SOAR (Security Orchestration, Automation and Response) integrates security tools via APIs to automate incident response workflows — SIEM alert → automatic IOC enrichment → endpoint isolation → ticket creation → analyst notification.
SOAR reduces MTTR (mean time to respond) by automating repetitive Tier 1 tasks. ROI example: automating 100 tickets/day at 15 min each = 25 hours of analyst time saved daily. Platforms: Splunk SOAR, Palo Alto XSOAR, Microsoft Sentinel SOAR. Playbooks encode IR procedures as automated workflows, typically with conditional branches (e.g. isolate only on a confirmed-malicious verdict) and a shared context passed between steps.
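The alert-to-notification workflow above as a minimal playbook runner; this is an added example, not code from the page or from any of the named platforms. The connector stubs, alert fields and threat-intel table are constructed assumptions standing in for real API calls.

```python
# Added example: a SOAR-style playbook as an ordered list of steps that each
# read and update a shared context. Connectors are stubs, not real APIs.
from dataclasses import dataclass, field

@dataclass
class Context:
    alert: dict                  # constructed SIEM alert: id, host, ioc
    verdict: str = "unknown"
    isolated: bool = False
    ticket: str = ""
    notified: bool = False
    log: list = field(default_factory=list)

# Stub threat-intel lookup; a real platform would query a TI API.
THREAT_INTEL = {"deadbeef": "malicious", "cafef00d": "benign"}

def enrich(ctx):
    ctx.verdict = THREAT_INTEL.get(ctx.alert["ioc"], "unknown")
    ctx.log.append(f"enrich:{ctx.verdict}")
    return ctx

def isolate_if_malicious(ctx):
    # Contain only on a confirmed verdict; unknown is left for the analyst.
    if ctx.verdict == "malicious":
        ctx.isolated = True
        ctx.log.append(f"isolate:{ctx.alert['host']}")
    return ctx

def open_ticket(ctx):
    ctx.ticket = f"INC-{ctx.alert['id']}"
    ctx.log.append(f"ticket:{ctx.ticket}")
    return ctx

def notify(ctx):
    ctx.notified = True
    ctx.log.append("notify:soc-channel")
    return ctx

PLAYBOOK = [enrich, isolate_if_malicious, open_ticket, notify]

def run_playbook(alert, steps=PLAYBOOK):
    ctx = Context(alert)
    for step in steps:
        ctx = step(ctx)   # each step reads and updates the shared context
    return ctx

def analyst_hours_saved(tickets_per_day, minutes_each):
    # The ROI figure from the text: 100 tickets/day at 15 min each = 25 h.
    return tickets_per_day * minutes_each / 60
```

The log list doubles as the audit trail a SOC would keep of every automated action, which matters when an isolation step has to be reviewed or reversed.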