
SOAR, So What? The Promise, the Letdown, and What Comes Next
Remember When SOAR Was Going to Save Us?
Ah yes—Security Orchestration, Automation, and Response (SOAR). Once pitched as the cyber equivalent of a self-driving SOC: no more 3am alerts, tier-1 fatigue, or 27-tab pivoting. Just clean, streamlined, playbook-powered bliss.
But here we are, a decade in. Most orgs still struggle to scale SOAR. Analysts spend more time maintaining integrations than stopping threats. And some of us are left wondering: Did we automate the chaos instead of reducing it?
Let’s explore the original promise of SOAR, where it stumbled, and what the future might look like—spoiler: it’s not just more automation.
The Original Promise: Orchestration, Not Just Automation
SOAR was never just about pushing buttons faster. At its core, it was meant to:
- Unify the SOC estate: Connect SIEM, EDR, threat intel, ticketing, IR tools, and more.
- Codify tribal knowledge: Turn analyst actions into repeatable playbooks.
- Reduce dwell time: Move from alert to action in seconds, not hours.
- Shrink burnout: Let machines handle the noise so humans can focus on the meaningful.
Gartner once predicted that by 2022, 30% of organisations with a security team of 5+ would leverage SOAR tools. Reality? We’re still barely past 10-15% adoption in practice.
The Reality: Tool Sprawl, Rigid Playbooks, and “Heavy Lift” Integration
The market quickly split into two camps:
1. Platform-Centric SOAR (aka The Big Guys)
- Think Palo Alto Cortex XSOAR, IBM Resilient, Splunk Phantom
- Feature-rich but often complex, with long deployment cycles
- High cost, steep learning curve
2. Lean/Vertical SOAR (aka The New Wave)
- Tines, Swimlane, Torq, etc.
- API-first, lighter UX, focused use cases (e.g., phishing triage)
But both suffer from:
- Integration fragility: APIs break, vendor updates lag, and maintenance costs mount
- Playbook fatigue: Rigid logic fails when attackers don’t follow scripts
- Data silos: Alert enrichment still depends on disconnected tools
In a recent study, 64% of SOC leaders said they spend more time updating playbooks and integrations than responding to threats.
Why Automation Alone Isn’t Enough
SOAR promised orchestration. But what we often got was conditional logic duct-taped to unreliable APIs.
And here’s the thing: Threat actors don’t operate like linear workflows.
- They pivot.
- They adapt.
- They bypass every static playbook you’ve written.
Meanwhile, your SOAR stack is asking if source_ip == known_malicious. 🤦
True response needs context, correlation, and creativity—not just automation.
So What Does the Future Hold?
1. SOAR Will Morph Into Decision Engines
- Expect a shift from hard-coded logic to AI-driven decision layers
- Systems will ask: “What’s the intent here?”, not just “What’s the matching rule?”
2. Integration Will Become Invisible
- Thanks to middleware abstraction, future SOAR will auto-discover and auto-link tools
- Think “plug-and-play SOC”
3. Human-in-the-Loop, Not Human-on-the-Hook
- Smart orchestration will loop in humans only where ambiguity or risk thresholds demand it
- SOC 2.0 = judgment at the edge, not drowning in noise
4. Composable Security Will Win
- Modular, event-driven architectures will replace monolithic platforms
- SOAR becomes a capability, not a product
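To make the "source_ip == known_malicious" problem and the human-in-the-loop threshold idea concrete, here is an added Python example (not code from the post or any SOAR vendor) that runs a rigid one-IOC playbook and a context-scoring triage over the same constructed alerts. The alert fields, the IOC list, the score weights and the two thresholds are all illustrative assumptions.

```python
from dataclasses import dataclass

# Constructed sample data: a static IOC list (TEST-NET addresses) and alerts
# carrying the enrichment fields a SIEM/EDR/TI pipeline would attach.
KNOWN_MALICIOUS = {"203.0.113.7"}

@dataclass
class Alert:
    source_ip: str
    asset_tier: str          # "crown_jewel" or "standard"
    failed_logins: int       # failed logins for this user in the last hour
    edr_detections: int      # correlated EDR detections on the same host
    threat_intel_score: int  # 0-100 reputation from an enrichment source

def rigid_playbook(alert: Alert) -> str:
    """The 'if source_ip == known_malicious' branch: one IOC, one answer."""
    return "block" if alert.source_ip in KNOWN_MALICIOUS else "close"

def risk_score(alert: Alert) -> int:
    """Correlate several independent signals into one score.
    Weights are illustrative assumptions, not a vendor's model."""
    score = 50 if alert.source_ip in KNOWN_MALICIOUS else 0
    score += min(alert.threat_intel_score, 100) // 2   # up to 50
    score += 10 * min(alert.edr_detections, 3)         # up to 30
    score += 15 if alert.failed_logins >= 5 else 0
    score += 20 if alert.asset_tier == "crown_jewel" else 0
    return score

def contextual_triage(alert: Alert, escalate_at: int = 40, contain_at: int = 70) -> str:
    """Route by risk: auto-contain when the evidence is clear, pull a human
    in only when it is ambiguous, auto-close the noise."""
    score = risk_score(alert)
    if score >= contain_at:
        return "contain"
    if score >= escalate_at:
        return "escalate_to_analyst"   # human-in-the-loop at the risk threshold
    return "close"

def compare(alerts):
    """Side-by-side decisions per alert: (rigid playbook, contextual triage)."""
    return [(rigid_playbook(a), contextual_triage(a)) for a in alerts]

# Constructed alerts: a listed IOC, an adversary pivoting from clean IPs
# against a crown-jewel host (the rigid playbook closes both), and plain noise.
SAMPLE_ALERTS = [
    Alert("203.0.113.7", "standard", 0, 0, 90),
    Alert("198.51.100.23", "crown_jewel", 8, 2, 10),
    Alert("198.51.100.24", "crown_jewel", 5, 3, 80),
    Alert("192.0.2.15", "standard", 0, 0, 0),
]
```

Run `compare(SAMPLE_ALERTS)` to see the second and third alerts, which the IOC-only branch auto-closes, land on an analyst's desk or in containment because the surrounding context scores them up.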
Key Data Points to Watch
- 75% of cyber leaders believe playbook rigidity is the #1 blocker to effective response
- Median time to deploy SOAR across hybrid environments = 9-12 months
- 54% of orgs report failed SOAR PoCs due to integration challenges or cultural mismatch
Where Do We Go From Here?
If you’re a CISO, SOC leader, or IR lead—here’s your real takeaway:
✅ Don’t chase automation. Chase agility.
✅ Stop coding rules. Start encoding context.
✅ Don’t buy SOAR to reduce headcount. Buy it to empower the humans you already trust.
Oh, and don’t let Kevin the Bot run your IR without adult supervision. He’s great at closing tickets, not so much at threat modelling.
Orchestrate with Intent, Automate with Caution
The promise of SOAR was never wrong. But its implementation often was.
We’re now entering a phase where security automation must move from script-kiddie logic to intent-based orchestration. From tool-centric to outcome-centric. From “faster alerts” to better decisions.
SOAR isn’t dead. It’s evolving.
Let’s make sure our thinking evolves with it.