What Is SOAR and Why It Is Key in Modern Cybersecurity

In cybersecurity, there’s something almost as abundant as vulnerabilities: acronyms. And today, we’re focusing on one that’s essential if we want our cybersecurity department to operate at peak efficiency: SOAR, which stands for Security Orchestration, Automation, and Response.
Implementing SOAR effectively can make the difference between a sluggish, manual response and one that is fast, intelligent, and efficient. That’s why in this post, we’ll break down what SOAR is, what it’s used for, how it works, and how it can dramatically increase your effectiveness in responding to threats—or at the very least, make your workdays a bit smoother.

What Is SOAR?

Movies often portray cybersecurity as a battle between genius hackers typing arcane commands in a black terminal window—furiously banging on keyboards until someone says, “I’m in.”
Reality, however, looks a lot more like keyboards full of Dorito crumbs, script kiddies pasting commands they don’t understand, endless spam and phishing emails, and users clicking exactly where you told them not to.
In that context, SOAR—Security Orchestration, Automation, and Response—is a technology designed to achieve two critical objectives:

  • Orchestration: Coordinating timely and synchronized responses to major threats.
  • Automation: Streamlining and executing optimal responses to recurring, low-complexity security incidents.

Given today’s threat landscape, implementing SOAR is no longer optional for organizations of a certain size, complexity, or strategic importance. Why? Because modern cybersecurity is less about single epic attacks and more about “death by a thousand cuts.”
Port scans, phishing emails, and leaked credentials on the dark web flood our environments daily. We’re like Gulliver, overwhelmed not by giants, but by a relentless swarm of tiny attackers.
In this scenario, if you’re not automating, your experts are bogged down with repetitive manual mitigation tasks instead of focusing on high-value threats. It’s a waste of talent.

SOAR handles these repetitive, necessary tasks automatically, not to replace your SOC, but to empower it. It frees your cybersecurity team to focus on advanced analysis and strategic defense, while automation deals with tasks like IP banning or phishing ticket workflows.
Without SOAR, your organization is more vulnerable. While your top analysts are buried in low-level alert response and ticket management, an attacker may be moving laterally from a compromised IoT device to a printer, looking for ways to escalate privileges—while your defenders are still manually handling the latest DDoS flood.

Key Components of a SOAR Solution

The pillars of a SOAR solution are built right into its name:

  • Orchestration.
  • Automation.
  • Response.

Orchestration refers to the coordination of security tools and systems, such as SIEMs, EDRs, firewalls, and others. Depending on the specific SOAR platform, this orchestration can be implemented via APIs, prebuilt connectors, or custom integrations.
This orchestration sets the stage for the next core component: automated countermeasures.
A simple example would be scanning email attachments. In a SOAR platform, you can create a response flow (known as a playbook, which we’ll dive into later) to handle this. The playbook might scan the attachments, determine if they contain malware, and, if so, block the sender and quarantine the message. If the sender is internal (from the company’s domain), it might even send an alert to the user and proactively lock the account as a precaution.
These automated response playbooks are highly flexible—and they make sure your engineers don’t spend five years of training manually scanning attachments and suspending accounts.
Finally, there’s the response itself. In many cases, the automated workflows described above will already include response actions. These responses vary depending on the threat.
For example, for routine issues like the one above, a SOAR can automatically block an internal account. For more complex scenarios, you can define a playbook that requires human approval—such as escalating to the SOC with an alert and letting analysts take action.

How Does a SOAR Work?

At the core of how a SOAR operates are the playbooks we mentioned earlier.
A playbook—a term borrowed from sports like American football, where it refers to predefined strategies the team can execute on cue—is an automated workflow that tells the SOAR what actions to take in specific scenarios.
Depending on the SOAR solution in use, these workflows can be created using code (such as Python), or through a low-code or no-code interface.
For instance, Splunk SOAR allows users to build playbooks visually, creating flowcharts that define what happens at each stage—no need to write out every if condition manually.
A typical example of how a playbook might run:

  • The SIEM sends an alert about a potential malware-laced email, based on data it received from an endpoint EDR installed on the CEO’s laptop.
  • The SOAR receives the alert and triggers the relevant playbook.
  • The playbook launches the first automated response actions, such as quarantining the suspicious email.
  • Conditional logic built into the playbook adds flexibility:
    • If the email comes from an unknown external source, the playbook deletes it, blocks the sender, logs the event, and moves on—no need to bother anyone, since this happens dozens of times a day.
    • But if the email originates from the company’s own domain, the situation might be more serious. Perhaps there’s a misconfiguration with the DMARC policy. In that case, the playbook executes a hybrid response: it quarantines the message, logs the metadata, and escalates it to the SOC with all relevant details for investigation.
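The branching email workflow just described, written out as a small code-based playbook. This is an added example, not code from Pandora FMS or from any SOAR vendor: the connectors are stand-ins that only record the actions they are asked to perform (a real platform would call the mail gateway, SIEM and ticketing APIs), `COMPANY_DOMAIN` and the alert fields are assumptions, and the alert itself is constructed for the example.

```python
"""Added example: a minimal code-based playbook for the suspicious-email
alert described above. Connectors are stubs that record actions; they do
not call real products."""
from dataclasses import dataclass, field
from email.utils import parseaddr
from typing import Any, Dict, List, Optional, Tuple

COMPANY_DOMAIN = "example.com"  # assumed internal domain for the example


@dataclass
class EmailAlert:
    """Constructed shape of the alert the SIEM forwards to the SOAR."""
    message_id: str
    sender: str               # raw From header, e.g. 'Finance <finance@example.com>'
    recipient: str
    attachment_verdict: str   # "malicious" or "clean", as reported by the EDR/SIEM
    dmarc_result: str         # "pass", "fail" or "none" from the mail gateway


@dataclass
class PlaybookResult:
    actions: List[Tuple[str, Any]] = field(default_factory=list)  # audit trail
    escalated: bool = False
    ticket: Optional[Dict[str, Any]] = None


def sender_domain(address: str) -> str:
    """Extract the bare, lower-cased domain from a From header value."""
    _, addr = parseaddr(address)
    return addr.rpartition("@")[2].lower()


def run_email_playbook(alert: EmailAlert) -> PlaybookResult:
    """Execute the playbook: contain first, then branch on the sender's origin."""
    result = PlaybookResult()

    # Step 1: immediate containment, taken on every branch.
    result.actions.append(("quarantine", alert.message_id))

    # Guard: if the attachment verdict is not malicious, release and log; no escalation.
    if alert.attachment_verdict != "malicious":
        result.actions.append(("release", alert.message_id))
        result.actions.append(("log", f"{alert.message_id}: attachment clean, released"))
        return result

    # Step 2: conditional logic.
    if sender_domain(alert.sender) != COMPANY_DOMAIN:
        # Unknown external source: delete, block the sender, log, and move on.
        result.actions.append(("delete", alert.message_id))
        result.actions.append(("block_sender", alert.sender))
        result.actions.append(("log", f"{alert.message_id}: external malware, sender blocked"))
        return result

    # Internal domain: possibly spoofed or a DMARC misconfiguration, so keep the
    # message quarantined, record the metadata and escalate to the SOC.
    metadata = {
        "message_id": alert.message_id,
        "sender": alert.sender,
        "recipient": alert.recipient,
        "dmarc": alert.dmarc_result,
    }
    result.actions.append(("log_metadata", metadata))
    result.ticket = {
        "title": f"Internal-domain malware email {alert.message_id}",
        "priority": "high",
        "dmarc": alert.dmarc_result,
        "details": metadata,
    }
    result.escalated = True
    result.actions.append(("escalate_to_soc", result.ticket["title"]))
    return result


if __name__ == "__main__":
    # Constructed alerts, one per branch of the playbook.
    external = EmailAlert("m1", "attacker@evil.test", "ceo@example.com", "malicious", "none")
    internal = EmailAlert("m2", "Finance <finance@example.com>", "ceo@example.com", "malicious", "fail")
    for alert in (external, internal):
        outcome = run_email_playbook(alert)
        print(alert.message_id, "escalated" if outcome.escalated else "auto-handled", outcome.actions)
```

The quarantine happens before any decision is made, so a mistake in the branching logic cannot leave the message in the inbox; the `actions` list is the record an auditor (or a later compliance playbook) would consume.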

It’s important not to confuse playbook with runbooks. A runbook is more like a cookbook recipe—a linear, step-by-step process for handling a routine operation, such as restarting a downed service.
Playbooks, on the other hand, are more dynamic and decision-driven. They adapt based on conditions and branching logic rather than executing the same set of steps every time.

Benefits of Implementing a SOAR in Your Organization

The advantages of a SOAR platform are clear. It’s like reinforcing your small cybersecurity team with automated drones that deploy to the battlefield the moment your security monitoring tools detect a threat. This helps eliminate the constant stream of “small cuts” that bleed your resources dry.
SOAR implementation brings:

  • Reduced Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR)
    Faster threat detection and response times improve your security posture across the board.
  • Increased response capacity without increasing SOC headcount
    Your team can do more, better, and faster—without burning out or needing to scale personnel.
  • Improved compliance
    Playbooks can be configured to automatically store the necessary data for forensic audits or regulatory reporting, proving active infrastructure monitoring.
  • Fewer human errors in repetitive tasks
    Automated actions are consistent and fatigue-proof, reducing risks caused by inattention or burnout.
  • Standardized, more effective responses
    Responses are based on pre-built playbooks that reflect cybersecurity best practices, ensuring consistency and efficiency every time.

Common Use Cases for SOAR

We’ve already seen how SOAR can help manage threats without driving our engineers (even more) insane, but here are some other frequent use cases:

  • Phishing or malware mitigation, as shown in previous examples.
  • Better alert and false-positive management, as long as the playbook rules are solid (for example, ignoring login attempts from internal IPs).
  • Faster incident investigation. For instance, consolidating logs from Active Directory, firewalls, and the EDR into a single incident report, rather than forcing the SOC team to comb through them individually.
  • Automatic mitigation of DDoS attacks.
  • Automated compliance enforcement (audit reports, logging every action taken during an incident, etc.).
  • Automated patching of non-critical systems.
  • Blocking malicious insider accounts (e.g., when large-scale data downloads are detected).
  • And more…

Differences Between SOAR and SIEM: Rivalry or Complement?

In cybersecurity—as in life—there are no absolute black-and-white answers, nor are borders always clearly defined. On top of that, there’s a tendency for tools to expand their capabilities over time.
For example, there’s a strong incentive for an IDS like Snort not only to scan the network, but also to include prevention features, evolving into an IPS.
SIEM and SOAR usually occupy adjacent roles within a cybersecurity architecture. That proximity often leads to blurred lines, with each solution taking on functions traditionally associated with the other in an attempt to become more appealing.
However, SIEM and SOAR are elite specialists, each excelling in their respective areas:

  • SIEM is the analyst—skilled at gathering and correlating data, transforming raw information into actionable intelligence, often using machine learning to detect threats that aren’t obvious at first glance.
  • SOAR is the responder—built to take action based on that intelligence, offering broader and more flexible response capabilities.

Yes, some SIEMs now include basic automated response features, and some SOAR platforms have limited data analysis capabilities—but true cybersecurity strength lies in getting both to work together.
Still, it’s essential to note that response quality depends on the quality of the information received.
If that data is poor, the SOAR platform may end up unnecessarily blocking IP addresses or deleting legitimate emails. That’s why a robust SIEM—capable of collecting, filtering, and interpreting threat data—is critical to alerting the SOAR appropriately.
Summary: SIEM vs SOAR

Integration of SOAR with Other Security Tools

SOAR cannot function on its own. As we’ve seen, it relies on its connection to the SIEM (if one is available) or to other programs (like an IDS) to inform it about what it needs to act on. However, it also depends on connecting to other devices to execute its playbooks. This is where orchestration comes in — conducting the various elements like an orchestra to respond to threats.
This highlights the importance of APIs and connectors, ensuring they are easy to configure and that the solution can work well as part of a team.
Let’s look at an example of a modern SOAR architecture and how its connections would function in a simple malware incident.

  • An unhappy employee arrives at the office with a USB drive full of malicious intent.
  • They execute the malware contained on it, but the EDR monitors this action. Since it is connected to a SIEM, it reports the event, and the SIEM determines it’s a threat and alerts the SOAR.
  • The SOAR then triggers the pre-defined playbook for such cases, connecting with the EDR to stop the execution of the malicious file.
  • At the same time, the SOAR connects to VirusTotal via API, for example, to submit the file for analysis.
  • If VirusTotal responds positively (confirming the malware), SOAR reconnects with the EDR to block the infected device and opens a ticket in the ticketing system for the SOC, including all relevant details about the incident and the implicated user.
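The USB-malware incident above, expressed as a playbook that orchestrates three tools through one connector interface. This is an added example and not Pandora FMS or any vendor's code: `Connector`, `EdrConnector`, `ReputationConnector` and `TicketConnector` are hypothetical stubs that record what they are asked to do, the reputation lookup is a stand-in for a file-reputation API such as VirusTotal rather than its real client, and the sample file bytes and verdict table are constructed. The lower-priority review ticket on an unconfirmed verdict is an added design choice, not something the post specifies.

```python
"""Added example: orchestration of EDR, file reputation and ticketing
through a common connector interface. All connectors are stubs."""
import hashlib
from dataclasses import dataclass
from typing import Any, Dict, List, Tuple


class Connector:
    """Every integration exposes named actions and records each call for audit."""
    name = "base"

    def __init__(self) -> None:
        self.audit: List[Tuple[str, Dict[str, Any]]] = []

    def call(self, action: str, **params: Any) -> Any:
        self.audit.append((action, params))
        return getattr(self, "act_" + action)(**params)


class EdrConnector(Connector):
    """Hypothetical EDR connector: can kill a process and isolate a host."""
    name = "edr"

    def __init__(self) -> None:
        super().__init__()
        self.killed: set = set()
        self.isolated_hosts: set = set()

    def act_kill_process(self, host: str, pid: int) -> bool:
        self.killed.add((host, pid))
        return True

    def act_isolate_host(self, host: str) -> bool:
        self.isolated_hosts.add(host)
        return True


class ReputationConnector(Connector):
    """Stand-in for a file-reputation service; verdicts keyed by SHA-256 (constructed)."""
    name = "reputation"
    KNOWN_BAD = {hashlib.sha256(b"constructed-malicious-sample").hexdigest()}

    def act_lookup(self, sha256: str) -> str:
        return "malicious" if sha256 in self.KNOWN_BAD else "unknown"


class TicketConnector(Connector):
    """Hypothetical ITSM connector that opens tickets for the SOC."""
    name = "itsm"

    def __init__(self) -> None:
        super().__init__()
        self.tickets: List[Dict[str, Any]] = []

    def act_open(self, title: str, priority: str, details: Dict[str, Any]) -> Dict[str, Any]:
        ticket = {"id": len(self.tickets) + 1, "title": title, "priority": priority, "details": details}
        self.tickets.append(ticket)
        return ticket


@dataclass
class MalwareAlert:
    """Constructed shape of the SIEM alert that triggers the playbook."""
    host: str
    user: str
    pid: int
    file_path: str
    file_bytes: bytes


def run_usb_malware_playbook(alert: MalwareAlert, edr: EdrConnector,
                             reputation: ReputationConnector, itsm: TicketConnector) -> Dict[str, Any]:
    """Stop execution, enrich with a verdict, then isolate and ticket if confirmed."""
    sha = hashlib.sha256(alert.file_bytes).hexdigest()
    details = {"host": alert.host, "user": alert.user, "path": alert.file_path, "sha256": sha}

    edr.call("kill_process", host=alert.host, pid=alert.pid)   # step 1: contain
    verdict = reputation.call("lookup", sha256=sha)            # step 2: enrich
    outcome: Dict[str, Any] = {"sha256": sha, "verdict": verdict, "isolated": False, "ticket": None}

    if verdict == "malicious":
        # Confirmed: block the device and hand the SOC a complete ticket.
        edr.call("isolate_host", host=alert.host)
        outcome["isolated"] = True
        outcome["ticket"] = itsm.call("open", title=f"Confirmed malware on {alert.host}",
                                      priority="high", details=details)
    else:
        # Unconfirmed: keep the process killed but do not isolate; ask an analyst to review.
        outcome["ticket"] = itsm.call("open", title=f"Unconfirmed executable on {alert.host}",
                                      priority="medium", details=details)
    return outcome


def audit_trail(*connectors: Connector) -> List[Tuple[str, str]]:
    """Flatten every connector's recorded calls into one (tool, action) list for compliance."""
    return [(c.name, action) for c in connectors for action, _ in c.audit]


if __name__ == "__main__":
    edr, rep, itsm = EdrConnector(), ReputationConnector(), TicketConnector()
    alert = MalwareAlert("LAPTOP-07", "jdoe", 4242, "E:\\payroll.exe", b"constructed-malicious-sample")
    print(run_usb_malware_playbook(alert, edr, rep, itsm))
    print(audit_trail(edr, rep, itsm))
```

Because every action passes through `Connector.call`, the playbook never talks to a product directly; swapping the stub for a real API client changes one class, and the audit list already holds the per-incident record that the compliance use case above asks for.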

As we can see, SOAR depends on connections with other technologies — both to receive information and to orchestrate an effective and automated response.

Considerations Before Implementing a SOAR Solution

After reading all this, any cybersecurity leader would want that army of little “programmable robots” on their side—handling tedious tasks without needing food, rest, or the occasional scolding (unlike their engineers).
However, SOAR isn’t a silver bullet, nor is it suitable for every organization. Before jumping in, a few key considerations must be addressed.

First, conduct a needs assessment.
Depending on your available resources and the complexity of the infrastructure you need to protect, a full SOAR platform may not be necessary. Other tools with some automated response capabilities might be sufficient. It’s important to understand that SOAR adds a layer of complexity, so ask yourself questions like:

  • Are we spending too much time on repetitive tasks? If not, SOAR won’t add much value.
  • Do we already use tools like SIEMs, IDSs, etc., that can be properly integrated with SOAR? Because a SOAR solution alone can’t do much.
  • Do we have well-defined (but mostly manual) processes that could be handed off to a SOAR platform?

If the analysis shows a clear need for SOAR, then the next step is selecting the right solution. In real life, this choice is usually limited first by budget and second by complexity.
There are open-source options like Shuffle with automated response capabilities. But while powerful, they can be difficult to configure and manage.
And while I love open source with all my heart, if your organization is strategic or faces high-risk scenarios, a commercial solution is often more appropriate. Splunk (now owned by Cisco) is one of the top choices, but not the only one. Other common platforms include Fortinet’s FortiSOAR and Microsoft Sentinel.
Then comes the deployment and integration phase, which will vary depending on the tool selected.
After deployment, you’ll need to start small: test a few playbooks, verify that everything works as expected, implement them in production, and slowly expand from there.

At the same time, keep in mind that SOAR changes SOC workflows.
This means you won’t just train staff on the new tool—you’ll also need to manage the shift in responsibilities, as many of the routine tasks (hopefully) get automated and your human analysts take on higher-value work.

SOAR in the Pandora FMS Ecosystem

Pandora SIEM is the ideal ally in any security architecture that includes a SOAR platform. Sitting right before the SOAR’s automated response kicks in, it provides advanced information and alerting capabilities, enhancing effectiveness and significantly reducing workload.
By acting as a centralized intelligence hub, Pandora SIEM prevents unnecessary or counterproductive playbook executions—because once again, endpoints got blocked due to false positives, everyone’s yelling, you’re trying to reduce downtime, and secretly dreaming (with tears in your eyes) about becoming a gardener.
Pandora’s integration isn’t limited to SIEM—it’s part of a broader ITSM ecosystem, designed to simplify operations across the board.
For example, Pandora SIEM detects malicious activity and sends the alert to the SOAR platform which triggers the appropriate playbook. Let’s say the incident is serious—the automatic actions help contain the threat, but they aren’t enough on their own.
In that case, SOAR can automatically create a ticket in Pandora ITSM for the SOC, including all relevant information to speed up response and resolution times.
Or perhaps it was a false alarm. Maybe that port scan came from our own Blue Team checking for unsecured doors. The SOAR platform can detect that and, as part of the playbook, close the ticket in Pandora ITSM, specifying the reason and context.

That way, the SOC is free to focus on high-priority tasks—like secretly gaming during work hours without anyone noticing.
As we’ve seen, SOAR helps solve one of the most widespread pain points in modern cybersecurity—but it does require a prior needs assessment, proper budget allocation, and setup time.

Still, once in place and properly configured, a SOAR solution expands your incident response capabilities by deploying “robotic drones” into the battlefield to handle the repetitive tasks—so your human team can focus on what truly matters.
