As the intensity and sophistication of cyber-attacks and the complexity of business IT environments continue to increase, amid an ongoing worldwide shortage of skilled cybersecurity professionals and a growing number of data protection regulations, many organizations are looking to security automation as a potential solution.

As machine learning and other forms of artificial intelligence have matured, security automation has become increasingly practical. At the same time, it has become increasingly necessary to stem the tide of cyber-attacks that, thanks to the same AI technologies, are also becoming automated, faster, bigger, smarter, and stealthier.

In the age of increased state-sponsored attacks that can adapt to circumvent existing defense systems, cyber defenders need to automate security as much as possible to speed up incident response processes, improve accuracy, and deal with the high volume of known attacks through automated blocking, quarantining, and remediation so that security experts are free to concentrate on improving strategy, innovation, and proactively dealing with unknown threats.

Because threat detection systems may be registering hundreds of thousands and even billions of events a day, the only way these events can be analyzed to identify potential attacks is by using security automation to identify those events that need the attention of a security analyst.

By taking care of the high volume of known attacks and mundane, time-consuming tasks such as log processing, alert correlation, DNS lookups, searches for indicators of compromise, elimination of false positives, initial investigations, and generating reports and metrics, security automation frees up experts to focus on more interesting and challenging threats. It also helps to alleviate the cybersecurity skills gap and to ensure compliance with industry, state, and regional data protection regulations through automatic security policy enforcement.

Security automation also makes sense in the light of the increasingly complex hybrid business IT environments as organizations move to cloud-based services from multiple cloud service providers, with many retaining some on-prem legacy applications for the foreseeable future.

In fact, one of the biggest advantages of moving into the cloud is that it provides new opportunities for organizations to automate security due to the growing range of tools designed to automate security controls and operations. In the cloud, for example, there are tools to automatically configure instances and containers according to best practice standards, ensure consistent cloud services deployments and security configurations, tag assets based on security conditions, log everything in the environment, and monitor all IT assets and scan for vulnerabilities.

As traditional approaches to cybersecurity began failing in the face of increasingly frequent and sophisticated cyber-attacks, organizations have looked to security automation as a solution, starting with Security Information and Event Management (SIEM) tools. Then came second generation SIEMs that incorporated machine learning and evolved in parallel with Security Orchestration, Automation and Response (SOAR) products, which now complement or directly integrate with SIEMs to form the foundation of contemporary Security Operations Centers (SOCs) that are either in-house or outsourced through SOC-as-a-Service (SOCaaS) offerings.

SOARs are designed to centralize many of the SOC analyst's common and repetitive tasks, thereby decreasing the chance of errors and promoting efficiency. As the latest in the evolution of automated cyber defenses, we expect SOAR platforms to continue to mature and to see more organizations around the world either adding SOAR to their cybersecurity portfolios in the coming years, or outsourcing SOAR functionality to MSSPs.

Security automation is likely to become increasingly common practice to increase productivity of security teams as the technologies mature, and while it is worth investigating as an option to deal with modern cybersecurity challenges, it is always important to understand how the technology works, know its limitations, and to ensure that it is the best option for your organization before making a commitment.

The end goal of SOAR is being able to automate incident responses among the various security systems. To this end, SOAR platforms often support dozens to hundreds of playbook scenarios and offer hundreds to thousands of possible incident response actions.

— John Tolbert, Lead Analyst, KuppingerCole

Because we understand the importance of effective and efficient cybersecurity, and because we are committed to helping your business succeed, KuppingerCole has a great deal of content available in a variety of formats.


For everything from an overview of the SOAR market to guidance on how to find the solution that best meets your needs, have a look at this Leadership Compass on Security Orchestration, Automation and Response (SOAR) and its related Buyer’s Compass, which provides questions to ask vendors, criteria to select your vendor, and requirements for successful deployments.

To learn more about security automation in modern IT environments, have a look at this Leadership Compass on Container Security.

As mentioned previously, SOCaaS is an option for organizations looking to outsource their SOC function, with a growing number of service providers including security automation supported by ML and other forms of AI. To learn more, have a look at this Market Compass on Security Operations Center as a Service.


The adoption of cloud-based services presents various opportunities for security automation. To learn more, have a look at this Advisory Note entitled: Rising to the Security Challenge of Heavy Cloud Adoption.


If you would prefer to hear what our analysts have to say on topics related to security automation, listen to this Analyst Chat that covers SOC, SIEM, and SOAR in an episode entitled: The Alphabet Soup of Security Analytics or this Analyst Chat on how to achieve automation of management and security across the hybrid, multi-cloud IT environment entitled: Policies and Automation to Secure Your Agile and Dynamic IT Environment.

To learn more about what to expect from security automation, with specific reference to the financial sector, have a look at this partner presentation from the recent EIC conference in Berlin entitled: Security Automation in the Financial Sector: Research Findings, Best Practices, and Lessons Learned.

The topic of security automation has also featured at other past events, such as this panel discussion on Best Practices to Implement Security Automation and this keynote presentation on Improving Operational Maturity with an Automation First Strategy, which looks at how automating Identity and Access Management can evolve your operational maturity and strengthen your security programs.


Security automation has also featured in blog posts. For short, incisive perspectives on the topic from our analysts, choose from the following list:


The most relevant webinar on the topic is probably this one entitled: Are You Ready for Security Automation?, which looks at SOAR and why it is not only for large enterprises.

For a perspective on security automation in the context of EDR solutions, have a look at this webinar entitled: Effective Endpoint Security With Automatic Detection and Response Solutions, and in the context of API security, have a look at this webinar entitled: Why Continuous API Security Is Key to Protecting Your Digital Business.

Finally, have a look at this webinar on Improving Agility and Reducing Cyber Risks with Business-Driven Security Policy Management and Automation for guidance on finding the right balance between strong data protection and unhindered productivity across thousands of security controls.


As previously mentioned, the move to the cloud provides new opportunities for security automation. In fact, security automation is one of the important security criteria to consider when selecting a cloud service provider. To find out more, have a look at this White Paper entitled: Safeguarding Your Most Valuable Data: Five Key Criteria to Assess Cloud Provider Security.

This White Paper on Why Your Organization Needs Data-centric Security examines the topic of security automation from yet another perspective, setting out why orchestration and automation capabilities are required to enable efficient security operations at scale.

Tech Investment 

Organizations investing in technologies to support security automation can have a look at some of the related technology solutions that we have evaluated:
