 08:30am EST

Daryl Lim is the Co-Founder and CTO of Tracecat.

In 2017, analysts at Gartner defined the term SOAR to cover an emerging class of security product. SOAR, which stands for security orchestration, automation and response, enables security operations centers (SOCs) to define their incident response procedures as digitalized playbooks. A playbook integrates and executes actions across security tools: actions that human incident responders had to repeat manually, over and over, without a SOAR. SOAR was supposed to automate all manual processes in a SOC. Gartner, however, labeled SOAR as obsolete before plateau.

They cited high total cost of ownership and competing automation features in existing security platforms (e.g., SIEM or XDR) as the two key reasons for this designation. The latter observation seems to hold the most weight. For example, Palo Alto Networks, Splunk and Google Chronicle all purchased first-generation SOARs (Demisto, Phantom and Siemplify) and consolidated them into their wider security platforms.

What Is Happening?

If you are a CISO or security lead looking to purchase a stand-alone SOAR in 2025, you’re probably wondering whether it’s even a worthwhile investment. Practitioner surveys, job postings and the rise of AI coding assistants, however, suggest a more nuanced reality.

The Rise Of The SOAR Engineer

The latest SANS report on the “State of Automation on Security Operations” recommends hiring dedicated talent, separate from detection and response teams, just to manage automation. This recommendation represents a shift from the way the first generation of SOARs was marketed. Those SOARs were sold as automation tools with drag-and-drop workflows that any SOC analyst, including analysts without programming skills, could use. The reality, as the SANS survey suggests, is that SOAR is a technical product that requires programming skills to implement and maintain successfully.

Pure-Play And Open-Source SOARs

The sales and adoption data suggest that stand-alone SOAR is far from obsolete. Closed-source pure-play SOARs, such as Torq and Tines, continue to grow in sales, with Torq and Tines raising Series B and C funding in the middle of 2024. Even newer open-source SOARs, such as my company Tracecat, continue to grow in adoption, with over 5,000 downloads since its first release in June 2024.

Why do security teams continue to pick stand-alone SOARs over automations bundled into their SIEM/XDR? According to Tines’ report, 88% of security professionals prefer a best-in-class automation platform that isn’t locked into a specific vendor. This sentiment aligns with the SANS data cited above, which found that the majority of organizations (approximately 59%) use more than 10 different security tools across different vendors. Lastly, in G2’s 2024 momentum leader survey of SOAR products, bundled SOARs (e.g., Splunk SOAR and Palo Alto XSOAR) all lie at the lower end of customer satisfaction.

AI And Coding

Low-code SOAR platforms will likely see a surge in adoption as LLM-powered assistants redefine automation workflows. In the past, fully no-code solutions were favored to avoid the complexity of writing code. Now, LLMs enable analysts with basic coding skills to thrive in low-code environments. This shift makes it easier to build flexible, sophisticated automations, bridging the gap between no-code simplicity and the power of custom coding.

Open-source SOARs are positioned to benefit more from coding assistants than closed-source products. With an open codebase, analysts have access to a wide range of ready-made integrations, which they can adapt quickly with the help of LLM-powered assistants. This makes it easier to adopt low-code solutions and to build advanced integrations faster.

So, Are SOARs Obsolete?

It depends. It depends on whether your team can retain a dedicated engineering hire to build and maintain your playbooks. It depends on the maturity of your incident response processes. It depends on whether your organization has an engineering culture.

If your answer is no, consider outsourcing rote incident response work to professional services (e.g., managed detection and response). Otherwise, check whether your existing detection and response platforms come with simple out-of-the-box automations. Most security information and event management (SIEM) platforms now ship with basic automations (e.g., the ability to open tickets in Jira or notify users in Slack).

If the answer is yes, a SOAR gives your team full control over your SOC’s tooling integrations and automations. It also serves as a system of record for your incident response playbooks and activities. A SOAR, if implemented correctly, can be a powerful force multiplier, increasing your SOC analysts’ capacity, reducing response time and consolidating your organization’s collective knowledge around incident response.
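To make concrete what a playbook is in the SOAR sense used here (a data-defined sequence of actions across tools, with a record of what ran and what was skipped), the following is an added example in Python. It is not code from Tracecat or any product named above. The Jira and Slack clients are in-memory stand-ins, the IP reputation table is constructed from documentation addresses, and the "${step.key}" reference syntax is an assumption of this example, so the whole thing runs offline.

```python
"""Minimal playbook engine in the SOAR sense described above.

Added illustration, not code from Tracecat or any vendor. The Jira and Slack
clients are in-memory stand-ins and the threat-intel table is constructed
(both assumptions), so the example runs offline.
"""
import re
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional


# ---- Stand-in integrations (a real SOAR would call these tools' HTTP APIs) ----
class FakeJira:
    def __init__(self) -> None:
        self.issues: List[Dict[str, str]] = []

    def create_issue(self, summary: str, priority: str) -> str:
        key = f"SEC-{len(self.issues) + 1}"
        self.issues.append({"key": key, "summary": summary, "priority": priority})
        return key


class FakeSlack:
    def __init__(self) -> None:
        self.messages: List[tuple] = []

    def post(self, channel: str, text: str) -> bool:
        self.messages.append((channel, text))
        return True


# Constructed reputation data (RFC 5737 documentation addresses, not real IoCs)
INTEL = {"203.0.113.7": {"malicious": True, "tags": ["c2"]}}


def lookup_ip(ip: str) -> Dict[str, Any]:
    return INTEL.get(ip, {"malicious": False, "tags": []})


# ---- Playbook definition: data, not code, so it can be reviewed and versioned ----
@dataclass
class Step:
    name: str                     # this step's output is stored under this name
    action: str                   # key into the engine's action registry
    args: Dict[str, Any]          # strings may embed "${step.key}" references
    when: Optional[Callable[[Dict[str, Any]], bool]] = None  # skip if false


@dataclass
class Playbook:
    name: str
    steps: List[Step]


REF = re.compile(r"\$\{(\w+)\.(\w+)\}")


class Engine:
    """Runs a playbook against an alert and keeps an audit trail of every step."""

    def __init__(self, actions: Dict[str, Callable[..., Any]]) -> None:
        self.actions = actions
        self.audit: List[tuple] = []  # (playbook, step, status, output)

    def _resolve(self, value: Any, outputs: Dict[str, Any]) -> Any:
        if not isinstance(value, str):
            return value
        return REF.sub(lambda m: str(outputs[m.group(1)][m.group(2)]), value)

    def run(self, playbook: Playbook, alert: Dict[str, Any]) -> Dict[str, Any]:
        outputs: Dict[str, Any] = {"alert": alert}
        for step in playbook.steps:
            if step.when is not None and not step.when(outputs):
                self.audit.append((playbook.name, step.name, "skipped", None))
                continue
            args = {k: self._resolve(v, outputs) for k, v in step.args.items()}
            result = self.actions[step.action](**args)
            # Wrap scalar results so later steps can reference them uniformly
            outputs[step.name] = result if isinstance(result, dict) else {"result": result}
            self.audit.append((playbook.name, step.name, "ok", outputs[step.name]))
        return outputs


# Mirrors the rote work the article describes: enrich the source IP, and only
# if it is flagged, open a ticket and notify the on-call channel.
SUSPICIOUS_LOGIN = Playbook("suspicious_login", [
    Step("enrich", "intel.lookup_ip", {"ip": "${alert.src_ip}"}),
    Step("ticket", "jira.create_issue",
         {"summary": "${alert.title}", "priority": "High"},
         when=lambda o: o["enrich"]["malicious"]),
    Step("notify", "slack.post",
         {"channel": "#soc", "text": "Opened ${ticket.result} for ${alert.title}"},
         when=lambda o: o["enrich"]["malicious"]),
])


def build_engine():
    """Wire fresh stand-in tools into an engine; returns (engine, jira, slack)."""
    jira, slack = FakeJira(), FakeSlack()
    actions = {
        "intel.lookup_ip": lookup_ip,
        "jira.create_issue": jira.create_issue,
        "slack.post": slack.post,
    }
    return Engine(actions), jira, slack


if __name__ == "__main__":
    engine, jira, slack = build_engine()
    engine.run(SUSPICIOUS_LOGIN, {"title": "Login from 203.0.113.7", "src_ip": "203.0.113.7"})
    engine.run(SUSPICIOUS_LOGIN, {"title": "Login from 198.51.100.4", "src_ip": "198.51.100.4"})
    for entry in engine.audit:
        print(entry)
```

The audit list is what turns the engine into the system of record the article mentions: every step, run or skipped, is attributable to a playbook and an alert. Swapping the fake clients for real API clients, handling their failures and keeping the action registry current is exactly the work that calls for a dedicated engineering hire rather than a drag-and-drop analyst.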