Mandiant Incident Response Visit the Mandiant Incident Response page
Support Visit the Google Cloud Support hub
Careers Browse open positions at Chronicle
Chronicle Return to the Chronicle homepage
Security Operations Platform arrow_forward expand_more
Security Operations Platform

Explore the Security Operations Platform for the modern SOC.

Security Operations Platform
Overview Detect, investigate, and respond to cyber threats with speed, scale, and precision.
Detect Detect threats with confidence by storing and analyzing all your security telemetry at Google scale.
Investigate Get faster insights with context and depth of investigation to stay ahead of the latest breaches.
Respond Orchestrate tools, build automation, and collaborate with ease to respond in minutes.
Solutions arrow_forward expand_more
Solutions

Reimagine your security operations with affordable solutions.

Solutions
Mandiant Hunt for Chronicle Uncover hidden attacks with elite threat hunters by your side.
SOC Modernization Protect your organization against modern-day threats.
Cloud detection & response Improve investigation and response to cloud-based threats.
Service providers Attract new customers and keep existing ones coming back.
Chronicle CyberShield Helping Governments Defend Against Modern Threats
Why Chronicle arrow_forward expand_more
Why Chronicle

Rely on a modern approach to threat detection and response.

Why Chronicle
How we’re different Add Google speed, scale and intelligence to your SOC.
Our customers Discover how modern security teams use Chronicle.
Partners arrow_forward expand_more
Partners

We work together with our partners to help our customers protect themselves.

Partners
Overview Through product integrations and security expertise, together we bring more effective solutions to market.
Solutions for Small to Mid-Sized Business Expert resources for organizations with up to 2000 employees
Resources arrow_forward expand_more
Resources

Get to know us better. Find out what we’ve learned, what’s new, and what’s next.

Resources
Blog Get an inside view of the digital security landscape.
Knowledge Base Sortable whitepapers, datasheets, videos, and more.
Community Join security pros sharing SecOps content and best practices
Contact us Visit the contact us page
Chronicle Return to the Chronicle homepage
Security Operations Platform arrow_forward expand_more
Security Operations Platform

Explore the Security Operations Platform for the modern SOC.

Security Operations Platform
Overview Detect, investigate, and respond to cyber threats with speed, scale, and precision.
Detect Detect threats with confidence by storing and analyzing all your security telemetry at Google scale.
Investigate Get faster insights with context and depth of investigation to stay ahead of the latest breaches.
Respond Orchestrate tools, build automation, and collaborate with ease to respond in minutes.
Solutions arrow_forward expand_more
Solutions

Reimagine your security operations with affordable solutions.

Solutions
Mandiant Hunt for Chronicle Uncover hidden attacks with elite threat hunters by your side.
SOC Modernization Protect your organization against modern-day threats.
Cloud detection & response Improve investigation and response to cloud-based threats.
Service providers Attract new customers and keep existing ones coming back.
Chronicle CyberShield Helping Governments Defend Against Modern Threats
Why Chronicle arrow_forward expand_more
Why Chronicle

Rely on a modern approach to threat detection and response.

Why Chronicle
How we’re different Add Google speed, scale and intelligence to your SOC.
Our customers Discover how modern security teams use Chronicle.
Partners arrow_forward expand_more
Partners

We work together with our partners to help our customers protect themselves.

Partners
Overview Through product integrations and security expertise, together we bring more effective solutions to market.
Solutions for Small to Mid-Sized Business Expert resources for organizations with up to 2000 employees
Resources arrow_forward expand_more
Resources

Get to know us better. Find out what we’ve learned, what’s new, and what’s next.

Resources
Blog Get an inside view of the digital security landscape.
Knowledge Base Sortable whitepapers, datasheets, videos, and more.
Community Join security pros sharing SecOps content and best practices
Mandiant Incident Response Visit the Mandiant Incident Response page
Support Visit the Google Cloud Support hub
Careers Browse open positions at Chronicle
IDC Study: Customers cite 407% ROI with Google Chronicle. Learn More IDC Study: Customers cite 407% ROI with Google Chronicle. .
Gartner SOAR Magic Quadrant: When, where, and how?
Nimmy Reichenberg
Group Product Marketing Manager
April 29, 2022

One question that we get asked a lot is “Is there a Gartner Magic Quadrant for SOAR?” The short answer is “not yet.” The most detailed research Gartner has released in the SOAR space is the Gartner Market Guide for SOAR. And, while Gartner analysts haven’t rated SOAR vendors yet, Gartner users certainly have. You can head over to Gartner Peer Insights to read some user reviews on the various SOAR platforms.

In this post, we will, however, attempt to provide insights on what a magic quadrant might look like for SOAR and what basis could be used for rating SOAR platforms.

Important note: All opinions expressed are our own and are not Gartner’s official position.  

Magic Quadrant Basics

As a refresher, Gartner Magic Quadrants evaluate vendors in a specific category on two different axis:

  • Ability to execute: This includes the current product offering, overall vendor viability, and sales and marketing execution.

  • Completeness of vision: This includes market understanding, product strategy, as well as marketing and sales strategy.

The vendors are then divided into four different quadrants, namely:

  • Leaders: Leaders distinguish themselves by offering a service suitable for strategic adoption and having an ambitious roadmap. Leaders in this market have appreciable market share and many referenceable customers.

  • Challengers: Challengers are well-positioned to serve some current market needs. They deliver a good service that is targeted at a particular set of use cases, and they have a track record of successful delivery.

  • Visionaries: Visionaries have an ambitious vision of the future and are making significant investments in the development of unique technologies. Their services are still emerging, and they have many capabilities in development that are not yet generally available.

  • Niche Players: Niche players may be excellent providers for particular use cases or in regions in which they operate, but they should ultimately be viewed as specialist providers. They often do not serve a broad range of use cases well or have a broadly ambitious roadmap.

Assessing Ability to Execute

While SOAR is certainly a maturing category, leading vendors have been offering SOAR products for around five years. So when assessing a provider’s ability to execute, leading vendors have certainly separated themselves from the pack.

Here are some criteria to consider when assessing a SOAR vendor’s ability to execute:

  1. Number of customers: Clearly an obvious factor to consider. We can speak from experience that there is no shortcut for improving your offering through “battle scars” earned from serving leading security operations teams from around the world. At this stage of the market, a leading SOAR platform should have at least 100 successful SOAR implementations.

  2. Quantity and Quality of integrations: Integrations are the bread and butter of SOAR. Leading SOAR platforms should cover all leading SIEMs, threat intelligence  platforms, EDRs, NDRs, cloud platforms and then some. Leading SOAR platforms at this day and age should cover all the common tools used by SecOps teams (that number is easily upward of 150) However, when evaluating SOAR platforms, make sure to look beyond the quantity of integrations and also assess their quality. Integrations can vary greatly in terms of depth, stability, and documentation. So don’t take a vendor's claim of “Yes, we integrate with product XYZ” at face value.

  3. Company Size: As with any mission-critical technology, you want to partner with a SOAR vendor that has adequate engineering, professional services and support resources to ensure your success. With SOAR pure-plays,100 employees is probably the bare minimum required to support a large customer base. (LinkedIn is one of the best sources for accurate employee counts). For large corporations that offer SOAR as part of a broad portfolio, this data can be hard to obtain. (As an example, IBM likely has thousands of engineers, but it’s hard to know how many of them are dedicated to a specific product)

  4. Product “Trifecta”: Gartner defines SOAR as the convergence of three technologies. incident response platforms (which include case management), security orchestration and automation, and threat intelligence platforms (TIP). Product offerings of SOAR leaders should offer solid capabilities across all three of these technologies. (That is one reason why we partnered with a best-of-breed TIP provider for our integrated TIP offering.)

Assessing Completeness of Vision

One Gartner analyst we spoke with offered a great soundbite, mentioning that SOAR is only “in its second inning.” It’s definitely still early days for SOAR, which means there is a lot more innovation ahead, both in terms of vendor product enhancements as well as end-user adoption and use case development.

Here are some criteria that can be used to assess completeness of vision:

  • Cloud: In the half-decade SOAR has been around, cloud has transformed security operations. This is true both in terms of the adoption of more modern cloud-native SecOps tools (such as SIEM and EDR) and also in terms of the need to secure cloud-based applications and infrastructure. Forward-thinking SOAR platforms are built to quickly embrace the cloud, from cloud-native deployment of the SOAR platform to cloud-specific use cases and playbooks.

  • Ease-of-Use and Time-to-Value: Despite some dubious vendor claims, SOAR is not a plug-and-play solution, and successful implementations involve the design, building and maintenance of playbooks. That said, SOAR platforms greatly differ in their ability to reduce time to value and take at least some of the heavy lifting away, with packaged use-cases and intuitive playbook building and testing.

  • Collaboration: With remote work, and the increased reliance on service providers, collaboration in security operations is more important than ever. Modern SOAR platforms are designed to focus on how security operations teams can better collaborate among each other, with MSSPs and with teams outside the SOC (such as legal and PR when a crisis hits).

  • Machine Learning: While often over-hyped, machine learning can provide incredible value in security operations. Forward thinking SOAR platforms leverage machine learning to get smarter with every analyst interaction and to provide actionable insights and recommendations to analysts, engineers and SOC managers.

  • Community: The idiom “it takes a village” rings ever so loudly in cybersecurity. Leading SOAR platforms harness the power of community to foster development and sharing of integrations and use cases with the entire security community, as well as serving as a platform for general sharing of secops best practices.

Good Quadrants Come to Those Who Wait?

While a Gartner Magic Quadrant for SOAR is not in plain sight, the SOAR market is continuing with full force. Many vendors claim to have SOAR capabilities, but it’s worth noting that only 12 names made it to the list of sample SOAR vendors included in a recent Gartner Hype Cycle for Security Operations, perhaps providing a glimpse of what a future SOAR Magic Quadrant might look like.

If you’re in the market for SOAR, you’ll have to do without a Magic Quadrant for the time being. Fortunately, we have some resources to help.

Let’s work together

Ready for Google-speed threat detection and response?

Contact us Visit the contact us page