Security Orchestration, Automation and Response (SOAR) refers to the use of automated workflows to facilitate responses to security incidents. While security automation may take place without human intervention, security orchestration is necessary for people to collaborate on a response, and integrate the use of different tools to provide a proper response.

A SOAR tool should collect data on security incidents so it can be used to address current breaches, and plan for future improvements in security. Data on incidents should be analyzed in real time, and help enforce compliance with security measures. Remediation measures can be implemented quickly by computers.

SOAR systems should allow a security response to be extended and scaled appropriately. A good SOAR system will be HA/DR - highly available or in continuous operation and provide disaster recovery - continuing vital services after an incident.

In contrast to a SIEM (Security Information and Event Management) system, SOAR systems should allow for varying responses to different types of incidents.

Companies like Swimlane provide an application programming interface (API) for responses to security threats.