Most of us will have spotted the pun in the heading from a mile away, but that is what headings are for. Their intent is to arouse curiosity about the content. If you have come this far, it means we have succeeded in drawing your attention. So, without much ado, let us talk about the topic: A comparison of 2024 and 2025 SPARK matrices for the Security Orchestration and Response (SOAR) market. SOAR tools are becoming necessary as they help SOCs detect, investigate, and respond to threats faster. It achieves this objective by automating repetitive tasks and orchestrating (executing multiple operations across various tools, such as threat intelligence feeds, firewalls, and endpoint detection software) actions across different tools. Now that we have talked about the need for SOAR tools, let us compare SPARK Matrix 2024 and 2025 for this tool’s market.
Let us start with a comparison of participating companies’ positions in 2024 and 2025, along with the likely reasons behind the positionings.
| Vendor | 2024 Position | 2025 Position | Likely causes for the Shift |
| Palo Alto Networks | Leader | Leader | Expanded orchestration in its broader SecOps/XDR stack; strong brand trust and deep integrations. |
| Fortinet | Leader | Leader | Consistent execution; tight network + SOC integration; good balance of automation and Zero Trust. |
| Splunk (Cisco) | Leader | Leader | Cisco acquisition boosts scale, brand synergy; SIEM + SOAR story still resonates strongly. |
| ServiceNow | Leader | Leader | Leading on SecOps workflow automation; strong enterprise loyalty; expanding playbook templates. |
| Swimlane | Leader | Leader | Maintaining niche SOAR leadership with low-code/no-code playbooks; sticky partnerships. |
| Sumo Logic | Leader | Leader | Cloud-native SIEM plus mature automation; staying power with mid-market buyers. |
| Trellix | Strong Contender | Leader | Post-McAfee/FireEye merger maturing; sharper orchestration capabilities; regained market trust. |
| Tines | Strong Contender | Leader (Emerging Innovator) | Fast-growing low-code disruptor; developer-friendly; high buzz in DevSecOps and SOC automation. |
| Logpoint | Leader | Strong Contender | Need to improve technology excellence & impact; likely lagging scale and integrations compared to peers. |
| ManageEngine | Leader | Strong Contender | Good for mid-market but limited big-enterprise traction; needs to improve ecosystem integration. |
| Torq | Leader | Strong Contender | Early buzz cooled off; execution gaps; less differentiation vs. other low-code SOAR players. |
| Strong Contender | Strong Contender | Good in-house tech but remains siloed; still lacks full orchestration appeal vs. integrated SecOps suites. | |
| Cyware | Strong Contender | Strong Contender | Solid threat intel angle, but orchestration depth still maturing; niche use cases. |
| Rapid7 | Strong Contender | Strong Contender | AI-driven response and cross-stack integration are still catching up. |
| OpenText (Micro Focus) | Strong Contender | Strong Contender | Legacy strength; needs fresher orchestration value; brand transition still in play. |
| Anomali | Strong Contender | Strong Contender | Known for threat intel; orchestration remains second fiddle to core platform. |
| Devo | Strong Contender | Strong Contender | Solid SIEM but struggles to stand out for robust orchestration; more investment needed in automation depth. |
| ThreatQuotient | Technology Leader | Not Visible | Disappears in 2025; likely lost share or shifted focus; not keeping pace with leaders on orchestration and response. |
| D3 Security | Strong Contender | Aspirant | Slips lower on impact; possibly stuck in mid-market; lack of standout differentiators. |
| Threat Connect | Strong Contender | Aspirant | Same story; less visible traction; overshadowed by bigger or more modern players. |
| DTonomy | Aspirant | Not Visible | Vanished in 2025; suggests pivot, limited traction, or getting squeezed out of deals. |
| SIRP | Not Visible | Aspirant | New to the matrix; niche or regional player trying to stand out in a crowded market. |
Market landscape:
A side-by-side comparison of both matrices reveals one key fact: the leaders need to pull up their socks. The leader quadrant of the 2024 matrix is heavily populated by established giants. 2025 matrix showed that while some players have kept their crowns, some have slipped. Some contenders have broken into the leader quadrant. Let us first look at the winners for both years: Palo Alto Networks, Fortinet, Cisco (Splunk), ServiceNow, Swimlane, and Sumo Logic. The likely reasons these companies have managed to hold on to their spots are tightened cross-stack integrations, maturing automation layers, and focus on real hybrid orchestration.
Coming to the contenders, this quadrant holds some pretty big names. Google, Rapid7, Cyware, OpenText (Micro Focus), Anomali, Devo, and ManageEngine are all stuck here. The likely reason?
The companies offer decent orchestration building blocks. However, they lack the seamless integration, AI-driven response, or compelling differentiation that buyers now expect.
About the rest, DTonomy and ThreatQuotient, present in 2024, have vanished for unknown reasons. D3 Security and ThreatConnect both fell to the Aspirant quadrant — replaced by SIRP, which appears for the first time as a wildcard.
What is driving the winners ahead?
The winners are stitching SOAR into XDR, SIEM, identity, and cloud-native controls to provide orchestration across hybrid environments.
Final word:
If you are looking for a SOAR product, ask yourself these four questions:
- Does the vendor have a clear roadmap for staying ahead, or are they coasting on last year’s feature sheet?
- How does this solution integrate with my SIEM, EDR, IAM, and third-party tools?
- Does the platform learn and adapt?
- Can the product support hybrid and multi-cloud?
SOAR is now becoming an essential part of SecOps. As we can see from the matrices, the market is maturing, with a large section of the 2024 leaders staying on as leaders. But the distance between leaders and contenders is decreasing fast. The key to success will be the ability to make orchestration simple, adaptive, and deeply embedded in the security fabric.