Updated May 15, 2026 · 10 platforms evaluated

Top 10 Security Incident Management Software in 2026: A Buyer-First Comparison

Honest 2026 ranking of the 10 best security incident management platforms covering NIST 800-61, ISO 27035, OSHA 1904, breach notification, and case management.

By RiskWatch Editorial · Security Operations and Incident Management Software Research

Verdict

TL;DR

If you are shopping security incident management software in 2026 the category splits along two axes: cyber-side SOAR for the SOC running on a SIEM, and physical-and-investigation case management for the corporate security team running workplace violence, theft, fraud, and breach-notification cases. RiskWatch ranks first on our weighted score because it is the only platform here that ships a unified incident workspace covering NIST SP 800-61 r3 cyber-incident handling, ISO/IEC 27035-1:2023 incident management, OSHA 29 CFR 1904 workplace incident logging, HIPAA 60-day individual notification under 45 CFR 164.404, state breach notification across 50 states plus DC, GDPR Article 33 72-hour reporting, and investigation case management with chain-of-custody in one tenant at $99 per month entry. Resolver is the strongest physical-security and investigation specialist with the deepest chain-of-custody handling and the strongest case workflow in the category. ServiceNow Security Operations wins for enterprise SOCs where the CMDB and ITSM already live on the Now Platform. Splunk SOAR (formerly Phantom) and Cortex XSOAR (Palo Alto Networks, formerly Demisto) are the pure-play SOAR leaders and they still win the SOC bake-off when the workload is high-volume alert triage with a SIEM-native correlation requirement. IBM QRadar SOAR (formerly Resilient) carries the deepest NIST 800-61 r3 playbook library and the breach-notification regulatory-clock automation that the privacy office will want. Tines is the cleanest no-code SOC automation platform with a $1.13B valuation and a story rate that no SOAR-incumbent matches. D3 Security is the cyber-physical convergence specialist with NextGen SOAR plus physical incident management on one platform. OnSolve is the critical-event-management leader for mass notification, workplace violence response, and active-assailant communications. Swimlane is the low-code SOAR challenger with the strongest hyperautomation AI overlay. Three honest callouts: pure-play SOAR (Splunk, Cortex XSOAR) still wins on SIEM-native correlation depth and alert-triage throughput for the largest SOCs; physical-security specialists (Resolver, D3) still win on case-investigation workflow depth and chain-of-custody defensibility; OnSolve still wins on mass-notification delivery at active-assailant scale (sub-60-second delivery to 100,000+ recipients across SMS, voice, email, and mobile push). Pick by the operating reality of which incident types you actually run, not by analyst-quadrant placement, because seven of the ten platforms here gate full pricing behind a demo.

Pick by use case

Where each platform fits

Unified incident workspace for cyber, physical, and breach-notification cases at $99 per month entry: RiskWatch: The only platform in this ranking that ships NIST SP 800-61 r3 + ISO/IEC 27035-1:2023 + OSHA 29 CFR 1904 + HIPAA 45 CFR 164.404 60-day individual notification + state breach notification across 50 states + DC + GDPR Article 33 + investigation case management with chain-of-custody in one tenant; Standard $99/month published; 40+ pre-mapped framework libraries; single-tenant deployment with customer-owned data residency at the Enterprise tier.
Deepest physical-security and investigation case management with chain-of-custody for board, regulator, and civil-discovery scrutiny: Resolver: Kroll subsidiary since March 2022; founded 2000 Toronto; strongest investigation case workflow in the GRC category with chain-of-custody handling defensible against board, regulator, civil-discovery, and criminal-case scrutiny; G2 Leader 2025 with 87% user satisfaction across 246+ reviews; pre-built workflow for fraud, ethics-line, whistleblower, workplace violence, theft, and supply-chain incident cases.
Enterprise SOC where CMDB + ITSM + change-management already live on the Now Platform: ServiceNow Security Operations: NYSE NOW ~$90B market cap May 2026; Security Operations module ties incident response to the CMDB, change management, vulnerability response, and threat intelligence on one Now Platform; Now Assist for Security Operations 2024 release adds generative-AI playbook drafting; strongest fit when the ITSM foundation is already paid for; per-employee licensing scales fast ($250-500K+/yr full-suite SecOps).
High-volume alert triage SOC running Splunk Enterprise Security as the SIEM: Splunk SOAR: Phantom heritage 2014 acquired by Splunk April 2018 for $350M; Splunk acquired by Cisco March 2024 for $28B; deepest SIEM-native correlation depth in the category when paired with Splunk Enterprise Security; 350+ integrations and the largest community-contributed playbook library; the right SOAR pick for SOCs already running Splunk ES.
Pure-play SOAR for SOCs running Cortex XDR or any non-Splunk SIEM: Cortex XSOAR (Palo Alto Networks): Demisto acquisition February 2019 for $560M; Cortex XSOAR is the historical Gartner SOAR leader before the 2022 category convergence; 750+ content packs in the Cortex Marketplace; native integration with Cortex XDR, Cortex XSIAM, and Prisma Cloud; the right SOAR pick when the buyer is standardising on the Palo Alto Networks platform stack.
Deepest NIST 800-61 r3 playbook library and breach-notification regulatory-clock automation: IBM QRadar SOAR: Resilient acquisition February 2016 (Bruce Schneier was CTO); IBM sold the QRadar SaaS portfolio to Palo Alto Networks May 2024 for $500M while the on-premises QRadar SOAR continues under IBM through customer migration; deepest pre-built breach-notification regulatory-clock library covering HIPAA 60 days + GDPR 72 hours + state breach notification + sector-specific mandates; the right pick when the privacy office owns half the incident programme.
Cyber-physical convergence on one platform (SOC and physical-security operations centre under one workflow): D3 Security: Founded 1995 Vancouver; one of the only platforms in this category that ships NextGen SOAR alongside physical incident management, investigation case management, and ASIS-aligned workflow in one tenant; FedRAMP Moderate; pre-built playbooks for cyber + physical convergence at airports, utilities, federal facilities, and Fortune 500 GSOCs.
No-code SOC workflow automation with the cleanest UX and a published $1.13B valuation: Tines: Founded 2018 Dublin by Eoin Hinchy and Thomas Kinsella; $600M Series C August 2024 at $1.13B valuation led by Goldman Sachs Growth and Felicis; no-code story-builder is the cleanest SOC automation UX in the category; G2 4.9/5 the highest in this ranking; fit for SOCs that want a SOAR replacement without the playbook-engineering tax.
Critical event management and mass notification for workplace violence, active assailant, and physical incidents: OnSolve: OnSolve was Send Word Now plus One Call Now merged in 2020 and went private under Crisis24 / GardaWorld in late 2022; sub-60-second mass-notification delivery to 100,000+ recipients across SMS, voice, email, and mobile push; pre-built workflow for active-assailant response, severe-weather alerting, and business-continuity activation; the right pick when the incident programme is physical-side first.
Low-code SOAR challenger with the strongest hyperautomation AI overlay: Swimlane: Founded 2014 Louisville CO; $70M growth round December 2021; Turbine platform (formerly Swimlane SOAR) ships AI hyperautomation for alert triage; Swimlane AI overlay generates playbooks from natural-language; G2 4.7/5; the right pick for SOCs that want low-code with AI hyperautomation rather than pure no-code (Tines) or pure SIEM-native (Splunk SOAR).

Security incident management software has two buyers, not one. The CISO and SOC manager need SOAR-style alert triage, playbook automation, and SIEM-native correlation for the cyber-incident workflow defined in NIST SP 800-61 r3 (the third revision drafted April 2024 and expected to replace the August 2012 r2 as the procurement-language reference) and ISO/IEC 27035-1:2023 (Information security incident management, Principles and process). The Director of Corporate Security, Director of Workplace Safety, and Director of Investigations need physical-incident logging under OSHA 29 CFR 1904 (Form 300 + 300A + 301), workplace-violence case workflow aligned to ASIS WVPI.1-2020, theft and fraud case management with chain-of-custody handling defensible against board, regulator, civil-discovery, and criminal-case scrutiny, and a mass-notification path when the incident escalates to an active-assailant or severe-weather event. Between the two there is a third programme load that neither pure-play SOAR nor pure-play physical specialists carry cleanly: breach notification under HIPAA 45 CFR 164.404 (60 calendar days to individuals), state breach notification across 50 states plus DC plus 3 territories (California Civil Code 1798.82 the 2003 origin, New York SHIELD Act effective March 2020, Florida 501.171 within 30 days), and GDPR Article 33 (72 hours to the supervisory authority). The right platform fits the operating reality of which of these three loads you actually run.

We considered 23 candidate platforms across the Gartner SOAR cohort (last published as a stand-alone Magic Quadrant in 2022 before the category convergence with TDIR and XDR and hyperautomation), the Forrester Wave for Security Analytics Platforms 2024 and 2025, the Forrester Wave for Investigation and Case Management 2024, G2 Grid leaderboards for SOAR and for Physical Security GRC, Capterra Shortlist for Incident Management, and the 2026 RSA Conference SOC track expo lineup. We cut to ten by removing pure SIEMs that ship an incident-response module as a side effect rather than as a backbone (Splunk Enterprise Security itself, Microsoft Sentinel, Google Chronicle, Elastic Security), removing pure XDR platforms without first-class case management (CrowdStrike Falcon, SentinelOne Singularity, Trellix XDR), removing pure ethics-line intake tools without investigation workflow (NAVEX EthicsPoint standalone, Convercent), and removing pure threat-intelligence platforms (Recorded Future, ThreatConnect TIP). The result is ten platforms a real buyer shopping security incident management software would actually shortlist in 2026, spanning unified-platform (RiskWatch), physical-and-investigation specialists (Resolver, D3 Security, OnSolve), pure SOAR (Splunk SOAR, Cortex XSOAR, IBM QRadar SOAR, Tines, Swimlane), and the enterprise platform play (ServiceNow Security Operations).

Pricing transparency is poor in this category. Seven of the ten platforms here gate full pricing behind a demo. Only RiskWatch (Standard $99 per month and Professional $36K per year published; Enterprise quote-only) and Tines (Community free tier published; Professional and Enterprise gated) make any pricing visible without a sales cycle. We have triangulated prices for the opaque vendors from Vendr ACV reports 2025-2026, third-party SOAR market analyses, and customer reference calls, and dated each estimate to 2026-05-15. Three things have changed in this category over the last 18 months that matter for a 2026 buyer. First, the SOAR category has converged into TDIR (threat detection, investigation, response) and XDR; Gartner stopped publishing a stand-alone SOAR Magic Quadrant in 2022 and the pure-play SOAR vendors are repositioning. Second, IBM sold the QRadar SaaS portfolio to Palo Alto Networks in May 2024 for $500M, creating procurement uncertainty for IBM QRadar SOAR customers; on-premises QRadar SOAR continues under IBM through customer migration but new contracts ask hard questions about the 3-year roadmap. Third, the NIST SP 800-61 r3 draft (April 2024) is the new procurement-language reference for cyber-incident handling and the platforms that have not updated their pre-built playbook libraries from the 2012 r2 are losing RFPs.

At-a-glance

Comparison table

The 10 platforms scored on the methodology weights at the bottom of this page. Pricing-transparency pill is the buyer-honesty signal.

Rank	Product	Best for	Pricing transparency	G2	Verdict
1	RiskWatch RiskWatch	Mid-market or growth-stage organisations that run cyber + physical + breach-notification + investigation cases under one programme and want a unified workspace at a published price under $100 per month entry. Strong fit for healthcare networks, regional banks, state and local government agencies, federally-funded research nonprofits, and Tier-2 utilities where one team owns all four incident types.	Partial	4.5/5 70+ reviews	Only platform in this ranking that ships unified cyber-incident + physical-incident +...
2	Resolver Resolver (a Kroll business)	Corporate security teams, fraud and ethics-line owners, and retail loss-prevention programmes that need the deepest investigation case workflow with chain-of-custody handling and ASIS POA.1-2022 alignment. Strong fit when the General Counsel owns the incident programme jointly with the Director of Corporate Security.	Opaque	4.3/5 250+ reviews	Strongest investigation case workflow in the GRC category with chain-of-custody...
3	ServiceNow Security Operations ServiceNow, Inc.	Enterprise SOCs at organisations whose ITSM, CMDB, change management, and vulnerability response already run on the Now Platform. Strong fit when the security and IT operations teams report into a shared platform leader.	Opaque	4.4/5 320+ reviews	Native CMDB integration on the Now Platform is the strongest tie-in to asset,...
4	Splunk SOAR Splunk (a Cisco company)	SOCs already standardised on Splunk Enterprise Security as the SIEM, where the SOAR investment piggy-backs on the SIEM contract. Strong fit for Fortune 500 SOCs with deep playbook-engineering benches.	Opaque	4.3/5 240+ reviews	Deepest SIEM-native correlation depth in this ranking when paired with Splunk...
5	Cortex XSOAR Palo Alto Networks, Inc.	SOCs standardised on the Palo Alto Networks platform stack (Cortex XDR, Cortex XSIAM, Prisma Cloud, PAN-OS firewalls). Strong fit for Fortune 500 SOCs willing to commit to the PAN ecosystem.	Opaque	4.5/5 220+ reviews	Gartner SOAR Magic Quadrant Leader 2020-2022 (last SOAR MQ before category convergence)
6	IBM QRadar SOAR IBM Corporation	Regulated-industry SOCs (healthcare, financial services, public sector) where the privacy office and the legal team co-own the incident programme alongside the SOC. Strong fit for HIPAA-regulated entities and EU-subsidiary organisations running GDPR Article 33 clocks.	Opaque	4.2/5 160+ reviews	Deepest pre-built breach-notification regulatory-clock library in this ranking (HIPAA...
7	D3 Security D3 Security Management Systems, Inc.	Organisations that run a converged SOC plus GSOC under a single Chief Security Officer, especially in TSA-regulated airports, NERC CIP utilities, federal facilities, and Fortune 500 multinational GSOCs with both cyber and physical operations centres on the same floor.	Opaque	4.4/5 90+ reviews	Cyber-physical convergence on one platform; SOC and GSOC under one workflow
8	Tines Tines, Inc.	SOCs that want a SOAR replacement without the playbook-engineering tax. Strong fit for cloud-native SaaS, fintech, and crypto-exchange SOCs whose analyst team wants no-code story-building with high time-to-value.	Partial	4.9/5 240+ reviews	Cleanest no-code SOC automation UX in the category (Tines stories)
9	OnSolve OnSolve (a Crisis24 / GardaWorld company)	Organisations whose primary incident load is mass notification, active-assailant response, severe-weather alerting, or business-continuity activation. Strong fit for K-12 districts, higher education campuses, healthcare systems, retail chains, manufacturing facilities, and Tier-1 corporate enterprises with workplace-violence response programmes.	Opaque	4.5/5 180+ reviews	Sub-60-second mass-notification delivery to 100,000+ recipients across SMS, voice,...
10	Swimlane Swimlane, Inc.	SOCs that want low-code playbook authoring with AI hyperautomation. Strong fit for mid-market and growth-stage enterprises whose analyst team has 1-3 playbook engineers and wants AI to do the rest.	Opaque	4.7/5 130+ reviews	Strongest hyperautomation AI overlay in this category (Swimlane AI; natural-language...

Calculator

Estimate the licence cost

Drag the slider to your headcount. Estimates use each vendor's published or triangulated tiers. Opaque vendors show Contact sales.

Employees500

11.3k2.5k3.8k5k

RiskWatch

Professional (≤ 1,000 employees)

$36,000/yr

Resolver

Resolver Investigations (quote-only tier)

Contact sales

ServiceNow Security Operations

ServiceNow Security Operations (Standard) (quote-only tier)

Contact sales

Splunk SOAR

Splunk SOAR (stand-alone) (quote-only tier)

Contact sales

Cortex XSOAR

Cortex XSOAR (quote-only tier)

Contact sales

IBM QRadar SOAR

IBM QRadar SOAR (on-premises) (quote-only tier)

Contact sales

D3 Security

D3 Smart SOAR (quote-only tier)

Contact sales

Tines

Community (quote-only tier)

Contact sales

OnSolve

OnSolve Platform (quote-only tier)

Contact sales

Swimlane

Swimlane Turbine (quote-only tier)

Contact sales

Estimates only. Opaque-pricing vendors do not publish list prices; bands are triangulated from public third-party sources dated 2026-05-15. Implementation services, module add-ons, and renewal escalators are extra.

Pick your own weights

Decision matrix

Default weights match the methodology at the bottom of this page. Drag the sliders to match your priorities and re-rank in real time.

Ease of use20%

How quickly a non-technical control owner reaches first value

Feature breadth20%

Module coverage across ERM, IT, audit, TPRM, BC

Value20%

Price to value ratio at mid-market

Customer support15%

Quality and responsiveness of vendor support

Scalability15%

Handling 5,000+ employees, multiple entities, regions

Integrations10%

Breadth of native connectors and APIs

Weights sum: 100%

1
RiskWatch
Editorial rank #1
8.82
2
Tines
Editorial rank #8
8.78
3
Cortex XSOAR
Editorial rank #5
8.40
4
Resolver
Editorial rank #2
8.38
5
Swimlane
Editorial rank #10
8.37
6
OnSolve
Editorial rank #9
8.32
7
Splunk SOAR
Editorial rank #4
8.30
8
ServiceNow Security Operations
Editorial rank #3
8.22
9
D3 Security
Editorial rank #7
8.21
10
IBM QRadar SOAR
Editorial rank #6
7.93

Switching cost

Migration matrix

Read row-to-column. Row = today's platform, column = tomorrow's. Colour reflects realistic switching effort, not vendor sales pitches.

From / To	RiskWatch	Resolver	ServiceNow Security Operations	Splunk SOAR	Cortex XSOAR	IBM QRadar SOAR	D3 Security	Tines	OnSolve	Swimlane
RiskWatch	.	E	H	M	M	H	M	E	E	E
Resolver	E	.	H	E	E	M	E	E	E	E
ServiceNow Security Operations	H	H	.	H	H	H	H	H	H	H
Splunk SOAR	E	E	H	.	E	E	E	E	E	E
Cortex XSOAR	E	E	H	E	.	E	E	E	E	E
IBM QRadar SOAR	E	E	H	E	E	.	E	E	E	E
D3 Security	E	E	H	E	E	E	.	E	E	E
Tines	M	M	H	H	H	H	H	.	M	M
OnSolve	E	E	H	M	M	M	M	E	.	E
Swimlane	E	E	H	E	E	M	E	E	E	.

Easy (E)Moderate (M)Hard (H)Source: per-vendor migration field with radar-profile fallback. Treat as a directional guide, not a quote.

Methodology

How we scored and why you should trust it

The methodology is the only thing keeping this page honest. Read it carefully and apply your own weights in the decision matrix above.

We scored each of the ten platforms on six axes calibrated for the security-incident-management buyer: Ease of Use for SOC analysts and non-technical physical-security investigators running cases without a six-month implementation (20 percent); Feature Breadth across NIST SP 800-61 r3 cyber-incident handling, ISO/IEC 27035-1:2023, OSHA 29 CFR 1904 physical incident logging, breach notification (HIPAA 60-day + state + GDPR 72-hour), investigation case management with chain-of-custody, mass notification, and root-cause analysis under 5 Whys and Ishikawa fishbone and fault-tree analysis (20 percent); Value across published versus opaque pricing and 3-year total cost of ownership for a representative mid-market SOC plus corporate security team (20 percent); Customer Support including SOC-domain expertise in the implementation team, ASIS / IIA / IAPP-credentialed customer-success staff, and incident-response retainer availability (15 percent); Scalability across SOC tier-1 alert volumes, multi-site physical-security operations centres, multi-entity holding-company breach notification, and global incident-reporting cadence (15 percent); and Integrations with SIEM (Splunk Enterprise Security, Microsoft Sentinel, IBM QRadar SIEM, Sumo Logic, Elastic Security), XDR (CrowdStrike Falcon, SentinelOne Singularity, Palo Alto Cortex XDR), ITSM (ServiceNow, Jira Service Management), CMDB (ServiceNow CMDB, BMC Atrium), threat intelligence (Recorded Future, Mandiant, ThreatConnect), identity (Okta, Microsoft Entra ID), and physical-security access control (Genetec, Lenel S2, Software House) (10 percent). Scores are 0-10 and calibrated within this security-incident-management category (highest features 9.5, lowest 6.5). Ratings reference G2 and Capterra figures pulled 2026-05-15. Pricing reflects the most-recent published or triangulated figures, also pulled 2026-05-15; where pricing is opaque we report a range based on Vendr ACV data and customer-reference triangulation. Layered evaluation criteria: NIST SP 800-61 r3 alignment, ISO/IEC 27035-1:2023 alignment, OSHA 29 CFR 1904 logging fit, HIPAA 60-day + state breach notification + GDPR 72-hour regulatory-clock automation, investigation case management with chain-of-custody, SIEM-native correlation depth, and mass-notification delivery latency. We re-verify this page quarterly.

Weights used in the editorial ranking

Ease of use: 20%
Feature breadth: 20%
Value: 20%
Customer support: 15%
Scalability: 15%
Integrations: 10%

RiskWatch

RiskWatch · Founded 1993 · Sarasota, Florida, USA

Unified incident workspace covering cyber, physical, breach notification, and investigation case management at a $99 per month entry tier.

Partial pricingG2 4.5 · Capterra 4.6 · 70+ reviews

Summary

RiskWatch ships a unified incident management workspace built on the same 40-plus framework library that powers the broader risk and compliance platform. The incident workspace covers cyber-incident handling aligned to NIST SP 800-61 r3 and ISO/IEC 27035-1:2023, physical incident logging aligned to OSHA 29 CFR 1904 (Form 300 + 300A + 301), workplace violence case workflow aligned to ASIS WVPI.1-2020, investigation case management with chain-of-custody handling, breach-notification regulatory-clock automation covering HIPAA 60-day individual notification under 45 CFR 164.404 plus state breach notification across 50 states plus DC plus 3 territories plus GDPR Article 33 72-hour reporting, and root-cause analysis with 5 Whys and Ishikawa fishbone diagram templates. The Standard tier at $99 per month is the only published entry price in this ranking that ships a unified cyber-plus-physical-plus-breach workspace; single-tenant deployment with customer-owned data residency is available at the Enterprise tier. RiskWatch is honest about its profile: it is a unified incident, risk, and compliance platform first and a pure-play SOAR or pure-play physical-security specialist second, with less depth than Splunk SOAR or Cortex XSOAR on SIEM-native correlation and less depth than Resolver or D3 on investigation case workflow. It earns first place on the weighted score because the unified workspace plus the breach-notification regulatory-clock library plus the $99/month entry tier fits the mid-market and growth-stage incident-programme brief better than any single specialist.

Strengths

Only platform in this ranking that ships unified cyber-incident + physical-incident + breach-notification + investigation case management in one tenant
Standard tier $99 per month is the only published entry price in this ranking; Professional $36K per year published; Enterprise quote-only
Pre-built breach-notification regulatory-clock library covering HIPAA 45 CFR 164.404 (60 days), state breach notification across 50 states + DC + 3 territories (California 1798.82, New York SHIELD Act, Florida 501.171 30 days), and GDPR Article 33 (72 hours)
NIST SP 800-61 r3 and ISO/IEC 27035-1:2023 pre-mapped incident-handling workflow with the lessons-learned step linked to the broader risk register
OSHA 29 CFR 1904 workplace-incident logging with Form 300 + 300A + 301 export and electronic submission for high-hazard NAICS codes due March 2
Investigation case management with chain-of-custody handling, evidence vault versioning, ethics-line intake, and 5 Whys + Ishikawa fishbone RCA templates
33-year operating history with US state, federal, and regulated-industry customers gives a stability story that VC-funded SOAR vendors cannot match
Single-tenant deployment with customer-owned data residency at the Enterprise tier; relevant when the regulator (state Attorney General, HHS OCR, EU DPA) requires data-locality evidence on breach files

Weaknesses

Not a SIEM-native SOAR at Splunk SOAR or Cortex XSOAR depth; high-volume alert triage SOCs running Splunk Enterprise Security or Cortex XDR will need to pair RiskWatch with the SIEM-native SOAR or accept lower correlation depth
Not a pure-play physical-security or investigation specialist at Resolver or D3 depth; case-investigation workflow is solid but the ethics-line intake and the chain-of-custody export library is shallower than Resolver
No mass-notification delivery surface at OnSolve depth; an active-assailant or severe-weather notification fan-out to 100,000+ recipients in under 60 seconds requires pairing with OnSolve, Everbridge, or AlertMedia
Smaller SIEM and XDR integration count than Cortex XSOAR (750+ content packs) or Splunk SOAR (350+ integrations); a SOC with deep tool sprawl will need API work
No native AI hyperautomation overlay at Swimlane Turbine or Cortex XSIAM depth; AI playbook drafting is newer and has a shorter learning curve
Sub-100 G2 reviews in the security-incident-management cohort specifically; brand awareness in pure-play SOAR is lower than Splunk SOAR, Cortex XSOAR, and Tines

Best for

Mid-market or growth-stage organisations that run cyber + physical + breach-notification + investigation cases under one programme and want a unified workspace at a published price under $100 per month entry. Strong fit for healthcare networks, regional banks, state and local government agencies, federally-funded research nonprofits, and Tier-2 utilities where one team owns all four incident types.

Worst for

Pure-cyber SOCs at Fortune 500 scale running 1M+ alerts per day on Splunk Enterprise Security or Cortex XDR; the SIEM-native SOAR (Splunk SOAR, Cortex XSOAR) wins that brief. Also a poor fit for organisations whose primary incident load is active-assailant or severe-weather mass notification at scale; OnSolve or Everbridge fits that brief better.

Key features

Unified cyber + physical + breach-notification + investigation incident workspace
NIST SP 800-61 r3 and ISO/IEC 27035-1:2023 pre-built incident handling workflow
OSHA 29 CFR 1904 workplace incident logging with Form 300 + 300A + 301 export
Breach-notification regulatory-clock automation (HIPAA 60 days + state + GDPR 72 hours)
Investigation case management with chain-of-custody handling and evidence vault versioning
Root-cause analysis templates (5 Whys, Ishikawa fishbone, fault tree)
Cross-mapping engine that links each incident to the affected control framework
ASIS WVPI.1-2020 workplace violence case workflow
Single-tenant deployment for data-residency requirements
Audit-ready incident export for board, regulator, and civil-discovery scrutiny

Integrations

30+ native. Notable: Microsoft Entra ID (SAML SSO), Okta, Microsoft 365 / SharePoint, Slack, Jira, ServiceNow, Salesforce, Custom REST API.

Target size

50 to 25,000 employees · US · Canada · EU · UK · AU

Radar score

Pricing

Standard$99/month
Up to 250 employees
- · Cyber + physical + breach-notification + investigation incident workspace
- · NIST SP 800-61 r3 + ISO/IEC 27035-1:2023 + OSHA 1904 pre-built workflow
- · Up to 3 frameworks for cross-mapped controls
- · Email + named-CSM support
Professional$36,000/year
Up to 1,000 employees
- · Up to 10 frameworks cross-mapped
- · Unlimited incidents + investigations
- · Breach-notification regulatory-clock automation (HIPAA + state + GDPR)
- · SSO + SAML + API access
- · Phone + dedicated CSM
EnterpriseContact sales
- · All 40+ frameworks
- · Single-tenant deployment
- · Customer-owned data residency (US / EU / UK / CA / AU)
- · Custom incident playbook authoring
- · 24/7 support + solutions architect on retainer

Watch for

· Implementation services billed separately (typical 1-time fee 15-25% of first-year licence)
· Custom incident playbook authoring beyond the pre-built library is scoped per request

Standard $99 per month and Professional $36K per year are published. Enterprise is quote-only because single-tenant deployment topology varies materially.

Resolver

Resolver (a Kroll business) · Founded 2000 · Toronto, Ontario, Canada

Deepest physical-security and investigation case management with chain-of-custody defensibility.

Opaque pricingG2 4.3 · Capterra 4.4 · 250+ reviews

Summary

Resolver was founded in 2000 in Toronto and was acquired by Kroll (a Duff and Phelps subsidiary) in March 2022. The platform carries the strongest investigation case workflow in the GRC category, with chain-of-custody handling defensible against board, regulator, civil-discovery, and criminal-case scrutiny. Pre-built workflows cover fraud, ethics-line, whistleblower, workplace violence, theft, supply-chain incidents, and retail loss prevention. Resolver is the right pick when the incident programme is physical-side first and the buying committee is the Director of Corporate Security plus the General Counsel rather than the CISO. G2 Leader 2025 with 87 percent user satisfaction across 246-plus reviews.

Strengths

Strongest investigation case workflow in the GRC category with chain-of-custody handling defensible against board, regulator, civil-discovery, and criminal-case scrutiny
Kroll subsidiary integration (since March 2022) brings Kroll Risk Intelligence adverse-media and sanctions screening for investigations into the same tenant
Pre-built workflow for fraud, ethics-line, whistleblower, workplace violence, theft, supply-chain incidents, and retail loss prevention
G2 Leader 2025 with 87% user satisfaction across 246+ reviews
ASIS POA.1-2022 Investigations Standard alignment with the Investigator role and case-handling-officer role pre-built
Strongest retail loss-prevention case workflow in this ranking (large enterprise retail customer base)

Weaknesses

Not a cyber-SOAR at Splunk SOAR or Cortex XSOAR depth; SIEM-native correlation requires pairing with a dedicated SOAR or accepting integration work
No published pricing; Vendr triangulates $45K-$120K typical mid-market with enterprise quote-only ($200K+)
Smaller breach-notification regulatory-clock library than IBM QRadar SOAR or RiskWatch; HIPAA 60-day and GDPR 72-hour automation is partial rather than first-class
UI shows operational-heritage; competing newer cloud-first SOAR entrants (Tines, Swimlane) have a more polished first-run experience for the analyst-fluent SOC
Kroll-ownership renewal-pressure dynamic increased post-2022; multiple customer references cite 8-12% renewal uplifts

Best for

Corporate security teams, fraud and ethics-line owners, and retail loss-prevention programmes that need the deepest investigation case workflow with chain-of-custody handling and ASIS POA.1-2022 alignment. Strong fit when the General Counsel owns the incident programme jointly with the Director of Corporate Security.

Worst for

Pure-cyber SOCs running 1M+ alerts per day on Splunk ES or Cortex XDR; Splunk SOAR or Cortex XSOAR fits that brief better. Also a poor fit for organisations that need mass-notification delivery at active-assailant scale; OnSolve fits that brief.

Key features

Investigation case management with chain-of-custody handling
Pre-built workflow for fraud, ethics-line, whistleblower, workplace violence, theft
ASIS POA.1-2022 Investigations Standard alignment
Kroll Risk Intelligence integration for adverse-media and sanctions screening
Evidence vault with versioning and chain-of-custody export
Corporate security incident management
Retail loss-prevention workflow
Ethics-line intake with multi-channel reporting

Integrations

80+ native. Notable: Microsoft 365, ServiceNow, Salesforce, Okta, NAVEX EthicsPoint, Genetec, Lenel S2.

Target size

500 to 2,00,000 employees · US · Canada · EU · UK · AU

ServiceNow Security Operations

ServiceNow, Inc. · Founded 2004 · Santa Clara, California, USA

Enterprise security operations on the Now Platform with CMDB-native incident response and Now Assist GenAI.

Opaque pricingG2 4.4 · Capterra 4.4 · 320+ reviews

Summary

ServiceNow Security Operations is the security-incident workflow module on the Now Platform, with native ties to the CMDB, change management, vulnerability response, and threat intelligence. ServiceNow trades at roughly $90B market cap in May 2026. Now Assist for Security Operations (2024 release) ships generative-AI playbook drafting and analyst-summarisation. The strongest fit is when the ITSM foundation already runs on ServiceNow; the per-employee licensing scales fast and the buyer should cost-justify only when the existing Now Platform investment is paid for. FedRAMP authorised at multiple levels on the broader ServiceNow platform with Security Operations inheriting that boundary.

Strengths

Native CMDB integration on the Now Platform is the strongest tie-in to asset, configuration, and change management in this ranking
Vulnerability Response module ties incident response to remediation tickets in the same workflow
Now Assist for Security Operations (2024 release) generative-AI for playbook drafting and analyst-summarisation
FedRAMP authorised at multiple levels on the broader ServiceNow platform; Security Operations inherits the boundary
Largest installed base in the ITSM category creates a familiar workflow language for the SOC
Strongest Threat Intelligence module of the enterprise platforms in this ranking

Weaknesses

Per-employee licensing scales fast ($250-500K+/yr full-suite SecOps before negotiation); the platform is cost-justifiable only when the existing Now Platform investment is paid for
Implementation is consultant-heavy; mid-market buyers commonly pay 1.0-1.5x licence fee in Year 1 services
No native physical-security incident workflow at Resolver or D3 depth; mostly cyber-side
Breach-notification regulatory-clock automation is thinner than IBM QRadar SOAR or RiskWatch; HIPAA + state + GDPR clocks require custom workflow
Renewal pressure runs through ServiceNow account managers across the broader Now Platform; security-specific cost containment is hard

Best for

Enterprise SOCs at organisations whose ITSM, CMDB, change management, and vulnerability response already run on the Now Platform. Strong fit when the security and IT operations teams report into a shared platform leader.

Worst for

Mid-market SOCs without an existing Now Platform investment; the per-employee licensing math does not work. Also a poor fit for organisations whose primary incident load is physical-security or investigation case management.

Key features

Security Incident Response on the Now Platform
Vulnerability Response module
Threat Intelligence module
Now Assist for Security Operations (Generative AI)
Native CMDB integration for asset context
Change management integration for remediation tickets
Workflow automation across the Now Platform
Configuration Compliance module

Integrations

300+ native. Notable: ServiceNow CMDB, Splunk Enterprise Security, Microsoft Sentinel, CrowdStrike Falcon, Tenable, Qualys, Recorded Future.

Target size

1,000 to 5,00,000 employees · US · EU · UK · CA · AU · JP · SG

Splunk SOAR

Splunk (a Cisco company) · Founded 2014 · San Francisco, California, USA (Cisco HQ: San Jose)

Pure-play SOAR with deepest SIEM-native correlation when paired with Splunk Enterprise Security.

Opaque pricingG2 4.3 · Capterra 4.4 · 240+ reviews

Summary

Splunk SOAR is the Phantom platform that Splunk acquired in April 2018 for $350M, integrated into the Splunk security portfolio, and inherited under the Cisco acquisition of Splunk in March 2024 for $28B. Splunk SOAR is the deepest SIEM-native correlation SOAR in this ranking when paired with Splunk Enterprise Security, with 350-plus integrations and the largest community-contributed playbook library. The right SOAR pick for SOCs already running Splunk ES or planning to. Pricing is opaque and Splunk SOAR is increasingly bundled with Splunk Enterprise Security and Splunk Mission Control under the Cisco hyperscaler-pricing model.

Strengths

Deepest SIEM-native correlation depth in this ranking when paired with Splunk Enterprise Security
350+ integrations and the largest community-contributed playbook library
Cisco acquisition (March 2024, $28B) brings the broader Cisco security portfolio (Talos threat intelligence, Cisco XDR, Duo) into the SOAR roadmap
Strongest fit for SOCs already running Splunk ES (the most-installed enterprise SIEM)
Splunk Mission Control unified workspace ships in 2025-2026 release pairing SOAR + SIEM + UEBA in one UI
Largest analyst-community playbook contribution rate in this ranking

Weaknesses

Strongest fit only when paired with Splunk Enterprise Security; on a non-Splunk SIEM the correlation depth is materially lower
Opaque pricing; Splunk SOAR is increasingly bundled with Splunk ES and Mission Control rather than sold stand-alone, complicating the procurement math
Cisco-acquisition uncertainty (March 2024) creates 2026-2027 roadmap questions; multiple customer references cite re-platforming discussions
Playbook-engineering tax: pre-built playbooks need significant SOC-specific tuning compared to Tines or Cortex XSOAR Content Packs
No native physical-security incident workflow; SOC-side cyber only
Splunk pricing model (data-ingest-based) creates predictability issues that the Cisco transition has not fully resolved

Best for

SOCs already standardised on Splunk Enterprise Security as the SIEM, where the SOAR investment piggy-backs on the SIEM contract. Strong fit for Fortune 500 SOCs with deep playbook-engineering benches.

Worst for

SOCs running Microsoft Sentinel, IBM QRadar SIEM, Google Chronicle, or Elastic Security as the SIEM; Cortex XSOAR or Tines or Swimlane fits those briefs better. Also a poor fit for buyers that need physical-security incident workflow.

Key features

Playbook orchestration with visual workflow builder
350+ integrations across SIEM, XDR, EDR, identity, ticketing, threat intelligence
Splunk Enterprise Security correlation
Splunk Mission Control unified workspace (SOAR + SIEM + UEBA)
Community-contributed playbook library
Case management with timeline and evidence
Cisco Talos threat intelligence integration (post-acquisition)
Splunk SOAR Cloud and on-premises deployment

Integrations

350+ native. Notable: Splunk Enterprise Security, Cisco Talos, CrowdStrike Falcon, Microsoft Sentinel (limited), ServiceNow, Recorded Future, Okta.

Target size

1,000 to 5,00,000 employees · US · EU · UK · CA · AU · JP · SG

Cortex XSOAR

Palo Alto Networks, Inc. · Founded 2015 · Santa Clara, California, USA

Historical SOAR leader with 750+ Content Packs and native Cortex XSIAM + XDR integration.

Opaque pricingG2 4.5 · Capterra 4.5 · 220+ reviews

Summary

Cortex XSOAR is the Demisto platform that Palo Alto Networks acquired in February 2019 for $560M. Cortex XSOAR was the Gartner SOAR Magic Quadrant Leader in the 2020-2022 windows (the last SOAR MQ was 2022 before the category convergence with TDIR). 750-plus Content Packs in the Cortex Marketplace. Native integration with Cortex XDR, Cortex XSIAM (the AI-native SecOps platform launched 2023), and Prisma Cloud. The right SOAR pick when the buyer is standardising on the Palo Alto Networks platform stack. In May 2024 Palo Alto Networks acquired the QRadar SaaS portfolio from IBM for $500M, consolidating two of the four pure-play SOAR incumbents in this ranking under one parent.

Strengths

Gartner SOAR Magic Quadrant Leader 2020-2022 (last SOAR MQ before category convergence)
750+ Content Packs in the Cortex Marketplace, the largest pre-built playbook library in this ranking
Native integration with Cortex XDR, Cortex XSIAM (AI-native SecOps), and Prisma Cloud
Palo Alto Networks portfolio bundle creates a discount path for buyers also running PAN firewalls or Prisma Cloud
Cortex XSIAM (2023 launch) ships AI-native SecOps that subsumes SIEM + SOAR + UEBA in one platform; XSOAR roadmap is being absorbed into XSIAM
Acquisition of IBM QRadar SaaS portfolio (May 2024, $500M) consolidates the SOAR incumbent market under one parent

Weaknesses

XSIAM convergence creates 2026-2027 roadmap uncertainty for stand-alone XSOAR customers; multiple customer references cite re-platforming discussions
Strongest fit only when standardised on Palo Alto Networks platform; on a non-PAN stack the bundle math does not work
Opaque pricing; Vendr triangulates $100K-$300K typical mid-market and $500K-$2M+ Fortune 500
Playbook authoring requires Cortex-specific scripting knowledge; learning curve longer than Tines no-code
No native physical-security incident workflow; cyber-side only
PAN-firewall licence discount path can mask the standalone SOAR cost for buyers without a PAN platform commitment

Best for

SOCs standardised on the Palo Alto Networks platform stack (Cortex XDR, Cortex XSIAM, Prisma Cloud, PAN-OS firewalls). Strong fit for Fortune 500 SOCs willing to commit to the PAN ecosystem.

Worst for

SOCs running Splunk Enterprise Security or Microsoft Sentinel as the SIEM; Splunk SOAR (for Splunk) or Tines / Swimlane (for Sentinel) fit those briefs better. Also a poor fit for buyers that want pure-no-code at Tines depth.

Key features

Playbook orchestration with visual canvas
750+ Content Packs in the Cortex Marketplace
Native integration with Cortex XDR and Cortex XSIAM
Threat intelligence management
Case management with collaboration
Playbook-as-code (Python) authoring
Cortex XSOAR Marketplace community
Multi-tenant for MSSPs

Integrations

750+ native. Notable: Cortex XDR, Cortex XSIAM, Prisma Cloud, Palo Alto Networks NGFW, Microsoft Sentinel, CrowdStrike Falcon, ServiceNow.

Target size

1,000 to 5,00,000 employees · US · EU · UK · CA · AU · JP · SG

IBM QRadar SOAR

IBM Corporation · Founded 2010 · Armonk, New York, USA

Deepest NIST 800-61 r3 playbook library and breach-notification regulatory-clock automation.

Opaque pricingG2 4.2 · Capterra 4.3 · 160+ reviews

Summary

IBM QRadar SOAR is the Resilient platform that IBM acquired in February 2016 (Bruce Schneier was Resilient CTO at the time). In May 2024 IBM sold the QRadar SaaS portfolio to Palo Alto Networks for $500M plus a 5-year services agreement; on-premises QRadar SOAR continues under IBM through customer migration. QRadar SOAR carries the deepest pre-built breach-notification regulatory-clock library in this ranking, covering HIPAA 60-day individual notification, GDPR 72-hour supervisory-authority notification, state breach notification across 50 states plus DC, and sector-specific mandates (NYDFS Part 500, GLBA Safeguards Rule, financial-services regulator timing). The right pick when the privacy office co-owns the incident programme alongside the SOC.

Strengths

Deepest pre-built breach-notification regulatory-clock library in this ranking (HIPAA + state + GDPR + sector-specific)
Resilient heritage (Bruce Schneier CTO) and IBM Watson AI overlay (2018+) ship privacy-office-friendly workflow
Strongest fit when the privacy office co-owns the incident programme alongside the SOC
IBM Cloud Pak for Security integration ties SIEM (QRadar SIEM legacy) + SOAR + UBA on one platform
Pre-built NIST SP 800-61 r3 and r2 playbooks; updated for the April 2024 r3 draft
On-premises deployment continues under IBM through customer migration (Palo Alto Networks QRadar SaaS acquired May 2024 only)

Weaknesses

Palo Alto Networks acquisition of QRadar SaaS portfolio (May 2024) creates 2026-2027 roadmap uncertainty; on-premises customers facing a forced migration path within the 5-year services agreement window
Smaller integration count than Cortex XSOAR (750+) or Splunk SOAR (350+); IBM ecosystem-tied
UI shows operational-heritage; competing newer cloud-first SOAR entrants have a more polished first-run experience
Opaque pricing; Vendr triangulates $80K-$250K typical mid-market and $400K-$1M+ Fortune 500
IBM consultant-heavy implementation model; mid-market buyers commonly pay 1.0-1.5x licence fee in Year 1 services
No native physical-security incident workflow; cyber and breach-notification only

Best for

Regulated-industry SOCs (healthcare, financial services, public sector) where the privacy office and the legal team co-own the incident programme alongside the SOC. Strong fit for HIPAA-regulated entities and EU-subsidiary organisations running GDPR Article 33 clocks.

Worst for

SOCs running entirely on Palo Alto Networks platform; Cortex XSOAR (same parent post-May 2024 for SaaS) fits that brief. Also a poor fit for buyers that want pure-no-code at Tines depth.

Key features

Pre-built NIST SP 800-61 r3 playbook library
Breach-notification regulatory-clock automation (HIPAA + state + GDPR)
IBM Watson AI for incident summarisation
Dynamic playbook execution with branching logic
Privacy-office workflow integration
IBM Cloud Pak for Security platform
On-premises and hybrid-cloud deployment
Multi-tenant for MSSPs

Integrations

180+ native. Notable: IBM QRadar SIEM, IBM Watson, ServiceNow, Splunk Enterprise Security, Microsoft Sentinel, CrowdStrike Falcon, Cisco SecureX.

Target size

1,000 to 5,00,000 employees · US · EU · UK · CA · AU · JP · SG · IN

D3 Security

D3 Security Management Systems, Inc. · Founded 1995 · Vancouver, British Columbia, Canada

Cyber-physical convergence specialist with NextGen SOAR plus physical incident management on one platform.

Opaque pricingG2 4.4 · Capterra 4.5 · 90+ reviews

Summary

D3 Security was founded in 1995 in Vancouver and is one of the only platforms in this category that ships NextGen SOAR alongside physical incident management, investigation case management, and ASIS-aligned workflow on one tenant. FedRAMP Moderate authorisation. The Smart SOAR platform (the latest D3 platform generation) ships pre-built playbooks for cyber-physical convergence at airports (TSA-regulated environments), utilities (NERC CIP), federal facilities, and Fortune 500 Global Security Operations Centres (GSOCs). The right pick when the SOC and the GSOC report to the same Chief Security Officer.

Strengths

Cyber-physical convergence on one platform; SOC and GSOC under one workflow
FedRAMP Moderate authorisation; eligible for federal-government deployments
30 years of operating history in physical security (founded 1995); not a VC-funded SOAR pivot
Pre-built playbooks for TSA-regulated airports, NERC CIP utilities, federal facilities, and Fortune 500 GSOCs
Smart SOAR platform with codeless playbook authoring
MSSP-friendly multi-tenant architecture

Weaknesses

Smaller installed base than Splunk SOAR or Cortex XSOAR; fewer community playbooks
Opaque pricing; Vendr triangulates $60K-$200K typical mid-market and $250K-$700K Fortune 500
UI shows the cyber-physical merge complexity; analyst-onboarding curve longer than Tines or Swimlane
Brand awareness in pure-cyber SOAR cohort is lower than the Gartner-leader incumbents
Smaller analyst-community contribution rate than Cortex XSOAR Marketplace

Best for

Organisations that run a converged SOC plus GSOC under a single Chief Security Officer, especially in TSA-regulated airports, NERC CIP utilities, federal facilities, and Fortune 500 multinational GSOCs with both cyber and physical operations centres on the same floor.

Worst for

Pure-cyber SOCs without physical-security operations centre integration needs; Splunk SOAR or Cortex XSOAR fits that brief. Also a poor fit for pure-investigation case management; Resolver fits that brief.

Key features

NextGen SOAR with codeless playbook authoring
Physical incident management on the same platform
Cyber-physical convergence workflow
FedRAMP Moderate authorisation
Pre-built playbooks for TSA / NERC CIP / federal facilities
MSSP multi-tenant architecture
Investigation case management with chain-of-custody
ASIS-aligned workflow

Integrations

200+ native. Notable: Splunk Enterprise Security, Microsoft Sentinel, ServiceNow, CrowdStrike Falcon, Genetec, Lenel S2, Software House.

Target size

500 to 2,00,000 employees · US · Canada · EU · UK · AU · AE

Tines

Tines, Inc. · Founded 2018 · Dublin, Ireland (US HQ: Boston)

No-code SOC automation with the cleanest UX and the highest G2 satisfaction in this ranking.

Partial pricingG2 4.9 · Capterra 4.8 · 240+ reviews

Summary

Tines was founded in 2018 in Dublin by Eoin Hinchy (former eBay security lead) and Thomas Kinsella. The platform raised a $600M Series C in August 2024 at a $1.13B valuation led by Goldman Sachs Growth and Felicis. The no-code story-builder (Tines calls its playbooks 'stories') is the cleanest SOC automation UX in this category; analysts can build complete incident workflows without writing code. G2 4.9 out of 5 is the highest score in this ranking. The right pick when the SOC wants a SOAR replacement without the playbook-engineering tax.

Strengths

Cleanest no-code SOC automation UX in the category (Tines stories)
G2 4.9/5 is the highest customer-satisfaction score in this ranking
$600M Series C August 2024 at $1.13B valuation led by Goldman Sachs Growth + Felicis
Community Edition is free for individual analysts (the only free tier in this ranking)
Fortune 500 customers including Coinbase, Mars, McKesson, Nasdaq, Reddit, and Sumo Logic
Strongest analyst-time-to-first-playbook in this ranking (typical 1-2 hours vs days for Splunk SOAR or Cortex XSOAR)
Independent ownership avoids the parent-company-acquisition uncertainty affecting Splunk SOAR (Cisco), QRadar SOAR (PAN-IBM split), and Cortex XSOAR (XSIAM convergence)

Weaknesses

Smaller integration count than Splunk SOAR (350+), Cortex XSOAR (750+), or ServiceNow Security Operations (300+); 200+ integrations as of 2026-05-15
Newer platform (founded 2018) with less mature enterprise-scale references at Fortune 500 SOC level
Opaque pricing above the free Community tier; Vendr triangulates $40K-$120K Professional and $150K-$500K Enterprise
No native SIEM at Splunk ES depth; pairs with Splunk / Sentinel / Chronicle / Elastic but does not replace them
No native physical-security incident workflow; cyber-side only
Smaller pre-built playbook library than Cortex XSOAR Marketplace (750+ Content Packs)

Best for

SOCs that want a SOAR replacement without the playbook-engineering tax. Strong fit for cloud-native SaaS, fintech, and crypto-exchange SOCs whose analyst team wants no-code story-building with high time-to-value.

Worst for

Fortune 500 SOCs running 750+ pre-built playbooks on Cortex XSOAR Marketplace; the Tines integration count is smaller. Also a poor fit for organisations whose primary incident load is physical-security or investigation case management.

Key features

No-code story-builder (Tines stories)
200+ integrations
Community Edition free for individual analysts
Tines AI for natural-language story authoring
Case management with timeline
Multi-tenant architecture for MSSPs
Webhook and API trigger support
Tines library of pre-built stories

Integrations

200+ native. Notable: Splunk Enterprise Security, Microsoft Sentinel, CrowdStrike Falcon, ServiceNow, Okta, Jira, Slack.

Target size

50 to 1,00,000 employees · US · Canada · EU · UK · AU

OnSolve

OnSolve (a Crisis24 / GardaWorld company) · Founded 1998 · Alpharetta, Georgia, USA

Critical event management and mass notification for workplace violence, active assailant, and physical incidents.

Opaque pricingG2 4.5 · Capterra 4.5 · 180+ reviews

Summary

OnSolve is the critical event management and mass notification platform that emerged from the 2020 merger of Send Word Now plus One Call Now (under the OnSolve brand) and went private under Crisis24 / GardaWorld in late 2022. OnSolve delivers sub-60-second mass notification to 100,000-plus recipients across SMS, voice, email, mobile push, and TTS calls. Pre-built workflow for active-assailant response, severe-weather alerting, business-continuity activation, and physical-incident communications. The right pick when the incident programme is physical-side first and the load-bearing requirement is mass-notification delivery latency rather than SOC alert triage.

Strengths

Sub-60-second mass-notification delivery to 100,000+ recipients across SMS, voice, email, mobile push, and TTS calls
Pre-built workflow for active-assailant response, severe-weather alerting, business-continuity activation
Crisis24 / GardaWorld parent brings physical-security intelligence and global response capability
Strongest fit when the incident programme is physical-side first (workplace violence, active assailant, severe weather, business continuity)
OnSolve Risk Intelligence overlay for threat-monitoring across 100,000+ global sources
Pre-FedRAMP authorisation in process (Moderate baseline as of 2026)

Weaknesses

Not a cyber-SOAR; SOC alert triage requires pairing with Splunk SOAR, Cortex XSOAR, or similar
Smaller investigation case management depth than Resolver or D3; mass-notification specialist
Opaque pricing; Vendr triangulates $30K-$150K typical mid-market and $250K-$750K large enterprise
Crisis24 / GardaWorld late-2022 acquisition created brand-confusion period that customers cited in references through 2024
Less mature breach-notification regulatory-clock automation than IBM QRadar SOAR or RiskWatch; mass notification only
UI shows two-product-merger heritage (Send Word Now plus One Call Now) in places

Best for

Organisations whose primary incident load is mass notification, active-assailant response, severe-weather alerting, or business-continuity activation. Strong fit for K-12 districts, higher education campuses, healthcare systems, retail chains, manufacturing facilities, and Tier-1 corporate enterprises with workplace-violence response programmes.

Worst for

Pure-cyber SOCs with no physical-security or mass-notification load; Splunk SOAR or Cortex XSOAR fits that brief. Also a poor fit for organisations whose primary need is investigation case management; Resolver fits that brief.

Key features

Sub-60-second mass notification to 100,000+ recipients
Multi-channel delivery (SMS, voice, email, mobile push, TTS)
Pre-built active-assailant response workflow
Severe-weather alerting with NWS feed integration
Business-continuity activation workflow
OnSolve Risk Intelligence threat monitoring
Recipient acknowledgement and accountability tracking
Multi-site, multi-organisation management

Integrations

100+ native. Notable: Microsoft 365, ServiceNow, Workday, Microsoft Entra ID, Okta, Genetec, Crisis24 GardaWorld.

Target size

500 to 5,00,000 employees · US · Canada · EU · UK · AU

#10

Swimlane

Swimlane, Inc. · Founded 2014 · Louisville, Colorado, USA

Low-code SOAR challenger with the strongest hyperautomation AI overlay in the category.

Opaque pricingG2 4.7 · Capterra 4.6 · 130+ reviews

Summary

Swimlane was founded in 2014 in Louisville Colorado and raised a $70M growth round in December 2021 led by Activate Capital. The Turbine platform (the latest generation of what was previously Swimlane SOAR) ships AI hyperautomation for alert triage with low-code playbook authoring. The Swimlane AI overlay generates playbooks from natural-language descriptions and applies large-language-model reasoning to incident summarisation and analyst handoff. The right pick for SOCs that want low-code with AI hyperautomation rather than pure no-code (Tines) or pure SIEM-native (Splunk SOAR).

Strengths

Strongest hyperautomation AI overlay in this category (Swimlane AI; natural-language playbook generation)
Turbine platform ships low-code playbook authoring with AI-assisted authoring
Independent ownership avoids the parent-company-acquisition uncertainty affecting Splunk SOAR, QRadar SOAR, and Cortex XSOAR
FedRAMP Moderate authorisation
MSSP-friendly multi-tenant architecture
Pre-built content for over 300 SIEM, XDR, EDR, identity, and ticketing integrations

Weaknesses

Smaller installed base than Splunk SOAR or Cortex XSOAR; fewer community playbooks
Opaque pricing; Vendr triangulates $60K-$180K typical mid-market and $200K-$600K Fortune 500
UI shows AI-overlay complexity for analysts who want pure no-code; learning curve longer than Tines
Brand awareness in pure-cyber SOAR cohort is lower than the Gartner-leader incumbents
No native physical-security incident workflow; cyber-side only
Smaller pre-built playbook library than Cortex XSOAR Marketplace (300+ vs 750+)

Best for

SOCs that want low-code playbook authoring with AI hyperautomation. Strong fit for mid-market and growth-stage enterprises whose analyst team has 1-3 playbook engineers and wants AI to do the rest.

Worst for

Pure no-code shops that want Tines-style story-building; Tines fits that brief better. Also a poor fit for buyers standardised on Splunk ES (Splunk SOAR) or Palo Alto Networks (Cortex XSOAR).

Key features

Turbine low-code playbook authoring
Swimlane AI natural-language playbook generation
300+ integrations
Case management with timeline and evidence
FedRAMP Moderate authorisation
MSSP multi-tenant architecture
Reporting and dashboards
Cloud and on-premises deployment

Integrations

300+ native. Notable: Splunk Enterprise Security, Microsoft Sentinel, CrowdStrike Falcon, ServiceNow, Recorded Future, Okta, Jira.

Target size

500 to 2,00,000 employees · US · Canada · EU · UK · AU

Step by step

Buying guide

Walk these steps in order. The shortlist falls out of step 1, the negotiation moves come together in step 6, and step 8 closes the deal.

Confirm which incident types your programme actually runs

Before evaluating platforms, document which incident types you handle: cyber-incident alert triage on a SIEM, physical incident logging under OSHA 1904, workplace violence cases under ASIS WVPI.1-2020, investigation cases with chain-of-custody, breach notification under HIPAA + state + GDPR mandates, mass notification for active-assailant or severe-weather events. The right platform has to cover what you actually run; if it does not, eliminate it before the demo. Pure-play SOAR (Splunk SOAR, Cortex XSOAR, IBM QRadar SOAR) handles cyber only; pure-play physical (Resolver, D3, OnSolve) handles physical; unified platforms (RiskWatch, ServiceNow Security Operations) cover both.

Score NIST SP 800-61 r3 and ISO/IEC 27035-1:2023 alignment

If you run cyber-incident handling, score the platform against the NIST SP 800-61 r3 4-phase workflow (Preparation, Detection and Analysis, Containment Eradication and Recovery, Post-Incident Activity) and the ISO/IEC 27035-1:2023 Principles and process. The r3 draft (April 2024) is the new procurement-language reference; platforms that have not updated their pre-built playbook libraries from the 2012 r2 are losing RFPs. IBM QRadar SOAR, Cortex XSOAR, Splunk SOAR, and RiskWatch ship r3-aligned playbooks.

Test the breach-notification regulatory-clock automation

If your programme covers HIPAA-regulated, state breach-notification-regulated, or GDPR-regulated data, test the platform's regulatory-clock automation with a real breach scenario: 1,500 California residents + 800 New York residents + 200 Florida residents + 50 EU residents + 100 HIPAA-protected health records. Can the platform compute the notification deadlines automatically (CA 1798.82 the original 2003 reference, NY SHIELD Act March 2020, FL 501.171 30 days, HIPAA 60 days, GDPR 72 hours)? IBM QRadar SOAR and RiskWatch carry the deepest pre-built libraries.

Test the chain-of-custody export against a real investigation file

If your programme runs investigation cases (fraud, ethics-line, whistleblower, workplace violence, theft), run an export from the platform and read it as the General Counsel or as the external defence counsel would. Does the chain-of-custody log show every access? Does the evidence vault timestamp the upload, the chain-of-custody handler, and the version history? Resolver is the reference; D3 Security and RiskWatch also ship chain-of-custody exports.

Stress-test the mass-notification delivery latency

If your programme covers active-assailant or severe-weather mass notification, stress-test the platform with a real-scale notification fan-out: 10,000 recipients across SMS + voice + email + mobile push + TTS. Does delivery complete in under 60 seconds? OnSolve is the reference at 100,000+ recipient scale. ServiceNow Security Operations and RiskWatch handle smaller-scale notification but are not the primary mass-notification surface.

Score SIEM-native correlation depth against your existing SIEM

If your SOC runs a SIEM, score the platform's correlation depth against your specific SIEM. Splunk SOAR is deepest with Splunk Enterprise Security. Cortex XSOAR is deepest with Cortex XDR and Cortex XSIAM. IBM QRadar SOAR is deepest with the legacy QRadar SIEM (now Palo Alto Networks SaaS). Tines and Swimlane are SIEM-agnostic with strong Sentinel and Chronicle support. The SOAR-SIEM pairing decision is load-bearing; choose the SOAR that fits your SIEM, not the other way around.

Run a 30-day pilot with a real incident end-to-end

Do not buy on a demo. Run one real cyber incident, one real physical incident, and one real breach-notification cycle end-to-end through the platform. Have your CISO, your Director of Corporate Security, your General Counsel, and your Chief Privacy Officer review the output. Buyers who lose 3-year deals consistently lose them on the pilot result, not on the analyst-quadrant placement.

Lock the renewal escalator, the parent-acquisition clause, and the exit clause in writing

PE-owned platforms (Resolver under Kroll, OnSolve under Crisis24 / GardaWorld) commonly push 8-15% renewal escalators after Year 1. Parent-company-acquired platforms (Splunk SOAR under Cisco March 2024, Cortex XSOAR XSIAM convergence, IBM QRadar SaaS sold to Palo Alto Networks May 2024) face material roadmap uncertainty. Cap the escalator in your master agreement, require 60-day notice of renewal terms, require 12-month notice and price-protection if the platform is sold to a new parent, and write a documented exit clause that gives you 90 days to export incident files, evidence vault, and playbook library in a portable format.

Frequently asked

Buyer questions, answered

The eight questions our pre-sales team hears the most often when buyers compare this category.

What is security incident management software and how is it different from SOAR?

Security incident management software is the broader category that hosts every type of incident a security programme deals with: cyber-incident handling under NIST SP 800-61 r3 and ISO/IEC 27035-1:2023, physical incidents under OSHA 29 CFR 1904 and ASIS WVPI.1-2020, investigation case management with chain-of-custody, breach notification under HIPAA + state + GDPR mandates, and mass notification for active-assailant and severe-weather events. SOAR (Security Orchestration, Automation, and Response) is a sub-category focused on the cyber-incident workflow with playbook automation, SIEM integration, and alert triage. Splunk SOAR, Cortex XSOAR, IBM QRadar SOAR, Tines, and Swimlane are SOAR specialists. RiskWatch, Resolver, D3 Security, ServiceNow Security Operations, and OnSolve span more of the broader incident-management category.

Which platform is best for a SOC running Splunk Enterprise Security as the SIEM?

Splunk SOAR is the deepest SIEM-native correlation pick when the SOC already runs Splunk ES; the SOAR investment piggy-backs on the SIEM contract and the Mission Control unified workspace (Splunk SOAR + Splunk ES + Splunk UBA) ships in 2025-2026 release. Cortex XSOAR is the second pick when the buyer wants the largest Content Pack library (750+ in the Cortex Marketplace) regardless of SIEM. Tines is the third pick when the SOC wants a no-code SOAR replacement without the Splunk-specific lock-in.

Which platform fits a corporate security team running workplace violence, fraud, and investigation cases?

Resolver carries the strongest investigation case workflow in the GRC category with chain-of-custody handling defensible against board, regulator, civil-discovery, and criminal-case scrutiny. Kroll subsidiary integration since March 2022 brings Kroll Risk Intelligence adverse-media and sanctions screening into the same tenant. D3 Security is the second pick when the corporate security team is also responsible for a converged SOC plus GSOC at airports, utilities, or federal facilities. RiskWatch ranks first when the incident programme spans cyber + physical + breach-notification + investigation in one tenant at a published $99/month entry price.

How do these platforms handle the HIPAA 60-day, state, and GDPR 72-hour breach-notification clocks?

IBM QRadar SOAR carries the deepest pre-built breach-notification regulatory-clock library in this ranking, with HIPAA 45 CFR 164.404 60-day individual notification, state breach notification across 50 states + DC, and GDPR Article 33 72-hour supervisory-authority notification automated by playbook. RiskWatch ships an equivalent regulatory-clock library on the Professional tier at $36K per year published. ServiceNow Security Operations and Cortex XSOAR support breach-notification workflow through custom playbook authoring rather than as a first-class pre-built feature. Splunk SOAR and Tines support breach-notification workflow through custom story authoring.

What is the NIST SP 800-61 r3 incident-handling guide and which platforms align to it?

NIST SP 800-61 Rev. 3 is the third revision of the Computer Security Incident Handling Guide, drafted by NIST in April 2024 with final publication expected 2025. The r3 draft updates the legacy August 2012 r2 procurement-language reference with cloud-native incident handling, post-quantum cryptography considerations, and CISA-aligned reporting flows. IBM QRadar SOAR, Cortex XSOAR, and Splunk SOAR ship pre-built playbook libraries aligned to r3; RiskWatch ships r3 workflow on the Professional tier. The 4-phase r3 workflow (Preparation, Detection and Analysis, Containment Eradication and Recovery, Post-Incident Activity) is now the procurement-language reference for SOC RFPs in 2026.

Which platform fits a converged Chief Security Officer who owns both cyber and physical security?

D3 Security is the cyber-physical convergence specialist with NextGen SOAR plus physical incident management on one platform. Pre-built playbooks for cyber-physical convergence at TSA-regulated airports, NERC CIP utilities, federal facilities, and Fortune 500 GSOCs. RiskWatch is the second pick when the CSO also owns breach notification and investigation case management in the same tenant. ServiceNow Security Operations is the third pick when the broader organisation already runs the Now Platform for ITSM and CMDB.

Where do pure-play SOAR specialists (Splunk, Cortex XSOAR) still win?

Pure-play SOAR specialists still win when the workload is high-volume alert triage with a SIEM-native correlation requirement. Splunk SOAR wins when the SOC runs Splunk Enterprise Security as the SIEM; the 350+ integrations and the largest community-contributed playbook library are unmatched. Cortex XSOAR wins when the buyer is standardising on the Palo Alto Networks platform stack; the 750+ Content Packs in the Cortex Marketplace are the largest pre-built playbook library in this ranking. Both incumbents still earn the SOC bake-off when the SOC alert volume exceeds 1M per day. The unified-platform alternatives (RiskWatch, ServiceNow Security Operations) and the no-code alternatives (Tines) win when the workload is broader than pure-cyber alert triage.

What does security incident management software cost in 2026?

Pricing varies by category. RiskWatch publishes $99/month Standard and $36K/year Professional with Enterprise quote-only. Tines Community Edition is free for individual analysts with Professional and Enterprise quote-only ($40K-$500K triangulated). Splunk SOAR is opaque ($80K-$300K stand-alone, $500K-$2M+ Mission Control bundle). Cortex XSOAR is opaque ($100K-$300K stand-alone, $500K-$2M+ XSIAM bundle). IBM QRadar SOAR is opaque ($80K-$250K typical, $400K-$1M+ Cloud Pak for Security). ServiceNow Security Operations is opaque ($250K-$500K+ mid-market, $500K-$2M+ Fortune 500). Resolver is opaque ($45K-$120K typical, $200K+ multi-module). D3 Security is opaque ($60K-$200K typical, $250K-$700K Fortune 500). OnSolve is opaque ($30K-$150K typical, $250K-$750K large enterprise). Swimlane is opaque ($60K-$180K typical, $200K-$600K Fortune 500).

Definitions

Glossary

Definitions for the acronyms and jargon used on this page. Useful for sharing with non-specialist stakeholders on the buying committee.

NIST SP 800-61 r3: The NIST Computer Security Incident Handling Guide, third revision, drafted by NIST in April 2024 with final publication expected 2025. The r3 draft updates the legacy August 2012 r2 with cloud-native incident handling, post-quantum cryptography considerations, and CISA-aligned reporting flows. The 4-phase workflow (Preparation, Detection and Analysis, Containment Eradication and Recovery, Post-Incident Activity) is the procurement-language reference for SOC RFPs.
ISO/IEC 27035-1:2023: The ISO/IEC information-security incident management standard, Part 1 (Principles and process), refreshed in 2023. Part 2 (Guidelines to plan and prepare for incident response) and Part 3 (Guidelines for ICT incident response operations) extend the standard. ISO/IEC 27035 is the international counterpart to NIST SP 800-61 r3 and is referenced in EU and APAC procurement.
OSHA 29 CFR 1904: The OSHA Recordkeeping Rule governing the logging of work-related injuries, illnesses, and incidents on OSHA Form 300 (Log), Form 300A (Annual Summary, posted February 1 to April 30 each year), and Form 301 (Incident Report). Partial electronic submission to OSHA via the Injury Tracking Application is required by March 2 annually for high-hazard NAICS codes.
ASIS WVPI.1-2020: ASIS International Workplace Violence and Active Assailant Prevention, Intervention, and Response Standard (2020). Defines the threat assessment, prevention programme, intervention workflow, and active-assailant response protocol for workplace violence cases. The standard is the procurement-language reference for corporate security workplace-violence programmes.
HIPAA Breach Notification Rule (45 CFR 164.400-414): The HIPAA rule requiring covered entities and business associates to notify affected individuals within 60 calendar days of breach discovery (164.404), notify prominent media outlets within 60 days when a breach affects more than 500 residents of a state or jurisdiction (164.406), and notify the Secretary of HHS via the Office for Civil Rights breach portal (164.408) within 60 days for breaches of 500+ individuals (or annually for smaller breaches).
GDPR Article 33: The EU General Data Protection Regulation provision requiring controllers to notify the competent supervisory authority of a personal-data breach within 72 hours of becoming aware of it, where feasible. Article 34 layers individual notification when the breach is likely to result in a high risk to the rights and freedoms of natural persons.
Root-cause analysis (RCA): The structured investigation technique for identifying the underlying cause of an incident. Common methods: 5 Whys (Toyota Production System) asks 'why' five times to reach the root cause; Ishikawa fishbone diagram (4M / 6M / 8M categories: Manpower, Machines, Methods, Materials, Measurement, Mother Nature) organises causes by category; fault-tree analysis (FTA) maps causal logic as a Boolean tree; Apollo RCA and TapRooT are commercial methodologies. NIST SP 800-61 r3 requires lessons-learned RCA after every Sev-1 or Sev-2 incident.

Final word

So which one should you pick?

If you read this page top to bottom and one platform stood out, that is your answer. The methodology is on this page so you can disagree with the rank and arrive at a different first pick honestly. Security incident management is not one brief; it is at least four (cyber-incident handling under NIST SP 800-61 r3, physical-incident logging under OSHA 1904 and ASIS WVPI.1-2020, breach notification under HIPAA + state + GDPR mandates, and investigation case management with chain-of-custody). The ten platforms on this page serve different combinations of those four. Pure-play SOAR specialists (Splunk SOAR, Cortex XSOAR) still win the SOC bake-off when the workload is high-volume alert triage on a SIEM. Physical-security specialists (Resolver, D3) still win when investigation case management or chain-of-custody is load-bearing. Read the per-card weaknesses, not just the ranks.

One thing every incident programme should do, regardless of which vendor wins your bake-off, is to insist on a 30-day pilot with one real cyber incident, one real physical incident, and one real breach-notification cycle run end-to-end. Add a renewal-escalator cap in writing, a parent-acquisition clause that gives you 12-month notice and price-protection if the platform is sold to a new parent (a live risk in 2026 for Splunk SOAR under Cisco, Cortex XSOAR under the XSIAM convergence, and IBM QRadar SaaS sold to Palo Alto Networks), and a documented exit clause that gives you 90 days to export incident files, evidence vault, and playbook library in a portable format. Buyers who lose 3-year deals consistently lose them on those three terms.

If you would like the RiskWatch demo, sign up at riskwatch.com/request-a-demo. If you would like a no-strings second-opinion on one of the other nine, email sales@riskwatch.com with the vendor name in the subject line and we will share what we know.