SOAR tools: what to look for before investing in security automation 

Written by Aoife Anderson

Purchasing a Security Orchestration, Automation, and Response (SOAR) platform can be an overwhelming decision. If you make the right choice, this tool will be at the heart of your security team’s operations, taking data from different areas and running workflows to shut down threats before they have a chance to cause significant damage. When making such a decision, there are many considerations, including time to value, ease of use, and, of course, pricing.

Legacy SOAR tools are often expensive, unnervingly brittle, and overly complicated. That’s ultimately why experts like Rak Garg believe that best-of-breed, next-generation SOAR platforms will disrupt various parts of the infosec stack, "thanks to downward pricing pressure, robust workflow automation, and simplicity."

To help you avoid some common pitfalls, here are five things to carefully consider before investing in a SOAR tool.

5 things to consider before investing in SOAR 

1. Real time to value 

Most SOAR vendors offer out-of-the-box playbooks for everyday use cases, which might seem like an ideal option at first glance. Ask around, and you’ll quickly learn that customization of these playbooks is, in fact, complicated and frequently requires purchasing additional professional service hours or other hands-on assistance.

Even with professional services, it can take a minimum of six months to get value from these solutions. It might not always be apparent, but the quality and approach to integrations are often more important than the number of integrations on offer. App-based integrations typically need to be built and maintained by the vendor, which can take two months or more. If and when an integration breaks, the vendor will also need to fix it. 

All of these things translate into additional time, which is somewhat unpredictable, and ultimately means you will lack control.

2. Ease of use

It’s surprisingly common for SOAR customers to have fewer than five use cases in operation in their first year.

Some legacy tools aren't accessible for junior analysts. If your team has Python or other developer resources readily available, great! Unfortunately, if not, you won’t get much value from many SOAR vendors beyond what their professional services build for you.

You'll need to be extra vigilant if you’re using tools owned by competitors of your SOAR vendor. They're not always willing to build out those integrations, and they'll need to do so quickly if you are going to maximize your return on investment. 

3. Onboarding and customer support 

Ensure you have a clear understanding of the vendor’s onboarding process and customer support. Continuously tap your network for insights and feedback, and check out what people in the industry are saying on review sites like G2 and Gartner. Pay attention to frequent mentions of hidden costs, poor documentation, or other issues. 

Dig a little deeper into the vendor’s marketing site. There is usually a good reason why some SOAR vendors have little to no customer feedback or testimonials on display.

4. Recent innovation 

Unfortunately, according to research, acquisitions are often a killer for innovation. Be sure to ask the different vendors how their software has evolved, what new features are in the works, and quiz them on their current approach to integrations for new and emerging security tools.

5. Transparent pricing 

Most SOAR vendors tend to charge for data volume or the number of user licenses. The best tool for your team will depend mainly on the size of your organization and the tool’s ability to support you as you scale. Pricing based on the number of user licenses might seem preferable, but adding users later down the line can be very expensive, so try to think long-term.

Choosing a next-gen solution 

At Tines, we believe in delivering flexible, robust, and well-tested solutions to our customers. If you’re interested in evaluating Tines for yourself, sign up for our always-free Community Edition.

With Tines, time to value is measured in days or weeks, and we're transparent about our pricing. And because Tines is a no-code solution, our customers typically have 20+ use cases in production in year one.
