Security teams are drowning in alerts, processes, and telemetry coming from tool sprawl. Every SOC leader knows the pain: repetitive triage, endless enrichment steps, communication loops with employees and stakeholders, and constant ticket-handling overhead. Humans are left acting as interpreters between tools instead of focusing on real threat investigation.
The result: bottlenecks, burnout, missed alerts… and massive inefficiency.
AI is now shifting this paradigm. Instead of static workflows that only follow deterministic logic, we are entering the era of agentic security operations driven by adaptive AI Agents, working alongside your staff, and capable of reasoning, communicating, and taking action.
This is where Torq HyperAgents™ comes in.
Our Solution: Torq HyperAgents™
Since announcing a private preview of Torq HyperAgents at Black Hat USA 2025, we have worked closely with key design partners at Fortune 500 enterprises, including CISOs, SOC leads, and security engineers, to forge and refine a new approach to SecOps automation.
The result is a breakthrough capability that moves security automation beyond painstaking workflow assembly into thinking, adaptive operations — no more wiring workflows for every edge case. Instead, HyperAgents operates like a skilled analyst working alongside your staff.
Purpose-built for security operations, HyperAgents is a group of transparent, autonomous, customizable AI Agents that transform SecOps workflows. It reasons, makes decisions, and takes action. It executes security tasks end-to-end, not as scripted steps but as reasoned operations that understand context and adapt to diverse use cases and evolving conditions.
Each AI Agent of HyperAgents is composed of three main components:
- Instruction and guidance that define the agent’s mission, boundaries, and goals.
  - Instruction: What the agent must accomplish
  - Guidance: How it should behave, escalate, and prioritize
- The AI model: The intelligence powering the agent — interpreting instructions, applying context, and generating actions or decisions based on patterns and real-world data.
- The AI Agent toolbox: A set of tools, APIs, actions, and integrations the agent can use to execute tasks across your security stack.

What Makes HyperAgents Different?
HyperAgents is designed to operate within multi-agent architectures, where several coordinated agents reason, communicate, and take action together. It has the following characteristics:
- Customizable to match the customer’s specific environment and security policies
- Security-oriented with guardrails, audits, and reasoning baked in
- Easy to use with natural language configuration and tools management
- Transparent and accountable so you see how and why decisions are made, with full audit trails and guardrails that keep HyperAgents reliable in enterprise environments

Why HyperAgents Matters
HyperAgents represents the next evolution of Torq’s vision for the AI SOC, a world where humans and AI collaborate seamlessly, infusing intelligence into traditionally static workflows.
As the number of detection tools grows, so does the flood of events and alerts. With increasing complexity and volume, security operations teams struggle to keep pace, often constrained by limited time and talent.
HyperAgents changes that narrative altogether, equipping SOC teams with cutting-edge tech that delivers SecOps at scale. It works alongside your human experts, taking on repetitive tasks, analyzing context, and pivoting at machine speed. As such, Torq HyperAgents is a force multiplier that redefines how modern SOCs operate.
By automating the repetitive and mundane tasks traditionally handled by Tier 1 analysts (such as enrichment, normalization, correlation, and triage), HyperAgents gives your SOC analysts the time they need to focus on what really matters: deep investigations, threat hunting, and advanced detection engineering.
How HyperAgents Works

HyperAgents orchestrates intelligent security operations through an iterative loop. Here’s how.
Tool Interaction
As shown on the left side of the diagram above, the HyperAgents AI Agent interacts with various SOC tools and platforms, including identity systems, messaging platforms, and security products, to gather the necessary information. It then processes and normalizes the data so that it can be used in a clear, structured manner. This ensures that every step is based on up-to-date contextual information rather than static, predefined logic.
LLM-Driven Reasoning
As shown on the right side of the diagram above, HyperAgents collaborates with an LLM to inform its reasoning. HyperAgents generates a constructed query that incorporates the situation, available tools, and relevant prior context. The LLM returns an execution plan detailing what to do next, which tool to call, and what parameters to use. HyperAgents then carries out those actions, evaluates results, and loops as needed until the task is complete.
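The plan, act, evaluate loop described above can be sketched as follows. This is an added example, not Torq's code or API: the toolbox entries, `run_agent`, `validate_step`, and the scripted planner standing in for the LLM are all hypothetical, and the alert is constructed. It shows the guardrail a defender would want in such a loop: the model's plan is treated as untrusted input, checked against the toolbox before anything runs, and every decision is recorded with its reason.

```python
import time

# Hypothetical toolbox (not Torq's API): tool name -> (allowed parameter names, callable)
def lookup_hash(sha256):
    return {"sha256": sha256, "verdict": "unknown"}

def get_device(hostname):
    return {"hostname": hostname, "owner": "constructed-user"}

TOOLBOX = {"lookup_hash": ({"sha256"}, lookup_hash), "get_device": ({"hostname"}, get_device)}

def validate_step(step):
    """Guardrail: reject any planned call outside the toolbox or with unexpected parameters."""
    tool, params = step.get("tool"), step.get("params")
    if not isinstance(tool, str) or tool not in TOOLBOX:
        return f"tool not in toolbox: {tool!r}"
    if not isinstance(params, dict) or set(params) != TOOLBOX[tool][0]:
        return f"unexpected parameters for {tool}"
    return None

def run_agent(planner, alert, max_steps=5):
    """Plan -> validate -> act -> record loop; `planner` stands in for the LLM."""
    context, audit = [], []
    for _ in range(max_steps):
        step = planner(alert, context)  # model output is untrusted input
        record = {"ts": time.time(), "tool": step.get("tool"), "reason": step.get("reason")}
        if step.get("done"):
            audit.append({**record, "event": "done"})
            return step.get("verdict"), audit
        error = validate_step(step)
        if error:
            audit.append({**record, "event": "blocked", "error": error})
            context.append({"error": error})  # feed the refusal back so the model can re-plan
            continue
        result = TOOLBOX[step["tool"]][1](**step["params"])
        audit.append({**record, "event": "executed"})
        context.append({"tool": step["tool"], "result": result})
    audit.append({"ts": time.time(), "event": "escalated", "reason": "step budget exhausted"})
    return "escalate_to_human", audit

ALERT = {"host": "constructed-host-01", "sha256": "0" * 64}  # constructed sample alert
def scripted_planner(alert, context):
    script = [  # constructed stand-in for LLM plans; the first call is outside the toolbox
        {"tool": "isolate_host", "params": {"hostname": alert["host"]}, "reason": "contain"},
        {"tool": "get_device", "params": {"hostname": alert["host"]}, "reason": "identify owner"},
        {"tool": "lookup_hash", "params": {"sha256": alert["sha256"]}, "reason": "enrich IOC"},
        {"done": True, "verdict": "needs_review", "reason": "hash verdict unknown"},
    ]
    return script[len(context)]
```

The step budget matters as much as the allowlist: a planner that never produces a valid call ends in an escalation to a human rather than an unbounded loop.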
Core Elements of Torq HyperAgents
Multi-Stage Reasoning
HyperAgents breaks down the mission into deliberate steps: analyzing signals, weighing options, and determining the best next move at each stage. It uses short-term memory to retain context and learn from prior actions, ensuring every decision builds on the last and drives consistent, goal-oriented outcomes.

Total Customizability and Bring Your Own AI Models
We’ve seen tremendous demand for a wide variety of AI model options — from providers like OpenAI, Google Vertex, Anthropic, and AWS Bedrock, to models such as GPT, Claude Sonnet, and Gemini — enabling users to leverage the best model for each specific task. There’s also a growing need to use internal AI model subscriptions. Customers want to utilize their own AI models to gain greater flexibility and ensure security. HyperAgents is designed to support exactly that level of flexibility.
Templates Library

Torq offers a collection of ready-to-use HyperAgents AI Agents designed to deliver immediate value for security operations teams. These templates provide a strong starting point for customization, allowing teams to operationalize HyperAgents quickly while learning from proven best practices. They help users accelerate adoption, adapt workflows, and draw inspiration when tailoring HyperAgents to their specific needs.
What Makes Torq HyperAgents Unique?
While other “AI automations” in the market still rely on static workflows dressed up with LLM prompts, Torq HyperAgents contains autonomous operational entities, each with:
- Contextual reasoning
- The ability to communicate and gather information in real time
- Built-in transparency mechanisms and compliance guardrails
- Its own memory and state logic
This is adaptive security operations, not linear automation.
HyperAgents in Action: EDR Alert Triage

Use Case: Automated security alert triage and decisioning
Triage is one of the team’s core missions: rapidly reaching high-quality conclusions about whether an alert is malicious or not. It is also, as teams know all too well, a manual and repetitive task.
One of the most common use cases for HyperAgents is to automate triage missions. Below, we outline how HyperAgents can help.
Processes that are traditionally manual and repetitive — such as enriching IOCs related to an alert, collecting and exchanging data about the alert, and opening a case with all relevant details — can now be done effortlessly using just three easy-to-use and easy-to-maintain HyperAgents AI Agents.
This workflow shows how a CrowdStrike® alert triggers a multi-agent sequence across Torq HyperAgents, moving from enrichment to communication to SOC decisioning, then completing the case automatically.
Step 1: Enrichment AI Agent
The EDR triage agentic workflow shown above includes a source (EDR) trigger, in this case from CrowdStrike. The Enrichment AI Agent is provided instructions on its role, objective, and available tools at its disposal. Its job is to:
- Identify device logs, network traces, historical alerts, and IOCs
- Normalize and correlate the data
- Interpret suspicious activity
- Pass structured intelligence to the next AI Agent

Step 2: Communication AI Agent
The Communication AI Agent takes input from the Enrichment AI Agent, and then:
- Reaches out to the relevant employee for clarification
- Provides structured questions and response validation
- Handles back-and-forth messaging without analyst involvement
Any SOC analyst reading this blog may already be rejoicing. With this mundane data collection taken off their plate, they can work on other tasks that they otherwise would not have time to address. The end result? HyperAgents expands the bandwidth and productivity of your existing staff.
Once the Communication AI Agent has gathered the information required according to its instructions and role, it passes the data along to the Decisioning & Ticketing AI Agent in the next step.

Step 3: Decisioning & Ticketing AI Agent
With full context, this Decisioning & Ticketing AI Agent:
- Determines severity and recommended next steps
- Creates an incident ticket with complete evidence
- Attaches enriched observables and artifacts
- Closes benign alerts automatically with clear reasoning

The result: The EDR alert triage completes in minutes, not hours, with complete explanatory detail readily available.

We place strong emphasis on logging and auditing to create a trusted AI experience. Every action, including the reason, timing, and details, is recorded, allowing for review and export on demand.

HyperAgents: The Operational Core of Torq HyperSOC™
Torq HyperAgents represents the next evolution of security automation — security workflows that don’t just execute, but reason. By infusing agentic intelligence directly into SecOps’ daily work, HyperAgents drives operational efficiency, simplifying workflows and transforming manual processes into scalable, adaptive, AI-driven operations. Bottlenecks are eliminated, and human judgment and oversight remain intact.
Agentic SecOps combines the best of human expertise with AI-augmented, agentic workflows. This amplifies productivity and reduces risk at scale. Torq HyperAgents is the foundation on which this future SOC is being brought to life today.
For more on Torq’s HyperSOC™ platform, explore the 2025 GigaOm Autonomous SOC Radar Report.
FAQs
Traditional SOAR platforms execute static, script-based playbooks — predefined sequences that follow deterministic logic and break when conditions change or vendor APIs update. HyperAgents are autonomous AI agents that reason through problems, adapt to context, and execute multi-step security workflows end-to-end without requiring a playbook for every scenario. Where SOAR requires dedicated engineering resources to build and maintain each workflow, HyperAgents use natural language instructions, LLM-driven reasoning, and a toolbox of integrations to investigate, communicate, and act — then loop and adapt until the task is complete. Valvoline’s legacy SOAR required hard-to-find coding skills and stalled on integrations for months; after switching to Torq, integrations that had been blocked were delivered in days.
HyperAgents break down each mission into deliberate stages using multi-stage reasoning. In a typical EDR alert triage, three coordinated agents work in sequence: an Enrichment Agent identifies device logs, network traces, and IOCs, then normalizes and correlates the data. A Communication Agent reaches out to the affected employee via Slack or Teams with structured questions, validating responses without analyst involvement. A Decisioning and Ticketing Agent then analyzes all enriched evidence, determines severity, creates a case with observables attached, and either closes benign alerts automatically with clear reasoning or escalates to a human analyst. Each agent retains short-term memory and context from prior steps, so every decision builds on the last. The entire process completes in minutes, not hours.
HyperAgents are designed for the repetitive, high-volume work that buries SOC analysts: IOC enrichment and correlation, alert triage and disposition, user verification and communication loops, case creation with full evidence chains, and automated closure of low-risk events with documented reasoning. For higher-severity or novel threats, HyperAgents complete the investigation and present structured findings for human review — so analysts start with a fully assembled case rather than a raw alert. Kenvue is automating 89% of cases using Torq’s platform and achieved a 60% decrease in MTTR within two months of deployment.
Each HyperAgent has access to a toolbox of APIs, actions, and integrations across your security stack. Torq supports 300+ native integrations and 4,000+ out-of-the-box actions — covering SIEM (Splunk, Sentinel, QRadar, Elastic), EDR (CrowdStrike, SentinelOne), identity providers (Okta, Entra ID), cloud platforms (AWS, Azure, GCP), ITSM (Jira, ServiceNow), and communication tools (Slack, Teams). HyperAgents also support bring-your-own AI models from providers like OpenAI, Google Vertex, Anthropic, and AWS Bedrock — so organizations can use internal model subscriptions for greater flexibility and security. When Kenvue’s customized IT environment blocked a native Jira integration, Torq deconstructed and rebuilt it to fit their constraints.
Rule-based automation executes the same steps in the same order regardless of context — and breaks when conditions change. Agentic SecOps, powered by HyperAgents, introduces contextual reasoning, real-time communication, adaptive decision-making, and built-in transparency. HyperAgents don’t just follow instructions — they interpret context, select which tools to query based on the situation, gather additional information when needed, and adjust their approach based on results. Every action is logged with full reasoning for audit and compliance. The practical difference: rule-based automation handles the scenarios someone anticipated and wrote a playbook for. HyperAgents handle the rest.
ROI is measured in days, not months. Valvoline saw operational value within 48 hours of deploying Torq, saving six to seven analyst hours per day by automating phishing triage that previously consumed up to 12 hours daily. Kenvue went from kickoff to production in six weeks and hit their end-of-year automation goals in six months. Torq’s template library of ready-to-use HyperAgents AI Agents accelerates deployment further — teams can operationalize proven workflows immediately while customizing to their specific environment over time.
The highest-impact use cases are the ones that combine high alert volume with repetitive, multi-step investigation patterns. EDR alert triage is the most common starting point — the blog’s walkthrough shows how three coordinated agents handle a CrowdStrike alert from enrichment through communication to case closure. Phishing response is another high-success use case: Valvoline automated end-to-end phishing triage including inbox monitoring, cross-tool correlation, and automated containment when users click malicious links. Case management and evidence assembly also deliver strong results — Kenvue’s team now goes “ten layers deeper” into investigations because HyperAgents handle the initial data collection and triage automatically, freeing analysts to focus on the work that actually requires human judgment.





