
John White is the Field CISO for EMEA at Torq. A respected security executive with more than 20 years of leadership experience, John previously served as CISO at Virgin Atlantic, where he led a multi-year transformation deploying the Torq AI SOC Platform to modernize cyber operations. Prior to Virgin Atlantic, he built and transformed security functions for global organizations, including ASOS, Liberty Global, AEG Europe, and KPMG.
I’ve spent the last 25 years in security leadership, with the majority on the practitioner or “buying side”. Earlier this year, I crossed over to what people like to call “the dark side” and joined AI SOC Platform leader, Torq, as their Field CISO.
That decision wasn’t accidental.
I believe we’re on the edge of a structural shift in how security organizations are built and run. Not incrementally. Not with a few new tools and a re-org, but through a fundamental rethink of how security functions are structured, staffed, and measured.
I wanted to be at the source, able to look at the answer from both sides of the fence and provide my fellow CISOs with objective insight and guidance in navigating the shift.
Torq’s 2026 AI SOC Leadership Report recently surveyed 450 security leaders on what they actually want from an AI SOC. The results weren’t abstract or aspirational; they were blunt.
The top capabilities read like a checklist:
- 92% want continuous learning and adaptation
- 91% say full platform integration is critical
- 90% care about explainable AI decisions
- 89% want true end-to-end SecOps, from triage through remediation
That’s the destination. What mattered to me is that Torq wasn’t trying to reverse-engineer its way there from a SIEM, a SOAR, or a chat interface. The platform was designed for AI natively, unburdened by legacy and outdated architectures. That’s what closed the deal.
Why AI Tools Don’t Equal an AI SOC
AI is everywhere in the SOC. 94% of organizations use it in at least one function. 79% have embedded it into workflows. Yet only 37% say adoption is widespread.
Why? Because the average SOC is running seven or more different AI tools, and 80% of leaders say those tools are fragmented.
Seven-plus AI engines. Seven sets of alerts. Seven interpretations of “truth.” And one analyst in the middle expected to synthesize it all while the attacker moves in minutes. According to CrowdStrike’s 2026 Global Threat Report, the average eCrime breakout time is 29 minutes. The fastest intrusion they observed took just 27 seconds.
This is the point-solution trap. A new threat appears, a new tool gets bought. Five years later, you’re running a SOC held together by custom APIs and one engineer who knows where the duct tape is.
This doesn’t persist because CISOs are naïve. We all read our own stacks. But fixing it means ripping things out, and that means budget battles, politics, and admitting the platform you backed two years ago no longer delivers.
The data point that stuck with me: 53% of security leaders believe a fully integrated AI SOC would resolve their trust issues with AI. That’s the whole story. The trust problem isn’t philosophical; it’s architectural. Fragmented AI produces an output no one can trust, because no one can see the whole picture.
Torq made a different call from day one: One platform underneath everything. One orchestration layer spanning the entire threat lifecycle. Every AI agent operates through the same execution fabric. Every action is grounded in the same data. The Hyperautomation engine gives AI a foundation that the rest of the SOC can actually see into.

Where AI Actually Belongs First in the SOC
97% of leaders say they’re confident AI can handle triage and prioritization. They’re right: that’s where the biggest value is. Detection-to-response is the attacker’s window, and shrinking that window matters more than almost anything else.
Yet only 37% are actually using AI for triage today. Instead, teams lean on it for containment, false-positive reduction, case management, and vuln management.
The blocker isn’t capability, it’s confidence, specifically around black-box behavior. Teams are comfortable letting AI handle medium-severity and below. Beyond that, CISOs want clarity and control.
The right model is severity-based autonomy. High-severity incidents touching critical systems? Humans decide. Low-severity, high-confidence patterns? AI runs end-to-end.
That breakpoint is exactly how Torq is built. At Carvana, 100% of Tier 1 and Tier 2 alerts are handled by Torq’s AI agents. Humans focus on where they add the most value: Tier 3 critical risk.
What Explainable AI Actually Requires
Nearly half of security leaders say transparency is the single biggest factor in their trust in AI, and 92% cite at least one factor actively reducing their trust today.
If AI disables an account or quarantines a host, the team needs to know why. Not eventually. Immediately. Otherwise, you’re left with a black box that occasionally gets it right.
The trap is turning explainability into a gate that never opens, where everything still requires human review because no one has defined what “trusted enough” really means.
Torq HyperAgents are designed to clear that gate. They run under declarative instruction. You define the role, the tools, the data, and the authority. Every action is logged. Every decision is written into an immutable audit trail. When a CISO asks what the AI did and why, the answer is already there.
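The severity-based autonomy rule and the "every decision is logged with its reason" requirement described above can be sketched together in a few lines. This is an added example, not Torq's code or API: the field names, the medium-severity ceiling, the 0.9 confidence threshold and the hash-chained log are assumptions chosen for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64
RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

def route(alert, ceiling="medium", min_confidence=0.9):
    """Return (decision, reason). Anything unexpected fails closed to a human."""
    rank = RANK.get(alert.get("severity"))
    if rank is None:
        return "human", "unknown severity"
    if alert.get("asset_critical", True):  # missing tag is treated as critical
        return "human", "touches a critical system"
    if rank > RANK[ceiling]:
        return "human", f"severity {alert['severity']} is above the {ceiling} ceiling"
    if alert.get("confidence", 0.0) < min_confidence:
        return "human", f"confidence below {min_confidence}"
    return "auto", f"severity within {ceiling} ceiling, confidence >= {min_confidence}"

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def record(log, alert, decision, reason):
    """Append a decision; each entry commits to the hash of the previous one."""
    body = {"alert_id": alert["id"], "decision": decision, "reason": reason,
            "prev": log[-1]["hash"] if log else GENESIS}
    log.append({**body, "hash": _digest(body)})

def first_broken_entry(log):
    """Return the index of the first entry that fails verification, or -1."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["prev"] != prev or _digest(body) != entry["hash"]:
            return i
        prev = entry["hash"]
    return -1

# Constructed sample alerts (not real data).
ALERTS = [
    {"id": "A-1", "severity": "low", "confidence": 0.97, "asset_critical": False},
    {"id": "A-2", "severity": "high", "confidence": 0.99, "asset_critical": True},
    {"id": "A-3", "severity": "medium", "confidence": 0.55, "asset_critical": False},
]

def triage(alerts):
    """Route every alert and return the audit log of decisions and reasons."""
    log = []
    for alert in alerts:
        record(log, alert, *route(alert))
    return log

if __name__ == "__main__":
    for entry in triage(ALERTS):
        print(entry["alert_id"], entry["decision"], "-", entry["reason"])
```

A hash chain makes edits detectable rather than impossible, so the latest hash has to be stored somewhere the logging process cannot rewrite.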
How AI Changes Tier 1 Work for the Better
SOC teams spend an average of 8.6 hours a week on AI oversight. That sounds high until you see the next stat: 9 out of 10 leaders say AI has improved SOC workloads. Those hours aren’t busywork. They’re the shift from execution to judgment.
In an agentic SOC, the environment is calmer. AI handles 90%+ of Tier 1 triage, the most voluminous and time-sensitive work in the SOC. Shrink that exposure window, and the panic goes with it. Tier 1 work is repetitive but critical. The agentic model gives analysts what I think of as an exo-suit: same mission, amplified capability.
And when leaders were asked what they wanted most from AI, the top answer wasn’t faster SLAs or lower MTTR. It was a better work-life balance. AI is how people get back to doing meaningful security work.
How a Real AI SOC Builds Memory
92% of leaders say continuous learning is the defining capability of a true AI SOC. Very few are close.
Most SOCs learn in batches. Investigate. Document. Update a playbook. By the time it’s done, the attack has evolved. An adaptive SOC learns in real time. Outcomes feed the next decision immediately. That’s SOC memory, and it doesn’t form across seven disconnected tools. It forms when everything flows through one system.
In Torq’s platform, that system is Socrates, the AI SOC orchestrator. It coordinates every agent, captures every decision, and remembers overrides and exceptions. Each closed case sharpens the next one. That’s the shift from rules-based automation to agentic AI.
Rules execute instructions, whereas AI agents reason with context.
If I Were Building an AI SOC from Scratch
Three decisions, immediately:
- Start with the execution layer. AI and automation run at machine speed, 24/7. Everything else sits on top of that foundation.
- Define outcomes before roles. Don’t start with the headcount. Start with what needs to be delivered. AI executes. Humans provide strategy and judgment.
- Measure before you deploy. Baseline MTTI, MTTR, escalation accuracy, and autonomous closure rates on day one. Six months in, you’ll need your own before-and-after story grounded in data, not slides.
These were the decisions Torq made long before I joined. That made the move an easy one.
Closing the Gap
Security leaders agree on what a true AI SOC looks like. The gap is execution.
450 leaders align on the blueprint. Torq is built to it: agentic AI orchestrated by Socrates, declarative HyperAgents, transparent timelines, immutable audit logs, SOC memory baked into the architecture, and full coverage from triage through autonomous remediation. Customers like Carvana are already living this reality. The blueprint isn’t theoretical anymore.
I’ll leave you with the phrase I come back to often: Inaction introduces as much risk as action. That’s the cost most CISOs are underestimating right now.
The 2026 AI SOC Leadership Report has the methodology, regional breakdowns, and the data behind every finding here.




