How Torq and Wiz Power End-to-End Cloud Threat Detection and Response

Modern cloud threats move fast. Detection and response has to move faster.

Wiz gives security teams the visibility and precision they need to detect real threats across sprawling cloud environments. Torq turns those threat detections into action — instantly. Together, they’re a cheat code for cloud security operations.

In this post, we break down how Torq HyperSOC™ and Wiz Defend work together to deliver intelligent, automated, end-to-end cloud threat detection and response that filters out alert noise, cuts MTTR, and frees analysts to focus on what matters most.

How Wiz Defend Alerts Flow into Torq

Modern cloud environments are dynamic and often opaque to traditional security tools. Wiz changes that by collecting and correlating rich telemetry across the entire cloud stack: not just infrastructure and workloads, but identities, repositories, runtime signals, and more.

What makes this powerful isn’t just the data itself — it’s how Wiz transforms that data into high-fidelity alerts that are seamlessly fed into Torq for immediate action.

How Wiz Detects Cloud Threats

Wiz begins by ingesting telemetry from multiple sources across your cloud footprint, including:

  • Cloud-native logs: AWS CloudTrail, S3 data events, Azure Diagnostic Logs, and GCP Audit Logs
  • Identity activity: Okta, cloud IAM policies, and role assumptions
  • DevOps and Kubernetes tools: GitHub, container registries, and CI/CD pipelines
  • Runtime sensors for visibility into container and serverless workload behavior

But rather than alerting on every anomalous signal or potentially malicious indicator, Wiz applies correlation logic that groups related signals into what it calls a Wiz Threat — a complete, narrative alert that reflects an unfolding cloud attack path.

The correlated signals are stitched into one high-confidence alert that captures both the technical indicators and the business risk, so SOC teams can move faster with greater certainty.

Prioritized, Correlated, and Automated Cloud Threat Detection

Each Wiz Threat is not just a set of log events — it’s a structured object that includes:

  • Detection metadata: source, time, cloud account, service, and region
  • Linked findings: secrets, misconfigurations, and vulnerabilities
  • Enriched security context: tags, asset owners, MITRE ATT&CK tactics, and runtime behavior
  • Calculated risk severity based on business impact and adversary activity

This comprehensive data is packaged and passed to Torq HyperSOC via webhook or API integration. 

What Gets Sent to Torq

  • Threat name and summary
  • Affected cloud assets
  • Event timeline and sequence
  • MITRE ATT&CK classification
  • Associated user identities and network exposure
  • Recommendations from Wiz’s threat intelligence team
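The webhook that carries this payload is an ingestion path into an automation platform that can take containment actions, so the receiving side should authenticate the sender and validate the body before anything becomes a case. The following is an added example of that receiving step, not Wiz's or Torq's code: the signing scheme (HMAC-SHA256 over "<timestamp>.<body>" in X-Timestamp / X-Signature headers), the header and JSON field names, and the sample payload are all assumptions modelled on the fields listed above.

```python
"""Authenticate and normalise a Wiz Threat webhook before it becomes a case.

Added example, not Wiz or Torq code. The signing scheme (HMAC-SHA256 over
"<timestamp>.<body>", sent in X-Timestamp / X-Signature headers) and the JSON
field names are assumptions modelled on the fields the post lists.
"""
import hashlib
import hmac
import json
import time

WEBHOOK_SECRET = b"replace-with-a-long-random-shared-secret"  # assumption: configured on both sides
MAX_SKEW_SECONDS = 300  # reject signed requests older than five minutes (replay window)
REQUIRED_FIELDS = ("threat_name", "summary", "assets", "timeline", "mitre_attack")  # assumed names


class WebhookRejected(Exception):
    """Raised for anything that must not create a case."""


def sign(body: bytes, timestamp: int, secret: bytes = WEBHOOK_SECRET) -> str:
    """Signature the sender is assumed to attach: HMAC-SHA256(secret, "<ts>.<body>")."""
    return hmac.new(secret, b"%d." % timestamp + body, hashlib.sha256).hexdigest()


def verify(headers: dict, body: bytes, now=None, secret: bytes = WEBHOOK_SECRET) -> None:
    """Reject stale, unsigned or tampered requests before the body is even parsed."""
    now = int(time.time()) if now is None else now
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        raise WebhookRejected("missing or malformed X-Timestamp")
    if abs(now - ts) > MAX_SKEW_SECONDS:
        raise WebhookRejected("timestamp outside replay window")
    expected = sign(body, ts, secret)
    # Constant-time comparison: a plain == leaks how many leading bytes matched.
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        raise WebhookRejected("signature mismatch")


def to_case(payload: dict) -> dict:
    """Map the verified payload onto the case fields the SOC workflow relies on."""
    missing = [f for f in REQUIRED_FIELDS if f not in payload]
    if missing:
        raise WebhookRejected("payload missing fields: %s" % ", ".join(missing))
    if not isinstance(payload["assets"], list) or not payload["assets"]:
        raise WebhookRejected("assets must be a non-empty list")
    return {
        "title": payload["threat_name"],
        "summary": payload["summary"],
        "assets": [a["id"] for a in payload["assets"]],
        "timeline": payload["timeline"],
        "attack_tags": sorted(set(payload["mitre_attack"])),
        "identities": payload.get("identities", []),
        "exposure": payload.get("network_exposure", "unknown"),
        "recommendations": payload.get("recommendations", []),
        "status": "new",
    }


def ingest(headers: dict, body: bytes, now=None, secret: bytes = WEBHOOK_SECRET) -> dict:
    """Full receive path: verify first, parse second, normalise last."""
    verify(headers, body, now, secret)
    try:
        payload = json.loads(body)
    except json.JSONDecodeError as exc:
        raise WebhookRejected("body is not valid JSON: %s" % exc)
    if not isinstance(payload, dict):
        raise WebhookRejected("payload must be a JSON object")
    return to_case(payload)


def accepted(headers: dict, body: bytes, now=None, secret: bytes = WEBHOOK_SECRET) -> bool:
    """True if the request would create a case, False if it is rejected."""
    try:
        ingest(headers, body, now, secret)
        return True
    except WebhookRejected:
        return False


# Constructed sample payload; shape, IDs and values are invented for this example.
SAMPLE_PAYLOAD = {
    "threat_name": "Credential misuse leading to bucket enumeration",
    "summary": "Assumed role used from a new location to list and read S3 buckets.",
    "assets": [{"id": "i-0123456789abcdef0", "type": "ec2-instance"},
               {"id": "arn:aws:iam::123456789012:role/app-role", "type": "iam-role"}],
    "timeline": [{"t": "2025-01-01T10:00:00Z", "event": "AssumeRole from unusual network"},
                 {"t": "2025-01-01T10:02:00Z", "event": "ListBuckets followed by GetObject burst"}],
    "mitre_attack": ["T1078.004", "T1530", "T1078.004"],
    "identities": ["arn:aws:sts::123456789012:assumed-role/app-role/session"],
    "network_exposure": "public",
}


def demo(now: int = 1735725600) -> dict:
    """Sign the sample as the sender would, then ingest it as the receiver."""
    body = json.dumps(SAMPLE_PAYLOAD).encode()
    headers = {"X-Timestamp": str(now), "X-Signature": sign(body, now)}
    return ingest(headers, body, now=now)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The order matters: the signature is checked over the raw bytes before `json.loads` runs, so a malformed or oversized body from an unauthenticated sender never reaches the parser, and the timestamp window means a captured request cannot be replayed later to re-open a case or re-trigger a runbook.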

How Socrates Automates and Orchestrates the Cloud Threat Response

Once inside Torq, the Wiz Threat becomes a case, a centralized workspace where Torq’s AI SOC Analyst, Socrates, takes over. Here’s how the end-to-end workflow looks.

Step 1: The Wiz Alert Becomes a Torq Case

When the alert lands in Torq, a new case is created and populated with structured context from Wiz Defend. Analysts are immediately presented with a dynamic AI-generated case summary, which adapts in real-time as new signals, observables, or comments are added.

Step 2: Socrates Begins Enrichment and Investigation

With the case live, Socrates, Torq’s AI SOC Analyst, steps in as the first responder. Socrates parses the detection, extracts IPs, hashes, URLs, and related indicators, and enriches them using your chosen threat intelligence providers (e.g., VirusTotal, AlienVault, Recorded Future). Threat enrichment happens within seconds, and the insights are automatically written back into the case file.

Then, Socrates dynamically identifies asset owners based on tags, CMDB entries, or environment metadata — instantly resolving ownership questions that traditionally slow down response times in cloud environments.

Next, Socrates builds a response plan. Using the MITRE ATT&CK tactics mapped from the Wiz alert and a library of security procedures, it proposes a remediation workflow customized to the threat and environment, whether it’s privilege misuse, misconfigurations, or lateral movement attempts.
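The enrichment step above (extract IPs, hashes and URLs, ask threat-intelligence providers about them, write the verdicts back into the case) is the part of this workflow most worth seeing concretely, because real detection text is messy: indicators arrive defanged, internal addresses show up next to attacker addresses, and a hash has to be classified before a provider can be queried. Below is an added example of that step, not Torq's or Socrates' code. The refanging rules, the internal-range filter, the `StaticReputation` stand-in provider and the sample event lines are all constructed for this example; a real adapter for a provider such as VirusTotal would expose the same `lookup(kind, value)` signature.

```python
"""Extract indicators from a Wiz Threat's event text and enrich them offline.

Added example, not Torq or Socrates code. Refanging rules, the internal-range
filter and the StaticReputation provider are assumptions; a real provider
adapter would call a TI API with the same lookup() signature.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Ranges that are never useful as external indicators. Documentation ranges such as
# 203.0.113.0/24 deliberately pass so the constructed sample below stays safe to
# publish; in production, add your own public CIDRs here as well.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"\bhttps?://[^\s\"'<>]+")
# Longest alternative first so a sha256 is not cut down to its first 32 hex digits.
HASH_RE = re.compile(r"\b(?:[A-Fa-f0-9]{64}|[A-Fa-f0-9]{40}|[A-Fa-f0-9]{32})\b")
HASH_KIND = {32: "md5", 40: "sha1", 64: "sha256"}


def refang(text: str) -> str:
    """Undo common defanging so the regexes see real URLs and dotted quads."""
    for bad, good in (("[://]", "://"), ("[.]", "."), ("(.)", "."), ("[:]", ":"),
                      ("hxxps://", "https://"), ("hxxp://", "http://")):
        text = text.replace(bad, good)
    return text


def is_external(ip_text: str) -> bool:
    """Keep only routable, non-internal addresses; the loose regex also matches 999.1.1.1."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def extract_iocs(events) -> dict:
    """Pull typed indicators out of free-text event lines."""
    text = refang("\n".join(events))
    iocs = {"ipv4": set(), "url": set(), "domain": set(), "md5": set(), "sha1": set(), "sha256": set()}
    for ip in IPV4_RE.findall(text):
        if is_external(ip):
            iocs["ipv4"].add(ip)
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;:)]}'\"")  # trailing punctuation from the surrounding prose
        iocs["url"].add(url)
        host = urlparse(url).hostname
        if host and not IPV4_RE.fullmatch(host):
            iocs["domain"].add(host.lower())
    for h in HASH_RE.findall(text):
        iocs[HASH_KIND[len(h)]].add(h.lower())
    return iocs


class StaticReputation:
    """Offline stand-in for a TI provider: constructed verdicts, no network."""
    name = "constructed-ti"

    def __init__(self, malicious):
        self.malicious = set(malicious)

    def lookup(self, kind: str, value: str) -> str:
        return "malicious" if value in self.malicious else "unknown"


def enrich(iocs: dict, providers) -> dict:
    """Ask every provider about every indicator; any 'malicious' verdict wins."""
    out = {}
    for kind, values in iocs.items():
        for value in sorted(values):
            verdicts = {p.name: p.lookup(kind, value) for p in providers}
            out[(kind, value)] = {
                "verdict": "malicious" if "malicious" in verdicts.values() else "unknown",
                "sources": verdicts,
            }
    return out


def write_back(case: dict, enrichment: dict) -> dict:
    """Append the enrichment as a structured case note and count confirmed-bad indicators."""
    hits = sorted("%s:%s" % (k, v) for (k, v), r in enrichment.items() if r["verdict"] == "malicious")
    case.setdefault("notes", []).append({"type": "enrichment", "indicators": len(enrichment), "malicious": hits})
    case["malicious_indicator_count"] = len(hits)
    return case


# Constructed event lines standing in for a Wiz Threat timeline (not real data).
SAMPLE_EVENTS = [
    "Runtime sensor: /tmp/x downloaded from hxxp://evil[.]example/payload.sh by uid 0",
    "Outbound TCP 443 from 10.0.0.5 to 203[.]0[.]113[.]45, process sha256 "
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855.",
    "CloudTrail: AssumeRole from 203.0.113.45; dropped file md5 d41d8cd98f00b204e9800998ecf8427e",
]


def demo() -> dict:
    """Extract, enrich against the constructed provider, and write back into a case."""
    iocs = extract_iocs(SAMPLE_EVENTS)
    ti = StaticReputation({"203.0.113.45", "evil.example"})
    return write_back({"title": "sample"}, enrich(iocs, [ti]))


if __name__ == "__main__":
    print(demo())
```

Two choices here are deliberate. Internal addresses are dropped before any lookup, because sending your own 10.0.0.0/8 space to a third-party reputation service leaks topology and produces nothing useful. And the provider interface returns a string verdict per indicator rather than the raw API response, so swapping a real provider in (or running several in parallel) does not change the write-back logic.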

Step 3: Autonomous Action and Analyst Escalation (If Needed)

Now the case enters automated execution. Socrates follows a runbook tailored to the case type, executing actions such as:

  • Collecting additional context from Wiz, AWS, and container workloads
  • Mapping and enriching security groups and cloud configurations
  • Identifying blast radius and lateral exposure for potential data exfiltration
  • Capturing a forensic memory dump of the asset to AWS S3
  • Notifying asset owners and cloud security teams via Slack or Jira
  • Removing public IP associations from exposed assets
  • Tagging the case with relevant MITRE ATT&CK TTPs

For cloud threats that meet pre-defined criteria, Socrates can auto-remediate the incident entirely, containing the issue before a human even sees the alert. Those criteria deserve care: actions such as detaching public IPs are disruptive, so the conditions that permit them (severity threshold, asset tags, environment) should be explicit, reviewable, and recorded on the case alongside every automated action. For more critical threats, the case is escalated to a human analyst with full context, including recommended next steps and suggested actions.
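To make the gate between "auto-remediate" and "escalate" concrete, here is an added example of one runbook step from the list above, detaching public IPs from an internet-exposed instance, with the policy check in front of it. It is not Torq's runbook code. The severity threshold, the opt-out tag name, the instance record shape and the `FakeEC2` client are assumptions; `describe_security_groups`, `describe_addresses` and `disassociate_address` are real boto3 EC2 client methods, and `FakeEC2` mimics their response shapes so the step runs offline and can be dry-run.

```python
"""One runbook step behind a policy gate: detach public IPs from an exposed EC2 instance.

Added example, not Torq runbook code. Thresholds, tag names, the instance record
shape and FakeEC2 are assumptions; the three EC2 calls mirror boto3's signatures.
"""

SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}
AUTO_CONTAIN_MIN = "HIGH"              # assumption: below this, a human decides
OPT_OUT_TAG = "soc:no-auto-contain"    # assumption: owners mark fragile assets with this tag


def internet_exposed(security_groups) -> set:
    """Ingress reachable from anywhere, as 'proto/port', 'proto/lo-hi' or 'all'."""
    exposed = set()
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            open_v4 = any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", []))
            open_v6 = any(r.get("CidrIpv6") == "::/0" for r in perm.get("Ipv6Ranges", []))
            if not (open_v4 or open_v6):
                continue
            proto = perm.get("IpProtocol", "-1")
            lo, hi = perm.get("FromPort"), perm.get("ToPort")
            if proto == "-1":                      # all protocols, all ports
                exposed.add("all")
            elif lo is None or hi is None:         # e.g. ICMP without type/code
                exposed.add(proto + "/all")
            elif lo == hi:
                exposed.add("%s/%d" % (proto, lo))
            else:
                exposed.add("%s/%d-%d" % (proto, lo, hi))
    return exposed


def decide(case: dict, tags: dict, exposed: set):
    """Return (decision, reason) where decision is 'contain', 'escalate' or 'skip'."""
    if SEVERITY_RANK.get(case.get("severity", "LOW"), 0) < SEVERITY_RANK[AUTO_CONTAIN_MIN]:
        return "escalate", "severity below auto-containment threshold"
    if tags.get(OPT_OUT_TAG, "").lower() == "true":
        return "escalate", "asset owner opted out of automatic containment"
    if not exposed:
        return "skip", "no internet-reachable ingress, detaching the IP changes nothing"
    return "contain", "exposed on %s" % ", ".join(sorted(exposed))


def detach_public_ips(ec2, instance_id: str, dry_run: bool = True) -> list:
    """Disassociate every Elastic IP attached to the instance; dry_run only plans."""
    addrs = ec2.describe_addresses(Filters=[{"Name": "instance-id", "Values": [instance_id]}])["Addresses"]
    actions = []
    for addr in addrs:
        assoc = addr.get("AssociationId")
        if not assoc:
            continue
        actions.append({"disassociate_address": assoc, "public_ip": addr.get("PublicIp"), "dry_run": dry_run})
        if not dry_run:
            ec2.disassociate_address(AssociationId=assoc)
    # Caveat: an auto-assigned public IPv4 (not an EIP) is absent from DescribeAddresses and
    # cannot be detached from a running instance; the fallback there is a deny-all security group.
    return actions


def run_step(ec2, case: dict, instance: dict, dry_run: bool = True) -> dict:
    """Gate, then act; every outcome lands on the case so the audit trail is complete."""
    sgs = ec2.describe_security_groups(GroupIds=instance["security_group_ids"])["SecurityGroups"]
    exposed = internet_exposed(sgs)
    decision, reason = decide(case, instance.get("tags", {}), exposed)
    record = {"instance": instance["id"], "decision": decision, "reason": reason,
              "exposed": sorted(exposed), "actions": []}
    if decision == "contain":
        record["actions"] = detach_public_ips(ec2, instance["id"], dry_run)
    case.setdefault("notes", []).append({"type": "containment", **record})
    return record


class FakeEC2:
    """Offline stand-in returning boto3-shaped responses and recording write calls."""
    def __init__(self, security_groups, addresses):
        self.sgs, self.addresses, self.writes = security_groups, addresses, []

    def describe_security_groups(self, GroupIds):
        return {"SecurityGroups": [s for s in self.sgs if s["GroupId"] in GroupIds]}

    def describe_addresses(self, Filters):
        wanted = [v for f in Filters if f["Name"] == "instance-id" for v in f["Values"]]
        return {"Addresses": [a for a in self.addresses if a.get("InstanceId") in wanted]}

    def disassociate_address(self, AssociationId):
        self.writes.append(("disassociate_address", AssociationId))
        return {}


# Constructed fixtures: invented IDs, an SSH rule open to the world, HTTPS only from 10/8.
SAMPLE_SGS = [{"GroupId": "sg-0aaa", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
]}]
SAMPLE_ADDRESSES = [{"PublicIp": "203.0.113.45", "InstanceId": "i-0123456789abcdef0", "AssociationId": "eipassoc-0123"}]
SAMPLE_INSTANCE = {"id": "i-0123456789abcdef0", "security_group_ids": ["sg-0aaa"], "tags": {"env": "prod"}}


def demo(severity: str = "HIGH", tags=None, dry_run: bool = True):
    """Run the step against the fixtures; returns (case note, write calls the client saw)."""
    ec2 = FakeEC2(SAMPLE_SGS, SAMPLE_ADDRESSES)
    instance = dict(SAMPLE_INSTANCE, tags=SAMPLE_INSTANCE["tags"] if tags is None else tags)
    return run_step(ec2, {"severity": severity, "title": "sample"}, instance, dry_run), ec2.writes


if __name__ == "__main__":
    print(demo(dry_run=False))
```

With `dry_run=True` the step produces the same case note and planned actions without touching the account, which is how a new runbook should be exercised against production before the gate is allowed to fire for real. Note also that the gate sees the actual security-group state rather than the alert's "public" label, so a stale exposure claim in the alert cannot on its own trigger a detach.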

Step 4: Automatic Post-Incident Reporting

Once the threat has been handled, Socrates generates a full post-incident report that includes:

  • A summary of the detection and context
  • Enrichment and investigation details
  • The full remediation timeline
  • Root cause analysis of vulnerabilities or misconfigurations
  • Blast radius insights
  • Analyst performance scoring (if applicable)
  • Recommendations for continued improvement of cloud security posture

This report is stored as a PDF attachment to the case and accessible as a structured note, ready for audits, compliance, and continuous SOC training.

The MITRE ATT&CK TTP tags applied to the case during Step 3 also roll up across cases: teams can build an ATT&CK heatmap across Wiz, Torq, and other detection sources, giving CISOs and threat hunters strategic visibility into adversary behavior across cloud and hybrid infrastructure.

Why Torq is the Definitive Automation Tool for Your Wiz Environment

Torq is uniquely built to provide the critical automation layer needed to bridge detection to action with unparalleled efficiency and accuracy. Unlike generic automation tools or manual scripting, Torq understands Wiz alerts natively. As soon as Wiz identifies a high-confidence threat, Torq’s built-in workflows are triggered automatically without extra scripting, manual integrations, or complicated setup.

With Torq, Wiz Defend customers experience immediate threat containment as Socrates enriches alerts, performs investigations, and resolves threats independently. This fully autonomous approach significantly reduces MTTR and frees your analysts to focus on complex scenarios and overall SOC strategy.

Torq doesn’t just enhance Wiz cloud alerts — it completes them.

Wiz and Torq: Your Ultimate Cheat Code for Cloud Security Operations

Cloud threat detection is just half the battle. Together, Wiz and Torq close the loop by coupling high-fidelity detections with instant, automated, and intelligent response. By bridging the gap between detection and action, security teams can finally stay ahead of rapidly evolving cloud threats, reduce alert fatigue, and accelerate remediation. 

The integration of Wiz Defend’s rich, correlated telemetry with Torq HyperSOC’s autonomous threat handling isn’t just a solution — it’s your SOC team’s ultimate cheat code.

See Wiz Defend and Torq HyperSOC in action together.