Cyberattacks have been escalating both in intensity and complexity, driven by various economic and geopolitical instabilities. Cybercriminals are increasingly utilizing tactics that were once exclusive to state actors. Current cybersecurity measures are proving insufficient to combat these threats effectively, prompting organizations to explore innovative strategies and empower Security Operations Centers (SOCs) with advanced tools. Traditional Security Information and Event Management (SIEM) solutions, while foundational to security operations, are hampered by challenges such as false positives and high operational costs. Security Orchestration, Automation, and Response (SOAR) platforms have emerged as a complementary solution to SIEMs, streamlining and automating workflows to improve incident response efficiency. They enable automatic collection and consolidation of security intelligence from multiple sources, enhance data enrichment, and integrate seamlessly with IT Service Management (ITSM) systems. Moreover, SOARs are leveraging Large Language Models (LLMs) to bolster generative AI capabilities, enhancing SOC efficiency by automating repetitive tasks and improving threat analysis and playbook generation. Despite their promise, adopting generative AI poses challenges such as data handling and inherent biases, urging a balanced approach in its application. Key adoption drivers include regulatory compliance, cloud-based deployments, and an evolving landscape of cyber threats. The market is witnessing significant growth, particularly in regions like North America and EMEA, with promising potential in APAC and Latin America. Key players such as Palo Alto Networks, Fortinet, and Splunk lead the domain by combining robust threat intelligence, extensive third-party integrations, and innovative AI-driven features enhancing automated response actions.
Cyberattacks have been intensifying over the past few years as cybercriminals continue to devise new strategies to launch sophisticated attacks and gain unauthorized access. Global supply chains and private organizations are facing an increased risk of cyberattacks as a result of economic and geopolitical instability. The tactics, techniques, and procedures (TTPs) that were once only used by state actors are being commoditized by cybercriminals. As a result, some vendors have realized that traditional cybersecurity approaches and tools have proven inadequate in keeping up with the rapid changes in the threat landscape.
To stay secure and compliant, organizations need to actively seek out new ways to assess and respond to cyber threats while providing Security Operations Center (SOC) analysts with the right tools. Cyber threats are a constant challenge, and unfortunately, they do not remain static but instead continually evolve. The dynamic nature of cyber threats demands continuous adaptation and innovation in cybersecurity strategies to effectively mitigate the ever-changing risks.
Large organizations, whether they are part of critical infrastructure or not, need to be able to detect and respond to incidents by monitoring security and analyzing real-time events. Security Information and Event Management (SIEM) products were once hailed as the ultimate solution for managing security operations. In many organizations, they still form the foundation of modern SOCs. However, visibility of potential security events alone does not help analysts to assess each discovered threat, nor does it reduce the amount of time spent on repetitive manual tasks in incident response processes.
High deployment and operational costs, lack of intelligence to react to modern cyber threats, limited automation and response capabilities, and the growing skills gap to staff the security teams needed for efficient security operations were the most common problems of legacy SIEM tools. SIEMs did and still do provide value, but some SIEM users report that the volume of false positives causes problems in trying to sift out what is worthy of attention and follow-up and what is not.
Parallel to SIEM solutions, a class of incident investigation and response platforms emerged focusing on creating more streamlined and automated workflows for dealing with security incidents. Security Orchestration, Automation, and Response (SOAR) solutions are advanced software platforms designed to improve the efficiency and effectiveness of SOCs. These solutions enable organizations to automatically collect and consolidate security threat intelligence from various sources, streamline the management of incident response processes, and orchestrate workflows across different security tools.
SOAR platforms, designed to complement or directly integrate with SIEMs, are increasingly becoming the foundation of modern SOCs. Initially, large organizations, which are often more vulnerable to sophisticated cyberattacks due to their size and complexity, were the early adopters of SOAR solutions. However, the utility of SOAR extends beyond these large organizations. Regardless of the maturity or scale of an organization's SOC, SOAR capabilities significantly enhance SIEM/SOC deployments.
For example, SOAR systems can be fed by all kinds of security solutions, albeit indirectly through the aforementioned SIEMs. SOARs that are tightly integrated with SIEMs can take in telemetry via APIs or in CEF and syslog format. SOAR systems generally have OOTB connectors (software configurations and code in the form of packaged API calls) to facilitate data collection from upstream sources. By utilizing these connectors, SOAR systems can easily integrate with a diverse array of security products, such as threat intelligence platforms, firewall solutions, and detection systems, without the need for extensive custom coding.
The orchestration aspect of SOAR involves not only the collection of telemetry from these different sources, but also initiating a workflow, opening cases and tickets where appropriate, and correlation and enrichment of event information. Many large organizations, especially the type looking for SOAR systems, have IT Service Management (ITSM) suites that dispatch and track activities in the form of tickets. SOAR solutions have case management capabilities by design, but they must also interoperate with existing ITSM solutions.
Enrichment of event data can be facilitated by SOAR systems by the automatic collection of additional forensic evidence on-site, such as outputs of Endpoint Protection Detection and Response (EPDR) scans, obtaining non-standard log files, memory dumps, etc. Some vendor solutions can kick off somewhat automated threat hunts (looking for IOCs across multiple nodes in an environment) and add the results to preliminary investigation. SOAR solutions should also be able to generate queries to threat intelligence sources based on suspicious items and patterns observed from upstream telemetry.
Some vendors have extensive threat intelligence capabilities which are utilized by their SOAR solutions. External threat intelligence sources may and ideally should be used to supplement internal threat intel sources. Examples of threat intelligence content include IOCs (files, hashes, IPs, URLs, and so forth), compromised credential intelligence, device intelligence (often from Mobile Network Operators [MNOs]), and domain/file/IP/URL reputation information. Ideally SOAR solutions will accomplish all the foregoing actions automatically prior to or while alerting a human analyst.
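The ingestion and enrichment steps described in the preceding paragraphs (telemetry arriving in CEF over syslog, a connector parsing it, and indicator fields being checked against threat intelligence before an analyst is alerted) as an added, runnable illustration in Python. This is example code written for this page, not code from the report or from any SOAR vendor; the CEF records, the threat-intelligence table and the risk-scoring rule are all constructed for the example.

```python
"""CEF ingestion and threat-intelligence enrichment (added example, constructed data)."""
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed threat-intelligence table standing in for a query to a TIP or feed.
# Keys are indicators; values carry indicator type, confidence and feed name.
THREAT_INTEL: Dict[str, Dict[str, object]] = {
    "203.0.113.9": {"type": "ip", "confidence": 90, "source": "feed-a (constructed)"},
    "bad.example": {"type": "domain", "confidence": 70, "source": "feed-b (constructed)"},
    "0123456789abcdef0123456789abcdef": {"type": "md5", "confidence": 95,
                                         "source": "feed-a (constructed hash)"},
}

# Constructed CEF records of the kind a firewall, an EDR agent and a proxy forward via syslog.
SAMPLE_CEF: List[str] = [
    "CEF:0|Example|NGFW|1.0|100|Outbound connection denied|5|"
    "src=10.0.0.5 dst=203.0.113.9 dpt=443 act=deny msg=Blocked by policy rule 12",
    "CEF:0|Example|EDR|2.1|200|Suspicious process launch|8|"
    "suser=alice dvchost=ws-017 fname=update.exe fileHash=0123456789abcdef0123456789abcdef",
    "CEF:0|Example|Proxy|3.0|300|Web request|3|"
    "src=10.0.0.7 request=http://bad.example/payload.bin act=allow",
]

HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "event_class_id", "name", "severity")
_HEADER_SPLIT = re.compile(r"(?<!\\)\|")             # pipes not preceded by a backslash
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")  # "key=" tokens in the extension
IOC_FIELDS = ("src", "dst", "shost", "dhost", "request", "fileHash")


def _unescape_header(value: str) -> str:
    return value.replace("\\|", "|").replace("\\\\", "\\")


def _unescape_extension(value: str) -> str:
    return value.replace("\\=", "=").replace("\\n", "\n").replace("\\\\", "\\")


def parse_cef(line: str) -> Dict[str, object]:
    """Parse one CEF record into a flat dict of header fields plus extension keys."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    parts = _HEADER_SPLIT.split(line[len("CEF:"):], maxsplit=7)
    if len(parts) < 7:
        raise ValueError("CEF header needs seven pipe-separated fields")
    event: Dict[str, object] = {
        name: _unescape_header(raw) for name, raw in zip(HEADER_FIELDS, parts[:7])
    }
    event["severity"] = int(event["severity"])
    extension = parts[7] if len(parts) == 8 else ""
    # Extension values may contain spaces, so slice the text between successive keys.
    keys = list(_EXT_KEY.finditer(extension))
    for i, match in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(extension)
        event[match.group(1)] = _unescape_extension(extension[match.end():end].strip())
    return event


def enrich(event: Dict[str, object],
           intel: Dict[str, Dict[str, object]] = THREAT_INTEL) -> Dict[str, object]:
    """Attach threat-intel hits for indicator-bearing fields and derive a risk score."""
    hits: List[Dict[str, object]] = []
    for field in IOC_FIELDS:
        value = event.get(field)
        if not isinstance(value, str):
            continue
        if field == "request":                      # match URLs on their host name
            value = urlsplit(value).hostname or value
        if value in intel:
            hits.append({"field": field, "indicator": value, **intel[value]})
    enriched = dict(event)
    enriched["ti_hits"] = hits
    strongest = max((int(h["confidence"]) for h in hits), default=0)
    # Constructed scoring rule: CEF severity (0-10) scaled to 0-100, boosted by the best hit.
    enriched["risk_score"] = min(100, int(event["severity"]) * 10 + strongest // 2)
    return enriched


def ingest(lines: List[str]) -> List[Dict[str, object]]:
    """Parse and enrich a batch of CEF records, as a SOAR connector would on receipt."""
    return [enrich(parse_cef(line)) for line in lines]


if __name__ == "__main__":
    for ev in ingest(SAMPLE_CEF):
        print(ev["name"], ev["risk_score"], [h["indicator"] for h in ev["ti_hits"]])
```

The parser handles the two escaping rules that trip up naive `split("|")` / `split(" ")` implementations: a backslash-escaped pipe inside a header field, and extension values that themselves contain spaces. The URL field is matched on its host name so a domain indicator fires on any URL under it; the score is only a placeholder for whatever prioritisation logic a real platform applies.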
When an analyst is alerted and assigned a case, all pertinent information related to the event should be constructed and presented by the SOAR platform to the analysts for their investigation. The SOAR platform should package information coherently, with descriptions and recommendations for actions. More recently, the use of Large Language Models (LLM) has been the focus of customer interest. Trained on enormous datasets from various sources, LLMs can generate new content and texts in multiple languages. They enable the creation of chatbots that are potentially indistinguishable from humans when combined with natural language processing (NLP) technology.
For SOC analysts, generative AI potentially offers a remarkable leap forward in the efficiency and effectiveness of their work. It means being able to automate the most repetitive parts of their job, focusing on the more creative and strategic dimensions of their role, such as planning new defense strategies, identifying emerging threats, and formulating proactive mitigation plans. However, the potential use of generative AI extends beyond mere task automation. Security analysts can use generative AI to create alerts and perform tasks like threat detection, incident analysis, generate or suggest playbook templates, summarize events, enhance decision-making, and more.
While the integration of generative AI into SOAR platforms offers substantial benefits, there are several challenges that need to be addressed. Generative AI requires access to vast amounts of data to learn and make decisions. Ensuring that this data is handled securely and in compliance with privacy regulations is a significant challenge. In addition, there is a risk that AI models may develop biases based on the data they are trained on, which can lead to inaccurate or unfair outcomes. Therefore, the use of LLMs must be accompanied by thorough quality control on the part of the vendor, to ensure that the information provided is indeed useful and accurate.
Although some vendors are highly enthusiastic about the potential of generative AI in SOAR solutions, emphasizing its ability to revolutionize security operations, others adopt a more cautious stance. These vendors are waiting to see how the industry evolves and are focused on how to best meet their customers' expectations as they assess the practical benefits and challenges of adopting generative AI. This balanced approach reflects a careful consideration of both the opportunities and the complexities involved with integrating new technologies into security operations.
Moreover, most SOAR vendors adhere to the paradigm of a playbook. Playbooks typically address common security scenarios and can be triggered either by manual analyst action or automatically if allowed by policy and supported by the vendor. Examples of security events that may trigger playbooks are phishing, malware, ransomware, failed login attempts, excessive or abnormal use of privileged credentials, prohibited communication attempts, attempts to access unauthorized resources, file copying or moving, attempts to transfer data using unauthorized webmail providers, attempts to transfer data to blocked IPs or URLs, unusual process launches, unusual application to network port activities, unusual network communication patterns, and so on. The end goal of SOAR is to be able to automate incident responses among the various security systems. To this end, SOAR platforms often support dozens to hundreds of playbook scenarios and offer hundreds to thousands of possible incident response actions.
SOAR platforms stand at the forefront of security operations, offering sophisticated automation and orchestration capabilities that enhance the efficiency and effectiveness of SOC teams in responding to and mitigating cybersecurity threats. Given the current threat landscape, every organization must act with extreme urgency to secure its information technology infrastructure. As rogue nations continue to foster an environment for cybercriminals and ransomware attackers to thrive, organizations need to be prepared and build a strong security foundation while providing SOC analysts with the right tools.
Ultimately, the selection of any SOAR solution will depend on the organization’s particular requirements, which depend strongly on the currently deployed and planned IT security and Identity and Access Management (IAM) infrastructure. Careful consideration must be given to evaluating which SOAR solutions have integrations for the tools in use and on the roadmap. The maximum utility is achieved by selecting a SOAR that has pre-packaged connectors for all the security and identity elements in your portfolio.
For more information on our research approach, see KuppingerCole Leadership Compass Methodology.
The SOAR market, while well-established, continues to experience significant growth, driven by the increasing complexity of cyber threats and the need for more efficient security operations. Future developments in SOAR are likely to focus on enhancing AI capabilities, improving integration with other security tools, and making the platforms more user-friendly and accessible to organizations of all sizes. In addition, increasing regulatory demands around data breach disclosures and cybersecurity defenses are expected to drive further adoption of SOAR solutions, as organizations seek to comply with these regulations efficiently.
Some vendors in the market started out with a mission to address what they saw as missing functionality in the broader cybersecurity market. These start-ups may have gone through several rounds of funding and grown a sizable customer base. Furthermore, some of the bigger specialty start-ups in the SOAR market have been acquired by large cybersecurity stack vendors that wanted to add these types of capabilities to their already extensive suites of products and services. For instance, Palo Alto Networks recently expanded its application security suite by acquiring Cider Security, and Cisco enhanced its cybersecurity offerings by acquiring Splunk in early 2024. In other cases, SOAR has been an outgrowth of complementary product offerings (most commonly SIEM) at some of the mid-tier vendors in the market.
Customers in the SOAR market tend to be mid-sized businesses, enterprises, and government agencies. Organizations that have established IT security departments, especially those with SOCs, are the most likely to see a need for SOAR. SMBs and some enterprises that are either outsourcing IT functions or adding security capabilities without adding staff are turning to MSSP options that include SOAR.
The SOAR market is valid globally, but the greatest uptake has been in North America, followed by Europe. However, many companies are expanding into the Middle East and the APAC region. This region comprises some of the world’s largest economies, such as China, India, Japan, Singapore, and Australia. With the threat landscape constantly changing, cyber threats experienced by organizations in these countries are increasing at an alarming rate. We expect to see more organizations across the world adding SOAR to their cybersecurity portfolios in the years ahead. SOAR as an outsourced function provided by MSSPs is also likely to grow in popularity.
KuppingerCole research predicts that the Compound Annual Growth Rate (CAGR) of the SOAR Market Segment is 14.9%, which would lift the market size to 1.9 billion US dollars by 2025. This growth trajectory highlights the increasing reliance on SOAR solutions across various industries, driven by the need to combat sophisticated cyber threats and streamline security operations.
North America currently holds the largest share of the global SOAR market revenue, accounting for 43.9%. This dominance is largely due to the region's advanced technological infrastructure, stringent regulatory requirements, and the presence of major cybersecurity firms that drive innovation and adoption of new security solutions.
The EMEA (Europe, Middle East, and Africa) region follows closely, contributing 39.1% to the global revenue. The significant market share in EMEA is driven by a growing awareness of cybersecurity threats, regional compliance regulations, and an increasing number of businesses adopting digital transformation strategies which necessitate resilient security measures.
While the adoption rates in the Asia-Pacific (APAC) and Latin America (LATAM) regions are currently lower, these regions are expected to exhibit significant growth in the coming years. Factors contributing to this anticipated growth include rapid economic development, digital transformation in businesses, and increasing government initiatives towards cybersecurity regulation in these regions. As such, both APAC and LATAM represent important emerging markets for SOAR solutions, with potential for substantial market penetration as awareness and infrastructure continue to improve.
Overall, the global expansion of the SOAR market is set against a backdrop of escalating security challenges and a pressing need for efficient incident response mechanisms, indicating a continued upward trend in adoption and investment in SOAR technologies worldwide.
Figure 1: Global revenue expected by 2025 in the SOAR market
SOAR solutions often require complex deployment models. In most cases, on-premises components must be implemented, including software agents and API connectivity for upstream security systems from which telemetry will be gathered, and appliances and/or virtual appliances that serve as collection, analysis, operational, and management nodes for the SOAR solution.
Over the past few years, digital transformation has been driving organizations to adopt cloud-based solutions and change their operating models. SOAR systems also generally provide support for various cloud hosted environments such as IaaS and PaaS, which requires agents or images to be installed or the use of customized APIs. Some support specific SaaS applications as well. Cloud-based deployment offers several benefits to organizations, such as scalability and agility, reduced physical infrastructure, less maintenance cost, flexibility, and continuous accessibility of data.
In addition to APIs and connectors for security tools, SOAR platforms have user interfaces for administrators and analysts. Some vendors offer this as a capability on the components installed on-premises and others offer it as a cloud-hosted service.
We expect a Security Orchestration, Automation, and Response platform to implement all three of the core capabilities listed below:
Security data collection, correlation, and enrichment: a SOAR platform can collect historical and real-time security data either on its own or ingest security events from a SIEM solution. The data should be enriched with additional business context, external threat intelligence, or other data sources according to established workflows.
Security Orchestration and Automation: a SOAR platform should implement comprehensive workflow management capabilities to ensure that tasks across multiple environments and security tools can be efficiently coordinated. Whenever possible, repetitive parts of these workflows should be automated to free the analyst’s time for more creative tasks. For manual steps, intelligent guidance and decision support capabilities are a major plus.
Incident Response and mitigation: for identified security incidents, a SOAR platform should be able to offer a range of predefined resolutions, ranging from simple actions like creating a ticket for manual processing or blocking an infected machine in a firewall to more sophisticated playbooks that coordinate response processes across multiple departments, from IT to legal and public relations.
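The orchestration and response capabilities just listed, together with the playbook model described earlier (playbooks triggered by an event type, run automatically only where policy allows, otherwise held for an analyst), as an added, runnable illustration in Python. This is example code written for this page, not code from the report or from any SOAR vendor. The playbook catalogue, the events (already enriched, in the shape an ingestion step would hand over) and the connector classes are constructed; the connectors are in-memory stand-ins for the firewall, EDR, IAM and ITSM API calls a real platform would package.

```python
"""Playbook orchestration with a policy gate (added example, constructed data)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Event = Dict[str, object]


class Connectors:
    """In-memory stand-ins for the firewall, EDR, IAM and ITSM APIs a SOAR would call."""

    def __init__(self) -> None:
        self.firewall_blocklist: set = set()
        self.isolated_hosts: set = set()
        self.disabled_users: set = set()
        self.tickets: List[Dict[str, object]] = []

    def block_ip(self, ev: Event) -> str:
        self.firewall_blocklist.add(ev["dst"])
        return f"blocked {ev['dst']} at the perimeter firewall"

    def isolate_host(self, ev: Event) -> str:
        self.isolated_hosts.add(ev["dvchost"])
        return f"isolated {ev['dvchost']} via EDR"

    def disable_user(self, ev: Event) -> str:
        self.disabled_users.add(ev["suser"])
        return f"disabled account {ev['suser']} in IAM"

    def open_ticket(self, ev: Event) -> str:
        ticket_id = f"INC-{len(self.tickets) + 1:04d}"
        self.tickets.append({"id": ticket_id, "summary": ev["name"], "risk": ev["risk_score"]})
        return f"opened {ticket_id} in ITSM"


@dataclass
class Playbook:
    name: str
    trigger: Callable[[Event], bool]   # when this playbook applies
    actions: List[str]                 # Connectors methods, run in order
    automatable: bool                  # policy: may run without analyst approval
    min_auto_risk: int = 80            # and only at or above this risk score


@dataclass
class Case:
    event: Event
    playbook: str
    status: str                        # auto-executed | awaiting-approval | approved | unhandled
    audit: List[str] = field(default_factory=list)


# Constructed playbook catalogue; the first matching entry wins, so order by specificity.
PLAYBOOKS: List[Playbook] = [
    Playbook("block-malicious-egress",
             lambda e: e["event_class_id"] == "100"
             and any(h["field"] == "dst" for h in e["ti_hits"]),
             ["block_ip", "open_ticket"], automatable=True),
    Playbook("contain-endpoint",
             lambda e: e["event_class_id"] == "200" and e["risk_score"] >= 90,
             ["isolate_host", "disable_user", "open_ticket"], automatable=False),
    Playbook("triage-only", lambda e: True, ["open_ticket"],
             automatable=True, min_auto_risk=0),
]

# Constructed, already-enriched events in the shape an ingestion step would hand over.
SAMPLE_EVENTS: List[Event] = [
    {"event_class_id": "100", "name": "Outbound connection denied", "dst": "203.0.113.9",
     "risk_score": 95, "ti_hits": [{"field": "dst", "indicator": "203.0.113.9"}]},
    {"event_class_id": "200", "name": "Suspicious process launch", "suser": "alice",
     "dvchost": "ws-017", "risk_score": 100, "ti_hits": [{"field": "fileHash"}]},
    {"event_class_id": "300", "name": "Web request", "src": "10.0.0.7",
     "risk_score": 65, "ti_hits": [{"field": "request", "indicator": "bad.example"}]},
]


def _run(pb: Playbook, event: Event, conns: Connectors, case: Case) -> None:
    for action in pb.actions:
        case.audit.append(f"{action}: {getattr(conns, action)(event)}")


def handle_event(event: Event, conns: Connectors,
                 playbooks: List[Playbook] = PLAYBOOKS) -> Case:
    """Pick the first matching playbook; run it automatically only if policy allows."""
    pb = next((p for p in playbooks if p.trigger(event)), None)
    if pb is None:
        return Case(event, "none", "unhandled")
    if pb.automatable and event["risk_score"] >= pb.min_auto_risk:
        case = Case(event, pb.name, "auto-executed")
        _run(pb, event, conns, case)
    else:
        # Held for a human: the case carries the recommended actions but runs nothing.
        case = Case(event, pb.name, "awaiting-approval")
        case.audit.append("recommended: " + ", ".join(pb.actions))
    return case


def approve(case: Case, conns: Connectors, playbooks: List[Playbook] = PLAYBOOKS) -> Case:
    """Analyst approval of a held case executes its playbook and records the outcome."""
    if case.status != "awaiting-approval":
        raise ValueError(f"case is {case.status}, nothing to approve")
    pb = next(p for p in playbooks if p.name == case.playbook)
    case.status = "approved"
    _run(pb, case.event, conns, case)
    return case


def process(events: List[Event]) -> Tuple[Connectors, List[Case]]:
    conns = Connectors()
    return conns, [handle_event(ev, conns) for ev in events]
```

Two design points carry over to real deployments: the policy gate is a property of the playbook (`automatable`, `min_auto_risk`) rather than of the analyst, so which responses may fire unattended is reviewable in one place; and every action, automatic or approved, appends to the case's audit trail, which is what the ticket in the ITSM system and any later forensic review will rely on.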
The specific set of features we consider in SOAR solutions are:
Selecting a vendor of a product or service must not only be based on the information provided in a KuppingerCole Leadership Compass. The Leadership Compass provides a comparison based on standardized criteria and can help identify vendors that should be further evaluated. However, a thorough selection includes a subsequent detailed analysis and a Proof of Concept or pilot phase, based on the specific criteria of the customer.
Based on our rating, we created various Leadership ratings. The Overall Leadership rating provides a combined view of the ratings for
Figure 2: Overall Leadership in the SOAR market
The Overall Leadership chart is linear, with Followers appearing on the left side, Challengers in the center, and Leaders on the right. The rating provides a consolidated view of all-around functionality, market presence, and financial security.
However, these vendors may differ significantly from each other in terms of product features, innovation, and market leadership. Therefore, we recommend considering our other leadership categories in the sections covering each vendor and their products to get a comprehensive understanding of the players in this market and which of your use cases they support best.
The Overall Leadership chart shows that a number of vendors have achieved a high level of maturity, with just under half of the vendors in the Leaders segment. Palo Alto Networks is the overall leader and takes a strong position as one of the dominant products on the market today. Palo Alto Networks' agility and scalability make it a worthy choice for mid-market organizations and large enterprises.
Palo Alto Networks is closely followed by Fortinet. FortiSOAR is recognized for its orchestration, automation, and response capabilities that streamline complex security operations. It's particularly valued for integrating with other Fortinet products and a broad range of third-party tools. Fortinet is followed by a group of three vendors, including Splunk, ServiceNow, and Swimlane. These are well-established vendors with innovative and feature-rich capabilities.
In the Challenger segment, the landscape includes a variety of vendors: dedicated SOAR specialists, established SIEM providers, and small, innovative companies. They have overall good capabilities and a high degree of flexibility in configuration, while lacking some of the more advanced features other vendors provide. All vendors within the Challenger section have good products with varying levels of compliance, reporting, scalability, deployment, and API capabilities. Furthermore, some still have limited global presence, affecting their rating for Overall Leadership.
Overall Leaders are (in alphabetical order):
Product leadership is the first specific category examined below. This view is mainly based on the presence and completeness of required features as defined in the required capabilities section above. The vertical axis shows the product strength plotted against the combined/overall strength on the horizontal axis. The Product Leadership chart is rectangular and divided into thirds. Product Leaders occupy the top section. Challengers are in the center. Followers are in the lower section.
Figure 3: Product Leadership in the SOAR market
As organizations continue to face sophisticated cybersecurity threats, the role of SOAR platforms is increasingly critical. Again, we find several vendors in the Leaders segment. These include Palo Alto Networks, Fortinet, ServiceNow, Splunk, Swimlane, Cyware, and D3 Security.
These platforms offer everything from extensive integrations and generative AI to advanced analytics and streamlined incident management processes, highlighting their importance in enhancing organizational security postures. For example, more than 1,000 out-of-the-box integrations and automated actions available, plus the ability to extend the platform, make Palo Alto Networks’ XSOAR a strong product in the market. FortiSOAR enables quick deployment even for companies lacking the required operational expertise yet can offer a flexible upgrade path to support the largest and most complex architectures. Additionally, it features an extensive connector database for third-party integrations.
In addition, ServiceNow’s Security Incident Response (SIR) platform consolidates incident management processes and provides organizations with innovative tools to quickly detect, analyze, and respond to security threats. Splunk SOAR integrates with more than 300 third-party tools and supports more than 2,800 automated actions, while Swimlane features visual dashboards and reports that give security teams critical insight into KPIs, compliance, process efficiency, and team performance.
Cyware stands out for its generative AI capabilities through its AI advisor, Quarterback, which is deeply integrated with Cyware's SOAR solution. Leveraging this integration, Quarterback AI drives over 4,000 pre-trained actions across more than 400 security and IT tools, while also enabling security teams to create their own custom actions. D3 Security's platform includes the Event Pipeline, a powerful feature that includes capabilities such as normalization, which extracts fields, IOCs, and other data to create a clear and consistent picture of each alert. This capability also includes threat triage, which enriches and ranks events by severity using third-party threat intelligence sources.
The other vendors are placed in the Challenger segment, with Microsoft being close to becoming a Leader. These other vendors are all positioned more towards the center of the Challenger segment.
Product Leaders (in alphabetical order):
Next, we examine innovation in the marketplace. Innovation is, from our perspective, a key capability in all IT market segments. Customers require innovation to meet evolving and even emerging business requirements. Innovation is not about delivering a constant flow of new releases. Rather, innovative companies take a customer-oriented upgrade approach, delivering customer-requested and other cutting-edge features, while maintaining compatibility with previous versions.
This view is mainly based on the evaluation of innovative features, services, and/or technical approaches as defined in the Required Capabilities section. The vertical axis shows the degree of innovation plotted against the combined/overall strength on the horizontal axis. The Innovation Leadership Chart is rectangular and divided into thirds. Innovation Leaders occupy the top section. Challengers are in the center. Followers are in the lower section.
Figure 4: Innovation Leadership in the SOAR market
Innovation Leaders are those vendors that are delivering cutting-edge products, not only in response to customers’ requests but also because they are driving the technical changes in the market by anticipating what will be needed in the months and years ahead. There is a correlation between the Overall, Product, and Innovation Leaders, which demonstrates that leadership requires feature-rich products that are looking over the horizon to bring advancements to help their customers.
Both established and specialized vendors continue to innovate in the SOAR market. Innovation is driven by capabilities such as use of generative AI, playbook customization, user interface, case management, reporting and analytics, and more.
In the Leaders segment, Fortinet comes in ahead of Palo Alto Networks, closely followed by a group of five vendors, consisting of ServiceNow, Securaa, Cyware, Swimlane, and Splunk.
Innovation Leaders (in alphabetical order):
Finally, we analyze Market Leadership. This is an amalgamation of the number of customers, the geographic distribution of customers, the size of deployments and services, the size and geographic distribution of the partner ecosystem, and financial health of the participating companies. Market Leadership, from our point of view, requires global reach.
In this chart, the vertical axis shows the market strength plotted against the combined/overall strength on the horizontal axis. The Market Leadership Chart is rectangular and divided into thirds. Market Leaders occupy the top section. Challengers are in the center. Followers are in the lower section.
Figure 5: Market Leaders in the SOAR Market
Microsoft is leading the market, being a dominant player in the SOAR space. Following them are large IT vendors with a considerable footprint in the SOAR market; these are Splunk, Palo Alto Networks, Fortinet, and ServiceNow.
The rest of the vendors are rated as Challengers. These are smaller vendors with mostly small partner ecosystems and limited market presence on a global scale.
Market Leaders (in alphabetical order):
This section provides an overview of the various products we have analyzed within this Leadership Compass. Aside from the rating overview, we provide additional comparisons that put Product Leadership, Innovation Leadership, and Market Leadership in relation to each other. These allow identifying, for instance, highly innovative but specialized vendors or local players that provide strong product features but do not have a global presence and large customer base yet.
Based on our evaluation, a comparative overview of the ratings of all the products covered in this document is shown in Table 1. Since some vendors may have multiple products, these are listed according to the vendor's name.
Vendor | Security | Functionality | Deployment | Interoperability | Usability |
---|---|---|---|---|---|
Cyware | |||||
D3 Security | |||||
Fortinet | |||||
ManageEngine | |||||
Microsoft | |||||
Palo Alto Networks | |||||
Securaa | |||||
ServiceNow | |||||
SIRP | |||||
Splunk | |||||
Swimlane | |||||
Table 1: Comparative overview of the ratings for the product capabilities
In addition, we provide in Table 2 an overview which also contains four additional ratings for the vendor, going beyond the product view provided in the previous section. While the rating for Financial Strength applies to the vendor, the other ratings apply to the product.
Vendor | Innovativeness | Market Position | Financial Strength | Ecosystem |
---|---|---|---|---|
Cyware | ||||
D3 Security | ||||
Fortinet | ||||
ManageEngine | ||||
Microsoft | ||||
Palo Alto Networks | ||||
Securaa | ||||
ServiceNow | ||||
SIRP | ||||
Splunk | ||||
Swimlane | ||||
Table 2: Comparative overview of the ratings for vendors
This section contains a quick rating for every product/service we’ve included in this KuppingerCole Leadership Compass document. For many of the products there are additional KuppingerCole Product Reports and Executive Views available, providing more detailed information.
In addition to the ratings for our standard categories such as Product Leadership and Innovation Leadership, we add a spider chart for every vendor we rate, looking at specific capabilities for the market segment researched in the respective Leadership Compass. For this market segment, we look at the following categories:
Responses: This category measures the types of manual and automated responses available in a given platform. Response capabilities often depend on the presence of integrations with third-party tools and the functions available via APIs to the tools. Responses are usually packaged in playbooks which can be customized, and templates that can be extended as needed. Examples of response actions might include enabling/disabling user accounts, blocking communications by IP or URL, isolating nodes, etc.
Enrichment: Enrichment is the process of adding intelligence and context to security events and incidents. SOAR platforms may pull threat intelligence from within their own network but should also support subscriptions to, and queries against, third-party threat intelligence sources. Support for standards such as STIX, TAXII, and MISP plays a crucial role in this process. This category measures the quantity and quality of threat intelligence sources available to each vendor’s SOAR solution.
Case Management: This metric evaluates how well the SOAR solution automatically processes enriched event information and presents it to analysts for action. Case management also includes automation of preliminary analysis, background triage, facilitation of collaboration between analysts, and interoperability with ticketing systems.
API Support: This evaluates the robustness and versatility of the SOAR platform’s API capabilities, which are fundamental for integrating with a wide range of other security tools and enabling customized workflows. API support in SOAR platforms is assessed by evaluating the types of APIs supported, such as REST, GraphQL, and Webhooks, alongside their security mechanisms like OAuth 2.0 for authentication. These aspects ensure the platform can integrate effectively with diverse security tools and handle complex workflows securely.
Analyst Interface: This category appraises the utility and presentation of information within the analyst interface. The analyst interface should allow queries to be easily built and executed, and should support extensive drill-down and linking of data between screens, map and timeline views, attack and response visualizations, incident-to-artifact relationship visualization, root cause analysis, etc.
Investigations: This label describes the features that enable analysts to conduct investigations, including methods for building queries, IoC updates, ability to create custom IoCs, behavioral analysis for creating baseline profiles, ML-enhanced detection and classification of outliers, and integration with SIEM and other analytics tools.
Automation: Many analyst tasks are repetitive, which makes them an inefficient use of analysts' time and a source of data entry errors. As a result, we expect modern SOAR solutions to remove statistical noise and reduce false positives without human intervention, relying on techniques such as behavior analysis and machine learning. This category measures the level of automation functions reported to be present in each solution. In addition, security analysts can use generative AI to create alerts and perform tasks such as incident analysis, playbook template generation, event summarization, decision support, and more.
Compliance and Reporting: This category assesses the SOAR solution's ability to provide detailed compliance reporting tools and support a range of regulatory standards, facilitating organizational compliance with legal and security requirements. It includes support for key standards such as ISO/IEC 27001, PCI-DSS, and SOC 2 Type II.
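The Responses, Enrichment and Automation categories above describe a flow that every SOAR platform implements in some form: normalize alerts from differently shaped sources, enrich them against threat intelligence, rank them, and either auto-dismiss or escalate them with a proposed response action. The following is an added, self-contained Python illustration of that flow, written for this section; it is not code from KuppingerCole or from any vendor evaluated here. The STIX 2.1 bundle, the two alert sources, the confidence-based scoring and the thresholds are all constructed for the example, and the pattern parser deliberately handles only simple single-comparison STIX patterns.

```python
"""Minimal SOAR-style event pipeline (added illustration, constructed data).

Stages: normalize -> enrich from a STIX 2.1 indicator bundle -> score
-> rule-based auto-dismiss / escalate -> propose a response action.
"""
import json
import re

# Constructed STIX 2.1 bundle standing in for a TAXII feed. Addresses and
# domains use RFC 5737 / reserved example ranges; confidence values are made up.
STIX_BUNDLE = """{
  "type": "bundle",
  "id": "bundle--00000000-0000-4000-8000-000000000001",
  "objects": [
    {"type": "indicator", "spec_version": "2.1",
     "id": "indicator--00000000-0000-4000-8000-000000000002",
     "created": "2024-01-01T00:00:00.000Z", "modified": "2024-01-01T00:00:00.000Z",
     "name": "Constructed C2 address", "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '198.51.100.7']",
     "valid_from": "2024-01-01T00:00:00Z", "confidence": 85},
    {"type": "indicator", "spec_version": "2.1",
     "id": "indicator--00000000-0000-4000-8000-000000000003",
     "created": "2024-01-01T00:00:00.000Z", "modified": "2024-01-01T00:00:00.000Z",
     "name": "Constructed phishing domain", "pattern_type": "stix",
     "pattern": "[domain-name:value = 'bad.example']",
     "valid_from": "2024-01-01T00:00:00Z", "confidence": 60}
  ]
}"""

# Only simple equality patterns are understood: [<object>:<property> = '<value>']
PATTERN_RE = re.compile(r"^\[(?P<obj>[\w-]+):(?P<prop>[\w.]+)\s*=\s*'(?P<val>[^']*)'\]$")

# Constructed raw alerts from two sources with different field names.
RAW_ALERTS = [
    {"source": "fw", "src": "198.51.100.7", "dst": "10.0.0.5", "msg": "outbound connection"},
    {"source": "proxy", "client_ip": "10.0.0.9", "host": "bad.example", "action": "allowed"},
    {"source": "proxy", "client_ip": "10.0.0.9", "host": "intranet.example", "action": "allowed"},
]


def load_indicators(bundle_json):
    """Return {(stix_object_type, value): indicator} for simple equality patterns."""
    table = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        match = PATTERN_RE.match(obj["pattern"])
        if not match:
            continue  # compound or non-equality patterns are out of scope here
        table[(match["obj"], match["val"])] = obj
    return table


def normalize(raw):
    """Map source-specific fields onto one schema and extract IoC candidates."""
    if raw["source"] == "fw":
        iocs = {("ipv4-addr", raw["src"]), ("ipv4-addr", raw["dst"])}
        return {"source": "fw", "iocs": iocs, "base_score": 20}
    if raw["source"] == "proxy":
        iocs = {("ipv4-addr", raw["client_ip"]), ("domain-name", raw["host"])}
        return {"source": "proxy", "iocs": iocs, "base_score": 10}
    raise ValueError(f"unknown source: {raw['source']}")


def enrich(event, indicators):
    """Attach matching indicators; score = base + highest indicator confidence."""
    hits = [indicators[k] for k in event["iocs"] if k in indicators]
    event["ti_hits"] = hits
    event["score"] = event["base_score"] + max((h.get("confidence", 50) for h in hits), default=0)
    return event


def triage(event):
    """Rule-based disposition plus the response the playbook would propose."""
    if not event["ti_hits"] and event["score"] < 30:
        event["disposition"], event["response"] = "auto_dismissed", None
    elif event["score"] >= 80:
        event["disposition"], event["response"] = "escalated", "isolate_host"
    else:
        event["disposition"], event["response"] = "analyst_review", "block_indicator"
    return event


def run_pipeline(raw_alerts, bundle_json):
    """Run every raw alert through normalize -> enrich -> triage."""
    indicators = load_indicators(bundle_json)
    return [triage(enrich(normalize(r), indicators)) for r in raw_alerts]


if __name__ == "__main__":
    for ev in run_pipeline(RAW_ALERTS, STIX_BUNDLE):
        print(ev["source"], ev["score"], ev["disposition"], ev["response"])
```

The firewall alert touching the constructed C2 address scores above the escalation threshold and gets an isolation action proposed; the proxy alert for the listed domain lands in the analyst queue with a block action; the proxy alert with no intelligence match is auto-dismissed. In a real deployment the thresholds, the action catalogue and the indicator feed would all come from configuration and the TAXII subscription rather than being embedded.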
Founded in 2016 and headquartered in New Jersey, Cyware is notable for its Cyware SOAR solution, which is designed to enhance security operations by proactively stopping threats, connecting disparate security incident data, automating repetitive tasks, and significantly reducing response times. The company's client base predominantly consists of small, mid-market and large enterprises, MSSPs, information sharing communities (ISACs and ISAOs), CERTs, and government entities and regulators. It offers its services on a global scale, with coverage extending across North America, EMEA, and the APAC region. The licensing model is based on a fixed annual cost. However, to accommodate diverse organizational needs, customers have the option to purchase additional licenses tailored for various roles such as administrators, analysts, and subscribers.
Cyware's SOAR solution consists of two standalone, but fully integrated technologies: a dedicated security orchestration and automation platform called Cyware Orchestrate, and an incident response and threat analysis platform called Cyware Respond. This decoupled SOA+R approach ensures that security orchestration and automation capabilities extend beyond incident response to all other key security functions such as case management, threat intelligence, threat detection, cloud security, network security, etc. The solution can be deployed on-premises, private cloud, public cloud, and as a service offered through MSSPs. However, the solution lacks an online community for sharing content and expertise.
In addition, the solution supports correlation of both real-time and historical threat data and incidents. Customers can also set enrichment policies and manage enrichment tool usage quotas to enrich threat data based on configured sources and conditions. Cyware playbooks are customizable and come with several intuitive features such as drag-and-drop editing, pre-built templates, node customization, etc. Cyware's pre-built playbook templates and app library also provide advanced no-code automation capabilities for security teams. It supports 125+ pre-built playbooks across more than 400 third-party cybersecurity and IT tools.
Cyware offers generative AI capabilities through its AI advisor, Quarterback, which is integrated with Cyware's SOAR solution. Leveraging this integration, Quarterback AI drives over 4,000 pre-trained actions across more than 400 security and IT tools, while also enabling security teams to create their own custom actions. Essentially, the Quarterback feature serves as an AI-powered chatbot capable of performing various tasks, including summarizing cases, executing investigative actions, conducting threat hunting exercises, and automating response actions, among others. Designed to help analysts make faster, more informed decisions, it automates incident response by connecting applications, systems, and people and turning threat intelligence into intelligent actions.
In addition to Quarterback, Cyware's low-code/no-code (LC/NC) automation capabilities are integral to its Cyber Fusion Strategy. By normalizing and enriching threat intelligence (TI), users can focus on specific actions using Cyware's automation tools. Furthermore, Cyware offers flexibility, allowing integration with other SOAR solutions, providing customers with alternative options tailored to their needs. The solution offers an integrator named Cyware Agent that helps bridge the gap between cloud operations and on-premises deployed solutions. Cyware Agent enables collection, analysis, and operationalization of data from all sources across cloud and on-premises environments in real-time for conducting machine-driven orchestration and automation actions. Moreover, the company supports STIX, TAXII, YARA, and MISP. Supported API protocols include REST, RPC, SOAP, Webhooks, WebSockets, and GraphQL. It also supports JWT, OAuth2, SAML, and Key exchange for API authentication. MFA methods supported include mobile authenticator apps and vendor-provided apps.
The Cyware SOAR platform provides a robust framework for automating and orchestrating security operations, enabling organizations to efficiently manage and respond to cyber threats in a streamlined and integrated manner. Cyware’s agility and innovativeness make them a worthy choice for potential customers ranging from medium-size businesses to large enterprises. Additionally, its ability to integrate with legacy systems makes it a good choice for organizations looking to modernize their security operations. Cyware appears in the product and innovation leadership categories.
Ratings | |
---|---|
Security | |
Functionality | |
Deployment | |
Interoperability | |
Usability | |
Table 3: Cyware’s rating
Strengths |
|
Challenges |
|
Leader in |
D3 Security was founded in 2002 in Vancouver, Canada. Between 2002 and 2014, the company provided incident and case management for IT security teams. D3 Security views SOAR as a pathway to fundamental improvements in the security operations of enterprises and MSSPs in finance, pharmaceutical, government, utilities and healthcare. Coverage is primarily focused on North America, but with a growing presence in EMEA, APAC, and Latin America. Licensing is per user. In 2024, D3 Security unveiled a comprehensive rebranding, introducing a new brand voice, visual identity, and logo across all digital and physical platforms.
The Smart SOAR platform, formerly known as NextGen SOAR, is designed to streamline the management of security events and incidents effectively. The solution can be deployed on-premises, public cloud, and as a service offered through MSSPs. A standout feature of the solution is the MSSP Client Portal. MSSPs can provide their customers with access to a dedicated portal, enabling them to review and interact with tickets created by the security team. This approach removes the need for external ticketing tools and creates an integrated response loop between the SOAR and ITSM tools. With more than 500 out-of-the-box integrations, D3 also develops, tests, and maintains customer integrations, eliminating the need for customers to engage in extensive API programming. Instead, customers can utilize pre-configured integration commands that handle complex data interactions and error management within the platform itself. D3 recently announced its Legacy SOAR Migration Program in response to increasing demand from organizations looking to transition away from legacy SOAR solutions.
Smart SOAR offers advanced data enrichment and correlation tasks, automatically surfacing critical information in the investigation tab to aid quick decision-making. The platform’s Event Pipeline is a strong feature that includes capabilities such as normalization which extracts fields, IOCs, and other data to create a clear and consistent picture of each alert. This capability also includes threat triage, which enriches and ranks events by severity using third-party threat intelligence sources, and auto dismissal and escalation, which applies rule-based filters to automatically close false positives and trigger incident response playbooks.
D3 has a separate playbook engine for events and incidents. The event playbook eliminates duplicates and handles correlation on ingestion, while the incident playbook helps with the incident response process for day-to-day work. In addition, the platform triggers an incident-specific playbook when a MITRE ATT&CK technique is identified by a security tool and ingested into the SOAR platform. The playbook also queries, extracts, and enriches incidents with contextual data from threat intelligence tools, and searches for related TTPs. Moreover, users can leverage out-of-the-box event playbooks to calculate and assign severity on ingestion. Additionally, D3 recently introduced two new playbook task types, Mutex Lock and Mutex Unlock, designed to enhance task management within playbooks. The platform also supports nested playbooks, which are particularly useful for threat- or asset-specific workflows that can be reused across multiple parent playbooks.
For generative AI, D3 has taken a more measured approach. The company was among the first to integrate ChatGPT into their workflows, enhancing the efficiency of analysts by allowing them to incorporate AI-generated summaries and responses directly into their operational processes. Additionally, D3 is participating as a development partner in Microsoft's Security Copilot program. More recently, Smart SOAR released an AI-enabled command execution feature, providing users with hundreds of pre-set commands ranging from data transformations to endpoint isolation. Previously, users had to manually select the required command from a dropdown menu. Now, they can simply describe the desired outcome, and the embedded LLM (Large Language Model) within Smart SOAR will automatically suggest the appropriate command. Complementing this, D3 launched "Ace AI," a suite of AI features integrated into Smart SOAR. A notable component of Ace AI is its Natural Language-Driven Playbook Development feature, which enables users to reduce playbook development times by inputting plain text that outlines the desired functionality.
The company supports STIX, TAXII, and MISP. Supported API protocols include REST and Webhooks. It also supports JWT, OAuth2, and SAML for API authentication. MFA methods supported include mobile authenticator apps, vendor-provided apps, and code-based verification via email or SMS. D3 Security is vendor-agnostic. The company positions itself as a strong alternative to the established offerings supporting mid-market to enterprise organizations. Organizations looking for SOAR functionality, particularly those in North America, should consider D3 Security. The company appears in the product leadership category.
Ratings | |
---|---|
Security | |
Functionality | |
Deployment | |
Interoperability | |
Usability | |
Table 4: D3 Security’s rating
Strengths |
|
Challenges |
|
Leader in |
Fortinet is an American cybersecurity company with headquarters in Sunnyvale, California, USA. Established in 2000, it provides a wide range of network security and threat protection solutions for carriers, data centers, enterprises, and distributed offices. Its solutions are integrated into the Fortinet Security Fabric. The Fortinet security operations portfolio includes SIEM, SOAR, and XDR capabilities, as well as more advanced security analytics, automation tools, and security operations tools such as NDR, ASM, and Deception. Fortinet’s sweet spot is the mid-market and large enterprises in North America, EMEA, and the APAC region. Licensing is per user and per node.
Fortinet offers FortiSOAR as a standalone product. It is also available as part of its SecOps integrated offering with FortiSIEM, FortiEDR and other SecOps offerings. FortiGuard threat feeds are included with FortiSOAR. Additionally, FortiSOAR Threat Intelligence Management supports hundreds of intelligence sources. A free version supports a limited feed of Fortinet’s FortiGuard Intelligence feed. The full TIM license provides a robust set of functions as well as unlimited processing of any supported feed. The solution can be deployed on-premises, private cloud, public cloud, and as a service offered through MSSPs.
FortiSOAR has connectors for over 600 sources, with new connectors being built each quarter. FortiSOAR correlates security data from multiple sources. It integrates with a variety of security tools and systems - from SIEMs, EDRs and firewalls to IAM and threat intelligence platforms - to collect and centralize data from these disparate sources. FortiSOAR's correlation engine can then analyze this data to identify patterns and connections between different security events, effectively improving threat detection and providing a more complete understanding of potential security incidents.
FortiSOAR includes a visual playbook designer that enables a low-code approach to automating security workflows through an intuitive drag-and-drop interface. Users can visually build playbooks by arranging nodes that represent actions, decisions or conditions, simplifying the creation and management of complex automations. In addition, FortiSOAR integrates with FortiAI, which allows users to select templates and create playbooks using natural language prompts, further streamlining the playbook creation process by translating user intent into executable actions. Custom code snippets, cloning, copying from other playbooks, playbook blocks, versioning - all are supported.
Furthermore, the FortiAI GenAI assistant and ML-based Recommendation engine enhance security operations by offering support and actionable insights for analysts at all experience levels. For instance, during investigations and responses, FortiAI automates alert analysis and provides recommendations, along with guidance on handling investigations, understanding attacker profiles, and determining response actions. The company supports STIX, TAXII, YARA, and MISP. Supported API protocols include REST, RPC, SOAP, Webhooks, WebSockets, and GraphQL. Fortinet also supports JWT, OAuth2, SAML, and Key exchange for API authentication. MFA methods supported include mobile authenticator apps and vendor-provided apps.
Overall, Fortinet’s FortiSOAR provides a highly modular and flexible solution. It offers a comprehensive platform, empowering organizations to streamline their security operations through advanced automation, compliance, and guided incident response capabilities. The platform enables quick deployment even for companies lacking the required operational expertise yet can offer a flexible upgrade path to support the largest and most complex architectures. Organizations that are already Fortinet customers may find it easy to add FortiSOAR capabilities to their security portfolio. The company appears in the overall, product, innovation, and market leadership categories.
Ratings | |
---|---|
Security | |
Functionality | |
Deployment | |
Interoperability | |
Usability | |
Table 5: Fortinet’s rating
Strengths |
|
Challenges |
|
Leader in |
Headquartered in Pleasanton, California, USA with development and operations happening out of Chennai, India, ManageEngine provides over 180,000 customers around the world with over one hundred solutions for managing IT operations for endpoints, servers, networks, and the cloud, as well as security tools for desktops and mobile devices. ManageEngine is a division of privately held ZOHO, founded in 1996. ManageEngine also has products for IT Help Desk management, patch and vulnerability management, MDM, SIEM, PAM, and other areas of IT management and security. The company's client base consists of small, medium, mid-market, and large enterprises across a variety of critical sectors including finance, manufacturing, and healthcare. Coverage includes North America, EMEA, Latin America, and the APAC region. Licensing is based on the number of log sources including servers, domain controllers, databases, applications, etc.
ManageEngine Log360 has both SIEM and SOAR in a single package. SOAR capabilities are built within Log360 and include security analytics, anomaly detection using ML algorithms, automated incident response workflows (playbooks), visual workflow builder, etc. The solution can be deployed on-premises, private cloud, public cloud, and as a service offered through MSSPs. Customers have the option to choose point-products that solve specific challenges or Log360 as a whole. The cloud version of Log360 (Log360 Cloud, their Cloud SIEM solution) is being developed as a single platform.
Log360 is designed to promptly detect indicators of compromise and alert administrators in real time. The platform enables configuration of incident response workflows that automatically initiate actions—such as killing processes, shutting down systems, or disabling users—when specific conditions are met or threats are detected by the correlation engine. In addition, the solution facilitates the creation of response workflows through a visual drag-and-drop workflow builder. The incident workbench allows security analysts to efficiently investigate threats, providing easy access from anywhere within the SIEM console. Enhanced analytical tools, such as point-and-probe functionality and process flow visualization through parent-child trees, clusters, and Sankey charts, aid in the quick analysis and identification of suspicious activity involving users, devices, and processes. Log360 allows users to customize the dashboard and the widgets displayed, so that they can instantly view the network events they deem important. Anomaly risk modelling is customizable as well.
The platform can also interoperate with PAM solutions such as PAM360, which is an offering from ManageEngine. Log360 can also trigger alerts and tickets in ITSM systems. Generative AI is currently on the roadmap. Since Log360 is a SIEM, it has limited connectors to other SIEMs. What Log360 lacks in certain functions compared to other SOAR specialists, it compensates with a broad range of additional security and compliance features, which are incorporated into a convenient unified management console with out-of-the-box reporting capabilities. The company supports STIX, TAXII, and MISP. Supported API protocols include REST and Webhooks. The company does not support any API authentication methods. MFA methods supported include mobile authenticator apps, vendor-provided apps, smart cards, e-mail, and SMS/OTPs.
With Log360, customers are able to combine multiple security solutions according to their needs and requirements. ManageEngine is a large global IT company with good geographic distribution of support and integration partners. Organizations that are already ManageEngine and Zoho customers may find it easy to add SIEM and some SOAR functionality to their security portfolios.
Ratings | |
---|---|
Security | |
Functionality | |
Deployment | |
Interoperability | |
Usability | |
Table 6: ManageEngine’s rating
Strengths |
|
Challenges |
|
Microsoft, founded in 1975 and based in Redmond, USA, is a familiar figure in the hardware and software, digital services, and cloud infrastructure businesses. The company is the world's largest software company and one of the top corporations by market capitalization. Microsoft Sentinel is a cloud-native SIEM and SOAR platform that delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response. The company offers its services on a global scale, with coverage in North America, Latin America, EMEA, and APAC. Licensing is subscription based and pricing is based on the volume of data ingested. However, customers can choose a pay-as-you-go model and only pay for what they use.
Microsoft Sentinel is a cloud-native SIEM and SOAR solution that provides an intelligent, comprehensive, and integrated approach to security event management and response. It provides cyber threat detection, investigation, response, and proactive hunting. The solution integrates with IT and security products, ingesting logs for monitoring and detections, or orchestrating actions. Connectors and security logic are discoverable through the Content Hub. These connectors include Microsoft sources and Azure sources like Microsoft Entra ID, Azure Activity, Azure Storage, and more.
The solution incorporates threat detection capabilities based on the MITRE ATT&CK framework, enhancing visibility into security threats and the coverage of an organization’s security measures. The integration of multiple sources of threat intelligence into Sentinel allows for the detection of malicious activity and provides essential context for security responses. The platform also supports the creation of watchlists, which help correlate data from specific data sources with events in the Sentinel environment for monitoring and response actions. Sentinel automated workflows (playbooks) are based on the Azure Logic Apps platform, which runs billions of actions for thousands of organizations. With hundreds of OOTB connectors available, Sentinel playbooks can integrate with Azure services, as well as with third-party ticketing systems, collaboration platforms, and custom APIs.
Users can access a prioritized list of alerts, receive correlated analyses of security events within seconds, and visualize the full extent of every attack. The platform simplifies security operations and accelerates threat response by integrating automation and orchestration of common tasks and workflows. For example, Microsoft Copilot for Security, a generative AI-powered solution, integrates with the Microsoft Security portfolio, including Microsoft Sentinel. This integration is designed to significantly enhance the capabilities of security professionals by boosting efficiency and rapidly improving security outcomes. Offering a natural language, assistive copilot experience, it supports security professionals in multiple scenarios including incident response, threat hunting, intelligence gathering, and posture management. Utilizing the advanced capabilities of OpenAI architecture, the solution employs security-specific plugins that incorporate organization-specific data, authoritative sources, and global threat intelligence. The company supports STIX, TAXII, and MISP. Supported API protocols include REST and OData. Microsoft also supports OAuth2 and SAML. MFA methods supported include mobile authenticator apps and vendor-provided apps.
Each organization has different requirements and needs when it comes to adopting a SOAR solution. However, Microsoft Sentinel has the scalability and performance to provide organizations with alert detection, threat visibility, proactive hunting, and threat response capabilities. The solution should be on the shortlist for customers with a lot of Microsoft investments and Azure cloud. Microsoft appears in the market leadership category.
Ratings | |
---|---|
Security | |
Functionality | |
Deployment | |
Interoperability | |
Usability | |
Table 7: Microsoft’s rating
Strengths |
|
Challenges |
|
Leader in |
Palo Alto Networks, founded in 2005 in Santa Clara, CA, was the pioneer in Next Generation Firewall (NGFW) technology, and is also a major player in the SOAR market after the acquisition of Demisto. Palo Alto Networks also offers endpoint security, XDR, threat intelligence feeds, firewalls, SASE, and other security products. XSOAR includes an engine that enables connecting cloud to on-prem, on-prem to cloud, and cloud to cloud. Customers can deploy multiple engines. Palo Alto Networks hosts a managed service, and some MSSPs use their software for SOAR functions as well. The company's customer base consists primarily of mid-market and large enterprise organizations across multiple industries in North America, Latin America, EMEA, and APAC. Licensing is per admin/analyst user.
Cortex XSOAR is available as a standalone SOAR solution that integrates with major SIEM products, forming a key component of the comprehensive Cortex security operations portfolio. This portfolio includes Cortex XDR, Cortex Xpanse, and Cortex XSIAM—all built on a unified backend platform. Additionally, Cortex XSOAR incorporates threat intelligence management, automating the ingestion, normalization, and deduplication of threat data from various sources into a unified workflow. This integration helps in building detailed threat profiles and provides contextualized data crucial for prioritizing and responding to incidents effectively. The integrated case management system enhances collaboration through features like a war room for each incident, chatbots, and direct integrations with ticketing tools such as ServiceNow, Jira, Remedy, and Slack, enabling streamlined remediation processes.
Playbooks in XSOAR automate most responses. Utilizing advanced mechanisms such as pre-processing policies, these playbooks help to eliminate false positives, deduplicate, and cluster events efficiently. Each playbook is tailored to a specific event type and incorporates logic to score incidents based on enriched event data, enhancing the accuracy and relevance of security responses. Users can customize over 900 out-of-the-box playbooks through a user-friendly drag-and-drop visual editor designed for no-code/low-code automation, making playbook adaptation accessible to all skill levels. Furthermore, XSOAR offers thousands of automated scripts that act as foundational building blocks for developing new playbooks, allowing users to address a broad spectrum of automation tasks. The platform also supports the creation of sub-playbooks, which can be nested and reused across multiple scenarios.
The platform’s continuous innovation is evident in its biweekly updates of automation packs and quarterly platform enhancements that focus on user experience improvements and the integration of generative AI capabilities, further simplifying the playbook creation process for users. XSOAR features built-in chatbot capabilities and supports integration with ChatGPT and other large language models (LLMs), enabling customers to develop their own LLM models. Additionally, as part of the broader Precision AI initiative, generative AI capabilities are being developed across the entire Cortex platform. These capabilities are envisioned as a Cortex Copilot assistant, which will be progressively implemented into each Cortex product following both near and long-term roadmaps. The company supports STIX, TAXII, YARA, CSV, JSON, and MISP. Supported API protocols include REST, Webhooks, Websockets, and GraphQL. Palo Alto Networks also supports JWT, OAuth2, SAML, and Key exchange for API authentication. MFA methods supported include mobile authenticator apps, vendor-provided apps, e-mail, smart cards, and SAML 2.0 integration.
Unlike other solutions that may excel in specific areas, Cortex XSOAR delivers an all-encompassing package that integrates not only with Palo Alto Networks’ products but also with third-party tools across network, cloud security, and IT operations. The substantial number of connectors available, plus the ability to extend the platform, make Palo Alto Networks’ XSOAR one of the dominant products on the market today. Palo Alto Networks’ agility and scalability make them a worthy choice for mid-market organizations and large enterprises. Palo Alto Networks appears in the overall, product, market, and innovation leadership categories.
Ratings | |
---|---|
Security | |
Functionality | |
Deployment | |
Interoperability | |
Usability | |
Table 8: Palo Alto Networks’ rating
Strengths |
|
Challenges |
|
Leader in |
Headquartered in Bengaluru, India, Securaa was founded in 2018. The company provides a SOAR platform that enhances a SOC’s capabilities with automation, threat enrichment, and real-time visibility and control. Despite being a young and small vendor, Securaa is one of the few SOAR platforms to have Cyber Security Asset Management (CSAM) along with a Threat Intelligence Platform (TIP), enabling security teams to get the full internal context around assets, vulnerabilities, exploits and business impact. Their customer base is primarily located in the APAC region, but with a growing presence in EMEA and North America. The licensing model is based on a per-user and fixed annual cost.
Securaa is fully multi-tenant and built on a container-based microservices architecture. The solution is completely modular, and components can be deployed across hybrid environments. Leveraging no-code and automation features, the platform supports more than 200 integrations with a wide range of tools, allowing additional products to be swiftly incorporated into the platform. The TIP connects indicators of compromise with over 20 open-source threat intelligence sources and numerous commercial feeds, providing dynamic insights into the evolving threat landscape. Conversely, CSAM focuses on organizational context by providing a single pane of glass, enabling the identification of exposure gaps and enriching data related to users, assets, vulnerabilities, and exploits. It gathers and synthesizes information from various platforms, enhancing an organization's understanding and management of its security posture.
With advanced analytics, Securaa can generate attribution theories to hypothesize the likely sources of attacks based on attack patterns, tactics, techniques, and procedures (TTPs). For example, if a particular type of malware or attack vector is commonly associated with a particular threat actor, the platform can intelligently suggest this connection, enhancing the accuracy of threat identification. Additionally, the platform provides a visual workflow editor for analysts to build or modify playbooks. Out-of-the-box playbooks cover the most common use cases, such as ransomware, phishing, case management, incident response, vulnerability management, malware analysis, and more. It also includes manual, semi-automated, and fully automated execution of playbooks for orchestration and response automation (500+ automated tasks and 150+ ready-to-use playbooks).
The platform's Cyber Security Asset Management (CSAM) stands out as a key feature, providing SOC analysts with a comprehensive view of enterprise assets. Analysts can tailor asset data based on criteria such as asset tags, business criticality, usage, ownership, and business SLAs. This detailed asset information significantly aids incident prioritization and the understanding of attack paths. In addition, the solution supports multiple native AI capabilities, including generative AI and a chatbot. Utilizing Natural Language Processing (NLP), the platform aids human operators with daily operational tasks such as alert summarization, query generation, report creation, and playbook development. The AI-driven chatbot provides information such as playbook execution status and details about the target and victim. The AI bot also facilitates product deployment and integration at MSSPs, streamlining the onboarding process for new tenants. The company supports STIX, TAXII, YARA, and MISP. Supported API protocols include REST, SOAP, WebSockets, and Webhooks. Securaa also supports JWT and SAML for API authentication. MFA methods supported include mobile authenticator apps, vendor-provided apps, FIDO, hardware tokens, smart cards, and magic links.
Equipped with advanced features, Securaa provides SOC analysts with essential tools to manage, secure and streamline daily operational tasks. Securaa positions itself as a strong alternative to the established offerings, which should be of interest to organizations looking for a modern and highly modular offering. Securaa appears in the innovation leadership category.
Table 9: Securaa’s rating [rating values for Security, Functionality, Deployment, Interoperability, and Usability, together with the Strengths, Challenges, and Leader in entries, are not included in this extract]
ServiceNow, founded in 2004 and headquartered in Santa Clara, is a large IT management, operations, and business management software vendor. It also has products in the IT security, asset management, GRC, and DevOps areas, providing solutions for both employee- and customer-facing enterprises. Its SOAR offering can be deployed on-premises, in private cloud, in public cloud, and as a service through MSSPs. ServiceNow has a strong presence in North America, with a growing customer base in the EMEA and APAC regions. The solution is licensed per user.
ServiceNow Security Incident Response (SIR) is a comprehensive solution designed to enhance the way organizations manage and respond to security threats. The company's IntegrationHub feature supports bidirectional integrations with any SIEM system, simplifying the creation of integrations. It integrates with a variety of third-party risk or security systems using pre-built connectors, allowing customers to swiftly incorporate and customize their own workflows. Moreover, the platform supports a low-code/no-code technology stack through its Flow Designer, simplifying the creation of playbooks or integrations by dragging and dropping available actions. The platform is also adaptable to on-premises requirements, supporting deployments with MID Servers as well as multiple authentication methods.
The Security Analyst Workspace capability provides an intuitive user experience where analysts can manage the entire lifecycle of alerts and incidents. This workspace includes dashboarding and reporting capabilities that increase visibility and control over security operations. The platform’s orchestration capabilities allow for both automatic and manual activation of processes, including a wide range of security playbooks for common threats. These playbooks can be fully customized to meet specific organizational needs. Furthermore, the platform supports simultaneous execution of multiple playbooks, providing detailed guidance for complex security scenarios. The solution is aligned with the MITRE ATT&CK framework, providing visibility into detection and mitigation coverage. It integrates security incident response and vulnerability data into a heat map, enabling proactive and reactive threat hunting and giving security teams crucial insights.
The ServiceNow platform has mature reporting capabilities that provide metrics on each incident, highlighting opportunities for workflow automation and planning, as well as statistics that can be used at the highest levels of the organization in dashboards and reports for status, team goals, and training. For enhanced automation capabilities, the platform offers both a virtual agent and the Now Assist feature. The virtual agent delivers basic assistance and automation, streamlining routine tasks. In contrast, Now Assist, powered by generative AI, handles more complex functions such as correlating, deducing, and analyzing information, providing a deeper and more sophisticated level of support and insight. ServiceNow's proprietary Now Large Language Model (LLM), which is specifically tailored for IT operational environments, draws on anonymized data from ServiceNow’s extensive customer base. This data includes knowledge articles and other operational data, providing a rich source of real-world insights.
The company has obtained multiple relevant security and compliance certifications, including FIPS 197 (Advanced Encryption Standard), FIPS 140-2 (Cryptographic Module Standards), NIST 800-57 (Key Management), ISO/IEC 15408 (Common Criteria), ISO/IEC 27001, PCI-DSS v3.2, SSAE 18 SOC 2, HIPAA/HITRUST, and US FedRAMP. It supports STIX, TAXII, and MISP for threat intelligence. Supported API protocols include REST, RPC, OData, SOAP, Webhooks, and W3C WebAuthn. It also supports JWT, OAuth2, SAML, and key exchange for API authentication. MFA methods supported include mobile authenticator apps and smart cards.
The ServiceNow SIR platform consolidates incident management processes and provides organizations with innovative tools to quickly detect, analyze, and respond to security threats. ServiceNow is highly scalable and has excellent case management features. It has built integrations with many diverse threat intelligence sources for enrichment. Organizations that use ServiceNow for ITSM or other functions may find it easy to gain SOAR functionality by adding Security Incident Response. ServiceNow is continuously adding more integrations and innovative features to its platform. The company appears in the overall, product, market, and innovation leadership categories.
Table 10: ServiceNow’s rating [rating values for Security, Functionality, Deployment, Interoperability, and Usability, together with the Strengths, Challenges, and Leader in entries, are not included in this extract]
SIRP, a start-up founded in 2017 and based in London, offers a risk-based SOAR platform that combines security orchestration, playbook automation, and case management capabilities to optimize processes for threat response and vulnerability management. The platform applies risk scoring and context to accelerate investigation and incident response. SIRP has a presence in Saudi Arabia, UAE, Bahrain, Pakistan, Italy, Austria, and the UK. Its client base is mainly composed of mid-market and large enterprises in the finance, manufacturing, and oil and gas industries. Licensing is per user on an annual basis.
The SIRP platform offers incident management, threat intelligence management, vulnerability management, prioritization scoring, and asset management capabilities. The platform is multi-tenant, supports hybrid deployments, and provides SLA tracking. The solution comprises both on-premises and cloud components. SIRP also offers SOAR as a managed service that enterprises and MSSPs can use. SIRP provides a suite of 200 apps that support more than 1000 actions through extensive integrations with a variety of systems, including SIEM platforms, EDR solutions, firewalls, threat intelligence platforms, and vulnerability assessment solutions. In addition to launching new integrations every week, the company builds customer-requested integrations at no extra cost, after which they become officially supported integrations.
The SIRP Security Score (S3) feature is designed to provide a quantifiable measure of threat exposure, incorporating both internal and external factors to help prioritize risks efficiently. By evaluating diverse elements such as network vulnerabilities, past incidents, and threat intelligence, the S3 score enables organizations to strategically focus their resources on the most pressing threats. This prioritization means that security teams can make informed decisions quickly, enhancing their response capabilities to incidents that pose the greatest risk. The scoring system thus allows teams to concentrate on critical issues first, significantly reducing the time spent on false positives.
Playbooks in SIRP can be customized and can execute actions in remote systems. Playbooks can be created using the Playbook Canvas, a visual flow-chart builder, or by leveraging templates and resources available in the marketplace. Some of the playbooks available in the marketplace include brute-force attempt response, threat intelligence - vulnerability automation, successful VPN login from a restricted country, artifact enrichment, phishing email response, and automated malware alert response. Furthermore, the platform allows tasks to be run manually, semi-automatically, or fully automatically.
SARA, powered by generative AI, functions as an interactive tool designed to support security analysts by streamlining incident management and remediation processes. It operates like a chatbot, offering predefined options that analysts can select to retrieve information and generate responses without needing to type queries manually. For instance, SARA can fetch remediation details, expand on them, simplify complex information, or correct grammatical errors. SIRP supports STIX, TAXII, YARA, and MISP. Supported API protocols include REST, RPC, and Webhooks. It also supports JWT for API authentication. MFA methods supported include mobile authenticator apps.
SIRP continues to enhance its platform by focusing on real-time operational capabilities and the automation of security tasks. Its presence in the Middle East, both in terms of customers and sales targets, is a plus for that region and for its own growth potential. Organizations that prefer a cost-effective and user-friendly SOAR solution for their mid-market and enterprise security needs should consider SIRP.
Table 11: SIRP’s rating [rating values for Security, Functionality, Deployment, Interoperability, and Usability, together with the Strengths and Challenges entries, are not included in this extract]
Splunk was founded in 2003 and is headquartered in San Francisco, California. Since then, the company has been producing solutions for searching, monitoring, and analyzing many kinds of machine-generated data. With its worldwide market presence and a strong global partner ecosystem, Splunk is often considered a de facto standard for operational analytics and intelligence solutions. The company's customer base consists primarily of mid-market and large enterprise organizations across multiple industries in North America, Latin America, EMEA, and APAC. Licensing is structured on an annual basis per user and per server. In early 2024, Splunk was acquired by Cisco to enhance its network and security offerings with advanced data analytics and insights capabilities.
Splunk SOAR is offered as a standalone product with the ability to integrate with other Splunk products. It integrates with Splunk Enterprise Security to provide a seamless and intuitive SecOps platform to prevent, detect, and respond to advanced and emerging threats. The solution supports cloud, on-premises, hybrid, and multi-cloud deployments. Splunk SOAR integrates with 300+ third-party tools and supports 2,800+ automated actions. Splunk SOAR apps provide a mechanism to extend Splunk SOAR by adding connectivity to third-party security technologies in order to run actions. In addition to testing all the apps, the company has open-sourced the connectors on GitHub, which improves quality and encourages community contributions.
Splunk SOAR's Visual Playbook Editor is a key feature that simplifies the creation, editing, and implementation of customized workflows. This tool eases the scaling of automated playbooks, helping teams to eliminate routine tasks and respond to security incidents more effectively. The platform includes a diverse array of prebuilt playbooks aligned with foundational SOC tasks, utilizing frameworks like MITRE ATT&CK and D3FEND to facilitate comprehensive automation from simple tasks to complex use cases. Further enhancing its capabilities are features like Logic Loops, which simplify the creation and maintenance of playbooks by allowing repeatable looping functionality without custom code.
Splunk has recently enhanced its product lineup with the introduction of the Splunk AI Assistant and updates to Splunk Enterprise Security. The AI Assistant offers generative AI features that streamline tasks such as problem detection and system troubleshooting, improving efficiency for IT operations and security workflows. Meanwhile, Splunk Enterprise Security 8.0 has been upgraded to provide a more unified and automated approach to threat detection and response, integrating natively with Splunk Mission Control and featuring enhanced automation via Splunk SOAR.
Splunk SOAR also excels in case and event management. It orchestrates workflows across security and IT stacks, utilizing workbooks to transform processes into reusable templates. This helps ensure a cohesive and collaborative incident response process. In event management, Splunk consolidates events from multiple sources into a single platform, helping analysts prioritize and respond to significant security incidents efficiently. Splunk supports STIX and TAXII. Supported API protocols include REST, Webhooks, and WebSockets. It also supports SAML for API authentication. MFA methods supported include mobile authenticator apps and vendor-provided apps.
The solution enhances security operations by enabling rapid automation of complex workflows and incident responses through its robust integration with over 300 third-party tools. The ability to scale the platform makes Splunk SOAR an excellent choice for mid-market and large enterprises. Organizations looking to get started on a SOAR journey should consider Splunk's products and services. Splunk appears in the overall, product, and market leadership categories.
Table 12: Splunk’s rating [rating values for Security, Functionality, Deployment, Interoperability, and Usability, together with the Strengths, Challenges, and Leader in entries, are not included in this extract]
Swimlane is an AI-enhanced security automation company launched in 2014 and headquartered in Denver, Colorado. The company has offices in India, Japan, the United Kingdom, and Malaysia. Coverage has been primarily focused on North America but is now growing across EMEA, APAC, Latin America, and Africa (META). Swimlane Turbine is reportedly favored by government agencies, large enterprises, and service providers for its fully multi-tenant architecture and its ability to accommodate extremely high event throughputs. Swimlane is licensed primarily based on the number of automated events.
The Swimlane platform has been delivering low-code security automation and SOAR solutions to the market since 2017. The solution can be deployed on-premises, in private cloud, in public cloud, and as a service offered through MSSPs. It is designed to integrate with any API, accommodating virtually any customer-required integration. The company offers customers on-demand integrations at no additional cost, so the set of supported business applications is constantly changing. All pre-built integrations can be found in the Swimlane Marketplace.
Turbine Canvas is a low-code playbook-building studio that leverages no-code logic, modular and reusable components, and AI-generated Python scripting tools to streamline automation, improving operational efficiency. Users can open the graph to edit the playbook and its associated actions directly or create components that can be reused across multiple playbooks. Furthermore, modifications can be made to existing playbooks, allowing them to be adapted for various use cases. For even greater flexibility, playbooks can be imported and exported to facilitate reuse in different scenarios. Additionally, the Turbine platform comes equipped with foundational SOC automation use cases such as phishing, alert triage (SIEM, EDR, or XDR), case and incident management, threat intelligence and collaboration extensions for detection engineers as well as non-technical stakeholders.
The Hero AI feature within the platform offers a suite of AI capabilities tailored to enhance security operations by utilizing both proprietary and third-party AI technologies. For non-sensitive applications such as the help docs chatbot, OpenAI frameworks are employed, enabling simple functions such as multilingual responses and basic script generation for Python coding tasks. For more security-sensitive tasks, the platform leverages its own proprietary Large Language Model (LLM), ensuring data privacy and security by processing and retaining all sensitive data within controlled environments. This AI functionality supports complex operations such as case summarization, which automates the generation of detailed reports and recommendations for security incidents. Moreover, Hero AI extends its utility to playbook creation with AI-generated Python scripts and a schema inference capability that uses AI to clean, normalize, and map highly dynamic data sets for a simpler automation-building experience.
Swimlane Turbine’s visual dashboards and reports provide security teams with crucial insights into KPIs, compliance, process efficiencies, and team performance, enabling strategic resource allocation. In addition, the platform provides CISO-level dashboards and real-time reporting and case management for incident response and investigation workflows. Turbine’s reporting and dashboards are also adaptable: they conform to how different organizations work, the processes they track, how they report, their compliance or regulatory requirements, internal intricacies, and risk management practices. The company supports STIX, TAXII, YARA, and MISP. Supported API protocols include REST, RPC, OData, SOAP, Webhooks, WebSockets, W3C WebAuthn, and GraphQL. Swimlane also supports JWT, OAuth2, and SAML for API authentication. MFA methods supported include mobile authenticator apps, vendor-provided apps, and FIDO.
The Swimlane Turbine platform integrates AI capabilities with a low-code environment to streamline security operations, enabling organizations to adapt to the evolving threat landscape. Swimlane and its innovative capabilities provide a strong alternative for customers in complex and highly regulated industries. Organizations looking for a feature-rich solution should consider Swimlane Turbine. The company appears in the overall, product, and innovation leadership categories.
Table 13: Swimlane’s rating [rating values for Security, Functionality, Deployment, Interoperability, and Usability, together with the Strengths, Challenges, and Leader in entries, are not included in this extract]
Besides the vendors covered in detail in this document, we observe some other companies in the market that readers should be aware of. These vendors did not participate in the rating for various reasons, but nevertheless offer a significant contribution to the market space.
Established in 2011, CrowdStrike is a well-known, highly respected cybersecurity company. Headquartered in Austin, Texas, CrowdStrike is a publicly listed company. The company has expanded its product offerings beyond EPDR and has acquired several security specialist firms in recent years.
Why worth watching: The Falcon Fusion SOAR platform leverages CrowdStrike’s Security Cloud, which provides visibility into endpoints, identities, and applications across IaaS, PaaS, and SaaS environments. The platform also uses conditional branching and sequence logic features to increase flexibility and build workflows with any set of conditions.
Exabeam was founded in 2013 in Silicon Valley. Exabeam offers a fully integrated security analytics management platform, which encompasses UBA, next-gen SIEM, threat intelligence, as well as SOAR. In early 2024, Exabeam and LogRhythm merged, uniting their technologies to enhance capabilities in threat detection and security operations.
Why worth watching: Exabeam Incident Responder and Exabeam Threat Hunter are two essential components that together provide full SOAR functionality. In addition, Exabeam has a wide range of connectors for various data sources and security tools, enabling deep integration and automated responses. Exabeam is aligned with MITRE ATT&CK, and analysts can threat hunt based on TTPs and other elements in the framework.
Logpoint is a multinational software company originally founded in 2003 in Copenhagen, Denmark. At present, the company has a global presence with multiple offices across Europe, North America, and Asia. The company is notable for offering SIEM, UEBA, SOAR, and Business Critical Security (BCS) technologies converged into a complete platform that aims to detect threats, minimize false positives, autonomously prioritize risks, and respond to incidents. Its client base is mainly composed of mid-market and large enterprises in the government, manufacturing, and healthcare industries.
Why worth watching: The Logpoint SIEM and SOAR Threat Intelligence application comes with a ready-to-use Threat Intel Analytics package that includes general-purpose vendor alerts, rules, and dashboards for threat intelligence. In addition, Logpoint is one of the few vendors with SAP-domain knowledge and services for MDR providers. With BCS for SAP, organizations can integrate complex SAP data into a centralized SIEM system while providing SOC analysts with monitoring and automation capabilities.
Rapid7
Founded in 2000 and headquartered in Boston, Rapid7 originated as a vulnerability management solution provider. Currently, the company offers a broad range of cybersecurity products and services, with most of its portfolio built upon the unified, cloud-native Insight platform. These include, but are not limited to, vulnerability management, application and cloud security, SIEM/XDR, threat detection and response, threat intelligence, security orchestration and automation, and related managed services.
Why worth watching: The Rapid7 Insight Platform delivers a security operations platform with a portfolio of products. It includes cloud security (InsightCloudSec), application security (InsightAppSec), vulnerability management (InsightVM), orchestration and automation (InsightConnect), threat intelligence (Threat Command), and XDR and SIEM (InsightIDR).
Sumo Logic
Sumo Logic is a cloud-native data analytics company based in Redwood City, California, USA. Founded in 2010, the company focuses on developing and operating an elastic cloud platform for collecting and analyzing enterprise log data. Sumo Logic offers a range of operational, security, and business intelligence solutions that are entirely cloud-based and low maintenance.
Why worth watching: One of the main differentiators is the company's investment in the Open Integration Framework (OIF). The OIF is an integration framework created to make it easier for organizations to connect disparate security tools for a more seamless security remediation workflow. OIF changes the way integrations are utilized within a platform, allowing users to easily integrate with third-party technologies, develop external connectors, and trigger various automated actions. It provides integration flexibility by allowing developers to extend integrations, modify action parameters, personalize action results, create custom table views, and more.
Leadership Compass: SOAR (2023)
Leadership Compass: Intelligent SIEM Platforms (2024)
Leadership Compass: Identity Threat Detection and Response (2024)
Advisory Note: Cybersecurity Resilience with Generative AI
Advisory Note: Architecting your Security Operations Centre
Buyer's Compass: Security Operations Center as a Service (SOCaaS)
© 2025 KuppingerCole Analysts AG. All rights reserved. Reproducing or distributing this publication in any form is prohibited without prior written permission. The conclusions, recommendations, and predictions in this document reflect KuppingerCole's initial views. As we gather more information and conduct deeper analysis, the positions presented here may undergo refinements or significant changes. KuppingerCole disclaims all warranties regarding the completeness, accuracy, and adequacy of this information. Although KuppingerCole research documents may discuss legal issues related to information security and technology, we do not provide legal services or advice, and our publications should not be used as such. KuppingerCole assumes no liability for errors or inadequacies in the information contained in this document. Any expressed opinion may change without notice. All product and company names are trademarks™ or registered® trademarks of their respective holders. Their use does not imply any affiliation with or endorsement by them.
KuppingerCole Analysts supports IT professionals with exceptional expertise to define IT strategies and make relevant decisions. As a leading analyst firm, KuppingerCole offers firsthand, vendor-neutral information. Our services enable you to make decisions crucial to your business with confidence and security.
Founded in 2004, KuppingerCole is a global, independent analyst organization headquartered in Europe. We specialize in providing vendor-neutral advice, expertise, thought leadership, and practical relevance in Cybersecurity, Digital Identity & IAM (Identity and Access Management), Cloud Risk and Security, and Artificial Intelligence, as well as technologies enabling Digital Transformation. We assist companies, corporate users, integrators, and software manufacturers to address both tactical and strategic challenges by making better decisions for their business success. Balancing immediate implementation with long-term viability is central to our philosophy.
For further information, please contact clients@kuppingercole.com.