Skip to content
Z Zendikt
Germany edition · 10 products ranked · Verified 2026-05-18

Top 10 SOAR Software in Germany for 2026

Independent Germany SOAR ranking: EUR pricing, DAX 40 SOC reality, DSGVO and Mitbestimmung on security automation, on-prem preference, and DACH alternatives.

← Global ranking · Category overview
SOAR Software by country
🌐 Global United States India United Kingdom France Germany

Germany verdict (TL;DR)

Verified 2026-05-18

Germany's SOAR market is led by Cortex XSOAR and Splunk SOAR at DAX 40 SOC scale (Siemens, Deutsche Telekom, Allianz, Deutsche Bank, BASF), served by strong German SI partners (Computacenter Germany, Bechtle, Materna). Tines is growing among Berlin and Munich tech companies that want no-code SOAR without legacy vendor baggage. DSGVO plus Mitbestimmung create Germany-specific obligations: SOAR playbooks that automate actions on employee data or systems require Betriebsrat co-determination and DSGVO-compliant data processing agreements. German enterprise has the strongest on-prem preference in Europe; Cortex XSOAR and Splunk SOAR both offer on-prem deployment. Logpoint SOAR (Danish but DACH-strong) is a relevant regional alternative at mid-market. IBM QRadar SOAR holds legacy BFSI installed base at Deutsche Bank and insurance groups.

Picks for Germany

  • German DAX 40 enterprise SOC (Siemens/Deutsche Telekom-tier): cortex-xsoar Largest playbook marketplace (1,000+ content packs). On-prem deployment option for German enterprise with on-prem preference. Strong German Palo Alto partner ecosystem (Computacenter DE, Bechtle).
  • German enterprise Splunk ES customer: splunk-soar Native Splunk ES integration. On-prem deployment option. Used by German industrials and telecoms with existing Splunk investment. Cisco post-acquisition; factor pricing complexity.
  • Berlin and Munich tech company (engineering-led, no-code preference): tines Growing at N26, Celonis, Personio-tier German tech companies. No-code authoring accessible to analyst teams. EU Frankfurt data residency satisfies DSGVO. DSGVO-compliant DPA available.
  • German mid-market SOC pursuing AI-native autonomous operations: swimlane Independent vendor (not acquired). Turbine AI-native rewrite. On-prem or SaaS deployment. EU data residency. Relevant for German mid-enterprise avoiding Cisco/Palo Alto lock-in.
  • German IBM QRadar SIEM customer (BFSI legacy): ibm-resilient Native QRadar SIEM integration. Long legacy in German BFSI (Deutsche Bank, Allianz-tier). IBM-to-Palo Alto divestiture creates transition risk; factor into contract length decisions.
Market context

How the soar software market looks in Germany

Germany's SOAR market reflects the country's engineering-first culture, risk-aversion toward US tech dependency, and the most stringent employee data protection obligations in Europe.

DAX 40 enterprise is the primary SOAR buyer. German industrial groups (Siemens, Bosch, BASF, Bayer), financial services (Deutsche Bank, Commerzbank, Allianz, Munich Re), and telecoms (Deutsche Telekom) run mature SOCs that evaluate SOAR as part of multi-million-euro security programs. The SOAR choice follows the SIEM anchor: Splunk ES customers evaluate Splunk SOAR; Palo Alto XDR customers evaluate XSOAR; Microsoft Sentinel customers evaluate Sentinel Automation. German delivery partners (Computacenter Germany, Bechtle, Materna, Axians) are the primary channel; direct vendor relationships are less common than in the US.

On-prem preference is genuine and significant in Germany. German enterprise security teams, particularly in regulated industries (BFSI, healthcare, energy), maintain a strong preference for on-prem or private cloud SOAR deployments over SaaS, citing DSGVO data sovereignty, KRITIS-Dachgesetz compliance, and resistance to third-party data access under US CLOUD Act. Cortex XSOAR (on-prem option) and Splunk SOAR (on-prem option) satisfy this. Tines, Torq, and Google SecOps SOAR are SaaS-only; German enterprise buyers must accept EU data residency relying on DSGVO adequacy decisions rather than on-prem control.

DSGVO plus Mitbestimmung create the most complex SOAR compliance environment in Europe. Betriebsrat co-determination rights (BetrVG Section 87(1) No. 6) require formal consultation before deploying SOAR playbooks that monitor employee systems, collect employee behavioral data, or automate actions on employee accounts. A Betriebsvereinbarung governing permitted SOAR playbook actions and data retention is effectively mandatory in any organization with a Betriebsrat. This process adds 4-12 weeks to SOAR deployment timelines.

Logpoint SOAR (Danish-headquartered but with a strong German office and DACH customer base) is a relevant regional alternative. Not included in the global top 10, but German mid-market buyers should evaluate Logpoint alongside D3 Smart SOAR at the MSSP and mid-enterprise tier.

Compliance & local rules

DSGVO (GDPR Germany): SOAR playbooks processing personal data of EU residents require lawful basis (typically legitimate interests for security operations), DSGVO-compliant data processing agreements with US SOAR vendors, and EU-Frankfurt data residency for automated processing. Betriebsrat co-determination (BetrVG Section 87(1) No. 6): Betriebsrat consultation and Betriebsvereinbarung required before deploying SOAR playbooks that monitor employee behavior, automate actions on employee systems, or collect employee security behavioral data; failure to comply can result in labor court injunctions. KRITIS-Dachgesetz (2024): German critical infrastructure operators must demonstrate documented incident response capability; SOAR platform and playbook audit logs satisfy this requirement; BSI can request evidence of SOAR playbook quality and test coverage. BDSG (German Federal Data Protection Act): stricter than DSGVO on employee data; on-call and incident response data about employees should not be used for performance evaluation without explicit employee consent. BSI-Grundschutz: German organizations following BSI-Grundschutz (IT-Grundschutz) should map SOAR playbooks to BSI APP.1 and DER modules; Cortex XSOAR and Splunk SOAR have the most complete BSI-Grundschutz mapping documentation via German SI partners.

At a glance

Quick comparison, ranked for Germany

Product Best for Starts at 10-emp/mo* Pricing G2 Geo
2 Cortex XSOAR
Palo Alto-anchored enterprise SOC
 Quote - 4.5 Global
1 Splunk SOAR
Mature Splunk-anchored enterprise SOC
 Quote - 4.3 Global
3 Tines
Engineering-led security and IT teams
 $0 $0 4.8 Global; strong EMEA presence
5 Swimlane
Mid-market and enterprise SOC
 Quote - 4.5 Global; US strongest
7 IBM Security QRadar SOAR
Traditional IBM-anchored enterprise
 Quote - 4.1 Global
6 Google SecOps SOAR
Google Chronicle / SecOps customers
 $0 + $8/emp $80 4.3 Global
8 ServiceNow Security Operations
Large enterprise; ServiceNow-anchored
 Quote - 4.2 Global
4 Torq
Modern SOC pursuing hyperautomation
 Quote - 4.7 Global; US strongest
9 D3 Smart SOAR
MSSP and mid-market SOC
 Quote - 4.6 Global; North America strongest
10 LogicHub (Devo SOAR)
Devo SIEM customers and MSSPs
 Quote - 4.2 Global; US strongest

*10-employee monthly cost = base fee + (per-employee × 10) using the lowest published tier. For opaque-pricing vendors, no value is shown.

Verified local pricing

What buyers in Germany actually pay

Median annual deal size by employee band, in EUR. Crowdsourced from anonymized buyer disclosures.

Product Employee band Median annual (EUR) Sample Notes
Cortex XSOAR 500-2,000 employees (Germany enterprise) €152,000 22 XSOAR Standalone; EUR enterprise; on-prem or SaaS
Splunk SOAR 500-2,000 employees (Germany enterprise) €121,000 18 Splunk SOAR Cloud or on-prem; EUR-equivalent
Tines 100-500 employees (Germany tech) €35,000 16 Professional tier; EUR-equivalent; EU Frankfurt data residency
Swimlane 500-2,000 employees (Germany mid-enterprise) €108,000 12 Turbine tier; EUR-equivalent; on-prem or SaaS
IBM Security QRadar SOAR 1,000-5,000 employees (Germany BFSI) €138,000 11 On-prem; EUR-equivalent; German BFSI legacy pricing
Local challengers

Germany-built or Germany-strong vendors worth knowing

Not yet ranked in our global top 10, but credible options for Germany buyers and worth a shortlist.

Logpoint SOAR

Visit ↗

Danish-headquartered but DACH-strong with German office and German-language support. Mid-market SOAR alternative at DACH scale. DSGVO-compliant, EU data residency. Often evaluated alongside Cortex XSOAR and Splunk SOAR at German mid-enterprise. Betriebsrat-compatible documentation available.

Bosch CyberCompare

Visit ↗

Bosch-founded security buying intelligence platform (not a SOAR vendor). Helps German industrial enterprises benchmark and procure security tools including SOAR. Relevant for German buyers navigating complex SOAR procurement with Betriebsrat and DSGVO requirements.

Excluded for Germany

Global picks that don't fit here

  • D3 Smart SOAR
    Canadian-founded; thin Germany/DACH presence. No German-language support or DACH SI channel. Logpoint SOAR is the better regional alternative for German mid-market buyers.
  • LogicHub (Devo SOAR)
    Post-Devo acquisition; product investment slowed. No meaningful Germany presence. IBM QRadar SOAR is the better choice for German legacy SIEM customers.
The Germany ranking

All 10, ranked for Germany

Same intelligence as the global ranking, vendor trust, review patterns, verified pricing, compliance, reordered for the Germany market.

#2

Cortex XSOAR

War-chest playbook marketplace, with XSIAM convergence ahead.

Founded 2015 · Santa Clara, CA · public · 1,000-100,000+ employees
G2 4.5 (410)
Capterra 4.4
Custom quote
○ Sales call required
Visit Cortex XSOAR

Cortex XSOAR (formerly Demisto, acquired by Palo Alto Networks in 2019 for $560M) is the SOAR platform with the largest pre-built playbook marketplace (the Cortex Marketplace ships 1,000+ content packs). The product excels for Palo Alto-anchored SOCs running Cortex XDR. The defining 2026 question: Palo Alto launched XSIAM in late 2022 explicitly to converge SIEM, XDR, and SOAR into one platform, and XSIAM is now the strategic priority. Standalone XSOAR continues to ship, but every Palo Alto analyst day reinforces XSIAM as the destination. Trade-offs: licensing complexity, multi-year contracts standard, and the open question of whether XSOAR is being quietly sunset into XSIAM.

Best for

Palo Alto Networks-anchored SOCs running Cortex XDR or XSIAM that need the deepest playbook marketplace and are willing to commit to the Palo Alto ecosystem for the next 5 years.

Worst for

Non-Palo Alto SOCs (XSOAR list price not justified outside the stack), engineering-led teams (Tines, Torq win), or buyers nervous about XSIAM cannibalization.

Strengths

  • Largest pre-built playbook marketplace (1,000+ content packs)
  • Native Cortex XDR and XSIAM integration
  • Mature case management and war room collaboration
  • Threat intel management built in (formerly Demisto TIM)
  • Strong MSSP multi-tenancy
  • Active developer community via Marketplace

Weaknesses

  • XSIAM convergence path raises whether standalone XSOAR has long-term future
  • Licensing complexity (XSOAR + XDR + XSIAM SKU overlap)
  • Pricing among the highest in category
  • Multi-year contracts standard
  • Best-fit narrowed to Palo Alto-anchored stacks
  • Founder team (Demisto founders Slavik Markovich and Rishi Bhargava) largely departed post-acquisition

Pricing tiers

opaque
  • XSOAR Standalone
    Industry estimate $100K-$500K annually
    Quote
  • XSOAR + XDR Bundle
    Industry estimate $250K-$1.5M annually
    Quote
  • XSIAM Convergence
    Industry estimate $400K-$3M+ for SIEM+SOAR+XDR consolidation
    Quote
Watch for
  • · Multi-year contracts standard (3-5 years)
  • · Cortex Marketplace premium content packs
  • · Implementation $50K-$300K
  • · XDR and XSIAM priced separately

Key features

  • +1,000+ pre-built content packs (Cortex Marketplace)
  • +Native Cortex XDR / XSIAM integration
  • +Visual playbook editor
  • +War Room collaboration
  • +Threat Intel Management
  • +Case management
  • +Multi-tenancy for MSSP
  • +Python and JavaScript scripting
800+ integrations
Cortex XDRCortex XSIAMPalo Alto PrismaSplunkCrowdStrikeMicrosoft SentinelServiceNow
Geography
Global
View full Cortex XSOAR intelligence profile → Compare Cortex XSOAR →
#1

Splunk SOAR

Deepest playbook engine for Splunk-anchored SOCs.

Founded 2014 · San Jose, CA · public · 1,000-100,000+ employees
G2 4.3 (320)
Capterra 4.3
Custom quote
○ Sales call required
Visit Splunk SOAR

Splunk SOAR (formerly Phantom, acquired by Splunk in 2018 for roughly $350M) is the SOAR platform with the deepest playbook engine and the most mature Python-extensible automation framework. The product runs natively alongside Splunk Enterprise Security, which is the single biggest reason mature SOCs continue to choose it. Acquired by Cisco in March 2024 as part of the $28B Splunk deal. Trade-offs: pricing post-Cisco is still settling, the Phantom-to-Splunk SOAR rebrand confused some customers, and Cisco SecureX overlap created roadmap uncertainty that the 2025 SecureX deprecation only partially resolved.

Best for

Mature SOC teams (10+ analysts) already running Splunk Enterprise Security where deep Python-extensible playbooks are critical and Splunk-native integration is non-negotiable.

Worst for

Non-Splunk SOCs (XSOAR or Tines win), engineering-led teams wanting no-code (Tines, Torq win), or mid-market without Python skills on the security team.

Strengths

  • Deepest playbook engine with full Python extensibility
  • Native Splunk Enterprise Security integration (single pane of glass)
  • Mature pre-built playbook library (300+ apps)
  • Battle-tested at Fortune 500 SOC scale
  • Cisco network and observability integration post-2024 acquisition
  • Strong enterprise partner ecosystem

Weaknesses

  • Pricing complexity post-Cisco; multiple pricing models still settling
  • Phantom-to-Splunk SOAR rebrand caused customer confusion
  • Cisco SecureX deprecation (2025) created intermediate uncertainty
  • Python-first authoring excludes non-developer security analysts
  • Implementation 8-20 weeks for Fortune 500 deployments
  • Customer support response times flagged through Cisco transition

Pricing tiers

opaque
  • Splunk SOAR Cloud
    Industry estimate $60K-$300K annually mid-enterprise
    Quote
  • Splunk SOAR (on-prem)
    Industry estimate $120K-$800K annually for Fortune 500
    Quote
Watch for
  • · Implementation $30K-$250K via certified partners
  • · Multi-year contracts standard
  • · Add-on apps occasionally licensed separately
  • · Splunk ES licensed separately

Key features

  • +Python-extensible playbook engine
  • +Native Splunk ES integration
  • +300+ pre-built apps and connectors
  • +Visual playbook editor
  • +Case management
  • +Mission Control (unified SecOps workspace)
  • +Custom decision logic
  • +Investigation workflows
300+ integrations
Splunk Enterprise SecurityCisco SecureX successor stackAWSMicrosoft DefenderCrowdStrikeServiceNow
Geography
Global
View full Splunk SOAR intelligence profile → Compare Splunk SOAR →
#3

Tines

No-code automation, security-born, now expanding into IT and engineering.

Founded 2018 · Dublin, Ireland · private · 50-3,000+ employees
G2 4.8 (280)
Capterra 4.7
From $0 /mo
◐ Partial disclosure
Visit Tines

Tines is the no-code automation platform built originally for security teams that want to stop writing Python playbooks. Founded by two former eBay security engineers (Eoin Hinchy and Thomas Kinsella), Tines raised a $50M Series C in May 2024 led by SoftBank Vision at a valuation above $1B. The product is unusual in this category because it never came out of a SIEM or XDR vendor; it was built no-code-first. The result is the cleanest authoring experience in the SOAR category, accessible to security analysts who do not write code. Trade-offs: pricing rises quickly at scale, integration depth is smaller than Cortex XSOAR (300 vs 1,000+), and the no-code abstraction has limits when complex branching logic is required.

Best for

Engineering-led security and IT teams (50-3,000 employees) that want no-code workflow automation without legacy SOAR vendor baggage. Best for organizations that value author productivity over playbook marketplace depth.

Worst for

Fortune 500 SOCs running Splunk ES (Splunk SOAR wins), Palo Alto-anchored shops (XSOAR wins), or organizations needing 1,000+ pre-built playbooks.

Strengths

  • Cleanest no-code playbook authoring in the category
  • Founder-led with strong roadmap honesty
  • Series C funded May 2024 (SoftBank Vision lead, $1B+ valuation)
  • Story library covers most common SOC playbooks
  • Active community (Tines Community is genuinely useful)
  • Expanding beyond security into IT and engineering workflows
  • Public pricing for entry tiers (unusual for SOAR)

Weaknesses

  • Integration depth smaller than Cortex XSOAR Marketplace (300 vs 1,000+)
  • No-code abstraction limits when complex branching logic required
  • Pricing rises quickly past 50 stories or high-volume runs
  • Younger ecosystem; fewer certified consultants
  • No native SIEM (relies on integrations)
  • Best-fit narrowed past large Fortune 500 SOC scale

Pricing tiers

partial
  • Community Edition
    Free for individuals, limited to 3 stories
    $0 /mo
  • Professional
    Industry estimate $30K-$80K annually
    Quote
  • Enterprise
    Industry estimate $80K-$300K annually
    Quote
Watch for
  • · High-volume run overage pricing
  • · Premium connectors at enterprise tier
  • · Multi-year contracts at higher tiers

Key features

  • +No-code drag-and-drop story builder
  • +Action library with 300+ integrations
  • +Story library (pre-built playbooks)
  • +Case management (Cases by Tines)
  • +AI-assisted playbook authoring
  • +Webhooks and API triggers
  • +Approvals and human-in-the-loop steps
  • +Audit logging
300+ integrations
CrowdStrikeOktaAWSMicrosoft DefenderSplunkSlackPagerDutyServiceNow
Geography
Global; strong EMEA presence
View full Tines intelligence profile → Compare Tines →
#5

Swimlane

AI-native SOAR rewrite with the Turbine engine.

Founded 2014 · Denver, CO · private · 500-10,000 employees
G2 4.5 (240)
Capterra 4.5
Custom quote
○ Sales call required
Visit Swimlane

Swimlane was one of the original modern SOAR vendors (founded 2014) and stayed independent while peers (Phantom, Demisto, Siemplify) were acquired. The company rewrote its core platform in 2023 around the Turbine engine, an AI-native rearchitecture explicitly designed for autonomous SOC use cases. Cumulative funding exceeds $70M; ownership remains private and independent. Strong 2024 momentum on Turbine adoption, though the rewrite created a short-term migration burden for legacy Swimlane customers that some reviewers flagged. Trade-offs: brand recognition lower than Splunk SOAR and Cortex XSOAR, pricing opaque, and the Turbine rewrite migration story is still settling for legacy customers.

Best for

Mid-market and enterprise SOC teams (500-5,000 employees) pursuing autonomous SOC operations with AI-native playbook authoring, especially those wanting to avoid acquired vendors with post-deal uncertainty.

Worst for

Splunk-anchored SOCs (Splunk SOAR wins), Palo Alto-anchored shops (XSOAR wins), or buyers wanting public pricing (Tines wins).

Strengths

  • Independent vendor (not acquired); focus stays on SOAR/hyperautomation
  • Turbine AI-native rewrite (2023) for autonomous SOC
  • LLM-assisted playbook authoring native to platform
  • Strong case management and reporting
  • Mature integrations (250+)
  • Editorial honesty about Turbine migration burden for legacy customers

Weaknesses

  • Brand recognition lower than Splunk SOAR or Cortex XSOAR
  • Pricing opaque
  • Turbine rewrite created legacy customer migration friction
  • Smaller partner ecosystem than incumbents
  • Best-fit narrowed past Fortune 500 scale
  • Some reviewers report Turbine still settling on edge cases

Pricing tiers

opaque
  • Swimlane Turbine
    Industry estimate $80K-$300K annually
    Quote
  • Enterprise
    Industry estimate $300K-$800K+ annually
    Quote
Watch for
  • · Multi-year contracts standard
  • · Implementation $30K-$150K
  • · Add-on AI features at higher tier

Key features

  • +Turbine AI-native engine
  • +LLM-assisted playbook authoring
  • +Case management and reporting
  • +Low-code playbook builder
  • +Pre-built solutions library
  • +API and webhooks
  • +Role-based access
  • +Multi-tenant for MSSPs
250+ integrations
SplunkCrowdStrikeMicrosoft SentinelAWSOktaServiceNowJira
Geography
Global; US strongest
View full Swimlane intelligence profile → Compare Swimlane →
#7

IBM Security QRadar SOAR

Resilient, after IBM bought it; integrated into QRadar.

Founded 2010 · Armonk, NY (IBM HQ) · public · 1,000-100,000+ employees
G2 4.1 (260)
Capterra 4.2
Custom quote
○ Sales call required
Visit IBM Security QRadar SOAR

IBM Security QRadar SOAR (formerly Resilient Systems, acquired by IBM in March 2016 for roughly $200M) is one of the longest-standing SOAR platforms with deep incident response heritage. Bruce Schneier was CTO at Resilient pre-acquisition, which says something about the early intellectual seriousness of the product. Best-fit for traditional enterprises with existing IBM QRadar SIEM footprint where native SIEM-to-SOAR integration matters. Trade-offs: IBM-typical post-acquisition product stagnation, dated UI, and the May 2024 IBM Security divestiture announcement to Palo Alto Networks creates significant roadmap uncertainty, particularly given that Palo Alto already owns Cortex XSOAR.

Best for

Traditional enterprises (banks, insurance, government, healthcare) with existing IBM QRadar SIEM footprint and incident response process maturity requirements.

Worst for

Cloud-native organizations (Tines, Torq, Splunk SOAR win), buyers nervous about IBM-to-Palo Alto transition, or anyone needing modern UX.

Strengths

  • Long-standing SOAR (founded 2010 as Resilient)
  • Native QRadar SIEM integration
  • Mature incident response workflow
  • Deep compliance reporting (NIST, ISO 27001, HIPAA)
  • Built for traditional enterprises (banks, government)
  • IBM X-Force threat intelligence integration

Weaknesses

  • IBM-typical post-acquisition product stagnation reported
  • UI dated vs cloud-native peers
  • May 2024 IBM Security divestiture to Palo Alto creates roadmap uncertainty
  • Palo Alto already owns Cortex XSOAR (overlap question)
  • Implementation complex (12-24 weeks)
  • Customer support flagged through transitions

Pricing tiers

opaque
  • On-premises
    Industry estimate $60K-$300K annually
    Quote
  • Cloud
    Industry estimate $80K-$400K annually
    Quote
  • Enterprise
    Industry estimate $400K-$1M+ for Fortune 500
    Quote
Watch for
  • · IBM Security Suite bundling
  • · Multi-year contracts standard
  • · Implementation services

Key features

  • +Incident response workflow
  • +Native QRadar SIEM integration
  • +Compliance reporting (NIST, ISO, HIPAA)
  • +Playbook automation (Dynamic Playbooks)
  • +IBM X-Force threat intel
  • +Case management
  • +Privacy management (breach response)
  • +Custom dashboards
200+ integrations
IBM QRadar SIEMIBM X-ForceAWSMicrosoft SentinelCrowdStrikeServiceNow
Geography
Global
View full IBM Security QRadar SOAR intelligence profile → Compare IBM Security QRadar SOAR →
#6

Google SecOps SOAR

Siemplify, after Google bought it; integrated into Chronicle.

Founded 2015 · Mountain View, CA (Tel Aviv origin) · public · 500-100,000+ employees
G2 4.3 (220)
Capterra 4.4
From $0 + $8 /mo + /employee
◐ Partial disclosure
Visit Google SecOps SOAR

Google SecOps SOAR is the former Siemplify, acquired by Google in January 2022 for roughly $500M and integrated into Google Chronicle (now Google SecOps). The product retains the strong case management and investigation workflow that made Siemplify a Magic Quadrant Leader pre-acquisition, and the Chronicle integration is now genuinely native (single UI, unified data layer). The defining 2026 question is post-acquisition customer support quality, multiple reviewers cite degraded response times since the Google integration, and product roadmap velocity slowed during the Chronicle merge. Pricing follows the parent Google SecOps per-employee model, which is unusually transparent for SOAR. Trade-offs: best-fit narrowed to Google Cloud / Chronicle customers, support quality concerns persist, and the Siemplify brand has effectively been retired.

Best for

Google SecOps (Chronicle) customers wanting integrated SOAR at predictable per-employee pricing, especially those leveraging Mandiant threat intel.

Worst for

Non-Google customers (no compelling reason to choose), Splunk-anchored SOCs (Splunk SOAR wins), or buyers prioritizing top-tier customer support.

Strengths

  • Strong case management and investigation workflow (Siemplify heritage)
  • Native Chronicle / Google SecOps integration
  • Per-employee pricing model (rare transparency in SOAR)
  • Mandiant threat intel native (post-Google Mandiant acquisition)
  • Unified UI with SIEM/SecOps platform
  • Cloud-native scale on Google infrastructure

Weaknesses

  • Customer support quality concerns persist post-acquisition
  • Product roadmap velocity slowed during Chronicle merge
  • Siemplify brand retired; documentation transition rough
  • Best-fit narrowed to Google Cloud / Chronicle customers
  • Smaller playbook marketplace than Cortex XSOAR
  • Original Siemplify leadership team mostly departed

Pricing tiers

partial
  • Google SecOps Standard (with SOAR)
    Industry estimate ~$96/employee/year
    $0+$8 /mo +/emp
  • Google SecOps Enterprise (with SOAR)
    Industry estimate ~$144/employee/year
    $0+$12 /mo +/emp
  • Enterprise+ (with Mandiant Hunt)
    Custom enterprise pricing
    Quote
Watch for
  • · Mandiant threat intel add-ons
  • · Implementation services
  • · Multi-year commitments common

Key features

  • +Case management and investigation workflow
  • +Native Chronicle integration
  • +Visual playbook builder
  • +Threat intelligence integration (Mandiant)
  • +Pre-built use case packs
  • +API and webhooks
  • +Multi-tenant for MSSPs
  • +Cloud-native architecture
250+ integrations
Google ChronicleMandiantGoogle CloudAWSMicrosoft SentinelCrowdStrikeOkta
Geography
Global
View full Google SecOps SOAR intelligence profile → Compare Google SecOps SOAR →
#8

ServiceNow Security Operations

SecOps on the Now Platform, where security meets ITSM.

Founded 2017 · Santa Clara, CA · public · 5,000-100,000+ employees
G2 4.2 (310)
Capterra 4.3
Custom quote
○ Sales call required
Visit ServiceNow Security Operations

ServiceNow Security Operations (SecOps) extends the Now Platform into security incident response, vulnerability response, and threat intel management. The product is uniquely positioned: it lives in the same workflow engine as ITSM, which means security incidents auto-create change requests, CMDB tickets, and IT remediation workflows without integration overhead. Best-fit for organizations where ServiceNow is already the system of record for IT and where bridging the SOC-to-IT handoff is the biggest operational pain. Trade-offs: pricing among the highest in category, native SIEM integration is shallower than dedicated SOAR vendors, and the Now Platform commitment is a multi-million-dollar prerequisite that locks buyers in.

Best for

Large enterprises (5,000+ employees) where ServiceNow is the system of record for IT and where SOC-to-IT handoff is the biggest operational pain.

Worst for

Non-ServiceNow organizations (no compelling reason to adopt the Now Platform purely for SOAR), engineering-led teams (Tines wins), or mid-market.

Strengths

  • Native Now Platform integration (ITSM, CMDB, change management)
  • Bridges SOC-to-IT handoff better than any dedicated SOAR
  • Mature workflow engine inherited from ITSM
  • Vulnerability Response module covers VM workflow
  • Threat Intel Management module included
  • Strong public-sector adoption

Weaknesses

  • Pricing among the highest in category
  • Now Platform commitment is a multi-million-dollar prerequisite
  • Native SIEM integration shallower than dedicated SOAR
  • Implementation complex (16-32 weeks)
  • Playbook authoring less flexible than Cortex XSOAR
  • Best-fit narrowed to ServiceNow-anchored organizations

Pricing tiers

opaque
  • SecOps Standard
    Industry estimate $150K-$500K annually
    Quote
  • SecOps Enterprise
    Industry estimate $500K-$2M+ annually
    Quote
Watch for
  • · Now Platform license prerequisite
  • · Multi-year contracts standard
  • · Implementation $100K-$500K via certified partners
  • · ITSM, CMDB licensed separately

Key features

  • +Security Incident Response (SIR) module
  • +Vulnerability Response (VR) module
  • +Threat Intelligence module
  • +Native CMDB integration
  • +Native ITSM workflow
  • +Custom workflow builder (Flow Designer)
  • +Risk-based prioritization
  • +Mobile apps
400+ integrations
ServiceNow ITSMServiceNow CMDBSplunkCrowdStrikeTenableQualysMicrosoft Sentinel
Geography
Global
View full ServiceNow Security Operations intelligence profile → Compare ServiceNow Security Operations →
#4

Torq

Hyperautomation positioning, founded by the original Demisto team.

Founded 2020 · New York, NY · private · 100-3,000+ employees
G2 4.7 (180)
Capterra 4.6
Custom quote
○ Sales call required
Visit Torq

Torq is the modern hyperautomation SOAR platform founded in 2020 by Ofer Smadari (former CEO of Luminate Security, ex-Demisto leadership team) and Eldad Livni. The founder pedigree (Demisto / Palo Alto XSOAR alumni) gave Torq immediate credibility, and the product positions explicitly as hyperautomation rather than SOAR, anticipating the Gartner category retirement. Raised $70M Series B in October 2022, followed by a $42M Series C in 2024. The product is no-code with a strong AI-assisted authoring layer (Torq Socrates) and is among the fastest-growing in the category by net new logos in 2025. Trade-offs: ecosystem smaller than incumbents, pricing opaque, brand recognition still catching up.

Best for

Modern SOC teams (100-3,000 employees) pursuing hyperautomation that want a fast-moving, no-code platform with code escape hatch and founder team with deep SOAR expertise.

Worst for

Fortune 500 SOCs (Splunk SOAR or XSOAR win), buyers wanting public pricing (Tines wins), or risk-averse organizations preferring established incumbents.

Strengths

  • Founders from Demisto / Palo Alto XSOAR (deep category expertise)
  • Hyperautomation positioning anticipates Gartner SOAR retirement
  • Torq Socrates AI-assisted authoring layer
  • Strong 2024-2025 net new logo growth
  • No-code with full code escape hatch
  • Multi-tenant SaaS architecture from day one

Weaknesses

  • Pricing opaque (Series-stage vendor)
  • Ecosystem smaller than incumbents (Cortex XSOAR, Splunk SOAR)
  • Brand recognition still catching up to Tines
  • Series C in 2024 indicates capital runway pressure
  • No native SIEM (relies on integrations)
  • Best-fit narrowed past Fortune 500 SOC scale

Pricing tiers

opaque
  • Torq Professional
    Industry estimate $40K-$120K annually
    Quote
  • Torq Enterprise
    Industry estimate $120K-$400K annually
    Quote
  • Torq HyperSOC
    Industry estimate $200K-$800K+ annually for autonomous SOC
    Quote
Watch for
  • · Multi-year contracts at higher tiers
  • · Premium AI features (Socrates) priced separately
  • · Implementation services

Key features

  • +No-code workflow builder
  • +Torq Socrates AI-assisted authoring
  • +300+ pre-built integrations
  • +HyperSOC autonomous SOC tier
  • +Multi-tenant architecture
  • +Code escape hatch (Python, JavaScript)
  • +Case management
  • +Webhook and API triggers
300+ integrations
CrowdStrikeWizAWSMicrosoft SentinelSplunkOktaSlackServiceNow
Geography
Global; US strongest
View full Torq intelligence profile → Compare Torq →
#9

D3 Smart SOAR

NextGen SOAR rebranded Smart SOAR, with MITRE-aligned playbooks.

Founded 2002 · Vancouver, BC, Canada · private · 200-5,000 employees
G2 4.6 (140)
Capterra 4.5
Custom quote
○ Sales call required
Visit D3 Smart SOAR

D3 Security has been in the SOAR / incident response space longer than most (founded 2002 in Vancouver), and is one of the few SOAR vendors that has remained independent and privately held without acquisition. The product rebranded from NextGen SOAR to Smart SOAR in 2023, positioning around MITRE ATT&CK-aligned playbooks and a stronger AI-augmentation story. Best-fit for MSSPs and mid-market SOCs that value vendor independence and the MITRE-aligned content library. Trade-offs: brand recognition lower than the top 5, smaller ecosystem, pricing opaque, and the company has stayed quiet on funding details, making capital runway harder to assess than VC-backed peers.

Best for

MSSPs and mid-market SOC teams (200-2,000 employees) that value vendor independence, MITRE ATT&CK-aligned content, and hybrid (SaaS or on-prem) deployment.

Worst for

Fortune 500 SOCs (Splunk SOAR or XSOAR win), Palo Alto-anchored shops (XSOAR wins), or buyers needing established partner ecosystem.

Strengths

  • Independent vendor (not acquired); long tenure since 2002
  • MITRE ATT&CK-aligned playbook library
  • Smart SOAR rebrand brought modern UX
  • Strong MSSP multi-tenancy
  • Hybrid deployment (SaaS or on-prem)
  • AI-augmented playbook recommendations

Weaknesses

  • Brand recognition lower than top 5
  • Smaller ecosystem and integration count (200)
  • Pricing opaque
  • Limited public funding transparency
  • Smaller partner ecosystem
  • Documentation thinner than incumbents

Pricing tiers

opaque
  • Smart SOAR Professional
    Industry estimate $40K-$120K annually
    Quote
  • Smart SOAR Enterprise
    Industry estimate $120K-$400K annually
    Quote
  • Smart SOAR MSSP
    Multi-tenant pricing for MSSPs
    Quote
Watch for
  • · Multi-year contracts at higher tiers
  • · Implementation services
  • · Add-on content packs

Key features

  • +MITRE ATT&CK-aligned playbook library
  • +Visual playbook builder
  • +Case management
  • +Multi-tenant for MSSPs
  • +Hybrid deployment (SaaS or on-prem)
  • +AI-augmented recommendations
  • +Threat intel integration
  • +Custom dashboards
200+ integrations
SplunkMicrosoft SentinelCrowdStrikeAWSOktaServiceNowJira
Geography
Global; North America strongest
View full D3 Smart SOAR intelligence profile → Compare D3 Smart SOAR →
#10

LogicHub (Devo SOAR)

Autonomous SOC concept, bought by Devo; post-acquisition velocity slowed.

Founded 2016 · Mountain View, CA · private · 500-10,000+ employees
G2 4.2 (110)
Capterra 4.3
Custom quote
○ Sales call required
Visit LogicHub (Devo SOAR)

LogicHub was founded in 2016 around the autonomous SOC concept, an ambitious thesis that AI/ML should drive playbook decisions rather than rules. Devo acquired LogicHub in August 2022 to add SOAR to its SIEM platform (the same Devo covered in our Top 10 SIEM ranking). The combined Devo + LogicHub product offers integrated SIEM+SOAR on a single petabyte-scale data platform. Trade-offs: post-acquisition product investment has slowed notably, the original LogicHub leadership team mostly departed, and the autonomous SOC thesis remains more marketing than product reality. Best-fit narrowed to existing Devo SIEM customers wanting bundled SOAR.

Best for

Existing Devo SIEM customers wanting bundled SOAR on the same petabyte-scale data platform, particularly MSSPs combining SIEM + SOAR for clients.

Worst for

Non-Devo SIEM organizations (no compelling reason to choose), buyers wanting active product investment, or anyone needing top-tier customer support.

Strengths

  • Combined with Devo SIEM (single petabyte-scale data platform)
  • Autonomous SOC thesis preserved post-acquisition (in marketing)
  • AI/ML decision engine
  • Strong for MSSPs combining SIEM + SOAR
  • Pre-built use case packs
  • Real-time analytics shared with Devo SIEM core

Weaknesses

  • Post-acquisition product investment notably slowed since 2022
  • Original LogicHub leadership team mostly departed
  • Brand recognition lower than top 7
  • Autonomous SOC thesis more marketing than product reality
  • Best-fit narrowed to Devo SIEM customers
  • Smaller ecosystem than incumbents
  • Support quality concerns flagged

Pricing tiers

opaque
  • Devo SOAR Standalone
    Industry estimate $60K-$200K annually
    Quote
  • Devo SIEM + SOAR Bundle
    Industry estimate $200K-$1M+ annually
    Quote
Watch for
  • · Multi-year contracts standard
  • · Implementation services
  • · Devo SIEM data ingestion priced separately

Key features

  • +AI/ML decision engine
  • +Visual playbook builder
  • +Case management
  • +Native Devo SIEM integration
  • +Pre-built use case packs
  • +Threat intel integration
  • +Multi-tenant for MSSPs
  • +Custom dashboards
200+ integrations
Devo SIEMSplunkCrowdStrikeMicrosoft SentinelAWSOktaServiceNow
Geography
Global; US strongest
View full LogicHub (Devo SOAR) intelligence profile → Compare LogicHub (Devo SOAR) →

Frequently asked questions

The questions buyers actually ask before they sign.

Does Betriebsrat co-determination apply to SOAR playbook deployment in Germany?
Yes, in almost all cases where a Betriebsrat exists. BetrVG Section 87(1) No. 6 grants the Betriebsrat co-determination rights over the introduction of technical devices that monitor employee behavior or performance. SOAR playbooks that automatically collect endpoint telemetry from employee devices, monitor employee account behavior, or execute automated actions on employee systems (account lockouts, device quarantine) fall within this scope. Before deploying any SOAR platform in Germany, negotiate a Betriebsvereinbarung that defines: permitted playbook actions on employee systems, prohibited use of playbook data in performance appraisals, data retention limits, and the approval process for adding new automated containment actions. Plan for 4-12 weeks of Betriebsrat consultation in your SOAR deployment timeline.
Which SOAR platforms offer on-prem deployment for German enterprise?
Cortex XSOAR, Splunk SOAR, Swimlane Turbine, and IBM QRadar SOAR all offer on-prem deployment options. D3 Smart SOAR also supports on-prem. Tines, Torq, Google SecOps SOAR, ServiceNow SecOps, and LogicHub/Devo SOAR are SaaS-only platforms; German enterprise buyers choosing these must rely on EU data residency (Frankfurt data centers) and DSGVO adequacy decisions for data sovereignty, rather than physical on-prem control. For KRITIS operators and BAFIN-regulated firms with explicit on-prem data handling requirements, narrow to Cortex XSOAR or Splunk SOAR first.
How does KRITIS-Dachgesetz affect German SOAR buyers?
The KRITIS-Dachgesetz (German Critical Infrastructure Protection Act, expected 2024-2025) extends the scope of KRITIS obligations and aligns Germany more closely with the NIS2 Directive. German KRITIS operators (energy, water, transport, health, finance, digital infrastructure, waste management) must demonstrate documented incident detection and response capability and report significant incidents to BSI within 24-72 hours. A SOAR platform with documented playbook coverage and exportable incident timelines satisfies the response documentation requirement. BSI can request evidence of playbook quality, coverage, and regular testing as part of KRITIS compliance audits. Cortex XSOAR and Splunk SOAR, deployed by German SI partners with BSI-Grundschutz mapping, are the most common KRITIS-compliant SOAR configurations.
Is SOAR dead in 2026?
The SOAR Magic Quadrant is effectively dead; Gartner retired the category in 2024 and is repositioning around TI Ops (Threat Intelligence Operations) and Hyperautomation. The functionality (orchestration, playbooks, case management) is very much alive, just absorbed into broader SecOps platforms (Cortex XSIAM, Microsoft Sentinel Automation, Google SecOps, Securonix). Standalone SOAR survives in two forms: (1) deep playbook engines bundled with SIEM/XDR (Splunk SOAR, Cortex XSOAR), and (2) independent no-code hyperautomation (Tines, Torq, Swimlane).
Splunk SOAR vs Cortex XSOAR, which one?
Splunk SOAR if you run Splunk Enterprise Security and want the deepest Python-extensible playbook engine. Cortex XSOAR if you run Cortex XDR or are migrating to XSIAM, and you want the largest pre-built playbook marketplace (1,000+ content packs vs Splunk SOAR 300+). The choice usually follows the SIEM/XDR anchor, not the SOAR comparison standalone. At $200K+ annual spend, both vendors compete hard on multi-year discounts.
Tines vs Torq, which one for engineering-led teams?
Tines if you want the most mature no-code authoring experience and an active community. Tines has a longer track record (founded 2018, $1B+ valuation May 2024) and broader IT/engineering positioning. Torq if you want hyperautomation positioning with founders from the Demisto / Palo Alto XSOAR team, and AI-assisted authoring (Torq Socrates). Tines wins on community and roadmap honesty; Torq wins on net new logo growth in 2025.
How much should I budget for SOAR?
Mid-market (200-1,000 employees): $40K-$150K annually. Enterprise (1,000-5,000): $150K-$500K annually. Large enterprise (5,000-50,000): $500K-$2M annually. Add 0.3x-1x first-year for implementation. SOAR pricing is heavily driven by per-analyst seats, capacity (runs/month), or feature tiers. For bundled SIEM+SOAR (Google SecOps, Devo, IBM QRadar SOAR), SOAR adds 20-40% on top of base SIEM cost.
How long does SOAR implementation take?
Tines, Torq: 4-12 weeks with no-code. D3 Smart SOAR: 6-12 weeks. Swimlane Turbine: 8-16 weeks. Google SecOps SOAR (post-Siemplify): 8-16 weeks. Splunk SOAR: 8-20 weeks. Cortex XSOAR: 8-24 weeks with marketplace content. IBM QRadar SOAR, ServiceNow SecOps: 12-32 weeks for enterprise deployments. First production-quality playbook typically lands 4-6 weeks after platform install.
What about AI in SOAR (LLMs, autonomous SOC)?
AI in SOAR 2026 splits into three layers: (1) Playbook authoring assistance (Torq Socrates, Swimlane Hero, Tines AI, Microsoft Security Copilot), genuinely useful and largely production-ready. (2) Triage and prioritization (Securonix, Swimlane Turbine, Devo SOAR), useful but noisy. (3) Fully autonomous SOC where AI takes containment decisions without human-in-the-loop, marketing more than reality. Most mature SOCs in 2026 use AI for authoring and triage but keep humans in the response loop, especially for containment actions.
No-code vs code-based SOAR playbooks, which approach wins?
No-code (Tines, Torq, D3 Smart SOAR) wins for author productivity, analyst accessibility, and time-to-first-playbook. Code-based (Splunk SOAR Python, Cortex XSOAR Python/JavaScript) wins for complex branching, custom integrations, and Fortune 500 SOC depth. The 2026 trend favors no-code with code escape hatches, every modern SOAR ships both. Pure code-based without no-code authoring is increasingly rare.
How do I measure SOAR ROI (MTTR, MTTD improvements)?
Honest SOAR ROI measurement in 2026: (1) Mean Time To Respond (MTTR) reductions, expect 40-70% on well-automated playbook coverage. (2) Analyst productivity, expect 2-3x throughput on Tier 1 / Tier 2 alerts after 6-12 months. (3) Alert containment automation rate, expect 30-60% of alerts auto-contained without human intervention. (4) Cost per alert, expect 40-60% reduction. Watch vendor case studies claiming 90%+ MTTR reductions on day-one playbook coverage; the real numbers are slower-realized.
What is the difference between SOAR and XSIAM/XDR convergence?
XSIAM (Palo Alto), XDR (CrowdStrike Falcon, Microsoft Defender), and converged SecOps (Google SecOps, Securonix) bundle SIEM + SOAR + UEBA + threat intel into one platform with shared data layer. Standalone SOAR (Splunk SOAR, Tines, Torq) bolts response onto whatever SIEM/XDR you already run. Convergence wins for new-stack buyers who want one vendor. Standalone SOAR wins when you already have mature SIEM/XDR investments and want best-in-class response. In 2026, convergence is gaining share fastest, but standalone SOAR retains the mature-SOC and engineering-led-team buyer.
How big are typical SOAR playbook libraries?
Cortex XSOAR: 1,000+ content packs in Cortex Marketplace (largest). Splunk SOAR: 300+ apps and pre-built playbooks. Tines: 300+ stories in Story Library. Torq: 300+ integrations. Google SecOps SOAR: 250+ pre-built use case packs. IBM QRadar SOAR: 200+ Dynamic Playbooks. D3 Smart SOAR: 200+ MITRE-aligned playbooks. ServiceNow SecOps: 400+ workflows across the Now Platform ecosystem. Marketplace depth matters most in the first 6 months; after a year, custom playbooks dominate utilization.

Final word

Looking at a different market? See the global SOAR Software ranking, or pick another country at the top of this page.

Last updated 2026-05-18. Local pricing reverified quarterly. Found something inaccurate? Tell us.