Gartner SOAR Market Guide Insights from CEO Cody Cornell

Whether it’s for a blog, social media post, media interview, webinar or podcast episode, you’ve likely heard someone at Swimlane mention the fact that security operations centers (SOCs) cannot keep up with today’s growing and changing threat landscape. You’ve probably noticed how we explain the ways in which SOCs are understaffed, overworked and constantly bombarded with alarms from their security information and event management (SIEM) systems. These realities have made SOAR a necessity, and Gartner recently released a 2019 Market Guide for Security Orchestration, Automation and Response to help you navigate this space.

The Gartner SOAR Market Guide has some great information and guidance for anyone looking to improve their security operations. However, as a former SOC analyst who has worked in the aforementioned challenging environments and now a CEO of a company that provides a best-in-class SOAR solution, I have thoughts on some of the information presented in the Gartner Market Guide.

SOAR is challenging.

Gartner states that “SOAR solutions are not plug-and-play.” SOAR solutions solve complex problems—from automating mundane tasks to orchestrating critical systems. Like anything of great value, the more you put into it, the more you get back. Plug-and-play implies a simple, “cookie-cutter” approach, and there is no cookie-cutter for SOCs. No organization has the same requirements, technology, people or processes. Because of the individuality of each organization’s needs, a SOAR solution MUST be highly flexible, configurable and scalable to meet the team’s evolving requirements. Taking a simple approach will leave an organization feeling boxed in and bumped up against the limits in terms of what they can do. Perhaps that’s why Gartner also referenced SOAR use cases as “stuck in a rut.”

SOAR use cases stuck in a rut? Not Swimlane customers.

The Gartner SOAR Market Guide mentions “use cases implemented by early adopters have not evolved over the last 12 months and are stuck in a rut.” This is not the case for Swimlane customers. We work with our customers to develop advanced, personalized use cases, and our engineers constantly look for new ways to leverage SOAR. In the last few months, we have even offered webinars on unique use cases including, “Proactive Credential Dump Hunting,” “How to Automate the Employee Off-Boarding IT Process with SOAR,” and “Automated Malware Analysis,” and continue to research and publish others—the interesting ones built by our customers.

My advice for any company evaluating SOAR would be to think beyond the simple use cases evaluated in a short duration proof of value/concept. What might appear as easy from an evaluation perspective—as it is already set up—can become the very thing that prevents the organization from breaking out of the “SOAR use case rut” down the road. The right solution should solve the basic use cases and provide the ability to mature and iterate those use cases over time to meet the needs of the business, changing investigation resources, and the rapidly evolving landscape of attacks, threat detection and monitoring systems.


Towards the end of the report, the Gartner Market Guide offers a strong set of recommendations for security and risk management leaders evaluating a SOAR solution. Some of these recommendations are pragmatic best practices for both customers and vendors, and I agree with most of them. However, I found one section particularly interesting:

“Put a contingency plan in place in the event the SOAR tool is acquired by another vendor. Acquisitions are occurring with some frequency as the market evolves. Buyers should be prepared.”

As the CEO of the only independent SOAR solution, I find that statement relevant but a bit misleading. Tools are built by companies, and those companies are comprised of people that have a passion for the problems they are trying to solve. Do acquisitions happen? Sure. But I’d like to think across the board. Without a doubt, the people at Swimlane are on a mission to ensure every organization can use automation to be more secure. I do believe market independent vendors that are able to integrate with any and every vendor out there—even our competition—are best suited to solve the largest set of use cases.The nature of a SOAR solution requires vendor neutrality to truly deliver value with integrations with any needed solution from Slack to McAfee and Cylance.

Swimlane will always deliver on the promise of open collaboration to provide SOC teams with the best solution.

SOAR pricing

I absolutely agree with the Gartner SOAR Market Guide on the section regarding per analyst pricing models. Consumption-based pricing is counterintuitive to the ROI proposition of automation. Organizations should be encouraged and rewarded (with ROI) for the increased usage of their investment in SOAR—not punished with a higher licensing subscription cost.

SOAR is an investment in your past, present and future.

It sounds a bit poetic, but it’s also true. A true SOAR solution pulls together your past investments, improves your present day-to-day abilities, and can help you expand and grow those capabilities in the future. Look for a SOAR company as a partner, not just a product.

Overall, I think the Gartner Market Guide is a good read for any organization evaluating their SOAR needs. In addition to the Market Guide, review Swimlane’s SOAR Buyer’s Guide with a checklist that includes many of these same guidelines.

Gartner Innovation Insight for Security Orchestration, Automation and Response, Claudio Neiva, Craig Lawson, Toby Bussa, Gorka Sadowski, November 30, 2017

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, and is used herein with permission. All rights reserved.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

*** This is a Security Bloggers Network syndicated blog from Swimlane (en-US) authored by Cody Cornell. Read the original post at:

Avatar photo

Cody Cornell

Cody is responsible for the strategic direction of Swimlane and the development of our security orchestration, automation, and response (SOAR) platform. At Swimlane we advocate for the open exchange of security information and deep technology integration, that maximizes the value customers receive from their investments in security operations technology and people. Collaborating with industry-leading technology vendors, we work to identify opportunities to streamline and automate security activities saving customer operational costs and reducing risk.

cody-cornell has 131 posts and counting.See all posts by cody-cornell