The SOC automation market is doing what every adjacent cybersecurity segment has done before it: collapsing from a buffet of specialists into a shortlist of platforms. In the last ninety days the three major XDR vendors — Palo Alto Networks, CrowdStrike and Microsoft Defender — all shipped native workflow engines positioned as direct replacements for standalone SOAR tooling. Combined with Cisco/Splunk absorbing on-cloud orchestration into its own stack, more than 60% of buyers are now being steered toward a bundled decision.
What the platforms are actually shipping
All three vendors’ announcements look remarkably similar: visual playbook canvas, LLM-powered case triage, auto-generated enrichment, and a runtime that treats alerts as mutable records rather than immutable tickets. The differences are at the edges — who owns the data plane, how modular the connector catalogue is, and whether the engine can drive non-native tools (most can, but reluctantly).
Who’s at risk
Standalone SOAR vendors — Tines, Torq, Demisto-alumni shops, the open-source community around Shuffle — are responding with two strategies. The first is vertical specialisation (Torq’s recent pivot toward “agentic SOC” is an example). The second is data portability: as platforms start capturing alert lifecycle state, smaller vendors are positioning around the idea that lock-in of workflow logic is the real cost buyers should care about.
For buyers
Practitioners we interviewed said the consolidation is genuinely helpful for teams with fewer than six analysts. For mature SOCs with an existing SOAR investment, the question is one of sunk cost: keep the playbook library, or accept the rewrite cost to get native LLM-assisted triage. Expect that conversation to dominate Q3 budget discussions.