Understanding the SOAR Landscape (Security Orchestration, Automation and Response)

Published on May. 29, 2019

Cybersecurity teams are under immense pressure – they need to be more efficient with fewer resources. Manual incident response processes, insufficient workflows and difficulty hiring security personnel have left security operations teams struggling to keep up with the growing volume of vulnerabilities and alerts. Sensing the opportunity, startups have emerged in the past few years that aim to improve the efficiency of physical and digital security operations. Gartner coined the term security orchestration, automation and response (SOAR) to describe these companies. SOAR solutions typically provide threat and vulnerability management capabilities to support the remediation of vulnerabilities, incident response that supports how teams plan, manage, track and coordinate response to a security incident, and security operations automation. 

Why are SOAR Capabilities Needed?

Cybersecurity teams need to address more vulnerabilities than ever due to the rapidly expanding attack surface. The cybersecurity attack surface, or the sum of the different points (“attack vectors”) where an attacker can try to enter data or extract data from an environment, has grown significantly over the past ten years as data begins migrating to the cloud, and is poised to grow exponentially. The rollout of 5G will widen the attack surface even further, as billions of additional IoT devices will join the network, and petabytes of data will be created and transferred due to extreme mobile broadband, AR/VR, vehicle to vehicle communication, and enhanced video monitoring. The growth in the attack surface can be viewed in the chart below, taken from Skybox’s 2019 Vulnerability and Threat Trends report, which demonstrates the growth in CVEs over the past few years. 

Understanding the SOAR Landscape 2

(Source: Skybox 2019 Vulnerability and Threat Trends report)

Considering that it takes over a month for the average organization to patch a critical vulnerability, enterprises now more than ever need tools to help security teams patch vulnerabilities efficiently. 

Further complicating this situation is a shortage of trained cybersecurity personnel, expected to reach approximately 3 million in unfilled openings by 2021. A high-level breakdown of where cybersecurity talent is needed can be seen below: 

Understanding the SOAR Landscape 3

(Source: ISC2 Cybersecurity Workforce Study, 2018)

What Does the Market Look Like?

The below market map categorizes 21 promising early-stage SOAR startups based on core area of focus and scope. Categories are not mutually exclusive; Swimlane, for instance, is network-focused and offers case management capabilities as well.  

Understanding the SOAR Landscape 1


Startups in this category challenge traditional security paradigms – instead of focusing on detecting and preventing attacks, these startups assume that organizations will continue to be breached and need to automate the forensic investigation that aims to answer how the breach occurred, what path attackers took, and how to prevent this from happening again. ZecOps, which was founded in 2018, provides IT / Security Operations Center (SOC) capabilities to perform threat hunting and forensic analysis at scale, as well as to shorten the response time needed for handling incidents by automating root cause analysis and mitigation of advanced persistent threat for endpoints (e.g., ATMs, laptops, mobile devices). 


Due to the growing volume of alerts and vulnerabilities, security teams need tools to expedite investigation, but are stuck with the dashboard and query experiences built 20 years ago. To address these problems, Graphistry utilizes a multi-threaded GPU architecture to offer a visual compute software fabric that enables analysts to visualize security information, track attacker campaigns, and build complex queries to investigate further with just a few clicks. 


Most security analysts perform their tasks manually and collaborate with colleagues in IT and other departments by sending spreadsheets and static PDF reports over email. That’s why Neuralys, a cybersecurity collaboration startup, offers a project management tool for security teams, integrating various cybersecurity tools to streamline workflows and enhance collaboration, automating processes that are otherwise manual (e.g., excel sheets, word docs). The Neuralys platform offers a centralized dashboard for visualizing a company's vulnerability trends, security zoning for the prioritization of risk management tasks, and mitigation tracking for monitoring responses across a team's security operations. The product can reduce mean time to mitigation for vulnerabilities by an estimated 65-70%. 

If you’d like to connect with any of these companies to learn more, please contact Rohit at rohit@pnptc.com