Mandiant Incident Response Visit the Mandiant Incident Response page
Support Visit the Google Cloud Support hub
Careers Browse open positions at Chronicle
Chronicle Return to the Chronicle homepage
Security Operations Platform arrow_forward expand_more
Security Operations Platform

Explore the Security Operations Platform for the modern SOC.

Security Operations Platform
Overview Detect, investigate, and respond to cyber threats with speed, scale, and precision.
Detect Detect threats with confidence by storing and analyzing all your security telemetry at Google scale.
Investigate Get faster insights with context and depth of investigation to stay ahead of the latest breaches.
Respond Orchestrate tools, build automation, and collaborate with ease to respond in minutes.
Solutions arrow_forward expand_more
Solutions

Reimagine your security operations with affordable solutions.

Solutions
Mandiant Hunt for Chronicle Uncover hidden attacks with elite threat hunters by your side.
SOC Modernization Protect your organization against modern-day threats.
Cloud detection & response Improve investigation and response to cloud-based threats.
Service providers Attract new customers and keep existing ones coming back.
Chronicle CyberShield Helping Governments Defend Against Modern Threats
Why Chronicle arrow_forward expand_more
Why Chronicle

Rely on a modern approach to threat detection and response.

Why Chronicle
How we’re different Add Google speed, scale and intelligence to your SOC.
Our customers Discover how modern security teams use Chronicle.
Partners arrow_forward expand_more
Partners

We work together with our partners to help our customers protect themselves.

Partners
Overview Through product integrations and security expertise, together we bring more effective solutions to market.
Solutions for Small to Mid-Sized Business Expert resources for organizations with up to 2000 employees
Resources arrow_forward expand_more
Resources

Get to know us better. Find out what we’ve learned, what’s new, and what’s next.

Resources
Blog Get an inside view of the digital security landscape.
Knowledge Base Sortable whitepapers, datasheets, videos, and more.
Community Join security pros sharing SecOps content and best practices
Contact us Visit the contact us page
Chronicle Return to the Chronicle homepage
Security Operations Platform arrow_forward expand_more
Security Operations Platform

Explore the Security Operations Platform for the modern SOC.

Security Operations Platform
Overview Detect, investigate, and respond to cyber threats with speed, scale, and precision.
Detect Detect threats with confidence by storing and analyzing all your security telemetry at Google scale.
Investigate Get faster insights with context and depth of investigation to stay ahead of the latest breaches.
Respond Orchestrate tools, build automation, and collaborate with ease to respond in minutes.
Solutions arrow_forward expand_more
Solutions

Reimagine your security operations with affordable solutions.

Solutions
Mandiant Hunt for Chronicle Uncover hidden attacks with elite threat hunters by your side.
SOC Modernization Protect your organization against modern-day threats.
Cloud detection & response Improve investigation and response to cloud-based threats.
Service providers Attract new customers and keep existing ones coming back.
Chronicle CyberShield Helping Governments Defend Against Modern Threats
Why Chronicle arrow_forward expand_more
Why Chronicle

Rely on a modern approach to threat detection and response.

Why Chronicle
How we’re different Add Google speed, scale and intelligence to your SOC.
Our customers Discover how modern security teams use Chronicle.
Partners arrow_forward expand_more
Partners

We work together with our partners to help our customers protect themselves.

Partners
Overview Through product integrations and security expertise, together we bring more effective solutions to market.
Solutions for Small to Mid-Sized Business Expert resources for organizations with up to 2000 employees
Resources arrow_forward expand_more
Resources

Get to know us better. Find out what we’ve learned, what’s new, and what’s next.

Resources
Blog Get an inside view of the digital security landscape.
Knowledge Base Sortable whitepapers, datasheets, videos, and more.
Community Join security pros sharing SecOps content and best practices
Mandiant Incident Response Visit the Mandiant Incident Response page
Support Visit the Google Cloud Support hub
Careers Browse open positions at Chronicle
IDC Study: Customers cite 407% ROI with Google Chronicle. Learn More IDC Study: Customers cite 407% ROI with Google Chronicle. .
A simple SOAR adoption maturity model
Anton Chuvakin
Security Strategist, Google Cloud
June 14, 2022

As security orchestration, automation and response (SOAR) adoption continues at a rapid pace,  security operations teams have a greater need for a structured planning approach.

My favorite approach has been a maturity model, vaguely modeled on the CMM approach. For example, in my analyst days, I built a maturity model for a SOC (2018), a SIEM deployment (2018) and vulnerability management (2017).

10 Must-Ask Questions When Choosing a SOAR Solution

Guess which one is missing? The one for SOAR!  Now, why was it missing? In my estimation, there are too many doors to SOAR to plot a coherent yet universally applicable SOAR maturity model.

But with many SecOps teams deploying and running SOAR for several years, I sense that a reasonably applicable adoption maturity model can be created. So here is a first attempt at it.

There are a few assumptions to keep in mind:

  • The maturity climb starts with having a SOAR. Admittedly many organizations don’t have a SOAR or comparable technology, so they fall outside of this visual.

  • The starting point for SOAR may still differ dramatically (as the tweet below references), so this is at best an illustration rather than universal guidance. For example, some organizations start with case management and no playbooks, yet still find value in SOAR.

Teams that use SOAR -- how many playbooks do you use *regularly*? 🤖

— hackerxbella | Allie Mellen (@hackerxbella) May 24, 2022

  • Dimensions may be mixed up at many organizations, but they do follow an increasing maturity individually.

Click here to download a larger and printable version

How do you use this in your environment?

  • Take care of the assumptions and check for where you are starting up. (Are you dealing with phishing? Too many SIEM alerts? Using SOAR as case management?)

  • Use as a very rough guide to judge where you are in your SOAR journey and where to go next.

  • Don’t despair if your journey to SOAR does not fit. SOAR is a very flexible and programmable technology, so being atypical is typical.

Thanks to Google SOAR Solution Architecture Manager Oleg Siminel, and others from the Siemplify field team, for their support here.

Let’s work together

Ready for Google-speed threat detection and response?

Contact us Visit the contact us page