Torq HyperAgents: The Next Evolution of Agentic SecOps


Tal Benyunes was one of the first engineers at Torq and now leads Product for HyperAgents, Torq’s agentic AI initiative. Shaped by early career roles in mission-critical cybersecurity environments and leading companies, Tal brings deep technical expertise and strategic insight to the development of AI Agents. Today, Tal combines that engineering background with product strategy to shape the future of intelligent automation for Torq customers.

Security teams are drowning in alerts, processes, and telemetry coming from tool sprawl. Every SOC leader knows the pain: repetitive triage, endless enrichment steps, communication loops with employees and stakeholders, and constant ticket-handling overhead. Humans are left acting as interpreters between tools instead of focusing on real threat investigation. 

The result: bottlenecks, burnout, missed alerts… and massive inefficiency.

AI is now shifting this paradigm. Instead of static workflows that only follow deterministic logic, we are entering the era of agentic security operations driven by adaptive AI Agents, working alongside your staff, and capable of reasoning, communicating, and taking action.

This is where Torq HyperAgents come in.

Our Solution: Torq HyperAgents

Since announcing a private preview of Torq HyperAgents at Black Hat USA 2025, we have worked closely with key design partners at Fortune 500 enterprises, including CISOs, SOC leads, and security engineers, to forge and refine a new approach to SecOps automation. 

The result is a breakthrough capability that moves security automation beyond painstaking workflow assembly into thinking, adaptive operations — no more wiring workflows for every edge case. Instead, HyperAgents operate like a skilled analyst working alongside your staff.

Purpose-built for security operations, HyperAgents are transparent, autonomous, customizable AI Agents that transform SecOps workflows. They reason, make decisions, and take action. They execute security tasks end-to-end, not as scripted steps but as reasoned operations that understand context and adapt to diverse use cases and evolving conditions.

Each HyperAgent is composed of three main components:

  1. Instruction and guidance define the agent’s mission, boundaries, and goals.
    • Instruction: What the agent must accomplish
    • Guidance: How it should behave, escalate, and prioritize
  2. The AI model: The intelligence powering the agent — interpreting instructions, applying context, and generating actions or decisions based on patterns and real-world data.
  3. The AI agent toolbox: A set of tools, APIs, actions, and integrations the agent can use to execute tasks across your security stack.

The IOC Enricher HyperAgent uses its toolbox of integrations like VirusTotal to gather context and deliver structured intelligence.

What Makes a HyperAgent Different?

HyperAgents are described by the following characteristics and are designed to operate within multi-agent architectures where several coordinated agents reason, communicate, and take action together:

  • Customizable to match the customer’s specific environment and security policies
  • Security-oriented with guardrails, audits, and reasoning baked in
  • Easy to use with natural language configuration and tools management
  • Transparent and accountable so you see how and why decisions are made, with full audit trails and guardrails that keep HyperAgents reliable in enterprise environments

HyperAgents extract and enrich every IOC automatically, mapping each indicator to the right tool for investigation.

Why HyperAgents Matter

HyperAgents represent the next evolution of Torq’s vision for the AI SOC, a world where humans and AI collaborate seamlessly, infusing intelligence into traditionally static workflows.

As the number of detection tools grows, so does the flood of events and alerts. With increasing complexity and volume, security operations teams struggle to keep pace, often constrained by limited time and talent.

HyperAgents change that narrative altogether, equipping SOC teams with cutting-edge tech that delivers SecOps at scale. They work alongside your human experts, taking on repetitive tasks, analyzing context, and pivoting at machine speed. As such, Torq HyperAgents are a force multiplier that redefines how modern SOCs operate.

By automating the repetitive and mundane tasks traditionally handled by Tier 1 analysts (such as enrichment, normalization, correlation, and triage), HyperAgents give your SOC analysts the time they need to focus on what really matters: deep investigations, threat hunting, and advanced detection engineering.

How HyperAgents Work

A HyperAgent orchestrates intelligent security operations through an iterative loop. Here’s how.

Tool Interaction

As shown on the left side of the diagram above, the HyperAgent interacts with various SOC tools and platforms, including identity systems, messaging platforms, and security products, to gather the necessary information. It then processes and normalizes the data so that it can be used in a clear, structured manner. This ensures that every step is based on up-to-date contextual information rather than static, predefined logic.

LLM-Driven Reasoning

As shown on the right side of the diagram above, the HyperAgent collaborates with an LLM to inform its reasoning. The HyperAgent generates a constructed query that incorporates the situation, available tools, and relevant prior context. The LLM returns an execution plan detailing what to do next, which tool to call, and what parameters to use. The HyperAgent then carries out those actions, evaluates results, and loops as needed until the task is complete.
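The loop described above, sketched as an added example (not Torq's code): a planner proposes the next tool and parameters, the agent treats that plan as untrusted input, runs only allowlisted tools, bounds the number of steps, and records every decision. The tool names, `scripted_planner` (a deterministic stand-in for the LLM call), and the alert fields are assumptions made for illustration.

```python
import time

# Constructed toolbox: hypothetical stand-ins for real integrations.
TOOLBOX = {
    "get_device": lambda host: {"host": host, "owner": "j.doe"},
    "lookup_hash": lambda sha256: {"sha256": sha256, "verdict": "clean"},
}
MAX_STEPS = 6  # guardrail: a bad plan cannot loop forever


def run_agent(alert, planner):
    """Plan/act loop; returns (verdict, audit_log)."""
    memory, audit = [], []  # short-term context, audit trail
    def log(tool, params, reason, outcome):
        audit.append({"ts": time.time(), "tool": tool, "params": params,
                      "reason": reason, "outcome": outcome})

    for _ in range(MAX_STEPS):
        # Query = situation + available tools + prior context.
        plan = planner({"alert": alert, "tools": sorted(TOOLBOX), "context": memory})
        tool, params, reason = plan.get("tool"), plan.get("params", {}), plan.get("reason", "")
        if tool == "finish":
            log(tool, params, reason, "done")
            return plan.get("verdict", "undetermined"), audit
        try:
            # Plan is untrusted input: unknown tools or parameters are refused.
            result = TOOLBOX[tool](**params)
        except (KeyError, TypeError) as exc:
            log(tool, params, reason, "denied")
            memory.append({"tool": tool, "error": type(exc).__name__})
            continue
        log(tool, params, reason, "ok")
        memory.append({"tool": tool, "result": result})
    log(None, {}, "step budget exhausted", "escalated")
    return "escalate_to_analyst", audit


def scripted_planner(query):
    """Deterministic stand-in for the LLM call (constructed for this example)."""
    seen, alert = [m["tool"] for m in query["context"]], query["alert"]
    script = [("get_device", {"host": alert["host"]}, "identify owner"),
              ("isolate_host", {"host": alert["host"]}, "contain host"),  # not in toolbox
              ("lookup_hash", {"sha256": alert["sha256"]}, "check file reputation")]
    for tool, params, reason in script:
        if tool not in seen:
            return {"tool": tool, "params": params, "reason": reason}
    verdict = query["context"][-1]["result"]["verdict"]
    return {"tool": "finish", "reason": "hash is " + verdict,
            "verdict": "false_positive" if verdict == "clean" else "malicious"}
```

The refused `isolate_host` request still lands in the audit log with its stated reason, which is the record a reviewer needs when a model proposes an action outside its toolbox.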

Core Elements of Torq HyperAgents

Multi-Stage Reasoning

HyperAgents break down their mission into deliberate steps: analyzing signals, weighing options, and determining the best next move at each stage. They use short-term memory to retain context and learn from prior actions, ensuring every decision builds on the last and drives consistent, goal-oriented outcomes.

The execution flow shows HyperAgents chaining reasoning and tool calls to investigate alerts end-to-end without manual intervention.

Total Customizability and Bring Your Own AI Models

We’ve seen tremendous demand for a wide variety of AI model options — from providers like OpenAI, Google Vertex, Anthropic, and AWS Bedrock, to models such as GPT, Claude Sonnet, and Gemini — enabling users to leverage the best model for each specific task. There’s also a growing need to use internal AI model subscriptions. Customers want to utilize their own AI models to gain greater flexibility and ensure security. HyperAgents are designed to support exactly that level of flexibility.

Templates Library

Torq’s template library provides ready-to-use HyperAgents that accelerate deployment of intelligent security workflows.

Torq offers a collection of ready-to-use HyperAgents designed to deliver immediate value for security operations teams. These templates provide a strong starting point for customization, allowing teams to quickly operationalize HyperAgents while learning from proven best practices. They help users accelerate adoption, adapt workflows to their needs, and draw inspiration when tailoring their own HyperAgents.

What Makes Torq HyperAgents Unique?

While other “AI automations” in the market still rely on static workflows dressed up with LLM prompts, Torq HyperAgents are autonomous operational entities, each with:

  • Contextual reasoning
  • The ability to communicate and gather information in real time
  • Built-in transparency mechanisms and compliance guardrails
  • Its own memory and state logic

This is adaptive security operations, not linear automation.

HyperAgent in Action: EDR Alert Triage

Use Case: Automated security alert triage and decisioning

Triage is one of a SOC team’s core missions: rapidly reaching high-quality conclusions about whether an alert is malicious. It is also, as analysts know all too well, a manual and repetitive task.

One of the most common use cases for HyperAgents is to automate triage missions. Below, we outline how HyperAgents can help.

Processes that are traditionally manual and repetitive — such as enriching IOCs related to an alert, collecting and exchanging data about the alert, and opening a case with all relevant details — can now be done effortlessly using just three easy-to-use and easy-to-maintain HyperAgents.

This workflow shows how a CrowdStrike alert triggers a multi-agent sequence across Torq HyperAgents, moving from enrichment to communication to SOC decisioning, then completing the case automatically.

Step 1: Enrichment HyperAgent

The EDR triage agentic workflow shown above includes a source (EDR) trigger, in this case from CrowdStrike. The Enrichment HyperAgent is given instructions describing its role, its objective, and the tools at its disposal. Its job is to:

  • Identify device logs, network traces, historical alerts, and IOCs
  • Normalize and correlate the data
  • Interpret suspicious activity
  • Pass structured intelligence to the next HyperAgent

The Enrichment HyperAgent reviews raw alert data, pulls user, device, and IOC details from integrated tools, and produces a structured summary that sets the foundation for downstream triage.

Step 2: Communication HyperAgent

The Communication HyperAgent takes input from the Enrichment HyperAgent, and then:

  • Reaches out to the relevant employee for clarification
  • Provides structured questions and response validation
  • Handles back-and-forth messaging without analyst involvement

Any SOC analyst reading this blog may already be rejoicing. With this mundane data collection taken off their plate, they can work on other tasks that they otherwise would not have time to address. The end result? HyperAgents expand the bandwidth and productivity of your existing staff.

Once the Communication HyperAgent has gathered the information required according to its instructions and role, it passes the data along to the HyperAgent in the next step, Decisioning & Ticketing.

The Communication HyperAgent sends contextual Slack messages to users, validates their responses, and feeds structured answers back into the investigation without analyst involvement.

Step 3: Decisioning & Ticketing HyperAgent

With full context, this Decisioning & Ticketing HyperAgent:

  • Determines severity and recommended next steps
  • Creates an incident ticket with complete evidence
  • Attaches enriched observables and artifacts
  • Closes benign alerts automatically with clear reasoning

The Decisioning & Ticketing HyperAgent analyzes all enriched evidence, assigns severity, creates a case with observables, and closes low-risk events while notifying the SOC with the full audit trail.

The result: The EDR alert triage completes in minutes, not hours, with complete explanatory detail readily available.

The IOC Enrichment HyperAgent extracts file hashes, IPs, domains, and URLs, selects the right tools, and generates a structured IOC report used in downstream decisioning.
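One way the extract-and-route step could look, as an added example rather than Torq's implementation: it refangs the alert text, pulls out URLs, hashes, IPs and domains, and maps each to a tool, keeping non-routable addresses away from external reputation services. The tool names in `ROUTES` are hypothetical and the regexes are deliberately simple.

```python
import ipaddress
import re

# Hypothetical tool names; a real deployment maps to its own integrations.
ROUTES = {"sha256": "file_reputation", "sha1": "file_reputation",
          "md5": "file_reputation", "url": "url_scanner",
          "domain": "domain_reputation",
          "ip_public": "ip_reputation", "ip_internal": "asset_inventory"}
HASH_KIND = {32: "md5", 40: "sha1", 64: "sha256"}
URL_RE = re.compile(r"\bhttps?://[^\s\"'<>]+", re.I)
HASH_RE = re.compile(r"\b(?:[a-f0-9]{64}|[a-f0-9]{40}|[a-f0-9]{32})\b", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def refang(text):
    """Undo common defanging (hxxp, [.], (.), [:]) so indicators parse."""
    text = re.sub(r"hxxp", "http", text, flags=re.I)
    return text.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def extract_iocs(text):
    """Return a sorted, de-duplicated list of (kind, value, tool)."""
    text = refang(text)
    found = {("url", u.rstrip(".,;)")) for u in URL_RE.findall(text)}
    rest = URL_RE.sub(" ", text)  # do not re-count a URL's host as a domain
    for h in HASH_RE.findall(rest):
        found.add((HASH_KIND[len(h)], h.lower()))
    for cand in IP_RE.findall(rest):
        try:
            ip = ipaddress.ip_address(cand)
        except ValueError:
            continue  # looks like an IP but is not one, e.g. 999.1.1.1
        # Non-global addresses stay internal: no third-party lookup.
        found.add(("ip_public" if ip.is_global else "ip_internal", str(ip)))
    for d in DOMAIN_RE.findall(IP_RE.sub(" ", rest)):
        found.add(("domain", d.lower()))
    return sorted((kind, value, ROUTES[kind]) for kind, value in found)
```

The domain pattern will also match dotted file names such as `setup.exe`, so a production extractor would validate candidates against a TLD list before routing them.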

We place strong emphasis on logging and auditing to create a trusted AI experience. Every action, including the reason, timing, and details, is recorded, allowing for review and export on demand.

The execution log captures the HyperAgent’s final reasoning, tool calls, and case actions, providing a complete audit trail for an alert resolved as a false positive.

HyperAgents: The Operational Core of Torq HyperSOC™

Torq HyperAgents represent the next evolution of security automation — security workflows that don’t just execute, but reason. By infusing agentic intelligence directly into SecOps’ daily work, HyperAgents drive operational efficiency, simplifying workflows and transforming manual processes into scalable, adaptive, AI-driven operations. Bottlenecks are eliminated, and human judgment and oversight remain intact.

Agentic SecOps combines the best of human expertise with AI-augmented, agentic workflows. This amplifies productivity and reduces risk at scale. Torq HyperAgents are the foundation on which this future SOC is being brought to life today.

For more on Torq’s HyperSOC platform, explore the 2025 GigaOm Autonomous SOC Radar Report.
