1. Introduction
  2. Overview of Free Cyber Incident Response Platforms and Ticketing Systems
  3. Overview of foreign SOAR platforms
  4. Overview of Russian SOAR platforms
  5. Conclusion



The digital transformation of the economy and the transition to online business processes, especially in connection with the pandemic and remote work, have led to the evolution of not only information systems and infrastructures, but also continuously complex and changing cyber threats, and, as a result, have posed new challenges to the cybersecurity industry. People responsible for information security no longer play "second fiddle", because the company's revenue, reputation and market position directly depend on the cyber stability of systems and services. Sometimes even the existence of a business can be threatened by a successfully implemented cyber attack – whether it is a leak of customer data, a compromise of a software product, or an infection with an encryption virus.

Modern cyber threats leave less and less time to respond to incidents: serious attacks with significant damage can be carried out within literally a few minutes from the moment of initial penetration into an organization's computer network. At the same time, employees of IS departments are overworked and are in a state of almost continuous pressure. The number, danger and sophistication of cyber attacks are compounded by the chronic staff shortage and the specifics of activities that require constant focus, as well as the continuously increasing volume of information that must be received and processed to update one's own knowledge about modern methods and methods of attack.  The well-known events of 2020 have only accelerated this trend: there are even more stress factors and cyber attacks, responsibility is higher, and the features of remote work have made some adjustments to the effectiveness of communication. In SOC-Centers, there is consistently significant turnover, especially on L1 — tired of performing routine operations and having acquired the necessary skills, analysts tend to move to higher levels with more diverse tasks and better salary, thus creating understandable staff turnover. A variety of security tools only "adds fuel to the fire": regularly new, functionally "rich" and complex products are released, each of which has its own interface, functionality and peculiarities.

The logical response to these circumstances was the automation of routine and easily programmable response actions. We recall that in accordance with the NIST Special Publication 800-61 rev.2 "Computer Security Incident Handling", cyber incident response is a step-by-step implementation of related processes: incident, detection and analysis of the incident, then containment, elimination and recovery after the incident, as well as the implementation of post-incident activities with the analysis of the "lessons learned", adjusting response plans, reconfiguring the Information security system.

So, in order to reduce the burden on Information security analysts, it was decided to automate some of the actions for handling cyber incidents – for example, searching and collecting additional information about the asset affected by the incident, searching for IoC (Indicator of Compromise) and data on TTPs (Tactics, Techniques, Procedures) of attackers in TIPs (threat intelligence platform), primary triage (classification) and analysis of incidents, as well as filtering out obvious false positives. Automation of these actions would significantly reduce the KPI of responding to cyber incidents, such as MTTD —mean time to detect, the average time to detect an incident. Then there was the question of how to reduce the indicators of another metric, which is MTTR — mean time to respond, the average response time to an incident. The response implies some active action aimed at localization, containment, elimination of the threat and bringing the Information security to the state "before the attack".

The answer to this challenge was the creation of such a class of products as IRP — Incident Response Platform, a platform for responding to cyber incidents. This class of solutions assumes both the automation of actions for analyzing IS incidents and the collection of additional information (to reduce MTTD), as well as integration with various IT / Information security products to perform automatic or automated response actions (to reduce MTTR), for example, blocking the attacker's IP address on network equipment, isolating the attacked host from the network, terminating suspicious processes and stopping services, deleting unread phishing messages on the mail server, restoring the state of the SPI on the attacked endpoints, etc. The main tasks of solutions of the IRP class are, first, automation of the processing of cyber incidents using programmable workflows or response scenarios (playbook scripts) that describe the procedure for response actions, incl. by sending control commands to the IS system to actively counter the threat (stages of containment and elimination of an incident); second, providing Information security analysts with tools for collaboration on the incident.

As you we can see, IRP platforms actually solve some of the tasks of automating and accelerating incident response.  However, security vendors decided to go further and combine solutions for automating incident response in SOAR-class systems – Security Orchestration, Automation and Response platforms for orchestration, automation and cyber incident response. SOAR platforms integrate tools for processing Information security events (obtained, as a rule, from SIEM or Log Management systems), automating actions for processing event data in accordance with workflows and playbooks, as well as tools for response actions due to centralized management of (orchestration) IT / Information security systems (OS, software, SPI). Additionally, SOAR solutions have case management options for collaboration of a group of analysts on incidents, the ability to process cyber intelligence data (thanks to integration with cyber intelligence data providers, or Threat Intelligence feeds, TI feeds), as well as tools for visualization, reporting, analytics, logging of completed response actions, and maintaining a knowledge base. Optionally, there may be Big Data processing, machine learning and artificial intelligence tools to automate actions and help in decision-making when responding. Roughly speaking, we can derive a logical formula: SOAR = IRP + TIP + XDR, where TIP stands for threat intelligence platform, cyber intelligence data management platform; XDR stands for extended detection and response, platform for advanced detection and response to cyber incidents.

Example of a use case of the SOAR platform: scan an incoming email (integration with a mail server, such as Microsoft Exchange) for malicious URL links or attachment hashes (integration with cyber intelligence systems, such as VirusTotal or URLScan), analyze data of Information security events from the firewall (integration with network equipment, for example, CheckPoint), search for traffic from/to suspicious IP addresses, then send notifications to Information security analysts (integration with instant messengers, for example, Slack) and block malicious IP addresses and URLs on the firewall. It is also possible to assume a scenario when the SOAR system interacts with the end device by integrating with an EDR solution (for example, Kaspersky EDR) to actively contain the threat (for example, network isolation of a host, stopping suspicious processes / services) or to collect information for forensic research (timeline – a timeline of the device, memory dumps, a list of running processes, network connections). Another scenario when using a SOAR solution: analyzing the data of the scanning system for vulnerabilities (for example, MaxPatrol), assessing the network availability and exploitation of the vulnerability on a specific device (for example, via Infoblox) and creating a task to install updates for the IT department (for example, via Atlassian JIRA).

However, recently a new trend has emerged: solutions of the NG-SIEM (Next Generation SIEM) class combine the functionality of SIEM systems, UEBA modules (user and entity behavior analytics, behavioral analysis of users and entities), as well as SOAR platforms. At the same time, many vendors present their NG-SIEM as an easily scalable cloud solution with connectors to cloud and on-prem infrastructures of customers for receiving IS events and responding to incidents. The desire of vendors to combine solutions that perform similar functions is understandable, but with this approach, the customer's ISMS (information security management system) is almost completely dependent on one product from one vendor. The failure of this system leads to major problems: non-compliance with the legislation in terms of collecting logs, the inability to respond quickly to incidents, and the uncontrolled infrastructure.  Thus, customers will soon face a dilemma by taking all the associated risks: either choose individual solutions (for example, SOAR + SIEM or SIEM + IRP) provided by specialized vendors that declare smooth integration with third-party SPI, or complex solutions.

Our current analysis of SOAR solutions will include both specialized SOAR vendors and end-to-end systems developers who typically started with SIEMENS systems. We will try to describe such functions and options that are significant for consumers of SOAR platforms, such as the ability to integrate with third-party IT / Information security solutions that are already used in the customer infrastructure, the simplicity and flexibility of creating playbooks, the options of response automation and the availability of tools for creating custom response modules, as well as options for the team of analysts to collaborate on incidents (cases), visualization (including displaying the performance metrics of ISMS processes), reporting, analytics, support for Big Data, Machine Learning and Artificial Intelligence. We consider the position of the company on the information security market, system/architectural requirements and features, and support for Multitenancy, i.e. the ability to host multiple installations on one platform for different service customers of MSSP (Managed Security Service Provider) and MDR (Managed Detection and Response) providers.

According to some Internet resources, systems for responding to cyber incidents often include business process and IT process automation systems. For example,

  • Ayehu NG (eyeShare) – IT automation and orchestration platform
  • CyberBit SOC 3D – out-of-market IRP solution; now CyberBit is developing a platform for training SOC-Center specialists (trainings, attack simulations, virtual laboratories)
  • Resolve Actions – IT Automation System
  • Tufin Orchestration Suite – solution for centralized management of network devices
  • Ubiqube – platform for complex automation of business processes
  • Zenduty — incident management solution for DevOps and IT departments

An interesting end-to-end platform, in addition to Microsoft Azure Sentinel, is the Google Chronicle Backstory, which runs on Google Cloud and provides the collection and analysis of Google Cloud logs, event correlation and incident link graph viewing, as well as threat detection through its subsidiary VirusTotal and collaboration with the Uppercase cyber intelligence team. However, such complex solutions as Microsoft Azure Sentinel and Google Chronicle Backstory, obviously, go "off the mark" in our analysis, since their use assumes work only in the large ecosystems of Microsoft or Google, respectively.



However, we will start analyzing SOAR platforms not with commercial SOAR systems, but with free OpenSource incident response platforms and ticketing systems. They will not be able to completely replace full-fledged ERP/SAAS platforms, but they will still help analysts and IS specialists in small companies that do not face a large number of incidents. The products are listed in alphabetical order.


Developer: ControlScan, Inc., the United States, which provides cybersecurity services to the SMB segment using cloud solutions and platforms, as well as legal compliance, in particular, PCI DSS. At the end of 2020, the Irish company Sysnet Global Solutions announced the purchase of the MCS office (Managed Compliance Solutions) of ControlScan.

Cyphon Project is an Open Source IS incident management and response platform. The solution is distributed under a non-commercial proprietary user license. The core of the system (Cyphon Engine) is distributed under the GNU GPLv3 license. Актуальная версия на текущий момент: 1.6.7. The distribution is available as a Docker container, as an image for VMware, VirtualBox, and is also available for download from GitHub. Documentation is also available.

The project is a modular solution consisting of the Cyphon Engine and the Cyclops web frontend, which helps to manage Cyphon data and alerts in real time. The project's backend is built on the Django web framework.

The following components are used within the Cyphon project: PostgreSQL, RabbitMQ, Logstash, Elasticsearch, and/or MongoDB, Nginx, or Apache

System requirements:

  • 2 CPU
  • 8 GB RAM
  • 20 GB disk subsystem.

Cyphon provides the following functionality:

  1. Collecting information from the following sources: email (Django Mailbox via IMAP), IT system logs, geographic services, social media (e.g. Twitter)
  2. Creating alerts
  3. Reacting i.e. viewing events, annotating incidents, integrating with the JIRA system (creating a ticket in Service Desk)
  4. Support for REST API requests for interacting with IT / Information security systems and for receiving data, for example, from web services
  5. Receiving logs from endpoints using the Filebeat agent (for Debian, RedHat, MacOS, Windows) and then sending them to Cyphon (to Logstash and then to RabbitMQ)
  6. The user and group management tool almost completely copies that of the Django web framework.

Having received the data, the incoming events are parsed, the properties of the incoming data are mapped to the properties of future incidents, and they are saved and indexed by the selected properties.  Also, the entire process of processing the incoming stream of events is flexibly configurable up to the choice of storage locations. After data collection and initial processing, the received events are analyzed and enriched: regex rules are applied to the content-search for keywords of interest or metadata to generate alerts, and methods of semantic analysis of information can be used for the incoming flow of information (for example, to determine the sentiment of a post on a social network ).  The generated incidents can be tagged, including automatically, to simplify the response, as well as quickly navigate to the context (i.e., to the events related to this incident).

Response in Cyphon is currently limited only to creating a ticket in JIRA, but developers can use the interaction functionality via the REST API to program other response tools. Administrators are notified of new incidents via Push notifications or email, and interaction can also be implemented using the Cyclops frontend.

2.2. FIR

FIR (Fast Incident Response) is a cyber incident management platform that allows initiating, tracking, and reporting. The project was created in the CERT of the French bank – Societe Generale.  The solution is not very actively developed in recent years, it is distributed under the GNU GPLv3 license. The project is in Python, in the solution – MySQL, uWSGI, nginx.

One can use GitHub for installation. There is support for running from a Docker container, or one can use the Heroku cloud platform. The documentation is also freely available.

System requirements:

  • Ubuntu OS 14.04 or later
  • 1 CPU
  • 1 GB RAM
  • 40 GB disk subsystem.

In essence, FIR — a web-based collaboration tool for analysts in an incident investigation, incl. forensic research. Automation includes the creation of incident templates to speed up filling in information when an incident occurs, as well as the ability to build a timeline with details (these objects are called nuggets in FIR). It supports automatic search and extraction of artifacts (IP addresses, host names, URLs, hashes, emails) from created events with automatic link of these IOCs with previously created events and incidents. The FIR interface contains the categories " Events "and" Incidents", where incidents are escalated events that require certain actions to be performed, while loading arbitrary file attachments to events and incidents is supported.

To describe incidents, custom attributes are used, such as financial losses, downtime, the number of stolen credentials, etc., while the creation of custom attributes, as well as the display of statistics and diagrams on them, are supported. To display a list of events and incidents, dashboards are used, which are lists of elements with certain properties (date, time, category, level of severity, status, etc.) with the ability to flexibly search. Reporting on the work of response teams can be visualized in the Stats module, which generates graphs and charts on the performance of handling cyber incidents. To expand the functionality, plugins are used, which include, among other things, response actions, for example, sending an email. System users can develop and install their own plugins to the platform.

2.3. RTIR

The RTIR (Request Tracker for Incident Response) product, as well as the "parent" RT (Request Tracker) project, is developed and supported by the American company Best Practical Solutions LLC. The product is distributed free of charge under the GNU GPLv2 license, but support, revision, and training on the product are paid. Current version: 5.0.1, released in January 2021.

The RTIR product is essentially an IS-focused add-on to the RT project, which is written in Perl and is a web application with an email interface for sending and receiving email on the portal. The product is available for download as an archive and can be installed on any Linux distributions, Mac OS X, FreeBSD, Solaris and other Unix-like OS. The solution needs a Perl interpreter, a database (MySQL, MariaDB, PostgreSQL, Oracle are supported) , and a web server (Apache, Lighttpd, nginx, or any server with FastCGI support). The project has a wiki page and a forum. The documentation is publicly available.

A feature of the project is the only built-in incident handling workflow created in the UK-based Janet CSIRT. Incoming events are received either by email (PGP support), or they are started manually. The product uses immutable fields for incidents, the data in which is filled in from email or entered manually. One can send email from the solution interface and collect simple statistics on resolved incidents. There is a REST API for transferring data in the system. In fact, the solution is a bug tracker slightly adapted to the needs of responding to IS incidents.


TheHive is a free Security Intelligence Response Platform created by a group of six expert Information security enthusiasts, supported by them and the community on GitHub. It is distributed under the GNU AGPLv3 (Affero General Public License). Also, there are paid services for support, installation, revision, training on TheHive product. Current version: 4.0.5, released in February 2021.

The project is written in Python. TheHive consists of TheHive analyst web platform, Cortex analytics module (written in Scala), MISP cyber intelligence data processing platform (uses Apache, MySQL, PHP), Hippocampe TI data aggregator, TheHive4Py API client. The frontend uses the AngularJS framework and Bootstrap. ElasticSearch is used to store data. Documentation for the product and Cortex analytics module is available.

The product can be installed on a physical or virtual machine, and run from a Docker container. Installation of a boolean package, build from source code from GitHub, and installation as RPM and DEB packages are supported.

System requirements:

  • 8 CPU
  • 8 GB RAM
  • 60 GB disk subsystem.

A special feature of the project is the deep integration with the TI-platform – MISP (Open Source Threat Intelligence Platform & Open Standards For Threat Information Sharing). MISP is an open source modular cyber intelligence platform. The MISP platform can be installed on-prem or used externally. It allows creating rules from the received indicators of compromise for such systems as Snort, Suricata, Bro / Zeek IDS, as well as convert the received data into STIX, OpenIOC, text, CSV.

Cortex – a module for analytical enrichment of information on IoCs with automated analysis of objects, the ability to create personal analyzers (i.e. analysis modules written in Python or any Linux-supported programming language) and use the MISP modules to enrich analytical data with REST API support. Analyzers request information on an input JSON object that contains IoC from various services such as VirusTotal, Shodan, Censys, PhishTank, UrlScan (the list includes more than 100 services), and also sends the object for analysis to the sandbox (Cuckoo Sandbox, Joe Sandbox).

Also, Cortex provides the ability to create and configure Responders, i.e. direct response modules, which receive a JSON object as input, perform a specific action when processing cyber incidents (for example, send an email alert or give a command to the IST) and return the result. Responders can be written in Python (recommended by the developer), Ruby, Perl, Scala, or any programming language supported on Linux. Cortex interacts with other Information security systems via REST API or the Cortex4py module.

Hippocampe — a TI feed data aggregator that receives IoCs from the Internet and accumulates them in an Elasticsearch cluster, making it possible to access them via REST API. One of the Cortex analyzers is designed to access Hippocampe to search the accumulated CTI data. Hippocampe is also free software, distributed under the AGPL.

A common work pattern of TheHive is as follows:

  1. Receiving data via API from the file directory, from SIEM, via email, from the Information security system, from cyber intelligence data providers. For these interactions, the TheHive4Py API client is used, which, creates an incident in TheHive after parsing the incoming message.
  2. Next, in the TheHive web interface, a team of analysts works on the incident: information is exchanged, tasks with customized properties are assigned and processed, files are attached to tasks, metrics are viewed, and information is displayed on interactive dashboards.
  3. Analytical data is obtained from Cortex analyzers and cyber intelligence data from the MISP platform to enrich information about the incident.
  4. There is a response to an incident using responders, notifications are sent to messengers and / or by email), reports on incidents that have occurred are generated.




In 2020, Micro Focus acquired the UK-based Atar Labs — the creator of the ATAR (Automated Threat Analysis and Response) platform. Current version: Micro Focus ArcSight SOAR 3.0. This SOAR platform is available as a container for installation on an ArcSight Platform server at no additional cost for users of Micro Focus ArcSight ESM and Recon solutions. The documentation for both the SOAR solution and the entire ArcSight Platform is publicly available.

System requirements for installing ArcSight Platform Server:

  • 4 CPU
  • 16 GB RAM
  • 200 GB disk subsystem.
  • RHEL 7.7, 7.8, 8.1
  • CentOS 7.7, 7.8, 8.1
  • ArcSight Fusion (web-based management) and ESM Command Center / Recon components installed.

Key features of the solution:

  1. Integration with the ArcSight platform, which includes the ArcSight ESM SIEM-solution
  2. Integration with over 120 IT /Information security solutions
  3. Graphical and Python editor for actions and workflows
  4. Using automatic and manual actions, for example, requiring formal manual approval of a critical action. The ability to "rollback" some of the performed actions. The ability to set conditions for performing actions
  5. Access control to perform operations with various connected systems based on a role model, use of ACLs of users and user groups to control access to integration objects.
  6. Logging of performed actions, reporting with 20 preset templates, building a timeline
  7. Customizable dashboards, 50 preset widgets
  8. The ability to create custom plugins in the development environment provided in the solution
  9. Using Lists to store data
  10. Support for installation on-prem or in cloud infrastructure (Azure, AWS)


Blumira, Inc is an American startup, developer of the Blumira solution. The Bloomira product portfolio includes the Cloud SIEM solution with features for TI-view data processing, automated threat detection, Threat Hunting, and incident data management.

The solution setup process involves the installation of the Blumira Sensor component in the protected infrastructure; the installation is carried out on the Ubuntu 18.04 OS (virtual or physical server). Next, the Blumira Sensor receives and parses data from the protected infrastructure, sends the results to the Blumira Cloud SIEM cloud instance via the https protocol, where cyber intelligence data analysis is applied to the received Information security events. Then, if a prompt response is required, the cloud service sends commands to be executed in the organization's infrastructure and notifies employees via emails / messengers while providing recommendations for further response.

Key features of the solution:

  1. Integration with more than 60 IT / Information security systems
  2. Personal TI feeds – the result of the work of Blumira analysts, the exchange of TI feed data within the solution between customers, integration with third-party TI feeds
  3. Using dynamic block lists for online blocking of IP addresses and domain names on network equipment (Palo Alto Networks, Cisco, Fortinet, Check Point, Sophos, F5, etc.)
  4. Playbooks as a recommended sequence of actions for each type of incident
  5. Prioritizing Information security alerts and incidents
  6. Passing required artifacts in an incident
  7. Automatic correlation of Information security events data and cyber intelligence data
  8. The ability to install a virtual honeypot – Blumira honeypot – for proactive detection of threats on the network
  9. Multitenancy support
  10. Role-based access control
  11. Incident reporting in accordance with such Western standards as PCI DSS, FFIEC, NIST 800-53, HIPAA, etc.

Only dynamic block lists for network equipment are supported. The rest of the integrations are used only to receive Information security events from integrated (connected) systems.


Cisco Systems introduced its Cisco SecureX solution in 2020. The product is provided free of charge if the company uses any Cisco products. Deep integration with all Cisco products and services is supported (for example, cyber intelligence from Cisco Talos). The product is built on a cloud-based microservice architecture (hosted in the European Union, the USA or in the countries of the Asia-Pacific region) with the API-first concept; it supports the creation of personal integrations (adapters to IT / Information security systems) via REST API. Adapters can be written in Python, Golang, Java; integration with Git repositories is also supported. Workflow automation in SecureX is based on Cisco Action Orchestrator, which is responsible for the logic and order of the playbooks. The documentation for the latest version of Cisco Action Orchestrator 5.2.1 is publicly available.

Key features of the solution:

  1. Simple integration with the Cisco products
  2. Creation of custom adapters for IT / Information security systems
  3. Support for executing scripts on Linux Shell and Python on integrated systems
  4. Playbook editor GUI, using actions ("methods") and variables to implement incident response logic
  5. Incident management: ticketing, incident list, collaboration, object aggregation in casebook
  6. The ability to search data in Cisco Orbital (essentially a database with host attributes on the network) using SQL queries (Osquery)
  7. Requesting context for an object of interest from different systems, requesting data from TI feeds (including Cisco Talos)
  8. The Threat Hunting module with a search for indicators of compromise (IoC) in the network, history and updating of IoCs and affected objects, the ability to respond immediately
  9. The ability to send IoC to Cisco AMP Threat Grid (on-premises or cloud sandbox) for investigation
  10. Role-based access control
  11. Flexible dashboards, reporting, news feed functionality (ribbon) with the ability to transfer customized widgets between different Cisco products.


Cyware Labs Inc. is an American startup headquartered in New York, working in the field of providing services and products for cybersecurity. The Cyware Fusion and Threat Response (CFTR) product includes the Cyware Security Orchestration Layer and the Security Orchestration Gateway, which provide management of IT / Information security systems hosted on-prem or in the cloud infrastructure.

The solutions also include platforms for exchanging cyber intelligence data, providing situational awareness, conducting investigations of cyber incidents.  Commercial features include a referral affiliate program to attract new customers, as well as a financial program for MSSP providers.

Key features of the solution:

  1. More than 250 pre-configured application integrations
  2. Built-in REST API support for interacting with the CFTR product and integrations
  3. Hundreds of graphical pre-configured playbooks with import and export support
  4. Graphic editor for playbooks,
  5. Python 3 support for creating custom response functions
  6. Triggering actions automatically and manually, as well as on a schedule
  7. The ability to interact with both devices and asset owners to handle cyber incidents
  8. Case management with support for responding to cyber incidents according to NIST 800-61
  9. Visualization of the link between information security events, incidents and detected IoCs/artifacts, support for the classification of incidents in accordance with the MITER ATT & CK matrix
  10. Vulnerability management, maintaining a database with vulnerabilities
  11. Audit of actions performed on the playbook
  12. Role-based access control model based on user group membership
  13. Customizable dashboards, reporting, widgets, displaying indicators of the performance of Information security processes.

3.5. D3 SOAR

D3 Security is a Canadian company that positions itself as an independent vendor, not a member of any alliance. The cyber incident response automation module is an integral part of the platform for cyber security management, standardization, automation and acceleration of incident response, compliance with legal requirements. The documentation is publicly available.

Key features of the solution:

  1. Graphical, customizable playbooks for responding to cyber incidents based on NIST 800-61 and SANS
  2. Handling cyber incidents using the MITRE ATT&CK matrix with search for indicators of compromise and analysis of Https in Information security events (the ATTACKBOT technology)
  3. More than 300 integrations, codeless API-based integrations, incl. two-way SIEM integration: Elasticsearch, Exabeam, FortiSIEM, IBM QRadar, LogRhythm, McAfee ESM, Micro Focus ArcSight ESM, RSA NetWitness, Splunk
  4. Graphic editor for playbooks; the ability to create automated and manual (for example, coordination or expert decision) actions
  5. Visualization of the link of artifacts, TTPs, events and Information security incidents, building a timeline for the development of cyber incidents
  6. Finding, analyzing and documenting indicators of compromise
  7. Correlation and deduplication of Information security events and incidents
  8. Access control models based on response stages and user authority (role, group, organization), support for data encryption in object fields
  9. Reporting, forensic documentation, visualization of Information security metrics, trend analysis
  10. Multitenancy support.


DFLabs is a cyber incident response platform that includes IncMan SOAR and IncMan DFIR (a forensic and incident response automation product). The developer is the Italian DFLABS SPA company. Developers are presenting their product as a platform for SOCs, CSIRTs (Cyber Incident Response Teams) and MSSP providers to deliver MDR services. The solution has a web community.

Key features of the solution:

  1. Integration with more than 150 IT / Information security systems via QUIK, API, CF, Syslog, e-mail, integration with TI-types (STIX, TAXI, Opinion, MISP, etc.)
  2. REST API and Open Integration Framework support for custom integration
  3. Creating graphical playbooks using the R3 (Rapid Response Runbook) engine, more than 100 pre-configured playbooks
  4. The bility to perform automatic, automated and manual actions as part of the response
  5. Case management with more than 100 custom fields in incident cards
  6. Customizable dashboards and widgets
  7. More than 140 customizable preset reports and KPI-metrics of ISMS performance, including cyber incidents and compliance
  8. Centralized storage of all documents related to the incident with access control
  9. Role-based access control
  10. Knowledge base with cyber intelligence data, procedures, best practices, standards (GDPR, ISO, NIST, etc.)
  11. Applying machine learning methods (Supervised Learning) to analyze processed incidents and issue response recommendations using the ARK (Automated Responder Knowledge) module
  12. Multitenancy support with centralized management, physical separation of consumer data, horizontal and vertical scalability, load balancing, and high availability. Installation as a virtual or physical application.


Exabeam, Inc. is an American company with headquarters in California and offices in the United States, Mexico and the EMEA and APAC regions, which bought (in 2019) the Israeli company SkyFormation engaged in the protection of cloud applications. The Exabeam Incident Responder product is part of the Exabeam Security Management Platform solution consisting of SIEM, UEBA, TIP, analytics and cyber incident response, which has evolved into the Exabeam Cloud Platform. Current version: Incident Responder i54.5.2. Product documentation is publicly available, as is the community and knowledge base.

The solution is based on Linux OS; installation via VMware ESX, AWS, Google Cloud is supported.

Key features of the solution:

  1. Multitenancy support with Exabeam Cloud Platform PaaS- Solution
  2. Integration with the Exabeam platform, incl. SIEM and UEBA
  3. Integration with more than 85 IT / Information security solutions for incident response, the Exabeam Application Marketplace is available; it is possible to create new integrations via SDK
  4. Graphical playbook editor, creating new playbooks in Exabeam Cloud Studio, preset playbooks
  5. Boolean expressions, manual and automatic (triggered) execution of tasks in playbooks. Triggers can be creating an incident, changing its status or priority
  6. Self-creation of API actions in Python playbooks in the internal web Action Editor
  7. Role-based access control


The American company FireEye is the developer of the FireEye Helix SOAR product. This solution is part of the cloud-based Information security management FireEye Helix platform, which consists of SIEM modules (incl. threat detection using machine learning methods and cyber intelligence data), UEBA and analytics (using machine learning and artificial intelligence methods to detect anomalies in the IT infrastructure and user behavior). Support for installation in cloud, on-premises, and hybrid infrastructures. Current version of the FireEye's Security Orchestrator (FSO) product: 6.0.

Key features of the solution:

  1. More than 400 built-in playbooks developed by the incident response experts at the Mandiant subsidiary
  2. A framework for plugin development, more than 150 built-in integrations, the ability to download additional integrations from the marketplace
  3. Integration with TI feeds, quick creation of incidents if a malicious connection or a compromise indicator was detected
  4. Response Next Steps Tips (Expertise Packages)
  5. Correlation of the current incident with previous incidents
  6. Rapid shift from incident to asset properties
  7. Attributing an attack with a specific APT grouping
  8. Integration with such TI services as Mandiant and FireEye Threat Intelligence
  9. Customizable dashboards, displaying warnings, cases, Information security events
  10. Regulatory compliance reports
  11. Role-based model of granting access, the ability to assign granular access rights.


At the end of 2019, the American company Fortinet acquired CyberSponse, the developer of the SOAR product CyOPs, and transformed this solution into FortiSOAR. The FortiSOAR product supports full integration with the Fortinet Security Fabric ecosystem, which includes FortiAnalyzer (Pack for collecting and analyzing Information security events), FortiSIEM (SIEM system incl. UEBA, machine learning, TI feeds and CMDB modules), FortiGate (NGFW), FortiEDR (a multi-platform EDR solution with support for IoT device protection), FortiSandbox (sandboxing with the ability to be hosted in an on-premises infrastructure or in the cloud), FortiMail (an email security system). Current version of the FortiSOAR solution: 6.4.4. The documentation is publicly available. The product also has a free version – FortiSOAR Free Community Edition.

The FortiSOAR solution is based on CentOS 7, it supports installation only in such virtual environment as VMware, KVM and AWS from a virtual machine image or using an installer (binary file) on CentOS 7. PostgreSQL, Elasticsearch, Redis, RabbitMQ, nginx, Tomcat are used as components.

Hardware requirements:

  • 8 CPU
  • 32 GB RAM
  • 1 TB disk subsystem

Key features of the solution:

  1. Management of Information security incidents using interactive custom dashboards, with the ability to create custom mappings, lists, data fields using a role-based model of access to incident data, incl. support for queuing functionality for processed incidents and setting tasks to various members of the SOC center team and support for the MITRE ATT&CK matrix
  2. Interactive graphic editor of workflows (playbooks), more than 200 preset playbooks. The ability to export / import playbooks (as JSON) and analyze their use and performance, the ability to collaborate to create custom playbooks as graphics or text (JSON file)
  3. Functionality of connectors to almost 300 different IT systems and information security systems, including such SIEM solutions as FortiSIEM, McAfee ESM, RSA Netwitness, Micro Focus ArcSight, IBM QRadar, Splunk. The ability to create custom connectors in Python using the FortiSOAR Connector SDK
  4. Building a graph of relationships between entities that appear in a cyber incident
  5. Support for Multitenancy, optimization for MSSP, the ability to assign permissions for different tenants, load balancing and fast scaling, running independent workflows for different clients
  6. Data visualization on dashboards, widgets, lists, charts, data output to reports, export of graphic representations as pdf, the ability to assign access rights to graphic elements in accordance with the access model
  7. The ability to work in dedicated network segments using the FortiSOAR agent, which sends and receives control signals and data
  8. Role-based model of granting access to playbooks – rights to create, update, read, execute, delete. In addition, access to certain playbooks can only be granted to certain analyst teams.


In 2016, the American company IBM acquired Resilient Systems specialized in responding to cyber incidents and developed the Resilient IRP solution. The response automation product is known as IBM Security Resilient, but was recently renamed IBM Security SOAR. The IBM portfolio includes a large number of products, including the IBM QRadar SIEM system, which integrates with IBM Security SOAR using the IBM QRadar SOAR Plugin application. The version of the IBM Security SOAR is 36.2. The documentation for the solution is publicly available. There is also a portal for integration developers and a GitHub repository.

System requirements:

  • 4 CPU
  • 16 GB RAM
  • 100 GB disk subsystem.
  • Installation on RHEL 7.4-7.7 or later, the database runs on Tomcat and PostgreSQL
  • Hypervisor support: VMware 6.0 or later

Key features of the solution:

  1. Graphical workflow editor with BPMN notation support, dynamic playbooks with the ability to change the incident handling process as new information becomes available, the ability to manually edit playbooks and write response scripts in Python (version 2.7)
  2. Integration with over 180 IT / Information security systems using Resilient App Host containerization technology (based on Kubernetes).
  3. Creating new Python applications using the Resilient Circuits framework, support for RESTful API
  4. Native integration with the cyber intelligence provider i.e. IBM X-Force Exchange, the ability to integrate with other TI feeds
  5. Knowledge base with a library of regulations (focused on foreign legislation on the protection of personal data)
  6. Reporting, graphic dashboards, display of KPIs and metrics of the performance of information security processes
  7. Role-based access control
  8. Installation on-premise and in the cloud infrastructure (IBM Cloud OS 2 Type 2, compliance with ISO 27001, 27017, 27018).
  9. Support for Multitenancy and work in MSSP environments (options for fast scaling, control of metrics for all customers, fast content and playbook updates for all customers).


The LogRhythm RespondX product is developed by the American company LogRhythm and is part of LogRhythm NextGen SIEM Platform, which includes LogRhythm XDR Stack (AnalytiX module – AI-based log management, DetectX module – analytics, scoring and TI, RespondX – SOAR module), NetworkXDR (control and response to network threats), UserXDR (control and response to account threats), NetMon (network activity control module), SysMon (endpoint control module). The platform documentation is publicly available.

The solution can be installed in a local infrastructure (as applications and on top of the OS), as well as in a cloud infrastructure (public and private clouds).

Key features of the solution:

  1. Reacting with the SmartResponse Automation module
  2. Integration with IT / Information security systems with more than 40 ready-made LogRhythm SmartResponse automation Plugins (SRPs) that allow collaborating (for example, sending alerts to messengers, creating tickets in helpdesk systems), enriching incident data (for example, searching for a hash in VT, running a vulnerability scan, obtaining data about the host), responding to an incident (for example, blocking an IP address on a network device, blocking an account, stopping a service or process on a host)
  3. The ability to create custom plugins for responding using built-in tools in common scripting languages (including Python and PowerShell)
  4. Support for a variety of options for responding to incidents: manually, with a request for approval, automatic execution when boolean conditions are met, remote command execution by the LogRhythm SysMon Agents component.
  5. Case management module with documenting actions and maintaining an audit trail
  6. Graphic playbooks
  7. Metrics of the performance of Information security processes for SOC
  8. Dashboards, reporting
  9. Discretionary access control model.


LogSign is a Turkish company that creates solutions of the SIEM and SOAR class. The SIEM system has more than 400 integrations, as well as interaction with TI feeds, creation of custom plugins, behavioral analysis, more than 200 built-in correlation rules, dashboards and reports, notifications by email and SMS. LogSign SOAR interacts with LogSign SIEM.

Key features of the solution:

  1. API support for interacting with third-party solutions
  2. More than 400 built-in integrations and more than 200 pre-configured automation actions
  3. Graphical playbooks and interactive custom bots to automate actions
  4. Manual and automatic actions
  5. Case management and information exchange, task setting, SLA control
  6. Maintaining a knowledge base of resolved incidents
  7. Graphic dashboards, reports
  8. Multitenancy support for MSSP providers.


The stack of security technologies from the American company Microsoft is quite extensive and can be represented by such products as the Azure Security Center (cloud infrastructure security complex), the Microsoft 365 Security Center, the Microsoft 365 Compliance Center, the Microsoft 365 Defender XDR solution, the Microsoft Cloud App Security CASB solution, and the Microsoft Azure Sentinel cloud SIEM system incl. SOAR functions. As part of this review, we will briefly describe the main features of the solution, but it should be taken into account that Sentinel cannot be used separately from the entire Microsoft cloud stack, which is a huge interconnected ecosystem of technologies, products and services. Therefore, an objective comparison with other SOAR platforms should not be expected.

The Microsoft Azure Sentinel solution allows collecting Information security events from Microsoft cloud products, as well as from almost any other sources, using standard methods (CEF, Syslog, etc.), the Azure Sentinel agent, the REST API method. To provide cyber intelligence data, there is Microsoft Threat Intelligence Center, which monitors more than 200 various cloud services, more than 18 billion web pages scanned daily by the Bing search engine, and more than 400 billion emails are analyzed.

The product is preconfigured with some playbooks and provides the ability to create personal ones in a graphical editor. One can also use the Jupiter Notebook analytical tool and Python scripts to analyze IS events and respond to cyber incidents.

Thanks to the Fusion technology, based on the principles of machine learning and artificial intelligence, the product is able to detect multi-stage complex cyber attacks by identifying and analyzing suspicious actions, signs of compromise and deviations in the behavior of controlled entities. The ability to load personal machine learning models to the system.


The Demisto startup was acquired by the American company Palo Alto in 2019, and Demisto's SOAR product was named PaloAlto Cortex XSOAR. At the same time, the GitHub repository of Demisto is regularly updated, and Cortex XCSOAR also has a free Community Edition Current version of the PaloAlto Cortex XSOAR product: 6.1. The documentation for the solution is publicly available. There is also a developer portal.

PaloAlto Cortex XSOAR can be installed on virtual and physical infrastructures, as well as using Docker. Indicators and audit data are stored in Elasticsearch. The solution supports the installation and use of agents on Windows, Linux or MacOS to perform actions (scripts, commands) to respond to endpoints and to collect forensic data.

System requirements:

Cortex XSOAR Server:

  • CentOS (7.x and later), Ubuntu (16.04 and later), RHEL (7.x and later), Oracle Linux (7.x)
  • 8 CPU
  • 16 GB RAM
  • 500 GB disk subsystem.

Cortex XOR Engine Server:

  • Windows, MacOS, Linux
  • 8 CPU
  • 16 GB RAM
  • 20 GB disk subsystem.

Key features of the solution:

  1. More than 500 built-in integrations, two-way data exchange between XSOAR and integrated IT / Information security systems for data synchronization, full integration with the PaloAlto products
  2. Graphic editor for playbooks
  3. Marketplace with use-cases, playbooks, dashboards, reports
  4. DBot that implements machine learning by analyzing the actions of analysts (Supervised learning) and further analysis of indicators of compromise, recommendations for assigning an appropriate incident analyst to perform further actions as part of the response process and for improving playbooks
  5. Managing cyber intelligence data, processing indicators of compromise, linking indicators with incidents, adding new indicators
  6. Automatic mapping of event properties (fields) from integrated systems to XSOAR using machine learning methods
  7. Multitenancy support.


The American company Rapid7 in 2017 bought the company Komand, which was engaged in the development of SOAR systems. As a result, the Rapid7 InsightConnect product came on the market. The Rapid7 portfolio also includes Rapid7 InsightIDR (cyber threat detection and response solution), DivvyCloud (cloud security product), InsightAppSec (software analyzer), InsightVM (vulnerability management platform). These solutions are combined in the Rapid7 Insight Cloud platform. The documentation is publicly available.

A key component of the solution is Insight Orchestrator, which manages integration plugins running in Docker containers. The orchestrator is installed either as a CentOS 7-based image for virtualization platforms (VirtualBox, VMware, AWS), or using an installation script on a server running CentOS 7 or RHEL 7/8. The orchestrator interacts with the InsightConnect cloud servers to receive tasks and send the results of their execution, as well as to provide information about the state of the orchestrator. A single orchestrator can be used to manage multiple Rapid7 products (Insight Connect, InsightVM, or InsightIDR), and in the case of LAN segmentation, a separate orchestrator server will need to be installed in each network segment.

System requirements:

Insight Orchestrator Server:

  • 4 CPU
  • 8 GB RAM
  • 64 GB disk subsystem.

Key features of the solution:

  1. More than 300 plugins for integration with IT / Information security systems and documentation on how plugins work, connection and requirements for work (ports, rights). Two-way integration support for data synchronization in connected IT / Information security systems (SPI, ticketing systems). There is API integration with the following SIEM systems: IBM QRadar (transmitting data about incidents, directories, executing AQL queries to search for events), McAfee ESM (receiving events, tracking the status of incidents), Splunk (receiving events, searching for information, sending updated information to Splunk)
  2. More than 170 ready-made workflows for performing typical actions on connected IT/ Information security systems, for example: add a URL to the blocklist, delete an asset, quarantine a host, get data by hash from TI feeds.  Interaction between integrated systems is carried out either via API or via messengers Slack and Microsoft Teams
  3. Advanced integrations via embedded applications: InsightConnect App for Splunk (sending events from Splunk to InsightConnect to launch workflow), Slack (implementing the ChatOps concept, i.e. performing actions to automate the response to cyber incidents via messengers for communication, receiving information and warnings, launching workflows), InsightIDR (transmitting enriched Information security events from InsightConnect to InsightIDR for cyber investigation of an incident)
  4. The ability to select business-critical actions that analysts can only perform manually. The ability to combine automatic actions and interaction with company employees (for example, obtaining the approval of an HR employee before blocking an account in Active Directory)
  5. Dashboards showing the time saved, a list of actions, statistics on workflows, graphs with the number of automated and manual actions
  6. The Workflow module – a graphical editor with support for creating boolean operators in FQL (Format Query Language) for filtering data and setting the logic for making automated decisions. As part of the workflow, all data is passed inside JSON objects, and boolean files are passed as base64 also inside JSON objects. Workflows are run as part of tasks that monitor the status, time, and result of running workflows. The workflow supports working with global artifacts, i.e. with elements of dictionaries containing, for example, IP addresses, account names, domain names that can be used in different workflows at the same time.


RSA NetWitness Orchestrator is a product of the North American company RSA, which was purchased in 2020 by the private investment company Symphony Technology Group from Dell Technologies Corporation, which RSA had been a member of since 2016. In 2019, ThreatConnect, Inc. partnered with RSA: the combined ThreatConnect Platform solution became RSA NetWitness Orchestrator Built on ThreatConnect. ThreatConnect Platform collects and compiles data from over 100 TI feeds and dozens of cyber research communities. Current version of the RSA NetWitness Orchestrator product: 6.0.7. The documentation for the solution is publicly available.

System requirements:

  • Application Server: 16-48 GB RAM, 8 CPUs, 50-150 GB disk subsystem
  • Database server: 12-32 GB RAM, 6-12 CPUs, 20-60 GB disk subsystem
  • Elasticsearch server: 12-32 GB RAM, 6-12 CPUs, 20-60 GB disk subsystem

Software environment requirements:

  • OS RHEL 6/7 or CentOS 6/7
  • Oracle Java or OpenJDK
  • Elasticsearch Server 6.3.0
  • Python 3.6
  • Redis 4.0.10
  • MySQL 5.7 or SAP S / 4HANA or PostgreSQL 11 DBMS

Key features of the solution:

  1. More than 500 integrations with the ability to create personal integrations (Python, JavaScript)
  2. Built-in TI feed support and prioritization of responses based on cyber intelligence accuracy
  3. Customizable graphic dashboards with display of information security metrics
  4. Collaboration tools for cyber incidents with automatic documentation of actions and support for ChatOps
  5. Using the Machine Learning technology ("Supervised learning") to support decision-making by the analyst
  6. Full integration with SIEM solution RSA NetWitness Platform, SGRC-solution RSA Archer
  7. Multitenancy support
  8. Role-based access control


The developer of the Securonix SOAR solution is the American company Securonix, Inc. with offices in the EMEA and APAC regions. In addition to SOAR, the Securonix product line also includes SIEM, UEBA, NDR (Network Detection and Response), NTA (Network traffic analysis) and Security Data Lake solutions (a cloud-based security platform for Big Data processing, certified according to SOC 2 Type 2 and ISO 27001: 2013), which are part of the unified Securonix SNYPR (Security Operations and Analytics Platform) platform.

In 2019, Securonix announced a partnership with CyberSponse and the integration of CyberSponse SOAR (CyOPs) into the Securonix SIEM solution. At the end of 2019, Fortinet acquired CyberSponse, and Securonix, apparently, began to develop SOAR on their own. Current version of the solution: 6.3. The documentation is publicly available.

System requirements:

  • 8 CPU
  • 32 GB RAM
  • 1 TB disk subsystem
  • Hypervisor support: VMware ESX 5.5 and later, AWS

Key features of the solution:

  1. More than 275 integrations in the Securonix Fusion Partners system
  2. Using machine learning (Supervised Learning) and Artificial Intelligence to provide recommendations for responding or to perform actions automatically, as well as to prioritize incidents and threats
  3. Case management with logging of actions performed, creating an audit trail
  4. Reports and metrics providing data on the performance of cyber incident response
  5. License: the cost of a license depends on the number of employees in the company, regardless of the amount of data, assets, integrations, etc.
  6. Securonix API is provided for integrating custom solutions
  7. Professional services for product support and deployment, training and product certification
  8. Multitenancy support
  9. Installation On-prem or in the cloud (AWS Security Competency certification) as a software application (Linux-based)
  10. Role-based access control.


ServiceNow Security Operations is a SOAR solution from the American company ServiceNow, built on the proprietary Now platform using the ServiceNow CMDB and workflows, automation modules and visualization. The ServiceNow platform offers great opportunities for integration with external IT / Information security products using a single unified approach for eliminating vulnerabilities, responding to IS incidents, and working with IT assets. The vendor also has a GRC (Governance, Risk-management, Compliance) solution called Service Now GRC with the following modules: policy and compliance management, risk management, audit management, vendor risk management. The current version of the platform: The ServiceNow release Quebec (in ServiceNow, releases are traditionally called by cities: Quebec, Paris, Orlando, etc.). The documentation for the ServiceNow Security Operations solution is publicly available, there is also a developer platform and a user community. The marketplace with integrations is available for platform users.

System requirements:

  • 4 CPUs (2 GHz)
  • 8 GB RAM
  • 40 GB disk subsystem.

Software environment requirements:

  • Windows Server 2012, 2016, 2019 with .NET Framework versions 3.5, 4.0, 4.5, 4.6, or 4.7 and with PowerShell versions 3.0 to 5.1. Either RHEL 6 or later, CentOS 6 or later, Ubuntu 14.04 or later
  • The platform uses Java 11, Java Service Wrapper version 3.5.40.

Key features of the solution:

  1. More than 80 integrations with IT / Information security systems, including SIEM products Micro Focus ArcSight ESM, Elasticsearch, IBM QRadar, McAfee ESM, Splunk
  2. Vulnerability response module: identification, prioritization and elimination of vulnerabilities with an assessment of operational risks based on data from vulnerability scanners, vulnerability databases, software analyzers, and then setting tasks to IT employees
  3. Cyber incident response module: identification, prioritization, and handling Information security incidents using data from connected SPIs, including: SIEM systems, as well as data from TI feeds, with the implementation of actions to contain and eliminate threats (for example, block the IP address on network equipment, remove a phishing message from email), maintain a knowledge base of resolved incidents, create audit records and provide reporting on response and visualization on dashboards.
  4. Configuration Compliance Module: identifying, prioritizing and setting tasks for correcting the configuration of IT assets based on data obtained from the CMDB, policies (by integrating with the ServiceNow GRC product with further automatic monitoring of compliance indicators), software analyzers and sources of information about compliance requirements
  5. Cyber intelligence module: threat hunting, collection and processing of indicators of compromise, enrichment of Information security incidents with cyber intelligence data using the STIX format (1.1, 2.0 and 2.1 versions are supported)
  6. Integration with mobile platforms (Android, iOS) to provide rapid response capabilities when taking into account the role-based access control model
  7. Multitenancy support for MSSP / SOC implementations by dividing the processed information into domains by controlling access rights
  8. Visualization: graphical editor of workflows, building a response timeline, dashboards of statistics and metrics of the performance of Information security processes (more than 50 pre-configured KPI metrics), analysis and forecasting of ISMS trends
  9. Interaction with controlled IT assets and connected SPIs via the MID-server. Management, Instumentation, Discovery (MID) server – a Java application installed on a Windows or Linux server, equipped with support for a variety of interaction methods (LDAP, JDBC, REST API, SOAP, WSDL, ODBC, web service, file method) and programming languages (Python, PowerShell, PHP, Perl, Ruby, etc.) to expand functionality.
  10. Prioritizing incident response, vulnerability resolution, and misconfiguration based on a risk-focused approach to the importance of a specific asset (CI record in the CMDB) for the company's business processes
  11. Role-based access control.


The Simplify SOAR platform was created by an Israeli company with offices in Tel Aviv and New York. There is a commercial version (from $ 2500 per month, package offers for SOC teams and MSSP providers), and a free Community Edition with some functional restrictions on the number of incidents, playbooks, users, functionality. Current version: 5.6.0. The documentation for the solution is publicly available, and documentation for the used integrations is also available.  There is a portal for developers and users. Siemplify offers its own marketplace with integrations, use cases, playbooks. In addition, a Python development environment is provided for creating integrations (connectors) by third-party developers to send data to Siemplify.

Siemplify is written in Python, the ELK stack (Elasticsearch, Logstash, Kibana) is "under the hood”, as well as PostgreSQL DBMS for operational data and Elastic Search Index for storing Information security events. The installation of Simplify is supported both in the cloud infrastructure and on-prem, incl. on a virtual infrastructure.

System requirements:

  • 12 CPU
  • 32 GB RAM
  • 800 GB disk subsystem.

Software environment requirements:

  • ОС CentOS 7.8

Key features of the solution:

  1. The Siemplify ThreatFuse technology in partnership with cyber intelligence company Anomali to collect, analyze and manage TI data and indicators of compromise using Machine Learning methods
  2. Graphic editor for playbooks with the implementation of branching, setting triggers and transition conditions
  3. A set of preset and updated by the company and community of playbooks for common scenarios, maintenance of metrics for playbooks, simulations and analytics of the performance of actions for playbooks, versioning of playbooks, the ability to rollback to a previous version of the playbook
  4. Machine learning methods are used in Siemplify to prioritize cyber incidents (taking into account previously recorded false-positives), to assign the most appropriate information security analyst to an incident, and to recommend optimal further steps in response
  5. Role-based model of access control with the ability to prohibit/allow certain actions within playbooks
  6. Cyber incidents knowledge base
  7. Data visualization on dashboards, reporting, ISMS performance metrics (ROI, KPI)
  8. Advanced Multitenancy support for MSSP providers and commercial SOCs.

3.20.  SIRP

The SIRP product was created by SIRP Labs Limited, a British company with offices in London and Chicago (USA), which, according to press releases, works mainly with clients from the Middle East. The product is positioned as a risk-oriented SOAR platform.

Key features of the solution:

  1. More than 450 automated actions out of the box, more than 100 integrations, the ability to create a new API integration for free in 72 hours with the help of a vendor
  2. No-code graphical editor for playbooks and workflows
  3. Built-in cyber risk scoring system for accounting the risk of incidents, warnings, vulnerabilities and prioritizing them according to the S3 method (SIRP Security Score) using machine learning methods, the ability to customize for the risk management framework of a particular organization
  4. Using vulnerability databases, cyber intelligence data, and risk scoring to handle vulnerabilities
  5. Automatic logging of actions, reporting, dashboards
  6. Integration with TI feeds
  7. MSSP support: Multitenancy, hybrid installation (on-prem and in cloud infrastructure), web portal for MSSP customer access.


In 2018, Splunk Inc. completed the acquisition of Phantom Cyber Corporation developed the Phantom SOAR solution. The SOAR platform has been owned owned by Splunk and was named Splunk Phantom. Current version of Splunk Phantom: 4.10.1. The documentation is publicly available. The solution also has a Community Edition and an online community. Splunk Phantom is built on the open-source Python Django framework.

Supported installation options:

  • cloud installation (AWS)
  • virtual application (VMware, VirtualBox)
  • installation on an existing server (RHEL 7.6, CentOS 7.6).

System requirements:

  • 4-8 CPUs
  • 16-32 GB RAM
  • 500 GB for a PostgreSQL database, 500 GB for an embedded Splunk database, 500 GB for storing files in a disk subsystem

Key features of the solution:

  1. Graphic Playbook Editor (VPE, Visual Playbook Editor)
  2. Python IDE support for creating workflows
  3. A large number of preset function blocks for use in playbooks with the ability to customize and create custom objects
  4. Support for more than 300 IT / Information security systems and almost 2000 API integrations. Integration with IT / Information security systems at a high level of abstraction, "transparent" for analysts. The ability to create custom integrations in Python. Full integration with the Splunk platform
  5. Integration with the Splunk Machine Learning Toolkit
  6. iOS platform support for Phantom
  7. Tools for co-incident handling, interaction, information exchange.

Splunk Phantom core modules:

  1. Phantom Investigations for operational work with cyber incidents (viewing incidents, data, ongoing operations)
  2. Phantom Emission Guidance: recommendations for handling incidents based on the information available in the platform, configured integrations, and playbooks
  3. Activity Feed: displays the progress of response actions with details for easy collaboration between analysts
  4. Incident management for investigation of confirmed cyber incidents and recording of completed actions
  5. Maintaining guidlines and templates for responding to incidents.

The core components of the Splunk Phantom system are:

  1. Application – a connector to an IT / Information security system that is connected to Phantom. It should be taken into account that when the application is running, it has full access to the OS on which the Phantom is running without any restrictions.  The JIT (Just-in-Time) credential usage tool is also supported, in which credentials for accessing a third-party system are entered directly at the time of the task execution
  2. Container is an Information security event sent to Phantom. Labels are used to group containers
  3. Case — a type of container containing other containers interconnected in a certain way, for example, related to the same Information security incident. The cases contain phases and tasks for handling cyber incidents
  4. Artifact — data added to the container, for example, file hash or IP address
  5. Playbook — a set of automation tasks that are performed with incoming events in the Phantom. Starting a playbook can be part of a workflow that is configured in a Workbook
  6. Workbook — a template with a list of standardized actions that an analyst performs when handling a cyber incident
  7. Action — a task that is performed automatically in playbooks or manually from the Phantom web interface, for example, saving a process memory dump, blocking an IP address, shutting down the server, etc.

3.22.  STORM

STORM is a SOAR system of the German company OTRS Group, the creator of the OTRS (Open-source Ticket Request System) solution — a system for processing ticketing, which has been present on the market for more than 20 years. The OTRS product also has a Community Edition hosted in a GitHub repository. In addition to STORM, the OTRS Group portfolio of solutions also includes the CONTROL product – an information system for ensuring ISMS compliance with the ISO / IEC 27001 standard, which allows automating and documenting some of the tasks related to compliance, audits, risk assessment of information security, asset management, and maintaining an internal knowledge base. Current version of STORM: 8.0. The documentation is publicly available.

Key features of the solution:

  1. Support for encryption and signature of email and requests (tickets) (S/MIME, PGP) with support for TLP privacy tags
  2. Support for scripts for integration, integration via WebAPI, integration with SIEM systems
  3. Integration with providers of TI information (IP addresses, vulnerability bulletins, VulnDB vulnerability catalog, VirusTotal). Updating indicators of compromise in tickets in real time.
  4. Customizing the design of tickets and the list of tickets, setting up notification methods and planned response time
  5. Executing shell scripts on remote systems with updating the ticket fields with the results of the script execution
  6. Search and correlation for specific fields (for example, IP addresses and hash value) in previously opened tickets
  7. Documenting actions and incidents.

Stages of using STORM:

  1. Identification of an incident (for example, one that came from SIEM), setting up a case
  2. Prioritization and categorization of cases (incidents)
  3. Diagnostics and case enrichment: aggregation and centralization of data from integrated systems and TI-feeds
  4. Response: notification of all interested participants in the process, centralized storage of updated information about the incident
  5. Closing the case: documentation of all response actions in a non-editable form for possible future forensic assessment.


Swimlane SOAR is a product of the American company Swimlane presented in the US, EMEA and APAC markets. The company positions itself as the largest American independent vendor-neutral vendor of SOAR solutions, focused on SOC centers and MSSP providers. In April 2020, Swimlane bought Syncurity which was developing its cyber incident investigation platform. Current version: 10.2.0. The documentation for the solution is publicly available, there is also a marketplace with a list of integrations and connection documentation for each system.

The solution supports installation on physical and virtual infrastructure and on cloud IaaS platforms. Support for multitenancy, fault tolerance and high availability. Swimlane uses MongoDB DBMS and Microsoft IIS web server.

Key features of the solution:

  1. Plugins: integration with more than 150 IT / Information security systems and solutions
  2. Applications: Sets of visual elements, workflows, and their stages used to simplify incident investigation
  3. Applets: components of applications that can contain visual elements
  4. API Designed Architecture
  5. Case management module
  6. Reporting and visualization
  7. Sending email notifications
  8. Dashboards
  9. Management of incident handling using graphical workflows and playbooks with automatic response and manual interaction
  10. Visual display of the KPI and ROI indicators.


ThreatConnect is an American cyber intelligence company with offices in the US and UK. ThreatConnect is a platform that combines solutions for managing cyber risks, managing cyber intelligence data, and a SOAR solution. There is open source documentation for developers, as well as a GitHub repository. There is also a knowledge base and a virtual Threat Connect center.

System requirements for installing ThreatConnect Environment Server:

  • 4 CPU
  • 4 GB RAM
  • 10 GB disk subsystem.

Software environment requirements:

  • ОС: RHEL 6,7 or CentOS 6,7
  • Java 11
  • Python 3.6 for Linux

Key features of the solution:

  1. Close integration with cyber intelligence data collected by ThreatConnect, including the global indicator collection system – ThreatConnect's CAL (Collective Analytics Layer).
  2. Graphic editor for playbooks and workflows, including pre-configured ones
  3. Integration with more than 100 IT / Information security products, including two-way integration with SIEM systems (Micro Focus ArcSight, Splunk, IBM QRadar, LogRhythm, RSA NetWitness, FortiSIEM, McAfee ESM)
  4. Collaboration platform for analysts on cyber incidents
  5. Correlation and grouping of incidents based on identified artifacts, indicators of compromise, TTPs
  6. Access to REST API ThreatConnect API is provided, data is transmitted in JSON format
  7. Developer access to ThreatConnect Exchange App Framework for building apps, integrations, playbooks, access to the GitHub repository, developer guides
  8. Integration with MITER ATT & CK matrix with classification of detected indicators of compromise and TTPs
  9. Interaction and collaboration tools (built-in and from a set of integrations)
  10. Integration with the ThreatConnect Risk Quantifier cyber risk management system to prioritize incidents and vulnerabilities
  11. Role-based access control


Tines is an Irish start-up with offices in the US and UK, and it is the developer of the Tines SOAR solution. The documentation is publicly available. The Tines SOAR product can be installed in the cloud and on-prem infrastructure.

Key features of the solution:

  1. The workflow is called a story
  2. Universal API connector to external systems, about 90 integrations at the moment, including integration with collaboration and messaging systems
  3. Graphical no-code workflow editor
  4. More than 1000 preset actions
  5. Debugger (Story Runs) for workflows with the ability to view and analyze the executed automatic actions
  6. Actions in the "stories" are performed by one of 7 connectors (agents): an email agent for sending messages, an agent for transforming internal events, an HTTP agent for exchanging data via REST API, an IMAP agent for receiving messages, a trigger agent for making decisions, Webhook agent for receiving information from third-party systems, agent for sending information to another story
  7. Cases are processed as JSON objects
  8. Reporting, logging of performed actions
  9. Role-based access control model (only two roles – administrator and user).



The developer of the ePlat4m Security GRC product is the Yekaterinburg system integrator "Information Technologies Company" LLC (KIT LLC). The ePlat4m Security GRC Security solution implements the functionality of automating the response to cyber incidents in the Information security Incident Management module. The module allows automating the processes of registration and processing of Information security incidents, creating alerts, storing statistics and results of investigations.  In addition to the incident response module, the product also contains the "GosSOPKA Center" module for interacting with NCCCI. The documentation is in the public domain, but there is no full description of the incident response tool. Thus, which we can conclude that this functionality is still under development.

Certificates of the ePlat4m Security GRC system:

  • The product is included in the Unified Register of Russian Programs for Electronic Computers and Databases.

Key features of the solution:

  1. Creation of incidents manually or automatically by interacting with connected systems
  2. Using integration adapters to interact with external data sources
  3. Creating and editing cyber incident response plans
  4. Providing tools for dealing with information security incidents
  5. Sending notifications by email, assigning responsible persons
  6. Customizable lists, reports, dashboards, display of incident statistics
  7. Role-based access control.


Jet Signal is a product of the domestic IT company "Jet Infosystems", which can be used to manage Information security incidents. The Jet Signal system was probably created for a specific customer. There are no mentions of the companies that use the system. The documentation on Jet Signal, which is publicly available on the official website, dates back to 2016. The system has certificates of compliance with security requirements.

Certificates of Jet Signal:

  • Certificate of state registration of computer programs 
  • Certificate of compliance with Information security requirements for control level 2 UF (Undocumented features) and RDF (Real and documented features) according to the certification system of the Ministry of Defense of the Russian Federation.

The Jet Signal system operates on the basis of Astra Linux OS, Apache web server, PHP, PostgreSQL DBMS, RabbitMQ.

Key features of the solution:

  1. Manual and automated incident management, import of incidents from SIEM and other IT / Information security systems
  2. Creating response plans for typical Information security incidents
  3. Classification, prioritization of incidents in manual mode without a graphical workflow/playbook editor
  4. Monitoring compliance with standards for incident handling, logging of performed actions
  5. task-setting and performance monitoring in a single software interface
  6. Maintaining a knowledge base, lists of normative documentation
  7. Collaboration and interaction tools, news feed.

4.3. R-Vision IRP

The R-Vision IRP product was created by R-Vision to automate actions for monitoring, processing and responding to cyber incidents. The company also develops solutions for analyzing the state of cybersecurity and detecting anomalies (R-Vision SENSE), for detecting attacks using traps and honeypots (R-Vision Threat Deception Platform), for creating monitoring centers for GosSOPKA (R-Vision IRP for GosSOPKA) , for cyber intelligence data management (R-Vision Threat Intelligence Platform), as well as for centralized Information security management (R-Vision Security GRC Platform). R-Vision is registered on the foreign market of IRP-products under the Defensys brand. Current version of the R-Vision IRP product: 4.5. Product interface: Russian, English. The documentation is in Russian and English and it is provided by the vendor.

Certificates of the R-Vision IRP system:

  • The product is certified by the FSTEC of Russia according to the 4th level of trust
  • The product is included in the Unified Register of Russian Programs for Electronic Computers and Databases.

Supported installation options:

  • Installation on physical and virtual infrastructure (support for VMware, VirtualBox, Hyper-V, Xen, Parallels)
  • All-in-one support
  • Installing distributed connectors.

System requirements:

Management server:

  • 1–22 CPUs
  • 8 – 32 GB RAM

DBMS Server:

  • 1 – 16 CPUs
  • 8 – 24 GB RAM

Collector (recommended parameters):

  • 4 CPU
  • 8 GB RAM

Software environment requirements:

Management server, collectors:

  • CentOS 7, RHEL 7, Astra Linux CE 2.12, AltLinux Alt 8 SP

DBMS Server:

  • Ubuntu 14/16, CentOS 7, RHEL 7, Windows Server 2012/2016, FreeBSD 11


  • PostgreSQL v10 and later.

Key features of the solution:

  1. Pre-configured integration with IT / Information security systems (such as SIEM systems IBM QRadar, Micro Focus ArcSight ESM, MaxPatrol SIEM, McAfee ESM, FortiSIEM), as well as integration with arbitrary systems via SSH, SOAP, REST API, LDAP, MySQL, MSSQL, PostgreSQL, Oracle DB, Windows cmd, PowerShell, snmp
  2. Graphic editor for playbooks (response scenarios), manual and automatic launch of response scripts
  3. The ability to create an incident from the vulnerability management module, manually, based on an event from external systems
  4. The connection of incidents with each other, with assets, tasks; the connection of response scripts with assets, with the values of the incident fields
  5. Support for creating automation scripts on Windows cmd, PowerShell, Linux Shell in the proprietary R-Vision format
  6. Boolean criteria for assigning response scenarios to certain types of cyber incidents, launching a scenario when creating or modifying an incident, setting expected response time metrics (date)
  7. Support for various types of response actions: notification, task setting, assignment of responsible persons, change of incident properties, script (execution for the devices specified in the incident or for all devices of a certain type, recording the execution result in the incident fields), solution (manual with a custom choice, automatic when a set of boolean conditions is met, a new action), requesting information from the user, sending data to HP SM, requesting information to IBM QRadar or Micro Focus ArcSight ESM, scanning the equipment specified in the incident, launching a connector to IT / Information security systems and creating attachments to incident as a result of the connector operation, sending the incident to ASOI FinCERT, cyclic action (one of the above)
  8. Support for working with the R-Vision system via the REST API
  9. Sending data to ASOI FinCERT (JSON format), the ability to create an incident according to the form 0403203 of the Central Bank of the Russian Federation
  10. Text search for response scenarios with boolean operators;
  11. Role-based access control
  12. Fault tolerance, high availability
  13. Multitenancy support.


Security Vision Incident Response Platform (IRP/SOAR) was created by the Group of Companies Intellectual Security Group to automate actions to respond to cyber incidents. The Security Vision cybersecurity platform includes several products: cyber incident response (Security Vision IRP / SOAR), compliance management and IS control (Security Vision SGRC / auto-SGRC), ensuring the security of critical information infrastructure and work with GosSOPKA (Security Vision CII), building SOC centers (Security Vision SOC), cyber risk and operational management (Security Vision CRS). In the foreign market of IRP products, the GC is presented under the Security Vision brand. Current version of the Security Vision SOAR product: 5.x. Product interface: multilingual. The documentation is in Russian and English and it is provided by the vendor.

Certificates of the Security Vision IRP/SOAR system:

  • The product is certified by the FSTEC of Russia according to the 4th level of trust and TC
  • The product is included in the Unified Register of Russian Programs for Electronic Computers and Databases.

Supported installation options:

  • Installation on physical and virtual infrastructure (ISO image, software application, VMware support, VirtualBox, Hyper-V, Xen, Parallels, KVM)
  • All-in-one support
  • Installing distributed connectors.

System requirements:

Control server:

  • 1-12 CPUs
  • 4-16 GB RAM
  • 500 GB disk subsystem.


  • 1-2 CPUs
  • 2-4 GB RAM
  • 1 GB disk subsystem.


  • 1-16 CPUs
  • 4-16 GB RAM
  • 2 TB disk subsystem

Software environment requirements:


  • Windows (Windows Server 2012 R2 and later)
  • Linux CentOS 7 and later
  • RHEL 7 and later
  • Ubuntu OS 14.04 or later
  • Astra Linux
  • ALT Linux
  • FreeBSD


  • MS SQL (SQL Server 2016 and later)
  • PostgreSQL 9.5 and later.

Key features of the solution:

  1. More than 80 preset integrations with IT / Information security systems (including two-way), integration with such SIEM systems as IBM QRadar, Micro Focus ArcSight ESM, McAfee ESM, RSA NetWitness, the ability to quickly connect to Information security systems and any IT/OT system. Integration with IT / Information security systems at a high level of abstraction, "transparent" for analysts
  2. Preconfigured integration with state and industry centers for responding to computer incidents – FinCERT, NCCCI
  3. Integration and connection to external IT / Information security systems using connectors with support for API (REST, SOAP); via DNS, HTTP, HTTPS, IMAP, MS RPC, NetFlow, POP3, SMTP, SNMP, SSH, SSL, Syslog, TLS; access to Active Directory directory services and MSSQL, MySQL, Oracle, PostgreSQL DBMS; work through mechanisms Windows cmd, Powershell, WMI, interpreters: Linux Shell, Python, Java, Java Script,
  4. Graphical connector editor, which can create custom connectors to external systems
  5. Graphical editor of response processes. Performing response actions depending on the fulfillment of boolean conditions
  6. Customizable user workstation (menu, menu sections, data content of the menu section) depending on the role in the system and processes
  7. Data visualization: a geographic map showing assets and incidents, dashboards, reports, creating a graph of relationships of entities that appear in a cyber incident
  8. Providing automatic control of compliance with regulatory requirements based on the auto-SGRC technology
  9. Content-role model of access control, granular granting of access to user roles to modules, sections, lists, views, individual properties of incidents, tasks, etc.
  10. The ability to expand functionality on a single platform with functional modules: asset management, risk management, vulnerability management, compliance management, etc.
  11. The ability to create personal modules and Information security management processes, which are not limited to preset functional modules
  12. High availability, fault tolerance
  13. Multitenancy support.


The SOAR functions are implemented in the context of network security in the UserGate 5 products — Russian NGFW (Next Generation Firewall) with IDS/IPS modules, VPN gateway, SSL inspection, reverse proxy, antivirus, email protection, statistics collection, and support for IS event analysis (SIEM functionality).

The solution is delivered as a hardware or software application (support for VMware, Hyper-V, Xen, KVM, OpensStack, VirtualBox).

Certificates of UserGate 5:

  • Certified by the FSTEC of Russia according to the requirements for the protection profiles of firewalls of type A and B of the 4th protection class
  • Certified by the FSTEC of Russia according to the requirements of intrusion detection systems of the 4th class of protection and the 4th level of trust.

The ability to set scenarios for responding to events recorded in NGFW is implemented as follows: scenarios are written as rules on the NGFW, which are triggered when pre-defined conditions (i.e. events) occur and are valid for a certain time period for a user or a group of users.  For example, blocking traffic for a certain user when an IDS signature is triggered, when a certain type of traffic is detected (for example, file sharing), when trying to access a phishing web resource.

Automatic prioritization of incidents is supported, which depends on the danger of detected events. It also supports interaction with UserGate Log Analyzer – software-hardware applications for analyzing IS events, monitoring, reporting and statistics.


Thus, this analysis of SOAR platforms and systems for responding to cyber incidents presents 34 different solutions: free and commercial, Russian and foreign.

As part of the analysis of SOAR platforms, we propose not to attach any significance to the number of integrations of any solution with external IT / Information security systems at the moment, since the list of supported products is updated by vendors almost daily. It is better to pay attention to the tools and protocols supported by the product in order to be able to quickly integrate (independently or with the help of a vendor) with the systems used in your infrastructure. According to the same reasons, one should not focus on the number of pre-configured workflows and playbooks, it is better to pay attention to the ability and convenience of creating personal custom response scenarios that will correspond to the order of handling cyber incidents directly in your organization.

All of the free solutions presented in our review may meet some of the needs of small Information security departments regarding collaboration tools and partial automation of cyber incident response processes, but we still consider the Cyphon and TheHive products to be the leaders among open source solutions. In addition, some vendors offer free Community Edition of their commercial products: FortiSOAR, PaloAlto Cortex XSOAR, Siemplify, Splunk Phantom, Tines SOAR. This can be useful for those teams that find the license and functional limitations of such versions acceptable.

Commercial foreign SOAR platforms can be roughly divided into complex solutions integrated into SIEM systems or IT platforms, and into specialized products that are not tied to any platform or ecosystem. For example, such solutions as Cisco SecureX, Fortinet FortiSOAR, IBM Security SOAR, LogRhythm RespondX, Micro Focus ArcSight SOAR, Rapid7 InsightConnect, RSA NetWitness Orchestrator, ServiceNow Security Operations, Splunk Phantom have very wide functionality, but their performance is guaranteed only when working as part of the corresponding ecosystems. D3 SOAR, Siemplify and Swimlane can be highlighted among the specialized products of vendors, which have wide integration and functionality. It is also important to pay attention to startups (Blumira, Cyware, Tines), which can become major players in 1-2 years and begin to compete with well-known developers of SOAR solutions.

The analysis of Russian SOAR platforms has shown that there are actually only two full-fledged and actively developing solutions for managing cyber incidents on the domestic market: R-Vision IRP and Security Vision IRP/SOAR. Both players compete in both the IRP segment and the SGRC segment of the market. Both offer complete platforms for end-to-end Information security management: asset management, vulnerability management, cyber incidents, cyber risks, cyber intelligence data, and regulatory compliance. Both products are certified by the FSTEC of Russia and can be used to provide Information security in significant objects of CII of the 1st category, in the GIS of the 1st security class, in the ISPD with the 1st level of personal data protection.

The R-Vision portfolio includes a cybersecurity analysis and anomaly detection product – R-Vision SENSE. Security Vision includes a module for working with BigData, which uses Machine Learning and Artificial Intelligence methods to automatically respond to cyber incidents.

The R-Vision portfolio includes the Threat Deception Platform, a product for detecting attacks using honeypots and traps. Security Vision has a module for operational risk management in accordance with 716-P. It is worth noting the proprietary Security Vision Auto-SGRC technology, which allows integration with almost all existing IT / OT systems and receiving Information security events from them, sending control commands to change the configuration, performing actions to search, contain, eliminate cyber threats and restoring systems into a pre-incident state.

In general, both domestic and foreign markets for SOAR platforms are still far from saturation. New players and new exciting features are coming. Cyber intelligence data processing systems, cyber threat detection, anomaly analysis, EDR and XDR solutions are widely used in responding to Information security incidents, the results of which complement the capabilities of IRP / SOAR platforms. It can be concluded that SOAR solutions can bring significant benefits both in terms of reducing the response time to cyber incidents and, consequently, reducing the potential damage from a cyber attack, as well as in terms of reducing the routine for Information security analysts to free up their valuable time resource for more interesting tasks and reduce staff turnover.