惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

B
Blog RSS Feed
Google DeepMind News
Google DeepMind News
罗磊的独立博客
Martin Fowler
Martin Fowler
博客园_首页
Stack Overflow Blog
Stack Overflow Blog
Last Week in AI
Last Week in AI
The GitHub Blog
The GitHub Blog
B
Blog
C
Check Point Blog
WordPress大学
WordPress大学
G
Google Developers Blog
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
量子位
月光博客
月光博客
U
Unit 42
Engineering at Meta
Engineering at Meta
有赞技术团队
有赞技术团队
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
大猫的无限游戏
大猫的无限游戏
博客园 - 聂微东
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Y
Y Combinator Blog
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Vercel News
Vercel News
Application and Cybersecurity Blog
Application and Cybersecurity Blog
博客园 - 【当耐特】
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Jina AI
Jina AI
S
Secure Thoughts
aimingoo的专栏
aimingoo的专栏
D
Darknet – Hacking Tools, Hacker News & Cyber Security
I
Intezer
Latest news
Latest news
V
Vulnerabilities – Threatpost
D
Docker
Attack and Defense Labs
Attack and Defense Labs
Help Net Security
Help Net Security
S
Security @ Cisco Blogs
Forbes - Security
Forbes - Security
MongoDB | Blog
MongoDB | Blog
云风的 BLOG
云风的 BLOG
L
LINUX DO - 热门话题
P
Palo Alto Networks Blog
Cloudbric
Cloudbric
Spread Privacy
Spread Privacy

Search Security Resources and Information from TechTarget

How to operationalize threat modeling with AI | TechTarget CISO First fully agentic ransomware attack sparks readiness concerns | TechTarget Evaluating secure enterprise browsers vs. security plugins | TechTarget The AI vulnerability storm is here: Is your security program ready? | TechTarget Perimeter to posture: A roadmap to zero trust maturity | TechTarget TLS certificate lifetime changes: What CISOs must do now | TechTarget The agentic AI 8 key aspects of a mobile device security audit program | TechTarget Why mobile security audits are important in the enterprise | TechTarget Beyond the perimeter: The shift to data-centric protection | TechTarget How agentic AI threat intelligence aids NGO cyber defense: Case study | TechTarget How to conduct a mobile app security audit | TechTarget NO FAKES Act advances: What CISOs need to know | TechTarget What CISOs should know about AI runtime security | TechTarget As Q-Day looms, 90% of systems are unprepared for PQC | TechTarget A CISO Most security pros say their culture is Zscaler lays out its vision to secure the AI era at Zenith Live | TechTarget The OpenClaw security risks every CISO needs to know | TechTarget Cloud security metrics and KPIs: A CISO Florida public sector training on SimSpace cyber range: Case study | TechTarget Reporters' Notebook — Focus on Cyber Insurance: How Quantifying Risk Is Reshaping Security It's time to update incident response for the AI era How to build AI security guardrails without blocking innovation The prosecution gap: Why cybercrimes go unpunished AI in cyberdefense: Learning from threat actors' playbooks Top identity and access management risks CISO role changes as cyber-risk appetites in the C-suite grow CISO's guide to data minimization Researchers build autonomous AI worm that can reason and adapt How to secure data at rest, in use and in motion How to find cyber-risk data sources for a FAIR analysis Lost in translation: Cybersecurity board reporting for CISOs How to prepare security controls for future AI regulations EO 14390 raises stakes for enterprise cybersecurity First month of Mythos Preview testing exposes 10K flaws OT attacks shift from recon to physical control, raising stakes For CISOs, dawn of OpenAI Daybreak brings good and bad news Gartner Security & Risk Management Summit 2026: Adapting for AI | TechTarget Inside business email compromise attacks: Real-world examples Verizon 2026 DBIR: 6 key takeaways for CISOs Identity security for AI agents: The proliferation challenge How to build a business impact analysis checklist Taking care of business: The CISO's role in a cyber crisis What CISOs need to know about AI audit logs SOC vs. MDR: What CISOs need to consider Instructure cyberattack reignites ransom payment debate Transform SIEM rules with behavior-based threat detection CISO's guide: How to test an incident response plan How to implement zero trust for AI Data after the breach: Economics of the dark web The breakup: Why CISOs are decoupling data from their SIEMs | TechTarget News brief: Security worries and warnings as AI use expands How to construct an effective security controls evaluation 5 leading enterprise password managers to consider Claude Mythos changes the AI security threat matrix Buyer 6 things to check in your cyber insurance policy fine print How cyber insurance helped with breach recovery -- or not News brief: Critical infrastructure, OT cybersecurity attacks Tape's strategic role in modern data protection Top zero-trust use cases in the enterprise What every CISO should consider before a SIEM migration CISO's guide to centralized vs. federated security models Shadow code: The hidden threat for enterprise IT How to fix cybersecurity's agentic AI identity crisis 5 top SIEM use cases in the enterprise Top 8 e-signature software providers for 2026 How do digital signatures work? News brief: AI woes continue for security leaders Deepfake era demands proof-based security, not just awareness The push for digital sovereignty: What CISOs need to know Beyond awareness: Human risk management metrics for CISOs Cybersecurity in the age of AI means bigger, faster threats At RSAC 2026, AI optimism and anxiety -- and an MIA U.S. government Inside the SOC that secured RSAC 2026 Conference How to roll out an enterprise passkey deployment How to improve the SOC analyst experience -- and why it matters How contact centers detect and prevent fraud News brief: Iranian cyberattacks target U.S. water, energy CISO checklist: Cybersecurity platform or marketing ploy? RSAC 2026 Conference: Key news and industry analysis | TechTarget Next-generation firewall buyer's guide for CISOs Contact center monitoring best practices for CX leaders RSAC 2026: Cyber insurance and the rise of ransomware Agentic AI's role in amplifying and creating insider risks RSAC 2026 recap: AI security and network security trends Identity security at RSAC 2026: The new enterprise dynamics Meaningful metrics demonstrate the value of cyber-resiliency What to know about red team testing and the law News brief: Iran cyberattacks escalate, U.S. targets named 5 top SOC-as-a-service providers and how to evaluate them Cloud security architecture: Enterprise cloud blueprint for CISOs Contact center compliance checklist for modern workforces How AI caught a malicious North Korean insider at Exabeam Watch your words: Tim Brown's advice for CISOs News brief: U.S. absence at RSAC sparks leadership concerns Network security management challenges and best practices 10 enterprise secure remote access best practices
Is SOAR dead or alive? Sort of
2026-04-24 · via Search Security Resources and Information from TechTarget

Michael Nadeau

By

Published: 23 Apr 2026

"SOAR is dead," a cybersecurity vendor recently proclaimed on its website. But the evolution of security orchestration, automation and response suggests that the supposed death is more about semantics than obsolescence.

While some companies experienced success with SOAR technology, many organizations struggled to implement it. Those difficulties harmed SOAR's reputation. In fact, many analysts and vendors now shy away from the term, even though core SOAR functionality -- collecting, coordinating and responding to threat data -- remains vital to security operations.

SOAR vendors have rebranded. Companies once considered SOAR providers now describe their offerings as AI SOC, agentic AI, workflow automation or intelligent workflows.

"[SOAR] was a little bit of a made-up term," said Thomas Kinsella, co-founder of Tines, a security vendor that is often included in lists of SOAR providers. The company, however, has never identified as such, referring to its primary offering as an AI orchestration platform.

What is SOAR?

Gartner coined the term SOAR about 10 years ago to describe a stack of security tools that collects data about detected threats and responds automatically or with minimal human assistance. It was touted as a way to maximize the productivity of security teams.

SOAR includes the following three components, which create a deterministic system for identifying and responding to security events:

  • Orchestration. The process of getting all necessary security tools, such as endpoint protection, SIEM platforms and firewalls, working together and integrated with a central SOAR application. This is done through custom or built-in integrations.
  • Automation. Occurs in response to data signals coming from security orchestration. When a potential threat is detected, SOAR sends an alert and can automatically respond based on predetermined criteria.
  • Response. Refers to the actions taken by the SOAR application once it identifies a potential threat, either acting on its own or sending an alert to a human operator. Security teams can see response activity on a dashboard.

What happened to SOAR?

The concept of SOAR was compelling to enterprise cybersecurity leaders. Security talent was scarce, and the idea of reducing stress on security teams through automation was and still is a big selling point. At one point, at least 20 vendors provided standalone SOAR products. Larger security vendors took notice and acquired SOAR providers; most rolled the functionality into broader security platforms to fill gaps in their own offerings.

Implementation and maintenance presented challenges, however. As yet another standalone product in the security stack, SOAR vendors had an uphill battle to show that the implementation effort would be worth it.

"Organizations struggled to implement SOAR for a number of reasons," said Kevin Schmidt, senior director analyst at Gartner. "You had to write code or scripts or use some sort of an interface to build executable blocks that you would link together."

The better an organization understood and maintained its workflows, security playbooks and technology stack, the easier it could implement and maintain SOAR. According to Schmidt, the necessary integrations posed short- and long-term maintenance challenges that became harder when people with knowledge of them left the organization. "[With] the nature of [SOAR] being code, at the end of the day, it is sometimes very brittle," he said.

To use legacy SOAR technology effectively, added Cody Cornell, CEO and founder of security automation vendor Swimlane, a SecOps team needed experience in incident response, security operations, threat intelligence and the MITRE ATT&CK framework. "Finding someone that was good at [all] that was hard," he said.

Teams also had to understand how to codify security domain knowledge into logic and rules -- something Cornell said too few people could do.

Then, around 2020, new low-code/no-code SOAR products renewed interest in the technology.

"A lot of people jumped on the bandwagon because the demos were great," says Matt Rodriguez, director of service delivery at cybersecurity consultancy Phoenix Cyber. "[They showed] what this platform could do, with just a little bit of simple configuration, for your environment."

More sophisticated security programs -- those with a good handle on their workflows and process engineering -- often have positive experiences with low-code/no-code SOAR adoption, said Nelson Conard, director of cybersecurity solutions at Phoenix Cyber. "For those who struggle, they've just not reached that level of maturity, they're too ad hoc," he added. "So, how you remove the human out of the loop becomes more of a challenge."

As SecOps teams navigated these benefits and challenges, SOAR earned a bit of a reputation in the field.

"Everything is easier in the demo," Rodriguez said. "Even though low-code/no-code solutions make it easier to build playbooks and workflows, there are complications. The issue at times is that the client doesn't understand their world close enough for it to be automated."

What AI means for SOAR

Today, AI agents capable of building and maintaining automation pipelines that previously required significant human expertise and oversight can further simplify SOAR implementation and bring more flexibility and adaptability to SOAR environments. For example, an organization could theoretically build agents that reflect its particular risk tolerance or security preferences.

The SOAR/AI combination has another benefit: no AI black box. Every action by a user -- whether human or agentic -- should be visible through the SOAR dashboard.

A caveat is that AI use is not cheap, and future pricing is uncertain. Organizations must therefore be careful about when and where they use AI agents within their SOAR environments, Kinsella warned, meaning SOAR's deterministic workflows remain a critical part of security automation.

"If you've got a security alert and you know the playbook it should follow, there's no reason it should be an AI agent [responding]," Kinsella said. "You should be relying on a deterministic outcome for something that you know is deterministic." He recommended using AI agents on probabilistic outcomes, such as summarizing alerts or evaluating alerts with uncertain severity.

Relying on SOAR's underlying automation system will help mitigate AI costs, Cornell agreed. "The cost to do automation is much cheaper than AI tokens," he said. "The beauty of the combination is that leveraging AI to build automation pipelines is a much more predictable, reliable, trustworthy and cost-effective way to do security ops."

The decision to supplement or replace SOAR with AI tools should ultimately come down to ROI, suggested Rodriguez. "[With a] fivefold return on investment for [our] clients who are very successful [with SOAR], AI doesn't seem as appealing because it's an unknown cost at the moment," he said. "We know what the real cost is to run automations with APIs and code within cloud infrastructure, and it's less than pennies on the dollar."

Conard said SOAR users soon will need to re-evaluate the costs and benefits of AI. "[AI] is a little analogous to the cloud challenges we saw when it first came out," he said. "Everybody was rushing to get to the cloud. Everybody's rushing to have some piece of AI. Once we started getting out into those data centers, we really saw what the cost was."

What's next for SOAR?

While SOAR was once a product that was best suited to large enterprises with plentiful resources, disparate systems and mature security programs, it is increasingly accessible. "Now it has evolved [so] that it is obtainable to the middle market and smaller players, and is even being leveraged by MSPs," Conard said.

With that in mind, organizations successfully using traditional SOAR are unlikely to abandon it, according to Gartner's Schmidt. "You don't throw out your tool that is working just to go after the new splashy, shiny AI stuff."

Instead, organizations that continue to use SOAR might supplement it with AI. For example, experts suggested, AI could support tasks related to change management, audit trails, fail-safes and rollbacks in the SOC.

"Look for ways you can plug in a call to a large language model to help with some aspect that you can't do within the playbook or to help verify some texts you're getting from a database," Schmidt said. "Over time, SOAR is going to morph into the agentic software, AI SOC."

Michael Nadeau is an award-winning journalist and editor who covers IT and energy tech. He has held senior positions at CSO Online, BYTE magazine, SAP Experts/SAP Insider and 80 Micro. Nadeau also writes the PowerTown blog on Substack for stakeholders in local renewable energy initiatives. Follow him on Bluesky at @mnadeau.bsky.social.

Dig Deeper on Security operations and management