Last updated at Fri, 29 Jun 2018 13:34:35 GMT

If you’ve been in cybersecurity for some time, you’ve likely heard about the many benefits of security orchestration and automation: time saved, costs reduced, risk exposure mitigated ... the list goes on. And as this popular technology proliferates across our industry, you have more options than ever before when it comes to choosing a security orchestration, automation, and response (SOAR) solution.

It’s important to note that security orchestration and automation solutions aren’t one size fits all. With so many vendors out there, it can seem difficult to cut through the noise and find the right solution to fit your needs. The right security automation and orchestration solution should not only have the feature and functionality capabilities you’re looking for, but it should also enable you to get up and running quickly, even as you mature.

When evaluating SOAR vendors, there are three important things you should ask to make sure your vendor will set you up for success, even if you don’t have a ton of time, money, or bodies to dedicate to security orchestration and automation:

1. How easy is it to adopt your solution?

Your security orchestration and automation vendor should be able to adapt to your own process and tooling. While minimal changes may be required, you should not have to make radical changes in the way your team currently works to accommodate a SOAR solution.

Partners: One major benefit of SOAR solutions is simplifying the cost of building/maintaining integrations. Ask the vendor about its partner ecosystem, and consider the number of integrations missing for your environment that you’ll have to build “custom.” The more pre-built integrations a vendor offers, the less time and resources you and your team will need to put toward creating integrations. For integrations the orchestration and automation vendor doesn’t support, do they have a mature process for adding new integrations based on customer requests? Is there a community of integrations available that customers can contribute to? The SOAR vendor should partner with its customers to continuously expand its integration scope.

Operations: It’s also important to consider operational burden. Ask about the vendor’s deployment and maintenance processes so it is clear whether it will work well in your network, and what the cost is to your IT and operations teams to operate this solution:

  • Is the software deployment automated? What about software updates?
  • How well does it play with your operating systems and networking environment?
  • Is it cloud ready?

Usability: The path to get there is just as important as the automation itself. Can you test how easy it is to build the automation, in addition to executing it? Early in the evaluation process, be sure to ask the SOAR vendor for a demo of building a simple automation, in addition to a demo of a fully baked end process. Seeing sophisticated workflows in action is cool, but it’ll be important to understand the level of effort involved, from deploying the software, to getting up and running, to building a use case designed for your team and tools.

2. How will you empower me to save time and resources, and produce a measurable ROI?

Most organizations are looking at SOAR solutions to address a common pain point: the average security team doesn’t have enough time or human resources to accomplish all of the work that needs to be done across an increasingly complex threat landscape.

But there’s more to security orchestration and automation than that.

Maturity: Automation is table stakes—ask for more. Benefits of SOAR solutions can go beyond increasing efficiency to also include better documented processes and resiliency. In these ways, your security orchestration and automation solution can help you mature your organization. For example, SOAR solutions can allow you to set up workflows to automatically report on errors in automation, track script versions, and maintain visibility into your core processes as your organization matures.

ROI: It’s also important to look for a partner that will help build your business case. Any vendor you work with should be able to understand the use cases you’re aiming to implement (and identify new ones), measure efficiency gains, and build a calculation of time investment in deploying a SOAR solution vs. time/money gained. Below is an example of how Komand by Rapid7 shows time savings:

TCO: When estimating total cost of ownership (TCO), it goes beyond the dollars on the invoice to include how much a solution costs to operate and maintain. With many vendors adopting a subscription model, it’s important to have predictable pricing and packaging. You want to be able to predict the costs of automation relative to the value as your organization grows. Learn more about the ROI of security orchestration and automation.

SOAR adoption should cost less than it would to build it yourself, and provide supporting features to make that possible. To confirm that a vendor will meet your needs before you buy, ask for credible references of customer success from organizations that look like yours in terms of size, maturity, and vertical. Helpful questions may include:

  • What’s the average time to deploy a use case for your existing customer base?
  • Where do customers encounter the most friction?
  • Where do customers experience the most value?

3. Will your security orchestration and automation solution scale with my organization?

Threats are constantly changing, and your security teams, processes, and tools must be agile enough adapt to the threat landscape. Remember: SOAR is much more than just adding pre-built, fixed automation to your incident response tools; a solution needs to go beyond one use case and be flexible to adapt and scale with your organization. Is it extensible and flexible enough to support the use cases you are trying to automate? Does it adapt to your processes versus the other way around?

Extensibility: Too many solutions claim to be orchestration and automation, but require paid professional services or engineering work to build in support for new integrations or use cases. Ask any vendor you are evaluating how easy it will be for you and your team to add new integrations, custom code, etc.

Innovation: Can the vendor keep pace with attackers and today’s evolving threat landscape? How well and fast a company innovates can tell you a lot about the quality of their product and how the vendor treats your partnership. If the product hasn’t changed since inception, it probably never will. But if they’re continuously releasing new features and prioritizing popular customer requests, that’s a great sign that they’ll continue to meet your needs many years down the road. During the sales process, ask how the product team receives customer requests and how they prioritize their product roadmap. Ask how quickly they aim to add new support for integrations for your environment.

This should help you determine what sort of future you can envision for you and your SOAR solution vendor. Is the vendor a flash-in-the-pan startup, or a true partner that will work with you for the long haul?


A good way to find out how responsive a vendor is to customer input is by searching around the web or asking colleagues about their experience. If you find the company is responsive and customers are happy, that is a good sign, but if you find out otherwise, you may want to keep looking. As you start searching for your dream security orchestration and automation vendor, keep these points in mind:

  • SOAR works for you. Adopting security orchestration and automation solutions into your teams should be flexible, cost effective, and easy. Be sure to do some work up-front to ensure your expectations match your team’s, and that the vendors you evaluate are poised to meet those.

  • ROI matters. When evaluating a SOAR solution, a key success metric should be whether the calculated manpower and money saved exceed your investment in adopting the solution. Work with the vendor to ensure that this is clear up-front.

  • Scale for the long-haul. When implementing SOAR, you are adding a critical piece to your security and IT stack. Ensure that the vendor is with you for the long haul and will support your organization as it grows and adapts.

See Rapid7’s automation and orchestration solution for yourself. Join our live demo webcast on June 28th and visit to learn more.