Gartner Reprint https://www.gartner.com/doc/reprints?

id=1-2AAU9IWB&ct=220614&st=sb

Licensed for Distribution

Market Guide for Security Orchestration, Automation

and Response Solutions
Published 13 June 2022 - ID G00735883 - 22 min read

By Craig Lawson, Al Price

As a pure-play technology, SOAR continues to mature, but remains a relatively niche market. It
is being consumed into other markets such as SIEM, XDR and MDR. Security and risk
management leaders should evaluate how SOAR can support and optimize their broader
security operations capabilities.

Overview
Key Findings
■ Large security teams looking to automate well-established processes remain the main buyers
of pure-play SOAR solutions — using it for productivity, efficiency and consistency
improvements. Many use cases supporting security operations beyond threat monitoring and
detection, vulnerability management, threat intelligence, and incident response and threat
hunting remain nascent.

■ Orchestration and automation, incident and case management, and operationalizing threat
intelligence are expected functionality for SOAR tools. However, these capabilities are also
being embedded in existing security technologies, such as security information and event
management, extended detection and response (XDR), and email security.

■ SOAR is also becoming a popular enabling technology in managed security services and is
already ubiquitous in managed detection and response (MDR) services. Its utility is with helping
providers improve speed and consistency when detecting and responding to threats improves
SLAs. Over the last three years, other larger markets are demonstrating strong convergence
trends (for example, SSE and XDR). This will prove to be advantageous to organizations that
have a dedicated SOAR in place or that are evaluating them for the first time and want to
develop sophisticated workflows.

■ Cloud services are the default for many organizations now, but SOAR remains at the basic end

1 di 16 14/01/2023, 15:19
Gartner Reprint https://www.gartner.com/doc/reprints?id=1-2AAU9IWB&ct=220614&st=sb

of the spectrum in terms of usage for security operations use cases for cloud services.

■ Security orchestration and automation (SOA) tools have not been adding meaningful threat
intelligence platform (TIP) features, and it is often the case that more advanced clients need
both an SOA and a TIP to achieve Gartner’s full definition of SOAR.

Recommendations
Security and risk management leaders responsible for security operations must:

■ Assess your organization’s maturity as it will be problematic to start a SOAR project if the
processes you want to improve are not mature.

■ Examine in detail the requirements for the use of a SOAR tool. Focus not just on initial
deployment, but also how to continually develop new use cases that improve the efficiency of
your security operations program with SOAR.

■ Allocate adequate resources for initial implementation, as well as the ongoing operation of an
SOAR tool. The initial effort of deployment is a given, but it may be the ongoing management
that defines the success of SOAR in your environment.

■ Put a contingency plan in place in the event a SOAR vendor is acquired by another vendor, in
case their roadmap substantially changes. Contingency plans could be minor (like ensuring
roadmap support for tools you have in place) or could include considering a replacement

■ Demand that vendors in your security ecosystem deliver comprehensive APIs in their products
when you renew or procure solutions. Having poor APIs in your ecosystem directly impinges
your security operations effectiveness and SOAR’s ability to deliver value.

■ Assess potential use cases as today’s overall coverage maturity remains more basic for
coverage of business-critical cloud services, particularly SaaS applications. Some clients are
now using automation and orchestration capabilities in non-security-centric use cases, as there
is some crossover with enterprise automation use cases typically delivered by low-code
application platforms (see Magic Quadrant for Enterprise Low-Code Application Platforms).

■ Evaluate any managed detection and response (MDR) provider’s use of SOAR as it is an
indicator of their ability to provide better threat detection and response capabilities for your
organization.

Market Definition
This document was republished on 9 August 2022. The document you are viewing is the corrected
version. For more information, see the Corrections page on gartner.com.

2 di 16 14/01/2023, 15:19
Gartner Reprint https://www.gartner.com/doc/reprints?id=1-2AAU9IWB&ct=220614&st=sb

Gartner defines SOAR as solutions that combine incident response, orchestration and automation,
and threat intelligence platform management capabilities in a single solution.

SOAR tools can be used for many security operations tasks, including:

■ To document and implement processes.

■ To support security incident management.

■ To apply machine-based assistance to human security analysts and operators.

■ To better operationalize the use of threat intelligence.

Workflows can be orchestrated via integrations with other technologies, and automated to achieve
desired outcomes — example use cases include:

■ Incident triage.

■ Incident response.

■ Threat intelligence (TI) acquisition curation and management.

■ Newer use cases that are starting to arise. Gartner is seeing some clients use SOAR solutions
for more IT-based workflows, as well as in other areas like “low code” solutions (see Magic
Quadrant for Enterprise Low-Code Application Platforms).

Market Description
SOAR solutions are the amalgamation of three historically distinct technologies that have some
common attributes and some common users consuming them. These technologies were
historically distinct and offer utility to security operations teams in the form of a product that can
relieve significant amounts of manual labor for a number of security operations functions.
Products that have been developing as this market continues to mature into SOAR are:

■ Security incident response platforms (SIRPs)

■ Security orchestration and automation (SOA)

■ Threat intelligence platforms (TIPs)

These technologies are depicted in Figure 1.

Figure 1: The Convergence of Three Technologies (SOA, SIRP and

TIP)

3 di 16 14/01/2023, 15:19
Gartner Reprint https://www.gartner.com/doc/reprints?id=1-2AAU9IWB&ct=220614&st=sb

Below are some strongly recommended requirements to consider when selecting a SOAR
solution. SOAR solutions should:

■ Support a wide range of security products across multiple existing point solution markets (for
example, endpoint, firewalls, intrusion detection and prevention systems [IDPSs], SIEM, secure
email gateways, SSE and vulnerability assessment technologies).

■ Support the ability to do event correlation and aggregation for the purpose of improving security
operations processes and alerting with better event enrichment. A key way to do this is through
the implementation of low-code “playbooks,” which allow for the codification of processes
where automation can be applied to improve consistency and time savings.

■ Have the ability to be deployed either on-premises or as a cloud solution (like SaaS).

■ Support the ingestion of a wide variety of sources and formats of threat intelligence from third-
party sources, supporting open-source, industry and government (information sharing and
analysis centers [ISACs] and computer emergency response teams [CERTs]) and commercial
providers.

■ Bidirectional integrations with IT operations solutions like ticketing systems for case
management and collaboration tools, like messaging applications for better real-time

4 di 16 14/01/2023, 15:19
Gartner Reprint https://www.gartner.com/doc/reprints?id=1-2AAU9IWB&ct=220614&st=sb

communications.

The security technology market is in a state of general overload — with

pressure on budgets and staff, and too many point solutions being
pervasive issues for organizations.

Gartner clients continue to see problems with their environments where they have alert fatigue
exacerbated further by complexity and duplication of tools. In principle, automation continues to
show promise to assist with many of these persistent issues.

SOAR solutions are primarily adopted to create consistency in security processes and improve
threat detection and response by providing context enrichment and improving downstream
prioritization. In most cases, this is a key deliverable of end-user organizations and service
providers that operate security operations centers (see SOC Model Guide).

SOAR tools also offer levels of flexibility, allowing them to be applied to a variety of security
operations use cases. SOAR tools are mostly used for improving threat detection and incident
response and the automation of workflows (or for a combination of the two). TIP functionality in
SOAR tools coming from an automation heritage remains more basic in nature.

Market Direction
The SOAR market remains niche overall in the broader security marketplace and is primarily
consumed by organizations that have larger and more-mature security operations programs, as
well as by security services providers. Organizations that are less mature, or that tend to
outsource their security operations, have shown little interest in SOAR tools. However, MDR
continues its rapid growth trajectory, and SOAR is a key element of a majority of MDR services
today.

SIEM vendors have been both acquiring and building out SOAR capabilities in their solutions for
some years now. This functionality is usually delivered as a premium add-on (see Critical
Capabilities for Security Information and Event Management).

As awareness of the need to apply automation in security operations improves, SOA-specific

capabilities are emerging in other security technologies (see Top Trends in Cybersecurity 2022).
Technologies incorporating SOAR include:

■ SIEM (see Magic Quadrant for Security Information and Event Management)

5 di 16 14/01/2023, 15:19
Gartner Reprint https://www.gartner.com/doc/reprints?id=1-2AAU9IWB&ct=220614&st=sb

■ XDR (see Market Guide for Extended Detection and Response)

■ Email security (see Market Guide for Email Security)

SOAR Has Become a Feature in Other Security Technologies and Services

SOAR continues to connect disparate solutions and create a control plane for security operations
environments. However, it also delivers secondary functionality — becoming useful for execution
of a variety of repeatable, simple security issues (like phishing) and processes (like indicator-of-
compromise-based blocking in prevention devices). These features and capabilities are also seen
as being helpful in other (often larger) security technology markets as well.

As a result of this reality, SOAR technologies have offered low-code-like functionality (see Magic
Quadrant for Enterprise Low-Code Application Platforms) since their inception. This makes
programming and workflow improvements made by the operations team more accessible.
Meanwhile, SOAR continues to offer a lot of features for “power users.” Power users can develop
their own code and then use SOAR to help build out more sophisticated functionality tailored to
their organizations based on the building blocks that already exist.

If organizations are not ready, SOAR can be too complex to operate and configure for smaller
security teams looking to take advantage of its benefits. This is leading security vendors to embed
orchestration and automation (SOAR-lite) features and, in some cases, incident management
capabilities in their products. These products are preprogrammed and optimized to complement a
specific technology — for example, email security orchestration use cases.

Demand for SIEM technology remains prevalent for larger organizations (see Magic Quadrant for
Security Information and Event Management), with threat management now the main driver —
while compliance use cases are still expected features. Almost all SIEM vendors are organically
enhancing their investigation capabilities and introducing integrations for response actions via
natively built (or acquired) capabilities or third-party integrations with SOAR solutions.

XDR (see Innovation Insight for Extended Detection and Response) is an emerging market, and
vendors are focused on providing a better user experience around their multiple threat-focused
security technologies. This is especially true of the unification of alerts from across tools such as
endpoint protection platforms (EPPs), endpoint detection and response (EDR), network detection
and response (NDR) and firewalls into a common data store, and a single user interface (UI).
Credible XDRs (see Market Guide for Extended Detection and Response) must offer some similar
functions to SOAR tools, including localized incident and case management, and orchestration
and automation activities. However, these capabilities will be primarily delivered across the
vendor’s own tool ecosystem, rather than through the expansive set of vendor-neutral integrations
that SOAR offers. These SOAR capabilities are more often preprogrammed by the vendor —

6 di 16 14/01/2023, 15:19
Gartner Reprint https://www.gartner.com/doc/reprints?id=1-2AAU9IWB&ct=220614&st=sb

primarily focused inward at their own products — and may lack the ability to support the level of
customization available in dedicated SOAR solutions.

Although XDR and SIEM have some features replicated in a dedicated SOAR solution, buyers who
prefer the best-of-breed approach will find that SOAR offers capabilities that can provide flexibility,
genuine vendor-neutrality and potential room for nonsecurity use cases.

Market Analysis
While certainly valuable, the total number of use cases implemented by SOAR buyers is still
relatively small, with a focus on the use of the tool for time-consuming, manual processes
performed by people who can benefit from automation.

The most common use case mentioned by Gartner clients who are planning to implement, or who
have already implemented a SOAR solution, is automating the triage of suspected phishing emails
reported by end users. This is a good example of a process that follows a repeatable process,
dozens to hundreds of times per day, with the goal of determining whether the email (or its
content) is malicious and whether it requires a response. It is a process ripe for the application of
automation. These kinds of repetitive actions that have levels of mitigation and enrichment
remain very popular use cases for SOAR.

A lack of mature processes and procedures in the security operations

team, combined with budget and staff constraints, presents obstacles to
the adoption of SOAR solutions by a wider audience. This, combined with
the varying degrees of maturity in vendors’ APIs as integration options,
remains a key reason for SOAR not achieving higher rates of adoption.

Determining operational security maturity means that security leaders can evaluate their
readiness to adopt new products, including SOAR solutions. This readiness should be evaluated
through at least five areas (see SOAR: Assessing Readiness Through Use-Case Analysis):

■ Operational metrics

■ Defined processes

■ Trained analysts

■ Documented workflows

7 di 16 14/01/2023, 15:19
Gartner Reprint https://www.gartner.com/doc/reprints?id=1-2AAU9IWB&ct=220614&st=sb

■ Integration of supported technologies

Commercial SOAR vendors can be grouped into two categories — product-portfolio-oriented, and
broad-based SOAR vendors.

Vendors That Provide Product-Level SOAR Functions (Product-Oriented SOAR

Vendors)
Vendors today provide product-level SOAR functions that support activities revolving primarily
around that vendor’s specific portfolio of products. Of course, integrating with products outside of
their own ecosystems is also valuable, but having improved workflow and orchestration improves
these offerings in ways that aren’t directly related to their threat detection engines. For example, a
product that uses automation and orchestration, that is dedicated to protecting the email
infrastructure, will include SOAR functions required to detect phishing emails or malicious
attachments and provide better operational outcomes for users. Orchestration and automation
are needed to better support product-level workflows needed for threat response. Usually, this
type of product does not have case-management capabilities or third-party threat intelligence
handling, implying an integration with existing ticket systems solutions and other SOAR tools.

Broad-Based SOAR Solutions

Providers that supply broad-based vendor-neutral SOAR can be pure-play vendors or part of a
vendor that delivers a broader security portfolio — these are often the result of a previous
acquisition of a pure-play SOAR. What sets these products apart is their ability to receive inputs
from a broad ecosystem of security products, and organize the security operations team
workflow. The vast majority of this type of product is also sold separately, maintaining a maximum
interoperability level with other vendors, even if they are competing products.

Buyers’ use cases can define the most productive way forward when choosing the best type of
product to meet your organization’s specific needs. Below are the most common use cases
mentioned by Gartner customers:

■ SOC optimization

■ Process automation and analyst collaboration

■ Threat monitoring, investigation and response

■ Management and operationalisation of threat intelligence

However, organizations looking to evaluate SOAR on technical merits should start with capabilities
at a high level — those aspects include:

8 di 16 14/01/2023, 15:19
Gartner Reprint https://www.gartner.com/doc/reprints?id=1-2AAU9IWB&ct=220614&st=sb

■ Alert triage and prioritization: This is the ability to take alert inputs from different sources and
apply a process of data enrichment and correlation. This reduces, rationalizes and prioritizes
the number of incidents that will have a more-significant impact and high probability of causing
damage to your organization. The goal is to leave no alerts behind and concurrently produce
accurate incidents that deserve genuine attention from analysts.

■ Orchestration and automation: Security teams are often dealing with a number of point-
solution tools with a singular focus. The ability to better orchestrate and automate horizontal
“processes” across a number of solutions continues to prove to be a key feature of SOAR. The
complexity of combining resources involves the coordination of workflows with manual and
automated steps (which, in turn, involve many components affecting information systems and,
often, humans).

■ Case management and collaboration: Manual or automated response provides canned

resolution to programmatically defined activities. The response includes activities from a basic
level (such as ticket creation in an IT service desk application) to more-advanced actions (for
example, responding via another security control, such as blocking an domain name or IP
address by changing a firewall rule). This functionality is the most impactful operationally as it
applies to the most complex of use cases and can significantly improve analyst effectiveness.

■ Dashboard and reporting: Dashboard and reporting provides the ability to aggregate security
telemetry that allows an understanding of the SOC’s situation, the evolution of incident
response processes, and performance results. SOC data should be presented to different
audiences, such as the SOC manager, SOC analyst and chief information security officer (CISO).

■ Operationalisation of threat intelligence and investigation: This takes the form of evidence-
based knowledge, including context, mechanisms, indicators, implications and action-oriented
advice about an existing or emerging menace or hazard to assets. This intelligence can be used
to inform decisions regarding the subject’s response to that threat. An incident investigation will
be conducted in the form of a workflow to validate the alert into an incident and determine the
best workflow to initiate a response in a manual or automated fashion.

■ Architecture: This includes items like form factor (cloud or on-premises), redundancy of the
solution to support high availability, and performance — to include how prioritization can be
applied to playbook execution. It also includes role-based access control (RBAC) for functions
that support a wider range of users who use the tool during incidents (like usage of a war
room). Architecture also covers licensing models that encourage better adoption and usage
rather than punishing for expanding usage, and integration with your existing vendor
ecosystem.

SOAR Cloud-Based Solutions

9 di 16 14/01/2023, 15:19
Gartner Reprint https://www.gartner.com/doc/reprints?id=1-2AAU9IWB&ct=220614&st=sb

For smaller clients, cloud delivery of SOAR is becoming more prevalent and Gartner sees cloud
delivery as a viable form factor for many scenarios. Feature parity with on-premises solutions (for
the vendors that support cloud) is largely the same, so there is often no risk of the cloud-delivered
version being less feature-rich. A majority of providers that have cloud versions are also doing
agile deployments, shipping more updates, more often (in contrast to a slower cadence for more
monolithic on-premises versions). This is especially true for remote worker use cases, where
orchestration will move to working mainly with (often cloud-delivered) endpoint solutions for
response activities — such as EPP and, particularly, EDR and security service edgie (SSE).
Traditional controls, such as firewalls and IDPSs will be less relevant during this time due to the
sharp increases in remote working and usage of cloud services driving different traffic patterns.

Acquisitions are still happening, and will shape the state of the SOAR market in the coming years
(see Table 1).

Table 1: SOAR Acquisitions in the Last Two Years

Date Event

January 2020 FireEye acquires Cloudvisory

April 2020 Swimlane acquires Syncurity

July 2020 Micro Focus acquires ATAR Labs

March 2021 Sumo Logic acquires DFLabs

September 2021 Logpoint acquires SecBI

January 2022 Google Cloud acquires Siemplify

Source: Gartner (May 2022)

Vendors have been steadily acquiring SOAR solutions to fill gaps in existing products like SIEM

10 di 16 14/01/2023, 15:19
Gartner Reprint https://www.gartner.com/doc/reprints?id=1-2AAU9IWB&ct=220614&st=sb

and XDR or to enter the SOAR market, as well as building out their own native capabilities. These
acquisition scenarios however require end users to create a contingency plan for vendor
acquisition of their current SOAR solution. Generally speaking, SOAR products must be vendor-
agnostic to maintain their best value proposition. This is due to the need for integration, and this
will be the reality for some time. Independent solutions will continue to do a better job with their
singular focus on roadmap execution and will be better at being “vendor-neutral” with available
integrations.

Security Services Providers Are Using SOAR to Improve Service Delivery and
Response Capabilities
Demand for threat-response capabilities from managed security services providers (MSSP) is
increasing and is already prevalent in MDR services. For MDRs in particular, they are almost
universally either using a SOAR tool or building their own SOAR-like features to help deliver better
client outcomes at scale. We recommend that you assess how MDRs are consuming SOAR as
part of your evaluation of services, even though you might not be running SOAR natively as a
stand-alone product.

Alerting and providing notifications to a customer when a potential threat has been detected is no
longer sufficient given the speed at which attacks can progress in an environment. Customers
have expectations that their security services providers will have the ability to actively contain or
disrupt a threat to their environment. SOAR plays an essential role in helping providers to deliver
services that include active response. This makes multitenancy a mandatory capability for SOAR
in these services.

Organizations considering MDR should include the usage of orchestration and automation in their
vendor evaluation process. For example, an MDR that can also support the list of current security
products in use and integrate with your products will lead to better outcomes. If this is not
possible, it could lead to restrictions on integrations, limiting the benefits of using the provider’s
MDR service to their set of tools only.

Security services providers can work through different tenants to offer a personalized workflow for
your specific environment. However, they also benefit from having a wider view of threats across
their client base and can take learnings from one client and apply remedies to their entire client
base. This view can then feed back into service improvement, often via their SOAR technology.

Another evaluation criterion to consider is the need for bidirectional integration with your own
technologies to collect data for analysis and to power more-effective incident investigations and
response activities.

Representative Vendors
The vendors listed in this Market Guide do not imply an exhaustive list. This section is intended to

11 di 16 14/01/2023, 15:19
Gartner Reprint https://www.gartner.com/doc/reprints?id=1-2AAU9IWB&ct=220614&st=sb

provide more understanding of the market and its offerings.

Market Introduction
Table 2 provides a list of vendors. It is not — nor is it intended to be — a list of all vendors or
offerings on the market, or a competitive analysis of the vendors’ features and functions. This is
also not a definitive list of each provider’s services. For more information, see Note 1.

Table 2: Representative Vendors in Security Orchestration, Automation and Response

Vendor Product, Service or Solution Name

Anomali ThreatStream

Cyware Virtual Cyber Fusion Center

D3 Security D3 SOAR

EclecticIQ EclecticIQ Platform

Fortinet (formerly FortiSOAR

CyberSponse)

Google Cloud (Siemplify) SecOps Platform

Honeycomb SOCAutomation

IBM IBM Security QRadar SOAR

LogicHub SOAR+

12 di 16 14/01/2023, 15:19
Gartner Reprint https://www.gartner.com/doc/reprints?id=1-2AAU9IWB&ct=220614&st=sb

Logsign Logsign SOAR

Micro Focus (ATAR Labs) ArcSight SOAR

Microsoft Microsoft Sentinel

NSFOCUS ISOP

Palo Alto Networks Cortex XSOAR

QI-ANXIN Security Orchestration, Automation and Response Platform

(SOAR)

Rapid7 InsightConnect

Revelstoke Revelstoke

ServiceNow Security Operations

SIRP Security Orchestration, Automation & Response

Splunk Splunk SOAR

Sumo Logic (formerly Cloud SOAR

DFLabs)

Swimlane Swimlane (SOAR platform)

13 di 16 14/01/2023, 15:19
Gartner Reprint https://www.gartner.com/doc/reprints?id=1-2AAU9IWB&ct=220614&st=sb

ThreatConnect ThreatConnect (Security Orchestration, Automation, and

Response (SOAR) Platform)

ThreatQuotient ThreatQ TDR Orchestrator

Tines Tines

Torq No-code Security Automation

Note: There are providers in this list that — while they offer a SOAR solution — in practice prefer to
offer, and have more clients consuming, their SOAR solution as part of a larger offering. SIEM and XDR
solutions are relevant examples of this situation today.

Source: Gartner (May 2022)

Market Recommendations
Security and risk management leaders should consider using SOAR tools in their security
operations to improve security operations efficiency and efficacy. SOAR solutions are made up of
the following major capabilities:

■ Workflow and collaboration

■ Ticket and case management

■ Orchestration and automation of security processes

■ Threat intelligence operationalisation and management

When selecting a solution, security and risk management leaders should favor SOAR solutions
that:

■ Are compatible with the collection of existing products installed in the organization
environment. Also, plan to update the skill sets of your security team and, where required, the
internal development team, to help on the customization of the solution to your specific security
operations program. Operational security metrics related to “time to detect threats” and “time to
response” styles of metrics should be demonstrably better with, rather than without, a SOAR

14 di 16 14/01/2023, 15:19
Gartner Reprint https://www.gartner.com/doc/reprints?id=1-2AAU9IWB&ct=220614&st=sb

tool.

■ Deliver the use cases needed to complement the primary set of people, processes and
technologies that are critical to your security operations functions. For instance, some clients
prefer to use the company ticket system instead of a dedicated case management solution.
Others see technology like SOAR as key to improving the efficacy of existing tools like SIEM and
EDR. End users also see SOAR as a key tool for improving the efficiency of security staff in the
face of rising numbers of threats, while getting and retaining staff remains an acute pain point
for many organizations.

■ Buying a SOAR solution should primarily be driven by your existing processes (for example,
security operations optimization, threat monitoring and response, threat investigation and
hunting, and operationalizing threat intelligence).

■ Offer the capability to easily code an organization’s existing processes into functional
playbooks via an intuitive UI (using a low- or no-code model), so that the tool can then automate
these playbooks. The ability to create playbooks and then execute them regularly is a key
capability for a SOAR solution and should be a key design principle for you in your
implementation of SOAR.

■ Optimize the collaboration of analysts, for example, with a chat or instant messaging
framework that makes analyst communication more efficient, or with the ability to work
together on complex cases across multiple security and nonsecurity teams.

■ Have a pricing model that is aligned with the needs of the organization, is predictable and
encourages the creation and usage of the tool. Avoid pricing structures based on the volume of
data managed by the tool or based on the number of playbook executions. These metrics carry
an automatic penalty for more frequent use of the solution.

■ Offer flexibility in the deployment and hosting of the solution — either in the cloud, on-premises
or as a hybrid of these. Deployment should accommodate the organization’s security policies
and privacy considerations, or its cloud-first initiatives.

Evidence
The overall list of representative providers has been validated by responses to client inquiries and
in collaboration with the cohort of Gartner analysts that cover the security operations markets that
include SOAR.

Note 1: Representative Vendor Selection

The sample vendors listed in this publication are listed in alphabetical order and are representative
only. The sample vendor list is not intended to be an exhaustive list. The vendors and solutions

15 di 16 14/01/2023, 15:19
Gartner Reprint https://www.gartner.com/doc/reprints?id=1-2AAU9IWB&ct=220614&st=sb

provided are those that most closely illustrate the marketplace trends described and provide the
individual capabilities described in each section that Gartner sees in day-to-day coverage of the
SOAR market.

Additionally, there are providers in the list that — while they offer a SOAR solution — in practice
prefer to offer, and have more clients consuming, their SOAR solution as part of a larger offering.
SIEM and XDR solutions are relevant examples of this situation today.

© 2023 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc.
and its affiliates. This publication may not be reproduced or distributed in any form without Gartner's prior
written permission. It consists of the opinions of Gartner's research organization, which should not be construed
as statements of fact. While the information contained in this publication has been obtained from sources
believed to be reliable, Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such
information. Although Gartner research may address legal and financial issues, Gartner does not provide legal or
investment advice and its research should not be construed or used as such. Your access and use of this
publication are governed by Gartner’s Usage Policy. Gartner prides itself on its reputation for independence and
objectivity. Its research is produced independently by its research organization without input or influence from
any third party. For further information, see "Guiding Principles on Independence and Objectivity."

About Careers Newsroom Policies Site Index IT Glossary Gartner Blog Network Contact Send
Feedback

© 2023 Gartner, Inc. and/or its Affiliates. All Rights Reserved.

16 di 16 14/01/2023, 15:19