AI capabilities in security orchestration, automation, and response (SOAR) aim to automate security operations centers (SOCs), reducing human tasks and increasing efficiency. Several types or subsets (e.g. machine learning) of AI are employed in the SOC. Three of the most prevalent applications are outlined below:
- Gen 1 (mid-2010s) – AI analytics: Around 2015, the first SOAR tools began incorporating AI capabilities, particularly for analytics. These early platforms broadly fit the definition of artificial intelligence and used machine learning to make statistical analyses for:
- Identifying patterns
- Detecting anomalies in threats
- Gen 2 (2020-2023) – GenAI: SOAR with GenAI machine learning capabilities developed in 2020, and widespread deployment began in 2023. These tools had AI-driven no-code interfaces that allowed analysts to make conversational commands via chatbots & co-pilots for:
- Querying systems
- Searching logs or escalating incidents
- Triggering incident response
- Generating reports
- Gen 3 (2023-to date) – AI agents: AI agents in cybersecurity started appearing in the market in 2023. These solutions offer a proactive approach to automating tasks and producing complete work units without human intervention. They offer incident response AI agents and can be used in several SOAR use cases, including:
- Tier 1 (Initial Threat Identification): Automating triage and investigation.
- Tier 2 (Action-Based): Isolating affected systems and removing malware.
Some SOAR vendors offering GenAI tools (Securonix, Splunk Enterprise Exabeam) initially offered products only with AI analytics, Later, they incorporated GenAI tools into newer versions. These tools include Securonix EON, Splunk AI Assistant, and Exabeam Copilot.
Gen 1 (mid-2010s): AI analytics in SOAR
Early SOAR platforms used AI capabilities to optimize analytics, leveraging machine learning algorithms for statistical analysis, behavioral modeling, and anomaly detection.
The primary focus was on threat intelligence & hunting, improving the ability to identify threats more efficiently than traditional rule-based systems. These platforms had static playbooks, implementations (which often required coding), and significant maintenance requirements.
- What it does for the security operations center (SOC): Detect potential threats.
- When it is used: Pre-detection stage.
Use cases of AI analytics in SOAR applications
Most companies utilize machine learning analytics in SOAR applications for fundamental use cases such as user Behavior Analytics (UBA), phishing attack detection, and credential stuffing detection.
Some companies used them beyond simple use cases, such as:
- Threat intelligence and correlation
- Initial triage of security alerts
- Sending automated alerts
1. User behavior analytics (UBA)
AI-driven analytics in SOAR leverage machine learning to analyze user activity patterns to identify deviations that could indicate malicious behavior or compromised accounts. By continuously monitoring user behavior, it can flag abnormal activities, such as:
- Accessing restricted areas
- Logging in at unusual hours
- Accessing sensitive data
Real-life case study: Bank One uses Darktrace’s AI-driven user behavior analytics (UBA)
Bank One leverages Darktrace to detect anomalous activity in email communications. Darktrace analyzes user interaction patterns with emails and identifies deviations from normal behavior to detect phishing and impersonation attempts.
2. Phishing attack detection
AI-driven analytics in SOAR can evaluate incoming emails for known phishing characteristics, such as:
- Suspicious links
- Unusual attachments
- Malicious domain names
Real-life case study: Barracuda Networks uses AI analytics for phishing attack detection
Calgon Carbon, an industrial manufacturing company, leverages AI analytics in SOAR for phishing attack detection. The company analyzes logs from various sources to identify suspicious patterns associated with phishing attacks, such as unusual login attempts or unauthorized access.
3. Credential stuffing detection
AI-driven analytics in SOAR can be used in credential stuffing detection to identify suspicious login patterns like:
- Rapid failed login attempts from different locations
- Unusual IP addresses, or a high volume of logins within a short time frame
This lets security teams quickly investigate and take necessary actions like account lockouts or further verification steps.
Real-life case study: Canadian food chain prevents credential stuffing
Canada’s largest retail pizza chain uses machine learning to automatically detect attacks, eliminating the need for analysts to manually identify and piece together signs of an impending threat.
Example vendors
AI analytics tools: Early-stage SOAR vendors (AI analytics tools) laid the foundation for more autonomous tools, which would evolve to incorporate generative AI (genAI).
- Abnormal Security: Offers AI-powered email security solutions, focusing on phishing and email anomaly detection.
- Darktrace: Leverages machine learning and AI analytics to detect cyber threats by analyzing network traffic and other data points.
SOAR tools (with embedded AI analytics):
- Securonix: Securonix initially introduced AI-powered analytics for behavioral analysis and threat detection, and launched the AI assistant Securonix EON in 2024.
- Exabeam: In 2015, Exabeam launched its platform with AI-driven user behavior intelligence tools, then added GenAI capabilities to its platform with Exabeam Copilot in 2025.
- Splunk Enterprise: In 2018 Splunk began offering AI analytics with Splunk Enterprise 7.1 to identify threats through statistical models and correlation. In 2023 Splunk released Splunk AI Assistant.
Gen 2 (2020-2023): GenAI in SOAR
Gen 2 SOAR platforms with GenAI capabilities improved workflow efficiency by allowing analysts to interact with systems using natural language via chatbots and a co-pilot is a helper tool, often with a chatbot interface built on top of a large language model, quickly access relevant information, and receive guidance on the best course of action.
These platforms offer no-code, drag-and-drop editors, and extensive playbook libraries, helping to automate multi-step workflow execution
- What it does for the security operations center (SOC): Assists analysts with their tasks in the security operations center.
- When it is used: Typically used in the post-detection stage to aid in further analysis and decision-making.
Use cases of GenAI in SOAR applications
1. Initial triage of security alerts
GenA in SOAR querying systems searching logs, network traffic, and related events. It extracts key details, such as:
- Attack vector (e.g., email phishing).
- Affected systems (e.g., servers, endpoints, or user devices).
- Potential impact (e.g., data loss, unauthorized access).
Based on its analysis, it assigns an incident severity score based on the threat’s potential impact.
Real-life case study: Blackstone automates initial triage of security alerts
Blackstone uses its SOAR platform for the initial malware triage, integrating it with their security infrastructure. When an email malware alert is received, the SOAR platform automatically activates its playbook, which begins by querying the security information and event management (SIEM) system for relevant data. This included extracting key email details such as:
- The recipients of the email.
- Their associated business group, title, and location are from Active Directory.
This context helps analysts prioritize alerts based on the recipient’s role, and their potential impact, reducing the risk of oversight.
2. Threat intelligence with data correlation
GenAI in SOAR can correlate information from various sources b:
- Ingesting large volumes of security data from various sources including SIEM, threat intelligence, and endpoint data
- Using machine learning or deep learning algorithms) analyze the data to correlate data points
Real-life case study: Global retailer correlates threat data from multiple sources
A global retailer uses a SOAR platform with GenAI capabilities to correlate threat intelligence from various security tools to provide incident data and automate response workflows.
3. Alert generation and response
Once a threat is identified, GenAI in SOAR can:
Automated Alerting: Trigger automated alerts to security teams with relevant context, enabling them to assess and respond quickly.
Automated Response: Based on predefined workflows, initiate responses, such as:
- Blocking a malicious IP or user account
- Isolating an infected endpoint
Note that, GenAI relies heavily on data correlation and pattern recognition. Its decision-making process is based on historical data and statistical analysis to respond to threats. It is less proactive compared to agentic AI models.
4. Automatically generate reports
GenAI in SOAR can autonomously generate comprehensive incident reports from the logs, including:
- A description of the incident
- Time and date of occurrence
- Affected components or services
- Potential causes based on historical data
- Suggested remedial actions
Real-life case study: HCL streamlines security operations with automated report generation
HCL Technologies leverages ManageEngine’s Log360 SOAR tool for log management and reporting. The platform automatically transfers logs from various sources to a central repository where they are parsed, indexed, and analyzed to generate detailed reports.
5. Predictive recommendations
GenAI in SOAR platforms helps analysts by suggesting actions for handling security incidents based on alert and log analysis. It can recommend steps for containment, remediation, or further investigation, making it easier for analysts to decide how to respond.
Real-life case study: PSCU reduces downtime with predictive SOAR insights
PSCU, the largest credit union service organization in the United States, leverages Splunk Enterprise (along with their natively integrated SOAR capabilities) to receive predictive insights related to IT operations, security events, and system health monitoring.
6. Natural language interaction (chatbots)
With Gen AI-driven SOAR tools, analysts started interacting with the SOAR platform using conversational AI (chatbots) instead of manually navigating complex dashboards or code scripts.
Real-life case study: IBM Security SOAR offers a chatbot for incident response
IBM Security SOAR has integrated its Watson AI assistant with genAI capabilities to allow analysts to interact with the platform using natural language commands.
Instead of manually sorting through security alerts and triaging them one by one, analysts can simply type a command like “Analyze last 24 hours of alerts for high-priority threats”.
7. Use drag-and-drop & no-code editors
GenAI in SOAR tools enables no-code, drag-and-drop interfaces for building and automating incident response playbooks. These interfaces help non-technical users create and customize their automation workflows, significantly reducing reliance on specialized security engineers.
Real-life case study: Jams uses playbook automation & no-code editors
Jamf, an IT services company specializing in solutions for the Apple environment, dramatically improved its security operations with Tines’ SOAR platform. By leveraging Tines’ drag-and-drop interface, Jamf’s non-technical analysts could streamline their phishing response without requiring any coding expertise.
Key impacts:
- Workflow build time was reduced by 95%, from a week to just one or two hours.
- In the first month alone, the team saved 150 person-hours.
- They expanded automation to 4x more team members, enhancing cross-functional collaboration and speeding up the development of security processes.
Example vendors
SOAR tools with genAI capabilities were developed in 2020, and widespread deployment began in 2023.
- Microsoft Security Co-pilot: Automates threat investigation, provides contextual insights, and prioritizes incidents based on severity. Analysts interact with the platform via natural language to receive insights on attack vectors, impacted systems, and recommended remediation steps.
- SentinelOne Purple AI: Offers a co-pilot functionality that facilitates the automation of complex workflows such as isolating compromised systems or triggering additional scans.
- Splunk’s AI Assistant: An AI chatbot that offers a chat experience to help you translate a natural language prompt into a Splunk query that you can execute. It is Splunk’s first offering powered by generative AI, released in 2023.
Gen 3 (2023-to date): AI agents in SOAR
AI agents in SOAR operations function as autonomous decision-makers capable of monitoring networks and analyzing data.
- What does it do for the security operations center (SOC): Increases SOC productivity by automating significant portions of work.
- When does it happen: Post-detection, performing analysis, and decision-making previously handled by human SOC analysts.
AI agents offer a more proactive and autonomous than genAI, for example:
- A GenAI-based system might generate incident reports, draft response strategies, or create summaries from raw data and events.
- An Agentic AI system could block a malicious IP, isolate a compromised endpoint, or enforce security policies automatically without human oversight.
Use cases of AI agents in SOAR applications
1. Automated triage and investigation
Agentic AI agents can identify security alerts before they reach human analysts. Unlike, GenAI, They can fully automate triage and investigation operations by mimicking human SOC routines and decision-making, performing tasks such as:
Alert deduplication: Automatically filters out duplicate alerts to reduce system noise.
Alert grouping: Groups-related alerts based on impacted assets (e.g., endpoints, servers) for better analysis.
Alert enrichment: Adds valuable context to alerts, including:
- IOC Enrichment: Cross-references IPs and file hashes with threat databases for further insight.
- Machine enrichment: Provides system-specific data like OS version and patch status for clearer understanding.
- Account enrichment: Gathers user-specific data, such as login activity and privileges, to add depth to alerts.
2. Automated response execution
AI agents can automatically apply predefined security policies, such as blocking an infected endpoint or disabling a compromised user account.
Isolating compromised endpoints: Disconnecting infected devices from the network to prevent further spread.
Blocking malicious IP addresses: Adding identified malicious IPs to a firewall blacklist to prevent connections.
Quarantining malicious files: Moving suspicious or infected files to a secure, isolated location for analysis.
Disabling compromised user accounts: Suspending accounts exhibiting abnormal behavior to prevent unauthorized access.
3. Adaptive threat hunting
Unlike GenAI, which is typically reactive and generates insights or suggestions based on historical data, Agentic AI can adapt and respond to evolving threats in real-time by:
Decomposing alerts: Classifying indicators into:
- Basic elements like IPs, domains, emails, and file hashes.
- Data-derived information like malware size or encoded strings.
Searching basic elements and data-derived information: Creating queries to retrieve data on basic elements (like IP addresses) and data-derived information (such as malware file sizes) from SIEMs and other security tools.
Analyzing behavior: Connecting behavioral indicators with frameworks like MITRE ATT&CK to map network activity and search historical data across connected systems.
4. Automated policy enforcement
Based on new regulatory changes or internal security policies, AI agents update policies and continuously enforce them across systems without manual intervention by:
Continuously monitoring systems for compliance with regulatory controls: (e.g., GDPR data retention, HIPAA access rules).
AlertIing and remediating policy violations: (e.g., a user accessing sensitive data without the proper credentials).
Enforce security policies:
- Restricting unauthorized access
- Ensuring encryption,
- Applying data classification rules.
Leveraging adaptive policy authentication: Enforces multi-factor authentication (MFA) or additional authentication checks when suspicious activities or risk factors are detected.
5. Generating real-time reports
AI agents use past incident data to incorporate lessons learned into the organization’s knowledge base for better incident reposting.
Agents can automatically update dashboards with real-time metrics and generate incident summary reports by:
Impact assessment:
- Automated incident timeline creation: Generating a timeline of key events, including attack detection, compromise points, and resolution.
- Data enrichment for reporting: Cross-referencing indicators of compromise (IOCs) with known threat actors for deeper analysis.
Data enrichment and analysis:
- Automated impact assessment: Assessing incident impact by measuring system uptime, identifying affected endpoints, and detecting data exfiltration.
- Action effectiveness evaluation: Reviewing triggered responses, and correlating actions with outcomes to evaluate the effectiveness of automated responses.
What is agentic AI?
Agentic AI refers to autonomous artificial intelligence systems that can perceive their surroundings, make decisions, and perform tasks. Unlike traditional rule-based automation, agentic AI adapts dynamically, optimizing methods based on real-time inputs.
Key features of agentic AI:
- Autonomy: Operates independently without constant human intervention.
- Goal-oriented behavior: Utilizes reaching particular objectives with minimum prompting.
- Context awareness: Uses environmental information to make informed decisions.
- Learning and Adaptation: Continuously evolves by learning from results.
In cybersecurity, this involves transitioning from reactive systems to proactive defensive mechanisms capable of mitigating threats before they escalate.
What is SOAR (security orchestration, automation, and response)?
SOAR (security orchestration, automation, and response) is a collection of compatible software applications that allows an organization to collect data on cybersecurity risks and respond to security events with little or no human intervention. Implementing a SOAR platform increases the efficiency of physical and digital security operations.
SOAR platforms include three main parts: security orchestration, security automation, and security response.
1. Security orchestration
“Security orchestration” refers to how SOAR platforms integrate and coordinate the hardware and software components in a company’s security system. Examples of connected systems:
- Vulnerability scanners
- Endpoint protection products
- User and entity behavior analytics
- Firewalls
- Intrusion detection and prevention systems (IDS/IPS)
- Security information and event management (SIEM) platforms
- Other third-party sources
2. Security automation
SOAR security solutions automate repetitive tasks like opening support tickets, event enrichment, and alert prioritization. They can also trigger actions from integrated security tools, streamlining complex security operations.
For example, when an endpoint detection and response (EDR) system detects suspicious activity on a laptop:
- The SOAR platform triggers a playbook.
- The playbook opens an incident ticket,
- The playbook enriches the alert with data from threat intelligence feeds and executes automated responses, such as isolating the infected endpoints.
- SOAR integrates with ticketing management systems to send a ticket to a security analyst for final resolution or further action.
3. Security response.
Security analysts may utilize SOARs to investigate and resolve events without switching between tools. SOARs, like threat intelligence systems, collect data and alerts from external feeds and combine them into a centralized dashboard. Analysts may combine data from many sources, filter out false positives, prioritize warnings, and identify the threats they are dealing with. Then, analysts can respond by activating the necessary playbooks.
