
Standalone SOAR is Alive and Kicking


Various publications and analyst firms have predicted a doomsday scenario for the standalone SOAR following a series of acquisitions in the space, predominantly by SIEM vendors. Google acquired Siemplify, Devo acquired LogicHub, Fortinet acquired CyberSponse, Palo Alto Networks acquired Demisto, Splunk acquired Phantom, Sumo Logic acquired DFLabs, and Micro Focus acquired Atar Labs, which, in turn, was acquired by OpenText.

But this high-level view has very low resolution. It assumes that all possible SOARs are already in circulation, that every acquisition shrinks the pool of standalone vendors, and that an acquisition means the SOAR will be natively integrated into a SIEM or XDR. As part of my research on SOAR, I have noticed several developments over the past few years that show that not only is there a place for the standalone SOAR, but the solutions are evolving to support new use cases.

Here are some key reasons why standalone SOAR solutions will not be absorbed into SIEM or XDR in the near future:

  1. More standalone vendors enter the market.
  2. Big players still choose to offer standalone.
  3. The inherent benefits of standalone and vendor-agnostic solutions.
  4. Non-security event ingestion.
  5. Non-security automation.

More Standalone SOARs Enter the Market

Compared to the second iteration of the GigaOm SOAR Radar, the third iteration features three more standalone SOAR players, namely Cyware, Tines, and Torq. Torq is the most recent entrant, having been founded in 2020, and has built an impressive portfolio of customers. Tines has also been gaining traction in the market. I have consistently and incidentally noticed Tines added to integration portfolios across various network and security vendors over the past couple of years.

Big Players Continue to Offer Standalone SOARs

While a number of security vendors have chosen to integrate SOAR into their SIEM – such as OpenText, Huntsman, Sumo Logic, and Devo – others have kept SOAR as a standalone and vendor-agnostic product, most notably heavyweights such as Fortinet, IBM, Splunk, and Palo Alto Networks.

Why would they do that? The most obvious reason is to broaden their total addressable market. If an integrated SIEM plus SOAR solution (see our GigaOm Radar on ASOM) is only suited to customers that either want to migrate from their incumbent SIEM or don't have a SIEM at all, a standalone SOAR can also target customers with a third-party SIEM that don't want to migrate.

But there is more to standalone SOARs than just a bigger target market, which we explore in the section below.

The Inherent Benefits of Standalone and Vendor-Agnostic Solutions

A SIEM with native SOAR capabilities could become unwieldy and difficult to manage, with a slower cadence on new features. A very significant part of your SOC becomes dependent on this one solution, and even with all the automation and ML-driven insights, the platform will likely incur a lot of technical debt.

Here, SOAR platforms have two advantages, being standalone and being vendor agnostic, which are two sides of the same coin. Vendor agnosticism means that a SOAR solution can work with any third-party SIEM, substantially lowering the dependency on a single platform and making migration considerably easier, whether it is the SOAR or the SIEM side of a solution that is being switched out.

The standalone quality means that the SOAR solution can fulfil its purpose in the absence of a SIEM. This aspect allows SOAR to branch into two more use cases unavailable to integrated SIEM and SOAR solutions, namely ingesting non-security events and automating non-security tasks.

Non-Security Event Ingestion

New developments indicate that the remaining standalone SOAR vendors are finding a way of side-stepping the SIEM, with the option of becoming the primary tool for SOC analysts. Rather than relying on a SIEM to ingest logs and generate alarms, some SOAR vendors are now ingesting events directly from the sources that produce them. In this context, non-security events are events not generated by a security tool such as a SIEM, XDR, firewall, or antivirus.

While this scenario sounds very similar to a SIEM's log collection capabilities, SOAR solutions do not capture everything, only events such as API calls, HTTP requests, or login attempts. This approach means that events are fewer and richer compared to logs, which implies two things:

  • SOAR does not have the same concern of collecting, digesting, storing, and analyzing billions and trillions of logs that a SIEM does.
  • SOAR does not provide the same level of deep visibility that a SIEM does.

This ability to ingest events directly, without a dependency on a SIEM, does not mean breaking away from the SIEM altogether; the two solutions can continue working together, especially where their features are complementary. However, it may be the case that SOAR solutions offer a lighter and more agile way for security analysts to handle incident response in simpler IT environments, such as start-ups and other cloud-native and cloud-only organizations.

Non-Security Automation

SOAR can drop the S to become Orchestration, Automation, and Response. How is this different from other IT workflow automation tools? SOAR has been bred in a high-stakes environment and benefits from strong audit, compliance, governance, and, most importantly, trust. Not to mention, an all-purpose SOAR can still carry out its core security functions alongside the added IT automation.

As a multi-purpose tool, (S)OAR can become its own category that blends IT automation and security response. Adding non-security capabilities to a SIEM would make little to no sense, meaning that only a standalone SOAR can play in this market. Yes, it can automate responses to the alerts generated by a SIEM, but it can also be used for automated patch management, ensuring compliance, asset management, and onboarding new employees.

A vendor such as ServiceNow has a distinct edge here, considering its ITSM background and comprehensive SOAR capabilities.
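As an added illustration of the two use cases described above (direct event ingestion and non-security automation), and not code from any vendor named here: a toy Python (S)OAR core that takes structured events straight from their producers, routes each to a playbook, and keeps an audit trail of every action. The producer names, event kinds, and failed-login threshold are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Event:
    source: str   # hypothetical producer name, e.g. "idp" or "hris"
    kind: str     # event type that the playbook table is keyed on
    subject: str  # the user or asset the event is about
    attrs: dict = field(default_factory=dict)  # the "richer" part of an event


class Soar:
    """Toy (S)OAR core: routes events to playbooks and records every action."""
    FAILED_LOGIN_THRESHOLD = 3  # constructed value, not a vendor default

    def __init__(self):
        self.failed_logins = defaultdict(int)
        self.actions = []  # audit trail: (action, target_system, subject)
        self.playbooks = {
            "login_failed": self.pb_failed_login,        # security response
            "employee_hired": self.pb_onboard_employee,  # IT automation
        }

    def ingest(self, ev: Event) -> None:
        # Unknown event kinds are recorded, never silently dropped.
        self.playbooks.get(ev.kind, self.pb_unhandled)(ev)

    def pb_unhandled(self, ev: Event) -> None:
        self.actions.append(("no_playbook", ev.source, ev.kind))

    def pb_failed_login(self, ev: Event) -> None:
        """Repeated failures trigger step-up MFA re-enrolment and a ticket."""
        self.failed_logins[ev.subject] += 1
        if self.failed_logins[ev.subject] >= self.FAILED_LOGIN_THRESHOLD:
            self.actions.append(("require_mfa_reenrol", "idp", ev.subject))
            self.actions.append(("open_ticket", "itsm", ev.subject))
            self.failed_logins[ev.subject] = 0  # reset once acted upon

    def pb_onboard_employee(self, ev: Event) -> None:
        """Non-security playbook: provision the accounts a new hire needs."""
        for system in ("email", "vpn", *ev.attrs.get("team_tools", [])):
            self.actions.append(("provision_account", system, ev.subject))


def run_demo() -> list:
    """Feed constructed events from three producers; return the audit trail."""
    soar = Soar()
    for _ in range(3):
        soar.ingest(Event("idp", "login_failed", "alice", {"ip": "203.0.113.7"}))
    soar.ingest(Event("hris", "employee_hired", "bob", {"team_tools": ["jira"]}))
    soar.ingest(Event("cdn", "cache_purged", "edge-1"))
    return soar.actions
```

Because the identity provider and HR system push events directly, no SIEM sits in the path, yet the same engine serves both the security and the IT workflow.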

Exit Options for Standalone SOAR Vendors

From a less technical perspective, one possible reason we've seen so many acquisitions is that an acquisition is the most likely exit for a SOAR vendor. Most of these start-ups have been acquired within five to ten years of inception. Are we likely to see an IPO from a SOAR-only vendor? The most likely candidates are D3, Swimlane, and ThreatConnect, well-established players with long tenure.

Perhaps the answer lies in the last two points I made above, non-security event ingestion and non-security automation. Only a handful of point-solution SOAR vendors extend their capabilities to open up new use cases for their products, which means there are revenue streams that cannot be tapped by adjacent solutions such as SIEMs or IT workflow automation tools.

Whether or not we'll see a SOAR IPO, the near-future prognosis for the SOAR market is strong, and no amount of acquisitions will spell the end of the standalone SOAR, as its inherent standalone and vendor-agnostic capabilities cannot be replaced.
