Contents
Get a Personalized Demo
See how Torq harnesses AI in your SOC to detect, prioritize, and respond to threats faster.
AI in security operations is moving fast. Agent capabilities are compounding, and the conversation has shifted from whether AI belongs in the SOC to how much it can take on alongside human analysts. But every serious conversation with a CISO eventually lands on the same question: can I trust it?
Trust isn’t a model problem. It’s a grounding problem.
In Torq’s 2026 AI SOC Leadership Report, 90% of security leaders said explainable AI decisions matter most to an AI SOC platform. The number tracks a deeper concern. The real bottleneck in AI-driven response is whether the agents are reasoning on grounded truth. Model capability and execution speed have raced ahead; the grounding hasn’t kept up.
Most AI agents in the market re-query the same sources for every alert. Each time a case opens, the agent rebuilds the picture from scratch. When the case closes, the picture disappears. The next investigation starts at zero. Analysts end up spending 85% of time of their triage time on contextualization — manually assembling a story that, in any well-architected platform, should already exist before the agent ever shows up to the case.
Now, with the acquisition of Jit, Torq is even better equipped to uncover that story and act upon it.
Why Jit
Trust is the barrier to AI in the SOC, and agents have to be grounded in real, current truth to earn it. Torq is built to integrate across the full security stack and execute across the full threat lifecycle. Execution is the easy part once the foundation is right. The harder part is making sure every decision is grounded in what’s true about the environment at the moment the decision gets made.
Jit is an agentic security platform whose agents reason on top of a comprehensive Security Context Graph. The Jit team built a live graph layer that their agents consume in production to make grounded decisions, along with the patterns that feed those decisions back into the graph as agents operate.
Jit doesn’t just inventory what exists in your environment. It understands what your environment means. Who is who, what’s sensitive, what’s exposed, why an alert that’s medium severity for one user is critical severity for another, even when the two users are sitting on identical machines.
For Torq, this accelerates work already underway. We’ve been building context into agentic decisions from day one. Jit closes the gap between where we are and where the next phase of the AI SOC needs us to be — by years. With Jit on board, Torq becomes the first AI SOC platform that reasons from full context and acts on full context, with every action traceable back to the grounded decision that produced it.
What Is the Torq Context Graph?
The distinction between knowledge graphs and context graphs isn’t new. It’s been discussed in the graph database community for years. A knowledge graph captures entities and relationships: what exists and how it connects. Users connected to devices. Devices connected to networks. Useful, but incomplete. It tells you what is, not what it means.
A context graph layers operational meaning on top of that structure. When a fact was true. Where it came from. What policy governs it. Why a decision was made on top of it.
What’s new is applying that distinction rigorously to security operations and wiring it into agents that reason and act on top of it. That’s what Torq, and now Jit, have been building.
Take the canonical example. Craig and John work at the same company. Same laptop model. Same applications. The same alert fires on both endpoints. A knowledge graph sees two nearly identical situations. A context graph sees something else entirely: Craig is a contractor with read-only access to public marketing assets, while John is a finance director with privileged access to the M&A data room. Same alert, different stories, different verdicts, and different responses.
The Five Dimensions of a Context Graph
Five dimensions elevate a context graph from informational to agentic reasoning-grade context.
- Temporal Context (When): Captures time-based validity (valid-from, valid-to), transaction dates, and sequence. The graph supports time-travel queries — what was true about this asset 14 days ago when the original alert first fired? — and reflects historical validity, not just the current state.
- Provenance Context (Source): Tracks where every statement came from, how reliable the source is, and when the data was ingested. The graph knows which system or which person provided each piece of information.
- Semantic Context (Meaning): Defines specialized relationships rather than generic links. The edge between two nodes isn’t a vague “related to.” It’s “approved by,” “transforms,” “governs,” or whatever the actual operational relationship is.
- Governance Context (Constraints): Embeds policies, security access controls, and retention rules directly into the graph as queryable nodes and properties.
- Decision Trace Context (Why): Every triage verdict, case decision, exception, and override is captured as a first-class node. Who made the call? What context did they have at the time? Which SOP did they follow, or choose not to follow, and why?
The fifth dimension is what makes the Context Graph different from anything else in the security graph space today. Decisions are modeled as nodes — with their context, their justification, and their outcomes — rather than buried in free-text fields nobody can query. That’s what lets agents detect patterns in how a SOC actually operates and adapt to the team’s real judgment, not the version written down two years ago in a runbook.
Capturing the Decisions, Not Just the Data
The hardest knowledge to capture in a SOC isn’t the data, it’s the judgment. Why did the lead analyst override the playbook last quarter? Why does this team always escalate an alert type that policy says to auto-close? Why did the on-call grant a temporary exception, and why did the team lead reverse it the next morning?
This knowledge lives in senior analysts’ heads, in Slack threads, and in the gap between what the SOP says and what the team actually does. When an analyst leaves, most of it walks out the door. Agents trying to support the team hit it as a wall: the documented process says one thing, the institutional reality is another, and they have no way to learn the difference.
The Torq Context Graph captures decision traces as native graph objects. Every override, every approved exception, every deviation from SOP, with the surrounding context of when and why. The longer you run Torq, the more the graph reflects your SOC’s actual operating logic, not the version written down two years ago.
A graph that goes stale produces decisions that do the same. The Torq Context Graph is built to keep up with the environment as it changes — close to real-time, where the data sources support it, on regular refresh cycles where they don’t. By the time the next alert fires, the agents’ reasoning on it have the current view of the environment to work from.
That’s what makes meaningful AI assistance possible. An agent that knows your SOPs is brittle. An agent that also knows when your senior analysts deviate from them, and why, is one your team can rely on alongside them.
Learning Your People, Process, and Technology
Every decision Torq AI Agents make feeds back into the Context Graph, enriching the next investigation or case. This is the difference between an AI SOC that simply processes alerts and one that genuinely learns and gets better at security over time.
People: The Context Graph learns how your team makes decisions. What analysts override, what they approve, and what exceptions they grant under what circumstances. Over time, the AI calibrates to your organizational judgment instead of a generic industry baseline.
Process: Every Torq AI Agent is context-aware from the moment it’s created. It already knows which assets are sensitive, which users have elevated privileges, and which integrations are available and trusted. As your processes evolve, the Context Graph evolves with them. Your team isn’t maintaining static contextual guidelines for every agent. Every Torq AI Agent draws from a single source of truth in real time.
Technology: As your security stack changes, the Context Graph updates. New integrations come in, old tools get deprecated, and the Torq AI SOC Platform adapts to your new environment. Workflows don’t break the day a key SME leaves the company, taking the institutional knowledge with them.
Customer-specific learning, with proper data isolation, produces a more precise and better-calibrated AI SOC. Your data stays in your environment, never touching a shared pipeline. With the Torq Context Graph, the longer you use Torq, the better it gets for your environment. Point solutions come and go. The platform underneath the SOC has to be the part that compounds.
End-to-End SecOps, Grounded in Full Context
SOC analysts need the full story to do their jobs well. Without it, you have a lot of information that doesn’t make sense in isolation. The Context Graph is what lets Torq tell the whole story behind every alert.
Torq is among the first companies in SecOps to build a real Context Graph. With Jit on board, Torq is the only company basing every agentic decision on the full story across the full lifecycle of the case — not just delivering an enriched alert with recommended next steps, but acting end-to-end from triage through response, with every agentic action traced back to the grounded decision that produced it.
The Context Graph is the new foundation underneath everything Torq customers already run. It makes the platform materially better across the board, without adding a separate product line for teams to adopt.
Build
Security engineers using the Agentic Builder create new workflows on top of a live, context-aware model of the environment. Builder gets smarter and faster because it works from the same grounded truth every other part of the platform draws on. Engineers stop repeating static instructions. They build on a live model.
Triage
Verdicts come from the full story of an alert, not a correlated signal enriched by threat intelligence. The Torq AI SOC Platform understands context, not just signals. Real risk surfaces because Torq knows what “real risk” means for your specific organization.
Investigate
Torq HyperAgents™ don’t re-query the SIEM, the EDR, and the IAM from scratch for every case. Investigations compound. Every agent reasons from the same shared, current, normalized intelligence layer. Planning, reasoning, and execution stay consistent across every case the SOC handles.
Respond
Socrates coordinates response actions grounded in the same context that produced the triage verdict. Every containment decision and remediation step traces back through the full reasoning chain, transparently documented at every step. Every action is auditable. Every decision can be replayed with the context that was true at the time. Nothing operates on a siloed data point.
The Future of Torq with Jit
Trust in AI-assisted security operations won’t come from better models. It will come from better grounding. From agents that can show, for any recommendation they make, exactly what they knew, when they knew it, and why they acted on it.
New models will only improve the reasoning of the agent and its general knowledge of the world or of cybersecurity. That won’t improve its capability to understand your environment, your tech stack, or your particular company policies. Only a comprehensive organizational context can do that.
The Torq Context Graph, now strengthened by Jit, is how we get there. Every alert investigated, every response executed, every exception granted feeds back in. The longer you run Torq, the more the platform reflects how your SOC thinks.
That’s the foundation the AI SOC has been missing, and it’s the foundation we’re now building on.
Leonid Belkind is a Co-Founder and Chief Technology Officer at Torq, the AI SOC platform. Prior to Torq, Leonid co-founded Luminate Security, a pioneer in Zero Trust Network Access and Secure Access Services Edge. At Luminate, Leonid guided this enterprise-grade service from inception, to Fortune 500 adoption to acquisition by Symantec.
David Melamed is the new Head of Emerging Technologies at Torq, joining through the company’s acquisition of Jit, which he co-founded and led as CTO since 2020. A cloud security veteran with more than 20 years of experience, David previously held senior technical roles in the Cloud Security CTO Office at Cisco (via the CloudLock acquisition) and at MyHeritage.
