Trust in an AI SOC doesn’t come from bigger models. It comes from grounding. The Torq Context Graph and Memory Layer power every agentic decision on the Torq AI SOC Platform, grounding each verdict in your environment’s truth and your analysts’ past judgments — progressively sharpening triage, investigation, and response with every closed case.
The Torq Context Graph
Captures what your environment means. Not just what exists.
The Torq Context Graph is a continuously updated security intelligence layer that grounds every agentic decision in the current state of your environment. Identities, assets, networks, and policies from every source — IdP, EDR, SIEM, cloud, HR, ITSM, threat intel — are resolved into one normalized representation, enriched with your business context, and time-stamped, source-tagged, and governed by access tier.
Most importantly, the graph captures decisions as first-class objects: every verdict, every escalation, and every exception, with the rationale and counterfactual that produced it.
Unified, Cross-Source Entity Resolution
One user node fed by Okta, Entra ID, Slack, Workday, and HR. One host node fed by EDR, MDM, and CMDB. Agents reason on a single resolved view of your organization, not on four parallel API calls per alert.
Trace Decisions, Not Just Data
Every fact carries when it was true, where it came from, what it means, who’s allowed to see it, and — uniquely — why a related decision was made. Agents reason far more accurately on rich semantic edges than on undifferentiated ‘related-to’ links.
Same Alert. Different Stories.
An alert on Dan’s contractor laptop touching public marketing content is not the same alert as an identical one on Scott’s machine touching material non-public information. The Context Graph reads the difference instantly. A generic model can’t.
AI Verdicts Without Context
Are Just Guesses
Generic AI models don’t know which host is a crown jewel. They don’t know that Scott the finance director is touching the M&A data room while Dan the contractor only has read-only marketing access. They don’t remember what your senior analysts decided about a near-identical alert last Tuesday.
Without that grounding, every verdict is a guess in your environment and every analyst correction is forgotten the moment the case is closed.
Torq closes the gap with two complementary layers for agents to reason on: the Context Graph, a unified, organization-specific map of identities, assets, threats, policies, and analyst judgments, and a Memory Layer, powered by Recall and Reflex, that adds the historical dimension of what your security operations team actually did when handling similar situations.
“The longer Torq runs in our environment, the more it sounds like our best analysts. That’s the part no other platform delivers.”
Director of Security Operations, Fortune 500 Financial Services
The Memory Layer
Two memories. One verdict. Compounding judgment.
The Context Graph tells agents what is true right now. The Memory Layer captures how your security team handled similar issues in the past: the verdicts they confirmed, the follow-up actions they took, and the outcomes they documented. Through two complementary mechanisms, Recall and Reflex, that operational experience informs future decisions as agents triage, investigate, and respond. With every closed case, the system becomes more informed, reliable, and effective.
Torq Recall: Deliberate Reasoning Over Precedent
When a new alert arrives, Recall asks a structured question: which prior cases in your environment shared the same entities, relationships, or patterns? Using the Context Graph’s resolved view of the alert, it retrieves the most relevant historical cases and ranks them by overlap. A semantic LLM then analyzes the notes, actions, and resolution rationale from the top matches to determine how their lessons apply to the current investigation. Every Recall-informed verdict cites the precedents that shaped it.
Torq Recall pipeline. Closed cases flow from Case Management into an indexed history; for every new alert, Recall pulls the most relevant precedents through fast index-based similarity retrieval, then runs a deep relevance judgement with an AI model on the top matches. The resulting Recall Impact feeds Auto Triage’s verdict alongside business context and enrichments. Constant feedback loop on the left. Optimized clustering and retrieval on the right.
Torq Reflex: The Triage Model That’s Uniquely Yours
Reflex is a stateful, per-tenant model trained continuously on your team’s confirmed verdicts and corrections. Its encoder operates on Context Graph-enriched alerts and cases — every entity resolved, every property tagged, every business attribute attached — and a classifier learns the patterns that emerge in your environment and assigns a calibrated confidence score to every verdict. High-confidence Reflex verdicts get expedited; low-confidence ones escalate for deeper LLM analysis and analyst review. Each correction becomes training data, steadily improving performance over time.
Torq Reflex feedback loop. Alerts from every source flow into Auto Triage, where Reflex contributes a fast verdict. Cases are closed in Case Management with the analyst’s confirmed disposition, and those closed cases feed the Encoder + Classifier — producing a transformer model that is unique to each source and each organization. Constant feedback loop on the left. Machine learning on the right.
Together: Coverage Neither Can Deliver Alone
Recall is sharpest when an alert’s entities have a real footprint in your case history. Reflex covers novel actors and unfamiliar entities running familiar patterns — what Recall alone would miss. When they agree, the verdict carries the weight of both deliberate precedent and learned intuition. When they disagree, the disagreement itself is a high-interest signal worth a human’s attention.
Built for Your SOC. Trained on Your Truth.
Tenant-Isolated
by Design
Your graph, your memory, your model. Nothing crosses organizational boundaries. Nothing trains a shared model.
Audit-Ready
by Default
Every verdict traces back to its grounding: the Context Graph facts that contributed, the past cases Recall cited, the signal Reflex carried.
Coaching,
Not Surveillance
Decision data shapes training and learning — not performance reviews. Divergence is a learning signal.
One Substrate. One Memory. Every Agent.
The Context Graph and the Memory Layer feed every part of the Torq AI SOC Platform — and every decision flows back into them.
Auto Triage
Verdicts are grounded in live posture and ranked precedent. The decision is rendered in under a second, with the exact reasoning behind every call and the single factor that would have flipped the verdict for analysts to audit.
Socrates and
Torq HyperAgents™
Multi-hop investigations compound instead of restarting. Every pivot, every ruled-out hypothesis, every analyst note becomes a new edge inherited by the next investigation.
Hyperautomation and Response
Containment and remediation policies are graph-aware: Scott’s finance host doesn’t auto-isolate. Dan’s contractor laptop does. Every action’s receipt flows back as new evidence.
The Context Graph Evolves With Every Decision Your Team Makes.
Every alert closed becomes a decision trace on the Context Graph. Every correction retrains Reflex. Every Socrates investigation writes new nodes and edges back to the graph. Static SOPs become live operating logic. Recurring exceptions surface as unwritten rules to promote, or control gaps to fix. The system gets sharper the more your team uses it — in the shape of your team’s own judgment, not a generic baseline.
The Future of Security Operations is Agentic
See Torq’s Context Graph and Memory Layer in action.
Schedule a Demo
