Skip to content

Security term · last reviewed 2026-07-07

SOAR

Also known as: Security Orchestration, Automation, and Response

SOAR automates and orchestrates the response to security alerts with playbooks, sitting downstream of detection (often a SIEM) to cut response time.

How it works

SOAR (Security Orchestration, Automation, and Response) is the layer that automates and coordinates the response to security alerts, turning a detection into action without a human doing every step by hand. A SOAR platform runs playbooks: when an alert fires (often from a SIEM), it can enrich the alert with threat intelligence, open a ticket, isolate a host, disable an account, and notify responders, following a predefined workflow. The goal is to cut response time and free analysts from repetitive triage.

When it matters

SOAR matters for security teams drowning in alert volume, where manual response does not scale and consistency matters. It sits downstream of detection: the SIEM (or other tools) find the problem, SOAR orchestrates the fix. Like a SIEM, it is an enterprise-scale control that presumes a staffed security function, so it is well past what an early-stage startup needs.

Common misconceptions

  • "SOAR replaces analysts." It automates the repetitive parts; humans still handle judgment calls and tuning.
  • "SOAR and [SIEM](/glossary/siem/) are interchangeable." SIEM detects and alerts; SOAR orchestrates and automates the response. They are complementary.
  • "You can automate response before you can detect." SOAR is only as good as the detections feeding it.

Related terms

← All terms