One question that we get asked a lot is “Is there a Gartner Magic Quadrant for SOAR?” The short answer is “not yet.” The most detailed research Gartner has released in the SOAR space is the Gartner Market Guide for SOAR. And, while Gartner analysts haven’t rated SOAR vendors yet, Gartner users certainly have. You can head over to Gartner Peer Insights to read some user reviews on the various SOAR platforms.
In this post, we will, however, attempt to provide insights on what a magic quadrant might look like for SOAR and what basis could be used for rating SOAR platforms.
Important note: All opinions expressed are our own and are not Gartner’s official position.
Magic Quadrant Basics
As a refresher, Gartner Magic Quadrants evaluate vendors in a specific category on two different axis:
Ability to execute: This includes the current product offering, overall vendor viability, and sales and marketing execution.
Completeness of vision: This includes market understanding, product strategy, as well as marketing and sales strategy.
The vendors are then divided into four different quadrants, namely:
Leaders: Leaders distinguish themselves by offering a service suitable for strategic adoption and having an ambitious roadmap. Leaders in this market have appreciable market share and many referenceable customers.
Challengers: Challengers are well-positioned to serve some current market needs. They deliver a good service that is targeted at a particular set of use cases, and they have a track record of successful delivery.
Visionaries: Visionaries have an ambitious vision of the future and are making significant investments in the development of unique technologies. Their services are still emerging, and they have many capabilities in development that are not yet generally available.
Niche Players: Niche players may be excellent providers for particular use cases or in regions in which they operate, but they should ultimately be viewed as specialist providers. They often do not serve a broad range of use cases well or have a broadly ambitious roadmap.
Assessing Ability to Execute
While SOAR is certainly a maturing category, leading vendors have been offering SOAR products for around five years. So when assessing a provider’s ability to execute, leading vendors have certainly separated themselves from the pack.
Here are some criteria to consider when assessing a SOAR vendor’s ability to execute:
Number of customers: Clearly an obvious factor to consider. We can speak from experience that there is no shortcut for improving your offering through “battle scars” earned from serving leading security operations teams from around the world. At this stage of the market, a leading SOAR platform should have at least 100 successful SOAR implementations.
Quantity and Quality of integrations: Integrations are the bread and butter of SOAR. Leading SOAR platforms should cover all leading SIEMs, threat intelligence platforms, EDRs, NDRs, cloud platforms and then some. Leading SOAR platforms at this day and age should cover all the common tools used by SecOps teams (that number is easily upward of 150) However, when evaluating SOAR platforms, make sure to look beyond the quantity of integrations and also assess their quality. Integrations can vary greatly in terms of depth, stability, and documentation. So don’t take a vendor’s claim of “Yes, we integrate with product XYZ” at face value.
Company Size: As with any mission-critical technology, you want to partner with a SOAR vendor that has adequate engineering, professional services and support resources to ensure your success. With SOAR pure-plays,100 employees is probably the bare minimum required to support a large customer base. (LinkedIn is one of the best sources for accurate employee counts). For large corporations that offer SOAR as part of a broad portfolio, this data can be hard to obtain. (As an example, IBM likely has thousands of engineers, but it’s hard to know how many of them are dedicated to a specific product)
Product “Trifecta”: Gartner defines SOAR as the convergence of three technologies. incident response platforms (which include case management), security orchestration and automation, and threat intelligence platforms (TIP). Product offerings of SOAR leaders should offer solid capabilities across all three of these technologies. (That is one reason why we partnered with a best-of-breed TIP provider for our integrated TIP offering.)
Assessing Completeness of Vision
One Gartner analyst we spoke with offered a great soundbite, mentioning that SOAR is only “in its second inning.” It’s definitely still early days for SOAR, which means there is a lot more innovation ahead, both in terms of vendor product enhancements as well as end-user adoption and use case development.
Here are some criteria that can be used to assess completeness of vision:
Cloud: In the half-decade SOAR has been around, cloud has transformed security operations. This is true both in terms of the adoption of more modern cloud-native SecOps tools (such as SIEM and EDR) and also in terms of the need to secure cloud-based applications and infrastructure. Forward-thinking SOAR platforms are built to quickly embrace the cloud, from cloud-native deployment of the SOAR platform to cloud-specific use cases and playbooks.
Ease-of-Use and Time-to-Value: Despite some dubious vendor claims, SOAR is not a plug-and-play solution, and successful implementations involve the design, building and maintenance of playbooks. That said, SOAR platforms greatly differ in their ability to reduce time to value and take at least some of the heavy lifting away, with packaged use-cases and intuitive playbook building and testing.
Collaboration: With remote work, and the increased reliance on service providers, collaboration in security operations is more important than ever. Modern SOAR platforms are designed to focus on how security operations teams can better collaborate among each other, with MSSPs and with teams outside the SOC (such as legal and PR when a crisis hits).
Machine Learning: While often over-hyped, machine learning can provide incredible value in security operations. Forward thinking SOAR platforms leverage machine learning to get smarter with every analyst interaction and to provide actionable insights and recommendations to analysts, engineers and SOC managers.
Community: The idiom “it takes a village” rings ever so loudly in cybersecurity. Leading SOAR platforms harness the power of community to foster development and sharing of integrations and use cases with the entire security community, as well as serving as a platform for general sharing of secops best practices.
Good Quadrants Come to Those Who Wait?
While a Gartner Magic Quadrant for SOAR is not in plain sight, the SOAR market is continuing with full force. Many vendors claim to have SOAR capabilities, but it’s worth noting that only 12 names made it to the list of sample SOAR vendors included in the recent Gartner Hype Cycle for Security Operations, perhaps providing a glimpse of what a future SOAR Magic Quadrant might look like.
If you’re in the market for SOAR, you’ll have to do without a Magic Quadrant for the time being. Fortunately, we have some great resources that can help: