HyperSOC-2o: The Game-Changing, Analyst-Validated Autonomous SOC

IDC, Gartner, and Cyber Research Analyst Francis Odum validate Torq HyperSOC-2o for establishing the important building blocks for achieving the autonomous SOC.

The autonomous SOC is here. It is no longer a distant reality, it’s not a pipe dream, and it’s certainly not just another cybersecurity buzzword. According to IDC’s latest report exploring the evolution from generative AI to agentic AI in cybersecurity, the autonomous SOC is “heaven on earth…everyone should want it.” 

And with the release of Torq HyperSOC-2o, now everyone can have it.  

WTF is HyperSOC-2o? 

HyperSOC-2o is the latest release of Torq HyperSOC™ — our most autonomous model to date and the first truly agentic SecOps platform. 

Torq HyperSOC™ was first released in April 2024 as a purpose-built solution that harnesses the power of the AI-driven Torq Hyperautomation™ platform to automate, manage, and monitor critical SOC responses at machine speed. At the time of initial launch, IDC had this to say: 

“Every day, IDC is engaged with SOC professionals who communicate the existential challenges they’re facing, both in terms of keeping up with ever-escalating threat complexity and volume, and the incredible burden that places on the shoulders of their teams.

Torq HyperSOC is the first solution we’ve seen that effectively enables SOC professionals to mitigate issues including alert fatigue, false positives, staff burnout, and attrition. We are also impressed by how its AI augmentation capabilities empower these staff members to be much more proactive about fortifying the security perimeter.”

Chris Kissel, Vice President, Security & Trust Products, IDC Research, Achieving Machine Speed Detection and Response  

A lot has changed since HyperSOC was first released, but SOC challenges remain the same. In a recent Emerging Techscape for Detection and Response Startups report, Gartner notes that as cybersecurity threats grow in volume and complexity, SOC teams continue to experience increasingly heavy workloads. While the surge in AI-supported threats demands more resources, more attention, and puts significant pressure on SOC teams to respond to threats effectively, Gartner says “AI agents are emerging as a critical solution to enhance efficiency, reduce burnout, and enable teams to focus on strategic initiatives.” 

SOC teams are still struggling to keep up with increasingly complex threats, utilizing the limited resources available to them. According to IDC’s report, “Agentic AI is the next step toward a more autonomous SOC, but there must also be a bridge where local decisions have to become extensible to the greater network.” That bridge is HyperSOC-2o. 

The Need for the Autonomous SOC

SOCs have been using AI, machine learning (ML), and large language models (LLMs) to collect information, assess risk, and prioritize alerts for some time now. These common GenAI use cases perform the first stages of security event triage, enabling security teams to interact with and guide investigations through a natural language interface — significantly reducing the detection and response time to alerts. So why do we need the autonomous SOC?

An AI-influenced SOC, supported by a GenAI digital assistant, is still reliant on the ability and capacity of a human analyst to instruct and guide remediation actions. While security automation plays a significant role in the real-time response to these threats at machine speed — certainly faster than a human analyst could triage, investigate, and respond without GenAI augmentation — the truth is that GenAI and automation alone are still a reactive security posture. 

What good are AI-driven, triaged, enriched, and prioritized comprehensive security cases that sit there waiting for a human to press the big red remediate button, if SOC analysts are still drowning in so-called “high priority” alerts? AI is supposed to reduce a SOC analyst’s workload, not create more manual tasks to watch over and approve. 

Moving from the Aspirational to the Inspirational in SOC Processes

Agentic AI is different. The IDC report explains that “[agentic AI] can solve problems, adapt to its environment, and make complex decisions based on goals and available information. It does this in real time without constant human supervision. Agentic AI is self acting and self deterministic.” The promise is that agentic AI will become as effective on the prevention side as its GenAI predecessor has become in detection and response.

“By 2026, AI will increase SOC efficiency by 40% compared with 2024 efficiency, beginning a shift in SOC expertise toward AI development, maintenance and protection. AI and ML are revolutionizing proactive defense security by adding preemption and enhancing detection and response capabilities.”

Gartner, Emerging Tech: Techscape for Detection and Response Startups, March 2025

IDC goes on to state that the next leap towards the autonomous SOC is fusing the MTTD and MTTR improvements of GenAI with the human-like decision making of agentic AI to produce the following improved SOC outcomes:

  • Agentic AI becomes the mastermind of every incident: AI agents will handle over 95% of manual case triage, investigation, and enrichment without requiring constant human intervention — shifting from human-in-the-loop to human-on-the-loop. This supervisory model means humans will get involved much later in the case management lifecycle, if at all — likely only when the AI agent deems a case critical enough to require human oversight. 
  • The incident detection and response life cycle will have embedded compliance and governance: Blackbox decision making from AI solutions does not suffice. Agentic AI records the deterministic logic and reasoning behind its decision-making in real-time for a security case, reducing the manual burden and risk of human error associated with case management documentation today. 
  • The threat detection and response life cycle greatly improves a company’s proactive cybersecurity posture: The three key pillars that define agentic AI and allow it to solve complex problems and make human-like decisions are semantic memory, episodic memory, and procedural memory. As a result, agentic AI can apply what it’s learned from managing similar incidents in the past to improve future response processes and adapt to the latest emerging threats.
  • Fully automated responses will be nearly ubiquitous in the SOC: AKA… achieving the autonomous SOC. Together, GenAI and agentic AI will eliminate 95% of Tier-1 security tasks as most SOC processes become fully automated. 

Agentic AI has enormous potential in security operations because of its ability to process and solve problems like a human SOC analyst. Alone, however, agentic AI still isn’t enough to achieve autonomy — Hyperautomation becomes the key to holding it all together. To truly achieve the autonomous SOC, security teams must use agentic AI to combine and contextualize relevant security event data in an instant, then leverage Hyperautomation to take remediation action as quickly as possible, without the delay of human intervention. 

“Torq’s Hyperautomation capabilities can help improve the efficacy of security teams now and with an eye to the future. Hyperautomation is a type of glue logic that binds static entities, such as logs, directories, and applications, creating usable correlations for observation, detection and response, and remediation. Torq is working on all SOC fronts while improving MTTD, MTTR, threat hunting, and remediation actions impactfully. The agentic AI architecture is disruptive.”

Chris Kissel, Vice President, Security & Trust Products, IDC Research

The unique combination of GenAI, agentic AI, and Hyperautomation is why IDC recognizes Torq alone to have established the most important building blocks needed to achieve the autonomous SOC. 

HyperSOC-2o: Achieving the Autonomous SOC

Last week Torq announced HyperSOC-2o — the world’s first truly autonomous SOC. 

This latest version of Torq HyperSOC™ expands Torq’s Multi-Agent System (MAS) by incorporating cutting-edge Retrieval Augmented Generation (RAG) technology into existing agentic AI functionality. RAG allows Torq AI Agents to reference massive amounts of data and produce extremely specific outputs that are highly contextual, continuously improving in accuracy and enabling game-changing deep research capabilities. 

Socrates, the agentic AI SOC Analyst, sits at the helm of HyperSOC-2o, acting as an OmniAgent responsible for controlling and collaborating with four new RAG-enabled micro-agents. These agents are trained in specific areas of expertise and capable of using sophisticated iterative planning and reasoning to solve complex, multi-step problems autonomously. The four micro-agents are:

  • Runbook Agent: Plans highly customized agentic threat investigations and responses based on its ability to learn from past incident outcomes, recognize similar attack patterns, and adapt to emerging threat vectors.
  • Investigation Agent: Uncovers hidden attack patterns across disparate data sources, performs detailed root cause analysis, and accurately assesses threat impact to help HyperSOC-2o effectively prioritize responses.
  • Remediation Agent: Takes action across the security stack either completely autonomously, or by intelligently escalating critical cases for human-in-the-loop remediation, reducing MTTR and enabling SOC analysts to trigger complex actions at machine speed.
  • Case Management Agent: Delivers faster access to real-time and historical data through AI-generated case summaries, enabling more accurate threat identification, dynamic case prioritization, and streamlined decision-making by eliminating irrelevant noise.

Think of Socrates like the head coach of a football team. The head coach is surrounded by specialists — an offensive coordinator, a defensive coordinator, a special teams coordinator, assistant coaches, and so on. While it is the head coach’s responsibility to make the final play calls on game day, they rely heavily on their specialists to study the opponent’s game film, design the plays, and make real-time adjustments on the fly. 

This is exactly how Socrates operates. When a case is assigned to Socrates for auto-remediation — Socrates calls on the Runbook Agent to formulate the most efficient investigation and response strategy. When a SOC analyst asks Socrates to analyze the observables of a case — Socrates employs the Investigation Agent to correlate third-party threat intelligence and find the relevant event data.

And when a threat needs immediate containment, Socrates works through the Remediation Agent to trigger the appropriate hyperautomation workflow — whether that is using CrowdStrike to isolate an endpoint, Okta to reset a password, or Abnormal to remove a phishing attack from an end user inbox.

“Torq HyperSOC makes the potential of AI in a SOC attainable and sustainable by connecting AI with the SOC’s full range of tools and processes. With Torq HyperSOC, you can automate more than 95% of Tier-1 analyst tasks and significantly reduce the burden on existing SOC teams. Torq HyperSOC is a huge game-changer for enterprises.”

Francis Odum, Software Analyst, Cyber Research

Don’t Just Change the Game — Flip the Gameboard

In security, the odds are always stacked against the defender. The attacker has the element of surprise, access to the same AI and security tooling, and room to fail over and over and over again — biding their time until that one successful breach. 

To stay ahead, we need to empower SOC teams to act as quickly, accurately, and proactively as they possibly can. HyperSOC-2o gives teams that fighting chance — leveraging AI agents and Hyperautomation to reduce investigation times by up to 90%, increasing the SOC’s capacity to handle 3-5x more alerts with no added headcount, and remediating over 95% of security threats — completely autonomously. 

Dive deeper into IDC’s exploration of agentic AI as the next leap in the autonomous SOC.

Torq HyperSOC™ is the First Autonomous SOC Platform with Native Model-Context Protocol (MCP) Support

Innovation in cybersecurity technology, particularly in security operations, is advancing at an incredible pace. The past few months have seen a surge in announcements of Agentic AI solutions and SOC Analyst AI Agents, transforming the landscape rapidly. At Black Hat USA 2023, Torq pioneered this space by introducing Socrates, the first AI Agent SOC Analyst. This highlights the remarkable acceleration of AI adoption in cybersecurity and the significant advancements made in a relatively short period.

Socrates, our Agentic AI SOC Analyst, has been up and running for a solid year and a half, which is pretty impressive for this kind of tech. It’s dealing with thousands of real security issues every hour for major companies. Since the initial release of Socrates, Torq has expanded our agentic AI portfolio by launching a comprehensive Multi-Agent System (MAS), as well as the latest version of Torq HyperSOC™ powered by Retrieval-Augmented Generation (RAG) technology.  

Even as new entrants jump on the AI-in-SOC bandwagon, Torq continues to push the envelope — Socrates keeps learning and evolving, and Torq remains steps ahead in the Autonomous SOC space.

Today, Torq is proud to announce another ‘first’ in the Autonomous Security Operations field: the first platform to support a Model-Context Protocol (MCP) natively in its architecture. This groundbreaking advancement unlocks a new realm of possibilities in security operations, enabling powerful and exciting outcomes that were previously unattainable. By integrating MCP into its core framework, Torq is paving the way for more intelligent, adaptive, and efficient security solutions, setting a new standard for the industry. 

Torq as a Model-Context Protocol Host: Endless Extensibility

Torq HyperSOC-2o acts as a Model-Context Protocol Host, meaning it can natively interface with MCP servers to both fetch context and execute actions. The flexibility of MCP makes integrations with corporate systems and cloud services more agile than ever. 

Your AI agent isn’t operating with a fixed toolbox — it can seamlessly tap into real-time data sources, internal databases, SaaS applications, cloud workloads, and more, all through standardized MCP connections. This extensibility ensures your autonomous SOC is always armed with the most up-to-date information and capabilities, leading to more intelligent and effective security operations.

Today, during the early days of Model-Context Protocol adoption, most MCP Servers available for use require self-hosting, making it extremely important to provide enterprise-grade security for the transport and access layers in order to benefit from the capabilities without compromising the underlying data or operations.

Torq provides unique benefits by leveraging the secure communications infrastructure it already uses for scalable Hyperautomation of hybrid cloud environments.

Torq platform natively extends its automation and orchestration capabilities to become Model-Context Protocol hosts, allowing access to both self-hosted and cloud-hosted MCP servers in an intelligent and secure manner.

The schematic above depicts how the Torq platform natively extends its automation and orchestration capabilities to become a Model-Context Protocol host, allowing access to both self-hosted and cloud-hosted MCP servers in an intelligent and secure manner.

Key advantages of Torq’s native MCP Host capability include:

  • Real-Time Contextual Awareness: AI-driven investigations can pull in live context (user details, asset data, threat intel, etc.) exactly when needed, rather than relying on stale or predefined inputs. This leads to smarter decisions and fewer false positives.
  • Unlimited Extensibility: Thanks to MCP’s open standard, any new tool or data source that supports MCP can be plugged into your SOC workflows instantly. Torq HyperSOC-2o transforms into a plug-and-play powerhouse, adapting as your environment evolves.
  • Faster, Smarter Response: Dynamic context enables higher-fidelity alerts and faster root-cause analysis. Early users have seen significant improvements in detection precision and response times, cutting down the investigative workload on analysts.
  • Enterprise-Grade Security: All MCP interactions through Torq are encrypted, authenticated, and audited. You can safely connect to self-hosted knowledge bases or third-party MCP services, confident that communications meet your security and compliance standards.

Torq as an MCP Server: New Ways to Access Your Processes

Torq’s native Model-Context Protocol architecture opens up an exciting paradigm where Torq workflows, steps, and integrations can be securely utilized as tools and actions within other MCP Hosts. This enables a significant increase in productivity for both security professionals and information workers across the organization. 

By providing secure, managed, and monitored organizational processes as context to external LLM applications such as Claude Desktop and various IDEs, Torq facilitates seamless integration and enhances the capabilities of these platforms. This approach ensures that sensitive organizational processes are handled with the utmost security while empowering users with advanced AI-driven functionalities.

Imagine an organization embracing self-service processes for various IT and Security functions as a means for increasing organizational efficiency. Torq Hyperautomation has been the hub for such activities since its inception, and now these processes can be accessed in a completely new way, through the organization’s chosen and adopted AI tools.

Torq MCP Server provides access from the organization’s chosen AI tools to Torq workflows, steps, and integrations, increasing the efficiency of leveraging various organization-approved security operational practices natively.

The schematic above depicts how a Torq MCP Server provides access from the organization’s chosen AI tools to Torq workflows, steps, and integrations, increasing the efficiency of leveraging various organization-approved security operational practices natively.

For example, a security analyst using a chatbot interface like Anthropic’s Claude or a developer working in an IDE with an AI coding assistant can simply ask their AI agent to perform a task, “Hey AI, scan this newly reported IP across our logs and threat intel sources.” Behind the scenes, the AI agent invokes a Torq workflow (exposed via MCP) that conducts a multi-step investigation across all your tools, then returns the result directly into the chat or IDE. The person didn’t need to switch consoles or manually run any script; the AI, powered by Torq, handled it instantly.

Torq HyperSOC-2o makes this scenario a reality by providing a secure, managed, and monitored way for external AI applications (from chatbots to SIEMs to custom AI assistants) to leverage your organization’s existing Torq automations as first-class actions. Importantly, all of this is done with the utmost security and control. 

Torq’s permissioning and audit logs extend into the MCP domain, ensuring that any action an external AI triggers is authorized and tracked. Your sensitive processes remain protected, even as they become more accessible and useful to your teams via AI. 
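As an added illustration of the control point described above (authorization and an audit record for every action an external AI triggers), here is a toy MCP-style tool gateway. This is not Torq's code: the tool name `scan_ip`, the caller identities, and the workflow stub are constructed; only the JSON-RPC shape (`tools/list`, `tools/call` with `name` and `arguments`) follows the MCP specification.

```python
"""Toy MCP-style tool gateway: authorize, validate and audit every tools/call.

Constructed example. Tool names, caller identities and the workflow stub are
hypothetical placeholders, not a vendor API. The request shape (JSON-RPC 2.0,
method "tools/call" with params {"name", "arguments"}) follows the MCP spec.
"""
import ipaddress
import json
from datetime import datetime, timezone


def scan_ip_workflow(ip: str) -> dict:
    # Stub standing in for a multi-step investigation across log and
    # threat-intel sources; returns a constructed, empty result set.
    return {"ip": ip, "hits": 0, "sources": ["constructed-log-source"]}


# Tools exposed by the gateway, each wrapping one automation workflow (assumed).
TOOLS = {
    "scan_ip": {"handler": scan_ip_workflow, "required": ["ip"]},
}

# Per-caller allowlist: which authenticated principals may call which tools.
# Deny by default: a caller not listed here can call nothing.
ALLOWLIST = {
    "analyst-claude-desktop": {"scan_ip"},
    "dev-ide-assistant": set(),  # may connect, may not invoke any tool
}

# Append-only audit trail; a real deployment would ship this to the SIEM.
AUDIT_LOG: list[dict] = []


def _audit(caller: str, tool, args, outcome: str) -> None:
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "caller": caller, "tool": tool, "args": args, "outcome": outcome,
    })


def _error(req_id, code: int, message: str) -> dict:
    return {"jsonrpc": "2.0", "id": req_id,
            "error": {"code": code, "message": message}}


def handle_request(caller: str, raw: str) -> dict:
    """Dispatch one JSON-RPC request from an already-authenticated caller.

    Order matters: resolve the tool, check authorization, then validate
    arguments, so that unauthorized callers never reach argument parsing
    or the workflow, and every path leaves an audit entry.
    """
    req = json.loads(raw)
    req_id, method = req.get("id"), req.get("method")

    if method == "tools/list":
        # Only advertise the tools this caller is allowed to use.
        allowed = ALLOWLIST.get(caller, set())
        visible = [{"name": n} for n in TOOLS if n in allowed]
        return {"jsonrpc": "2.0", "id": req_id, "result": {"tools": visible}}

    if method != "tools/call":
        return _error(req_id, -32601, "Method not found")

    params = req.get("params", {})
    name, args = params.get("name"), params.get("arguments", {})

    if name not in TOOLS:
        _audit(caller, name, args, "unknown-tool")
        return _error(req_id, -32602, "Unknown tool")

    if name not in ALLOWLIST.get(caller, set()):
        _audit(caller, name, args, "denied")
        return _error(req_id, -32000, "Caller not authorized for this tool")

    missing = [k for k in TOOLS[name]["required"] if k not in args]
    if missing:
        _audit(caller, name, args, "invalid-params")
        return _error(req_id, -32602, f"Missing arguments: {missing}")

    if name == "scan_ip":
        # Reject malformed input before it reaches the workflow.
        try:
            ipaddress.ip_address(args["ip"])
        except ValueError:
            _audit(caller, name, args, "invalid-params")
            return _error(req_id, -32602, "ip is not a valid IP address")

    handler = TOOLS[name]["handler"]
    result = handler(**{k: args[k] for k in TOOLS[name]["required"]})
    _audit(caller, name, args, "ok")
    return {"jsonrpc": "2.0", "id": req_id,
            "result": {"content": [{"type": "text", "text": json.dumps(result)}]}}


if __name__ == "__main__":
    # Constructed request: the "scan this newly reported IP" ask from the text.
    call = json.dumps({"jsonrpc": "2.0", "id": 1, "method": "tools/call",
                       "params": {"name": "scan_ip",
                                  "arguments": {"ip": "203.0.113.7"}}})
    print(handle_request("analyst-claude-desktop", call))
    print(handle_request("dev-ide-assistant", call))  # denied, still audited
    print(json.dumps(AUDIT_LOG, indent=2))
```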

In short, Torq as an MCP server turns the AI tools your team already uses into powerful gateways for your automated SOC workflows — dramatically increasing efficiency and accessibility without sacrificing security.

Security Operations Data as MCP Resources

The above examples of Torq’s innovation in natively adopting the Model-Context Protocol framework are just the beginning. The potential of MCP resources and prompts opens up an exciting avenue for creating native user experiences for navigating and analyzing security events and case data. By leveraging MCP, any AI tool can be transformed into a powerful threat hunting and digital forensics orchestration environment, providing unparalleled capabilities for security professionals. This advancement allows for deeper insights and more effective responses to security incidents, significantly enhancing an organization’s overall security posture.

Consider what this could mean: Analysts will be able to navigate and analyze security events through natural language via their AI assistants, with Torq feeding the relevant data on demand. An AI agent could correlate an ongoing incident with past cases, highlight patterns, or even suggest remediation steps by drawing from your organization’s entire trove of security knowledge — all in seconds, all within the AI’s conversational or analytical environment. 

This kind of seamless, context-rich interaction provides unparalleled capabilities for security professionals. It leads to deeper insights, more proactive threat hunting, and ultimately more effective responses to incidents. By breaking down data silos and making institutional knowledge available in real time through MCP, Torq HyperSOC-2o significantly enhances an organization’s overall security posture. It’s not just about doing things faster; it’s about empowering humans and AI to collaborate on tasks that were previously impossible.

Stay Tuned: This is Just The Beginning 

“An analysis of the history of technology shows that technological change is exponential, contrary to the common-sense intuitive linear view”, said Ray Kurzweil in “The Law of Accelerating Returns” in 2001. Almost a quarter of a century later, this statement, which in itself can be seen as a generalization of Moore’s Law from 1965, is being proven true time after time.

Torq’s journey with AI and automation in security is a testament to this acceleration. We went from conceptualizing an AI SOC analyst to having one in production within months, and now to enabling an open protocol that can fundamentally change how AI systems interact with security tools and data. And we’re far from done. 

Torq HyperSOC-2o’s introduction of native Model-Context Protocol support is just the first chapter in an exciting new era of autonomous security operations. Torq will continue to innovate and lead as technology races forward, ensuring our customers stay ahead of the curve. We are privileged to be part of this revolution – and we’re committed to driving it.

Stay tuned for more updates as we continue to expand what’s possible in the SOC. The future of security operations is unfolding now, and with Torq, you’re not just witnessing it — you’re leading it alongside us. Let’s embrace this future together and redefine what a truly autonomous SOC can achieve.

All Gas, No Brakes: The Autonomous SOC Revolution is Here

The era of static playbooks and reactive security is over. A new generation of AI-driven security operations is emerging — one that combines cloud-native scale with intelligent, agentic automation to redefine how Security Operations Centers (SOCs) work. 

As CEO of Torq, I’ve had a front-row seat to this transformation. In speaking with countless CISOs and analysts, one theme rings loud and clear: We can’t fight modern threats with yesterday’s tools. SOC teams today are wilting under an onslaught of alerts and “busywork,” creating an existential crisis in security operations. It’s time for a bold leap forward.

Leading the Charge: Torq HyperSOC-2o and the Revrod Leap

Earlier this month, we took a decisive step into the future by launching Torq HyperSOC-2o, fresh on the heels of our acquisition of Revrod — a stealth-mode Israeli AI startup with advanced multi-agent AI expertise. This move isn’t just about adding features; it positions Torq at the forefront of the autonomous SOC revolution. 

Torq HyperSOC-2o is built around a comprehensive OmniAgent that can identify, prioritize, and remediate threats across the entire organization. By integrating Revrod’s cutting-edge multi-agent RAG (Retrieval-Augmented Generation) technology, we’ve supercharged our platform’s ability to do deep research, planning, and generative reasoning in the SOC. In plain terms: HyperSOC-2o can analyze threats and coordinate responses with near-human-level insight and precision at machine speed.

This isn’t hype — it’s happening now. Torq was recently named an “AI Startup to Watch” by Business Insider, recognizing the momentum and innovation behind our approach. With Revrod’s team now part of Torq, that momentum accelerates. 

“Torq is at least 18 months ahead of the pack in delivering true autonomy for security operations.”

I can confidently say Torq is at least 18 months ahead of the pack in delivering true autonomy for security operations. Revrod’s technology “fundamentally changes what’s possible in a SOC,” and by weaving it into HyperSOC-2o, we’re giving our customers the ability to operate faster and smarter than ever. In demos at RSA Conference, attendees will see firsthand that the autonomous SOC isn’t a distant vision — it’s here, and Torq is leading it.

Beyond Legacy SOAR: A Generational Leap in SOC Automation

To understand why this leap matters, consider the tools many SOCs have relied on until now: legacy SOAR platforms like Palo Alto’s Cortex XSOAR (Demisto), Splunk Phantom, or Siemplify. These systems were pioneering in their day, but they were built for a different era and a different scale. Traditional SOAR demanded extensive coding and constant maintenance to keep up with new threats and systems. 

In contrast, Torq HyperSOC is built on an agentic architecture where AI agents actively collaborate, reason, and take initiative across the full security stack. We’ve developed an OmniAgent that can orchestrate a team of specialized AI agents, each with its own focus area, dynamically working together like a human SOC team.

Compared to the rigid, one-track automations of legacy SOAR, Torq’s multi-agent brain represents a generational leap. It’s the difference between a scripted assistant and an autonomous colleague. It auto-calibrates its response playbooks and tools on the fly to mitigate threats faster and more accurately than any static playbook could.

Inside Torq HyperSOC-2o: AI Agents on the Front Lines

Rather than a monolithic black box, Torq HyperSOC-2o is an ensemble of intelligent agents working in concert — a “virtual SOC team” that never gets tired. Here’s a closer look at the AI agents powering HyperSOC-2o:

  • Investigation Agent — Performs deep-dive investigations in seconds, uncovering hidden patterns across disparate data sources and tools to pinpoint root causes and assess threat impact.
  • Case Management Agent — Gathers real-time and historical data, organizes case timelines, highlights key indicators, and reprioritizes incidents based on evolving information.
  • Runbook Agent — Autonomously executes and adapts incident response runbooks with institution-specific knowledge built-in.
  • Remediation Agent — Executes remediation actions autonomously, closing the loop with verifiable outcomes, operating in orchestrated or human-in-the-loop configurations.

Together, these agents function as an AI-powered SOC unit: ingesting alerts, investigating, collaborating, and remediating as a cohesive intelligence.

Real Results: Faster Responses, Greater Scale, Happier Analysts

Fortune 500 companies have already deployed Torq’s agentic SOC platform. In early deployments, organizations saw:

  • Up to 90% reduction in investigation time.
  • 3–5× increase in alert handling capacity with no added headcount.
  • 95%+ of Tier-1 security tasks automated.
  • Significant improvements in key SOC KPIs like MTTR (mean time to respond).

Security leaders can now shift from a reactive stance to a proactive strategy. They can spend more time on strategic initiatives because the AI agents have their backs on the front lines.

The Road Ahead: How AI Agents Will Redefine Cybersecurity Operations

The introduction of intelligent, collaborative AI agents into the SOC is not just an incremental improvement — it’s a tectonic shift. Security operations will never be the same.

Organizations will be able to achieve a level of security posture and responsiveness previously limited to only the most well-staffed enterprises — not by hiring armies of analysts, but by deploying intelligent agents that work like armies of analysts.

The autonomous SOC is here, and it’s here to stay.

The Fast Eat the Slow: AI Adoption for Survival in Modern Cybersecurity

John Quinsey, regional director at Torq

John Quinsey (also known as “JQ”) is a regional director at Torq with 25 years in software and SaaS sales, solving business problems with disruptive technologies. He firmly believes AI has the power to revolutionize modern security operations.

Just five years ago, the average dwell time for a ransomware attack was seven months. Today, it’s five days and shrinking. Lateral movement breakout times have also accelerated significantly, dropping from 62 minutes to 48 minutes, with the fastest recorded breakout happening in just 51 seconds.

Why? Among other reasons, the bad guys are now leveraging AI to increase both the speed and breadth of their attacks. To put it bluntly, they’ve gotten a hell of a lot faster — and SOCs are struggling to keep up.

Don’t Play Checkers While Attackers Play Chess

Security teams today face an overwhelming number of alerts, many of which result from harmless Internet activity. With countless alerts pouring in daily, identifying the real threats becomes incredibly difficult, and serious vulnerabilities can go unnoticed amid the noise. This is where AI in the SOC comes in. 

AI has become essential for detecting and stopping sophisticated threats at scale. By rapidly filtering out irrelevant traffic, an AI SOC analyst can give human analysts a clear head start. Capable of tirelessly sifting through millions of data points, auto-remediating the majority of Tier-1 alerts, and intelligently escalating critical cases, an AI SOC analyst enables human analysts to tackle high-priority threats in real time.

This combination of AI-driven anomaly detection and response with human-led investigation for critical events is essential in today’s cybersecurity landscape, where attackers are constantly evolving their tactics. Relying on traditional methods to defend your organization against a modern attack is akin to playing checkers while the bad guys play chess. 

The Early Adopter Advantage in the Age of AI

A few years ago, embracing an early adopter mindset in IT and security operations was considered risky, a gamble on unproven technology. Today, AI adoption in the SOC has become a necessity to combat existential threats. Organizations that are slow to adopt AI run the risk of being eaten alive.

The new cutting edge in AI for SecOps is agentic AI, a paradigm shift that empowers autonomous SOC operations. Agentic AI can coordinate specialized AI agents to autonomously handle cases, build workflows, write case summaries and reports, transform data, and more. 

Making the shift to an early adopter mindset for AI in SecOps involves more than just deploying new tools. It requires investment in training so that security teams are equipped to leverage AI effectively and responsibly. It also requires a strategic approach to building trust in AI systems through transparency, explainability, and guardrails, ensuring that AI-driven decisions are reliable and aligned with organizational objectives.

‘The Best Practical Use of AI From Any Vendor’

Torq has GenAI and agentic AI embedded throughout our platform. We use it to help with integrations, to help build workflow automations, and to improve the quality of life of human analysts. By automating routine tasks and providing enriched insights, AI adoption in the SOC frees human analysts to focus on the most critical threats, enabling faster and more effective responses.

I was recently on a call with the CISO at a Fortune 500 company that has been a customer for over a year. She said, and I quote, “Torq has the best practical use of AI I’ve seen from any vendor.” 

Ready to turbocharge your SOC with AI so you don’t get eaten alive? Get the AI or Die Manifesto to learn how to deploy AI the right way, so your SOC — and the humans in it — survive.

Evolution Equity Partners’ Portfolio Companies Tackle a Cyber Crisis

Patrick Orzechowski (also known as “PO”) is Torq’s Field CISO, bringing his years of experience and expertise as a SOC leader to our customers. PO is a seasoned security veteran with a deep understanding of the modern security landscape. You can find him talking to SOC leaders and CISOs from major brands at cybersecurity events around the world.

I recently took part in a cyber crisis simulation event which showcased Evolution Equity Partners’ portfolio companies and made Torq’s real-world value strikingly clear.

The simulation presented a realistic scenario: a data breach at a fictional wealth management firm, with the attack’s progression followed through detection, investigation, response, and resolution. Participating companies included Torq, Sweet Security, Oleria, Halcyon, and Cytactic.

This cyber simulation reinforced the need for proactive security: automation, robust identity management, and agile cloud response. It also underscored the importance of having a crisis management system in place for simulating a live event — so when the inevitable happens, all teams, stakeholders, and external parties that need to be involved in resolving a major incident are included from the beginning.

A Cyber Crisis Simulation Unfolds

1. Detecting the Impossible Alert

The initial attack vector in the simulation was a compromised credential, first identified by an “impossible journey” detection in Torq’s AI-native Hyperautomation platform. Torq identified the impossible travel from authentication logs that contained the geographic source of each login.

The targeted financial services company had several layers in place to detect and respond to these types of attacks, so the incident was kicked off through the initial case management system in Torq. 

Through its AI-powered automated response capabilities, Torq’s platform triaged, enriched, and investigated the alert, ultimately determining that it required escalation.

Inside Torq’s platform, this event could then be tracked by the SOC throughout the incident lifecycle until being handed off to Legal, PR, and potentially cyber-insurance and external incident response partners. 
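As an added illustration, not part of the original post or of Torq’s platform, the detection logic behind an “impossible journey” alert can be reduced to a speed check between consecutive logins of the same user; the authentication records, coordinates and speed threshold below are constructed for the example.

```python
import math
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample authentication records (not real log data): each login
# carries the user, a UTC timestamp and the geographic source of the request.
SAMPLE_AUTH_LOG = [
    {"user": "j.doe", "ts": "2024-05-01T09:00:00Z", "lat": 40.7128, "lon": -74.0060, "city": "New York"},
    {"user": "j.doe", "ts": "2024-05-01T09:45:00Z", "lat": 51.5074, "lon": -0.1278, "city": "London"},
    {"user": "a.lee", "ts": "2024-05-01T08:00:00Z", "lat": 37.7749, "lon": -122.4194, "city": "San Francisco"},
    {"user": "a.lee", "ts": "2024-05-01T14:30:00Z", "lat": 34.0522, "lon": -118.2437, "city": "Los Angeles"},
]

EARTH_RADIUS_KM = 6371.0
# Assumed threshold: faster than a commercial airliner means the same person
# could not physically have produced both logins. Tune per environment.
MAX_PLAUSIBLE_SPEED_KMH = 1000.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp format used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_impossible_travel(events, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Return one alert per pair of consecutive logins (same user) whose implied
    travel speed exceeds max_speed_kmh. Events may arrive in any order."""
    by_user = defaultdict(list)
    for event in events:
        by_user[event["user"]].append(event)

    alerts = []
    for user, logins in by_user.items():
        logins.sort(key=lambda e: parse_ts(e["ts"]))
        for prev, cur in zip(logins, logins[1:]):
            distance_km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (parse_ts(cur["ts"]) - parse_ts(prev["ts"])).total_seconds() / 3600.0
            if hours <= 0:
                # Simultaneous logins from two different places are impossible too.
                speed_kmh = math.inf if distance_km > 0 else 0.0
            else:
                speed_kmh = distance_km / hours
            if speed_kmh > max_speed_kmh:
                alerts.append({
                    "user": user,
                    "from": prev["city"],
                    "to": cur["city"],
                    "distance_km": round(distance_km, 1),
                    "elapsed_hours": round(hours, 2),
                    "speed_kmh": round(speed_kmh, 1),
                    # Severity here is a constructed mapping, not a Torq setting.
                    "severity": "high" if speed_kmh > 3 * max_speed_kmh else "medium",
                })
    return alerts


if __name__ == "__main__":
    for alert in find_impossible_travel(SAMPLE_AUTH_LOG):
        print(alert)
```

On the constructed data, only j.doe is flagged: New York to London in 45 minutes implies roughly 7,400 km/h, while a.lee’s San Francisco to Los Angeles trip over six and a half hours is well under the threshold.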

2. Confronting the Extortion

After the initial attack, it was determined that the user did in fact access sensitive information contained in an S3 bucket, which was detected by Sweet Security’s unified detection and response platform. 

Once the attacker procured the data, they sent an extortion threat letter to the company which included screenshots of contracts and other sensitive information. At this point, management had to:

  • Decide whether or not to disclose the breach
  • Determine whether or not the breach was “material”
  • Assess if they need to contact their customer base. 

From there, Oleria’s identity security platform discovered the attacker had gained access to an insecure SharePoint site but had only accessed a limited amount of sensitive data. It was determined that the SharePoint site needed to be secured and, due to the limited data exposure, a negotiation team was brought in. They then found that the attacker was attempting to move laterally through the company’s systems.

3. Stopping Ransomware Escalation

From there, the company deployed Halcyon’s ransomware defense solution to determine if ransomware was active. Halcyon successfully detected and blocked infections on the systems where it was installed, but the attacker was able to begin encryption on systems where it was not.

The company then engaged Halcyon’s Professional Services to attempt to decrypt what the attacker was encrypting without having to pay for the keys.

Minimal Damage, Maximum Defense

In the end, the company was able to handle the incident without a breach disclosure and with minimal impact to customer operations. This event could have been much worse if the financial services company had not already deployed advanced detection and response capabilities within its security stack.

  • Torq streamlined detection and initial investigation through SOC automation and integration with the entire security stack.
  • Sweet Security correlated alerts and prevented exfiltration attempts in the cloud.
  • Oleria uncovered user account activities and assessed breach scope.
  • Halcyon blocked ransomware escalation and secured endpoints.
  • Cytactic enhanced tracking and decision-making capabilities for incident response.

Learn how Torq and Sweet Security operationalize cloud security automation >

Building Cyber Resilience through Proactive Simulation

This “impossible journey” simulation demonstrated the critical importance of establishing effective cybersecurity strategies and deploying innovative security solutions.

Proactive cyber crisis simulations enable businesses to build resilience and minimize the impact of potential attacks by:

  • Identifying vulnerabilities
  • Improving mean time to detect and respond
  • Testing incident response plans
  • Improving decision-making under pressure
  • Understanding the impact of cyberattacks
  • Facilitating learning and continuous improvement

Want to learn more about leveling up your SOC’s automation and autonomous response capabilities? Read the SOC Automation Pyramid of Pain.

Operationalize Data Security Automation with Cyera and Torq

Data is the critical foundation for all organizations, powering innovation, decisions, and growth. It’s also the fastest-growing attack surface, with sensitive information scattered across clouds, on-premise servers, and SaaS platforms. 

Cyera, the leader in modern data security, provides rich visibility into sensitive data down to its DNA level, providing vital context, identifying data risks and vulnerabilities, and delivering SOC teams a clear map of their data attack surface.

Once data insights are uncovered, SOC teams must take swift and consistent action. Torq’s platform operationalizes Cyera’s data security intelligence, organizing remediation and policy enforcement with machine-speed efficiency. Together, Cyera and Torq enable SOCs to protect sensitive data and intellectual property quickly, precisely, and accurately.

Solving Data Security’s Greatest Challenges 

Today’s landscape has opened a paradox. Organizations rely on data for business to thrive, yet the more data is generated, the harder it is to secure. Sensitive information is being spread everywhere, stored in cloud buckets, shared across SaaS apps, and accessed by a growing number of users and systems. SOC teams are tasked with protecting this sprawling landscape, but the sheer volume of alerts and manual processes makes it nearly impossible to keep up.

Cyera cuts through this noise, giving teams a clear view of what sensitive data exists, where the data lives, who (or what) has access to it, and the risks the data faces. Cyera’s approach is rooted in clarity — mapping the attack surface and delivering insights needed to protect critical assets.

This is where Torq comes in. By integrating with Cyera, Torq automates the actions required to secure data, eliminating inefficiencies and enabling SOC teams to instantly respond to data risks.

Data Security Automation at Work

When Cyera identifies a risk, such as an exposed cloud storage bucket or an anomalous data transfer, Torq acts immediately to execute tailored workflows, automating everything from remediation to stakeholder notifications. Here’s how Cyera and Torq work together: 

Comprehensive Data Discovery: Cyera scans your environment to identify sensitive data, classify it, and assess its risk profile.

Real-Time Insights: When Cyera detects an anomaly or identifies a risk, it triggers an event and passes the data insights along to Torq.

Automated Orchestration: Torq picks up the baton, automatically launching workflows tailored to the specific alert, whether that’s notifying the right stakeholders, enforcing security controls, or triggering remediation actions.

Continuous Improvement: Cyera and Torq enable SOC teams to refine processes iteratively, reducing noise and improving response efficiency over time.

For example:

  • Cyera flags a misconfigured cloud storage bucket as containing sensitive PII. Torq automatically executes a remediation workflow, closing the bucket’s exposure and notifying relevant teams.
  • Cyera identifies an anomalous data transfer from a high-risk location. Torq not only alerts analysts but also enriches the alert with context and executes automated containment actions.

Cyera and Torq: Better Together

What makes Cyera and Torq a revolutionary pair is the shared commitment to scalability, speed, and precision. Cyera’s intelligence provides a clear path forward, while Torq delivers the power to act quickly and precisely.

Everyone in cyber knows speed is no longer optional. Manual processes simply can’t keep up with the breakneck pace of today’s security landscape. Torq and Cyera together turn hours of work into seconds, automating everything from alert triage to remediation. Cyera provides 95% precision classification, while data security automation workflows from Torq ensure every response is consistent, reliable, and error-free, even under the pressure of an escalating incident.

As your organization grows, so do your risks. Cyera and Torq scale effortlessly, adapting to evolving needs and protecting data across clouds, SaaS platforms, and beyond.

Elevate Your SOC

The integration of Cyera and Torq sets the new standard for what SOC teams can achieve with data security automation. By combining Cyera’s data-first approach with Torq’s automation expertise, organizations gain the tools to move faster, act smarter, and confidently secure data. 

Request a demo today to see how Cyera and Torq can transform your SOC.

How to Turn a SOAR Migration into SOC Transformation

SOAR is dead-dead (too inflexible, too complex, and too limited on integrations) — but it’s not quite buried in some SOCs where it’s only hanging on because migrating can feel daunting when mission-critical workflows are tied to the system.

AI-driven Hyperautomation from Torq is the SOAR killer. Our team has helped major enterprises from every industry make the switch, quickly and easily, to achieve true SOC transformation.

We chatted with Mark Carosella, Sr. Sales Engineer at Torq, to hear firsthand what surprises new Torq customers the most when they pull the plug on their SOAR and learn what it is about Torq that makes migrating from legacy SOAR not just fast, but also transformative.

1. Don’t Just Switch Platforms — Optimize

One of the first — and most striking — realizations for companies logging into the Torq platform for the first time is just how easy it is to build SOC workflow automations. For those who previously used code-heavy automation tools and had to manage thousands of lines of Python, Torq’s intuitive, drag-and-drop workflow designer and AI workflow builder is game-changing — enabling security teams to build and deploy Hyperautomated workflows faster than ever before. Users can also test each step of their workflow in real-time, gaining instant feedback and making adjustments on the fly.

With Torq, even customizing integrations with APIs or configuring various data sources becomes accessible to those without advanced dev skills, by using AI agents with expert coding logic and syntax for script writing, CLI, and data manipulation.

When migrating existing workflows to Torq, the ease of use and robust scalability of the platform provides the opportunity to do things that simply weren’t possible with legacy SOAR. To escape tech debt and inefficient and outdated processes, Torq encourages new customers to think beyond a “lift and shift” mentality so they can optimize SOC processes, rather than replicating them exactly as they were. The result is a true SOC transformation, not just a platform change.

The Torq team has seen it all and has a vast store of expertise and experience to recommend best practices for optimizing security processes. Torq Hyperautomation makes it much simpler to combine traditional workbooks into seamless workflows that take advantage of the platform’s strengths, such as AI-driven remediation and dynamic case management.

Most Torq customers are able to consolidate security processes during the migration — achieving the same outcomes with significantly fewer and much more efficient automations.

2. Reclaim Control Over Your Security Stack

During Torq Proof of Concepts (POCs), new users consistently highlight the same recurring challenges with their legacy SOAR platforms: limited integrations and difficulty connecting to essential data within existing tech stacks. This often forced their teams to resort to extensive, time-consuming Python coding, a painful and difficult-to-scale process. 

In contrast, Torq enables rapid, limitless integrations. Companies can connect their entire security stack in record time by using AI to generate integrations in seconds, or they can maintain granular control with draggable, low-code or full-code capabilities. Even if your third-party API or data format changes (a recipe for disaster in legacy SOAR platforms), real-time API monitoring ensures none of your integrations are at risk of breaking, so your stack always stays connected for uninterrupted automation. 

In one example Mark shared, a customer needing specific SIEM technology functions — which were previously inaccessible through their SOAR platform — achieved their goal in minutes by simply copying an API command into Torq’s intuitive workflow builder canvas, eliminating the need to wait months for a team to develop custom code to create the connection.

3. Accelerate Adoption and Time-to-Value 

“Whenever we talk to customers or to the folks that are POCing Torq and getting into the platform for the first time, there’s one word that comes up in every single engagement: intuitive.”

Mark Carosella, Sales Engineering Manager, Torq 

Building security automation workflows in Torq’s drag-and-drop and AI-assisted interface is highly intuitive, which means teams quickly grasp the fundamentals to get up and running during onboarding. Mark shared that within a day or two, new users are often independently building custom automation workflows. This can feel like a major “aha” moment for users who came in with the perception of automation as a complex, code-heavy experience in legacy SOAR platforms. 

One Torq user shared, “My favorite thing about Torq is that concepts go from my head to a working reality in just a few hours, instead of a few weeks, largely in part to the no-code functionality.”

This ease of use empowers any user, regardless of their coding skills, to rapidly implement workflows and adapt their security operations, accelerating time to value.

Transform Your SOC: Get the SOAR Migration Guide

If you’re ready to finally pull the plug on your SOAR, get the Kill Your SOAR Migration Guide to plan ahead. It covers the big picture of what you need to know going into a migration, plus a migration success story from a leading security company, advice from a SOC manager who made the switch, and the top 3 POC use cases. 

With Torq, your migration isn’t just about switching platforms — it’s an opportunity to transform your security operations.

Ready for SOC transformation? Get the Kill Your SOAR migration guide.

SANS Survey: 5 Security Challenges Keeping SOCs in the Dark

The 2024 SANS Detection and Response Survey sheds new light on some all-too-familiar security challenges: security operations teams are overwhelmed with alerts, struggling to respond fast enough, and tracking the wrong KPIs. Sure, automation adoption is increasing (64% of organizations now leverage it in some capacity), but most SecOps teams are still operating in slow, reactive, and heavily manual environments.

Five Security Challenges Faced by SecOps Teams

1. Security teams are stuck in semi-automation mode.

Most security operations teams think they have automated response mechanisms, but they’re really just babysitting inefficient, semi-automated workflows. The SANS Survey data shows that while 64% of teams have automated response mechanisms in place, less than a quarter have fully automated their processes. That means the vast majority still rely on analysts to manually intervene and execute responses.

2. Slow response times are leaving organizations exposed.

Speed matters. Attackers are betting you’ll take a while to respond to threats. SANS found that a whopping 32.8% of teams take hours to respond to threats, and 41.4% say they respond within minutes. In today’s reality, even minutes can be too slow. Recent data shows that lateral movement breakout times dropped from 62 minutes to 48 minutes, with the fastest recorded breakout happening in just 51 seconds. If a response takes more than a minute, the damage may already be done. 

3. Alert fatigue and data overwhelm are killing security team productivity.

It’s loud in the SOC. More than half of security teams say false positives are a huge problem, and 62.5% are overwhelmed by sheer data volume. Every second spent triaging junk alerts is a second not spent investigating real threats — meaning SOCs are burning through their most precious and expensive resource: human focus. Analysts’ expertise is critical for threat investigation and response, yet most of their time is wasted manually sorting through thousands of low-value alerts that should’ve been filtered out in the first place. This wastes time, burns out analysts, and, worst of all, lets real threats slip through. 

4. Security teams are still tracking the wrong KPIs.

The most surprising part of the survey responses is that more than 50% of security teams aren’t even tracking KPIs like Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR). Instead, they’re tracking vanity metrics like the number of incidents detected — or, worse, they don’t have enough data to measure their own efficiency. Without the right data, SOC teams cannot optimize performance or reduce response times.

5. SOAR is holding teams back.

SOAR was supposed to be the answer to security automation… right? The majority of respondents use SOAR for threat response, but half still rely on manually running commands to respond to threats. This proves what we at Torq already know: SOAR hasn’t lived up to its promise. SOAR platforms were supposed to automate security workflows, but most teams still struggle with slow response times, rigid playbooks, and high maintenance overhead.

The Fix: An Autonomous SOC Powered by AI-Driven Hyperautomation

The answer to these existential security challenges isn’t manually tuning SOAR, tweaking detection rules hoping something works, or hiring more analysts (Be real: Where are you even finding them? The SANS Survey found the majority of security teams struggle with lack of skilled personnel). The real fix is an autonomous SOC powered by AI-driven Hyperautomation: a SOC that invests in AI and automation to eliminate inefficiencies, take action at machine speed, and, ultimately, shorten response times.

Comparison table showing how an autonomous SOC fixes 5 key security challenges.

1. Go autonomous. 

Ditch the scripts, stop the manual tuning, and let AI take over. An autonomous SOC removes the need for engineers to build, maintain, and tweak workflows with extensive coding. Instead, teams can simply describe a workflow, use case, or outcome using natural language to guide agentic AI as it implements workflows to secure the organization faster than ever before. An autonomous SOC can handle 95% of Tier-1 cases — allowing security teams to focus on critical, high-impact threats, rather than babysitting outdated playbooks or struggling with the limitations of rigid SOAR architectures.

“With Torq Agentic AI, the answer is yes to questions such as: Are analysts happier? Are they sticking around? Do they have time to focus on more interesting and complex investigations? Are MTTM and MTTR lower? Torq Agentic AI extends and enhances our team so it can make better decisions more quickly — resulting in stronger security all around.” 

– Mick Leach, Field CISO, Abnormal Security  

2. Slash response time.

With SOC automation, alerts don’t sit in a queue waiting for an analyst to take action. AI-driven Hyperautomation instantly takes action to investigate alerts, enrich cases, and contain threats — isolating infected endpoints, disabling compromised accounts, and blocking malicious infrastructure before damage is done. Unlike SOAR’s static playbooks, an autonomous SOC leverages AI to tirelessly and intelligently analyze and remediate massive volumes of security incidents, shrinking response times from hours to seconds.

3. Eliminate alert fatigue.

AI Agents don’t just process alerts — they triage and prioritize them. AI-powered SOCs use sophisticated planning and contextual reasoning to filter out low-fidelity alerts, suppress false positives, and escalate only the alerts that matter. Analysts no longer have to sift through thousands of useless alerts — AI handles the noise so teams can focus on critical security risks.

4. Track the right KPIs.

An autonomous SOC should be able to measure security response and provide visibility into operations. Instead of requiring analysts to manually track and compile data, AI can capture and log detection times, response actions, and remediation speeds automatically. SOC leaders finally get a clear picture of what’s working, where bottlenecks exist, and what to optimize.

5. SOAR is dead. Ditch it.

SOAR is simply too slow, rigid, and high-maintenance to keep up with modern SOC demands. An autonomous SOC doesn’t rely on pre-scripted playbooks — it builds, executes, and adapts automation dynamically, all in natural language. With AI-driven Hyperautomation, security teams move faster than attackers, not the other way around. See the difference.

It’s time to move past the limitations of SOAR and slow, reactive security operations. Take your SOC autonomous — learn how easy it is to switch to AI-driven Hyperautomation from Torq.

Combating Ransomware, Phishing, and Zelle Fraud at Financial and Bank SOCs

Banking and financial services companies sit on a goldmine of sensitive customer data, making them a prime target for phishing and ransomware attackers hoping to strike a payout. 

Even with defenses like MFA and security training, human error continues to be a critical point of failure for financial institutions — a 2024 report found that 3 out of every 1000 individuals working in banking click on a phishing link each month. This stark reality of risk highlights the industry’s urgent need for more proactive, automated security processes.

Below, we break down the top financial and bank SOC use cases for security Hyperautomation and cover how a major regional bank successfully reinstated Zelle services by automating account lockdowns for fraud alerts.

The Automation Imperative in Finance and Bank Security Operations

Two of the most common — and critical — security operations priorities for CISOs we’ve talked to at banks and financial services companies are to:

  • Mitigate risk by quickly responding to, containing, and remediating attacks.
  • Maintain materiality by focusing on the most important security issues that could cause the biggest problems and by being able to accurately assess when a cybersecurity incident requires SEC reporting.

Achieving these requires reducing Mean Time to Respond (MTTR), ensuring swift and effective remediation, and gaining visibility across all identities and security assets. However, manual processes, a jungle of spreadsheets, and siloed data compound operational challenges at financial and banking organizations. 

To modernize their financial and bank SOCs, forward-thinking CISOs are embracing Hyperautomation as a way to unify their security stack and automate incident response. Integrating solutions like ServiceNow or Snowflake with Torq’s AI-driven Hyperautomation platform can provide a single source of truth and streamline security operations for a stronger security posture and greater visibility across the SOC. 

Top 5 Bank SOC Challenges Solved by Hyperautomation

Below are the top use cases being Hyperautomated by Torq’s financial services customer base, along with real-world examples of the workflows they have built.

1. Phishing Alert Analysis

Automate the extraction and aggregation of URLs, file hashes, and message headers from Outlook messages and attachments, providing a comprehensive data set for further security analysis. 

Workflow Steps:

  1. Receive potential phishing alert from Microsoft 365.
  2. Execute parallel tasks to extract URLs from the email body, retrieve message headers, and process attachments (if present).
  3. For the email body, extract all unique URLs and collect them.
  4. Retrieve message headers using Microsoft Graph API and store them.
  5. If the email has attachments, list them and filter out non-file attachments.
  6. For each file attachment, retrieve detailed information and extract URLs from the content if available.
  7. Collect and combine URLs from various sources (e.g. body and attachments). Set default values if no URLs are found.
  8. Link message headers from the email and attachments, setting default values if none are found.
  9. Generate a structured output containing URLs, file hashes, and message headers.
  10. Nested Workflow: Case Management

2. Ransomware Case Creation and Categorization

Automate the ingestion and processing of CrowdStrike threat data by creating a comprehensive case in Torq. Once the case is created, notify the security team via email while categorizing the threat and adding relevant observables for further analysis. 

Workflow Steps:

  1. Extract specific fields from the incoming CrowdStrike event data into a sparse JSON object.
  2. Flatten the JSON object for easier processing and format it for a markdown table.
  3. Convert the event’s creation date to a specified format.
  4. Create a markdown table from the formatted data.
  5. Use a switch-case structure to categorize the threat as malware or ransomware, setting a variable accordingly.
  6. Create a case in Torq using the extracted and formatted data, including custom fields and tags.
  7. Add observables to the case, such as file hashes, with specified reputation scores.
  8. Query historical cases and link any closed cases with matching observables. 
  9. Generate an access token for Microsoft 365 and send an email notification about the new case to the specified recipient list.

3. Automated Threat Analysis and Enrichment 

Automate the process of extracting and analyzing threat intelligence data based on specific commands submitted by the security team — e.g. “Check IP”, “Check Hash”, or “Check Host”. Facilitate communications through Microsoft Teams to trigger the workflow and receive the enriched threat analysis. 

Workflow Steps:

  1. Evaluate incoming event text to determine the command type (!checkip, !checkhash, !checkhost).
    • For !checkip: Extract IP addresses using regex and retrieve information for each IP from AbuseIPDB.
    • For !checkhash: Extract patterns using regex, retrieve analysis reports from AnyRun, and get threats from SentinelOne.
    • For !checkhost: Extract patterns using regex and initiate a scan on SentinelOne agents, wait for a specified duration, then retrieve threats from SentinelOne.
  2. Reply with the information gathered to the thread in the originating Microsoft Teams channel. 

4. Case Management

Automate the process of checking for existing cases and creating new cases if necessary, ensuring efficient case management and reducing duplicate cases. This workflow is a valuable and repeatable tool for any case management program. Consider using a “nested workflow” attached to other Hyperautomated use cases (for example, see Phishing Alert Analysis above).

Workflow Steps:

  1. Query existing cases to check if a case already exists with the specified name, event data, or observable submitted.
  2. If a case exists, attach the new observable to the case and exit the workflow with the existing case ID.
  3. If no case exists, create a new case with the provided details such as title, SLA, severity, and state.
  4. After attempting to create a case, check the creation status.
  5. If the case creation is successful, exit with the new case ID.

5. Fraud Detection

Automate the process of locking or unlocking a user account based on suspected fraud event data. Update your CRM with relevant fraud activity and notify the appropriate stakeholders with contextual information about the actions taken.

Workflow Steps:

  1. Set workflow parameters to include user ID and notification email addresses.
  2. Check if required fields are present in the event data.
  3. Verify the user’s status via an API call and determine if the user should be locked or unlocked.
    1. If lock: Execute an API call to lock the user and set a variable indicating the action taken.
    2. If unlock: Execute an API call to unlock the user and set a variable indicating the action taken.
  4. If the lock/unlock action is successful, query Salesforce to retrieve the user’s account information.
  5. Add a “fraud task” to the user’s account in Salesforce and notify the specified email addresses of the action taken.
  6. If adding the activity to Salesforce fails, send a failure notification to the specified email addresses.

Case Study: Automating Zelle Fraud Detection and Lockdown from End to End

A major regional U.S. bank with billions in assets faced an urgent, compliance-driven requirement to automate their detection and response to fraud alerts in Zelle, a customer-facing payment service that had been suspended by the SEC due to a surge in fraudulent activity.  

With Torq’s Hyperautomation platform, the bank’s SOC quickly automated the end-to-end process of locking down accounts triggered by fraud alerts, enabling them to reinstate Zelle services. Torq also automates CRM updates, giving customer service immediate context when talking to customers about account lockdowns.

And that’s not all they achieved with Torq — read the case study for the full story of how they published over 100 workflows in just 3 months and reduced their Mean Time to Investigate (MTTI) from hours to minutes.

The SOC Automation Pyramid of Pain

Patrick Orzechowski (also known as “PO”) is Torq’s Field CISO, bringing his years of experience and expertise as a SOC leader to our customers. PO is a seasoned security veteran with a deep understanding of the modern security landscape. You can find him talking to SOC leaders and CISOs from major brands at cybersecurity events around the world.

Why AI-driven Hyperautomation is the answer to your SOC pain.

About 10 years ago, Alex Pinto came up with the idea of the threat intelligence “Pyramid of Pain” in the talk Measuring the IQ of Your Threat Intelligence Data at DEF CON ‘22. I love this idea and I think it applies to a lot of aspects of cybersecurity, especially as we move towards a more autonomous, less human-involved security operations center (SOC).

Looking to automate your SOC? Below, I walk through each level of the Pyramid of Pain applied to the security automation journey as a framework for reducing business risk and accelerating incident mean time to respond (MTTR). 

The SOC Automation Pyramid of Pain: From Bottom to Top

Level 1: The Basics — Integrations, Enrichment, and Context

The promise of legacy SOAR was to automate the core functions of a SOC, especially from a Tier-1 and Tier-2 perspective. These are the most basic aspects of automating security operations and have been around forever, dating back to Perl scripts! Whether you use Python, Go, PowerShell, or any other automation tooling, these capabilities have existed for as long as security operations centers have been a thing.

Any automation platform that you implement should have these enrichment capabilities built in, to enhance and contextualize indicators of compromise (IOCs), identities, and assets. They are the foundation of automation and the core of security operations. Crucially, they should also enable the humans who work in your SOC to be as efficient and effective as possible when responding to threats, new vulnerabilities, and the systems that exist in your environment.

Difficulty: Low
Business risk impact: Low

Time savings: 80-90% reduction in manual data enrichment, saving 1-2 hours per SOC analyst daily.
Cost efficiency: Up to 730 hours saved per analyst annually (based on 2-3 hours of manual tasks per day). At an average hourly rate of $50, this equals $36,500 saved per analyst per year, or $365,000 for a 10-analyst team.
Productivity gains: 30-50% faster triage due to immediate access to enriched data.
Overall risk reduction: Fewer missed IOCs due to consistent enrichment (priceless!).

Level 2: Moving Up — Collaborative Case Management

Case management is an essential piece of any security operations automation platform. Legacy SOAR and traditional case management systems do not take into account all of the other teams and functions that are involved in a typical incident response scenario.

In contrast, the case management system in Torq HyperSOC™ is built for collaboration: teams share workflows and workspaces, so different organizations can enrich and contribute to the same incident response scenario.

Difficulty: Low
Business risk impact: Low

Time savings: 25-50% reduction in time spent managing cases due to automated workflows.
Cost efficiency: Avoiding the need to hire one additional analyst saves $100K-$150K annually (varies by location), including salary and benefits.
Productivity gains: SOC analysts can consistently handle 2-3x more cases at the same time without additional headcount.
Reduced Mean Time to Respond (MTTR): Automation reduces MTTR by up to 50-70%, allowing faster incident containment and remediation.
Risk reduction: Faster response minimizes the potential financial impact of a breach. The average cost of a data breach was $4.88M in 2024.

Level 3: Automated Reporting — KPIs and SOC Metrics

SOC metrics have consistently posed a challenge for enterprises. Metrics such as Mean Time to Respond (MTTR), Mean Time to Detect (MTTD), Mean Time to X, and similar measurements often fail to capture the true scope of business risk.

To address this, an automation system should facilitate collecting metrics across all security tools and the entirety of an enterprise’s security stack. This provides a comprehensive view of the SOC’s activities, processes, and resulting business outcomes — ensuring that the impact of security operations is clearly understood.

Difficulty: Low
Business risk impact: Medium

Time savings: Up to 90% reduction in time spent generating compliance and audit reports.
Reporting accuracy: Minimal to no errors in reporting, ensuring compliance with regulatory frameworks like GDPR and PCI-DSS.
Fine avoidance: By ensuring reporting accuracy and compliance, companies could avoid, for example, $50K-$100K per month for PCI-DSS violations (depending on the transaction volume and duration), or up to €10 million or 2% of global annual revenue (whichever is greater) for GDPR non-compliance.

Level 4: Basic Automated Response — Point Solution Capabilities

Every security vendor, whether endpoint, firewall, email, or any other point solution, should prioritize robust API capabilities to enable automated response and remediation.

At this point in the security automation journey, enterprises should be able to automate responses to critical incidents: host isolation, and responses to malicious processes, stolen or compromised identities, and assets that have been identified as exposed to critical Internet-facing vulnerabilities.

Difficulty: Medium
Business risk impact: High

Response time improvement: 80%+ faster containment for malware infections, phishing attacks, and account compromises.
Overall risk reduction: Significantly decreased threat exposure window through automated response actions within seconds to minutes.
Increased employee satisfaction: Reduced analyst burnout as analysts focus on complex threats instead of repetitive tasks. 89% of employees report higher job satisfaction after adopting automation solutions.
Savings through talent retention: With a global shortage of 2.3M+ SOC analysts, retaining talent is paramount. More satisfied analysts stay longer — and not having to hire a single additional SOC analyst saves between $50K-$100K (varies by region), including recruitment, training, and lost productivity. Companies using Hyperautomation report retention as a key ROI metric for 43% of leaders.

Level 5: The Point of the Spear — Fully Automated Remediation Across the SOC

At the highest level of security automation maturity, organizations should be bringing together all of the capabilities of their security stack. This integration should extend to IT security operations, DevOps, cloud communications, and cloud capabilities, as well as any on-premise or custom applications, enabling a comprehensive automated response to threats and vulnerabilities.

The aim is to streamline and automate every process identified as reducing business risk and improving MTTR, integrating the entire IT and security stack to achieve autonomous remediation. This paves the way for an autonomous SOC that handles routine security responses, with human intervention reserved for critical decisions.

Difficulty: High
Business risk impact: High

MTTR reduction: Up to 70% decrease in MTTR, minimizing business disruption during high-severity incidents.
Risk elimination and consistency: Near-zero human error ensures consistent, immediate investigation and remediation of critical incidents.
Operational scalability: SOCs can handle a 200-300% spike in incident volume without adding headcount.
Labor cost savings: Near-zero human intervention required for routine remediation actions saves thousands of hours annually, equivalent to $300K-$500K in labor costs (region dependent).

Level Up: Security Automation Value Across the Pyramid of Pain

Pyramid of Pain Level: Tangible Value and Metrics

1. Enrichment and API Integration: 80-90% time savings on data enrichment; $50K-$100K cost savings; 30%-50% faster triage
2. Collaborative Case Management: 25-50% time savings on case management; 3x case handling capacity; $100K+ annual savings; 50-70% MTTR reduction
3. Metrics/KPIs and Automated Reporting: 90% time savings on generating reports; regulatory non-compliance fine avoidance
4. Basic Automated Response: 80%+ faster response; higher employee retention and satisfaction; improved threat containment
5. Fully Automated Remediation: Near-zero manual effort; scalable security operations; $300K-$500K in labor cost savings

More Autonomy, Less Pain

By harnessing the power of agentic AI on a Hyperautomation engine, Torq’s platform combats SOC killers like alert fatigue, manual workflow building, inefficient case workloads, and wading through pages of logs to write case summaries and reports. Autonomous triage, investigation, and response reduce MTTR and free up analysts to focus on the fun stuff: strategic projects and complex, critical incidents.

This is the promise of the autonomous SOC — and it’s the pitch that won Torq the Innovation Sandbox competition at CPX 2025.

Want to chat about how to reach the top of the SOC Automation Pyramid of Pain?