SOAR Software

Deepest playbook engine for Splunk-anchored SOCs.

Splunk SOAR (formerly Phantom, acquired by Splunk in 2018 for roughly $350M) is the SOAR platform with the deepest playbook engine and the most mature Python-extensible automation framework. The product runs natively alongside Splunk Enterprise Security, which is the single biggest reason mature SOCs continue to choose it. Acquired by Cisco in March 2024 as part of the $28B Splunk deal. Trade-offs: pricing post-Cisco is still settling, the Phantom-to-Splunk SOAR rebrand confused some customers, and Cisco SecureX overlap created roadmap uncertainty that the 2025 SecureX deprecation only partially resolved.

War-chest playbook marketplace, with XSIAM convergence ahead.

Cortex XSOAR (formerly Demisto, acquired by Palo Alto Networks in 2019 for $560M) is the SOAR platform with the largest pre-built playbook marketplace (the Cortex Marketplace ships 1,000+ content packs). The product excels for Palo Alto-anchored SOCs running Cortex XDR. The defining 2026 question: Palo Alto launched XSIAM in late 2022 explicitly to converge SIEM, XDR, and SOAR into one platform, and XSIAM is now the strategic priority. Standalone XSOAR continues to ship, but every Palo Alto analyst day reinforces XSIAM as the destination. Trade-offs: licensing complexity, multi-year contracts standard, and the open question of whether XSOAR is being quietly sunset into XSIAM.

No-code automation, security-born, now expanding into IT and engineering.

Tines is the no-code automation platform built originally for security teams that want to stop writing Python playbooks. Founded by two former eBay security engineers (Eoin Hinchy and Thomas Kinsella), Tines raised a $50M Series C in May 2024 led by SoftBank Vision at a valuation above $1B. The product is unusual in this category because it never came out of a SIEM or XDR vendor; it was built no-code-first. The result is the cleanest authoring experience in the SOAR category, accessible to security analysts who do not write code. Trade-offs: pricing rises quickly at scale, integration depth is smaller than Cortex XSOAR (300 vs 1,000+), and the no-code abstraction has limits when complex branching logic is required.

Hyperautomation positioning, founded by the original Demisto team.

Torq is the modern hyperautomation SOAR platform founded in 2020 by Ofer Smadari (former CEO of Luminate Security, ex-Demisto leadership team) and Eldad Livni. The founder pedigree (Demisto / Palo Alto XSOAR alumni) gave Torq immediate credibility, and the product positions explicitly as hyperautomation rather than SOAR, anticipating the Gartner category retirement. Raised $70M Series B in October 2022, followed by a $42M Series C in 2024. The product is no-code with a strong AI-assisted authoring layer (Torq Socrates) and is among the fastest-growing in the category by net new logos in 2025. Trade-offs: ecosystem smaller than incumbents, pricing opaque, brand recognition still catching up.

AI-native SOAR rewrite with the Turbine engine.

Swimlane was one of the original modern SOAR vendors (founded 2014) and stayed independent while peers (Phantom, Demisto, Siemplify) were acquired. The company rewrote its core platform in 2023 around the Turbine engine, an AI-native rearchitecture explicitly designed for autonomous SOC use cases. Cumulative funding exceeds $70M; ownership remains private and independent. Strong 2024 momentum on Turbine adoption, though the rewrite created a short-term migration burden for legacy Swimlane customers that some reviewers flagged. Trade-offs: brand recognition lower than Splunk SOAR and Cortex XSOAR, pricing opaque, and the Turbine rewrite migration story is still settling for legacy customers.

Siemplify, after Google bought it; integrated into Chronicle.

Google SecOps SOAR is the former Siemplify, acquired by Google in January 2022 for roughly $500M and integrated into Google Chronicle (now Google SecOps). The product retains the strong case management and investigation workflow that made Siemplify a Magic Quadrant Leader pre-acquisition, and the Chronicle integration is now genuinely native (single UI, unified data layer). The defining 2026 question is post-acquisition customer support quality, multiple reviewers cite degraded response times since the Google integration, and product roadmap velocity slowed during the Chronicle merge. Pricing follows the parent Google SecOps per-employee model, which is unusually transparent for SOAR. Trade-offs: best-fit narrowed to Google Cloud / Chronicle customers, support quality concerns persist, and the Siemplify brand has effectively been retired.

Resilient, after IBM bought it; integrated into QRadar.

IBM Security QRadar SOAR (formerly Resilient Systems, acquired by IBM in March 2016 for roughly $200M) is one of the longest-standing SOAR platforms with deep incident response heritage. Bruce Schneier was CTO at Resilient pre-acquisition, which says something about the early intellectual seriousness of the product. Best-fit for traditional enterprises with existing IBM QRadar SIEM footprint where native SIEM-to-SOAR integration matters. Trade-offs: IBM-typical post-acquisition product stagnation, dated UI, and the May 2024 IBM Security divestiture announcement to Palo Alto Networks creates significant roadmap uncertainty, particularly given that Palo Alto already owns Cortex XSOAR.

SecOps on the Now Platform, where security meets ITSM.

ServiceNow Security Operations (SecOps) extends the Now Platform into security incident response, vulnerability response, and threat intel management. The product is uniquely positioned: it lives in the same workflow engine as ITSM, which means security incidents auto-create change requests, CMDB tickets, and IT remediation workflows without integration overhead. Best-fit for organizations where ServiceNow is already the system of record for IT and where bridging the SOC-to-IT handoff is the biggest operational pain. Trade-offs: pricing among the highest in category, native SIEM integration is shallower than dedicated SOAR vendors, and the Now Platform commitment is a multi-million-dollar prerequisite that locks buyers in.

NextGen SOAR rebranded Smart SOAR, with MITRE-aligned playbooks.

D3 Security has been in the SOAR / incident response space longer than most (founded 2002 in Vancouver), and is one of the few SOAR vendors that has remained independent and privately held without acquisition. The product rebranded from NextGen SOAR to Smart SOAR in 2023, positioning around MITRE ATT&CK-aligned playbooks and a stronger AI-augmentation story. Best-fit for MSSPs and mid-market SOCs that value vendor independence and the MITRE-aligned content library. Trade-offs: brand recognition lower than the top 5, smaller ecosystem, pricing opaque, and the company has stayed quiet on funding details, making capital runway harder to assess than VC-backed peers.

Autonomous SOC concept, bought by Devo; post-acquisition velocity slowed.

LogicHub was founded in 2016 around the autonomous SOC concept, an ambitious thesis that AI/ML should drive playbook decisions rather than rules. Devo acquired LogicHub in August 2022 to add SOAR to its SIEM platform (the same Devo covered in our Top 10 SIEM ranking). The combined Devo + LogicHub product offers integrated SIEM+SOAR on a single petabyte-scale data platform. Trade-offs: post-acquisition product investment has slowed notably, the original LogicHub leadership team mostly departed, and the autonomous SOC thesis remains more marketing than product reality. Best-fit narrowed to existing Devo SIEM customers wanting bundled SOAR.