Best Incident Response Tools

Incident response is the process of identifying a cyberattack, blocking it, and recovering from the damage that it caused. Incident response tools include support software and services that help identify a cyberattack and also those tools that automatically block attacks.

The incident response doesn’t have to be automated. However, software that independently triggers actions upon detection of an intrusion or malware activity is becoming more available. This type of incident response system is called SOAR, which stands for “Security Orchestration, Automation, and Response”.

SOAR systems connect attack identifiers through analysis utilities and on to defense systems that shut down the attack and reverse and damage that occurred. SOAR is almost synonymous with an Intrusion Prevention System (IPS). However, SOAR integrates another leading attack detection standard: SIEM.

Here is our list of the best incident response tools:

  1. SolarWinds Security Event Manager EDITOR’S CHOICE A SIEM tool that includes analysis and action triggers that make it an incident response tool. Start a 30-day free trial.
  2. UnderDefense MAXI Platform (GET DEMO) This platform is a remote Security Operations Center that will manager your cybersecurity systems for you, providing expertise for the software you already own. Access a free demo.
  3. ManageEngine Log360 (FREE TRIAL) This SIEM generates notifications to service desk systems for incident response. Runs on Windows Server. Start a 30-day free trial.
  4. AT&T Cybersecurity USM Anywhere A full cloud-based SOAR service built around AlienVault OSSIM.
  5. Splunk SOAR A coordinating service that acts as a hub for other security tools, optionally triggering responses. Runs as a virtual appliance over VMware.
  6. CrowdStrike Falcon Insight A hybrid solution that supports attack detection by coordinating event data gathered from every endpoint on a network.
  7. Exabeam A SaaS security platform that includes a SIEM, analytics, and automated incident response.
  8. LogRhythm SIEM A next-gen SIEM platform that includes user and entity behavior analytics, threat hunting, and a SOAR.

SIEM stands for “Security Information and Event Management”. It forms the detection part of SOAR and relies on two strategies: security information management, which examines log files for signs of malicious activity, and security event management, which examines traffic patterns on a network and other live indicators.

As SIEM is a major part of SOAR, the vendors of SIEM tools are at the cutting edge of SOAR, expanding their expertise into the fields of threat analysis and incident response. The other big players in the field of incident response are the producers of antivirus systems. These companies have long been in the business of seeking out malware and removing it. To provide a full incident response tool, they just need to add the defense against hacker activity and intrusion to their armory.

The best incident response tools

Although industries are often overturned by disruptive and innovative newcomers, established and experienced businesses that adapt their expertise to new techniques generally prevail. In the field of incidence response, software houses that have a strong background in cybersecurity systems offer the best incident response tools.

Our methodology for selecting an incident response system

We reviewed the market for incident response tools and analyzed the options based on the following criteria:

  • Links from detection to resolution systems
  • Coordination with access rights managers and firewalls
  • Customizable action rules
  • Action logging
  • Live status reports
  • A free trial or a demo option for a risk-free assessment opportunity
  • Value for money that is provided by an automated system at a reasonable price

Using this set of criteria, we looked for a range of incidence response services that will integrate with the security services that already operate on your network.

1. SolarWinds Security Event Manager (FREE TRIAL)

Solarwinds security event manager

SolarWinds excels at system monitoring and it approached its incident response tool development from that starting point. Despite being called the Security Event Manager (SEM), this tool is a Security Information Manager (SIM). It searches through log files to identify possible malicious activity. This puts the tool in the SIEM category of security solutions and SolarWinds has pushed the boundaries of this format to reach into incident response territory.

Key Features:

  • On-premises for Windows Server
  • Threat prioritization
  • Customizable rules
  • Integrates with Active Directory
  • Connects to firewalls

Why do we recommend it?

SolarWinds Security Event Manager is a SIEM system that is able to detect threats and then trip automated responses. The mechanism that links threat types to responses is a rule base, which sends instructions to other tools to suspend user accounts and block packets from a suspicious IP address at the firewall.

SolarWinds includes a module with SEM that is called Active Response. This is the final phase in making SEM a full incident detection and response service. The SIM detects anomalies and refines threat priorities, providing a triage service through an alerting mechanism. An alert can be left to just inform an operator who is then in a position to decide on mitigation actions. However, if Active Response is turned on, a lot of the manual labor of responding to events can be wiped out.

Active Response is a rule base of triggering events and actions – Trigger A launches Action X. Letting a system tool implement response might be considered a danger. However, those action rules are customizable and the operator can decide how far the SEM should go in running the response system. The types of actions that the SEM can launch include launching a trace, suspending a user account in Active Directory, or updating a firewall table to block access from a specific IP address. All of these actions can be reversed because they are all documented.

Who is it recommended for?

This system is an on-premises package. It collects log messages from around a site. However, it doesn’t include cloud platforms in its supervision. So, this is a good choice for a large business that mainly uses in-house services. The service is also able to implement compliance reporting.


  • Offers both incident response tools as well as automated remediation and prevention
  • Enterprise focused SIEM with a wide range of integrations
  • Simple log filtering, no need to learn a custom query language
  • Dozens of templates allow administrators to start using SEM with little setup or customization
  • The historical analysis tool helps find anomalous behavior and outliers in the network


  • SEM Is an advanced SIEM product built for professionals, requires time to fully learn the platform

The software for SolarWinds Security Event Manager installs on Windows Server. You can put it through its paces with a 30-day free trial.


With SolarWinds Security Event Manager you will never miss a security event anywhere on your network. SEM is also great for responding to threats in real time with the Active Response module where you can set rules to trigger actions. A must have tool.

Start 30-day Free Trial:

OS: Windows Server

2. UnderDefense MAXI Platform (GET DEMO)

UnderDefence SIEM - Activity on Site view

UnderDefense MAXI Platform provides the technicians to run your cybersecurity systems. This is a remote management package rather than a fully managed service because the deal doesn’t include cybersecurity software. If you don’t have a security system in place, UnderDefense will advise you on which systems to buy. If you do already have cybersecurity systems in place, the team will assess it and recommend changes where necessary. Once everything is OK, UnderDefense provides 24-hour system management for your cybersecurity protection.

Key Features:

  • Cybersecurity system assessment
  • An outsourced security operations center
  • Cybersecurity experts on call

Why do we recommend it?

UnderDefense MAXI Platform provides a team of experts rather than a specific system. The service gives you cybersecurity experts to run your security software but it doesn’t include a proprietary security package – you buy the software separately. The team will install and maintain your threat detection and response software for you.

The UnderDefense system relies on your own software purchases for threat detection. Those packages could be hosted on your own servers or subscribed to as SaaS platforms. The majority of threat detection systems are automated and need little human intervention. However, the link between detection and response does sometimes need expertise.

Modern threat detection systems use machine learning to adapt alert triggers to a business’s normal activity. This method is particularly important when guarding against insider threats and account takeovers. However, there are always borderline issues and events that require the scrutiny of a human expert.

UnderDefense experts watch over the alerts that come out of the threat detection system and can set up automated response paybooks, which will be refined over time. However, there will always be some events that defy classification and periodic analysis of past events helps the UnderDefense team come up with recommendations for system security tightening to close off a previously undiscovered blindspot.

The UnderDense team is available around the clock and the service is a custom package, so your contract will decide the exact degree of engagement that you get. For example, you can get access to an expert by phone for advice but the exact number and length of those calls is down to your service level agreement.

Who do we recommend it for?

Not all companies can afford an in-house cybersecurity team; This is because they are too small or in an area where there are no qualified applications or in a place where there is a concentration of corporations competing for those experts and driving up the wages.


  • Cost-saving outsourcing of cybersecurity support
  • Technicians on call for cybersecurity advice
  • A bespoke package that can be adapted to all sizes of businesses


  • UnderDefense needs to get full access to your systems

UnderDefense doesn’t offer IT system support packages – it is not a managed service provider. The company provides a SOC as a managed security service provider. Thus, you will still need in house staff or a contracted service to support your network, endpoints, and non-cybersecurity software. Get in touch with UnderDefense to get a demo of the MAXI Platform.

UnderDefense MAXI Platform GET DEMO

3. ManageEngine Log360 (FREE TRIAL)

ManageEngine Log360 Dashboard

ManageEngine Log360 is an on-premises SIEM that collects data from multiple systems and searches through a pool of log messages for indicators of an attack. The tool doesn’t implement response directly but sends notifications through service desk systems to get the immediate attention of system technicians.

Key Features:

  • Searches sites and cloud platforms
  • Consolidates log formats
  • Threat detection
  • Log management

Why do we recommend it?

ManageEngine Log360 is a SIEM tool with many additional functions. Those extra features include user behavior analysis Active Directory change logging, log collection and archiving, data loss prevention, threat intelligence, and automated responses. The system is able to interface with third-party tools to collect indicators of attacks and implement mitigating actions.

The Log360 package includes a library of agents – one for each operating system and also for cloud platforms, such as AWS and Azure. You install the agents on each endpoint and cloud account. It then collects all log messages from the operating system and software packages. The tool gets Windows Events from Windows systems and Syslog messages from Linux. The agents can interact with more than 700 software packages to extract operational data.

The agents forward log messages to a central log server. This converts all arriving messages into a standard format. With the logs standardized, they can be collected together in the Log360 data viewer and also in log files. The log server manages log storage, rotating files and storing them in a meaningful directory structure. This is important because logs need to be accessible for compliance auditing if you need to be certified for a data protection standard. The Log360 package includes compliance reporting for HIPAA, PCI DSS, FISMA, SOX, GDPR, and GLBA.

The dashboard shows live statistics on log message throughput and the results of the threat detection scans. The console has a data viewer that shows log messages as they arrive. It is also possible to load in a log file. The data viewer includes tools for analysis.

ManageEngine provides a threat intelligence feed that collates information about hacker attacks and intrusion events that are happening all over the world. Getting information on the current attack strategies gives the threat hunting function in Log360 a better idea of what to look for. The system deals with a large volume of data that is added to constantly and getting directions on what to look for first speeds up the threat detection process.

When the threat hunter in Log360 discovers suspicious activity, it generates an alert. You can view alerts in the dashboard but it is also possible to get them fed through to your service desk system. The tool can work with  ManageEngine ServiceDesk Plus, Jira, and Kayoko. The priority given to Log360 within your service desk system is up to the policy that you set up in the team management tool. You can decide to route Log360 alerts to specific team members and also add a priority rating.

Who is it recommended for?

This a large package and so it would be particularly suitable for a big corporation. The price tag of the system put it out of the reach of small businesses. The tool is able to collect activity records from cloud platforms as well as on-premises systems. So, companies that use AWS, Azure, Microsoft 365, or Salesforce would be particularly interested in this package.


  • Consolidates logs from many sources
  • Collects Syslog, Windows events, and application logs
  • Routes notification through service desk systems
  • Compliance reporting


  • No server software for Linux

The server for ManageEngine Log360 installs on Windows Server. You can assess the package with a 30-day free trial.

ManageEngine Log360 Start 30-day FREE Trial

4. AT&T Cybersecurity USM Anywhere

AT&T Cybersecurity USM Anywhere

Up until recently, this system security package was called AlienVault Unified Security Management. AlienVault was acquired by AT&T in 2018 and the new owners have retired the old AlienVault brand.

Key Features:

  • Cloud-based
  • Based on OSSIM
  • Proactive system hardening

Why do we recommend it?

AT&T Cybersecurity USM Anywhere is a higher, paid plan for the well-known free AlienVault OSSIM. As well as operating threat hunting, this package provides log management, vulnerability scanning, and automated responses. The tool is compatible with the free Open Threat Exchange (OTX) threat intelligence feed.

USM Anywhere is the paid version of the widely praised free open source AlienVault OSSIM – AT&T left the AlienVault name on that product. OSSIM standards for “open source security information management”. It is a widely-used SIEM tool and it forms the core of USM Anywhere.

The OSSIM section of USM Anywhere is a data gatherer and threat analyzer. The service searches through log files and scans network traffic looking for signs of malicious activity. With USM Anywhere, the system monitoring features of OSSIM are heightened with hardware and software asset discovery plus inventory management starting off the whole process. The SIEM system consolidates and files log messages, providing access to those records through a viewer that includes sorting and search facilities.

USM Anywhere adds vulnerability assessment algorithms to its network scanning routines. The asset management and vulnerability scans enable system managers to become aware of configuration weaknesses that can be dealt with in order to harden the system.

System monitoring is controlled from AT&T servers in the cloud. The service is able to protect all of the assets of a subscribing business, including multiple locations and also AWS and Azure cloud servers.

USM Anywhere is a SOAR because it includes data gathering from third-party sources, threat intelligence feeds, threat prioritization, and automated responses, which include interaction with other services, such as firewalls. The threat intelligence feed comes from the Open Threat Exchange (OTX), an AlienVault-managed, crowd-provided threat information platform.

Who is it recommended for?

USM Anywhere is comprehensive and highly respected. Consequently, it is very expensive and would only be within the budget of large businesses. Smaller companies would be advised to take a look at OSSIM instead. USM Anywhere is a cloud package but OSSIM is an on-premises package that runs as a virtual appliance.


  • Can scan log files as well as provide vulnerability assessment reports based on devices and applications scanned on the network
  • User powered portal allows customers to share their threat data to improve the system
  • Uses artificial intelligence to aid administrators in hunting down threats


  • Would like to see a longer trial period
  • Would like to see more integration options into other security tools

This is a cloud service that includes storage space and a reporting engine as well as cybersecurity services. Report templates that are formatted for data security standards are included in the package. AT&T Cybersecurity USM Anywhere is a subscription service with three editions: Essential, Standard, and Premium. The main difference between these plans lies in the data retention period. The Essentials plan doesn’t include automated incident response mechanisms or interaction with third-party utilities for orchestration.

5. Splunk SOAR

Splunk SOAR

Splunk SOAR coordinates the work of other security tools. This package is able to trigger automated responses, so it can be seen as a threat mitigation add-on for security systems that can’t launch responses themselves.

Key Features:

  • Coordinates other security tools
  • Protects on-premises and cloud systems
  • Runs as a virtual appliance

Why do we recommend it?

Splunk SOAR is a security orchestration, automation, and response package. This type of service is becoming increasingly popular because it doesn’t require you to throw away your existing security systems, such as AVs or firewalls because it interfaces with those systems to automate threat responses.

The Splunk SOAR system has a library of connectors. This enables it to interface with other tools even if those tools weren’t written to work with this SOAR system. That library includes references to 350 security tools. The package can implement 2,800 different actions by sending instructions to those other systems.

The console of Splunk SOAR includes a canvas that lets you assemble a sequence of steps. This creates a playbook. You might not be too confident about creating these rule sets but the package comes with 100 pre-written playbooks that cover the most likely threats and you can refer to these existing plans to help you create your own.

Once you have Splunk SOAR set up, it will get notifications from those connected third-party tools and automatically run a playbook to shut down that attack. The operator doesn’t really need to do anything. However, you will get a notification that a threat has been detected and action has been taken. That information is also written to a log file, which you can use for compliance reporting.

Who is it recommended for?

This is a great solution for cost-conscious established businesses who have already made an investment in security tools that they want to improve for little cost. There is a community edition that is free to use and that will appeal to small businesses but it is limited to 100 actions per day.


  • Easy-to-write playbooks for responses
  • Can implement multi-stage responses with several third-party systems
  • Squeezes value for money out of your existing security system


  • Doesn’t do anything without other tools being present

There are many SOAR systems available on the market right now. However, Splunk is a highly respected brand and this tool is one of the best SOARs available. The free Community Edition will handle up to 100 actions per day. The software for Splunk SOAR runs as a virtual appliance over a VMware hypervisor.

6. CrowdStrike Falcon Insight

CrowdStrike Falcon Insight

CrowdStrike Falcon Insight is an incident response service. This is a human-based consultancy that can be contracted to clean up after a security breach. Customers are only likely to contact that service when they find out that they have already had a security incident.

Key Features:

  • Hybrid system
  • Coordinates events on endpoints
  • Will run on offline endpoints
  • Technical response team

Why do we recommend it?

CrowdStrike Falcon Insight is a hybrid package. The core system of the Falcon solution is the on-device next-gen anti-virus system called Falcon Prevent. If you buy the Insight package every installation of Falcon Prevent acts as an agent for the threat hunter in the Insight package.

The tools that the technicians of CrowdStrike’s Incident Response team use are also marketed to businesses as part of a suite of security software, called CrowdStrike Falcon.

CrowdStrike Falcon is a security platform. It includes many elements, each of which covers a different aspect of infrastructure or service for security research. The modules in the Falcon platform all work together in order to completely protect a system.

Falcon Insight is an Endpoint Detection and Response service (EDR). This is an evolved antivirus system. However, it doesn’t replace an AV because it the Falcon suite includes a net-gen AV, called Falcon Prevent. Falcon Insight’s specialized role is to coordinate defense strategies between many endpoints on a network.

The Falcon platform combines on-premises software and a cloud-based element that creates a dual focus for security services. The installed element is what would pass for an antivirus system. The advantage of having the software installed on each endpoint is that it can continue to work even if the internet connection goes down or if there is a problem with the network. The cloud part of the service aggregates data from all endpoints on a site to create a view of network activity. Falcon Insight bridges between these two elements.

The endpoint software provides immediate protection while the central data consolidator acts as a SIEM tool, analyzing event records uploaded by the endpoint agents to look for patterns of behavior that would indicate an intrusion or some other type of system-wide attack. The central Falcon service also updates all endpoints with new detection strategies, so the coordination of many instances creates a security network.

Falcon Insight works in concert with other elements in the platform to create a SOAR. The priority task of Falcon Insight in this team project is to identify and prioritize potential threats. This is known as “triage” in incident response. It cuts mitigation time by identifying the most likely point of the activity that could spread further, enabling defense strategies to home in on the location of a new attack.

CrowdStrike markets the Falcon platform in packages. Every package includes Falcon Prevent, the next-gen antivirus system. The four plans offered by CrowdStirke are Falcon Pro, Falcon Enterprise, Falcon Premium, and Falcon Complete. Every one of these editions except for Falcon Pro includes Falcon Insight.

Overall, each element in the suite of services in the platform has its own specialist methodologies and the combination of these creates a unified security service that is stronger than the sum of its parts.

Falcon Insight combines the traditional activities of an AV and a firewall that protect a device with the data scanning features of a SIEM tool. This is an imaginative reinterpretation of pre-existing technologies that provides a hardened defense system through a platform strategy.

Who is it recommended for?

CrowdStrike Falcon is a great package because it turns all of the installations of Falcon Prevent into a unified threat detection and response system. The tool will send response instructions to Prevent and also to third-party tools. However, the system is quite pricey and too expensive for small businesses.


  • Doesn’t rely on only log files to threat detection, uses process scanning to find threats right away
  • Acts as a hybrid SIEM/SOAR product
  • Can track and alert anomalous behavior over time, improves the longer it monitors the network
  • Can install either on-premise or directly into a cloud-based architecture
  • Lightweight agents won’t slow down servers or end-user devices


  • Would benefit from a longer trial period

The Falcon plans are charged for by subscription with a rate per endpoint per month. You can get 15-day free trial of the Falcon system, although this only includes Falcon Prevent.

7. Exabeam


Exabeam is a security operations suite that is based on a SIEM. The service is hosted and so you also get the processing power and storage space on the Exabeam servers. The SIEM requires data collection agents to be installed on-site. These collect log messages and upload them to the Exabeam server. This source data is collated and unified into the Exabeam Data Lake, which is the source for both the SIEM and analytical functions in the Exabeam console.

Key Features:

  • Cloud-based
  • Implements SOAR
  • Response playbooks

Why do we recommend it?

Exabeam is a cloud-based SIEM that gathers data from a site by the installation of agents. Like most SIEM services, this system performs its threat hunting on log messages from around the network that are uploaded to the Exabeam platform. The tool also includes a user behavior analysis tool and automated responses.

The security suite includes a User and Entity Behavior Analytics (UEBA) module, called Exabeam Advanced Analytics, which is an AI-based machine learning process that examines typical activity to set a benchmark and then identify deviations from that norm.

Incident responses can be launched manually through the console, or set to run automatically through Exabeam’s SOAR mechanism. The Exabeam Incident Responder is based on “playbooks”. These are workflows that define actions to be launched on the detection of a particular event. Playbooks can also create action guidance for manual response workflows. Completion of each step in a playbook is logged, providing an audit trail for compliance reporting.

Exabeam offers good value for the money and excellent closed-loop services by combining the UEBA and SOAR systems together with the SIEM – many rival products charge separately for each module.

As it is an online service, you don’t need to worry about maintaining software. The console is accessed through any standard browser. Exabeam also offers an archiving service that can be added to an Exabeam package to hold logfile archives.

Who is it recommended for?

This package provides a lot of services and it would be a good choice for a security operations center. So, the centralized cybersecurity team for a large organization is the ideal audience for the Exabeam product. Responses are driven by playbooks, with many pre-written instances included.


  • Supports incidents response workflows, playbooks, and automation
  • Offers usefully query features for filtering large datasets
  • Can be used for compliance reporting and internal audits for HIPAA, PCI DSS, etc.
  • Offers data archiving as a service – great for companies looking to record their threat data


  • The interface could use improvement – simpler layout, better graphing, etc.

The Exabeam SaaS is available on a free trial.

8. LogRhythm SIEM

LogRhythm Dashboard

LogRhythm NextGen SIEM Platform provides modules of services to detect and shut down security threats. The system includes live monitoring tools that provide an extra service to users while also gathering information to feed into the SIEM. These are NetMon for network monitoring and SysMon for endpoint monitoring. SysMon also gathers log messages to upload to the LogRhythm server. The receiving log server is called AnalytiX.

Key Features:

  • Cloud-based
  • Uses SOAR
  • Remediation workflows

Why do we recommend it?

LogRhythm SIEM is a cloud SIEM that operates through on-site agents for data gathering. There is very little difference between this system and the Exabeam service. This package can collect log messages from cloud platforms for threat detection as well as from your sites.

AnalytiX offers a data viewer with rudimentary analysis tools such as searching and sorting. The final two modules of LogRhythm SIEM are DetectX, which is a threat hunting system, and RespondX which is a SOAR. The automated incident response services are contained in RespondX. Subscribers to LogRhythm have the option of upgrading DetectX by adding UserXDR, which is a user and entity behavior analytics system to refine anomaly detection.

RespondX, as a SOAR, is able to interact with third-party tools, such as firewalls to implement lockdown routines. The core incident response module of the SOAR is called SmartResponse Automation. This offers a workflow option that will trigger automatically according to pre-set or customized rules.

Who is it recommended for?

The cloud platform of LogRhythm allows you to centralize all of your security services in one security operations center for the whole enterprise. So, this is a solution for large, multi-site organizations and it works particularly well for those businesses that also use cloud services.


  • Uses simple wizards to setup log collection and other security tasks, making it a more beginner-friendly toolSleek interface, highly customizable, and visually appealingLeverages artificial intelligence and machine learning for behavior analysis does an excellent job at live data processing


  • Would like to see a trial option

LogRhythm is available as a cloud-based service. It can also be acquired for installation on-premises with software that runs on Windows Server. LogRhythm can also be delivered as a network appliance.

Choosing an incident response tool

A good source of incident response tools comes from SIEM suppliers who have expanded their core product to create SOAR platforms. This other main category of incident response tool suppliers lies with cybersecurity service companies that offer attack mitigation services. The technicians of these businesses developed in-house tools for their jobs and many of those also get released to the wider business community. Exploring all sources of security software, we have identified some very good options.

Incident response systems FAQs

What is the most extensively used tool in cloud incident response?

The incident response tools market is dominated by SIEM systems. In recent years, the providers of SIEM tools have moved their software to the cloud. These tools can supervise the security of multiple sites and cloud resources from one account. 

What are the 7 steps in incident response?

The seven steps of incident response are:

  1. Prepare
  2. Identify
  3. Contain 
  4. Eradicate
  5. Restore
  6. Learn
  7. Test and Repeat