If you’ve been in security operations for a while, you know how far we’ve come. Remember the days when a flood of alerts meant late nights, manual investigations, and painstaking response workflows? Those were the early chapters of Security Orchestration, Automation, and Response (SOAR). Fast forward to 2025, and the landscape looks dramatically different. Automation is no longer a side project. It has become fundamental, and artificial intelligence is taking it to new levels of efficiency.
Here at Blink Ops, we believe one metric in particular tells the story best: Time to Automation (TTA). In short, TTA measures how quickly you can turn a detection or response need into a working automated workflow: the elapsed time from the moment the need is identified to the moment the workflow is live. A lower TTA means you’re faster at adapting to threats, more efficient at responding to incidents, and better at scaling security operations across the entire organization.
Below, we’ll revisit how SOAR evolved, discuss the challenges that led many teams to look for better solutions, and explain why TTA has become such a priority in 2025.
A Brief Look Back: SOAR’s Three Generations
1. The Manual Chaos Before SOAR
Before SOAR gained traction, the typical Security Operations Center (SOC) relied on disparate tools—firewalls, antivirus software, logging systems—each generating alerts without much cross-communication. Analysts had to jump between consoles, copy and paste data, and manage long checklists by hand. This led to fatigue, extended response times, and a perpetual risk of overlooking critical details.
Key Challenges:
- Manual Investigations: Repetitive tasks (e.g., parsing logs, correlating indicators of compromise) ate up countless hours.
- Siloed Tools: Bringing data together often required scripts or spreadsheets.
- High Alert Volumes: SOC teams faced too many alerts with too few hours in the day.
2. Generation 1 SOAR: The First Attempt at Automation
As security teams struggled to keep pace, early SOAR platforms emerged. They introduced the idea of connecting tools and automating responses through scripted “playbooks.” Products such as Splunk SOAR (originally Phantom) offered a glimpse into how orchestration could reduce manual overhead.
Pros:
- Unified Workflows: Instead of juggling multiple dashboards, analysts could trigger a single automated workflow.
- Clear Value Proposition: Replacing manual steps with scripts saved time and helped eliminate small but costly mistakes.
Drawbacks:
- High Complexity: Building workflows required dedicated coding skills.
- Slow Deployments: TTA was often measured in weeks—or even months—because every new integration meant fresh scripts.
- Maintenance Burden: Frequent platform or tool updates forced constant playbook rewrites.
Still, these early-generation platforms demonstrated that automation could alleviate many headaches, providing a foundation for the next wave.
3. Generation 2 SOAR: Low-Code/No-Code Approaches
To ease the coding burden, a second generation of SOAR solutions introduced low-code and no-code interfaces. Users could design playbooks with drag-and-drop widgets, drastically cutting setup time for common tasks.
Pros:
- Reduced Coding Effort: Visual editors helped less technical team members build workflows.
- Quicker Onboarding: TTA improved, often dropping from weeks to days for straightforward use cases.
Ongoing Issues:
- Complex Integrations: Connecting to varied APIs or handling different data formats still required manual steps.
- Workflow Limitations: Teams had to carefully define each path in advance, so reacting to novel threats remained challenging.
- Learning Curve: Even with low-code, analysts had to master a new interface and keep up with ongoing changes.
4. Generation 3: AI-Driven (or AI-Enhanced) Security Automation
By 2024, advances in artificial intelligence started to reshape how security teams approached automation. We saw platforms move beyond rigid rule-based playbooks toward solutions that can interpret data, spot patterns, and make recommendations in real time. At Blink Ops, we’re part of this evolution—not just automating tasks, but helping security teams adapt workflows on the fly.
Key Shifts:
- Natural Language Descriptions: Instead of painstakingly building a workflow step-by-step, you can describe the outcome you want, and the platform suggests or creates the necessary automations.
- Adaptive Response: AI helps tailor actions by analyzing data context—no more writing code for every single if/then branch.
- Lower Maintenance: Dynamic systems handle many data-processing chores automatically, freeing teams to focus on strategic efforts.
What Drove Organizations to Embrace AI-Driven Security Automation?
1. Escalating Alert Volumes
Organizations face more alerts than ever, especially as they migrate workloads to the cloud and adopt more SaaS tools. Manual triage simply doesn’t scale. Even second-gen SOAR solutions sometimes struggled to filter out noise if the workflows weren’t meticulously maintained.
2. Faster-Evolving Threats
Modern attackers change tactics quickly. A static, rules-based approach can miss fresh techniques. Platforms that leverage AI can identify unusual behavior faster by comparing real-time data against historical baselines and threat intel feeds. This lets teams respond earlier in the attack chain, before an intrusion progresses to its later stages. The caveat is that baseline-driven detection flags what is unusual, not only what is malicious, so its output still needs tuning and analyst review.
3. Talent Shortages
Trained security professionals remain in high demand, and most teams are short-staffed. AI-enhanced automation eases the burden on these experts, handling repetitive tasks so analysts can focus on strategy, threat hunting, and deeper investigations.
4. Shorter Time to Automation (TTA) Requirements
Competition, compliance mandates, and board-level pressure force security teams to implement new detection and response workflows quickly. Weeks or months of development time are no longer acceptable. AI-driven systems promise near-immediate deployment, especially when you don’t have to manually connect every data source or script each workflow.
Why Time to Automation (TTA) Is a Key Metric
Time to Automation (TTA) is a direct reflection of how quickly your security team can respond to threats, make workflow improvements, and scale processes without being bogged down by unnecessary complexities. At Blink Ops, we treat TTA as a litmus test for overall security agility, because it reveals whether your team can shift gears quickly or remains locked into lengthy cycles.
1. Emergency Responses
Scenario: A zero-day vulnerability surfaces in a commonly used server component (think Log4j or a widely deployed Linux library). The response window narrows fast, with attackers rushing to exploit new weaknesses before security patches are widely applied.
- High TTA: If your SOC relies on specialized scripts that require a developer’s help, it might take days or weeks to assemble and test a new automated workflow. During this window, attackers have free rein to exploit the vulnerability.
- Low TTA: With a more adaptive system, you could pivot within hours—or even minutes—implementing a detection rule, isolating vulnerable systems, and alerting the SOC when specific indicators appear. This rapid turnaround shrinks the window of exposure and contains potential breaches before they do real damage. Speed cuts both ways, though: an isolation action that fires on a bad indicator can take production systems offline, so a fast workflow still needs a dry-run mode, a scoped target list, and an approval step for business-critical hosts.
2. Ongoing Improvements
Security isn’t a “set it and forget it” discipline. Threat actors adapt daily, and so must your defensive workflows. Low TTA ensures you don’t let new ideas stagnate on a wishlist because each change would be too time-consuming.
- Shorter Feedback Loops: When TTA is low, your team can test new detection rules, see how well they perform in practice, and refine them quickly. This iterative cycle keeps your security posture fresh and adaptive.
- Fewer Bottlenecks: Many organizations rely on a small set of specialized engineers to update complex workflows. With an easier-to-use, AI-driven approach, more team members can introduce changes. This shared responsibility spreads knowledge and enhances readiness across the board.
3. Resource Utilization
One of the biggest pain points in traditional security operations is the sheer volume of manual work—like maintaining JSON configurations, writing custom scripts, or converting logs from multiple formats. These tasks might keep the lights on, but they don’t directly contribute to higher-value initiatives like threat hunting or strategic planning.
- High TTA: Analysts spend excessive time dealing with tedious tasks, leaving them little room to explore new threats or conduct deeper investigations.
- Low TTA: By shrinking the development overhead, your security experts can dedicate more energy to proactive measures, such as hunting for advanced persistent threats or refining incident triage processes. The overall effectiveness of your SOC rises, and job satisfaction often improves when experts can focus on challenging, intellectually stimulating work instead of repetitive chores.
4. Innovation and Collaboration
A less obvious but crucial benefit of low TTA is that it encourages innovation within the security team. If building or modifying a workflow is as simple as typing a request in plain English or dragging pre-built functions into a canvas, people at all skill levels can contribute ideas.
- Empowered Analysts: Junior staff or those without a coding background can propose and implement automation ideas. This inclusivity often sparks creative solutions to persistent security problems.
- Cross-Functional Alignment: Different departments—like DevOps, compliance, or IT—can also plug into automation efforts without needing a translator in the form of a dedicated scripting guru. Everyone benefits from consistent, transparent processes that adapt quickly when circumstances change.
5. Measuring TTA Over Time
An additional layer to consider is how you measure TTA across different workflows. Some processes—like phishing triage—are straightforward, while others might involve multiple layers of approval and integration (e.g., automated insider threat detection that ties into HR systems). Tracking TTA for each workflow type can highlight potential friction points in your operations.
- Continuous Improvement: By periodically evaluating TTA, you can identify recurring roadblocks—like outdated APIs, cumbersome approval processes, or complex compliance constraints. Addressing these issues systematically will shrink TTA over the long term.
- Organizational Maturity: As TTA improves, it usually indicates that your broader security culture is becoming more mature: people are aligned, tools integrate well, and new ideas flow freely.
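The per-workflow TTA tracking described above is easy to put into practice once you record two timestamps per automation request: when the need was raised and when the workflow went live. The following script is an added illustration and is not Blink Ops code; the workflow types, timestamps and the 24-hour target are constructed for the example. It computes TTA in hours per record, summarizes median and 90th percentile per workflow type, and lists the types whose p90 exceeds the target, which is where the friction points are.

```python
from __future__ import annotations

import math
import statistics
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AutomationRecord:
    """One automation request: when the need was raised and when it went live."""
    workflow_type: str
    requested_at: str  # ISO 8601 timestamp
    deployed_at: str   # ISO 8601 timestamp


# Constructed sample data for the example (not real measurements).
SAMPLE_RECORDS = [
    AutomationRecord("phishing_triage", "2025-01-06T09:00:00", "2025-01-06T13:00:00"),
    AutomationRecord("phishing_triage", "2025-01-13T10:00:00", "2025-01-13T16:00:00"),
    AutomationRecord("phishing_triage", "2025-01-20T09:30:00", "2025-01-20T11:30:00"),
    AutomationRecord("insider_threat_hr", "2025-01-07T09:00:00", "2025-01-21T09:00:00"),
    AutomationRecord("insider_threat_hr", "2025-02-03T09:00:00", "2025-02-12T09:00:00"),
    AutomationRecord("zero_day_isolation", "2025-01-15T08:00:00", "2025-01-15T14:00:00"),
    AutomationRecord("zero_day_isolation", "2025-02-20T08:00:00", "2025-02-22T08:00:00"),
]


def tta_hours(rec: AutomationRecord) -> float:
    """Time to Automation for one record, in hours."""
    start = datetime.fromisoformat(rec.requested_at)
    end = datetime.fromisoformat(rec.deployed_at)
    if end < start:
        raise ValueError(f"deployed before requested: {rec}")
    return (end - start).total_seconds() / 3600.0


def percentile(values: list[float], pct: float) -> float:
    """Nearest-rank percentile; pct in (0, 100]."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100.0 * len(ordered)))
    return ordered[rank - 1]


def summarize(records: list[AutomationRecord]) -> dict[str, dict[str, float]]:
    """Per workflow type: count, median TTA and p90 TTA (hours)."""
    by_type: dict[str, list[float]] = {}
    for rec in records:
        by_type.setdefault(rec.workflow_type, []).append(tta_hours(rec))
    return {
        wf: {
            "count": len(hours),
            "median_h": statistics.median(hours),
            "p90_h": percentile(hours, 90),
        }
        for wf, hours in by_type.items()
    }


def friction_points(summary: dict[str, dict[str, float]], target_h: float) -> list[str]:
    """Workflow types whose p90 TTA misses the target, sorted by name."""
    return sorted(wf for wf, s in summary.items() if s["p90_h"] > target_h)


if __name__ == "__main__":
    summary = summarize(SAMPLE_RECORDS)
    for wf, s in summary.items():
        print(f"{wf:20s} n={s['count']:2d} median={s['median_h']:7.1f}h p90={s['p90_h']:7.1f}h")
    print("over 24h target:", friction_points(summary, target_h=24.0))
```

Using p90 rather than the mean keeps one fast phishing playbook from masking the two-week turnaround on an HR-integrated workflow; the types this script lists are the ones to investigate for stale APIs or approval chains.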
TTA in a Nutshell
- High TTA = Slow to deploy new or updated workflows → Delayed responses, higher risk, and frustrated teams
- Low TTA = Fast to automate tasks → Swift reactions, more time for strategic projects, and a security posture that evolves in lockstep with emerging threats
Rethinking Security Workflows at Blink Ops
While we respect the foundations laid by earlier SOAR platforms, we at Blink Ops believe security automation should feel intuitive and adapt at the speed of business. That’s why we focus on:
- Language-Based Workflow Creation: Our approach lets you specify a goal in plain text. Instead of building logic blocks for each step, you outline what you need—like “Look for suspicious user account activity and lock the account if triggered”—and Blink Ops handles the details.
- Adaptive Detection: We integrate machine learning models that check for behaviors deviating from normal patterns. This isn’t about layering on complicated rules; it’s about giving your team real context so you can decide what’s worth investigating further.
- Low Maintenance, High Flexibility: We’ve seen firsthand how frequently SOC environments change, whether from new tool deployments or updated compliance requirements. Our aim is to cut the busywork of re-coding or re-configuring. By offloading much of the heavy lifting to an AI-driven backend, your team can focus on refining strategy rather than maintaining brittle scripts.
- Collaboration at Scale: Automation shouldn’t be locked behind the skillset of a single developer. By lowering technical barriers and providing straightforward workflows, we want everyone—from Tier-1 analysts to SOC managers—to contribute. This collective input leads to quicker, more thorough automation.
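The plain-text request quoted above, “Look for suspicious user account activity and lock the account if triggered,” hides several decisions that any automated version has to make explicit: what counts as suspicious, how to avoid locking the same account twice, and which accounts must never be locked without a human. The following playbook is an added illustration written for this page; it is not Blink Ops code and does not show how the platform implements the request. The log format, the rule (five failed logins within ten minutes followed by a success from an IP not in the user’s baseline), the per-user baseline and the break-glass list are all constructed assumptions.

```python
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample auth log (not real data). Line format assumed for the example:
#   <iso-ts> user=<name> ip=<src> result=<success|failure>
SAMPLE_LOG = """
2025-03-03T09:00:01 user=alice ip=10.0.0.5 result=success
2025-03-03T09:01:00 user=bob ip=203.0.113.7 result=failure
2025-03-03T09:01:05 user=bob ip=203.0.113.7 result=failure
2025-03-03T09:01:10 user=bob ip=203.0.113.7 result=failure
2025-03-03T09:01:15 user=bob ip=203.0.113.7 result=failure
2025-03-03T09:01:20 user=bob ip=203.0.113.7 result=failure
2025-03-03T09:01:30 user=bob ip=203.0.113.7 result=success
2025-03-03T09:05:00 user=bob ip=203.0.113.7 result=success
2025-03-03T09:10:00 user=carol ip=10.0.0.9 result=failure
2025-03-03T09:10:05 user=carol ip=10.0.0.9 result=failure
2025-03-03T09:10:10 user=carol ip=10.0.0.9 result=failure
2025-03-03T09:10:15 user=carol ip=10.0.0.9 result=failure
2025-03-03T09:10:20 user=carol ip=10.0.0.9 result=failure
2025-03-03T09:10:30 user=carol ip=10.0.0.9 result=success
2025-03-03T11:00:00 user=svc-backup ip=198.51.100.2 result=failure
2025-03-03T11:00:05 user=svc-backup ip=198.51.100.2 result=failure
2025-03-03T11:00:10 user=svc-backup ip=198.51.100.2 result=failure
2025-03-03T11:00:15 user=svc-backup ip=198.51.100.2 result=failure
2025-03-03T11:00:20 user=svc-backup ip=198.51.100.2 result=failure
2025-03-03T11:00:40 user=svc-backup ip=198.51.100.2 result=success
"""

# Assumed per-user IP baseline (e.g. the last 30 days of successful logins).
KNOWN_IPS = {"alice": {"10.0.0.5"}, "bob": {"10.0.0.6"}, "carol": {"10.0.0.9"}}


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    src_ip: str
    outcome: str  # "success" or "failure"


@dataclass
class PlaybookConfig:
    failure_threshold: int = 5
    window: timedelta = timedelta(minutes=10)
    known_ips: dict[str, set[str]] = field(default_factory=dict)
    # Accounts that are never locked automatically; a human approves instead.
    break_glass: frozenset[str] = frozenset({"svc-backup"})


def parse_line(line: str) -> AuthEvent:
    ts_str, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return AuthEvent(datetime.fromisoformat(ts_str), fields["user"], fields["ip"], fields["result"])


def evaluate(events: list[AuthEvent], cfg: PlaybookConfig) -> list[dict]:
    """Return the actions the playbook would take, in order. No side effects:
    the caller decides whether to execute them (dry run) or hand them to an IdP."""
    recent_failures: dict[str, deque[datetime]] = defaultdict(deque)
    already_handled: set[str] = set()  # idempotency: one action per account per run
    actions: list[dict] = []
    for ev in sorted(events, key=lambda e: e.ts):
        failures = recent_failures[ev.user]
        while failures and ev.ts - failures[0] > cfg.window:
            failures.popleft()  # drop failures outside the sliding window
        if ev.outcome == "failure":
            failures.append(ev.ts)
            continue
        burst = len(failures) >= cfg.failure_threshold
        unseen_ip = ev.src_ip not in cfg.known_ips.get(ev.user, set())
        if burst and unseen_ip and ev.user not in already_handled:
            kind = "request_approval" if ev.user in cfg.break_glass else "lock_account"
            actions.append({
                "action": kind,
                "user": ev.user,
                "ip": ev.src_ip,
                "at": ev.ts.isoformat(),
                "reason": f"{len(failures)} failures within {cfg.window} then success from unseen IP",
            })
            already_handled.add(ev.user)
        failures.clear()  # a success resets the burst counter
    return actions


def run_playbook(log_text: str, cfg: PlaybookConfig) -> list[dict]:
    events = [parse_line(ln) for ln in log_text.strip().splitlines() if ln.strip()]
    return evaluate(events, cfg)


if __name__ == "__main__":
    for action in run_playbook(SAMPLE_LOG, PlaybookConfig(known_ips=KNOWN_IPS)):
        print(action)
```

On the sample log, bob is locked (burst plus an IP outside his baseline), carol is left alone (her burst ends with a success from a known IP, which looks like a forgotten password), bob’s later success does not generate a second lock, and the svc-backup account is routed to a human because it is on the break-glass list. Keeping `evaluate` free of side effects is what makes the workflow safe to test against historical logs before it is allowed to touch the identity provider.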
Looking Ahead to 2025 and Beyond
We foresee more organizations expecting near-instant automation as part of their standard operating procedures. Threat actors continually refine their methods, and detection must keep pace. That’s why we remain focused on:
- Deeper AI Models: There’s always room to improve how we identify subtle anomalies or piece together seemingly unrelated events into a coherent threat narrative.
- Broader Integrations: As companies adopt new tools and infrastructure, connecting them seamlessly to a security automation platform is essential for keeping TTA low.
- Human-AI Partnership: Ultimately, the best outcomes come when analysts and AI collaborate. Machines excel at processing massive data sets; humans excel at interpreting nuances and making judgment calls.
Final Thoughts
Security automation is about fundamentally rethinking how teams handle threats in a fast-moving and unpredictable environment. Early SOAR platforms introduced the idea of orchestration, but they often brought complexity and rigid workflows. More recent low-code and AI-powered tools demonstrate that automation can be more intuitive, adaptive, and less dependent on specialized coding.
At Blink Ops, we view these changes as part of a broader shift—one that frees security professionals to focus on analysis and strategy, rather than wrestling with cumbersome software. Rather than seeing AI-driven automation as the “next version” of SOAR, we see it as an entirely new approach that emphasizes flexibility, ease of use, and rapid response when new threats appear.
Ultimately, it’s clear that legacy playbooks and high-maintenance frameworks can’t keep up with today’s threat landscape. By embracing simpler, more intelligent automation practices, security teams can proactively defend their environments, detect emerging risks sooner, and spend more time on what truly matters—staying one step ahead of attackers, instead of constantly playing catch-up.