Role Definition
| Field | Value |
|---|---|
| Job Title | SOAR Engineer |
| Seniority Level | Mid-Level |
| Primary Function | Designs, builds, and maintains automated playbooks for incident response using SOAR platforms (Cortex XSOAR, Splunk SOAR, Swimlane, Tines). Integrates security tools via APIs to create orchestrated response workflows. Builds automation that SOC analysts consume daily for alert triage, enrichment, containment, and remediation. |
| What This Role Is NOT | NOT a SOC Analyst (who consumes the playbooks this role creates). NOT a Detection Engineer (who writes detection rules, not response automation). NOT a Security Engineer (broader infrastructure scope). NOT a DevSecOps Engineer (who secures CI/CD pipelines, not incident response). |
| Typical Experience | 3-7 years. Background typically includes SOC analyst or security engineering experience before specialising. Python scripting, REST API integration, and platform-specific certifications (Cortex XSOAR Engineer, Splunk SOAR Certified Developer). |
Seniority note: Junior SOAR engineers who build playbooks from templates and configure pre-built integrations would score Red. Senior SOAR architects who design automation strategy, define SOC operating models, and lead platform selection would score Green (Transforming).
Protective Principles + AI Growth Correlation
| Principle | Score (0-3) | Rationale |
|---|---|---|
| Embodied Physicality | 0 | Fully digital, desk-based work. No physical component. |
| Deep Interpersonal Connection | 1 | Collaborates with SOC analysts, incident responders, and security engineers to understand workflow requirements. Trust matters in cross-team relationships but is not the core deliverable. |
| Goal-Setting & Moral Judgment | 1 | Some judgment in deciding which workflows to automate and how aggressively to auto-remediate, but operates within defined incident response procedures and CISO-approved response policies. Follows more than sets direction. |
| Protective Total | 2/9 | |
| AI Growth Correlation | 0 | Neutral. AI adoption creates more security incidents requiring automated response, but AI is simultaneously eliminating the need for human-built playbooks altogether. Prophet Security, Torq HyperSOC, and agentic AI SOC platforms use reasoning-based investigation instead of playbooks, directly displacing the core deliverable. Net effect is neutral. |
Quick screen result: Protective 2 + Correlation 0 = Likely Yellow or Red Zone (proceed to quantify).
Task Decomposition (Agentic AI Scoring)
| Task | Time % | Score (1-5) | Weighted | Aug/Disp | Rationale |
|---|---|---|---|---|---|
| Playbook design & development | 30% | 3 | 0.90 | AUGMENTATION | Core skill: designing multi-step response workflows in Cortex XSOAR/Splunk SOAR. AI can generate playbook scaffolding from natural language descriptions and auto-suggest integration steps. But understanding which response actions are appropriate for a specific environment, balancing speed vs risk in auto-remediation, and handling edge cases requires human judgment. AI drafts, human architects. |
| Security tool integration & API orchestration | 20% | 3 | 0.60 | AUGMENTATION | Connecting SOAR to 300+ security tools via APIs. AI generates integration code and handles standard connectors, but debugging authentication flows, handling vendor-specific API quirks, and managing credential rotation in complex environments still requires engineering skill. Moving toward displacement as SOAR platforms ship AI-generated connectors. |
| Playbook testing, tuning & maintenance | 15% | 4 | 0.60 | DISPLACEMENT | Testing playbooks against simulated incidents, tuning thresholds, maintaining existing automation. Agentic AI platforms like Prophet Security eliminate playbook maintenance entirely by using reasoning-based investigation. Splunk SOAR and XSOAR are both adding AI-assisted testing and auto-tuning. Structured, repeatable work that AI handles well. |
| Incident response workflow automation | 10% | 3 | 0.30 | AUGMENTATION | Translating incident response procedures into automated workflows. Requires understanding both the IR process and the technical capabilities of the platform. AI generates workflow drafts from runbook documentation, but validating that automation handles the nuances of real incidents (partial containment, business-critical systems, escalation logic) needs human oversight. |
| SOC team collaboration & requirements gathering | 10% | 2 | 0.20 | AUGMENTATION | Working with SOC analysts and IR leads to understand pain points, gather automation requirements, and train teams on new playbooks. Human interaction and organisational context are central. AI not meaningfully involved. |
| Platform administration & health monitoring | 10% | 4 | 0.40 | DISPLACEMENT | Monitoring SOAR platform health, managing resources, upgrading versions, troubleshooting performance. Increasingly automated by platform vendors themselves. Cloud-hosted SOAR (Cortex XSOAR hosted, Splunk Cloud SOAR) eliminates most admin overhead. |
| Documentation & knowledge transfer | 5% | 4 | 0.20 | DISPLACEMENT | Writing playbook documentation, creating runbooks, training materials. AI generates documentation from playbook logic automatically. Splunk SOAR and XSOAR both auto-document playbook workflows. |
| Total | 100% | | 3.20 | | |
Task Resistance Score: 6.00 - 3.20 = 2.80/5.0
Displacement/Augmentation split: 30% displacement, 70% augmentation, 0% not involved.
Reinstatement check (Acemoglu): Partial. AI creates some new tasks: integrating agentic AI platforms into existing security stacks, validating AI-driven response actions, and designing human-in-the-loop escalation workflows for autonomous response. But these tasks are fewer in headcount demand than the playbook engineering work they replace. The reinstatement effect is weaker than for Detection Engineer or Incident Response Specialist.
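The human-in-the-loop escalation logic referred to above (and the auto-remediation judgment calls in the task table: speed versus risk, partial containment, business-critical systems) is easiest to see as code. The following is an added example written for this page, not code from the page, from any SOAR vendor SDK, or from any of the platforms named here. The alert shape, the asset tiers, the confidence thresholds and the hostnames are all assumptions chosen to illustrate the gate; in a real playbook the tier lookup would be a CMDB or EDR enrichment step and the isolation action would be the platform's own connector.

```python
"""Added example of an auto-remediation gate. Not code from the page or from
any SOAR vendor; the alert shape, asset tiers and thresholds are assumptions
chosen to show the decision logic a SOAR engineer has to encode."""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    AUTO_CONTAIN = "auto_contain"   # isolate the host without waiting for a person
    ESCALATE = "escalate"           # open an approval task; nothing runs until approved
    ENRICH_ONLY = "enrich_only"     # attach enrichment for triage; no containment


@dataclass
class Alert:
    alert_id: str
    host: str
    confidence: int                                          # 0-100 from the enrichment stage
    prior_actions: list[str] = field(default_factory=list)   # actions already run on this host


# Constructed asset inventory (assumption): criticality tier per hostname.
ASSET_TIERS = {
    "ws-0142": "workstation",
    "db-prod-01": "business_critical",
    "dc-01": "domain_controller",
}

# Assumed policy: minimum confidence at which a tier may be auto-isolated.
# Tiers absent from this table are never isolated without a human approver.
AUTO_ISOLATE_MIN_CONFIDENCE = {"workstation": 85}
MIN_ACTIONABLE_CONFIDENCE = 50   # below this the alert is enriched but not acted on


def decide(alert: Alert, change_freeze: bool = False) -> tuple[Decision, str]:
    """Return the containment decision and the reason written to the audit trail."""
    tier = ASSET_TIERS.get(alert.host, "unknown")

    if alert.confidence < MIN_ACTIONABLE_CONFIDENCE:
        return Decision.ENRICH_ONLY, f"confidence {alert.confidence} below actionable floor"

    # Edge cases a playbook must not get wrong: containment that did not hold,
    # assets nobody inventoried, and systems the business will not let a bot touch.
    if "isolate_host" in alert.prior_actions:
        return Decision.ESCALATE, "isolation already attempted; prior containment did not hold"
    if tier not in AUTO_ISOLATE_MIN_CONFIDENCE:
        return Decision.ESCALATE, f"tier '{tier}' requires human approval before isolation"
    if change_freeze:
        return Decision.ESCALATE, "change freeze in effect; automated isolation suspended"
    if alert.confidence < AUTO_ISOLATE_MIN_CONFIDENCE[tier]:
        return Decision.ESCALATE, (f"confidence {alert.confidence} below auto-isolate "
                                   f"threshold {AUTO_ISOLATE_MIN_CONFIDENCE[tier]} for tier '{tier}'")
    return Decision.AUTO_CONTAIN, f"tier '{tier}' at confidence {alert.confidence}"


def run_gate(alerts: list[Alert], change_freeze: bool = False) -> list[dict]:
    """Evaluate a batch and return audit records. The isolation call itself
    belongs to the platform's connector step and is deliberately not here."""
    records = []
    for alert in alerts:
        decision, reason = decide(alert, change_freeze)
        records.append({"alert_id": alert.alert_id, "host": alert.host,
                        "decision": decision.value, "reason": reason})
    return records


if __name__ == "__main__":
    # Constructed sample alerts, not real data.
    batch = [
        Alert("A-1", "ws-0142", 92),
        Alert("A-2", "db-prod-01", 99),
        Alert("A-3", "ws-0142", 40),
        Alert("A-4", "ws-0142", 92, prior_actions=["isolate_host"]),
        Alert("A-5", "srv-unlisted", 97),
    ]
    for rec in run_gate(batch):
        print(rec)
```

Two design points carry the security argument. The gate fails closed: an unknown asset, a repeated isolation or a change freeze all route to a human rather than to the action, which is the "human-in-the-loop" property the regulated-environment barriers below depend on. And every decision returns a reason string, so the audit trail shows why a bot did or did not act when an auto-isolation is later questioned.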
Evidence Score
| Dimension | Score (-2 to 2) | Evidence |
|---|---|---|
| Job Posting Trends | 0 | ZipRecruiter shows active SOAR engineer listings ($104K-$208K range). Rockstar Games, National Grid, and Euroclear hiring. But "SOAR engineer" as a distinct title is niche — many postings are embedded within broader "Security Automation Engineer" or "Security Engineer" roles. Not declining, not surging. Stable. |
| Company Actions | -1 | Prophet Security raised $30M Series A specifically to build agentic AI that eliminates playbook maintenance. Splunk integrating agentic AI directly into SOAR, reducing the engineering layer. Torq HyperSOC markets "no-playbook" automation. Vendors are building products that directly target SOAR engineer headcount reduction. No mass layoffs of SOAR engineers yet, but the investment direction is clear. |
| Wage Trends | 0 | ZipRecruiter average $115,864/year. Glassdoor range $99K-$185K. Reddit reports SME-level SOAR engineers at $150K-$225K. Competitive with broader cybersecurity mid-level ($100K-$140K) but not premium. Wages stable, not surging — suggests balanced supply/demand rather than acute shortage. |
| AI Tool Maturity | -1 | Production tools directly targeting SOAR engineering: Prophet Security (agentic AI replaces playbooks entirely), Torq HyperSOC (AI-driven automation without playbooks), Tines (AI workflow generation), Splunk AI Assistant (generates SOAR playbooks from natural language), Cortex XSOAR with XSIAM (AI-first platform reducing manual playbook needs). These tools are in production, not experimental. They perform 50-80% of playbook creation and maintenance with human oversight. |
| Expert Consensus | 0 | Mixed. Prophet Security CEO explicitly frames agentic AI as replacing SOAR's playbook model. Gartner predicts 45% of cybersecurity tasks automatable by 2028. ISC2: 87% expect AI to enhance, 2% expect replacement. The "enhance vs replace" consensus applies generally to cybersecurity — but SOAR engineering sits closer to the "replace" end because the core deliverable (playbooks) is itself an automation artifact that can be auto-generated. No consensus that the role disappears, but clear directional pressure. |
| Total | -2 | |
Barrier Assessment
Reframed question: What prevents AI execution even when programmatically possible?
| Barrier | Score (0-2) | Rationale |
|---|---|---|
| Regulatory/Licensing | 1 | No formal licensing. But PCI DSS, HIPAA, SOC 2, and NIS2 require documented incident response procedures with human accountability. Automated response actions (blocking IPs, isolating endpoints) have operational consequences that require human sign-off in regulated environments. |
| Physical Presence | 0 | Fully remote capable. |
| Union/Collective Bargaining | 0 | Tech sector, at-will employment. |
| Liability/Accountability | 1 | Automated response actions can cause business disruption (isolating a production server, blocking a legitimate IP). When auto-remediation goes wrong, someone is accountable for the playbook logic. Organisations want a human responsible for response automation decisions. |
| Cultural/Ethical | 1 | SOC teams and CISOs want human engineers behind response automation, especially for high-impact actions. Trust in fully AI-generated response workflows is growing but not sufficient for critical infrastructure or regulated industries. |
| Total | 3/10 | |
AI Growth Correlation Check
Confirmed at 0 (Neutral). AI adoption simultaneously creates demand for automated security response (more incidents, more complexity) and destroys demand for human-built playbooks (agentic AI platforms replace the playbook paradigm entirely). Prophet Security's "Agentic SOC" explicitly markets the elimination of playbook maintenance as a feature. Splunk and Palo Alto are both embedding AI directly into their SOAR platforms to reduce the human engineering layer. The recursive "more AI = more need for this role" property does not hold — more AI means more need for automated response but less need for humans to build that automation manually.
JobZone Composite Score (AIJRI)
| Input | Value |
|---|---|
| Task Resistance Score | 2.80/5.0 |
| Evidence Modifier | 1.0 + (-2 × 0.04) = 0.92 |
| Barrier Modifier | 1.0 + (3 × 0.02) = 1.06 |
| Growth Modifier | 1.0 + (0 × 0.05) = 1.00 |
Raw: 2.80 × 0.92 × 1.06 × 1.00 = 2.7306
JobZone Score: (2.7306 - 0.54) / 7.93 × 100 = 27.6/100
Zone: YELLOW (Green >=48, Yellow 25-47, Red <25)
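As an added worked example (not part of the page's own tooling), the scoring pipeline above can be reproduced end to end from the task table and the three modifier totals. Every constant (the 0.04, 0.02 and 0.05 modifier weights, the 0.54 offset, the 7.93 scale, the zone cut-offs) is taken from the formulas shown on this page; the task rows are the page's own values, re-entered as data so the arithmetic can be checked or rerun with different inputs.

```python
"""Added worked example, not part of the page: reproduces the AIJRI pipeline
from the task table and the evidence, barrier and growth totals. Every
constant is taken from the formulas on the page; the task rows are the page's
own values, re-entered here as data."""
from __future__ import annotations

# (task, share of time, agentic AI score 1-5, label) as tabulated on the page
TASKS = [
    ("Playbook design & development", 0.30, 3, "AUGMENTATION"),
    ("Security tool integration & API orchestration", 0.20, 3, "AUGMENTATION"),
    ("Playbook testing, tuning & maintenance", 0.15, 4, "DISPLACEMENT"),
    ("Incident response workflow automation", 0.10, 3, "AUGMENTATION"),
    ("SOC team collaboration & requirements gathering", 0.10, 2, "AUGMENTATION"),
    ("Platform administration & health monitoring", 0.10, 4, "DISPLACEMENT"),
    ("Documentation & knowledge transfer", 0.05, 4, "DISPLACEMENT"),
]

EVIDENCE_WEIGHT, BARRIER_WEIGHT, GROWTH_WEIGHT = 0.04, 0.02, 0.05
OFFSET, SCALE = 0.54, 7.93                    # normalisation constants in the JobZone formula
ZONES = ((48, "GREEN"), (25, "YELLOW"), (float("-inf"), "RED"))   # Green >=48, Yellow 25-47, Red <25


def weighted_task_score(tasks) -> float:
    """Sum of share x score: the 'Total' row of the task table."""
    if abs(sum(share for _, share, _, _ in tasks) - 1.0) > 1e-9:
        raise ValueError("time shares must sum to 100%")
    return round(sum(share * score for _, share, score, _ in tasks), 2)


def task_resistance(tasks) -> float:
    """Task Resistance Score = 6.00 - weighted total, on a 5.0 scale."""
    return round(6.0 - weighted_task_score(tasks), 2)


def label_split(tasks) -> dict[str, int]:
    """Percentage of task time per Aug/Disp label."""
    split: dict[str, int] = {}
    for _, share, _, label in tasks:
        split[label] = split.get(label, 0) + round(share * 100)
    return split


def pct_time_scoring_3plus(tasks) -> int:
    """Sub-label input: share of task time with an agentic AI score of 3 or more."""
    return round(100 * sum(share for _, share, score, _ in tasks if score >= 3))


def aijri(tasks, evidence: int, barriers: int, growth: int) -> tuple[float, str, float]:
    """Return (JobZone score, zone, raw composite) for the given inputs."""
    resistance = task_resistance(tasks)
    raw = (resistance
           * (1.0 + evidence * EVIDENCE_WEIGHT)
           * (1.0 + barriers * BARRIER_WEIGHT)
           * (1.0 + growth * GROWTH_WEIGHT))
    score = (raw - OFFSET) / SCALE * 100
    zone = next(name for floor, name in ZONES if score >= floor)
    return round(score, 1), zone, round(raw, 4)


if __name__ == "__main__":
    print("weighted total:", weighted_task_score(TASKS))       # 3.2
    print("resistance:", task_resistance(TASKS))               # 2.8
    print("split:", label_split(TASKS))
    print("time scoring 3+:", pct_time_scoring_3plus(TASKS), "%")
    print("AIJRI:", aijri(TASKS, evidence=-2, barriers=3, growth=0))
```

Rerunning `aijri` with a worsened evidence total is the quickest way to test the "could push the role into Red" claim in the commentary that follows: the evidence modifier moves the raw composite by 4% per point, so it is the one input a reassessment is likely to change.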
Sub-Label Determination
| Metric | Value |
|---|---|
| % of task time scoring 3+ | 90% |
| AI Growth Correlation | 0 |
| Sub-label | Yellow (Urgent) — >=40% task time scores 3+ |
Assessor override: None — formula score accepted. The 27.6 sits near the bottom of Yellow, 2.6 points above the Red boundary. This is consistent with the calibration context: lower than Detection Engineer (44.3) because detection engineering involves more creative judgment, while SOAR playbook work is more structured and directly targeted by AI tooling. Higher than Security Administrator (23.2) because SOAR engineering requires meaningful design and integration skills. Close to SOC Analyst T2 (33.3), which makes sense — both are mid-level SecOps roles where AI is compressing human involvement.
Assessor Commentary
Score vs Reality Check
The 27.6 score places SOAR Engineer just above the Yellow/Red boundary. This is honest but bears watching. The score is not barrier-dependent — barriers contribute only a 6% boost. The weakness is twofold: moderate task resistance (2.80) driven by the structured nature of playbook engineering, combined with mildly negative evidence as agentic AI platforms explicitly target this function. The borderline position (2.6 points above Red) means a worsening evidence score in the next 12-18 months could push the role into Red territory. If Prophet Security, Torq, and Splunk's agentic AI capabilities mature as projected, the 2027 reassessment may land Red.
What the Numbers Don't Capture
- Function-spending vs people-spending. Organisations are investing heavily in SOAR platforms and AI-driven security automation — but this investment explicitly aims to reduce the number of humans building playbooks. The market for automated security response is growing; the human share of delivering that automation is shrinking.
- Platform lock-in creates temporary protection. Organisations with large Cortex XSOAR or Splunk SOAR deployments need engineers to maintain existing playbook libraries even as the platform evolves. This creates 2-3 years of maintenance demand that the score doesn't fully capture. But this is a trailing indicator, not a growth signal.
- Title rotation. "SOAR Engineer" is already being absorbed into broader "Security Automation Engineer" and "SecOps Engineer" titles. Some of the apparent stability in job postings reflects title consolidation rather than genuine demand for playbook-specific engineering.
- Rate of AI capability improvement. Agentic AI SOC platforms improved dramatically in 2025-2026. Prophet Security cuts investigation time by 90%. Splunk's integration of agentic AI into SOAR fundamentally changes the role from "build playbooks" to "supervise AI agents." This trajectory compresses the timeline.
Who Should Worry (and Who Shouldn't)
If you primarily build playbooks in a visual editor using pre-built integrations and templates — you are closer to Red Zone than Yellow. This is exactly what agentic AI eliminates first. The SOAR engineer who drags and drops actions in a GUI builder is performing work that AI now generates from natural language prompts.
If you architect complex multi-platform automation, write custom Python integrations, design SOC operating models, and understand incident response at a strategic level — you are safer than 27.6 suggests. The engineering-heavy, architecture-focused version of this role transitions naturally into Security Automation Architect or SecOps Platform Lead.
The single biggest separator: whether you are a playbook builder or a security automation architect. Playbook builders translate IR procedures into SOAR workflows using platform features. Security automation architects design end-to-end response ecosystems, evaluate and integrate AI-driven platforms, and make strategic decisions about what to automate vs where to keep humans in the loop.
What This Means
The role in 2028: The surviving SOAR engineer is no longer building playbooks manually. They are designing the integration layer between agentic AI platforms and the broader security stack, defining escalation policies for autonomous response, and validating AI-driven investigation workflows. The title likely shifts to "Security Automation Architect" or "SecOps Platform Engineer." Manual playbook creation becomes a legacy maintenance task, not a career path.
Survival strategy:
- Move from playbook builder to automation architect. Shift focus from creating individual playbooks to designing automation strategy, platform architecture, and AI integration patterns. The human value is in deciding what to automate and how, not in building the automation itself.
- Learn agentic AI platforms. Prophet Security, Torq HyperSOC, and the AI-native features in Splunk/XSOAR represent the future. Understanding how to deploy, configure, and supervise AI agents for security response is the growth skill.
- Deepen incident response and threat knowledge. The more you understand about real-world attacks and IR workflows, the better positioned you are to validate and improve AI-driven response actions. Domain expertise in security operations becomes the differentiator as the technical automation layer gets commoditised.
Where to look next. If you're considering a career shift, these Green Zone roles share transferable skills with SOAR Engineer:
- DevSecOps Engineer (AIJRI 58.2) — Automation skills, CI/CD expertise, and Python scripting transfer directly to securing development pipelines
- Incident Response Specialist (AIJRI 52.6) — Deep understanding of IR workflows and response automation translates to crisis-driven investigation leadership
- OT/ICS Security Engineer (AIJRI 73.3) — Security automation skills applied to industrial control systems, where physical-digital convergence adds strong protective barriers
Browse all scored roles at jobzonerisk.com to find the right fit for your skills and interests.
Timeline: 2-5 years for significant role transformation. Agentic AI SOC platforms are the primary driver — the playbook-centric model is being replaced by reasoning-based automation. Engineers who evolve to architect-level survive; those who remain playbook builders face compression into Red territory.