loading
Loading content
loading
Also known as Security Orchestration, Automation and Response
SOAR (security orchestration, automation, and response) ties together the tools a security operations center already runs and drives them with playbooks. When an alert fires, a playbook can enrich it with threat-intel lookups, query the endpoint for related activity, isolate a host, open a ticket, and notify an analyst, all without a person clicking through each console. The platform handles the wiring between products that otherwise do not talk to each other.
This matters because analysts drown in alerts, and most early triage is mechanical. A SOAR playbook does the rote lookups in seconds and presents the analyst a decision instead of a raw alert, which shrinks dwell time and frees skilled people for the judgment calls automation cannot make. It also makes response consistent, since the playbook runs the same steps every time.
SOAR consumes alerts from a siem and acts as the execution engine for incident response playbooks. The orchestration piece is a form of security orchestration, and good playbooks depend on solid detection engineering upstream so the alerts worth automating are the ones that fire.
Trickest applies the same orchestration idea to offensive and attack-surface tasks, chaining tools into automated workflows that run on triggers or a schedule.
Related terms