The security automation market just got its definitive evaluation and its new name.

KuppingerCole Analysts is the global analyst firm that sets the benchmark for cybersecurity technology evaluations. Their Leadership Compass is the gold-standard independent assessment enterprises rely on when making platform decisions, rigorously scoring vendors across product maturity, innovation, and market execution. When KuppingerCole Analysts names a category, the industry follows. When they name a Leader, buying teams listen.

KuppingerCole Analysts’ April 2026 Leadership Compass retired the SOAR category entirely. The report is now called The Emerging AI SOC to reflect the market transformation. In the words of KuppingerCole analyst Matthew Gardiner, “Traditional rule-based workflow and playbook-based SOAR systems have hit an efficiency and implementation brick wall. The cost and expertise required to get significant ROI from traditional SOAR systems is out of reach for average security organizations… AI is showing early signs of changing this calculus and lowering the bar for smart(er) automation.” 

We couldn’t agree more. The new frontier is agentic AI, adaptive reasoning, and platforms that augment analysts, not replace them. Transparency and control have been at the heart of our AI SOC strategy for years.

Torq was named a Leader by KuppingerCole Analysts in all four categories for the AI SOC: Overall, Product, Innovation, and Market.

Torq scored highest in both Innovation Leadership and Product Leadership. We are named a Market Leader driven by rapid customer growth, expanding revenues, and increasingly comprehensive capabilities. And was evaluated as an Overall Leader across every dimension that KuppingerCole Analysts measures.

Here’s what the KuppingerCole Analysts Leadership Compass for the Emerging AI SOC found and what it means for the market.

The AI SOC Category Is Official. SOAR Is Not Coming Back.

KuppingerCole Analysts rebranded the report category because the underlying technology for security automation has fundamentally shifted. Newer automation capabilities “increasingly focus on AI-based reasoning, natural language chat interfaces, contextual enrichment, and adaptive decision support” rather than simply executing preconfigured rules and playbooks. Rule-based systems only work when the problem space is stable, and security operations are anything but.

The competition has shifted with the market. Differentiation is no longer about who has the most predefined playbooks or the longest feature list. It’s about usability, flexibility, scalability, and the ability to support heterogeneous, tool-rich environments without excessive engineering or people-intensive overhead. Playbooks and out-of-the-box integrations still matter, but they’re table stakes. The real differentiator is how effectively a platform reduces the human burden while handling the messy, multi-vendor reality of a modern SOC.

This is the shift Torq was built for — and the criteria KuppingerCole Analysts used to separate Leaders from the rest of the field.

The report also names the operational problem driving that shift: agentic AI has the potential to rebalance the false-positive-to-false-negative tradeoff that has defined SOC work for years. With manual triage, alert fatigue is so severe that missed threats become an accepted cost. AI agents don’t experience fatigue. They triage 100% of alerts continuously, shifting sensitivity to catch threats rather than just manage volume.

The buyer data backs this up. Torq’s 2026 survey of 450 security leaders found that 97% are confident AI can handle triage, the highest-volume function in the SOC. But only 35% have deployed it there. The confidence exists. The platforms to act on it haven’t — until now.

Where Torq Outscored in the KuppingerCole Analysts AI SOC Evaluation

KuppingerCole Analysts evaluates vendors across product leadership, innovation, and market execution. Here’s where Torq stands.

Product Leader. Torq scored highest in product leadership. The Product Leaders in this analysis stand out for the breadth, depth, and maturity of their current product capabilities, delivering robust, production-grade platforms that address the full lifecycle of modern SOC operations. This includes detection integration, triage, investigation, automation, case management, governance, and reporting. Torq earned this position with strong architectural foundations, rich functionality, and proven suitability for complex operational environments.

Innovation Leader. As Gardiner states, “Innovation Leaders push the boundaries of how SecOps are designed, automated, and augmented with AI.” Torq scored highest in innovation, with a standalone callout for behavioral detection coverage across users, devices, AI agents, and other non-human identities, as well as threat actor attribution, cloud infrastructure automated response coverage, and extensive AI decision explainability.

Market Leader. Market Leadership weighs the number of customers, their geographic distribution, deployment size, support services, partnership ecosystem, and financial health. As KuppingerCole Analysts makes clear, “Market Leadership requires global reach.” Named a Market Leader, Torq has quickly emerged as a security automation market leader, driven by rapid customer and revenue growth, unique branding, and increasingly comprehensive product capabilities — reshaping expectations for modern security automation by emphasizing simplicity, extensibility, and rapid deployment through low-code automation, lowering the barrier to adoption while supporting complex enterprise use cases.

Overall Leader. Named an Overall Leader, the Torq AI SOC Platform exemplifies a new generation of security automation — excelling at low-code orchestration, rapid automation across security tools, and AI-assisted and agentic workflows. Positioned as a security automation engine within the SOC that is independent of the large security platforms. And in a relatively short time, acquired a significant number of enterprise customers.

Torq’s AI SOC Strengths Documented in the KuppingerCole Analysts Leadership Compass

The report identified eleven specific strengths for Torq. Here are the ones that matter most for buying teams.

Proven Agentic AI 

Torq has measurable, documented success with agentic AI among early-adopter customers, including Fortune 500 production security operations. 

Our 2026 Torq AI SOC Leadership Report found that 72% of CISOs and security leaders are comfortable with fully autonomous AI for medium-severity incidents and below, but most haven’t deployed it because the platform controls aren’t in place. Not a problem with Torq. Documented customer success with Torq Agentic AI shows that Torq controls work in practice, not just in a demo environment.

“Torq Agentic AI now handles 100% of Carvana’s Tier-1 security alerts and has automated 41 different runbooks within just one month of deployment.”

– Carvana

Deep Integration Layer

KuppingerCole Analysts noted Torq’s extensive support for third-party SIEM, EDR/XDR, ITSM, web gateways, firewalls, threat intelligence sources, IAM/PAM, UEBA, and file sandbox systems as the first in its list of strengths.

300+ pre-built integrations covering a broad spectrum of SOC use cases. Extensive support for public cloud response actions, including enabling/disabling users and starting/stopping instances. Deep integrations with ITSM platforms like ServiceNow, Jira Service Management, BMC Helix, Freshservice, and Ivanti. Broad support for incident communication systems, including email, Slack/Teams, PagerDuty, and SMS. Customization support for both enterprise customers and MDR providers. 

This directly addresses the fragmentation problem we see in SOCs: 85% of CISOs want a unified AI SOC platform. You can’t unify what you can’t integrate.

AI-Native Architecture 

The Torq platform supports Retrieval Augmented Generation (RAG) for pulling in external data sources, Model-Context Protocol (MCP) for standardized tool connectivity, and agent-to-agent collaboration, enabling specialized AI agents to coordinate across investigation steps without human handoffs. Analysts can describe what they want in plain language — “enrich this alert with threat intel, check if the user has had prior incidents, and isolate the endpoint if confidence is high” — and the platform automatically generates and validates a production-ready workflow. 

This is the architectural difference the KuppingerCole Analysts AI SOC evaluation is measuring: whether AI is the foundation of the platform or a feature layer added on top of legacy automation. Torq was built for the former. 

Our research found that 92% of security leaders want AI that learns and adapts to attack patterns, which requires an architecture designed for continuous learning from the ground up.

Enterprise-Grade Trust and Governance 

Torq provides broad support for role-based, attribute-based, and policy-based access controls, along with strong authentication for administrative users — giving security teams granular control over who can do what within the platform. Global datacenter support enables regional data sovereignty, which is critical for EU customers operating under strict compliance requirements. 

And for MSSPs and large enterprises, the platform supports full look-and-feel customization, white-labeling, and tenant isolation — so providers can deliver Torq-powered services under their own brand without exposing the underlying platform to end customers.

In our recent report,  92% of security leaders cited at least one factor that reduces their trust in AI; governance isn’t optional. The number one thing that would build confidence is full transparency into AI decision-making. Torq scored highest in the Leadership Compass for AI decision explainability — the exact capability buyers say they need before they’ll expand AI autonomy.

Financial Stability and Market Momentum 

Torq’s recent unicorn-level $1.2 billion valuation is a strength noted by KuppingerCole Analysts because it matters when you’re betting your SOC infrastructure on a vendor’s longevity. Torq has quickly emerged as a market leader, driven by rapid customer growth and expanding revenues, and has acquired a significant number of enterprise customers in a relatively short time.

For buying teams evaluating standalone AI SOC platforms against platform vendors, commercial viability is a real consideration. KuppingerCole Analysts’ inclusion of this as a documented strength signals that Torq has crossed the threshold from promising startup to established market participant.

What This Means for Security Teams

The AI SOC is no longer a concept; it’s a defined market category with a formal evaluation framework, scored vendors, and documented production outcomes. The KuppingerCole Analysts Leadership Compass for AI SOC makes that official. And the data from 450 security leaders in the 2026 Torq AI SOC Leadership Report confirms the urgency: security teams aren’t debating whether AI belongs in the SOC. That adoption argument is over, with 94% already using AI. The conversation is now about accountability and results. Enterprises are seeking an AI SOC platform that actually delivers.

For buying teams, the decision comes down to architecture. Do you extend a legacy system with bolted-on AI capabilities and questionable ongoing investment? Or do you invest in a cloud-native, AI-augmented platform designed for the multi-vendor, multi-signal reality of your security stack?

KuppingerCole Analysts evaluated that exact question across product strength, innovation, and market execution. One platform scored highest in innovation and product leadership, and earned Leader status in every measured category — with production-grade results to back the scores.

Security operations teams have never had more technology at their disposal… and they’ve never been more overwhelmed by it. The average SOC is now running 7 AI-powered solutions. 10% are managing 10 or more. And across the broader enterprise, organizations deploy an average of 83 security tools from 29 vendors, according to IBM research.

Every one of those SOC tools was added for a reason. Better detection, faster enrichment, smarter alerting. Individually, they deliver value. But collectively, they’ve created a problem the industry is only now beginning to quantify: SOC tool sprawl.

Torq’s 2026 AI SOC Leadership Report — a survey of 450 CISOs and security leaders — puts hard numbers on the cost of that sprawl. 80% of SOC teams rely on disconnected point solutions. 36% cite a “patchwork of multiple tools” as a functional gap. Analysts spend 8.6 hours per week validating AI outputs across those tools. And the teams that can least afford the overhead are absorbing the most of it.

This isn’t a tooling problem; it’s an architecture problem. And it’s getting worse every quarter organizations don’t address it.

What Is SOC Tool Sprawl?

SOC tool sprawl is what happens when security teams continuously add point solutions — each solving a real, specific problem — without a unifying layer to connect them. Over time, the result is an overextended stack where siloed data, overlapping functionalities, and operational inefficiencies compound faster than the tools themselves can deliver value.

The pattern is predictable: A new threat vector emerges. A point solution gets purchased to address it. It works — within its own console. But it doesn’t talk to the SIEM, doesn’t share context with the EDR, and doesn’t feed into case management. So the analyst becomes the bridge, manually pulling data from one tool, correlating it with another, and pasting findings into a third.

Multiply that across seven or more AI tools — each with its own confidence model, alerting format, and severity scoring — and the cost becomes structural. SOC tool sprawl doesn’t just add complexity; it also creates inefficiency. It changes how the SOC operates and not for the better.

The SOC Tool Sprawl Tax: What Fragmentation Actually Costs

The real cost of SOC tool sprawl isn’t measured in licensing fees. It shows up in four places most organizations aren’t tracking.

1. Oversight hours: Our report found that analysts spend an average of 8.6 hours per week on human oversight of AI-powered outputs. That’s not inherently a problem. AI has taken over the execution layer — processing alerts, enriching data, running playbooks — and analysts have moved into a judgment layer: validating decisions, providing context, and making calls that require institutional knowledge. 9 in 10 security leaders say AI has positively impacted SOC workload, and almost 90% say it’s reduced stress and burnout. The problem is when SOC tool sprawl makes that judgment work inefficient. Disconnected tools produce outputs with different confidence models, formats, and reasoning chains. Instead of spending 8.6 hours on strategic oversight, analysts spend it reconciling conflicting information across siloed dashboards. 37% of security leaders say AI requires too much manual oversight — and that burden scales with the number of tools, not the number of incidents. Consolidate into a single orchestration layer with transparent reasoning, and those 8.6 hours become what they’re supposed to be: high-value, strategic time.
2. Breach lifecycle: IBM research shows that fragmented stacks take 72 days longer to detect threats and 84 days longer to contain them. When context is scattered across a dozen consoles, the time between “alert fired” and “incident contained” stretches in ways that directly increase breach costs. IBM’s Cost of a Data Breach Report found that organizations using AI extensively cut the breach lifecycle by 80 days and saved $1.9 million on average — but that ROI only materializes when the AI tools are integrated, not fragmented.
3. Integration maintenance: Data from our AI SOC report shared that 95% of security leaders run multiple tools with overlapping functions, yet fewer than a third have them fully integrated. Every tool added is another API to maintain, another update cycle to manage, another integration that can break when a vendor pushes a change. For SOC teams already stretched thin, integration maintenance becomes a permanent tax on engineering capacity that never appears in the budget.
4. Skill gaps: The more tools a team runs, the harder it becomes for analysts to be proficient with each one. Suboptimal tool usage — where capabilities aren’t fully leveraged — weakens the overall security posture. The paradox of SOC tool sprawl is that buying more tools can make you less secure, not more.

Why SOC Tool Sprawl Hits Lean Teams the Hardest

The teams with the fewest resources bear the highest fragmentation costs and have the least capacity to address them.

The 2026 AI SOC Leadership Report found that smaller teams — 15 or fewer — are twice as likely to default to legacy automation: 30% compared to 15% for teams of 35 or more. Not because they prefer legacy tools, but because switching costs feel prohibitive when you’re barely keeping up with the queue.

Except the cost of staying put isn’t static. It’s growing. 44% of lean SOC teams say false positives are reducing their trust in AI, compared to 28% of larger teams. With fewer analysts to absorb the noise, fragmentation doesn’t just slow the team down — it actively erodes confidence in the tools themselves. SOC tool sprawl becomes a staffing problem, not because they don’t have enough people, but because their people are spending time managing tools rather than managing threats.

How SOC Tool Sprawl Erodes Trust in AI

The trust gap in AI-powered security operations is one of the most discussed challenges in the industry. 92% of security leaders cite at least one factor that reduces their trust in AI. The conversation usually frames this as an AI problem — the models aren’t good enough, the outputs aren’t reliable, the technology isn’t ready.

Our data tells a different story. The issue isn’t whether AI works. It’s whether the architecture around it lets teams verify that it does.

When AI outputs come from so many different systems with so many different confidence models, analysts have no consistent baseline to calibrate trust against. There’s no single source of truth. Each tool has its own alerting format, its own severity scoring, and its own enrichment logic. An alert that scores high-severity in one tool might not even surface in another. Analysts can’t build trust in AI when the AI itself is fragmented across systems that don’t talk to each other.

This creates a self-reinforcing cycle: more tools generate more outputs that require more validation. More validation means more oversight hours. More oversight hours mean analysts feel less confident in AI — because they’re spending all their time checking it instead of benefiting from it. And when trust stays low, teams add another tool to fill the gap that the last one created. The sprawl feeds itself.

37% of security leaders say AI requires too much manual oversight. That’s not a statement about AI’s capability. It’s a statement about what happens when you deploy AI across seven disconnected systems and ask a human to be the integration layer between them.

How to Fix SOC Tool Sprawl: What 85% of Security Leaders Want

The survey asked security leaders what would fix this. The answer wasn’t “fewer tools.” 85% want a unified AI SOC platform. Not one tool that replaces everything. One platform that connects to everything.

That distinction is critical. Nobody is asking to rip out their SIEM, their EDR, their identity tools, or their cloud security posture management. Those tools exist because they solve real detection and protection problems. What’s missing is the layer that sits across all of them — correlating, enriching, and orchestrating so the SOC operates as one system instead of seven disconnected ones.

More than half say unification alone would resolve their trust issues with AI. The trust problem isn’t the AI. It’s the architecture. Give them a single orchestration layer with consistent context, unified case management, and one place to validate AI decisions — and the trust follows.

This also explains why the lean-team trap is so persistent. The teams running four people and multiple tools aren’t going to do a forklift migration. They can’t afford the downtime, the retraining, or the risk. What they need is a platform that lets them consolidate at their own pace — bringing tools into a single orchestration layer without ripping anything out. Integration over replacement. Unified and flexible, not one or the other.

The organizations that figure this out first won’t just reduce complexity. They’ll turn the 8.6 hours per week that their analysts spend on AI oversight from fragmented busywork into strategic judgment time. They’ll break the cycle where low trust drives more tools, which drives lower trust. And they’ll give lean teams the operational leverage to compete with SOCs several times their size — not by adding headcount, but by eliminating the fragmentation tax that’s consuming the headcount they already have.

The Cost of Ignoring SOC Tool Sprawl

Seven or more AI tools. 8.6 hours a week in oversight. 80% reporting operational complexity. The teams that need help most are the least likely to make a change, and the fragmentation compounds every quarter they wait.

The cost of SOC tool sprawl is measurable in hours lost to validation, trust eroded by inconsistent outputs, and incidents that take longer than they should because context lives in five different tabs. It shows up in analyst burnout, in MTTR that plateaus no matter how many tools you add, and in the growing gap between what AI can do in theory and what teams actually let it do in practice.

What 450 security leaders are asking for isn’t complicated. It’s a platform that connects to everything they already have, gives them a single place to triage, investigate, and respond, and lets their AI operate as a single system rather than a collection of competing ones.

The data says 85% want it. The question is how long they’ll wait.