top of page

SOAR Engineering Services

SOAR Playbook Development and Consulting

Most security teams do not need more automation. They need automation they can trust. RDX Enterprise provides SOAR consulting and engineering services for teams that want playbooks built the way production software is built: designed on paper first, reviewed by humans, tested against real incident data, and shipped with an audit trail.

â–ª  Playbooks developed and hardened on Cortex XSOAR, Splunk SOAR, and Tines

â–ª  API integrations that connect your SIEM, EDR, and ITSM stack

â–ª  Approval gates in front of every action that could change your environment

RDX is a veteran-owned, SBA-certified SDVOSB based in Clayton, North Carolina. Every engagement follows one principle: Human-led. Agent-assisted. Evidence-proven.

SOAR Playbook Development That Holds Up in Production

A playbook that works in a demo and a playbook that works at 2 a.m. during a real incident are different things. RDX engineers start with your actual incident types, map the decision points a human analyst would make, then build SOAR playbooks that automate the repetitive work while keeping people in control of the calls that matter.
â–ª  Phishing triage, endpoint containment, credential compromise, alert enrichment
â–ª  Custom API integrations: Microsoft Sentinel, Splunk, CrowdStrike, VirusTotal, ITSM and EDR
â–ª  Error handling, timeout logic, and rollback paths most quick-start playbooks skip
â–ª  Documentation, test cases, and a change log your team can maintain after we leave
The goal is not more automation. It is automation your analysts trust enough to actually use.

Approval Gates, Guardrails, and Evidence You Can Show an Auditor

Most incident response automation consulting starts with speed. Ours starts with control. Automation that can disable accounts, isolate hosts, or block domains needs the same controls you would put on any privileged user. RDX builds those controls into the playbook itself. Approval gates route high-impact actions to a named human before they execute. Guardrails set hard limits on what a playbook can touch, in which environments, and how many times. Every automated step writes to an evidence trail: what fired, what data it saw, who approved it, and what changed. That record matters when an auditor asks how a containment decision was made, or when leadership asks why an account was locked. This is the working meaning of our principle, Human-led. Agent-assisted. Evidence-proven. Analysts stay in charge of judgment calls. Automation handles the volume. And the record proves both. If your current playbooks execute privileged actions with no approval step and no audit trail, that is the first thing we fix.

Playbook Sprawl Cleanup, Migration, and Multi-Platform Work

Most SOAR environments we see are two or three years old and carry the scars: dozens of half-finished playbooks, integrations nobody owns, hardcoded credentials, and automations that fire but nobody fully trusts. RDX runs a structured cleanup.
â–ª  Inventory what exists, test what works, retire what does not
â–ª  Consolidate duplicates into maintained, documented playbooks
â–ª  Migrate platforms by rebuilding logic deliberately, not porting problems
â–ª  Recommendations driven by your environment, not any vendor relationship
Cortex XSOAR is a product of Palo Alto Networks. RDX Enterprise is an independent engineering firm and is not affiliated with or endorsed by Palo Alto Networks. You get an engineering opinion, not a sales motion.

Use Case

Representative engagement (an illustrative scenario, not a claimed contract or past performance): picture a regional financial services company that has run its SOAR platform for three years. Forty-one playbooks exist in the platform. The security team trusts about six of them. Phishing triage works, but host isolation was switched to manual after an automation once quarantined a domain controller, and nobody can show an auditor who approved past containment actions. RDX would run this as a four-week engagement. Week one is inventory and testing: which playbooks fire, which error silently, which duplicate each other. Weeks two and three are consolidation, rebuilding the twelve playbooks that matter with approval gates on every containment action and evidence logging on every step. Week four is handoff: documentation, test cases, and a working session with the analysts who will own the playbooks. The team goes from forty-one playbooks to fourteen. More importantly, host isolation goes back on automation, because now a human approves each isolation and the record proves it.
 

Frequently Asked Questions

Which SOAR platforms does RDX work with?

RDX engineers build and harden playbooks on Cortex XSOAR, Splunk SOAR, and Tines, and on ServiceNow where it serves as the SOAR layer, and we build API integrations with the tools around your SOAR: Microsoft Sentinel, Splunk, CrowdStrike, VirusTotal, and the rest of your SIEM, EDR, threat intelligence, and ITSM stack. The engineering discipline is platform-independent, and so are we. Cortex XSOAR is a product of Palo Alto Networks, and RDX has no reseller or partnership relationship with any SOAR vendor, so our platform recommendations are based on your environment and your team, nothing else.

What does human-led incident response automation mean in practice?

It means a person stays accountable for every consequential decision. Enrichment, deduplication, ticket creation, and data gathering run automatically because they are reversible and low-risk. Actions that change your environment, disabling an account, isolating a host, blocking a domain, pause at an approval gate until a named analyst signs off. The playbook logs the request, the approval, and the result, so there is a defensible record of who decided what. Analysts get their time back without giving up control, and your leadership gets evidence instead of assurances.

Can our team maintain the playbooks after the engagement ends?

That is the design goal. Every playbook we deliver comes with documentation, test cases, and a change log, and we run handoff sessions with the analysts who will own the work. If your team wants to go deeper, RDX also runs RDX Academy, a SOAR Engineer Program that trains people in the same playbook development and governance practices we use in engagements. We would rather leave you with a team that can extend the automation than build a dependency on us. Ongoing support is available when you want it, not required.





 

bottom of page