4 hours
Average analyst time to investigate and respond to a single phishing alert manually: SOAR playbooks reduce this to 10-15 minutes with automated enrichment
1,000+
Pre-built SOAR integrations in major platforms (Palo Alto XSOAR, Splunk SOAR): EDR, SIEM, ticketing, threat intel, cloud APIs
29%
Reduction in data breach cost for organizations with automated incident response (IBM Cost of a Data Breach Report)
Tier 1
SOC analyst work SOAR most directly replaces: alert enrichment, triage, and initial investigation that follows a repeatable decision tree

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Security teams face a volume problem: SIEM rules generate thousands of alerts, each requiring an analyst to check threat intel, query the EDR, search email logs, look up asset inventory, and decide whether to escalate or close. Most of this work follows a repeatable process: the same sequence of lookups for a phishing alert every time.

SOAR automates that sequence. When a phishing alert fires, the playbook executes: extract URLs and attachments, look them up in VirusTotal and Recorded Future, query the mail server for other recipients of the same message, check whether any recipients clicked, and if verdict is malicious: pull the email from all mailboxes and open a P1 ticket. All of this happens in the background while the analyst reviews the result rather than performing each step.

SOAR vs. SIEM: What Each Does

SIEM and SOAR are complementary, not alternatives.

SIEM (Security Information and Event Management):

  • Collects and normalizes log data from across the environment
  • Runs correlation rules to generate alerts ("five failed logins then a success = alert")
  • Stores historical data for threat hunting and forensics
  • Examples: Splunk, Microsoft Sentinel, IBM QRadar, Elastic SIEM

SOAR (Security Orchestration, Automation and Response):

  • Sits above the SIEM and other tools
  • Receives alerts from the SIEM (and directly from EDR, email gateways, ticketing systems)
  • Executes playbooks: runs enrichment queries, makes API calls to other tools, takes automated actions
  • Manages the case lifecycle from alert through closure
  • Examples: Palo Alto XSOAR (Cortex), Splunk SOAR (formerly Phantom), Microsoft Sentinel Automation, Swimlane

What SOAR automates (that analysts currently do manually):

Manual analyst taskSOAR equivalent
Look up IP in VirusTotalAutomated enrichment action
Query EDR for process historyAPI call to CrowdStrike/SentinelOne
Check if endpoint has active sessionAPI call to AD or VPN logs
Search email server for other recipientsAutomated email investigation
Isolate endpointAPI call to EDR isolation endpoint
Open incident ticket in Jira/ServiceNowAutomated ticket creation with pre-populated data
Notify analyst on SlackAutomated notification with enrichment summary
Block IP at firewallAPI call to firewall or WAF

What SOAR does NOT replace:

  • Analyst judgment for novel or ambiguous incidents
  • Threat hunting (proactive investigation without a starting alert)
  • Root cause analysis for complex incidents
  • Strategic decisions about response scope

A Concrete SOAR Playbook: Phishing Response

Here is what an automated phishing playbook does when a suspicious email is reported by a user:

Trigger: User clicks "Report Phishing" button in Outlook/Gmail

Automated steps (execute in parallel where possible):

  1. Extract indicators:

    • Parse email headers (sender IP, reply-to domain, sending MTA)
    • Extract URLs from email body and attachments
    • Hash attachments
  2. Enrich indicators (parallel API calls):

    • Check sender IP against VirusTotal, AbuseIPDB, Recorded Future
    • Check URLs against VirusTotal, URLScan.io, Zscaler
    • Check attachment hashes against VirusTotal, MalwareBazaar
    • Check sender domain against WHOIS (registration date), SPF/DKIM/DMARC status
  3. Scope the campaign:

    • Query mail server: how many other users received the same email (matching subject, sender, or attachment hash)?
    • Query email gateway: did any URLs get clicked? By whom?
    • Query EDR: did any endpoint make outbound connections to the URLs in the email?
  4. Decision point (automated):

    • If all indicators are clean → close as false positive, notify reporter
    • If mixed signals → escalate to Tier 1 analyst with full enrichment data
    • If any indicator is malicious OR any URL was clicked → proceed to containment
  5. Automated containment (if malicious verdict):

    • Pull email from all recipient mailboxes via mail server API
    • Block sender domain and IP at email gateway
    • If URLs were clicked: isolate affected endpoint(s) via EDR API
    • Create P1 incident ticket with all enrichment data pre-populated
    • Page on-call analyst via PagerDuty/OpsGenie

Result: A phishing email reported by a user is assessed, scoped, and contained in under 5 minutes. The analyst wakes up to a ticket with complete context rather than an alert with no investigation done.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

When You Are Ready for SOAR (and When You Are Not)

Signs your team is ready for SOAR:

  • Your analysts follow the same investigation steps for common alert types (phishing, malware alerts, failed logins) every time: the process is documented or at least consistent
  • You have a SIEM generating actionable alerts at reasonable volume (not 10,000 noise alerts per day that need tuning first)
  • You have the APIs available: your EDR, email gateway, firewall, and ticketing system all have REST APIs
  • You have at least one engineer (security or DevOps) who can write and maintain Python/JavaScript integrations
  • Your team is drowning in Tier 1 work that follows repeatable patterns: you are triaging instead of investigating

Signs you are not ready yet:

  • Your SIEM alert quality is poor: high false positive rates mean SOAR will automate wrong actions at scale
  • Your investigation process is undocumented: if analysts do different things for the same alert type, you cannot automate a playbook
  • Your tools do not have APIs: some SOAR value requires integrating legacy tools via screen-scraping or email, which is fragile
  • Your team is fewer than 5 analysts: at small scale, automation overhead may exceed the benefit
  • You have no budget for the platform: enterprise SOAR (XSOAR, Splunk SOAR) costs $100K-$500K/year

Free/low-cost SOAR alternatives for smaller teams:

  • Microsoft Sentinel Automation Rules + Logic Apps: Built into Sentinel, included in licensing, handles simple playbooks (enrich alert, create ticket, notify channel)
  • n8n (self-hosted): Open-source workflow automation with security tool integrations
  • Tines (free tier): SOAR-like workflow automation with a generous free tier for small SOCs
  • TheHive + Cortex: Open-source incident response platform with automated enrichment

The bottom line

SOAR automates repeatable analyst workflows: enriching indicators, querying tools, taking containment actions: reducing phishing response from hours to minutes and freeing analysts from Tier 1 mechanical work. It sits above your SIEM and orchestrates your existing tools via APIs. SOAR is ready-for-you when your alert quality is good, your processes are documented, and your tools have APIs. It is not a substitute for a functioning detection program: automating a broken process at scale makes things worse faster.

Frequently asked questions

What is SOAR in cybersecurity?

SOAR (Security Orchestration, Automation and Response) is a platform that integrates security tools via APIs and automates analyst workflows using playbooks. When an alert fires, a SOAR playbook executes automated steps: enriching indicators against threat intel feeds, querying EDR for process activity, checking email logs for other recipients, isolating compromised endpoints, opening tickets: without manual analyst intervention for each step.

What is the difference between SIEM and SOAR?

SIEM collects and correlates log data to generate alerts. SOAR sits above the SIEM and automates what analysts do after receiving those alerts: running enrichment queries, making API calls to other tools, taking containment actions, and managing the case lifecycle. You need a SIEM first; SOAR multiplies the value of good detection by automating the response workflow, not by replacing the detection itself.

What are the top use cases for SOAR in security operations?

The five highest-value SOAR use cases by analyst time saved are: (1) Phishing triage — extract URLs and attachments, run them through sandboxes and threat intel, query email logs for other recipients, and auto-close or escalate with enrichment complete; (2) Alert enrichment and deduplication — auto-tag alerts with context from EDR, threat intel, CMDB, and UEBA before an analyst sees them; (3) Endpoint isolation — trigger EDR containment via API when a compromise is confirmed, without waiting for manual action; (4) Vulnerability management correlation — match new CVEs against asset inventory and auto-prioritize based on internet exposure and CISA KEV status; (5) Identity response — disable accounts, reset passwords, and revoke sessions via IAM APIs when credential compromise is detected.

What is the difference between SOAR and XDR?

XDR (Extended Detection and Response) is a vendor-integrated detection and response platform that collects telemetry from endpoints, network, identity, and cloud sources within a single vendor's ecosystem, and provides automated response to threats detected within that ecosystem. SOAR is vendor-agnostic and orchestrates response across any tool that exposes an API, including tools from different vendors. XDR is faster to deploy in homogeneous environments but locks you into one vendor's detection logic; SOAR takes more effort to build but coordinates your entire toolset regardless of vendor. Many organizations use XDR for their endpoint/network response and SOAR for cross-platform orchestration and ticketing workflows.

How do you build a SOAR playbook?

A SOAR playbook is built by documenting an existing analyst workflow and translating each manual step into an API call or conditional logic block. The process: (1) Pick a high-volume, repetitive alert type — phishing reports are typically the best starting point; (2) Document the exact steps an analyst currently takes, in order; (3) Identify which steps can be automated via API (threat intel lookups, EDR queries, email gateway checks) and which require human judgment (escalation decisions, communication with users); (4) Build the automated steps first, have SOAR present the enriched case to the analyst only at the human decision points; (5) Run in shadow mode before going live, compare SOAR output with analyst decisions for 2 to 4 weeks before removing manual steps. Most mature SOAR playbooks automate 70 to 85 percent of a Tier 1 phishing workflow.

Is SOAR replacing security analysts?

No. SOAR automates the mechanical Tier 1 work that consumes analyst time without requiring judgment: indicator lookups, log queries, ticket creation, containment API calls. It eliminates alert fatigue and the 20-minute tasks that occupy the first hour of every investigation. It does not replace the analyst judgment required for triage decisions, scope assessment, threat actor attribution, containment planning for complex incidents, or communication with business stakeholders. Organizations using SOAR typically see Tier 1 analysts shift from handling 15 to 20 alerts per day to reviewing 80 to 100 SOAR-enriched cases, focusing their time on the decisions only humans can make.

What metrics should you track to measure whether your SOAR deployment is delivering value?

SOAR ROI is measured through operational efficiency metrics and response quality metrics. On the efficiency side, track mean time to detect (MTTD) and mean time to respond (MTTR) per alert type before and after SOAR deployment: a well-implemented phishing playbook should reduce MTTR from hours to under 15 minutes. Track analyst hours per alert by category to show where automation is saving time and where playbooks need improvement. Measure alert closure rate: the percentage of alerts closed automatically by SOAR without analyst intervention is a direct measure of automation effectiveness, with mature deployments targeting 60 to 80 percent auto-close for Tier 1 alert types. On the response quality side, track false positive rate per playbook: if SOAR is taking automated containment actions on a playbook with a 40 percent false positive rate, you are causing more disruption than you are preventing. Track the rate of escalations that required rolling back an automated action as a measure of playbook decision quality. For management reporting, the most compelling metrics are total analyst-hours saved per month (automation actions multiplied by average manual time per action) and reduction in mean MTTR for the alert types with active playbooks. Review these metrics quarterly and use them to prioritize which new playbooks to build next.

Sources & references

  1. Gartner: Market Guide for Security Orchestration, Automation and Response Solutions
  2. CISA: Incident Response Playbooks
  3. Splunk SOAR Documentation

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.