Skip to content
Z Zendikt
United Kingdom edition · 10 products ranked · Verified 2026-05-18

Top 10 SOAR Software in the United Kingdom for 2026

Independent UK SOAR ranking: GBP pricing, Tines as UK-strong champion, NCSC CAF SOC obligations, NHS England SecOps, and UK GDPR playbook data requirements.

← Global ranking · Category overview
SOAR Software by country
🌐 Global United States India United Kingdom France Germany

United Kingdom verdict (TL;DR)

Verified 2026-05-18

The UK SOAR market is led by Splunk SOAR and Cortex XSOAR at large enterprise and financial services SOC scale (Barclays, HSBC, Lloyd's-tier), with Tines (Dublin-founded, UK-strong) as the standout choice for engineering-led security and IT teams. NHS England SOC standardization on Microsoft Sentinel plus Defender has made Sentinel Automation (Logic Apps) the de facto NHS SOAR, but Cortex XSOAR is also present at NHS suppliers. NCSC Cyber Assessment Framework (CAF) requirements for operators of essential services drive documented SOC capability investment. UK GDPR applies to SOAR playbook data: automated containment actions on employee systems require documented lawful basis, and the ICO has published guidance on automated decision-making. Torq, Swimlane, and ServiceNow SecOps have growing UK presence; D3 and LogicHub are thin.

Picks for United Kingdom

  • UK FCA-regulated financial services SOC (Barclays/HSBC-tier): splunk-soar Deep FCA operational resilience playbooks. SPL detection engineering for financial-crime-adjacent threat models. EU/UK data residency. Dominant at UK Tier 1 bank SOC scale.
  • UK Palo Alto Networks-anchored SOC: cortex-xsoar Largest playbook marketplace (1,000+ content packs). Native Cortex XDR integration. NCSC CAF content available. Strong UK Palo Alto partner ecosystem (Softcat, Computacenter).
  • UK engineering-led security and IT team: tines Dublin-founded, UK-strong. Cleanest no-code authoring in category. $1B+ valuation (SoftBank Vision, May 2024). Strong UK community. EU/UK data residency. NCSC CAF story library available.
  • NHS Trusts and UK healthcare SOC: cortex-xsoar NHS England SOC uses Cortex XSOAR alongside Microsoft Sentinel. Strong NCSC NHS guidance alignment. UK data residency via EU adequacy or SCCs.
  • UK Google Chronicle / SecOps customer: google-secops-soar Native Chronicle integration. Per-employee pricing. Mandiant threat intel included. UK Google Cloud region (London) satisfies UK GDPR data residency.
  • UK OES operators (NIS Regulations / NIS2): splunk-soar Deepest NCSC CAF content alignment via UK Splunk partners. OES operators in energy, water, transport need SOAR mapped to CAF outcomes B1-D2. Splunk GovCloud available for UK public sector.
Market context

How the soar software market looks in United Kingdom

The UK SOAR market mirrors the US in vendor lineup but differs in regulatory emphasis and buyer cluster distribution.

Financial services is the largest UK SOAR buyer segment. FCA-regulated firms (Tier 1 banks, insurers, capital markets) run Splunk SOAR or Cortex XSOAR at scale. The FCA PS21/3 operational resilience framework (full compliance deadline March 2025) requires firms to demonstrate detection and response capability for important business services. PRA-regulated firms face the Bank of England operational resilience framework with similar SOAR implications. UK SOAR deployments at financial services firms are typically 12-24 month implementation projects with Computacenter, Softcat, or SCC as delivery partners.

NHS and public sector is the second major cluster. NHS England's 2022 NCSC-guided cybersecurity strategy standardized on Microsoft security stack (Sentinel, Defender) for NHS Trusts, making Sentinel Automation (Logic Apps) the default NHS SOAR layer. Cortex XSOAR is present at NHS suppliers and some NHS Foundation Trusts that operate their own SOC. NHS Digital DSPT (Data Security and Protection Toolkit) requires documented incident response capability; SOAR playbooks with DSPT audit logs satisfy this.

Tines is particularly strong in UK commercial enterprise and technology companies. The Dublin origin and EU/UK proximity resonates with UK buyers who prefer a non-US vendor for data residency and cultural alignment. Tines' UK community events (Tines UK User Group) and active UK customer base (including UK fintech and retail) make it the most credible SOAR alternative to the incumbent enterprise pair in the UK.

UK GDPR complicates automated containment actions. SOAR playbooks that execute actions on employee systems (disabling accounts, blocking access, isolating devices) are subject to UK GDPR Article 22 automated decision-making provisions. ICO guidance recommends human-in-the-loop approval for automated decisions that significantly affect individuals. UK SOC teams should design playbooks with human approval gates for containment actions affecting employee accounts.

Compliance & local rules

UK GDPR: SOAR playbooks that process personal data (incident records, employee system data, customer data in breach context) require documented lawful basis. Automated containment actions (account lockouts, IP blocks) affecting employees require ICO Article 22 assessment and human-in-the-loop approval steps. UK GDPR data residency: EU-US adequacy decisions cover US-based SOAR vendors; post-Brexit UK-US transfers rely on UK Extension to US Data Privacy Framework (2023). ICO breach reporting (72-hour window) requires documented incident timelines exportable from SOAR case management. NCSC CAF Outcomes: B1 (Understanding risk), B2 (Asset management), B3 (Supply chain), B4 (Identity and access), C1 (Security monitoring), D1 (Response), D2 (Recovery) all map to SOAR capabilities; Splunk SOAR and Cortex XSOAR have deepest UK CAF content via certified partners. NIS2 UK equivalent (Network and Information Systems Regulations 2018, updated): OES operators must notify NCSC of significant incidents within 72 hours; SOAR platforms with NIS-aligned incident report templates satisfy this.

At a glance

Quick comparison, ranked for United Kingdom

Product Best for Starts at 10-emp/mo* Pricing G2 Geo
1 Splunk SOAR
Mature Splunk-anchored enterprise SOC
 Quote - 4.3 Global
2 Cortex XSOAR
Palo Alto-anchored enterprise SOC
 Quote - 4.5 Global
3 Tines
Engineering-led security and IT teams
 $0 $0 4.8 Global; strong EMEA presence
4 Torq
Modern SOC pursuing hyperautomation
 Quote - 4.7 Global; US strongest
5 Swimlane
Mid-market and enterprise SOC
 Quote - 4.5 Global; US strongest
6 Google SecOps SOAR
Google Chronicle / SecOps customers
 $0 + $8/emp $80 4.3 Global
8 ServiceNow Security Operations
Large enterprise; ServiceNow-anchored
 Quote - 4.2 Global
7 IBM Security QRadar SOAR
Traditional IBM-anchored enterprise
 Quote - 4.1 Global
9 D3 Smart SOAR
MSSP and mid-market SOC
 Quote - 4.6 Global; North America strongest
10 LogicHub (Devo SOAR)
Devo SIEM customers and MSSPs
 Quote - 4.2 Global; US strongest

*10-employee monthly cost = base fee + (per-employee × 10) using the lowest published tier. For opaque-pricing vendors, no value is shown.

Verified local pricing

What buyers in United Kingdom actually pay

Median annual deal size by employee band, in GBP. Crowdsourced from anonymized buyer disclosures.

Product Employee band Median annual (GBP) Sample Notes
Splunk SOAR 500-2,000 employees (UK enterprise) £115,000 24 Splunk SOAR Cloud; GBP-equivalent enterprise
Cortex XSOAR 500-2,000 employees (UK) £145,000 21 XSOAR Standalone; GBP-equivalent enterprise
Tines 100-500 employees (UK commercial) £33,000 31 Professional tier; GBP-equivalent; EU data residency
Google SecOps SOAR 500-2,000 employees (UK) £76,000 14 Per-employee; GBP-equivalent; UK Google Cloud region
ServiceNow Security Operations 2,000-10,000 employees (UK enterprise) £290,000 16 Enterprise; Now Platform prerequisite; GBP-equivalent
Local challengers

United Kingdom-built or United Kingdom-strong vendors worth knowing

Not yet ranked in our global top 10, but credible options for United Kingdom buyers and worth a shortlist.

Tines

Visit ↗

Dublin-founded (2018) but UK-strong. The standout choice for UK engineering-led security and IT teams wanting no-code workflow automation. $1B+ valuation (SoftBank Vision, May 2024). Active UK user community. EU data residency. Best alternative to legacy SOAR vendors for UK commercial enterprise.

Darktrace

Visit ↗

Cambridge-founded AI threat detection (NDR, SIEM-adjacent). Has SOAR-adjacent response automation features (Darktrace Respond/HEAL). Not a standalone SOAR; deployed alongside Splunk SOAR or XSOAR at UK financial services and critical infrastructure. Relevant for UK CAF-assessed organizations.

Excluded for United Kingdom

Global picks that don't fit here

  • LogicHub (Devo SOAR)
    Post-Devo acquisition; product investment slowed. Minimal UK footprint. Devo SIEM has thin UK market share. IBM QRadar SOAR is the better choice for legacy SIEM UK customers.
  • D3 Smart SOAR
    Canadian-founded; thin UK presence. Tines covers the no-code UK mid-market use case with stronger UK community and EU data residency.
The United Kingdom ranking

All 10, ranked for United Kingdom

Same intelligence as the global ranking, vendor trust, review patterns, verified pricing, compliance, reordered for the United Kingdom market.

#1

Splunk SOAR

Deepest playbook engine for Splunk-anchored SOCs.

Founded 2014 · San Jose, CA · public · 1,000-100,000+ employees
G2 4.3 (320)
Capterra 4.3
Custom quote
○ Sales call required
Visit Splunk SOAR

Splunk SOAR (formerly Phantom, acquired by Splunk in 2018 for roughly $350M) is the SOAR platform with the deepest playbook engine and the most mature Python-extensible automation framework. The product runs natively alongside Splunk Enterprise Security, which is the single biggest reason mature SOCs continue to choose it. Acquired by Cisco in March 2024 as part of the $28B Splunk deal. Trade-offs: pricing post-Cisco is still settling, the Phantom-to-Splunk SOAR rebrand confused some customers, and Cisco SecureX overlap created roadmap uncertainty that the 2025 SecureX deprecation only partially resolved.

Best for

Mature SOC teams (10+ analysts) already running Splunk Enterprise Security where deep Python-extensible playbooks are critical and Splunk-native integration is non-negotiable.

Worst for

Non-Splunk SOCs (XSOAR or Tines win), engineering-led teams wanting no-code (Tines, Torq win), or mid-market without Python skills on the security team.

Strengths

  • Deepest playbook engine with full Python extensibility
  • Native Splunk Enterprise Security integration (single pane of glass)
  • Mature pre-built playbook library (300+ apps)
  • Battle-tested at Fortune 500 SOC scale
  • Cisco network and observability integration post-2024 acquisition
  • Strong enterprise partner ecosystem

Weaknesses

  • Pricing complexity post-Cisco; multiple pricing models still settling
  • Phantom-to-Splunk SOAR rebrand caused customer confusion
  • Cisco SecureX deprecation (2025) created intermediate uncertainty
  • Python-first authoring excludes non-developer security analysts
  • Implementation 8-20 weeks for Fortune 500 deployments
  • Customer support response times flagged through Cisco transition

Pricing tiers

opaque
  • Splunk SOAR Cloud
    Industry estimate $60K-$300K annually mid-enterprise
    Quote
  • Splunk SOAR (on-prem)
    Industry estimate $120K-$800K annually for Fortune 500
    Quote
Watch for
  • · Implementation $30K-$250K via certified partners
  • · Multi-year contracts standard
  • · Add-on apps occasionally licensed separately
  • · Splunk ES licensed separately

Key features

  • +Python-extensible playbook engine
  • +Native Splunk ES integration
  • +300+ pre-built apps and connectors
  • +Visual playbook editor
  • +Case management
  • +Mission Control (unified SecOps workspace)
  • +Custom decision logic
  • +Investigation workflows
300+ integrations
Splunk Enterprise SecurityCisco SecureX successor stackAWSMicrosoft DefenderCrowdStrikeServiceNow
Geography
Global
View full Splunk SOAR intelligence profile → Compare Splunk SOAR →
#2

Cortex XSOAR

War-chest playbook marketplace, with XSIAM convergence ahead.

Founded 2015 · Santa Clara, CA · public · 1,000-100,000+ employees
G2 4.5 (410)
Capterra 4.4
Custom quote
○ Sales call required
Visit Cortex XSOAR

Cortex XSOAR (formerly Demisto, acquired by Palo Alto Networks in 2019 for $560M) is the SOAR platform with the largest pre-built playbook marketplace (the Cortex Marketplace ships 1,000+ content packs). The product excels for Palo Alto-anchored SOCs running Cortex XDR. The defining 2026 question: Palo Alto launched XSIAM in late 2022 explicitly to converge SIEM, XDR, and SOAR into one platform, and XSIAM is now the strategic priority. Standalone XSOAR continues to ship, but every Palo Alto analyst day reinforces XSIAM as the destination. Trade-offs: licensing complexity, multi-year contracts standard, and the open question of whether XSOAR is being quietly sunset into XSIAM.

Best for

Palo Alto Networks-anchored SOCs running Cortex XDR or XSIAM that need the deepest playbook marketplace and are willing to commit to the Palo Alto ecosystem for the next 5 years.

Worst for

Non-Palo Alto SOCs (XSOAR list price not justified outside the stack), engineering-led teams (Tines, Torq win), or buyers nervous about XSIAM cannibalization.

Strengths

  • Largest pre-built playbook marketplace (1,000+ content packs)
  • Native Cortex XDR and XSIAM integration
  • Mature case management and war room collaboration
  • Threat intel management built in (formerly Demisto TIM)
  • Strong MSSP multi-tenancy
  • Active developer community via Marketplace

Weaknesses

  • XSIAM convergence path raises whether standalone XSOAR has long-term future
  • Licensing complexity (XSOAR + XDR + XSIAM SKU overlap)
  • Pricing among the highest in category
  • Multi-year contracts standard
  • Best-fit narrowed to Palo Alto-anchored stacks
  • Founder team (Demisto founders Slavik Markovich and Rishi Bhargava) largely departed post-acquisition

Pricing tiers

opaque
  • XSOAR Standalone
    Industry estimate $100K-$500K annually
    Quote
  • XSOAR + XDR Bundle
    Industry estimate $250K-$1.5M annually
    Quote
  • XSIAM Convergence
    Industry estimate $400K-$3M+ for SIEM+SOAR+XDR consolidation
    Quote
Watch for
  • · Multi-year contracts standard (3-5 years)
  • · Cortex Marketplace premium content packs
  • · Implementation $50K-$300K
  • · XDR and XSIAM priced separately

Key features

  • +1,000+ pre-built content packs (Cortex Marketplace)
  • +Native Cortex XDR / XSIAM integration
  • +Visual playbook editor
  • +War Room collaboration
  • +Threat Intel Management
  • +Case management
  • +Multi-tenancy for MSSP
  • +Python and JavaScript scripting
800+ integrations
Cortex XDRCortex XSIAMPalo Alto PrismaSplunkCrowdStrikeMicrosoft SentinelServiceNow
Geography
Global
View full Cortex XSOAR intelligence profile → Compare Cortex XSOAR →
#3

Tines

No-code automation, security-born, now expanding into IT and engineering.

Founded 2018 · Dublin, Ireland · private · 50-3,000+ employees
G2 4.8 (280)
Capterra 4.7
From $0 /mo
◐ Partial disclosure
Visit Tines

Tines is the no-code automation platform built originally for security teams that want to stop writing Python playbooks. Founded by two former eBay security engineers (Eoin Hinchy and Thomas Kinsella), Tines raised a $50M Series C in May 2024 led by SoftBank Vision at a valuation above $1B. The product is unusual in this category because it never came out of a SIEM or XDR vendor; it was built no-code-first. The result is the cleanest authoring experience in the SOAR category, accessible to security analysts who do not write code. Trade-offs: pricing rises quickly at scale, integration depth is smaller than Cortex XSOAR (300 vs 1,000+), and the no-code abstraction has limits when complex branching logic is required.

Best for

Engineering-led security and IT teams (50-3,000 employees) that want no-code workflow automation without legacy SOAR vendor baggage. Best for organizations that value author productivity over playbook marketplace depth.

Worst for

Fortune 500 SOCs running Splunk ES (Splunk SOAR wins), Palo Alto-anchored shops (XSOAR wins), or organizations needing 1,000+ pre-built playbooks.

Strengths

  • Cleanest no-code playbook authoring in the category
  • Founder-led with strong roadmap honesty
  • Series C funded May 2024 (SoftBank Vision lead, $1B+ valuation)
  • Story library covers most common SOC playbooks
  • Active community (Tines Community is genuinely useful)
  • Expanding beyond security into IT and engineering workflows
  • Public pricing for entry tiers (unusual for SOAR)

Weaknesses

  • Integration depth smaller than Cortex XSOAR Marketplace (300 vs 1,000+)
  • No-code abstraction limits when complex branching logic required
  • Pricing rises quickly past 50 stories or high-volume runs
  • Younger ecosystem; fewer certified consultants
  • No native SIEM (relies on integrations)
  • Best-fit narrowed past large Fortune 500 SOC scale

Pricing tiers

partial
  • Community Edition
    Free for individuals, limited to 3 stories
    $0 /mo
  • Professional
    Industry estimate $30K-$80K annually
    Quote
  • Enterprise
    Industry estimate $80K-$300K annually
    Quote
Watch for
  • · High-volume run overage pricing
  • · Premium connectors at enterprise tier
  • · Multi-year contracts at higher tiers

Key features

  • +No-code drag-and-drop story builder
  • +Action library with 300+ integrations
  • +Story library (pre-built playbooks)
  • +Case management (Cases by Tines)
  • +AI-assisted playbook authoring
  • +Webhooks and API triggers
  • +Approvals and human-in-the-loop steps
  • +Audit logging
300+ integrations
CrowdStrikeOktaAWSMicrosoft DefenderSplunkSlackPagerDutyServiceNow
Geography
Global; strong EMEA presence
View full Tines intelligence profile → Compare Tines →
#4

Torq

Hyperautomation positioning, founded by the original Demisto team.

Founded 2020 · New York, NY · private · 100-3,000+ employees
G2 4.7 (180)
Capterra 4.6
Custom quote
○ Sales call required
Visit Torq

Torq is the modern hyperautomation SOAR platform founded in 2020 by Ofer Smadari (former CEO of Luminate Security, ex-Demisto leadership team) and Eldad Livni. The founder pedigree (Demisto / Palo Alto XSOAR alumni) gave Torq immediate credibility, and the product positions explicitly as hyperautomation rather than SOAR, anticipating the Gartner category retirement. Raised $70M Series B in October 2022, followed by a $42M Series C in 2024. The product is no-code with a strong AI-assisted authoring layer (Torq Socrates) and is among the fastest-growing in the category by net new logos in 2025. Trade-offs: ecosystem smaller than incumbents, pricing opaque, brand recognition still catching up.

Best for

Modern SOC teams (100-3,000 employees) pursuing hyperautomation that want a fast-moving, no-code platform with code escape hatch and founder team with deep SOAR expertise.

Worst for

Fortune 500 SOCs (Splunk SOAR or XSOAR win), buyers wanting public pricing (Tines wins), or risk-averse organizations preferring established incumbents.

Strengths

  • Founders from Demisto / Palo Alto XSOAR (deep category expertise)
  • Hyperautomation positioning anticipates Gartner SOAR retirement
  • Torq Socrates AI-assisted authoring layer
  • Strong 2024-2025 net new logo growth
  • No-code with full code escape hatch
  • Multi-tenant SaaS architecture from day one

Weaknesses

  • Pricing opaque (Series-stage vendor)
  • Ecosystem smaller than incumbents (Cortex XSOAR, Splunk SOAR)
  • Brand recognition still catching up to Tines
  • Series C in 2024 indicates capital runway pressure
  • No native SIEM (relies on integrations)
  • Best-fit narrowed past Fortune 500 SOC scale

Pricing tiers

opaque
  • Torq Professional
    Industry estimate $40K-$120K annually
    Quote
  • Torq Enterprise
    Industry estimate $120K-$400K annually
    Quote
  • Torq HyperSOC
    Industry estimate $200K-$800K+ annually for autonomous SOC
    Quote
Watch for
  • · Multi-year contracts at higher tiers
  • · Premium AI features (Socrates) priced separately
  • · Implementation services

Key features

  • +No-code workflow builder
  • +Torq Socrates AI-assisted authoring
  • +300+ pre-built integrations
  • +HyperSOC autonomous SOC tier
  • +Multi-tenant architecture
  • +Code escape hatch (Python, JavaScript)
  • +Case management
  • +Webhook and API triggers
300+ integrations
CrowdStrikeWizAWSMicrosoft SentinelSplunkOktaSlackServiceNow
Geography
Global; US strongest
View full Torq intelligence profile → Compare Torq →
#5

Swimlane

AI-native SOAR rewrite with the Turbine engine.

Founded 2014 · Denver, CO · private · 500-10,000 employees
G2 4.5 (240)
Capterra 4.5
Custom quote
○ Sales call required
Visit Swimlane

Swimlane was one of the original modern SOAR vendors (founded 2014) and stayed independent while peers (Phantom, Demisto, Siemplify) were acquired. The company rewrote its core platform in 2023 around the Turbine engine, an AI-native rearchitecture explicitly designed for autonomous SOC use cases. Cumulative funding exceeds $70M; ownership remains private and independent. Strong 2024 momentum on Turbine adoption, though the rewrite created a short-term migration burden for legacy Swimlane customers that some reviewers flagged. Trade-offs: brand recognition lower than Splunk SOAR and Cortex XSOAR, pricing opaque, and the Turbine rewrite migration story is still settling for legacy customers.

Best for

Mid-market and enterprise SOC teams (500-5,000 employees) pursuing autonomous SOC operations with AI-native playbook authoring, especially those wanting to avoid acquired vendors with post-deal uncertainty.

Worst for

Splunk-anchored SOCs (Splunk SOAR wins), Palo Alto-anchored shops (XSOAR wins), or buyers wanting public pricing (Tines wins).

Strengths

  • Independent vendor (not acquired); focus stays on SOAR/hyperautomation
  • Turbine AI-native rewrite (2023) for autonomous SOC
  • LLM-assisted playbook authoring native to platform
  • Strong case management and reporting
  • Mature integrations (250+)
  • Editorial honesty about Turbine migration burden for legacy customers

Weaknesses

  • Brand recognition lower than Splunk SOAR or Cortex XSOAR
  • Pricing opaque
  • Turbine rewrite created legacy customer migration friction
  • Smaller partner ecosystem than incumbents
  • Best-fit narrowed past Fortune 500 scale
  • Some reviewers report Turbine still settling on edge cases

Pricing tiers

opaque
  • Swimlane Turbine
    Industry estimate $80K-$300K annually
    Quote
  • Enterprise
    Industry estimate $300K-$800K+ annually
    Quote
Watch for
  • · Multi-year contracts standard
  • · Implementation $30K-$150K
  • · Add-on AI features at higher tier

Key features

  • +Turbine AI-native engine
  • +LLM-assisted playbook authoring
  • +Case management and reporting
  • +Low-code playbook builder
  • +Pre-built solutions library
  • +API and webhooks
  • +Role-based access
  • +Multi-tenant for MSSPs
250+ integrations
SplunkCrowdStrikeMicrosoft SentinelAWSOktaServiceNowJira
Geography
Global; US strongest
View full Swimlane intelligence profile → Compare Swimlane →
#6

Google SecOps SOAR

Siemplify, after Google bought it; integrated into Chronicle.

Founded 2015 · Mountain View, CA (Tel Aviv origin) · public · 500-100,000+ employees
G2 4.3 (220)
Capterra 4.4
From $0 + $8 /mo + /employee
◐ Partial disclosure
Visit Google SecOps SOAR

Google SecOps SOAR is the former Siemplify, acquired by Google in January 2022 for roughly $500M and integrated into Google Chronicle (now Google SecOps). The product retains the strong case management and investigation workflow that made Siemplify a Magic Quadrant Leader pre-acquisition, and the Chronicle integration is now genuinely native (single UI, unified data layer). The defining 2026 question is post-acquisition customer support quality, multiple reviewers cite degraded response times since the Google integration, and product roadmap velocity slowed during the Chronicle merge. Pricing follows the parent Google SecOps per-employee model, which is unusually transparent for SOAR. Trade-offs: best-fit narrowed to Google Cloud / Chronicle customers, support quality concerns persist, and the Siemplify brand has effectively been retired.

Best for

Google SecOps (Chronicle) customers wanting integrated SOAR at predictable per-employee pricing, especially those leveraging Mandiant threat intel.

Worst for

Non-Google customers (no compelling reason to choose), Splunk-anchored SOCs (Splunk SOAR wins), or buyers prioritizing top-tier customer support.

Strengths

  • Strong case management and investigation workflow (Siemplify heritage)
  • Native Chronicle / Google SecOps integration
  • Per-employee pricing model (rare transparency in SOAR)
  • Mandiant threat intel native (post-Google Mandiant acquisition)
  • Unified UI with SIEM/SecOps platform
  • Cloud-native scale on Google infrastructure

Weaknesses

  • Customer support quality concerns persist post-acquisition
  • Product roadmap velocity slowed during Chronicle merge
  • Siemplify brand retired; documentation transition rough
  • Best-fit narrowed to Google Cloud / Chronicle customers
  • Smaller playbook marketplace than Cortex XSOAR
  • Original Siemplify leadership team mostly departed

Pricing tiers

partial
  • Google SecOps Standard (with SOAR)
    Industry estimate ~$96/employee/year
    $0+$8 /mo +/emp
  • Google SecOps Enterprise (with SOAR)
    Industry estimate ~$144/employee/year
    $0+$12 /mo +/emp
  • Enterprise+ (with Mandiant Hunt)
    Custom enterprise pricing
    Quote
Watch for
  • · Mandiant threat intel add-ons
  • · Implementation services
  • · Multi-year commitments common

Key features

  • +Case management and investigation workflow
  • +Native Chronicle integration
  • +Visual playbook builder
  • +Threat intelligence integration (Mandiant)
  • +Pre-built use case packs
  • +API and webhooks
  • +Multi-tenant for MSSPs
  • +Cloud-native architecture
250+ integrations
Google ChronicleMandiantGoogle CloudAWSMicrosoft SentinelCrowdStrikeOkta
Geography
Global
View full Google SecOps SOAR intelligence profile → Compare Google SecOps SOAR →
#8

ServiceNow Security Operations

SecOps on the Now Platform, where security meets ITSM.

Founded 2017 · Santa Clara, CA · public · 5,000-100,000+ employees
G2 4.2 (310)
Capterra 4.3
Custom quote
○ Sales call required
Visit ServiceNow Security Operations

ServiceNow Security Operations (SecOps) extends the Now Platform into security incident response, vulnerability response, and threat intel management. The product is uniquely positioned: it lives in the same workflow engine as ITSM, which means security incidents auto-create change requests, CMDB tickets, and IT remediation workflows without integration overhead. Best-fit for organizations where ServiceNow is already the system of record for IT and where bridging the SOC-to-IT handoff is the biggest operational pain. Trade-offs: pricing among the highest in category, native SIEM integration is shallower than dedicated SOAR vendors, and the Now Platform commitment is a multi-million-dollar prerequisite that locks buyers in.

Best for

Large enterprises (5,000+ employees) where ServiceNow is the system of record for IT and where SOC-to-IT handoff is the biggest operational pain.

Worst for

Non-ServiceNow organizations (no compelling reason to adopt the Now Platform purely for SOAR), engineering-led teams (Tines wins), or mid-market.

Strengths

  • Native Now Platform integration (ITSM, CMDB, change management)
  • Bridges SOC-to-IT handoff better than any dedicated SOAR
  • Mature workflow engine inherited from ITSM
  • Vulnerability Response module covers VM workflow
  • Threat Intel Management module included
  • Strong public-sector adoption

Weaknesses

  • Pricing among the highest in category
  • Now Platform commitment is a multi-million-dollar prerequisite
  • Native SIEM integration shallower than dedicated SOAR
  • Implementation complex (16-32 weeks)
  • Playbook authoring less flexible than Cortex XSOAR
  • Best-fit narrowed to ServiceNow-anchored organizations

Pricing tiers

opaque
  • SecOps Standard
    Industry estimate $150K-$500K annually
    Quote
  • SecOps Enterprise
    Industry estimate $500K-$2M+ annually
    Quote
Watch for
  • · Now Platform license prerequisite
  • · Multi-year contracts standard
  • · Implementation $100K-$500K via certified partners
  • · ITSM, CMDB licensed separately

Key features

  • +Security Incident Response (SIR) module
  • +Vulnerability Response (VR) module
  • +Threat Intelligence module
  • +Native CMDB integration
  • +Native ITSM workflow
  • +Custom workflow builder (Flow Designer)
  • +Risk-based prioritization
  • +Mobile apps
400+ integrations
ServiceNow ITSMServiceNow CMDBSplunkCrowdStrikeTenableQualysMicrosoft Sentinel
Geography
Global
View full ServiceNow Security Operations intelligence profile → Compare ServiceNow Security Operations →
#7

IBM Security QRadar SOAR

Resilient, after IBM bought it; integrated into QRadar.

Founded 2010 · Armonk, NY (IBM HQ) · public · 1,000-100,000+ employees
G2 4.1 (260)
Capterra 4.2
Custom quote
○ Sales call required
Visit IBM Security QRadar SOAR

IBM Security QRadar SOAR (formerly Resilient Systems, acquired by IBM in March 2016 for roughly $200M) is one of the longest-standing SOAR platforms with deep incident response heritage. Bruce Schneier was CTO at Resilient pre-acquisition, which says something about the early intellectual seriousness of the product. Best-fit for traditional enterprises with existing IBM QRadar SIEM footprint where native SIEM-to-SOAR integration matters. Trade-offs: IBM-typical post-acquisition product stagnation, dated UI, and the May 2024 IBM Security divestiture announcement to Palo Alto Networks creates significant roadmap uncertainty, particularly given that Palo Alto already owns Cortex XSOAR.

Best for

Traditional enterprises (banks, insurance, government, healthcare) with existing IBM QRadar SIEM footprint and incident response process maturity requirements.

Worst for

Cloud-native organizations (Tines, Torq, Splunk SOAR win), buyers nervous about IBM-to-Palo Alto transition, or anyone needing modern UX.

Strengths

  • Long-standing SOAR (founded 2010 as Resilient)
  • Native QRadar SIEM integration
  • Mature incident response workflow
  • Deep compliance reporting (NIST, ISO 27001, HIPAA)
  • Built for traditional enterprises (banks, government)
  • IBM X-Force threat intelligence integration

Weaknesses

  • IBM-typical post-acquisition product stagnation reported
  • UI dated vs cloud-native peers
  • May 2024 IBM Security divestiture to Palo Alto creates roadmap uncertainty
  • Palo Alto already owns Cortex XSOAR (overlap question)
  • Implementation complex (12-24 weeks)
  • Customer support flagged through transitions

Pricing tiers

opaque
  • On-premises
    Industry estimate $60K-$300K annually
    Quote
  • Cloud
    Industry estimate $80K-$400K annually
    Quote
  • Enterprise
    Industry estimate $400K-$1M+ for Fortune 500
    Quote
Watch for
  • · IBM Security Suite bundling
  • · Multi-year contracts standard
  • · Implementation services

Key features

  • +Incident response workflow
  • +Native QRadar SIEM integration
  • +Compliance reporting (NIST, ISO, HIPAA)
  • +Playbook automation (Dynamic Playbooks)
  • +IBM X-Force threat intel
  • +Case management
  • +Privacy management (breach response)
  • +Custom dashboards
200+ integrations
IBM QRadar SIEMIBM X-ForceAWSMicrosoft SentinelCrowdStrikeServiceNow
Geography
Global
View full IBM Security QRadar SOAR intelligence profile → Compare IBM Security QRadar SOAR →
#9

D3 Smart SOAR

NextGen SOAR rebranded Smart SOAR, with MITRE-aligned playbooks.

Founded 2002 · Vancouver, BC, Canada · private · 200-5,000 employees
G2 4.6 (140)
Capterra 4.5
Custom quote
○ Sales call required
Visit D3 Smart SOAR

D3 Security has been in the SOAR / incident response space longer than most (founded 2002 in Vancouver), and is one of the few SOAR vendors that has remained independent and privately held without acquisition. The product rebranded from NextGen SOAR to Smart SOAR in 2023, positioning around MITRE ATT&CK-aligned playbooks and a stronger AI-augmentation story. Best-fit for MSSPs and mid-market SOCs that value vendor independence and the MITRE-aligned content library. Trade-offs: brand recognition lower than the top 5, smaller ecosystem, pricing opaque, and the company has stayed quiet on funding details, making capital runway harder to assess than VC-backed peers.

Best for

MSSPs and mid-market SOC teams (200-2,000 employees) that value vendor independence, MITRE ATT&CK-aligned content, and hybrid (SaaS or on-prem) deployment.

Worst for

Fortune 500 SOCs (Splunk SOAR or XSOAR win), Palo Alto-anchored shops (XSOAR wins), or buyers needing established partner ecosystem.

Strengths

  • Independent vendor (not acquired); long tenure since 2002
  • MITRE ATT&CK-aligned playbook library
  • Smart SOAR rebrand brought modern UX
  • Strong MSSP multi-tenancy
  • Hybrid deployment (SaaS or on-prem)
  • AI-augmented playbook recommendations

Weaknesses

  • Brand recognition lower than top 5
  • Smaller ecosystem and integration count (200)
  • Pricing opaque
  • Limited public funding transparency
  • Smaller partner ecosystem
  • Documentation thinner than incumbents

Pricing tiers

opaque
  • Smart SOAR Professional
    Industry estimate $40K-$120K annually
    Quote
  • Smart SOAR Enterprise
    Industry estimate $120K-$400K annually
    Quote
  • Smart SOAR MSSP
    Multi-tenant pricing for MSSPs
    Quote
Watch for
  • · Multi-year contracts at higher tiers
  • · Implementation services
  • · Add-on content packs

Key features

  • +MITRE ATT&CK-aligned playbook library
  • +Visual playbook builder
  • +Case management
  • +Multi-tenant for MSSPs
  • +Hybrid deployment (SaaS or on-prem)
  • +AI-augmented recommendations
  • +Threat intel integration
  • +Custom dashboards
200+ integrations
SplunkMicrosoft SentinelCrowdStrikeAWSOktaServiceNowJira
Geography
Global; North America strongest
View full D3 Smart SOAR intelligence profile → Compare D3 Smart SOAR →
#10

LogicHub (Devo SOAR)

Autonomous SOC concept, bought by Devo; post-acquisition velocity slowed.

Founded 2016 · Mountain View, CA · private · 500-10,000+ employees
G2 4.2 (110)
Capterra 4.3
Custom quote
○ Sales call required
Visit LogicHub (Devo SOAR)

LogicHub was founded in 2016 around the autonomous SOC concept, an ambitious thesis that AI/ML should drive playbook decisions rather than rules. Devo acquired LogicHub in August 2022 to add SOAR to its SIEM platform (the same Devo covered in our Top 10 SIEM ranking). The combined Devo + LogicHub product offers integrated SIEM+SOAR on a single petabyte-scale data platform. Trade-offs: post-acquisition product investment has slowed notably, the original LogicHub leadership team mostly departed, and the autonomous SOC thesis remains more marketing than product reality. Best-fit narrowed to existing Devo SIEM customers wanting bundled SOAR.

Best for

Existing Devo SIEM customers wanting bundled SOAR on the same petabyte-scale data platform, particularly MSSPs combining SIEM + SOAR for clients.

Worst for

Non-Devo SIEM organizations (no compelling reason to choose), buyers wanting active product investment, or anyone needing top-tier customer support.

Strengths

  • Combined with Devo SIEM (single petabyte-scale data platform)
  • Autonomous SOC thesis preserved post-acquisition (in marketing)
  • AI/ML decision engine
  • Strong for MSSPs combining SIEM + SOAR
  • Pre-built use case packs
  • Real-time analytics shared with Devo SIEM core

Weaknesses

  • Post-acquisition product investment notably slowed since 2022
  • Original LogicHub leadership team mostly departed
  • Brand recognition lower than top 7
  • Autonomous SOC thesis more marketing than product reality
  • Best-fit narrowed to Devo SIEM customers
  • Smaller ecosystem than incumbents
  • Support quality concerns flagged

Pricing tiers

opaque
  • Devo SOAR Standalone
    Industry estimate $60K-$200K annually
    Quote
  • Devo SIEM + SOAR Bundle
    Industry estimate $200K-$1M+ annually
    Quote
Watch for
  • · Multi-year contracts standard
  • · Implementation services
  • · Devo SIEM data ingestion priced separately

Key features

  • +AI/ML decision engine
  • +Visual playbook builder
  • +Case management
  • +Native Devo SIEM integration
  • +Pre-built use case packs
  • +Threat intel integration
  • +Multi-tenant for MSSPs
  • +Custom dashboards
200+ integrations
Devo SIEMSplunkCrowdStrikeMicrosoft SentinelAWSOktaServiceNow
Geography
Global; US strongest
View full LogicHub (Devo SOAR) intelligence profile → Compare LogicHub (Devo SOAR) →

Frequently asked questions

The questions buyers actually ask before they sign.

How does the NCSC CAF framework affect UK SOAR selection?
The NCSC Cyber Assessment Framework (CAF) applies to UK Operators of Essential Services (OES) under the NIS Regulations 2018 and to organizations following NCSC guidance more broadly. CAF outcomes B3 (Supply chain), C1 (Security monitoring), D1 (Response), and D2 (Recovery) directly map to SOAR capabilities. Splunk SOAR and Cortex XSOAR have the deepest UK CAF content packs via certified UK delivery partners (Computacenter, Softcat, SCC). Tines has a growing CAF story library in its community. UK OES operators should request vendor-specific CAF outcome mapping documentation during SOAR procurement.
Is Tines a credible UK alternative to Splunk SOAR and Cortex XSOAR?
Yes, for the right buyer profile. Tines is Dublin-founded with a strong UK presence and active UK user community, and it is the recommended first evaluation for UK engineering-led security and IT teams (50-2,000 employees) that do not have Python-proficient SOC analysts and want no-code workflow automation beyond security into IT and DevOps. Tines is not the right choice for Fortune 500-equivalent UK financial services SOCs that need 1,000+ pre-built playbooks (XSOAR wins) or deep Python-extensible automation (Splunk SOAR wins). The UK commercial enterprise and technology sector (retail, SaaS, media) is where Tines competes most effectively.
Do UK SOAR playbooks need to comply with ICO guidance on automated decision-making?
Yes, where automated containment actions affect employees. UK GDPR Article 22 and ICO guidance on automated decision-making apply when SOAR playbooks take actions that significantly affect individuals without human review. Account lockouts, access revocations, and device quarantines triggered by automated playbooks on employee systems are the primary risk area. Best practice: design UK SOAR playbooks with human-in-the-loop approval gates for containment actions affecting employees; document the lawful basis and necessity assessment in your UK GDPR Records of Processing Activities (ROPA). Automated actions against external threat infrastructure (blocking IPs, enriching threat indicators) generally do not trigger Article 22 concerns.
Is SOAR dead in 2026?
The SOAR Magic Quadrant is effectively dead; Gartner retired the category in 2024 and is repositioning around TI Ops (Threat Intelligence Operations) and Hyperautomation. The functionality (orchestration, playbooks, case management) is very much alive, just absorbed into broader SecOps platforms (Cortex XSIAM, Microsoft Sentinel Automation, Google SecOps, Securonix). Standalone SOAR survives in two forms: (1) deep playbook engines bundled with SIEM/XDR (Splunk SOAR, Cortex XSOAR), and (2) independent no-code hyperautomation (Tines, Torq, Swimlane).
Splunk SOAR vs Cortex XSOAR, which one?
Splunk SOAR if you run Splunk Enterprise Security and want the deepest Python-extensible playbook engine. Cortex XSOAR if you run Cortex XDR or are migrating to XSIAM, and you want the largest pre-built playbook marketplace (1,000+ content packs vs Splunk SOAR 300+). The choice usually follows the SIEM/XDR anchor, not the SOAR comparison standalone. At $200K+ annual spend, both vendors compete hard on multi-year discounts.
Tines vs Torq, which one for engineering-led teams?
Tines if you want the most mature no-code authoring experience and an active community. Tines has a longer track record (founded 2018, $1B+ valuation May 2024) and broader IT/engineering positioning. Torq if you want hyperautomation positioning with founders from the Demisto / Palo Alto XSOAR team, and AI-assisted authoring (Torq Socrates). Tines wins on community and roadmap honesty; Torq wins on net new logo growth in 2025.
How much should I budget for SOAR?
Mid-market (200-1,000 employees): $40K-$150K annually. Enterprise (1,000-5,000): $150K-$500K annually. Large enterprise (5,000-50,000): $500K-$2M annually. Add 0.3x-1x first-year for implementation. SOAR pricing is heavily driven by per-analyst seats, capacity (runs/month), or feature tiers. For bundled SIEM+SOAR (Google SecOps, Devo, IBM QRadar SOAR), SOAR adds 20-40% on top of base SIEM cost.
How long does SOAR implementation take?
Tines, Torq: 4-12 weeks with no-code. D3 Smart SOAR: 6-12 weeks. Swimlane Turbine: 8-16 weeks. Google SecOps SOAR (post-Siemplify): 8-16 weeks. Splunk SOAR: 8-20 weeks. Cortex XSOAR: 8-24 weeks with marketplace content. IBM QRadar SOAR, ServiceNow SecOps: 12-32 weeks for enterprise deployments. First production-quality playbook typically lands 4-6 weeks after platform install.
What about AI in SOAR (LLMs, autonomous SOC)?
AI in SOAR 2026 splits into three layers: (1) Playbook authoring assistance (Torq Socrates, Swimlane Hero, Tines AI, Microsoft Security Copilot), genuinely useful and largely production-ready. (2) Triage and prioritization (Securonix, Swimlane Turbine, Devo SOAR), useful but noisy. (3) Fully autonomous SOC where AI takes containment decisions without human-in-the-loop, marketing more than reality. Most mature SOCs in 2026 use AI for authoring and triage but keep humans in the response loop, especially for containment actions.
No-code vs code-based SOAR playbooks, which approach wins?
No-code (Tines, Torq, D3 Smart SOAR) wins for author productivity, analyst accessibility, and time-to-first-playbook. Code-based (Splunk SOAR Python, Cortex XSOAR Python/JavaScript) wins for complex branching, custom integrations, and Fortune 500 SOC depth. The 2026 trend favors no-code with code escape hatches, every modern SOAR ships both. Pure code-based without no-code authoring is increasingly rare.
How do I measure SOAR ROI (MTTR, MTTD improvements)?
Honest SOAR ROI measurement in 2026: (1) Mean Time To Respond (MTTR) reductions, expect 40-70% on well-automated playbook coverage. (2) Analyst productivity, expect 2-3x throughput on Tier 1 / Tier 2 alerts after 6-12 months. (3) Alert containment automation rate, expect 30-60% of alerts auto-contained without human intervention. (4) Cost per alert, expect 40-60% reduction. Watch vendor case studies claiming 90%+ MTTR reductions on day-one playbook coverage; the real numbers are slower-realized.
What is the difference between SOAR and XSIAM/XDR convergence?
XSIAM (Palo Alto), XDR (CrowdStrike Falcon, Microsoft Defender), and converged SecOps (Google SecOps, Securonix) bundle SIEM + SOAR + UEBA + threat intel into one platform with shared data layer. Standalone SOAR (Splunk SOAR, Tines, Torq) bolts response onto whatever SIEM/XDR you already run. Convergence wins for new-stack buyers who want one vendor. Standalone SOAR wins when you already have mature SIEM/XDR investments and want best-in-class response. In 2026, convergence is gaining share fastest, but standalone SOAR retains the mature-SOC and engineering-led-team buyer.
How big are typical SOAR playbook libraries?
Cortex XSOAR: 1,000+ content packs in Cortex Marketplace (largest). Splunk SOAR: 300+ apps and pre-built playbooks. Tines: 300+ stories in Story Library. Torq: 300+ integrations. Google SecOps SOAR: 250+ pre-built use case packs. IBM QRadar SOAR: 200+ Dynamic Playbooks. D3 Smart SOAR: 200+ MITRE-aligned playbooks. ServiceNow SecOps: 400+ workflows across the Now Platform ecosystem. Marketplace depth matters most in the first 6 months; after a year, custom playbooks dominate utilization.

Final word

Looking at a different market? See the global SOAR Software ranking, or pick another country at the top of this page.

Last updated 2026-05-18. Local pricing reverified quarterly. Found something inaccurate? Tell us.