Architecture & defense

SOAR (Security Orchestration, Automation and Response)

Platform that turns SIEM detections and other security signals into automated playbooks — opening tickets, isolating accounts, resetting MFA, collecting evidence — so analysts spend triage time on the cases that actually need humans.

SOAR (Security Orchestration, Automation and Response) is the layer that turns security signals into action. Where a SIEM detects, a SOAR responds: it executes pre-built playbooks that call APIs across the security stack — identity provider, EDR, ticketing, MDM, email gateway, network controls — to handle incidents at machine speed.

The category was coined by Gartner in 2017. Typical playbooks:

  • “Phishing reported via Outlook button” → extract URL → detonate in sandbox → if malicious, search the SIEM for who else received it → quarantine those mailboxes → open a ticket.
  • “MFA push approved from new country” → suspend session → force re-authentication → notify SOC → if user confirms compromise, isolate device and rotate tokens.
  • “Anomalous data egress from SaaS app” → revoke the OAuth grant → snapshot recent activity → open an investigation case.
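The first playbook above, written out as a minimal playbook runner (an added example, not Engarde's or any vendor's code). The sandbox, SIEM, mail-gateway and ticketing connectors are in-memory stubs over constructed sample data; the point is the branch on the sandbox verdict and the audit trail a SOAR keeps of every action it takes.

```python
from dataclasses import dataclass, field
from itertools import count
from typing import Optional

# Constructed sample data standing in for the sandbox and the SIEM.
SANDBOX_VERDICTS = {"http://invoice-update.example/login": "malicious",
                    "https://docs.example.com/q3": "benign"}
RECIPIENTS = {"http://invoice-update.example/login": ["alice", "bob", "carol"]}
_ticket_ids = count(1)

@dataclass
class Case:
    reporter: str
    url: str
    actions: list = field(default_factory=list)      # audit trail of each step
    quarantined: list = field(default_factory=list)  # mailboxes acted on
    ticket: Optional[str] = None

# Connector stubs (hypothetical; a real SOAR would call the product APIs here).
def detonate(url):                 # sandbox: returns malicious / benign / unknown
    return SANDBOX_VERDICTS.get(url, "unknown")

def siem_search_recipients(url):   # SIEM: who else received this URL
    return RECIPIENTS.get(url, [])

def quarantine_mailbox(user):      # mail gateway: move the message out of reach
    return f"quarantined:{user}"

def open_ticket(summary):          # ticketing: hand the case to a human
    return f"TICKET-{next(_ticket_ids):04d} {summary}"

def run_phishing_playbook(reporter, url):
    case = Case(reporter, url)
    verdict = detonate(url)
    case.actions.append(("detonate", url, verdict))
    if verdict == "benign":
        case.actions.append(("close", "sandbox verdict benign"))
        return case
    if verdict != "malicious":
        # An unknown verdict is escalated, never silently closed.
        case.ticket = open_ticket(f"manual review of {url}")
        case.actions.append(("escalate", case.ticket))
        return case
    for user in siem_search_recipients(url):
        case.quarantined.append(user)
        case.actions.append(("quarantine", user, quarantine_mailbox(user)))
    case.ticket = open_ticket(f"phishing {url}: {len(case.quarantined)} mailboxes")
    case.actions.append(("ticket", case.ticket))
    return case
```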

SOAR is rarely sold as a standalone product anymore. The market has largely folded into “SIEM + SOAR” platforms (Splunk + Phantom, Microsoft Sentinel + Logic Apps, Palo Alto Cortex XSIAM, Chronicle SecOps, IBM QRadar SOAR) and into “XDR” suites that bundle detection and response with vendor-native automation.

The practical question for a mid-market SOC is not “do we buy SIEM and SOAR?” — they come together — but “what signals are we automating against?”. A SOAR that only ingests endpoint and network telemetry can only automate against endpoint and network attacks. Adding behaviour-layer signals from Engarde (the product described on this site, distinct from other vendors sharing the Engarde name) — confirmed MFA fatigue responses, unsanctioned OAuth grants, dormant external collaborator re-activations — expands the playbook surface to the human side of incidents.
