Why AI-driven Hyperautomation is the answer to your SOC pain.
About 10 years ago, Alex Pinto came up with the idea of the threat intelligence “Pyramid of Pain” in the talk Measuring the IQ of Your Threat Intelligence Data at DEF CON ‘22. I love this idea and I think it applies to a lot of aspects of cybersecurity, especially as we move towards a more autonomous, less human-involved security operations center (SOC).
Looking to automate your SOC? Below, I walk through each level of the Pyramid of Pain applied to the security automation journey as a framework for reducing business risk and accelerating incident mean time to respond (MTTR).
The SOC Automation Pyramid of Pain: From Bottom to Top
Level 1: The Basics — Integrations, Enrichment, and Context
The promise of legacy SOAR was to automate the core functions of a SOC, especially from a Tier-1 and Tier-2 perspective. These are the most basic aspects of automating security operations and have been around forever, dating back to Perl scripts! Whether you use Python, Go, PowerShell, or any other scripting capability, these capabilities have existed for as long as security operations centers have been a thing.
Any automation platform that you implement should have these enrichment capabilities built in to enhance and contextualize indicators of compromise (IOCs), identities, and assets. They’re the foundation of automation and the core of security operations. Crucially, they should also enable the humans who work in your SOC to be as efficient and effective as possible when responding to threats, new vulnerabilities, and the systems that exist in your environment.
Difficulty: Low
Business risk impact: Low
Time savings: 80-90% reduction in manual data enrichment, saving 1-2 hours per SOC analyst daily.
Cost efficiency: Up to 730 hours saved per analyst annually (based on 2-3 hours of manual tasks per day). At an average hourly rate of $50, this equals $36,500 saved per analyst per year, or $365,000 for a 10-analyst team.
Productivity gains: 30-50% faster triage due to immediate access to enriched data.
Overall risk reduction: Fewer missed IOCs due to consistent enrichment (priceless!).
Level 2: Moving Up — Collaborative Case Management
Case management is an essential piece of any security operations automation platform. Legacy SOAR and traditional case management systems do not take into account all of the other teams and functions that are involved in a typical incident response scenario.
In contrast, Torq’s case management system in HyperSOC™ allows collaboration across teams’ workflows and workspaces, so that different organizations can enrich and contribute to an incident response scenario.
Difficulty: Low
Business risk impact: Low
Time savings: 25-50% reduction in time spent managing cases due to automated workflows.
Cost efficiency: Avoiding the need to hire one additional analyst saves $100K-$150K annually (varies by location), including salary and benefits.
Productivity gains: SOC analysts can consistently handle 2-3x more cases at the same time without additional headcount.
Reduced Mean Time to Respond (MTTR): Automation reduces MTTR by up to 50-70%, allowing faster incident containment and remediation.
Risk reduction: Faster response minimizes the potential financial impact of a breach. The average cost of a data breach was $4.88M in 2024.
Level 3: Automated Reporting — KPIs and SOC Metrics
SOC metrics have consistently posed a challenge for enterprises. Metrics such as Mean Time to Respond (MTTR), Mean Time to Detect (MTTD), Mean Time to X, and other similar measurements often fail to capture the true scope of business risk.
To address this, an automation system should facilitate collecting metrics across all security tools and the entirety of an enterprise’s security stack. This provides a comprehensive view of the SOC’s activities, processes, and resulting business outcomes — ensuring that the impact of security operations is clearly understood.
Difficulty: Low
Business risk impact: Medium
Time savings: Up to 90% reduction in time spent generating compliance and audit reports.
Reporting accuracy: Minimal to no errors in reporting, ensuring compliance with regulatory frameworks like GDPR and PCI-DSS.
Fine avoidance: By ensuring reporting accuracy and compliance, companies could avoid, for example, $50K-$100K per month for PCI-DSS violations (depending on the transaction volume and duration), or up to €10 million or 2% of global annual revenue (whichever is greater) for GDPR non-compliance.
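The paragraph above notes that MTTR and MTTD averages often fail to capture real business risk. The added example below (not Torq's code) computes MTTD and MTTR per severity from case records and reports the median and worst case beside the mean, which is where a single slow case shows up. The case records, the timestamps, and the definitions of the two intervals are constructed assumptions.

```python
"""Added example (not Torq's code): MTTD/MTTR per severity from case records,
with median and max reported next to the mean. Case data is constructed."""
from datetime import datetime, timedelta
from statistics import mean, median

T0 = datetime(2025, 1, 1, 0, 0)  # constructed: every sample event occurs at T0


def _case(severity: str, ttd_min: int, ttr_min: int) -> dict:
    """Build one constructed case: event -> detected -> responded."""
    detected = T0 + timedelta(minutes=ttd_min)
    return {"severity": severity, "event": T0, "detected": detected,
            "responded": detected + timedelta(minutes=ttr_min)}


# Constructed case history; the last "high" case sat unnoticed for hours
CASES = [
    _case("critical", 10, 50),
    _case("critical", 5, 30),
    _case("high", 30, 120),
    _case("high", 20, 60),
    _case("high", 240, 1440),
]


def _summary(values: list) -> dict:
    return {"mean": round(mean(values), 1),
            "median": round(median(values), 1),
            "max": max(values)}


def soc_metrics(cases: list) -> dict:
    """Return MTTD and MTTR (minutes) per severity plus an 'all' bucket.

    Assumption used here: time-to-detect runs from the event to the SOC's
    detection; time-to-respond runs from detection to completed response.
    """
    buckets = {}
    for c in cases:
        ttd = (c["detected"] - c["event"]).total_seconds() / 60
        ttr = (c["responded"] - c["detected"]).total_seconds() / 60
        for key in (c["severity"], "all"):
            bucket = buckets.setdefault(key, {"ttd": [], "ttr": []})
            bucket["ttd"].append(ttd)
            bucket["ttr"].append(ttr)
    return {key: {"count": len(v["ttd"]),
                  "mttd_min": _summary(v["ttd"]),
                  "mttr_min": _summary(v["ttr"])}
            for key, v in buckets.items()}


def report_lines(metrics: dict) -> list:
    """Render the metrics as plain-text report lines, one per severity."""
    lines = []
    for key in sorted(metrics):
        m = metrics[key]
        lines.append(f"{key:9s} n={m['count']:<3d} "
                     f"MTTD mean/median/max={m['mttd_min']['mean']}/{m['mttd_min']['median']}/{m['mttd_min']['max']} "
                     f"MTTR mean/median/max={m['mttr_min']['mean']}/{m['mttr_min']['median']}/{m['mttr_min']['max']}")
    return lines


if __name__ == "__main__":
    print("\n".join(report_lines(soc_metrics(CASES))))
```

For the "high" bucket the mean MTTR is 540 minutes while the median is 120: the mean is dominated by the one case that was missed for most of a day. Reporting only the mean would make the SOC look slow on every high-severity case; reporting only the median would hide the missed case entirely, which is the one that carries the business risk.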
Level 4: Basic Automated Response — Point Solution Capabilities
Every security vendor, whether endpoint, firewall, email, or any other point solution, should prioritize robust API capabilities to enable automated response and remediation.
At this point in the security automation journey, enterprises should be able to automate responses to critical incidents, such as host isolation, termination of malicious processes, containment of stolen or compromised identities, and remediation of assets that have been identified as vulnerable to critical Internet-exposed vulnerabilities.
Difficulty: Medium
Business risk impact: High
Response time improvement: 80%+ faster containment for malware infections, phishing attacks, and account compromises.
Overall risk reduction: Significantly decreased threat exposure window through automated response actions within seconds to minutes.
Increased employee satisfaction: Reduced analyst burnout as analysts focus on complex threats instead of repetitive tasks. 89% of employees report higher job satisfaction after adopting automation solutions.
Savings through talent retention: With a global shortage of 2.3M+ SOC analysts, retaining talent is paramount. More satisfied analysts stay longer — and not needing to hire a single additional SOC analyst saves between $50K-$100K (varies by region), including recruitment, training, and lost productivity. Companies using Hyperautomation report retention as a key ROI metric for 43% of leaders.
Level 5: The Point of the Spear — Fully Automated Remediation Across the SOC
At the highest level of security automation maturity, organizations should be bringing together all of the capabilities of their security stack. This integration should extend to IT security operations, DevOps, cloud communications, and cloud capabilities, as well as any on-premises or custom applications, enabling a comprehensive automated response to threats and vulnerabilities.
The aim is to streamline and automate every process identified as reducing business risk and improving MTTR, integrating the entire IT and security stack to achieve autonomous remediation. This paves the way for an autonomous SOC that handles routine security responses, with human intervention reserved for critical decisions.
Difficulty: High
Business risk impact: High
MTTR reduction: Up to 70% decrease in MTTR, minimizing business disruption during high-severity incidents.
Risk elimination and consistency: Near-zero human error ensures consistent, immediate investigation and remediation of critical incidents.
Operational scalability: SOCs can handle a 200-300% spike in incident volume without adding headcount.
Labor cost savings: Near-zero human intervention required for routine remediation actions saves thousands of hours annually, equivalent to $300K-$500K in labor costs (region dependent).
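Levels 4 and 5 both turn on the same design question: which response actions run on their own and which are held for a human, since the text reserves human intervention for critical decisions. The added example below (not Torq's code) is one way to encode that as a response policy: each finding is mapped to actions, every action carries an illustrative blast-radius tier, and the executor runs low-impact actions immediately while leaving high-impact ones (isolating a critical server, disabling a privileged account, blocking at the edge) pending until an approver signs off. Action names, tiers, rules and the asset and identity context are all constructed assumptions; the vendor API calls are simulated.

```python
"""Added example (not Torq's code): a tiered response policy in which
low-blast-radius actions auto-execute and high-impact actions wait for
approval. Actions, tiers, rules and context data are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Action:
    name: str          # constructed action name, e.g. "isolate_host"
    target: str        # host, user, or host:process
    blast_radius: str  # "low" or "high": illustrative impact tier
    mode: str          # "auto" runs immediately; "approval" waits for a human


# Constructed context that a Level 1 enrichment step would have produced
ASSET_CRITICALITY = {"wkst-2231": "low", "fin-db-01": "high"}
PRIVILEGED_USERS = {"svc_backup", "domain-admin-1"}


def plan_response(finding: dict) -> list:
    """Map a finding to a list of Actions under the constructed policy.

    Rule of thumb encoded here: an action is automatic unless it could take
    a critical asset offline or lock out a privileged identity, in which
    case it is held for approval.
    """
    kind = finding["kind"]
    actions = []
    if kind == "malware":
        host = finding["host"]
        critical = ASSET_CRITICALITY.get(host, "unknown") == "high"
        actions.append(Action("isolate_host", host,
                              "high" if critical else "low",
                              "approval" if critical else "auto"))
        actions.append(Action("kill_process", f"{host}:{finding['process']}", "low", "auto"))
    elif kind == "compromised_identity":
        user = finding["user"]
        privileged = user in PRIVILEGED_USERS
        # Revoking sessions is reversible; disabling an admin account may
        # cut off the responders themselves, so that one needs sign-off.
        actions.append(Action("revoke_sessions", user, "low", "auto"))
        actions.append(Action("disable_account", user,
                              "high" if privileged else "low",
                              "approval" if privileged else "auto"))
    elif kind == "exposed_vulnerable_asset":
        host = finding["host"]
        actions.append(Action("open_patch_ticket", host, "low", "auto"))
        actions.append(Action("block_at_edge", host, "high", "approval"))
    else:
        actions.append(Action("escalate_to_analyst", finding.get("id", "unknown"), "low", "auto"))
    return actions


def execute(plan: list, approvals=frozenset()) -> tuple:
    """Run auto actions and any approval-gated action that has been approved.

    Returns (executed, pending) as lists of action names. Execution is
    simulated; a real platform would call the vendor's API here and record
    the outcome in the case.
    """
    executed, pending = [], []
    for action in plan:
        if action.mode == "auto" or action.name in approvals:
            executed.append(action.name)
        else:
            pending.append(action.name)
    return executed, pending


if __name__ == "__main__":
    # Constructed finding: malware on a high-criticality database host
    finding = {"id": "constructed-0003", "kind": "malware",
               "host": "fin-db-01", "process": "update.exe"}
    plan = plan_response(finding)
    print("before approval:", execute(plan))
    print("after approval: ", execute(plan, approvals={"isolate_host"}))
```

The same finding on a low-criticality workstation produces an all-automatic plan, which is the Level 4 behaviour; on the database host the process kill still runs within seconds while the isolation waits, which is the Level 5 shape of routine actions being autonomous and critical ones staying with a human.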
Level Up: Security Automation Value Across the Pyramid of Pain
Pyramid of Pain Level | Tangible Value and Metrics
1. Enrichment and API Integration | 80-90% time savings on data enrichment; $50K-$100K cost savings; 30-50% faster triage
2. Collaborative Case Management | 25-50% time savings on case management; 3x case handling capacity; $100K+ annual savings; 50-70% MTTR reduction
3. Metrics/KPIs and Automated Reporting | 90% time savings on generating reports; regulatory non-compliance fine avoidance
4. Basic Automated Response | 80%+ faster response; higher employee retention and satisfaction; improved threat containment
5. Fully Automated Remediation | Near-zero manual effort; scalable security operations; $300K-$500K in labor cost savings
More Autonomy, Less Pain
By harnessing the power of agentic AI on a Hyperautomation engine, Torq’s platform combats SOC killers like alert fatigue, manual workflow building, inefficient case workloads, and wading through pages of logs to write case summaries and reports. Autonomous triage, investigation, and response reduces MTTR and frees up analysts to focus on the fun stuff like strategic projects and complex, critical incidents.
This is the promise of the autonomous SOC — and it’s the pitch that won Torq the Innovation Sandbox competition at CPX 2025.
Want to chat about how to reach the top of the SOC Automation Pyramid of Pain?