I spent 20 years as a CISO. I know what it feels like to run a SOC that’s stretched thin and held together by sheer effort — where every alert, regardless of severity, means someone’s pulling out a laptop at midnight or stepping away from their family on a holiday.
So when I sat down with three security leaders at a recent Torq customer panel, I wasn’t interested in the pitch-perfect version of their AI SOC automation journey. I wanted the real one: what broke, what they tried, what actually worked, and what changed for the people doing the work.
What I got were scenes I’ve seen play out a hundred times — lean teams, brittle tools, a breaking point — followed by something I’ve rarely seen: three teams that came out the other side with fundamentally different operations. Not incrementally better. Truly different.
Here are their stories.
Why These Security Teams Hit the Limits of Manual SOC Operations
Every team had a different trigger. The pattern underneath was identical: too few people, too many tools, and manual work that couldn’t scale, no matter how hard the team worked.
Corey Kaemming, CISO at Valvoline, inherited the problem three months into the job: a corporate divestiture that cut his team in half overnight. And the technologies split with it. The SOAR they’d been running was heavily customized — the kind of system that works until it doesn’t, and when it doesn’t, everything goes down. On top of that, their MDR provider was only responding to alerts from two tools. If an alert didn’t come from one of those two tools, it functionally didn’t exist.
Three months in, half the team gone, a brittle SOAR, and blind spots across the stack. That was Corey’s starting position.
Dustin Nowak, Cyber Threat Manager at Kenvue (the parent company of brands like Johnson’s, BAND-AID, and Neutrogena), faced a nearly identical divestiture — but his challenge was even more foundational. His team needed to stand up an internal hybrid SOC from scratch. They needed case management that could support a structured investigative process — something that followed NIST or SANS methodology, not just a ticketing queue. Most platforms they evaluated treated case management as an afterthought.
Matthew Brister, Staff IR and Threat Hunting Engineer at Henry Schein One, had four people covering 24/7 operations. Every alert, every time — Tuesday afternoon or Christmas morning — someone was on a laptop. For a team that small, every hour burned on a low-priority alert was an hour stolen from an investigation that actually mattered.
What AI SOC Automation Delivered in the First 30 Days
The first month on a new platform is where reality either matches the demo or it doesn’t. For these teams, Torq matched — and in some cases exceeded — their expectations.
Matt’s team moved the fastest. They tackled all five of their priority use cases in the first week. The remaining three weeks were spent exploring what else was possible. “I kept calling my team saying, ‘Show me something cool,’” he said.
But that number doesn’t capture what actually changed. What Matt told me next does. Before Torq, his lean team was on call around the clock, every day and on every holiday. If an alert came in at 2 a.m. on Christmas, someone opened a laptop. After deploying Torq’s AI SOC platform, any obviously malicious action is automatically locked down. Last Christmas was the first holiday where alerts came in, but nobody had to leave their family.
I’ve sat in hundreds of vendor sessions. That’s the kind of outcome that sticks with you.
Corey’s team saw the efficiency gains immediately: six to seven hours per day saved in analyst work by removing manual, repetitive tasks. But what mattered just as much was what the platform didn’t require. “If it’s going to take three to four people to manage it, I’m out,” he said. “The time my team spends in Torq isn’t on care and feeding — it’s on building. That’s huge value, especially with a lean team.”
Mitch started where he had to — with a single pane of glass. When you’re operating across so many SOC tools, the first win isn’t automation. It’s being able to see everything in one place. Unified case management gave his team that foundation. From there, they moved into enrichment automation: the meta lookups, the IoC checks, the steps that run the same way for every incident.
Dustin took the most deliberate approach. He didn’t try to automate everything on day one. He started with case management — building the investigative structure first, then layering integrations and automation on top. It was the slowest start on paper. It was also the foundation that let everything else scale.
How to Build the Business Case for AI SOC Automation
Getting the Torq platform approved was only half the fight. Getting the organization to believe in it — and to stop defaulting to the tools they already had — was the real work.
Corey ran a head-to-head evaluation against a competitor. He chose a use case that the competitor couldn’t solve. Torq figured it out in three to four days. That made the technical case. The ROI case came from the six to seven hours per day saved in analyst time. But the political battle was harder: differentiating Torq from everything else already in the stack. Splunk was already there. Azure was already there. Why couldn’t those tools do this?
The answer was in the operational reality. None of those tools could unify the workflow across the full stack without heavy customization and a dedicated team to maintain it. Torq could, and it didn’t require an engineering staff to keep it running.
Dustin’s approach was different, and it’s the one I’d recommend to any CISO trying to make the SOC relevant to leadership. Kenvue makes Tylenol, Band-Aids, and consumer health products. To get leadership’s attention, the security team had to speak the business’s language.
One of their biggest use cases turned out to be digital rights protection — monitoring social media for fake accounts and brand threats. When someone set up fake Facebook accounts, Dustin’s team ingested the threat intelligence, automated monitoring, and told the business exactly what was happening regionally in real time. That took the SOC from cost center to what Dustin calls a Cyber Fusion Center (CFC) — relevant to the business in a way that MTTR metrics alone never could be.
Matt had the smoothest internal path. His boss was hands-on with the SOC and had leadership backing from the start. The team said yes immediately. The only question was how to divide up the work. Later, Matt built a dashboard in Torq to justify expenses across security tools — and it worked so well that teams outside security started asking him to build dashboards for their tools, too.
When AI + Automation Expands Beyond Security Operations
Here’s what surprised me: None of these teams stopped at security operations. Once Torq proved its value in the SOC, adjacent teams began to show up.
One of the themes that came up across the panel was how teams combine different approaches to security operations — and whether automation can scale the function at a fraction of the cost. At Kenvue, the team is already exploring that: rather than outsourcing to an MDR at full price, they’re looking to bring it in-house through the automation they’ve already built.
Corey’s team is advancing identity-focused security after experiencing impersonation attempts. In response, they are developing an identity verification workflow using Torq that relies on contextual validation rather than traditional methods. The approach leverages existing organizational signals to help confirm legitimacy, reducing reliance on static or easily exploited verification techniques.
Matt’s team is leaning into agentic AI and pushing for deeper data retention capabilities. They’ve already built creative workarounds using Torq workflows and dashboards to hold onto investigation data longer — and they want that to go further. It’s a sign of how much operational weight the platform is carrying: teams aren’t just using it for automation, they’re building core SOC infrastructure on top of it.
What These Security Leaders Learned Deploying AI SOC Automation
I asked each panelist what advice they’d give to a CISO or SOC leader considering a similar move.
Corey: Trust your team. Empower them to make decisions. Get governance right before you deploy — especially around AI, data privacy, and PII. Bring legal in early, not after. And once it’s running, market it internally. Don’t gate-keep. When other teams come asking, the answer should be “yeah, I can help — I have a tool for that.”
Matt: Get your foundation right in month one. Alerts aggregated. Use cases defined. If you don’t set the base, everything you build on top of it will be shaky.
Dustin: Make it relevant to the business. If you’re only reporting in SOC metrics, you’re invisible. Translate your impact into language the business understands, by region, by business unit, by brand risk.
The AI SOC Automation Playbook
Different companies, different industries, and different team sizes. The same arc: a breaking point that forced a change, a first month that proved the value, an internal battle that tested whether the platform could survive organizational gravity, and an expansion that nobody planned but everyone benefited from.
The teams that deployed Torq for AI SOC automation didn’t just get faster metrics. They got analysts who stopped dreading on-call rotations. They got SOCs that earned credibility with the business. They got a platform that other teams wanted to use. And in one case, they got their Christmas back.
That’s not a vendor story. That’s an operational one. And it’s the kind of outcome that only happens when the technology actually works the way the demo said it would.
These conversations happened at a recent Torq customer panel. Thank you to Corey, Dustin, and Matt for their time, honesty, and willingness to share what they’ve learned.
FAQs
Based on four enterprise Torq deployments, teams saw results within the first week to first month: Valvoline saved six to seven analyst hours per day by automating repetitive tasks. Henry Schein One deployed five priority use cases in the first week and eliminated 24/7 on-call requirements for a four-person team. Kenvue built a structured case management foundation. Time-to-value was measured in days, not months.
The strongest business cases combine quantified analyst time savings (Valvoline documented six to seven hours saved per day), competitive evaluation against alternatives (Torq solved a use case in three to four days that a competitor couldn’t), and business-relevant framing — Kenvue translated SOC impact into brand risk and regional threat data, which took the SOC from cost center to what they call a “cyber fusion center.” Getting legal involved early on AI governance and data privacy accelerates approval.
No. One of the most consistent findings across all four teams was that the Torq AI SOC platform didn’t require dedicated staff to maintain. Valvoline’s CISO was explicit: “If it’s going to take three to four people to manage it, I’m out.” Teams spent their time building new use cases, not maintaining the platform — which is critical for lean SOCs that can’t afford to trade one operational burden for another.
Yes — and it did for every team in this panel. At Kenvue, expansion into data privacy and IT incident response is underway. At Valvoline, identity verification workflows are being built for anti-spoofing. The pattern: once the Torq platform proves value in the SOC, adjacent teams discover it on their own.





