Incident Response Automation and Why It’s Critical for Your SOC


Speed is everything in security. Delayed responses to security incidents can result in business data loss, eroded trust, and significant financial impact. Traditional manual incident response can’t keep pace with today’s threats.

This is where incident response automation comes in. Using automated incident response tools and incident response orchestration, SOCs can now detect, investigate, and contain threats automatically — often before they escalate into critical incidents.

In this blog, we’ll break down what incident response automation is, why it’s essential, and real-life use cases for modern SOCs.

What Is Incident Response Automation?

Manual incident response relies heavily on human intervention and human reaction time. Analysts must identify the threat, triage, determine its impact, decide on a course of action, execute that action, and document everything — often while juggling dozens of other critical duties. It’s slow. It’s error-prone. And it leaves your organization vulnerable.

Powered by AI, incident response automation enables instant detection and response by automatically identifying and neutralizing threats — often before users even become aware of an issue. It delivers scalability by handling multiple incidents simultaneously across sprawling, complex environments without overwhelming the SOC. 

Incident response automation empowers analysts by offloading repetitive, routine tasks, with predefined incident response playbooks, allowing human experts to focus their time and energy on strategic, high-value initiatives. And it drives operational maturity by feeding AI-driven insights back into detection and response processes, improving incident prevention.

What Are Automated Workflows in Incident Response? 

At the core of incident response automation are automated workflows: rule-based sequences that determine what happens when a specific alert or event occurs. These workflows act as digital playbooks, ensuring every step of detection, containment, and remediation happens quickly, consistently, and without human error.

For example, when a phishing email is detected, an automated workflow might:

  • Identify and classify the threat
  • Quarantine the affected inbox
  • Revoke access tokens or reset credentials
  • Notify analysts via Slack or Teams with relevant context
  • Log and document the entire process automatically

Core Components of Automated Incident Response

Tool integration: Seamlessly integrates with existing security tools like SIEMs, EDR, firewalls, and threat intelligence platforms.

Scalability: Automated responses allow SOCs to handle more incidents without increasing headcount or operational costs.

Consistency: Uniform execution of best-practice-driven response actions reduces risk and ensures predictable outcomes.

Flexibility: Retains human oversight, allowing analysts to intervene or supervise as needed.

Alerting and detection: Real-time, automated detection reduces delays, ensuring immediate response.

Incident prioritization: Automated systems categorize incidents by severity, helping teams focus resources efficiently.

Remediation: Predefined automated actions such as quarantining compromised systems, blocking malicious IPs, and applying patches help ensure threats are rapidly contained and systems are restored to a secure state.

Reporting and post-mortems: Automated documentation simplifies root cause analysis and improves future responses.

Why Manual Incident Response Falls Short

Traditional manual incident response often suffers from:

  • Slow response times: Manual investigation wastes precious time during an active attack.
  • Inconsistency: Human error and variable response quality introduce risk at every step.
  • Alert overload: SOCs are overwhelmed by alerts. Manual triage is not sustainable.
  • Resource constraints: Manual processes are resource-intensive and don’t scale efficiently.

Automated incident response solves all of this. It scales with increasing volume, enforces consistency, and frees up your team’s time and energy to focus on strategic security initiatives.

Benefits of Automated Incident Response

Implementing automated incident response delivers clear advantages:

  • Faster response times: Automated detection and containment reduce response times (MTTR) from hours to seconds, limiting dwell time and minimizing impact.
  • Improved accuracy: Standardized, automated playbooks ensure predictable, repeatable actions that minimize human error.
  • Reduced alert fatigue: By automating repetitive triage and enrichment tasks, SOC analysts regain time for proactive defense and complex investigations — improving morale and retention.
  • Efficiency at scale: Automation scales effortlessly, handling hundreds of concurrent incidents without increasing headcount.
  • Streamlined compliance: Automated systems generate real-time incident logs, case summaries, and remediation records, ensuring every action is tracked for audits and compliance without manual effort.
  • Fewer false positives: AI-driven correlation and enrichment reduce noise by filtering out redundant or low-priority alerts, allowing analysts to focus only on genuine, high-risk threats.
  • Stronger security posture: Automation platforms continuously refine detection and response workflows using AI insights, adapting to new threats and strengthening your organization’s overall resilience.

Examples of Automated Incident Response in Action

Here’s how incident response automation plays out across different attack scenarios.

Phishing Attacks

When a phishing email bypasses perimeter defenses and lands in an employee’s inbox, time is of the essence. Automated incident response detects indicators like suspicious URLs, anomalous user behavior, or credential harvesting attempts. The automation system instantly isolates the affected inbox, revokes access to compromised credentials, removes the phishing email from all mailboxes, blocks the sender, and notifies impacted users.

Malware Containment

If malware is detected on an endpoint, automated workflows instantly disconnect the infected endpoint from the network, trigger forensic scans, kill malicious processes, and initiate recovery steps — containing the spread before it can escalate.

IAM Security

Identity and Access Management (IAM) is a prime target for attackers. Automated incident response continuously monitors for unusual login patterns, privilege escalation, dormant accounts, and policy violations. Upon detection, automation can instantly disable user accounts, enforce password resets, revoke elevated privileges, or require multi-factor authentication (MFA). 

Cloud Detection and Response

Cloud security automation monitors cloud environments for misconfigurations like exposed storage buckets or open firewall ports. Upon detection, the system automatically isolates compromised assets, contacts the correct owners, executes remediation, and minimizes damage before analysts need to step in.

How to Automate Incident Response with SentinelOne and Torq

One of Torq Hyperautomation™’s greatest strengths is its ability to integrate with virtually any security tool. We team up with leading platforms like SentinelOne to create seamless automations that simplify SOC workflows, eliminate manual grind, and dramatically improve incident response times.

Here’s how Torq and SentinelOne combine forces to bring autonomous incident response to life:

1. Auto-Enrich SentinelOne Incidents with Intezer

Torq continuously polls SentinelOne for any unresolved threats. It extracts file hashes from those incidents and queries Intezer for threat intelligence enrichment. The results from Intezer are posted directly into the SentinelOne incident notes.

At the same time, Torq launches a Deep Visibility query to determine the extent of the threat across your environment. If Intezer flags a file as malicious or suspicious, Torq automatically prompts your SOC team in Slack to decide whether to launch an Intezer Live Scan. If the team answers yes, Torq remotely installs the Live Scan agent, runs the scan, gathers the results, and updates both the Slack channel and the SentinelOne threat notes.

2. Threat Hunt for SHA1 Signatures Across SentinelOne Endpoints

Torq enables rapid threat hunts that can be triggered directly from Slack. When a SOC analyst sends a Slack command containing a platform and a SHA1 file signature, Torq initiates an immediate threat hunt.

Torq adds the file hash to the SentinelOne blacklist and launches a Deep Visibility query to find all instances of the file across your managed endpoints. It identifies and notifies endpoint owners by integrating with Jamf or Intune. Torq updates the relevant Slack channel and then triggers a full disk scan on any affected endpoints to eliminate threats promptly.

3. Enrich SentinelOne Findings with Advanced Threat Intelligence

Torq enhances SentinelOne incident analysis by layering in threat intelligence from VirusTotal and Recorded Future. Torq regularly polls SentinelOne for newly detected threats. Torq extracts relevant file signatures for each threat and queries VirusTotal and Recorded Future for enrichment data, including reputation scores, malicious behavior indicators, and associated threat actors. This context is automatically added to the incident notes within SentinelOne.

Torq can also run a Deep Visibility query for additional results associated with the same file hash, ensuring SOC teams have complete situational awareness without lifting a finger.

Incident Response Automation with Torq

Torq transforms the way SOC teams do incident response. Our platform empowers organizations to:

  • Deliver faster, more accurate automated incident responses without requiring major increases in staffing.
  • Automate repetitive tasks while maintaining human oversight when needed.
  • Enable analysts to focus on strategic initiatives that harden security postures, rather than burning out on alert triage.
  • Socrates, Torq’s AI SOC Analyst, coordinates specialized AI Agents that autonomously handle enrichment, investigation, containment, and remediation.

Torq Hyperautomation makes it easy to deploy integrated incident response automation across your security environment. Let Torq automate your incident response and everything with it.

See how to get started with Torq. Get the Don’t Die. Get Torq manifesto.

FAQs

What is incident response automation?

Incident response automation combines security orchestration and AI to accelerate and scale every stage of the incident lifecycle — detection, triage, containment, and remediation. Modern automated incident management software integrates with your existing security tooling (like SIEM, EDR, IAM, and cloud platforms) to reduce mean time to detect (MTTD) and mean time to respond (MTTR).

In short, it makes your SOC faster, smarter, and more resilient.

How does automated incident response work?

Automated incident response uses predefined workflows and playbooks to detect threats, analyze alerts, and trigger containment or remediation actions. For example, when a suspicious login or phishing attempt is detected, automation tools can isolate affected systems, revoke compromised credentials, and alert analysts automatically — all in seconds. This process improves speed, accuracy, and consistency across security operations.

What are the benefits of automated incident response?

The primary benefits of incident response automation include faster detection and response times, reduced analyst workload, and improved accuracy. Automation eliminates repetitive manual tasks, minimizes human error, and allows teams to handle a higher volume of alerts efficiently. It also enhances compliance by automatically documenting actions and builds a stronger, continuously improving security posture.

What are automated incident response tools?

Automated incident response tools are platforms that connect to your security ecosystem to detect, investigate, and remediate threats automatically. These tools orchestrate actions across SIEMs, EDRs, firewalls, IAM systems, and cloud platforms. Advanced solutions, such as Torq Hyperautomation™, leverage agentic AI to coordinate specialized workflows that operate at machine speed while maintaining full human oversight.

What are common use cases for automated incident response?

Common use cases include phishing detection and response, malware containment, insider threat mitigation, and cloud security enforcement. Automated incident response workflows can quarantine compromised endpoints, disable risky user accounts, revoke access tokens, or correct misconfigurations — all without manual intervention.

How do automated workflows improve incident response?

Automated workflows standardize how incidents are handled by mapping each step — from detection to remediation — into a repeatable sequence. These workflows ensure consistency, minimize delays, and eliminate guesswork during critical incidents. 

How does Torq enable automated incident response?

Torq Hyperautomation™ unifies your existing security tools and automates entire workflows — from detection to remediation. Its agentic AI system, Socrates, coordinates specialized AI Agents to perform enrichment, investigation, containment, and documentation autonomously. With Torq, SOCs achieve faster response times, fewer false positives, and higher operational resilience.

SEE TORQ IN ACTION

Ready to automate everything?

“Torq takes the vision that’s in your head and actually puts it on paper and into practice.”

Corey Kaemming, Senior Director of InfoSec

“Torq HyperSOC offers unprecedented protection and drives extraordinary efficiency for RSM and our customers.”

Todd Willoughby, Director


“Torq saves hundreds of hours a month on analysis. Alert fatigue is a thing of the past.”

Phillip Tarrant, SOC Technical Manager


“The only limit Torq has is people’s imaginations.”

Gai Hanochi, VP Business Technologies


“Torq Agentic AI now handles 100% of Carvana’s Tier-1 security alerts.”

Dina Mathers, CISO


“Torq has transformed efficiency for all five of my security teams and enabled them to focus on much more high-value strategic work.”

Yossi Yeshua, CISO

Combating Ransomware, Phishing, and Zelle Fraud at Financial and Bank SOCs


Banking and financial services companies sit on a goldmine of sensitive customer data, making them a prime target for phishing and ransomware attackers hoping to strike a payout. 

Even with defenses like MFA and security training, human error continues to be a critical point of failure for financial institutions — a 2024 report found that 3 out of every 1000 individuals working in banking click on a phishing link each month. This stark reality of risk highlights the industry’s urgent need for more proactive, automated security processes.

Below, we break down the top financial and bank SOC use cases for security Hyperautomation and cover how a major regional bank successfully reinstated Zelle services by automating account lockdowns for fraud alerts.

The Automation Imperative in Finance and Bank Security Operations

Two of the most common — and critical — security operations priorities for CISOs we’ve talked to at banks and financial services companies are to:

  • Mitigate risk by quickly responding to, containing, and remediating attacks.
  • Maintain materiality by focusing on the most important security issues that could cause the biggest problems and by being able to accurately assess when a cybersecurity incident requires SEC reporting.

Achieving these requires reducing Mean Time to Respond (MTTR), ensuring swift and effective remediation, and gaining visibility across all identities and security assets. However, manual processes, a jungle of spreadsheets, and siloed data compound operational challenges at financial and banking organizations. 

To modernize their financial and bank SOCs, forward-thinking CISOs are embracing Hyperautomation as a way to unify their security stack and automate incident response. Integrating solutions like ServiceNow or Snowflake with Torq’s AI-driven Hyperautomation platform can provide a single source of truth and streamline security operations for a stronger security posture and greater visibility across the SOC. 

Top 5 Bank SOC Challenges Solved by Hyperautomation

Below are the top use cases being Hyperautomated by Torq’s financial services customer base, along with real-world examples of the workflows they have built.

1. Phishing Alert Analysis

Automate the extraction and aggregation of URLs, file hashes, and message headers from Outlook messages and attachments, providing a comprehensive data set for further security analysis. 

Workflow Steps:

  1. Receive potential phishing alert from Microsoft 365.
  2. Execute parallel tasks to extract URLs from the email body, retrieve message headers, and process attachments (if present).
  3. For the email body, extract all unique URLs and collect them.
  4. Retrieve message headers using Microsoft Graph API and store them.
  5. If the email has attachments, list them and filter out non-file attachments.
  6. For each file attachment, retrieve detailed information and extract URLs from the content if available.
  7. Collect and combine URLs from various sources (e.g. body and attachments). Set default values if no URLs are found.
  8. Link message headers from the email and attachments, setting default values if none are found.
  9. Generate a structured output containing URLs, file hashes, and message headers.
  10. Run the nested Case Management workflow (use case 4 below) to open or update the case.
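As an added, stand-alone illustration of steps 2 through 9 (this is example code, not a Torq workflow export), the function below takes a raw message, pulls unique URLs from the body and from text attachments, hashes every file attachment, records the headers of interest, and applies default values when something is missing. The sample message, header list and placeholder string are constructed for this example; only the Python standard library is used.

```python
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage

# URL pattern: stops at whitespace and the delimiters commonly found around links in mail.
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)
# Headers the analyst usually wants alongside the URLs (assumed list).
HEADERS_OF_INTEREST = ("From", "Reply-To", "Return-Path", "Subject", "Authentication-Results")
ABSENT = "<absent>"  # default value used when a header or the URL set is missing


def build_sample_alert() -> bytes:
    """Constructed sample message (not a real alert): a body URL plus two attachments."""
    msg = EmailMessage()
    msg["From"] = "Payroll Team <payroll@mail-notices.test>"
    msg["Subject"] = "Updated direct deposit form"
    msg.set_content("Please review: https://mail-notices.test/forms/dd.aspx\nPayroll")
    # A text attachment that itself carries a link, and a binary one that only gets hashed.
    msg.add_attachment("Backup link: https://files.mail-notices.test/dd.zip", filename="readme.txt")
    msg.add_attachment(b"%PDF-1.4 constructed sample", maintype="application",
                       subtype="pdf", filename="form.pdf")
    return msg.as_bytes()


def extract_urls(text: str) -> set:
    """Unique URLs in a piece of text, with trailing sentence punctuation removed."""
    return {m.group(0).rstrip(".,") for m in URL_RE.finditer(text)}


def analyze_alert(raw: bytes) -> dict:
    """Steps 2-9: body URLs, headers and attachment hashes/URLs merged into one record."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    urls = set()

    # Step 3: unique URLs from the body (plain text preferred over HTML).
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is not None:
        urls |= extract_urls(body.get_content())

    # Step 4: headers of interest, with a default when a header is missing.
    headers = {name: msg.get(name, ABSENT) for name in HEADERS_OF_INTEREST}

    # Steps 5-6: file attachments only; hash each one and scan text attachments for URLs.
    file_hashes = []
    for part in msg.iter_attachments():
        filename = part.get_filename()
        if not filename:  # inline or unnamed parts are not file attachments
            continue
        data = part.get_payload(decode=True) or b""
        file_hashes.append({"filename": filename, "sha256": hashlib.sha256(data).hexdigest()})
        if part.get_content_maintype() == "text":
            urls |= extract_urls(part.get_content())

    # Steps 7-9: combine the sources and emit a structured record with defaults applied.
    return {
        "urls": sorted(urls) if urls else [ABSENT],
        "file_hashes": file_hashes,
        "headers": headers,
    }
```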

2. Ransomware Case Creation and Categorization

Automate the ingestion and processing of CrowdStrike threat data by creating a comprehensive case in Torq. Once the case is created, notify the security team via email while categorizing the threat and adding relevant observables for further analysis. 

Workflow Steps:

  1. Extract specific fields from the incoming CrowdStrike event data into a sparse JSON object.
  2. Flatten the JSON object for easier processing and format it for a markdown table.
  3. Convert the event’s creation date to a specified format.
  4. Create a markdown table from the formatted data.
  5. Use a switch-case structure to categorize the threat as malware or ransomware, setting a variable accordingly.
  6. Create a case in Torq using the extracted and formatted data, including custom fields and tags.
  7. Add observables to the case, such as file hashes, with specified reputation scores.
  8. Query historical cases and link any closed cases with matching observables. 
  9. Generate an access token for Microsoft 365 and send an email notification about the new case to the specified recipient list.

3. Automated Threat Analysis and Enrichment 

Automate the process of extracting and analyzing threat intelligence data based on specific commands submitted by the security team — e.g. “Check IP”, “Check Hash”, or “Check Host”. Facilitate communications through Microsoft Teams to trigger the workflow and receive the enriched threat analysis. 

Workflow Steps:

  1. Evaluate incoming event text to determine the command type (!checkip, !checkhash, !checkhost).
    • For !checkip: extract IP addresses using regex and retrieve information for each IP from AbuseIPDB.
    • For !checkhash: extract hash patterns using regex, retrieve analysis reports from AnyRun, and get threats from SentinelOne.
    • For !checkhost: extract hostname patterns using regex, initiate a scan on the matching SentinelOne agents, wait for a specified duration, then retrieve threats from SentinelOne.
  2. Reply with the information gathered to the thread in the originating Microsoft Teams channel. 
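The command-evaluation step above is where untrusted chat text turns into lookup parameters, so it pays to validate the indicators before any enrichment call is made. The parser below is an added example (not Torq's implementation): it recognises the three commands, extracts only syntactically valid IPs, MD5/SHA1/SHA256 hashes or hostnames, drops duplicates and loopback/multicast addresses, and reports an error instead of passing junk downstream. The hostname pattern and the choice to lowercase values are assumptions.

```python
import ipaddress
import re

HASH_RE = re.compile(r"\b[0-9a-fA-F]{32}\b|\b[0-9a-fA-F]{40}\b|\b[0-9a-fA-F]{64}\b")
HOST_RE = re.compile(r"\b[A-Za-z][A-Za-z0-9-]{1,62}\b")  # assumed hostname shape
COMMANDS = {"!checkip": "ip", "!checkhash": "hash", "!checkhost": "host"}


def parse_command(text: str) -> dict:
    """Step 1: decide the command type and return only validated indicators."""
    parts = text.strip().split(maxsplit=1)
    if not parts or parts[0].lower() not in COMMANDS:
        return {"command": None, "error": "unknown command"}
    kind = COMMANDS[parts[0].lower()]
    body = parts[1] if len(parts) > 1 else ""
    values = []
    if kind == "ip":
        # Candidate tokens are validated by the ipaddress module, not by regex alone.
        for token in re.findall(r"[0-9a-fA-F:.]+", body):
            try:
                ip = ipaddress.ip_address(token.strip("."))
            except ValueError:
                continue
            if ip.is_loopback or ip.is_multicast or ip.is_unspecified:
                continue  # reputation lookups are meaningless for these
            values.append(str(ip))
    elif kind == "hash":
        values = [h.lower() for h in HASH_RE.findall(body)]
    else:
        values = [h.lower() for h in HOST_RE.findall(body)]
    values = list(dict.fromkeys(values))  # de-duplicate while keeping order
    if not values:
        return {"command": kind, "error": "no valid indicators"}
    return {"command": kind, "indicators": values}
```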

4. Case Management

Automate the process of checking for existing cases and creating new cases if necessary, ensuring efficient case management and reducing duplicate cases. This workflow is a valuable and repeatable tool for any case management program. Consider using a “nested workflow” attached to other Hyperautomated use cases (for example, see Phishing Alert Analysis above).

Workflow Steps:

  1. Query existing cases to check if a case already exists with the specified name, event data, or observable submitted.
  2. If a case exists, attach the new observable to the case and exit the workflow with the existing case ID.
  3. If no case exists, create a new case with the provided details such as title, SLA, severity, and state.
  4. After attempting to create a case, check the creation status.
  5. If the case creation is successful, exit with the new case ID.
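The five steps above, plus step 8 of the ransomware workflow (linking closed cases that share observables), as an added in-memory example; this is illustration code, not Torq's case API. It assumes that only open cases are reused for de-duplication, that observables (hashes, IPs, domains) are compared case-insensitively, and that case IDs are sequential placeholders.

```python
from dataclasses import dataclass, field
import itertools


@dataclass
class Case:
    case_id: str
    title: str
    severity: str
    sla_hours: int
    state: str = "open"
    observables: set = field(default_factory=set)
    linked_cases: set = field(default_factory=set)


def normalize(observables) -> set:
    """Hashes, IPs and domains are compared lowercase and without surrounding whitespace."""
    return {o.strip().lower() for o in observables if o and o.strip()}


class CaseStore:
    def __init__(self):
        self._cases = {}
        self._seq = itertools.count(1)

    def get(self, case_id: str) -> Case:
        return self._cases[case_id]

    def close(self, case_id: str) -> None:
        self._cases[case_id].state = "closed"

    def _find_open(self, title: str, observables: set):
        # Step 1: an open case matches on exact title or on any shared observable.
        for case in self._cases.values():
            if case.state == "open" and (case.title == title or case.observables & observables):
                return case
        return None

    def find_or_create(self, title, observables, severity="medium", sla_hours=24):
        """Returns (case_id, created); created is False when an open case was reused."""
        observables = normalize(observables)
        existing = self._find_open(title, observables)
        if existing is not None:
            # Step 2: attach the new observables and exit with the existing ID.
            existing.observables |= observables
            return existing.case_id, False
        # Step 3: no open case, so create one with the provided details.
        case = Case(f"CASE-{next(self._seq):04d}", title, severity, sla_hours,
                    observables=observables)
        # Ransomware workflow step 8: link closed cases that share an observable.
        for other in self._cases.values():
            if other.state == "closed" and other.observables & observables:
                case.linked_cases.add(other.case_id)
        self._cases[case.case_id] = case
        # Steps 4-5: creation succeeded, exit with the new ID.
        return case.case_id, True
```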

5. Fraud Detection

Automate the process of locking or unlocking a user account based on suspected fraud event data. Update your CRM with relevant fraud activity and notify the appropriate stakeholders with contextual information about the actions taken.

Workflow Steps:

  1. Set workflow parameters to include user ID and notification email addresses.
  2. Check if required fields are present in the event data.
  3. Verify the user’s status via an API call and determine if the user should be locked or unlocked.
    1. If lock: Execute an API call to lock the user and set a variable indicating the action taken.
    2. If unlock: Execute an API call to unlock the user and set a variable indicating the action taken.
  4. If the lock/unlock action is successful, query Salesforce to retrieve the user’s account information.
  5. Add a “fraud task” to the user’s account in Salesforce and notify the specified email addresses of the action taken.
  6. If adding the activity to Salesforce fails, send a failure notification to the specified email addresses.

Case Study: Automating Zelle Fraud Detection and Lockdown from End to End

A major regional U.S. bank with billions in assets faced an urgent, compliance-driven requirement to automate their detection and response to fraud alerts in Zelle, a customer-facing payment service that had been suspended by the SEC due to a surge in fraudulent activity.  

With Torq’s Hyperautomation platform, the bank’s SOC quickly automated the end-to-end process of locking down accounts triggered by fraud alerts, enabling them to reinstate Zelle services. Torq also automates CRM updates, giving customer service immediate context when talking to customers about account lockdowns.

And that’s not all they achieved with Torq — read the case study for the full story of how they published over 100 workflows in just 3 months and reduced their Mean Time to Investigate (MTTI) from hours to minutes.


Spear Phishing vs. Whaling: Targeted Email Attacks Are Getting Smarter – Is Your SOC?


Phishing attacks are no longer generic ‘spray and pray’ — they’re precision-engineered. With the rise of AI-generated content, attackers are crafting highly personalized emails that mirror real internal communication, complete with tone, context, and believable urgency. Whether it’s an HR request targeting a new hire or a fake wire transfer email impersonating your CFO, today’s phishing attacks are custom-built to manipulate individuals, not just inboxes.

That’s why understanding the differences between types of phishing — especially spear phishing vs. a whaling phishing attack — is crucial. The more personalized the attack, the higher the stakes. And the more manual your detection and response, the slower (and riskier) your SOC becomes. 

What is Spear Phishing?

Highly Targeted Emails with Personal Details

Spear phishing messages may reference the recipient’s name, job title, or company-specific context to make them more believable and reduce suspicion.

Uses Social Engineering to Build Trust

Spear phishing attackers often impersonate trusted internal figures like IT, HR, or team leads and may use emotional manipulation tactics and a false sense of urgency, such as “I need these gift card codes ASAP for a client!” to coax users to click or respond quickly without taking time to verify the legitimacy of the request.

Common Goals: Credential Theft, Malware Delivery, Account Access

Most spear phishing campaigns are designed to either trick users into revealing login credentials, installing malware, or granting access to sensitive systems — all while flying under the radar of traditional defenses.

What is Whaling?

CEO/CFO/General Counsel Impersonation or Targeting

Whaling attackers focus on top executives or impersonate them to pressure subordinates. 

A common whaling tactic cybercriminals use is to mimic the writing style of a CEO or CFO in emails or texts to executive assistants, finance staff, or vendors. Attackers may scrape public communications like press releases or LinkedIn profiles to make these messages feel authentic. 

Usually Involves High-Value Requests: Wire Transfers, Sensitive Data

Whaling often centers around urgent financial transactions such as wire transfers of large sums of money, highly sensitive corporate data such as confidential M&A documents, or login credentials to critical systems — anything that can cause maximum damage if mishandled.

Tactics Include Urgency, Authority, and Spoofed Domains

Whaling attackers employ sophisticated tactics, including urgency, authority, and spoofed domains and emails, to pressure targets into immediate action without suspicion. They might use subtle misspellings in domain names or mimic corporate logos to enhance credibility, making these attacks particularly challenging to detect.

Spear Phishing vs. Whaling: Key Differences

Here’s how spear phishing and whaling compare head-to-head.

                           Spear Phishing                                     Whaling
Target Audience            Any employee                                       Executives (CEO, CFO, General Counsel)
Payload & Objectives       Steal login credentials, access accounts,          Initiate wire transfers, steal confidential data
                           deliver malware
Level of Personalization   High: includes personal/company context            Very high: mimics executive language/tone
Potential Business Impact  Medium to high: data loss, lateral movement        Extremely high: catastrophic financial loss,
                                                                              compliance risk, reputational damage

5 Ways to Detect and Prevent Spear Phishing and Whaling Attacks

Security teams can implement several layered defenses, but they won’t scale without security automation. Here’s what works.

1. Employee and Executive Phishing Awareness Training

Because spear phishing and whaling rely on social engineering and psychological manipulation, your people are your most important line of defense. Use mock phishing exercises to teach employees how to recognize impersonation, suspicious links, and pressure tactics. Executive-specific training should highlight whaling phishing threats.

2. Email Authentication (DMARC, SPF, DKIM)

Implementing email authentication protocols (e.g., DMARC, SPF, DKIM) is fundamental. These protocols help verify the legitimacy of email senders, making it much harder for attackers to spoof domains. Automation can be used to continuously monitor and enforce these policies, automatically flagging or blocking non-compliant emails at the gateway.
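To show what "automatically flagging or blocking non-compliant emails at the gateway" looks like in practice, here is an added example (not Torq's code) that reads the Authentication-Results header a receiving mail server adds, combines the SPF/DKIM/DMARC results with the lookalike-domain and display-name checks from the whaling section above, and returns a gateway action. The protected domain list, executive names, sample headers and the deliver/flag/quarantine/block policy are all assumptions constructed for this example.

```python
import re
from email.utils import parseaddr

# Each clause after the authserv-id in an Authentication-Results header is "method=result ...".
RESULT_RE = re.compile(r"^\s*(spf|dkim|dmarc)\s*=\s*([a-z]+)", re.IGNORECASE)


def parse_auth_results(header: str) -> dict:
    """Returns e.g. {'spf': 'pass', 'dmarc': 'fail'}; methods that are not present stay absent."""
    results = {}
    for clause in header.split(";")[1:]:  # clause 0 is the authserv-id
        m = RESULT_RE.match(clause)
        if m:
            results[m.group(1).lower()] = m.group(2).lower()
    return results


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot one-character lookalikes of protected domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(from_header, auth_results_header, protected_domains, protected_names) -> dict:
    """Gateway decision for one message: deliver, flag, quarantine or block (assumed policy)."""
    display_name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    auth = parse_auth_results(auth_results_header or "")
    # 1. The From: domain publishes DMARC and the message failed it: block outright.
    if auth.get("dmarc") == "fail":
        return {"action": "block", "reason": "dmarc fail"}
    # 2. Domain one character away from a protected domain (e.g. a digit 1 for the letter l).
    if domain not in protected_domains and any(edit_distance(domain, d) == 1 for d in protected_domains):
        return {"action": "quarantine", "reason": f"lookalike of protected domain ({domain})"}
    # 3. Display name of a protected executive sent from an unrelated domain.
    if display_name.casefold() in {n.casefold() for n in protected_names} and domain not in protected_domains:
        return {"action": "quarantine", "reason": "display name matches protected executive"}
    # 4. Nothing was authenticated at all: hold for analyst review instead of silent delivery.
    if not auth:
        return {"action": "flag", "reason": "no authentication results"}
    return {"action": "deliver", "reason": "authenticated and aligned"}
```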

3. Suspicious Email Flagging and Sandboxing

Security automation platforms can automatically analyze incoming emails for suspicious links or attachments, detonate them in a secure sandbox environment to observe their behavior, and quarantine the original email if malicious activity is detected.

4. AI-Powered Phishing Detection Tools

AI-powered phishing detection can instantly analyze various email attributes — content, sender behavior, and metadata — to identify anomalies and patterns that indicate phishing. Automated workflows can then triage these alerts, escalating confirmed threats for immediate response.

5. Workflow-Based Phishing Response Automation with Hyperautomation

By orchestrating security tools across the entire environment, Torq Hyperautomation™ can automatically take action upon detecting a phishing attempt, such as blocking the sender, removing malicious emails from all inboxes, resetting compromised login credentials, and isolating affected endpoints — all at machine speed.

How Phishing Attempts Lead to SOC Burnout and Alert Fatigue

Let’s be blunt: phishing is killing SOC productivity.

Due to its sheer volume, phishing is one of the largest categories of alerts in most SOCs. Thanks to the increasing sophistication of phishing attempts, even false positives can require careful scrutiny. Analysts are stuck performing the same tedious phishing triage tasks over and over — decoding headers, extracting IOCs, checking against threat feeds, and drafting user responses.

This overload is unsustainable. It leads to alert fatigue, burnout, and missed threats. So what’s the solution?

How Torq Detects and Eliminates All Phishing Threats

Torq Hyperautomation eliminates the manual phishing grind by automating the entire phishing response lifecycle. Crucially, for high-stakes attacks like spear phishing and whaling, Torq:

  • Detects anomalies in email traffic by ingesting data from various sources, identifying unusual patterns in sender behavior, email content, and attachment types that may indicate a malicious attempt.
  • Connects with email security tools to block threats, orchestrating actions with Secure Email Gateway (SEG) providers like Abnormal Security, Microsoft, and Proofpoint to quarantine or remove malicious emails before they reach end users.
  • Automates incident response, ensuring that confirmed phishing attempts trigger immediate, predefined workflows, including isolating compromised accounts, initiating endpoint scans, and resetting credentials. 
  • Streamlines reporting, providing a consolidated view of phishing threats and incidents and enhancing overall security posture with actionable insights.
  • Routes high-risk cases (like whaling attempts) to appropriate decision-makers instantly, ensuring that executive-level threats receive immediate attention and rapid, informed responses.

Hyperautomate Your Phishing Defenses

Spear phishing and whaling attacks are getting more convincing by the day, and can have devastating consequences. With Torq, your security team can cut through the noise of phishing attempts, automate rapid detection and response, and provide robust protection for even your highest-value targets. Stop chasing phishing attempts manually and start crushing them with machine speed, consistency, and precision. 

Ready to build a more efficient, effective SOC to defend against modern threats?

FAQs

Is whaling a type of phishing?

Yes, whaling is a subcategory of phishing, specifically a more advanced and targeted form of spear phishing.

What is the difference between phishing and spear phishing?

Phishing is a broad, untargeted cyberattack that uses generic messages to deceive a wide audience into revealing sensitive information. Spear phishing, on the other hand, is a highly targeted attack customized for specific individuals or organizations, making it more personalized and convincing.

Who are the typical targets of spear phishing attacks?

Spear phishing attacks can target any employee within an organization. In comparison, whaling focuses on top executives.

What is the primary goal of a spear phishing attack?

The primary goal of a spear phishing attack is to steal confidential information, such as login credentials or financial details, or to deliver malware to the target’s system.

What is an example of a spear phishing attack?

An example of a spear phishing attack is an email sent to an HR staffer, appearing to be from the CEO, urgently requesting employee payroll information, which then leads to the leaking of that data.

What is a commonality between spear phishing and whaling?

Spear phishing and whaling both rely on social engineering techniques and share the objective of stealing sensitive information or gaining access to critical accounts or systems.

What are the four types of phishing?

The four common types of phishing are phishing, spear phishing, whaling, and smishing (SMS phishing). Vishing (voice phishing) is also often included as a fifth.

What is the difference between clone phishing and spear phishing?

Clone phishing involves creating a near-identical copy of a legitimate, previously delivered email, but with malicious links or attachments. Spear phishing, while also highly targeted, focuses on crafting a new, personalized message from scratch based on extensive research of the target, rather than replicating an existing email.

What is the best example of spear phishing or whaling?

One of the best real-life examples of spear phishing or whaling involves an attacker posing as the CEO of Snapchat, who targeted an HR staffer, resulting in the leakage of payroll and other employee information.

SEE TORQ IN ACTION

Ready to automate everything?

“Torq takes the vision that’s in your head and actually puts it on paper and into practice.”

Corey Kaemming, Senior Director of InfoSec

“Torq HyperSOC offers unprecedented protection and drives extraordinary efficiency for RSM and our customers.”

Todd Willoughby, Director

Compuquip logo in white

“Torq saves hundreds of hours a month on analysis. Alert fatigue is a thing of the past.”

Phillip Tarrant, SOC Technical Manager

Fiverr logo in black

“The only limit Torq has is people’s imaginations.”

Gai Hanochi, VP Business Technologies

Carvana logo in black

“Torq Agentic AI now handles 100% of Carvana’s Tier-1 security alerts.”

Dina Mathers, CISO

Riskified logo in white

“Torq has transformed efficiency for all five of my security teams and enabled them to focus on much more high-value strategic work.”

Yossi Yeshua, CISO

AI SOAR Alternative: Why SOAR is Dead and What’s Next


Last Updated December 2025

Security Orchestration, Automation, and Response (SOAR) was once hailed as the answer to a more efficient and automated Security Operations Center (SOC). The idea was compelling: automate repetitive tasks, reduce manual workloads, and speed up response times. 

But fast-forward to today, and despite generations of SOAR evolution, SOCs are still battling familiar challenges. Here’s why SOAR is dead — and why AI SOAR alternatives like Hyperautomation have replaced it.

What is SOAR? 

SOAR first emerged in the mid-2010s, promising to automate SOC tasks and improve operational efficiency. It aimed to accelerate incident response, reduce manual workloads, and unify siloed tools. 

While SOAR platforms were able to automate simple tasks like phishing response and threat intel propagation, they ultimately fell short in addressing the core challenges of modern SecOps: threat detection, investigation, and response (TDIR).

SOAR platforms were designed to orchestrate tools, automate workflows, and respond to alerts more efficiently. Theoretically, they should unify disparate technologies into a cohesive system where incidents can be enriched, triaged, and remediated through pre-built playbooks. So what went wrong?

Why SOAR Failed to Automate the SOC 

To understand why SOAR hasn’t met expectations, it helps to examine the nature of SOC work. Security operations involve a combination of two types of tasks:

  • Thinking tasks: Interpreting alerts, determining scope and impact, and creating response plans.
  • Doing tasks: Activity-based tasks like taking response actions, updating systems, and notifying stakeholders.

SOAR platforms were pretty good at automating “doing” tasks, but they struggled with the more complex, judgment-driven “thinking” tasks. Here’s why:

  • Too complex: Thinking tasks require deep understanding, data synthesis, security expertise, and decision-making. Replicating these traits with static playbooks is nearly impossible.
  • Unpredictable: Security operations deal with highly variable inputs, which leads to an ever-expanding set of edge cases that are difficult to account for in playbooks.
  • Not customizable: Out-of-the-box playbooks rarely meet an organization’s specific needs, leading to expensive custom coding and high maintenance burdens.

Over 80% of organizations agree SOAR is too complex, costly, and time-consuming — and nearly 90% admit that building even basic automation requires a huge upfront investment in time and resources. 

Even GenAI advancements aren’t enough. SOCs need security automation that can adapt and understand the complexities of threat detection and investigation. Automating the “thinking” tasks is the key to achieving true SOC automation.

Instead of solving problems, legacy SOAR platforms created new ones: rigid architectures, limited integrations, disconnected defenses, and overwhelmed analysts drowning in alert noise. Built on monolithic, non-cloud-native infrastructure, SOAR can’t scale, can’t adapt, and definitely can’t keep up with modern threat landscapes.

SOAR isn’t just outdated — it’s holding security teams back. See why SOAR is dead.

Introducing Hyperautomation: The Only AI SOAR Alternative

As organizations reach their breaking point with traditional SOAR’s shortcomings, they’re turning to the only effective AI SOAR alternative — Hyperautomation. This next-gen approach fuses Gen AI, agentic AI, low-code/no-code orchestration, and cloud-native infrastructure into a single, adaptive engine for modern security operations.

Unlike traditional automation or AI SOAR point solutions, agentic AI-driven Hyperautomation doesn’t just execute tasks — it thinks, learns, and scales. It mimics the analytical reasoning of human analysts, turning high-effort “thinking” functions into fully autonomous, intelligent workflows. From real-time triage to dynamic response, Hyperautomation redefines what’s possible in the modern SOC.

Hyperautomation + AI Agents = A Happy SOC

At the heart of a Hyperautomated SOC are AI agents. While Hyperautomation connects and automates the entire security stack, agentic AI brings the cognitive power — making independent decisions, adapting, and continuously learning from every signal.

This combination transforms traditional automation into something far more powerful: a fully autonomous SOC workflow that mimics human judgment at machine speed. The outcome isn’t replacing human analysts — it’s making their lives in the SOC less stressful and more engaging.

Benefits of AI agents in the SOC include:

  • Finding more real threats: Agentic AI can process and correlate every alert at machine speed, allowing SOCs to uncover real threats that might otherwise go unnoticed.
  • Reducing MTTR: By eliminating manual bottlenecks in triage and investigation, agentic AI can drastically reduce response times, helping SOC teams resolve incidents in minutes instead of days.
  • Boosting analyst productivity: Automating repetitive tasks frees up analysts to focus on higher-value work, such as investigating complex incidents or working on strategic initiatives.
  • Increased efficiency: With agentic AI handling the mundane tasks, analysts can shift their focus to more meaningful work, improving job satisfaction and reducing burnout.

Leading Analysts Agree: SOAR is Dead

Leading industry analysts, including Gartner, GigaOm, and IDC agree that legacy SOAR platforms are obsolete. Modern cybersecurity demands flexibility, speed, and intelligence that only Hyperautomation can provide.

In their recent report, IDC confirms what security teams already know: Legacy SOAR promised efficiency but delivered complexity. IDC specifically highlights AI SOAR replacement, Torq Hyperautomation™, as a game-changing platform that goes beyond automation and enters the realm of true autonomous operations — powered by agentic AI, built-in case management, and real-time orchestration across the entire security stack.

“Hyperautomation is the answer to existing SOAR platforms. Torq’s Hyperautomation capabilities can help improve the efficacy of security teams now and in the future. The agentic AI architecture is disruptive.”

– Chris Kissel, Vice President, Security & Trust Products, IDC Research

Real-World Impact: AI SOAR in Action

Valvoline: Saving 7 Analyst Hours Daily After Legacy SOAR Failed

When Corey Kaemming became Senior Director of InfoSec at Valvoline, his team had just been cut from 24 to 12 analysts during a major divestiture. Their legacy SOAR was a bottleneck — deeply customized, code-heavy, and impossible to maintain. Only a handful of SMEs could build new use cases, and when the SOAR broke, it broke everything. Analysts spent up to 12 hours daily reviewing and triaging phishing emails alone.

Valvoline deployed Torq Hyperautomation and saw operational value within 48 hours. A Rapid7 integration their legacy SOAR couldn’t complete after hundreds of hours was running in under a week. Torq now automatically monitors email activity, correlates data across Microsoft 365, Defender, and CrowdStrike, and escalates only when necessary.

The Results:

  • 6–7 analyst hours saved per day on phishing workflows alone
  • Automated containment: Malicious link clicks trigger instant password resets, session terminations, and coordinated response
  • Operational ROI from day two with continued expansion across teams
  • Non-developers building workflows thanks to drag-and-drop logic and in-platform testing

Bloomreach: Scaling Automation Enterprise-Wide After Traditional SOAR Stalled

Bloomreach’s 24×7 global SOC relied on traditional SOAR, but the platform demanded developer-level expertise for every workflow. Automation was siloed in the hands of just a couple of specialists. Adoption lagged, workflows bottlenecked, and the SOC couldn’t scale its automation culture beyond a few power users. Junior analysts were locked out of the automation process entirely.

Torq HyperSOC™ democratized workflow building across the entire team. Torq Socrates, the AI SOC Analyst, added intelligence to every step, from triage and enrichment to suggested actions. The platform’s flexibility allowed Bloomreach to extend automation beyond the SOC into Help Desk and Business Intelligence teams.

The Results:

  • 5+ analyst hours saved per week from just two workflows — with dozens more in production
  • Analysts at every level now build and maintain workflows independently
  • Enterprise-wide adoption: Help Desk automates account management; BI automates Salesforce renewal workflows
  • Faster learning curve: Team members productive without completing formal training

Why Torq HyperSOC™ is the Definitive SOAR Replacement

Legacy SOAR platforms promised security automation. Torq HyperSOC delivers it at a scale, speed, and intelligence legacy systems simply can’t match. 

Torq HyperSOC is the industry’s first fully autonomous SOC platform, powered by a Multi-Agent System (MAS) that triages, investigates, and remediates threats. It doesn’t just respond to alerts — it thinks, acts, and learns like a human analyst, but faster and 24/7.

Our cloud-native, AI-powered SOC platform delivers:

  • Limitless integrations: Torq connects with virtually any tool in your security ecosystem — EDR, SIEM, IAM, cloud, SaaS, or legacy — with no-code simplicity. You can integrate and automate stack-spanning workflows in minutes, not months.
  • Real-time threat response: Powered by agentic AI, Torq doesn’t just wait for alerts — it autonomously triages, investigates, and remediates threats as they emerge.
  • Proactive defense: Torq detects patterns, identifies risks before they escalate, and automates preemptive actions to neutralize threats at the source.
  • Unmatched scalability: Whether you’re processing 100 or 100,000 alerts daily, Torq’s cloud-native, event-driven architecture handles it without sweat.

This isn’t just an AI SOAR — it’s a whole new category. Torq Hyperautomation isn’t trying to fix legacy problems with band-aid solutions. It’s built from the ground up for the AI era, where speed, intelligence, and adaptability aren’t nice-to-haves — they’re SOC survival essentials.

The Torq Difference: What Sets Us Apart from SOAR Vendors

SOAR is Dead: Long Live Hyperautomation

The era of legacy SOAR is over. Organizations are increasingly making the switch to Torq Hyperautomation, the true AI SOAR alternative that can meet the modern SOC’s demand for speed, autonomy, and adaptability.

Ready to step into the future of security operations? Our team has helped major enterprises from every industry make the switch, quickly and easily.

FAQs

What is AI SOAR and how does it differ from traditional SOAR?

AI SOAR integrates Artificial Intelligence (AI) and Machine Learning (ML) into security orchestration to enable autonomous decision-making. Unlike traditional SOAR, which relies on static, manual playbooks, AI SOAR can adapt to new threats, investigate complex incidents, and execute remediation without constant human intervention.

Why did traditional SOAR tools fail?

Traditional SOAR tools failed because they were rigid, complex, and unable to scale. They automated simple tasks but struggled with the “thinking” parts of security operations, requiring heavy maintenance and custom coding that overburdened security teams instead of relieving them.

How does Hyperautomation improve SOC operations?

Hyperautomation combines AI, machine learning, and robotic process automation (RPA) to automate as many business and IT processes as possible. In the SOC, this means moving beyond simple task automation to full-scale autonomous workflows that handle triage, investigation, and response at machine speed. Visit our in-depth guide on Hyperautomation for detailed insights.

What are the benefits of using Torq's AI solutions?

Torq’s AI solutions offer reduced Mean Time to Respond (MTTR), 95% automated triage of Tier-1 alerts, and significant reductions in analyst burnout. By deploying Agentic AI, Torq acts as a force multiplier, allowing lean teams to handle enterprise-scale threat volumes.

How can I integrate Torq's solutions into my existing SOC?

Torq is designed to be plug-and-play with an agentless, API-first architecture. It integrates with hundreds of security tools (SIEM, EDR, Cloud, Identity) out of the box, allowing you to deploy automated workflows in minutes without ripping and replacing your current stack.

Why is AI SOAR considered the future of security automation?

AI SOAR represents the future because it addresses the fundamental limitation of all previous automation approaches: the inability to handle cognitive tasks. As threat landscapes grow more complex and alert volumes explode, SOCs can’t hire their way out of the problem. AI SOAR — specifically agentic AI-powered Hyperautomation — provides the only scalable path forward, delivering autonomous operations that match human intelligence at machine speed and scale.

What actionable steps can a SOC take to implement AI SOAR?

Implementing AI SOAR follows a structured approach. Start by auditing your current SOAR pain points — identify which playbooks break most often and which tasks consume the most analyst time. Next, prioritize high-volume, repetitive use cases like phishing triage or endpoint alerts for initial automation. Then, select a platform with no-code integration capabilities to accelerate deployment. Finally, measure baseline metrics (MTTR, alert volume, analyst hours) before implementation to quantify ROI. Torq’s agentless, API-first architecture enables deployment in days, not months.


What is the Pyramid of Pain in SOC Automation?


Patrick Orzechowski (also known as “PO”) is Torq’s former Field CISO, bringing his years of experience and expertise as a SOC leader to our customers. PO is a seasoned security veteran with a deep understanding of the modern security landscape. You can find him talking to SOC leaders and CISOs from major brands at cybersecurity events around the world.

How to Solve Common SOC Pain Points With AI-Driven Hyperautomation

About 10 years ago, Alex Pinto came up with the idea of the threat intelligence “Pyramid of Pain” in the talk Measuring the IQ of Your Threat Intelligence Data at DEF CON ’22. I love this idea and I think it applies to a lot of aspects of cybersecurity, especially as we move towards a more autonomous, less human-involved security operations center (SOC).

Looking to automate your SOC? Below, I walk through each level of the Pyramid of Pain applied to the security automation journey as a framework for reducing business risk and accelerating incident mean time to respond (MTTR). 

The SOC Automation Pyramid of Pain: From Bottom to Top

Level 1: The Basics — Integrations, Enrichment, and Context

The promise of legacy SOAR was to automate the core functions of a SOC, especially from a Tier-1 and Tier-2 perspective. These are the most basic aspects of automating security operations and have been around forever, dating back to Perl scripts! Whether you use Python, Go, or any other automation capabilities including PowerShell, these capabilities have existed since security operations centers have been a thing.

Any automation platform that you implement should have these enrichment capabilities inherently built into them to enhance and contextualize indicators of compromise (IOCs), identities, and assets. They’re the foundation of automation and the core of security operations. Crucially, they should also enable the humans who work in your SOC to be as efficient and effective as possible when it comes to responding to threats, new vulnerabilities, and systems that exist in your environment. 

Difficulty: Low
Business risk impact: Low

  • Time savings: 80-90% reduction in manual data enrichment, saving 1-2 hours per SOC analyst daily.
  • Cost efficiency: Up to 730 hours saved per analyst annually (based on 2-3 hours of manual tasks per day). At an average hourly rate of $50, this equals $36,500 saved per analyst per year, or $365,000 for a 10-analyst team.
  • Productivity gains: 30-50% faster triage due to immediate access to enriched data.
  • Overall risk reduction: Fewer missed IOCs due to consistent enrichment (priceless!).

Level 2: Moving Up — Collaborative Case Management

Case management is an essential piece of any security operations automation platform. Legacy SOAR and traditional case management systems do not take into account all of the other teams and functions that are involved in a typical incident response scenario. 

In contrast, Torq’s case management system in HyperSOC™ allows collaboration between teams’ workflows and workspaces that enable different organizations to enrich and contribute to an incident response scenario.

Difficulty: Low
Business risk impact: Low

  • Time savings: 25-50% reduction in time spent managing cases due to automated workflows.
  • Cost efficiency: Avoiding the need to hire one additional analyst saves $100K-$150K annually (varies by location), including salary and benefits.
  • Productivity gains: SOC analysts can consistently handle 2-3x more cases at the same time without additional headcount.
  • Reduced Mean Time to Respond (MTTR): Automation reduces MTTR by up to 50-70%, allowing faster incident containment and remediation.
  • Risk reduction: Faster response minimizes the potential financial impact of a breach. The average cost of a data breach was $4.88M in 2024.

Level 3: Automated Reporting — KPIs and SOC Metrics

SOC metrics have consistently posed a challenge for enterprises. Metrics such as Mean Time to Respond (MTTR), Mean Time to Detect (MTTD), Mean Time to X, and other similar measurements often fail to capture the true scope of business risk. 

To address this, an automation system should facilitate collecting metrics across all security tools and the entirety of an enterprise’s security stack. This provides a comprehensive view of the SOC’s activities, processes, and resulting business outcomes — ensuring that the impact of security operations is clearly understood.

Difficulty: Low
Business risk impact: Medium

  • Time savings: Up to 90% reduction in time spent generating compliance and audit reports.
  • Reporting accuracy: Minimal to no errors in reporting, ensuring compliance with regulatory frameworks like GDPR and PCI-DSS.
  • Fine avoidance: By ensuring reporting accuracy and compliance, companies could avoid, for example, $50K-$100K per month for PCI-DSS violations (depending on transaction volume and duration), or up to €10 million or 2% of global annual revenue (whichever is greater) for GDPR non-compliance.
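The metrics this level talks about (MTTD, MTTR) and the baseline the implementation FAQ earlier on this page asks for (alert volume, analyst hours, and which use cases eat the most analyst time) can be pulled from a case export in a few lines. This is an added Python example, not Torq's code; the records, field names, and the choice of where the MTTD and MTTR clocks start and stop are assumptions stated in the comments.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed alert records (not real data). Times are ISO-8601, UTC.
# first_event: when the activity started; detected: when the alert fired;
# resolved: when the case closed (None while open); analyst_minutes: logged hands-on time.
INCIDENTS = [
    {"id": "A1", "use_case": "phishing", "first_event": "2025-03-01T08:00:00",
     "detected": "2025-03-01T08:05:00", "resolved": "2025-03-01T10:05:00", "analyst_minutes": 45},
    {"id": "A2", "use_case": "phishing", "first_event": "2025-03-01T09:00:00",
     "detected": "2025-03-01T09:15:00", "resolved": "2025-03-01T10:15:00", "analyst_minutes": 30},
    {"id": "A3", "use_case": "phishing", "first_event": "2025-03-01T12:00:00",
     "detected": "2025-03-01T12:10:00", "resolved": "2025-03-01T12:40:00", "analyst_minutes": 15},
    {"id": "A4", "use_case": "endpoint", "first_event": "2025-03-01T07:00:00",
     "detected": "2025-03-01T07:30:00", "resolved": "2025-03-01T11:30:00", "analyst_minutes": 90},
    {"id": "A5", "use_case": "endpoint", "first_event": "2025-03-01T13:00:00",
     "detected": "2025-03-01T13:20:00", "resolved": "2025-03-01T14:20:00", "analyst_minutes": 30},
    {"id": "A6", "use_case": "endpoint", "first_event": "2025-03-01T14:35:00",
     "detected": "2025-03-01T15:00:00", "resolved": None, "analyst_minutes": 30},
    {"id": "A7", "use_case": "cloud_iam", "first_event": "2025-03-01T06:00:00",
     "detected": "2025-03-01T06:02:00", "resolved": "2025-03-01T06:32:00", "analyst_minutes": 10},
]


def _ts(value):
    """Parse an ISO timestamp; None stays None (open case)."""
    return datetime.fromisoformat(value) if value else None


def _minutes(start, end):
    return (end - start).total_seconds() / 60


def baseline_by_use_case(incidents):
    """Group alerts by use case and compute volume, MTTD, MTTR and analyst hours.

    Assumed definitions: MTTD is first_event -> detected and MTTR is
    detected -> resolved, both in minutes (teams differ on where the clocks start).
    Open cases count toward volume and MTTD but are excluded from MTTR.
    """
    groups = defaultdict(list)
    for inc in incidents:
        groups[inc["use_case"]].append(inc)
    summary = {}
    for use_case, items in groups.items():
        mttd = [_minutes(_ts(i["first_event"]), _ts(i["detected"])) for i in items]
        closed = [i for i in items if i["resolved"]]
        mttr = [_minutes(_ts(i["detected"]), _ts(i["resolved"])) for i in closed]
        summary[use_case] = {
            "alerts": len(items),
            "open": len(items) - len(closed),
            "mttd_minutes": mean(mttd),
            "mttr_minutes": mean(mttr) if mttr else None,
            "analyst_hours": sum(i["analyst_minutes"] for i in items) / 60,
        }
    return summary


def rank_pain_points(summary, key="analyst_hours"):
    """Order use cases by the chosen metric, highest first; the top entries are the
    high-volume, high-effort candidates to automate first."""
    return sorted(summary, key=lambda u: summary[u][key] or 0, reverse=True)


if __name__ == "__main__":
    summary = baseline_by_use_case(INCIDENTS)
    for use_case in rank_pain_points(summary):
        m = summary[use_case]
        mttr = "n/a" if m["mttr_minutes"] is None else f"{m['mttr_minutes']:.0f}m"
        print(f"{use_case:10} alerts={m['alerts']} open={m['open']} "
              f"MTTD={m['mttd_minutes']:.0f}m MTTR={mttr} analyst_hours={m['analyst_hours']:.2f}")
```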

Level 4: Basic Automated Response — Point Solution Capabilities

Every security vendor, whether endpoint, firewall, email, or any other point solution, should prioritize robust API capabilities to enable automated response and remediation. 

At this point in the security automation journey, enterprises should be able to automate responses to critical incidents, such as host isolation, malicious processes, stolen or compromised identities, and assets that have been identified as vulnerable to critical Internet-exposed vulnerabilities.

Difficulty: Medium
Business risk impact: High

  • Response time improvement: 80%+ faster containment for malware infections, phishing attacks, and account compromises.
  • Overall risk reduction: Significantly decreased threat exposure window through automated response actions within seconds to minutes.
  • Increased employee satisfaction: Reduced analyst burnout as analysts focus on complex threats instead of repetitive tasks. 89% of employees report higher job satisfaction after adopting automation solutions.
  • Savings through talent retention: With a global shortage of 2.3M+ SOC analysts, retaining talent is paramount. Satisfied analysts stay longer, and not needing to hire even one additional SOC analyst saves between $50K-$100K (varies by region), including recruitment, training, and lost productivity. Companies using Hyperautomation report retention as a key ROI metric for 43% of leaders.

Level 5: The Point of the Spear — Fully Automated Remediation Across the SOC

At the highest level of security automation maturity, organizations should be bringing together all of the capabilities of their security stack. This integration should extend to IT security operations, DevOps, cloud communications, and cloud capabilities, as well as any on-premise or custom applications, enabling a comprehensive automated response to threats and vulnerabilities. 

The aim is to streamline and automate all processes that are identified to reduce business risk and improve MTTR, integrating the entire IT and security stack to achieve autonomous remediation. This paves the way for an autonomous SOC that handles routine security responses, with human intervention reserved for critical decisions.

Difficulty: High
Business risk impact: High

  • MTTR reduction: Up to 70% decrease in MTTR, minimizing business disruption during high-severity incidents.
  • Risk elimination and consistency: Near-zero human error ensures consistent, immediate investigation and remediation of critical incidents.
  • Operational scalability: SOCs can handle a 200-300% spike in incident volume without adding headcount.
  • Labor cost savings: Near-zero human intervention required for routine remediation actions saves thousands of hours annually, equivalent to $300K-$500K in labor costs (region dependent).

The Value of Automating SOC: How Much You Can Save

Pyramid of Pain Level | Tangible Value and Metrics
1. Enrichment and API Integration | 80-90% time savings on data enrichment; $50K-$100K cost savings; 30%-50% faster triage
2. Collaborative Case Management | 25-50% time savings on case management; 3x case handling capacity; $100K+ annual savings; 50-70% MTTR reduction
3. Metrics/KPIs and Automated Reporting | 90% time savings on generating reports; regulatory non-compliance fine avoidance
4. Basic Automated Response | 80%+ faster response; higher employee retention and satisfaction; improved threat containment
5. Fully Automated Remediation | Near-zero manual effort; scalable security operation; $300K-$500K in labor cost savings

More Autonomy, Less Pain

By harnessing the power of agentic AI on a Hyperautomation engine, Torq’s platform combats SOC killers like alert fatigue, manual workflow building, inefficient case workloads, and wading through pages of logs to write case summaries and reports. Autonomous triage, investigation, and response reduces MTTR and frees up analysts to focus on the fun stuff like strategic projects and complex, critical incidents. 

This is the promise of the autonomous SOC — and it’s the pitch that won Torq the Innovation Sandbox competition at CPX 2025. 

Want to chat about how to reach the top of the SOC Automation Pyramid of Pain?


Torq Named One of America’s Best Startup Employers By Forbes and Business Insider


I couldn’t be more proud of our employees and the unique corporate culture we’ve established at Torq since we began this journey in 2020. In 2024, we hit 200% in employee growth along with 300% revenue growth as our Agentic AI and autonomous SOC solutions gained dramatic Fortune 500 adoption. 

And the world has taken notice with Forbes naming us to its America’s “Best Startup Employers 2025” list and Business Insider calling us one of the “43 startups to bet your career on in 2025.”

High Octane Culture & Careers 

Having these top-tier publications validate and reflect what every Torq employee feels when they start work every day is truly gratifying. We established this company as one where employees could achieve their career goals, significantly enhance their skills and knowledge, and have a whole lot of fun in the process.

This culture was prominently on display at our Sales Kickoff a few weeks ago in Madrid, where employees from across the globe gathered to plan how the year unfolds and celebrate our incredible momentum and accomplishments to date. The enthusiasm at the event was electric and contagious as we drove our “All Gas, No Brakes” theme across every element of the organization.

“All gas, no brakes”: Torq CEO Ofer Smadari and team at the company’s 2025 Sales Kickoff in Madrid.

One of America’s Best Startup Employers 

Forbes chose Torq for its list by analyzing a set of KPIs that correspond to company growth and workplace satisfaction. After gathering more than 7 million data points from over 20,000 eligible companies, 3,000 employers qualified for in-depth analysis. In the end, only 500 employers were included in the ranking, including Torq. Each employer’s final evaluation was based on three key criteria: employer reputation, employee satisfaction, and company growth.

A Startup to Bet Your Career On

Business Insider researched startups that have strong founding teams and investor dollars, with a focus on AI. It determined Torq was among a handful of companies advancing by leaps and bounds across sales and employee growth, along with technological prowess.

These accolades belong to every single Torq employee that’s contributed to this amazing journey to date. This is a place where people come to do their best work, push the technological envelope as far as it can go, and where every idea is given an open forum for consideration. 

Thanks again to Forbes and Business Insider. And thanks to Torqers worldwide. We’re just getting started!


Torq’s AI-Native Autonomous SOC Wins Check Point’s CPX 2025 Innovation Sandbox Competition


Torq took home the top prize at Check Point’s 2025 Innovation Sandbox Competition during their annual CPX conference in Las Vegas. Chris Coburn, Torq’s Sr. Director of Tech Alliances, faced off against 13 other companies to pitch Torq’s AI-native autonomous SOC to a panel of judges and voting audience.

As the Innovation Sandbox winner, Chris earned the opportunity to deliver a main-stage keynote to thousands of security professionals and leaders, sharing how Torq’s agentic AI and Hyperautomation capabilities are saving SOC analysts from burnout while strengthening overall security posture.

“We are witnessing a new era in cybersecurity, and we are thrilled with the innovation throughout the ecosystem. It’s clear that AI and machine learning will play a critical role in shaping the future,” said Brian Linder, Head of Cyber Evangelists in the Office of the CTO at Check Point. “We congratulate Torq on winning first place in the competitive Innovation Sandbox at CPX 2025 Americas and look forward to following their journey as they continue to innovate as an emerging player in cybersecurity.”

The Pitch: AI or Die — Saving the SOC with Agentic AI and Hyperautomation

“It’s time to adopt AI or die. Everybody’s saying it — AI’s here now and it’s going to be a massive part of cybersecurity going forward. Torq is using AI to help solve everything that is killing our SOC teams every day.” 

Chris Coburn, Sr. Director of Tech Alliances, Torq

SOCs are in crisis. Security teams are buried in alerts, and they spend far too much time trying to make disparate tools talk to each other and reconciling the different data formats those tools emit. Even when analysts find a true positive alert, the investigation, communication, and remediation steps can be disjointed and painful. This overload causes alerts to be missed, leaving organizations vulnerable to attacks and breaches.

To combat these SOC killers, Torq offloads the mundane, highly repetitive tasks to Hyperautomation and AI, turning down the volume so human analysts can focus on critical threats, with enriched insights to accelerate their decision-making. 

Torq’s AI-native autonomous SOC is made up of three components:

  1. A foundation of enterprise security-grade architecture built completely on zero trust, cloud-native, extensible software. 
  2. A Hyperautomation engine which makes building automations as easy and powerful as possible, integrated across your entire security stack.
  3. AI agents that act as accelerators for SOC operations. These include an AI Workflow Builder that rapidly generates custom automation workflows using natural language prompts, AI Case Summaries that deliver concise, structured summaries so your team can get up to speed faster, and Socrates, Torq’s agentic AI SOC Analyst that can autonomously triage, investigate, and remediate 95% of Tier-1 cases. 

AI-driven Hyperautomation changes the picture for SOCs today. With Torq, 95% of Tier-1 incidents can be auto-remediated, allowing human security analysts to focus on the strategic and engaging work that they actually care about. 

This is the promise of the autonomous SOC — and Torq is making it happen.

Explore Torq’s winning autonomous SOC pitch from the Innovation Sandbox competition at Check Point CPX 2025.

Want more where this came from? Get the AI or Die Manifesto > 

Check Point Speeds Up Their SOC with Torq HyperSOC™ 

“With Torq HyperSOC, we can react automatically to problems before they become security incidents.” 

Jonathan Fischbein, CISO at Check Point

Check Point was facing a challenge that many security teams can relate to: too many alerts and too few analysts. When Check Point’s CISO Jonathan Fischbein went on the hunt for a security automation solution, feedback from fellow CISOs and CIOs led him to bypass legacy SOAR products in favor of Torq’s HyperSOC solution.

Key ‘wow factors’ for Check Point included:

  • Easy-to-use UI centered around the SOC analyst experience to make their jobs easier
  • Deployment within days of dozens of AI-driven playbooks, automating responses to some of the organization’s most repetitive security alerts
  • Integrations that “fit like a glove” with Check Point’s existing security stack 

Today, Torq’s AI-driven HyperSOC investigates, triages and remediates many of Check Point’s internal security alerts without any human intervention. If an alert meets certain parameters based on security policies, the platform autonomously takes action, such as initiating an MFA challenge or locking out a suspicious user. High-priority incidents are routed for human intervention, with intelligent case insights and recommendations that help analysts make better decisions, faster.

The end result? Dramatic efficiency gains and reduced alert fatigue.

The Dawn of Agentic AI in the SOC

Now that six in ten security leaders view AI as a “game changer” across all security functions and 85% of security professionals report increased AI investment and usage in the past year, it’s clear that AI is no longer a fringe technology in security operations.

But the AI conversation has evolved recently as a new buzzword has taken over: agentic AI. Underlying the hype are real advancements that have the potential to transform security operations by adding autonomous, goal-oriented decision making to AI-powered SOCs. Gartner even named agentic AI one of the Top Strategic Technology Trends for 2025.  

Agentic AI is especially promising for security operations as a way to tackle persistent challenges such as alert fatigue, analyst burnout, and an ongoing talent shortage. Additionally, as increasingly automated attacks intensify the stakes for SOC teams, agentic AI will be a pivotal technology to counteract evolving threats through improved proactiveness and scalability. 

2 Key Use Cases for Agentic AI in the SOC 

1. Agentic AI in Phishing Response

Phishing continues to plague SOCs as one of the most common attack vectors for data breaches and ransomware. Agentic AI can elevate phishing response capabilities by streamlining triage, investigation, and containment once detections are flagged by external systems. 

Through seamless integrations with email security, identity management, threat intelligence, EDR, CMDB, and SIEM solutions, Torq’s Agentic AI can autonomously:

  • Examine recipients, email content, links, attachments, IOC reputations, and related case and threat information to determine scope and impact, identifying users who received, opened, or interacted with an email. 
  • Execute environment-wide sweeps for malicious payloads and correlate data to reveal compromised accounts or systems.
  • Initiate containment steps such as quarantining emails, resetting credentials, terminating sessions with enforced MFA, and blocking malicious domains or IPs.  

2. Agentic AI in EDR Response

Experts predict that 20% of new malware strains will be AI-assisted by 2025. Agentic AI can bolster malware detection and response by orchestrating rapid analysis, scoping, containment, and eradication once suspicious activity is flagged by external platforms. 

Torq’s Agentic AI integrates with EDR, CMDB, SIEM, and threat intelligence tools to autonomously:

  • Analyze file behavior (including hashes, signatures, and sandbox results), monitor endpoint resource usage, and detect suspicious persistence mechanisms or privilege escalations.
  • Correlate anomalies across multiple endpoints to identify the scope of compromise, pinpointing infected hosts, associated IOCs, and potentially affected privileged accounts.
  • Swiftly isolate infected endpoints, disable compromised accounts, and kill malicious processes. Malicious file hashes and IP addresses are then added to deny lists for continuous monitoring. Eradication actions can include removing malicious files, cleaning up affected systems, or re-imaging endpoints, ensuring a thorough remediation. 

Torq’s Multi-Agent System: Agentic AI in Action 

When you peel them back, many “AI SOC Agents” on the market are simply ChatGPT-style natural language chatbots. They may be capable of running steps and workflows but lack deep integrations and autonomous capabilities. 

In contrast, Torq’s Multi-Agent System is deeply integrated across the full security stack and able to take complex action and tackle multi-step tasks. At the helm is Socrates, Torq’s agentic AI SOC Analyst which can conduct fully autonomous case investigation, enrichment, and remediation from start to finish, as well as generating contextual recommendations. Alongside Socrates, Torq’s other AI agents provide AI-generated workflows, code, data transformations, case summaries, and more — helping SOC teams get more done, faster.

The Agentic AI ‘Wow Factor’ for Security Operations

“I believe the successful use of agentic AI in SOC operations shows up in practical outcomes. With Torq Agentic AI, the answer is ‘yes’ to questions such as: Are analysts happier? Are they sticking around? Do they have time to focus on more interesting and complex investigations? Are MTTM and MTTR lower? Torq Agentic AI extends and enhances our team so it can make better decisions more quickly — resulting in stronger security all around.”

Mick Leach, Field CISO, Abnormal Security

  • Boosting analyst engagement and retention: Rather than replacing human analysts, agentic AI can actually help make their day-to-day work in the SOC more rewarding and engaging by eliminating many of the “SOC analyst killers” that bog them down, such as alert fatigue, summarizing cases, and writing reports. This is crucial in a cybersecurity field that continues to deal with an ongoing talent shortage.
  • Augmenting human expertise: For complex and high stakes cases that require human intervention, analysts can collaborate with agentic AI to make faster and better-informed decisions. This is thanks to agentic AI’s ability to correlate information from multiple tools, signals, and third-party threat intelligence to contextually enrich cases and provide deeper insights.
  • Improving security posture: Through its ability to identify patterns and anomalies that may indicate malicious activity, agentic AI improves threat detection and response, enabling SOCs to proactively mitigate threats. Automated incident response and alert triage can reduce mean time to detect (MTTD), mean time to respond (MTTR), and mean time to containment (MTTC), minimizing the impact of security incidents.
  • Enhancing operational efficiency and scalability: By handling Tier-1 and Tier-2 alerts and automating routine tasks, agentic AI frees up human analysts to focus on more strategic initiatives, such as threat hunting and vulnerability management. Agentic AI also enables SOCs to scale more efficiently, managing a higher workload without adding headcount.

Considerations for Building Trust in AI in the SOC

SOCs planning to deploy AI capabilities, including agentic AI, should take steps now to document and audit current processes, because AI and automation must be used to scale effective processes rather than to compensate for ineffective ones. Security teams should also establish a method to quantify the operational gains from an AI deployment. 

As with any new technology, AI in the SOC will require new skills and training for security teams, such as learning how to effectively collaborate with agentic AI. Any agentic AI solution deployed should be able to raise a flag when it is missing information or requires human validation. For example, if the AI’s threat analysis leads it to recommend quarantining a laptop but the user’s title is “CEO”, the system should have the intelligence and boundaries to flag that the decision is “above its pay grade” and then escalate the decision for human review and approval.

To combat the risk of AI hallucinations and build trust in AI, the system must be able to transparently explain why it made the decisions it made and how it came to the conclusions it did. This requires the AI to bolster its insights and recommendations with citations to original, forensic evidence.
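The escalation boundary described above, turned into a check, as an added illustration rather than Torq’s own code: every containment action an agent proposes passes through a policy gate before it runs, and a recommendation that cites no evidence is rejected outright, which is the citation requirement just stated applied mechanically. The action names, protected titles, asset tags and confidence threshold are constructed assumptions.

```python
"""Policy gate for agent-proposed response actions.

Added example, not Torq code: every containment action an AI agent proposes is
checked against explicit boundaries before it runs. Anything outside them is
escalated to a human; a recommendation with no cited evidence is rejected.
Action names, protected titles, asset tags and the threshold are assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# State-changing actions that can disrupt a person or a system; enrichment is never gated.
DISRUPTIVE_ACTIONS = {"quarantine_host", "disable_account", "reset_password", "revoke_sessions"}
PROTECTED_TITLES = {"CEO", "CFO", "General Counsel"}          # assumed VIP policy
PROTECTED_ASSET_TAGS = {"production", "domain-controller", "payment"}
MIN_CONFIDENCE_FOR_AUTOPILOT = 0.90

@dataclass
class ProposedAction:
    action: str
    target: str                  # hostname or account name
    confidence: float            # agent's estimate that the alert is a true positive
    rationale: str
    evidence_refs: list[str] = field(default_factory=list)   # IDs of the artifacts cited

@dataclass
class TargetContext:
    user_title: str = ""         # from the identity provider / HR feed
    asset_tags: set[str] = field(default_factory=set)        # from the CMDB

def gate(action: ProposedAction, ctx: TargetContext) -> tuple[str, list[str]]:
    """Return ("execute" | "escalate" | "reject", reasons)."""
    if not action.evidence_refs:
        return "reject", ["no forensic evidence cited for this recommendation"]
    if action.action not in DISRUPTIVE_ACTIONS:
        return "execute", ["non-disruptive action"]
    reasons = []
    if action.confidence < MIN_CONFIDENCE_FOR_AUTOPILOT:
        reasons.append(f"confidence {action.confidence:.2f} below autopilot threshold")
    if ctx.user_title in PROTECTED_TITLES:
        reasons.append(f"target user holds protected title {ctx.user_title!r}")
    hits = sorted(ctx.asset_tags & PROTECTED_ASSET_TAGS)
    if hits:
        reasons.append(f"target carries protected asset tag(s) {hits}")
    return ("escalate", reasons) if reasons else ("execute", ["within policy bounds"])

if __name__ == "__main__":
    # Constructed scenario from the text: the agent wants to quarantine the CEO's laptop.
    proposal = ProposedAction("quarantine_host", "LT-0042", 0.97,
                              "credential-stealer behaviour on host", ["edr-evt-881", "proxy-log-17"])
    print(gate(proposal, TargetContext(user_title="CEO")))
```

The returned reasons are what the analyst sees in the escalation, so the gate doubles as the explanation the paragraph asks for: each refusal to act autonomously names the boundary that was hit.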

AI or Die: Get the Manifesto

While agentic AI is still a relatively nascent technology, its potential to revolutionize security operations is undeniable. But the crowded AI SOC market makes careful selection essential. 

Get the AI or Die Manifesto to learn red flags that separate AI-washed vaporware from truly impactful AI for the SOC, as well as strategic considerations for effective adoption.

Why Financial Institutions Need No Code Security Automation

For financial institutions, the pressure to outpace fraudsters, stay ahead of regulators, and defend sprawling infrastructures is endless. Yet inside too many SOCs, it’s still the same story: manual processes, brittle legacy tools, and security workflows held together by spreadsheets and custom coding.

That’s changing fast.

Modern financial institutions are turning to no code workflow automation to eliminate inefficiencies, reduce risk, and scale operations. They’re moving away from legacy SOAR platforms that require months of scripting just to get basic use cases up and running. With Torq, teams are deploying powerful, cross-functional automations in days.

From regional banks to asset giants like Blackstone, the shift is clear: No code isn’t just easier. It’s better. Faster. More secure. And it’s how the smartest financial orgs are staying ahead of the threats, and the competition.

Why Financial SOCs Are Turning to No Code Workflow Automation

Financial and bank SOCs face a perfect storm:

  • Rising attack volumes and sophistication
  • Burdensome regulatory oversight 
  • Analyst shortages and burnout
  • Pressure to do more with less

What Financial SOCs Are Automating First

Most financial customers come to Torq after hitting a wall with legacy SOAR. They’re tired of vendor sprawl, compliance nightmares, and tools that require a full engineering and professional services team just to run. 

Finance orgs prioritize use cases that deliver fast wins in compliance-heavy, high-risk environments. The most common starting points are:

They choose Torq because it’s secure by design: zero-trust architecture, native SOC 2 compliance, and a platform built to scale. They stay because it just works.

Blackstone: From SOAR to 80+ No Code Automated Workflows

Legacy SOAR platforms require custom scripting and complex coding to implement basic use cases. This dependence on coding creates massive bottlenecks in financial organizations that juggle dozens of tools and deal with an evolving threat landscape. It slows everything down, requires specialized talent, and makes scaling automation nearly impossible.

That’s why financial leaders are ditching SOAR for no-code security automation solutions. With intuitive, drag-and-drop tools, analysts — not just engineers — can build powerful, scalable automations across fraud detection, IAM, phishing response, and more.

Blackstone, the world’s largest alternative asset manager, spent years keeping just a handful of workflows alive in their legacy SOAR. After switching to Torq, they launched 30+ automations in six months. Today, they’ve scaled to over 80 workflows across incident response, fraud, threat hunting, and IAM.

What changed?

  • A no code workflow automation platform built for security teams that actually works
  • A scalable Hyperautomation solution that meets the rigor of financial controls
  • A true partnership — not just another vendor with a steep learning curve

How a Leading U.S. Bank Beat Zelle Fraud with No-Code Workflow Automation

Preventing fraud is a top challenge for financial institutions. As attacks become more sophisticated and digital-first payment methods become increasingly more common, the scale of financial fraud is escalating beyond the reach of legacy defenses. 

With the Torq platform’s no-code workflow automation, security teams can connect SIEMs, fraud detection systems, case management tools, and identity services with real-time, orchestrated workflows. Financial institutions can spot fraud faster, reduce false positives, and take immediate, coordinated action. 

Case in point: After a surge in Zelle fraud forced a top 30 U.S. bank to suspend Zelle services under SEC pressure, they turned to Torq. In just 90 days, they built over 100 automated workflows, including a no-code system that autonomously locks down compromised accounts.  

They were quickly able to reinstate Zelle services, and the fraud response time decreased from hours to seconds while automation expanded beyond the SOC into fraud, GRC, and IT. This is the power of no-code security workflow automation in action — fast, scalable, and built for high-stakes financial environments.

Why Torq Wins in High-Stakes Financial Environments

Financial institutions are highly regulated, highly targeted — and often highly siloed. That’s why they need automation that works, scales, and earns trust. Torq delivers:

  • No code architecture: Secure, scalable, built for both on-prem and cloud
  • Multi-tenant capabilities: Support for global SOC structures with centralized oversight
  • Fast, responsible AI: With Socrates and our multi-agent system, Torq lets humans direct strategy while AI handles Tier-1 remediation.
  • Audit-ready evidence: Every action is logged with full context and metadata.

Financial customers want to get it right the first time. With Torq, they can.

The Future of Financial SecOps Is Automated 

Banks, insurers, and fintechs are under pressure to modernize fast without compromising security or compliance. Legacy security automation and orchestration won’t cut it. No code workflow automation built for financial security teams is the only path forward.

Torq Hyperautomation gives you:

  • Faster outcomes
  • Fewer manual handoffs
  • Stronger compliance posture
  • Real ROI from day one

And we integrate with the tools you already use. Here are just a few of our integrations:

  • IT: ServiceNow, JIRA
  • Cloud: Wiz, Microsoft 365, Azure/Entra, AWS
  • SIEM & Logs: Splunk, Elastic, Chronicle, Stellar Cyber, Microsoft Sentinel
  • Identity: Microsoft Entra, Okta, SailPoint
  • Endpoint & Threat Detection: CrowdStrike, Defender, SentinelOne, Tenable
  • Phishing: Proofpoint, Abnormal Security
  • Threat Intelligence: VirusTotal, Recorded Future, AlienVault
  • Third-Party Risk: SecurityScorecard

Whether you’re replacing SOAR, launching security automation for the first time, or scaling into new business units — Torq is the partner to get you there. 

How to Automate Cloud Security with Wiz and Torq

One of the Torq Hyperautomation platform’s superpowers is its ability to integrate with anything. By partnering with top security vendors like Wiz, Torq empowers SOC teams to automate and streamline critical cloud security workflows, dramatically improving security posture while freeing up analyst time.

Wiz is known for delivering rich context and visibility into cloud risk. Torq takes those alerts and turns them into real-time action. Together, they help security teams address high-priority issues and the long tail of medium- and low-priority vulnerabilities that often slip through the cracks.

With Torq and Wiz, SecOps teams can build fully automated or human-on-the-loop remediation flows for tasks like expired secrets, unused privileged access keys, or public S3 buckets. These cloud security automations are more flexible and powerful than legacy SOAR platforms offer.

Below are three key examples of how to automate cloud security with Torq and Wiz.

Handle Wiz Alerts For Public AWS S3 Bucket With Sensitive Data

Looking for a simpler way to deal with Wiz alerts for when public AWS S3 buckets contain sensitive data? You’re in luck.

This workflow receives an alert from Wiz when an AWS S3 bucket with sensitive personal data is found to be exposed to the public. The alert triggers on Wiz ID wc-id-1264.

When the trigger is received, the workflow pulls the bucket’s public access settings and tags and looks for an owner tag. If no owner tag is found, it falls back to notifying a designated Slack channel instead of a named owner.

From there, it re-checks the bucket’s public access settings to see whether the issue was already resolved before the Wiz alert fired. If the bucket is still publicly accessible, it asks the owner (or the channel) for approval to restrict access. 

Once the user agrees, the bucket settings are updated and the Wiz issue is set to In Progress. If the user declines or the request times out, a Jira issue is opened to track the finding, and the Jira issue ID is added to the Wiz issue.

It’s important to note that this workflow enables all four S3 Block Public Access settings (BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy, RestrictPublicBuckets) on the bucket, which blocks all public access at once. If your application relies on some of that access, you may instead need a more granular change to the bucket’s JSON policy that removes only the offending grants; the existing policy is included in the Slack message for that purpose.
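The decision logic of this workflow, as an added example in Python that is not Torq’s or Wiz’s code: it evaluates the “is it still public?” re-check against the bucket’s policy and Block Public Access settings, picks the remediation, and routes the outcome to “close”, “apply and mark In Progress” or “open Jira”. It goes a step beyond the text in two ways: it also inspects the bucket ACL for AllUsers/AuthenticatedUsers grants, and it separates wildcard-principal statements that carry a Condition (which may still be restricted, for example to a VPC endpoint) so a human judges those instead of the automation. The code runs on already-fetched API responses; field names follow the AWS API, while the owner-tag convention, bucket name, VPC endpoint ID and sample data are constructed.

```python
"""Triage logic for a Wiz alert on a public S3 bucket holding sensitive data.

Added example, not Torq's or Wiz's code. It works on already-fetched AWS API
responses (GetPublicAccessBlock, GetBucketPolicy, GetBucketAcl, GetBucketTagging),
so it runs offline; in a live workflow those dicts come from boto3 calls made
after the Wiz trigger. Field names follow the AWS API; the sample data below and
the owner-tag convention are constructed.
"""
import json

OWNER_TAG_KEYS = ("owner", "Owner", "team")       # assumed tagging convention
PUBLIC_GRANTEES = {"http://acs.amazonaws.com/groups/global/AllUsers",
                   "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
# What the workflow in the text applies: all four S3 Block Public Access settings.
FULL_BLOCK = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

def find_owner(tag_set):
    """Owner value from an S3 TagSet list, or None if no owner tag exists."""
    for tag in tag_set:
        if tag.get("Key") in OWNER_TAG_KEYS:
            return tag["Value"]
    return None

def _principal_is_wildcard(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def policy_public_statements(policy_json):
    """(any unconditional public Allow?, Sids of conditional wildcard Allows).

    A Condition (e.g. aws:SourceVpce) may still restrict a '*' principal, so
    those statements are reported for a human to judge rather than auto-flagged.
    """
    if not policy_json:
        return False, []
    stmts = json.loads(policy_json).get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    unconditional, conditional = False, []
    for s in stmts:
        if s.get("Effect") != "Allow" or not _principal_is_wildcard(s.get("Principal")):
            continue
        if s.get("Condition"):
            conditional.append(s.get("Sid", "<no Sid>"))
        else:
            unconditional = True
    return unconditional, conditional

def acl_is_public(grants):
    return any(g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES for g in grants)

def assess(public_access_block, policy_json, acl_grants):
    """Is the bucket still reachable by the public right now?

    Block Public Access settings override what the policy/ACL say, so an alert
    may already be moot by the time the workflow runs (the text's re-check step).
    """
    pab = public_access_block or {}
    unconditional, conditional = policy_public_statements(policy_json)
    via_policy = unconditional and not pab.get("RestrictPublicBuckets", False)
    via_acl = acl_is_public(acl_grants) and not pab.get("IgnorePublicAcls", False)
    still_public = via_policy or via_acl
    return {"still_public": still_public, "via_policy": via_policy, "via_acl": via_acl,
            "needs_human_review": conditional,
            "remediation": FULL_BLOCK if still_public else None}

def next_step(assessment, owner_response):
    """owner_response is 'approve', 'reject' or None when the Slack question timed out."""
    if not assessment["still_public"]:
        return "close_alert_already_remediated"
    if owner_response == "approve":
        return "apply_public_access_block_and_mark_in_progress"
    return "open_jira_and_link_to_wiz_alert"

# --- constructed sample inputs, shaped like the AWS API responses ---------------
SAMPLE_TAGS = [{"Key": "env", "Value": "prod"}, {"Key": "owner", "Value": "payments-team"}]
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-exports/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-exports",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]})
SAMPLE_PAB_OPEN = {k: False for k in FULL_BLOCK}
SAMPLE_ACL_PRIVATE = [{"Grantee": {"Type": "CanonicalUser", "ID": "abc123"}, "Permission": "FULL_CONTROL"}]

if __name__ == "__main__":
    a = assess(SAMPLE_PAB_OPEN, SAMPLE_POLICY, SAMPLE_ACL_PRIVATE)
    print(find_owner(SAMPLE_TAGS), a["still_public"], a["needs_human_review"], next_step(a, None))
```

The `needs_human_review` list is what the Slack message should carry alongside the existing policy: the automation refuses to guess whether a conditioned wildcard grant is intentional, which is exactly the granular-policy caveat above.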

The bottom line: 2-4 hours of time saved per alert. 

How long this takes today depends on your existing process: finding the flagged S3 bucket, assessing the data sensitivity, verifying public access, digging through logs or tags to identify the bucket owner, and finally adjusting the public access setting once the owner responds. With Hyperautomation, the entire process runs in minutes. 

The risk of allowing sensitive data to live in a public AWS S3 bucket is high and incredibly time sensitive, making it the perfect use case for hyperautomation. The longer sensitive data is publicly exposed, the higher the probability of it leaking into the wrong hands. 

Pairing Torq with Wiz ensures an immediate, efficient, and accurate response, reducing the organization’s overall risk and saving analysts from spinning their wheels on these high-volume alerts.

Enable AWS S3 Bucket Encryption On Alert From Wiz

This workflow is a simple and effective way to ensure encryption is turned on for an AWS S3 bucket. 

First, the workflow is triggered by a Wiz alert with the control name “S3 bucket default encryption disabled.” If an owner tag is found, the owner is contacted directly in Slack; otherwise the designated Slack channel is notified about the issue. 

The workflow then checks the bucket’s encryption status to confirm default encryption is still disabled and proposes remediation by enabling default SSE-S3 (AES256) encryption on the bucket. 

If the user or Slack channel rejects the notification, the workflow collects a reason, opens a follow-up ticket, and updates the notes on the Wiz issue. 

The bottom line: 30-60 minutes of time saved per alert. 

While seemingly a simpler workflow than the previous public access to sensitive data risk, manually handling this high-volume, low-complexity Wiz alert requires context, attention to detail, and switching back and forth between a few different platforms.

Ensuring encryption is turned on for an AWS S3 bucket is more of a proactive security measure. It is a control that is often deprioritized, forgotten, or inconsistently enforced across the cloud environment, which again makes it a perfect scenario to let Hyperautomation take the reins. Note that since January 2023 S3 applies SSE-S3 to all new object uploads by default, so this control mostly matters for objects written before that change and for buckets that require a stricter setting such as SSE-KMS. 

An unencrypted bucket is still a real risk, and object storage is one of the first places an intruder looks for data after a breach or during a ransomware attack. One caveat worth keeping in mind: SSE-S3 is transparent to any principal with s3:GetObject permission, so default bucket encryption protects against compromise of the underlying storage and satisfies compliance controls; it does not by itself stop an attacker who has obtained valid credentials. Least-privilege bucket policies and the public access controls covered above remain the primary defense.

Using Wiz to identify this risk in your cloud environment and Torq to Hyperautomate the remediation ensures consistent and efficient encryption across all AWS S3 buckets, records a clear audit trail for compliance, and prevents SOC analysts from burning out by eliminating mundane, repetitive, and low-risk alerts. 

Remediate AWS EC2 Instance With Open SSH Access From Wiz Alert

This workflow receives an alert from Wiz and is triggered by an event with the control name “Instances with open SSH to the world in AWS.”

If an owner tag is found, the user will be looked up in Slack; otherwise, the Slack channel will be updated. The user or channel is then asked to remediate the instance by shutting it down or removing the open SSH rule in the Security Group and adding a specific network rule allowing SSH from a corporate-owned network.

The user or channel also has the option to open a Jira issue instead of remediating immediately. Any Jira issue opened, whether for a deferred fix or a process problem, is linked in the notes of the Wiz issue.

The bottom line: 1-3 hours of time saved per alert.

The most time-consuming part of investigating an AWS EC2 instance with open SSH access is communicating with the developer or system owner. The risk here is high and urgent, and it needs to be handled immediately, but also with care and precision, as incorrectly disrupting a critical production instance could have a significant negative impact on the business. 

This could make analysts hesitant to take action without additional context, extending the length of the investigation and the potential risk. Worse, the instance owner could push back, claiming that the access is intentional and required (Don’t worry; we have an answer for this, too… See Bonus use case! below). 

Hyperautomation not only handles the communication on behalf of the security team but also takes action immediately upon response, reducing the time it takes for the security analyst to find the system owner, wait for the reply, and modify the access in the AWS console. Together, Wiz and Torq ensure contextual remediation strategies are presented to the correct stakeholders and take rapid action in response to a critical threat without disrupting business as usual.

Bonus Use Case! 

While leaving SSH open to the world is a significant security risk and generally discouraged, there are still a few niche cases in which a developer may push back against shutting down access for a legitimate business reason. Even so, these cases should be treated as exceptions and handled with care. 

Hyperautomation offers a better, more secure alternative through self-service just-in-time (JIT) access. This allows only certain users to gain temporary SSH access for only a short period of time — rather than opening the flood gates completely — controlling who has permissions through IAM policies and minimizing risk to the organization.   
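The two remediation paths described above (remove the world-open SSH rule and replace it with a corporate-network rule, or hand out time-boxed JIT access instead), as one added Python example that is not Torq’s or Wiz’s code. It works on the `IpPermissions` structure that EC2 `DescribeSecurityGroups` returns and produces the payloads a workflow would hand to `revoke_security_group_ingress` and `authorize_security_group_ingress`, so it runs offline. It is slightly more general than the text: it catches port ranges that include 22, “all traffic” rules and IPv6 `::/0`, and revokes only the world-open range so other ranges on the same rule survive. The corporate CIDR, JIT lifetime, expiry marker and sample rules are constructed assumptions.

```python
"""Open-SSH security-group triage, plus the just-in-time (JIT) alternative.

Added example, not Torq's or Wiz's code. It works on the IpPermissions structure
returned by EC2 DescribeSecurityGroups (field names are AWS's) and produces the
payloads a workflow would hand to revoke_security_group_ingress and
authorize_security_group_ingress, so it runs offline. The corporate CIDR, the
JIT lifetime, the expiry marker and the sample rules are constructed assumptions.
"""
from datetime import datetime, timedelta

SSH_PORT = 22
WORLD = {"0.0.0.0/0", "::/0"}
CORPORATE_CIDR = "203.0.113.0/24"       # assumed corporate egress range (TEST-NET-3)
JIT_TTL = timedelta(hours=2)            # assumed maximum JIT grant
JIT_MARK = "jit-expires"                # assumed marker in the rule Description
ISO = "%Y-%m-%dT%H:%M:%SZ"              # fixed-width UTC stamps compare correctly as strings

def _covers_ssh(perm):
    proto = perm.get("IpProtocol")
    if proto == "-1":                   # "all traffic" rules have no port fields
        return True
    return proto == "tcp" and perm["FromPort"] <= SSH_PORT <= perm["ToPort"]

def open_ssh_rules(ip_permissions):
    """(permission, cidr) pairs that expose SSH to the whole internet, v4 or v6."""
    hits = []
    for perm in ip_permissions:
        if not _covers_ssh(perm):
            continue
        hits += [(perm, r["CidrIp"]) for r in perm.get("IpRanges", []) if r.get("CidrIp") in WORLD]
        hits += [(perm, r["CidrIpv6"]) for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") in WORLD]
    return hits

def revoke_and_replace(ip_permissions, corporate_cidr=CORPORATE_CIDR):
    """Revoke only the world-open ranges (other ranges in the same rule survive),
    then add one rule allowing SSH from the corporate network, as the text describes."""
    to_revoke = []
    for perm, cidr in open_ssh_rules(ip_permissions):
        entry = {"IpProtocol": perm["IpProtocol"]}
        if perm["IpProtocol"] != "-1":
            entry["FromPort"], entry["ToPort"] = perm["FromPort"], perm["ToPort"]
        if ":" in cidr:
            entry["Ipv6Ranges"] = [{"CidrIpv6": cidr}]
        else:
            entry["IpRanges"] = [{"CidrIp": cidr}]
        to_revoke.append(entry)
    to_authorize = []
    if to_revoke:
        to_authorize.append({"IpProtocol": "tcp", "FromPort": SSH_PORT, "ToPort": SSH_PORT,
                             "IpRanges": [{"CidrIp": corporate_cidr,
                                           "Description": "SSH from corporate network only"}]})
    return to_revoke, to_authorize

def jit_ssh_grant(requester_ip, now_iso):
    """Time-boxed /32 rule: the JIT alternative to leaving SSH open permanently."""
    expires = (datetime.strptime(now_iso, ISO) + JIT_TTL).strftime(ISO)
    return {"IpProtocol": "tcp", "FromPort": SSH_PORT, "ToPort": SSH_PORT,
            "IpRanges": [{"CidrIp": f"{requester_ip}/32",
                          "Description": f"{JIT_MARK}={expires}"}]}

def expired_jit_rules(ip_permissions, now_iso):
    """JIT rules whose expiry has passed; a scheduled workflow revokes these."""
    expired = []
    for perm in ip_permissions:
        for r in perm.get("IpRanges", []):
            desc = r.get("Description", "")
            if desc.startswith(JIT_MARK + "=") and desc.split("=", 1)[1] <= now_iso:
                expired.append({"IpProtocol": perm["IpProtocol"], "FromPort": perm.get("FromPort"),
                                "ToPort": perm.get("ToPort"), "IpRanges": [{"CidrIp": r["CidrIp"]}]})
    return expired

# --- constructed sample: one security group's ingress rules -------------------
SAMPLE_SG_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/8", "Description": "internal"}]},
    {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 25,        # a range that includes 22
     "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.20.0.0/16"}]},
]

if __name__ == "__main__":
    revoke, authorize = revoke_and_replace(SAMPLE_SG_PERMISSIONS)
    print(len(revoke), "world-open SSH range(s) to revoke;", len(authorize), "replacement rule(s)")
    print(jit_ssh_grant("198.51.100.7", "2025-01-01T12:00:00Z"))
```

The JIT path stores the expiry in the rule’s Description so the grant is self-describing in the AWS console, and the sweep that revokes expired grants needs no state of its own; if the sweep stops running, the grants outlive their TTL, so it belongs on a schedule the SOC monitors.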

These are just three of the myriad ways that Wiz and Torq partner to help SOC teams achieve smarter, faster cloud defense.

Wiz + Torq is the Future of Cloud Security Automation

With Wiz delivering deep cloud visibility and Torq translating that insight into real-time remediation, security teams can respond to threats faster, smarter, and more consistently. 

Together, they provide a proactive, efficient defense posture that legacy SOAR tools simply can’t match. Whether it’s public S3 buckets, disabled encryption, or open SSH ports, every second counts. By combining Wiz and Torq, you gain precision, speed, and control — hallmarks of a truly modern cloud security strategy.

Ready to transform your cloud security strategy? Watch our demo with Wiz.
