Incident Response Solutions: In-House or Outsourced?

Back to all articles

incident response solutions

As the Security Orchestration, Automation and Response (SOAR) market continues to grow, with automation and orchestration being seen as valuable technologies by security teams, many vendors today offer a range of incident response solutions which security operations teams, in accordance with their security programs, can customize in-house or outsource via managed security service providers (MSSPs).

Gartner’s definition of SOAR is “technologies that enable organizations to collect security threats data and alerts from different sources, where incident analysis and triage can be performed leveraging a mix of human and machine power to help define, prioritize and drive standardized incident response activities according to a standard workflow. SOAR technology enables organizations to implement machine-driven incident analysis and response procedure workflows to automate repetitive security tasks until (or if) human intervention is needed.”

Enterprises are now implementing security operations automation and orchestration technologies, according to ESG analyst Jon Oltsik. Recent ESG research shows that 19 percent of enterprise organizations have adopted security operations automation and orchestration technologies extensively, 39 percent have done so on a limited basis, and 26 percent are part of a project to automate/orchestrate security operations.

One key thing I do want to point out is that there is a clear difference between SOAR and general orchestration and automation, which is often misunderstood (I explained this in a recent blog post). In this post though, I am referring to orchestration and automation as core components of SOAR.

Organizations that want to implement SOAR often have one question in mind – should they do this themselves, or outsource it to a managed security service provider?

Now, let’s focus on the advantages and challenges of each of these choices.

In-House Approach


  • Enables complete control of SOAR and integration with existing security infrastructure. SOC staff are able to customize APIs, other settings and so on to best meet the needs of the organization and the strengths of its IT staff.
  • Maintains system and data privacy, and eliminates risks associated with third-party security breaches.
  • Companies would avoid the risk of service provider lock if the vendor fails to meet the agreed performance and service.


  • It may require in-house expertise. If the organization doesn’t have the necessary resources, selecting an external vendor able to provide an easy to implement solution that caters for all of your security tool integration needs may be a better option.
  • For smaller companies and those with less mature security programs, the expenses associated with DIY SOAR can exceed those of a managed service, so using an MSSP is recommended.

Outsourced Approach


  • There’s no need for in-house expertise. By outsourcing on-demand services, companies aren’t required to hire or train additional headcount.
  • Additional resources aren’t necessary for implementation, management, and maintenance. A cloud-based SOAR solution delivers turnkey, automated services.


  • The organization will need to ensure the chosen MSSP is able to provide security of systems and data to avoid the risk of third-party breaches.
  • Organizations are obliged with a year-long or multi-year contract with an MSSP.
  • As with any outsourced service, an MSSP can contain some hidden or unanticipated costs. Other projects outside the scope of the service agreement (i.e. unanticipated on-site visits, for example) would mean additional, unforeseen expenses.
  • Not all MSSP customers are equal. Larger companies that represent a greater percentage of a service provider’s revenue are likely to be prioritized in comparison with smaller or mid-size customers.

Deciding between deploying SOAR in-house or to go for a managed security service provider often means taking several variables into consideration. First and foremost, this involves the maturity level of a company’s security program, the existing IT security infrastructure, the experience and expertise of security personnel and resources to train and/or hire new staff to support it.

By analyzing in-house and outsourced SOAR through this perspective, organizations can choose the method that is best suited to their individual needs.

DFLabs SOAR is available for both end users and MSSPs. If you would like to see IncMan SOAR live in action to better understand its features and capabilities and how it can integrate seamlessly into your existing security infrastructure, contact us today to arrange a personalized demo.

Get Started with a One-to-One Personalized Demo

Dramatically reduce the mean time to detection, response and remediation of all potential security incidents, ensuring no alert goes untouched.

See IncMan SOAR in Action.

Request a demo