Best Practices for Evaluating a SOAR Solution and SOAR Vendor


As the final blog in this mini-series about the process you should go through when deciding upon a SOAR solution and SOAR vendor, this post will focus on the evaluation elements. Once you have outlined the problems you are trying to solve, your goals, and your must-have and would-like requirements, the stage should be set to begin evaluating.

Solution Evaluation

Defining a core set of questions which will be asked of each SOAR vendor is critical for obtaining an accurate, unbiased comparison of each solution. This process may be as formal as creating an RFx which will be sent to each vendor, or as informal as a list of questions which will be asked during a product demo. In either case, the questions should be established and agreed upon before the first solution is evaluated. Questions should focus on determining how well each solution will meet the project goals you defined at the beginning of this process.

Most mature SOAR solutions will provide a core set of features, such as a GUI workflow editor or ingestion of common protocols such as syslog. If any of these core functions are critically important for your use case, it may make sense to ask more detailed questions regarding these functions. In general, however, questions regarding these functions, such as “Do you support syslog?”, are unlikely to differentiate the solutions in any meaningful way.

With that in mind, here are some common questions that should provide some meaningful differentiation between SOAR solutions to assist in your evaluation:


  • What problems does the solution solve?

  • How does the solution solve these problems?

  • What are the solution’s primary differentiators?

  • What are some of the most common use cases current customers have implemented? What are some of the most unusual use cases current customers have implemented?

Automation & Orchestration

  • Does the solution allow human decisions to be made at critical junctions? How?

  • How does the solution orchestrate actions between different integrations?


  • How is the solution implemented?

  • How long does it take until the solution can be fully operational?

Incident Management

  • What incident management capabilities does the solution provide?

  • How does the solution support team collaboration and information sharing?

  • Does the solution support evidence management?


  • What product integrations does the solution support?

  • How many of your ‘must have’ integrations are on the list?

  • Are your specific integration use cases supported? (i.e. can you perform the actions you need?)

  • What is the process for getting a new integration added?


  • What pricing models are available?

  • What is included in the base price and what is considered an ‘add-on’?

  • Are professional services or consulting required to get up and running with the solution?

Reporting and Visualization

  • Does the solution provide the ability to generate custom reports and metrics?

  • Does the solution support customizable dashboards or other visualizations?

  • Does the solution allow you to record and report on custom attributes?

Remember, these are suggestions only. Each question you ask should be aimed at determining the product’s suitability based on one or more of your organization’s goals.

Vendor Evaluation

A SOAR solution should be considered a long-term investment. Once a SOAR solution is deployed and integrated into the security process, the rip-and-replace cost will be high. For this reason, it is important to evaluate the vendor of the SOAR solution, along with the solution itself. The vendor chosen should be one that can continue to provide both a leading SOAR solution and responsive customer service for the foreseeable future.

Questions to Ask a SOAR Vendor

Here is a list of common questions which can be used to provide meaningful differentiation between SOAR vendors:

  • How do you provide post-sales customer support? When is support available?

  • What is the process for customer feature requests?

  • How many customers do you have? How many customers in your industry?

  • Who are your competitors?

  • Do you offer any professional services or other services?

  • Do you have any case studies or customer references available?

  • How does the company contribute to the security community?

Objectively evaluating which vendor has the best solution is a process which should be tailored to each organization’s individual requirements. Although this blog outlines some suggestions for common questions which may be beneficial when evaluating SOAR solutions, it is important that each organization consider what questions will be most impactful based on the problems they are trying to solve.

We wish you the best in your search for a SOAR solution that meets your needs and would welcome the opportunity to show you why we believe DFLabs IncMan SOAR is one of the most efficient, effective and open SOAR solutions available today.

DFLabs believes it has one of the most open and industry-leading SOAR solutions available today, which is flexible enough to adapt to any use case, including those outside the traditional security operations space. Above all, here at DFLabs we are committed to making sure that all potential customers achieve the best possible solution to their critical security problems.
