AI

AI SOC, Explained: How AI-Powered SOCs Transform SecOps

By Torq

April 29, 2025

9 Minute Read

Security Operations Centers (SOCs) are the command center of an organization’s frontline cybersecurity defenses — responsible for monitoring threats, prioritizing alerts, and orchestrating remediation. However, today’s SOCs are facing an existential crisis: an overwhelming volume of increasingly complex and sophisticated threats combined with a shortage of skilled analysts. This perfect storm is pushing SOCs to their breaking point, burning out their teams and leaving their organizations vulnerable.

Legacy security automation solutions struggled to keep up with the evolving threat landscape, especially at scale. The rise of artificial intelligence (AI) has been hailed as a game-changer for SOCs, offering the potential for unprecedented efficiency gains.

But what does effective use of AI in the SOC look like? Below, we show top use cases for leveraging AI in the SOC and explore how AI is transforming security operations.

What is an AI SOC?

An AI-powered SOC is a security operations center that leverages artificial intelligence to automate processes, enhance threat detection, accelerate incident response, provide contextual insights, and optimize resource allocation — resulting in greater efficiency and accuracy, improved decision-making, faster time to remediation, and a more proactive security posture.

The Technical Foundations of an AI-Powered SOC

Security automation has evolved way past SOAR — with Hyperautomation and AI Agents forming the new cornerstones of the modern autonomous SOC.

AI-driven Hyperautomation: By seamlessly integrating your security stack and instantly automating any security process using thousands of pre-built integration steps and AI-generated workflows, Hyperautomation offloads routine tasks, reduces analyst burnout, and accelerates threat response.
Multi-Agent System: Specialized AI Agents automate incident response by interpreting natural language instructions and collaborating to autonomously execute tasks such as alert triage, containment, and remediation actions. Human analysts can interface with the AI agents using natural language for accelerated enrichment, investigation, and recommended next steps.

What’s the Difference? All the AI in the SOC, Explained

This new landscape of AI in the SOC comes with a LOT of similar-but-different terminology. GenAI, AI Agents, OmniAgents, agentic AI, multi-agent systems — we get it, it can be confusing.
Here’s a breakdown of all the AI powering modern security operations, what each one does, and how Torq HyperSOC™ puts them all to work.

Term	Definition	What It Does	How Torq HyperSOC™ Uses It
GenAI	GenAI creates content, code, text, images, or predictions in response to natural language prompts	Enhances SOC operations with automated case summaries, enrichment, and workflow generation	Drafts incident summaries, generates workflow templates, and speeds up case documentation
Agentic AI	Agentic AI is autonomous, goal-driven AI that plans, adapts, and executes multi-step security workflows across time and tools	Powers AI agents with autonomy and adaptability to handle tasks like detection, triage, and response in real-time	Socrates, the AI SOC Analyst, coordinates and makes workflow decisions autonomously without human-triggered actions
AI Agent	An AI Agent is a single AI entity that independently handles a specialized task	Performs specific security tasks such as isolating endpoints, locking accounts, or enriching threat intelligence based on predefined triggers	Powers single-task automations: pulling threat intel, scanning suspicious emails, updating ServiceNow or Jira tickets
Multi-Agent System (MAS)	A Multi-Agent System is composed of multiple autonomous AI agents that collaborate to achieve complex goals	Deploys specialized AI agents in parallel across the SOC to handle triage, investigation, containment, and case management	MAS architecture: Runbook Agent, Investigation Agent, Remediation Agent, and Case Management Agent, all coordinated by Socrates
OmniAgent	An OmniAgent acts as a “Super Agent” orchestrating the activities and interactions between specialized AI Agents in a MAS	Uses sophisticated iterative planning and reasoning to solve complex, multi-step problems autonomously through the coordination of multiple AI Agents	Socrates identifies prioritizes, and remediates threats across the entire organization by controlling and coordinating the Runbook, Investigation, Remediation, and Case Management Agents

Top Use Cases for AI in the SOC

By analyzing vast amounts of data from across your security stack and executing intelligent automations, AI unlocks efficiency gains across SOC functionalities such as:

Incident investigation: Analyze massive volumes of alerts to identify patterns, suppress low-fidelity alerts, and automate triage and validation, accelerating the investigation process from start to resolution.
Case management: Streamline the process of prioritizing, tracking, and managing security incidents by intelligently enriching and automating cases.
Workflow generation: Prompt AI with a natural language description of your use case to instantly build security automation workflows — no code required.
Case summarization: Analyze all relevant data points associated with a security alert to provide easy-to-digest, evidence-backed summaries of complex security cases, improving SOC analysts’ efficiency and collaboration.
Documentation: Automatically generate documentation for complex automated processes, increasing both efficiency and accuracy from shift-handovers to compliance audits.
Executive reporting: Prompt the system to generate case info in the right tone and level of information for a specific persona, such as for a non-technical executive or board member.
Team collaboration: Automatically alert Slack or Teams channels when a case is created, escalated, resolved and more.
Resource optimization: Use AI to assign cases to an available analyst based on workload and shift schedules.

Data correlation: Combine and correlate data from all of the tools in your security stack, providing a holistic view of your security environment.
Threat response: Automate tasks like threat detection and containment for faster incident resolution.

How Do AI-Powered SOCs Transform Traditional Security Operations?

Scaling SOC operations: AI agents can handle an influx of security events: triaging, investigating, and remediating the majority of Tier-1 and Tier-2 alerts. This frees up analyst bandwidth to focus on urgent incidents and strategic projects, enabling SOCs to efficiently scale their operations without increasing headcount (which is vital amidst today’s shortage of skilled cybersecurity talent).

Shifting to a proactive security posture: Agentic AI goes beyond just detecting and counteracting attacks by applying real-time intelligence to identify patterns and detect emerging threats. This allows SOCs to adopt a less reactive, more preemptive approach to address vulnerabilities before they can be exploited or breached.

Reducing alert fatigue and analyst burnout: By autonomously triaging alerts and reducing false positives, AI agents reduce the number of irrelevant alerts that analysts must wade through. And, by automating tedious, repetitive tasks and auto-remediating most low-level alerts, AI-driven Hyperautomation helps senior analysts gain back the time and capacity to focus on more rewarding work like strategic projects.

Speeding up MTTR: All of the efficiency gains from leveraging AI in the SOC translates to more alerts resolved, faster.

Will AI Replace Humans in the SOC?

Adopting AI in the SOC is not about replacing human SOC analysts — it’s about augmenting and empowering them. With a looming 4 million+ cybersecurity talent shortage, organizations must not only retain their existing analysts, but also help them work more efficiently. On top of that, organizations are recognizing that human-only defenses are inadequate to counter the evasive and persistent threats posed by AI-driven attacks.

AI reduces analyst burnout: A multi-agent system can reduce the strain on SOC teams by offloading rote tasks, auto-remediating the majority of Tier 1 tickets, and upleveling the skills of junior analysts. This frees up senior analysts to focus their expertise on critical threats and strategic projects, helping their organization achieve a stronger overall security posture.

Human expertise must remain the final line of defense: Done the right way, AI-powered SOCs keep humans “in the loop” as the ultimate decision-makers for high-stakes threats following rigorous, multi-tiered AI evaluation and case enrichment that helps human analysts take informed, decisive action.

“By 2028, multiagent AI in threat detection and incident response will rise from 5% to 70% of AI implementations to primarily augment — not replace — staff..”
Source: Gartner Inc.

How Torq’s AI Capabilities Supercharge SecOps

Torq has been very deliberate in how we’ve extended the capabilities of the Torq platform using AI to solve real problems for SOCs with products and features like:

Socrates, the OmniAgent AI SOC Analyst: Socrates intelligently automates alert triage, incident investigation, and response, extending your SOC teams’ capabilities and improving response times across the board. Socrates coordinates a full Multi-Agent System (MAS) — planning, investigating, remediating, and managing security cases with human-like decision-making and machine-speed execution.

Socrates can auto-remediate 95% of cases within minutes. For critical cases that require human intervention, your analysts can collaborate with Socrates using natural language to summarize case details, enrich cases with additional investigation and threat intelligence, and trigger remediation workflows
AI Workflow Builder: Simply describe your desired security automation workflow in natural language, and Torq’s AI Workflow Builder will generate a tailored solution in seconds. Rather than spending hours manually building workflows from scratch, your team is freed up to focus on more strategic security initiatives.
AI Case Summaries: Help your team make the right decisions quickly by presenting them with a concise, insightful, and verifiable AI-generated summary of each case. No more wading through pages of logs and incident details! The easy-to-read summaries empower SOC teams to work faster, make informed decisions with confidence, and seamlessly transition between shifts by giving the incoming team clear case context backed by citations.
AI Data Transformation: Simplify complex data manipulation for security operations by easily transforming complex JSON data using natural language — no coding required. Each transformation is broken down into precise, testable micro-transformations that users can edit, validate, and modify individually.
Runbook Execution: Intelligently plan customized investigation and response strategies based on the organization’s historical outcomes and adapt to new threat vectors, ensuring faster containment.
Deep Research Investigations: Uncover hidden attack patterns across disparate data sources, perform detailed root cause analyses, and dynamically assess threat impact — giving SOC teams context previously out of reach without hours of manual digging.

Torq now has multi-agent RAG (Retrieval-Augmented Generation) incorporated into HyperSOC™ which has supercharged its ability to do deep research, analyze threats, and coordinate responses at machine speed — and is the first autonomous security platform to support a Model-Context Protocol (MCP) natively in its architecture. These advancements make our latest HyperSOC release our most autonomous model to date and the first truly agentic SecOps platform.

The Future of the SOC: Better, Faster Human Decision-Making Through AI Automation and Insights

When deployed effectively, AI in the SOC extends and enhances the capabilities of your existing staff so they can make better decisions faster.

So, what does the future of SOC automation look like? Sophisticated multi-agent AI continuously learns from historical data and real-time incidents to generate insights and recommendations, automate routine security tasks, and auto-remediate the majority of alerts, with a top layer of human analysts providing strategic oversight for critical cases. This means faster, more proactive responses to threats and vulnerabilities — and a more secure future for organizations everywhere.

Want to learn how to deploy AI in the SOC the right way? Read the AI or Die Manifesto to learn CISO considerations, fake AI red flags, and evaluation questions.

Get the Manifesto

HyperSOC-2o: The Game-Changing, Analyst-Validated Autonomous SOC

By Bob Boyle

April 23, 2025

10 Minute Read

The autonomous SOC is here. It is no longer a distant reality, it’s not a pipe dream, and it’s certainly not just another cybersecurity buzzword. According to IDC’s latest report exploring the evolution from generative AI to agentic AI in cybersecurity, the autonomous SOC is “heaven on earth…everyone should want it.”

And with the release of Torq HyperSOC-2o, now everyone can have it.

WTF is HyperSOC-2o?

HyperSOC-2o is the latest release of Torq HyperSOC™ — our most autonomous model to date and the first truly agentic SecOps platform.

Torq HyperSOC™ was first released in April 2024 as a purpose-built solution that harnesses the power of the AI-driven Torq Hyperautomation™ platform to automate, manage, and monitor critical SOC responses at machine speed. At the time of initial launch, IDC had this to say:

“Every day, IDC is engaged with SOC professionals who communicate the existential challenges they’re facing, both in terms of keeping up with ever-escalating threat complexity and volume, and the incredible burden that places on the shoulders of their teams.

Torq HyperSOC is the first solution we’ve seen that effectively enables SOC professionals to mitigate issues including alert fatigue, false positives, staff burnout, and attrition. We are also impressed by how its AI augmentation capabilities empower these staff members to be much more proactive about fortifying the security perimeter.”
Chris Kissel, Vice President, Security & Trust Products, IDC Research, Achieving Machine Speed Detection and Response

A lot has changed since HyperSOC was first released, but SOC challenges remain the same. In a recent Emerging Techscape for Detection and Response Startups report, Gartner notes that as cybersecurity threats grow in volume and complexity, SOC teams continue to experience increasingly heavy workloads. While the surge in AI-supported threats demands more resources, more attention, and puts significant pressure on SOC teams to respond to threats effectively, Gartner says “AI agents are emerging as a critical solution to enhance efficiency, reduce burnout, and enable teams to focus on strategic initiatives.”

SOC teams are still struggling to keep up with increasingly complex threats, utilizing the limited resources available to them. According to IDC’s report, “Agentic AI is the next step toward a more autonomous SOC, but there must also be a bridge where local decisions have to become extensible to the greater network.” That bridge is HyperSOC-2o.

The Need for the Autonomous SOC

SOCs have been using AI, machine learning (ML), and large language models (LLMs) to collect information, assess risk, and prioritize alerts for some time now. These common GenAI use cases perform the first stages of security event triage, enabling security teams to interact and guide investigations through a natural language interface — significantly reducing the detection and response time to alerts. So why do we need the autonomous SOC?

An AI-influenced SOC, supported by a GenAI digital assistant, is still reliant on the ability and capacity of a human analyst to instruct and guide remediation actions. While security automation plays a significant role in the real-time response to these threats at machine speed — certainly faster than a human analyst could triage, investigate, and respond without GenAI augmentation — the truth is that GenAI and automation alone is still a reactive security posture.

What good are AI-driven, triaged, enriched, and prioritized comprehensive security cases that sit there waiting for a human to press the big red remediate button, if SOC analysts are still drowning in so-called “high priority” alerts? AI is supposed to reduce a SOC analyst’s workload, not create more manual tasks to watch over and approve.

Moving from the Aspirational to the Inspirational in SOC Processes

Agentic AI is different. The IDC report explains that “[agentic AI] can solve problems, adapt to its environment, and make complex decisions based on goals and available information. It does this in real time without constant human supervision. Agentic AI is self acting and self deterministic.” The promise is that agentic AI will become as effective on the prevention side as its GenAI predecessor has become in detection and response.

“By 2026, AI will increase SOC efficiency by 40% compared with 2024 efficiency, beginning a shift in SOC expertise toward AI development, maintenance and protection. AI and ML are revolutionizing proactive defense security by adding preemption and enhancing detection and response capabilities.”
Gartner, Emerging Tech: Techscape for Detection and Response Startups, March 2025

IDC goes on to state that the next leap towards the autonomous SOC is fusing the MTTD and MTTR improvements of GenAI with the human-like decision making of agentic AI to produce the following improved SOC outcomes:

Agentic AI becomes the mastermind of every incident: AI agents will handle over 95% of manual case triage, investigation, and enrichment without requiring constant human intervention — shifting from human-in-the-loop to human-on-the-loop. This supervisory model means humans will get involved much later in the case management lifecycle, if at all — likely only when the AI agent deems a case critical enough to require human oversight.

The incident detection and response life cycle will have embedded compliance and governance: Blackbox decision making from AI solutions does not suffice. Agentic AI records the deterministic logic and reasoning behind its decision-making in real-time for a security case, reducing the manual burden and risk of human error associated with case management documentation today.

The threat detection and response life cycle greatly improves a company’s proactive cybersecurity posture: The three key pillars that define agentic AI and allow it to solve complex problems and make human-like decisions are semantic memory, episodic memory, and procedural memory. As a result, agentic AI can apply what it’s learned from managing similar incidents in the past to improve future response processes and adapt to the latest emerging threats.

Fully automated responses will be nearly ubiquitous in the SOC: AKA… achieving the autonomous SOC. Together, GenAI and agentic AI will eliminate 95% of Tier-1 security tasks as most SOC processes become fully automated.

Agentic AI has enormous potential in security operations because of its ability to process and solve problems like a human SOC analyst. Alone, however, agentic AI still isn’t enough to achieve autonomy — Hyperautomation becomes the key to holding it all together. To truly achieve the autonomous SOC, security teams must use agentic AI to combine and contextualize relevant security event data in an instant, then leverage Hyperautomation to take remediation action as quickly as possible, without the delay of human intervention.

“Torq’s Hyperautomation capabilities can help improve the efficacy of security teams now and with an eye to the future. Hyperautomation is a type of glue logic that binds static entities, such as logs, directories, and applications, creating usable correlations for observation, detection and response, and remediation. Torq is working on all SOC fronts while improving MTTD, MTTR, threat hunting, and remediation actions impactfully. The agentic AI architecture is disruptive.”
Chris Kissel, Vice President, Security & Trust Products, IDC Research

The unique combination of GenAI, agentic AI, and Hyperautomation is why IDC recognizes Torq alone to have established the most important building blocks needed to achieve the autonomous SOC.

HyperSOC-2o: Achieving the Autonomous SOC

Last week Torq announced HyperSOC-2o — the world’s first truly autonomous SOC.

This latest version of Torq HyperSOC™ expands Torq’s Multi-Agent System (MAS) by incorporating cutting-edge Retrieval Augmented Generation (RAG) technology into existing agentic AI functionality. RAG allows Torq AI Agents to reference massive amounts of data and produce extremely specific outputs that are highly contextual, continuously improving in accuracy and enabling game-changing deep research capabilities.

Socrates, the agentic AI SOC Analyst, sits at the helm of HyperSOC-2o, acting as an OmniAgent responsible for controlling and collaborating with four new RAG-enabled micro-agents. These agents are trained in specific areas of expertise and capable of using sophisticated iterative planning and reasoning to solve complex, multi-step problems autonomously. The four micro-agents are:

Runbook Agent: Plans highly customized agentic threat investigations and responses based on its ability to learn from past incident outcomes, recognize similar attack patterns, and adapt to emerging threat vectors.
Investigation Agent: Uncovers hidden attack patterns across disparate data sources, performs detailed root cause analysis, and accurately assesses threat impact to help HyperSOC-2o effectively prioritize responses.
Remediation Agent: Takes action across the security stack either completely autonomously, or by intelligently escalating critical cases for human-in-the-loop remediation, reducing MTTR and enabling SOC analysts to trigger complex actions at machine speed.
Case Management Agent: Delivers faster access to real-time and historical data through AI-generated case summaries, enabling more accurate threat identification, dynamic case prioritization, and streamlined decision-making by eliminating irrelevant noise.

Think of Socrates like the head coach of a football team. The head coach is surrounded by specialists — an offensive coordinator, a defensive coordinator, a special teams coordinator, assistant coaches, and so on. While it is the head coach’s responsibility to make the final play calls on game day, they rely heavily on their specialists to study the opponent’s game film, design the plays, and make real-time adjustments on the fly.

This is exactly how Socrates operates. When a case is assigned to Socrates for auto-remediation — Socrates calls on the Runbook Agent to formulate the most efficient investigation and response strategy. When a SOC analyst asks Socrates to analyze the observables of a case — Socrates employs the Investigation Agent to correlate third-party threat intelligence and find the relevant event data.

And when a threat needs immediate containment, Socrates works through the Remediation Agent to trigger the appropriate hyperautomation workflow — whether that is using Crowdstrike to isolate an endpoint, Okta to reset a password, or Abnormal to remove a phishing attack from an end user inbox.

“Torq HyperSOC makes the potential of AI in a SOC attainable and sustainable by connecting AI with the SOC’s full range of tools and processes. With Torq HyperSOC, you can automate more than 95% of Tier-1 analyst tasks and significantly reduce the burden on existing SOC teams. Torq HyperSOC is a huge game-changer for enterprises.”
Francis Odum, Software Analyst, Cyber Research

Don’t Just Change the Game — Flip the Gameboard

In security, the odds are always stacked against the defender. The attacker has the element of surprise, access to the same AI and security tooling, and room to fail over and over and over again — biding their time until that one successful breach.

To stay ahead, we need to empower SOC teams to act as quickly, accurately, and proactively as they possibly can. HyperSOC-2o gives teams that fighting chance — leveraging AI agents and Hyperautomation to reduce investigation times by up to 90%, increasing the SOC’s capacity to handle 3-5x more alerts with no added headcount, and remediating over 95% of security threats — completely autonomously.

Dive deeper into IDC’s exploration of agentic AI as the next leap in the autonomous SOC.

Get the Report

Torq HyperSOC™ is the First Autonomous SOC Platform with Native Model-Context Protocol (MCP) Support

By Leonid Belkind, Co-Founder and CTO

April 22, 2025

9 Minute Read

Innovation in cybersecurity technology, particularly in security operations, is advancing at an incredible pace. The past few months have seen a surge in announcements of Agentic AI solutions and SOC Analyst AI Agents, transforming the landscape rapidly. At BlackHat USA 2023, Torq pioneered this space by introducing Socrates, the first AI Agent SOC Analyst. This highlights the remarkable acceleration of AI adoption in cybersecurity and the significant advancements made in a relatively short period.

Socrates, our Agentic AI SOC Analyst, has been up and running for a solid year and a half, which is pretty impressive for this kind of tech. It’s dealing with thousands of real security issues every hour for major companies. Since the initial release of Socrates, Torq has expanded our agentic AI portfolio by launching a comprehensive Multi-Agent System (MAS), as well as the latest version of Torq HyperSOC™ powered by Retrieval-Augmented Generation (RAG) technology.

Even as new entrants jump on the AI-in-SOC bandwagon, Torq continues to push the envelope — Socrates keeps learning and evolving, and Torq remains steps ahead in the Autonomous SOC space.

Today, Torq is proud to announce another ‘first’ in the Autonomous Security Operations field: the first platform to support a Model-Context Protocol (MCP) natively in its architecture. This groundbreaking advancement unlocks a new realm of possibilities in security operations, enabling powerful and exciting outcomes that were previously unattainable. By integrating MCP into its core framework, Torq is paving the way for more intelligent, adaptive, and efficient security solutions, setting a new standard for the industry.

What is Model-Context Protocol?

Model-Context Protocol (MCP) is an open protocol designed to standardize how applications provide context to Large Language Models (LLMs) and AI Agents to retrieve contextual information from applications and systems.

When a security operations process is orchestrated by an AI Agent, native integration with MCP Servers delivers outcomes far greater than static lists of tools and actions, or even extensions with APIs and workflows. This dynamic integration accelerates Security Operations outcomes by improving detection and triage accuracy, and reducing Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR).

Torq as a Model-Context Protocol Host: Endless Extensibility

Torq HyperSOC-2o acts as an Model-Context Protocol Host, meaning it can natively interface with MCP servers to both fetch context and execute actions. The flexibility of MCP makes integrations with corporate systems and cloud services more agile than ever.

Your AI agent isn’t operating with a fixed toolbox — it can seamlessly tap into real-time data sources, internal databases, SaaS applications, cloud workloads, and more, all through standardized MCP connections. This extensibility ensures your autonomous SOC is always armed with the most up-to-date information and capabilities, leading to more intelligent and effective security operations.

Today, during the early days of Model-Context Protocol adoption, most MCP Servers available for use require self-hosting, making it extremely important to provide an enterprise-grade security for the transport and access layers in order to benefit from the capabilities without compromising the underlying data or operations.

Torq provides unique benefits by leveraging its secure communications infrastructure used for a scalable Hyperautomation of hybrid cloud environments.

Torq platform natively extends its automation and orchestration capabilities to become Model-Context Protocol hosts, allowing access to both self-hosted and cloud-hosted MCP servers in an intelligent and secure manner.

The schematics above depicts how the Torq platform natively extends its automation and orchestration capabilities to become Model-Context Protocol hosts, allowing access to both self-hosted and cloud-hosted MCP servers in an intelligent and secure manner.

Key advantages of Torq’s native MCP Host capability include:

Real-Time Contextual Awareness: AI-driven investigations can pull in live context (user details, asset data, threat intel, etc.) exactly when needed, rather than relying on stale or predefined inputs. This leads to smarter decisions and fewer false positives.
Unlimited Extensibility: Thanks to MCP’s open standard, any new tool or data source that supports MCP can be plugged into your SOC workflows instantly. Torq HyperSOC-2o transforms into a plug-and-play powerhouse, adapting as your environment evolves.
Faster, Smarter Response: Dynamic context enables higher-fidelity alerts and faster root-cause analysis. Early users have seen significant improvements in detection precision and response times, cutting down the investigative workload on analysts.
Enterprise-Grade Security: All MCP interactions through Torq are encrypted, authenticated, and audited. You can safely connect to self-hosted knowledge bases or third-party MCP services, confident that communications meet your security and compliance standards.

Torq as an MCP Server: New Ways to Access Your Processes

Torq’s native Model-Context Protocol architecture opens up an exciting paradigm where Torq workflows, steps, and integrations can be securely utilized as tools and actions within other MCP Hosts. This enables a significant increase in productivity for both security professionals and organizational information employees.

By providing secure, managed, and monitored organizational processes as context to external LLM applications such as Claude Desktop and various IDEs, Torq facilitates seamless integration and enhances the capabilities of these platforms. This approach ensures that sensitive organizational processes are handled with the utmost security while empowering users with advanced AI-driven functionalities.

Imagine an organization embracing self-service processes for various IT and Security functions as a means for increasing organizational efficiency. Torq Hyperautomation has been the hub for such activities since its inception, and now these processes can be accessed in a completely new way, through the organization’s chosen and adopted AI tools.

Torq MCP Server provides access from the organization’s chosen AI tools to Torq workflows, steps, and integrations, increasing the efficiency of leveraging various organization-approved security operational practices natively.

The schematics above depict how a Torq MCP Server provides access from the organization’s chosen AI tools to Torq workflows, steps, and integrations, increasing the efficiency of leveraging various organization-approved security operational practices natively.

For example, a security analyst using a chatbot interface like Anthropic’s Claude or a developer working in an IDE with an AI coding assistant can simply ask their AI agent to perform a task, “Hey AI, scan this newly reported IP across our logs and threat intel sources.” Behind the scenes, the AI agent invokes a Torq workflow (exposed via MCP) that conducts a multi-step investigation across all your tools, then returns the result directly into the chat or IDE. The person didn’t need to switch consoles or manually run any script; the AI, powered by Torq, handled it instantly.

Torq HyperSOC-2o makes this scenario a reality by providing a secure, managed, and monitored way for external AI applications (from chatbots to SIEMs to custom AI assistants) to leverage your organization’s existing Torq automations as first-class actions. Importantly, all of this is done with the utmost security and control.

Torq’s permissioning and audit logs extend into the MCP domain, ensuring that any action an external AI triggers is authorized and tracked. Your sensitive processes remain protected, even as they become more accessible and useful to your teams via AI.

In short, Torq as an MCP server turns the AI tools your team already uses into powerful gateways for your automated SOC workflows — dramatically increasing efficiency and accessibility without sacrificing security.

Security Operations Data as MCP Resources

The above examples of Torq’s innovation in natively adopting the Model-Context Protocol framework are just the beginning. The potential of MCP resources and prompts opens up an exciting avenue for creating native user experiences for navigating and analyzing security events and case data. By leveraging MCP, any AI tool can be transformed into a powerful threat hunting and digital forensics orchestration environment, providing unparalleled capabilities for security professionals. This advancement allows for deeper insights and more effective responses to security incidents, significantly enhancing an organization’s overall security posture.

Consider what this could mean: Analysts will be able to navigate and analyze security events through natural language via their AI assistants, with Torq feeding the relevant data on demand. An AI agent could correlate an ongoing incident with past cases, highlight patterns, or even suggest remediation steps by drawing from your organization’s entire trove of security knowledge — all in seconds, all within the AI’s conversational or analytical environment.

This kind of seamless, context-rich interaction provides unparalleled capabilities for security professionals. It leads to deeper insights, more proactive threat hunting, and ultimately more effective responses to incidents. By breaking down data silos and making institutional knowledge available in real time through MCP, Torq HyperSOC-2o significantly enhances an organization’s overall security posture. It’s not just about doing things faster; it’s about empowering humans and AI to collaborate on tasks that were previously impossible.

Stay Tuned: This is Just The Beginning

“An analysis of the history of technology shows that technological change is exponential, contrary to the common-sense intuitive linear view”, said Ray Kurtzweil in “The law of accelerating returns” in 2021. Almost a quarter of a century later, this statement, which in itself can be seen as a generalization of Moore’s Law from 1965, is being proven as true time after time.

Torq’s journey with AI and automation in security is a testament to this acceleration. We went from conceptualizing an AI SOC analyst to having one in production within months, and now to enabling an open protocol that can fundamentally change how AI systems interact with security tools and data. And we’re far from done.

Torq HyperSOC-2o’s introduction of native Model-Context Protocol support is just the first chapter in an exciting new era of autonomous security operations. Torq will continue to innovate and lead as technology races forward, ensuring our customers stay ahead of the curve. We are privileged to be part of this revolution – and we’re committed to driving it.

Stay tuned for more updates as we continue to expand what’s possible in the SOC. The future of security operations is unfolding now, and with Torq, you’re not just witnessing it — you’re leading it alongside us. Let’s embrace this future together and redefine what a truly autonomous SOC can achieve.

All Gas, No Brakes: The Autonomous SOC Revolution is Here

By Ofer Smadari, CEO & Co-Founder

April 15, 2025

5 Minute Read

As CEO of Torq, I’ve had a front-row seat to this transformation. In speaking with countless CISOs and analysts, one theme rings loud and clear: We can’t fight modern threats with yesterday’s tools. SOC teams today are wilting under an onslaught of alerts and “busywork,” creating an existential crisis in security operations. It’s time for a bold leap forward.

Leading the Charge: Torq HyperSOC-2o and the Revrod Leap

Earlier this month, we took a decisive step into the future by launching Torq HyperSOC-2o, fresh on the heels of our acquisition of Revrod — a stealth-mode Israeli AI startup with advanced multi-agent AI expertise. This move isn’t just about adding features; it positions Torq at the forefront of the autonomous SOC revolution.

Torq HyperSOC-2o is built around a comprehensive OmniAgent that can identify, prioritize, and remediate threats across the entire organization. By integrating Revrod’s cutting-edge multi-agent RAG (Retrieval-Augmented Generation) technology, we’ve supercharged our platform’s ability to do deep research, planning, and generative reasoning in the SOC. In plain terms: HyperSOC-2o can analyze threats and coordinate responses with near-human-level insight and precision at machine speed.

This isn’t hype — it’s happening now. Torq was recently named an “AI Startup to Watch” by Business Insider, recognizing the momentum and innovation behind our approach. With Revrod’s team now part of Torq, that momentum accelerates.

“Torq is at least 18 months ahead of the pack in delivering true autonomy for security operations.”

I can confidently say Torq is at least 18 months ahead of the pack in delivering true autonomy for security operations. Revrod’s technology “fundamentally changes what’s possible in a SOC,” and by weaving it into HyperSOC-2o, we’re giving our customers the ability to operate faster and smarter than ever. In demos at RSA Conference, attendees will see firsthand that the autonomous SOC isn’t a distant vision — it’s here, and Torq is leading it.

Beyond Legacy SOAR: A Generational Leap in SOC Automation

To understand why this leap matters, consider the tools many SOCs have relied on until now: legacy SOAR platforms like Palo Alto’s Cortex XSOAR (Demisto), Splunk Phantom, or Siemplify. These systems were pioneering in their day, but they were built for a different era and a different scale. Traditional SOAR demanded extensive coding and constant maintenance to keep up with new threats and systems.

In contrast, Torq HyperSOC is built on an agentic architecture where AI agents actively collaborate, reason, and take initiative across the full security stack. We’ve developed an OmniAgent that can orchestrate a team of specialized AI agents, each with its own focus area, dynamically working together like a human SOC team.

Compared to the rigid, one-track automations of legacy SOAR, Torq’s multi-agent brain represents a generational leap. It’s the difference between a scripted assistant and an autonomous colleague. It auto-calibrates its response playbooks and tools on the fly to mitigate threats faster and more accurately than any static playbook could.

Inside Torq HyperSOC-2o: AI Agents on the Front Lines

Rather than a monolithic black box, Torq HyperSOC-2o is an ensemble of intelligent agents working in concert — a “virtual SOC team” that never gets tired. Here’s a closer look at the AI agents powering HyperSOC-2o:

Investigation Agent — Performs deep-dive investigations in seconds, uncovering hidden patterns across disparate data sources and tools to pinpoint root causes and assess threat impact.
Case Management Agent — Gathers real-time and historical data, organizes case timelines, highlights key indicators, and reprioritizes incidents based on evolving information.
Runbook Agent — Autonomously executes and adapts incident response runbooks with institution-specific knowledge built-in.
Remediation Agent — Executes remediation actions autonomously, closing the loop with verifiable outcomes, operating in orchestrated or human-in-the-loop configurations.

Together, these agents function as an AI-powered SOC unit: ingesting alerts, investigating, collaborating, and remediating as a cohesive intelligence.

Real Results: Faster Responses, Greater Scale, Happier Analysts

Fortune 500 companies have already deployed Torq’s agentic SOC platform. In early deployments, organizations saw:

Up to 90% reduction in investigation time.
3–5× increase in alert handling capacity with no added headcount.
95%+ of Tier-1 security tasks automated.
Significant improvements in key SOC KPIs like MTTR (mean time to respond).

Security leaders can now shift from a reactive stance to a proactive strategy. They can spend more time on strategic initiatives because the AI agents have their backs on the front lines.

The Road Ahead: How AI Agents Will Redefine Cybersecurity Operations

The introduction of intelligent, collaborative AI agents into the SOC is not just an incremental improvement — it’s a tectonic shift. Security operations will never be the same.

Organizations will be able to achieve a level of security posture and responsiveness previously limited to only the most well-staffed enterprises — not by hiring armies of analysts, but by deploying intelligent agents that work like armies of analysts.

The autonomous SOC is here, and it’s here to stay.

The Fast Eat the Slow: AI Adoption for Survival in Modern Cybersecurity

By John "JQ" Quinsey

April 14, 2025

4 Minute Read

Don’t Play Checkers While Attackers Play Chess

Security teams today face an overwhelming number of alerts, many of which result from harmless Internet activity. With countless alerts pouring in daily, identifying the real threats becomes incredibly difficult, and serious vulnerabilities can go unnoticed amid the noise. This is where AI in the SOC comes in.

AI has become essential for detecting and stopping sophisticated threats at scale. By rapidly filtering out irrelevant traffic, an AI SOC analyst can give human analysts a clear head start. Capable of tirelessly sifting through millions of data points, auto-remediating the majority of Tier-1 alerts, and intelligently escalating critical cases, an AI SOC analyst enables human analysts to tackle high-priority threats in real time.

This combination of AI-driven anomaly detection and response with human-led investigation for critical events is essential in today’s cybersecurity landscape, where attackers are constantly evolving their tactics. Relying on traditional methods to defend your organization against a modern attack is akin to playing checkers while the bad guys play chess.

The Early Adopter Advantage in the Age of AI

A few years ago, embracing an early adopter mindset in IT and security operations was considered risky, a gamble on unproven technology. Today, AI adoption in the SOC has become a necessity to combat existential threats. Organizations that are slow to adopt AI run the risk of being eaten alive.

The new cutting edge in AI for SecOps is agentic AI, a paradigm shift that empowers autonomous SOC operations. Agentic AI can coordinate specialized AI agents to autonomously handle cases, build workflows, write case summaries and reports, transform data, and more.

Making the shift to an early adopter mindset for AI in SecOps involves more than just deploying new tools. It requires investment in training so that security teams are equipped to leverage AI effectively and responsibly. It also requires a strategic approach to building trust in AI systems through transparency, explainability, and guardrails, ensuring that AI-driven decisions are reliable and aligned with organizational objectives.

‘The Best Practical Use of AI From Any Vendor’

Torq has GenAI and agentic AI embedded throughout our platform. We use it to help with integrations, to help build workflow automations, and to improve the quality of life of human analysts. By automating routine tasks and providing enriched insights, AI adoption in the SOC frees human analysts to focus on the most critical threats, enabling faster and more effective responses.

I was recently on a call with the CISO at a Fortune 500 company that has been a customer for over a year. She said, and I quote, “Torq has the best practical use of AI I’ve seen from any vendor.”

Ready to turbocharge your SOC with AI so you don’t get eaten alive? Get the AI or Die Manifesto to learn how to deploy AI the right way, so your SOC — and the humans in it — survive.

Get the Manifesto

Insights News

Evolution Equity Partners’ Portfolio Companies Tackle a Cyber Crisis

By Patrick “PO” Orzechowski

April 7, 2025

4 Minute Read

Patrick Orzechowski (also known as “PO”) is Torq’s Field CISO, bringing his years of experience and expertise as a SOC leader to our customers. PO is a seasoned security veteran with a deep understanding of the modern security landscape. You can find him talking to SOC leaders and CISOs from major brands at cybersecurity events around the world.

I recently took part in a cyber crisis simulation event which showcased Evolution Equity Partners’ portfolio companies and made Torq’s real-world value strikingly clear.

The simulation presented a realistic scenario: a data breach at a fictional wealth management firm, with the attack’s progression followed through detection, investigation, response, and resolution. Participating companies included Torq, Sweet Security, Oleria, Halcyon, and Cytactic.

This cyber simulation reinforced the need for proactive security: automation, robust identity management, and agile cloud response. It also underscored the importance of having a crisis management system in place for simulating a live event — so when the inevitable happens, all teams, stakeholders, and external parties that need to be involved in resolving a major incident are included from the beginning.

A Cyber Crisis Simulation Unfolds

1. Detecting the Impossible Alert

The initial attack factor in the simulation was a compromised credential initially identified by an “impossible journey” detection in Torq’s AI-native Hyperautomation platform. Torq was able to identify this impossible travel through authentication logs that contained geographical source login information.

The targeted financial services company had several layers in place to detect and respond to these types of attacks, so the incident was kicked off through the initial case management system in Torq.

Through its AI-powered automated response capabilities, Torq’s platform triaged, enriched, and investigated the alert, ultimately determining that it required escalation.

Inside Torq’s platform, this event could then be tracked by the SOC throughout the incident lifecycle until being handed off to Legal, PR, and potentially cyber-insurance and external incident response partners.

2. Confronting the Extortion

After the initial attack, it was determined that the user did in fact access sensitive information contained in an S3 bucket, which was detected by Sweet Security’s unified detection and response platform.

Once the attacker procured the data, they sent an extortion threat letter to the company which included screenshots of contracts and other sensitive information. At this point, management had to:

Decide whether or not to disclose the breach
Determine whether or not the breach was “material”
Assess if they need to contact their customer base.

From there, Oleria identity security platform discovered the attacker had gained access to an insecure SharePoint site, but only accessed a limited amount of sensitive data.It was determined that the SharePoint site needed to be secured and, due to the limited data exposure, a negotiation team was brought in. They then found that the attacker was attempting to move laterally through the company’s systems.

3. Stopping Ransomware Escalation

From there, the company deployed Halcyon’s ransomware defense solution to determine if ransomware was active. Halcyon successfully detected and blocked infections on the systems where it was installed, but the attacker was able to begin encryption on systems where it was not.

The company then engaged Halcyon’s Professional Services to attempt to decrypt what the attacker was encrypting without having to pay for the keys.he keys.

Minimal Damage, Maximum Defense

In the end, the company was able to handle the incident without a breach disclosure and minimal impact to customer operations. This event could have been much worse if the services company did not have advanced detection and response capabilities already deployed within its security stack.

Torq streamlined detection and initial investigation through SOC automation and integration with the entire security stack.
Sweet Security correlated alerts and prevented exfiltration attempts in the cloud.
Oleria uncovered user account activities and assessed breach scope.
Halcyon blocked ransomware escalation and secured endpoints.
Cytactic enhanced tracking and decisionmaking capabilities for incident response.

Learn how Torq and Sweet Security operationalize cloud security automation >

Building Cyber Resilience through Proactive Simulation

This “impossible journey” simulation demonstrated the critical importance of establishing effective cybersecurity strategies and deploying innovative security solutions.

Proactive cyber crisis simulations enable businesses to build resilience and minimize the impact of potential attacks by:

Identifying vulnerabilities.
Improving mean time to detect and respond
Testing incident response plans
Improving decision-making under pressure
Understanding the impact of cyberattacks
Facilitating learning and continuous improvement

Want to learn more about leveling up your SOC’s automation and autonomous response capabilities? Read the SOC Automation Pyramid of Pain.

Read the Pyramid of Pain

Unleash a Multi-SIEM Strategy with Hyperautomation

By Torq

April 3, 2025

5 Minute Read

What is a SIEM?

A SIEM (Security Information and Event Management) is a cybersecurity solution that collects, analyzes, and correlates security data from across an organization’s IT environment to detect threats, monitor activity, and support incident response and compliance. A SIEM can:

Ingest logs from sources like firewalls, endpoints, and applications
Correlate data to spot suspicious activity
Generate alerts for potential threats
Provide dashboards to help analysts investigate

What is SIEM Integration?

SIEM integration means connecting your SIEM to an orchestration and automation layer that amplifies its value without replacing it. Integrating an AI-driven Hyperautomation platform like Torq with your SIEM allows you to automate alerts, enforce policy-driven responses at machine speed, and orchestrate actions across your entire security stack.

The SIEM Struggle is Real

In The Evolution of the Modern Security Data Platform by Francis Odom and Josh Trup, legacy SIEM costs are largely indexed to data volume — meaning the more you ingest, the more you pay. This outdated pricing model is one of the biggest blockers to scaling detection across modern environments.

SIEMs were also built for an on-prem world, not the cloud-native environments we operate in today. As more and more technologies shift to the cloud and SaaS sprawl grows, the volume of logs, events, and alerts increases exponentially.

Top SIEM challenges include:

Excessive operational cost tied to ingestion and retention
Alert fatigue and time-consuming manual triage due to excessive noise
Tool sprawl and integration complexity
Difficulty scaling across hybrid and multi-cloud environments
Log retrieval penalties that make data migration expensive

Yet, despite these issues, most teams are not abandoning their SIEMs. Why? Because the cost and compliance risk of a rip-and-replace approach are even higher. This is where the multi-SIEM strategy emerges.

The Rise of the Multi-SIEM SOCs

Rather than choosing one SIEM to rule them all, forward-thinking SOC teams are embracing a multi-SIEM or hybrid SIEM architecture. Sometimes, this shift is born out of necessity, such as after mergers and acquisitions, where multiple SIEMs are bundled with the deal. At other times, it’s driven by a decline in trust in legacy SIEM innovation following industry shakeups and buyouts.

Legacy SIEMs charge by the byte, and with data volumes exploding, the cost to ingest, store, and retrieve logs has become unsustainable. Instead of a risky rip-and-replace, teams strategically minimize what they send to legacy platforms and route the rest elsewhere.

To solve this, a wave of cloud-native, next-gen SIEM alternatives and data platforms has emerged: ETL orchestrators, cloud security data lakes, and multi-data SIEMs. These tools cleanse, normalize, and route logs more intelligently. Some even decouple analytics from storage to power faster, cheaper real-time detection across hybrid environments.

Even for organizations that keep regulated data on-premises, new logs are increasingly routed to more flexible, lower-cost systems. It’s a smart move — but only if you have a way to connect and orchestrate it all.

Hyperautomation Makes SIEMs Better

Hyperautomation is the key to unlocking the full potential of a modern SIEM strategy. Torq Hyperautomation™ is the AI-driven orchestration layer that sits above your entire SIEM ecosystem. Whether you use one SIEM or several, Torq can connect the dots across tools, teams, and workflows to transform disparate data into actionable intelligence and automated responses.

Once integrated, Torq can:

Run parallel workflows across multiple SIEMs
Automate triage, investigation, and response across platforms
Reduce alert fatigue without disrupting existing operations
Build and deploy SIEM automations with drag-and-drop or natural language
Use Torq HyperSOC™ to auto-generate and resolve 95% of Tier-1 cases with agentic AI

Check Point SIEM and Torq Hyperautomation Integration Story

Check Point’s security team was in alert overload — not due to a lack of tooling, but because their SIEM was generating more noise than their lean SOC could handle. With a 30–40% manpower gap, traditional triage and manual response weren’t sustainable.

Unlike legacy SOAR tools, Torq didn’t require Check Point to overhaul its SIEM or change how data was collected. Instead, Torq integrated directly into its existing SIEM infrastructure, ingesting and analyzing alerts. Within days, Check Point had deployed more than two dozen automated playbooks that operate natively across its security stack.

With Torq’s intelligent orchestration layer acting on SIEM-generated alerts — from triggering MFA to locking suspicious accounts — Check Point transformed a high-volume, high-fatigue environment into a streamlined, autonomous SOC.

“With Torq HyperSOC, we can react automatically to problems before they become security incidents.”
Jonathan Fischbein, CISO, Check Point

Read Check Point’s full SOC transformation story here >

The Future: Autonomous SOCs Powered by AI + SIEM

The SIEM space is evolving fast. But legacy contracts, compliance requirements, and data gravity aren’t going away tomorrow. The future isn’t about replacing your SIEM. It’s about operationalizing it with AI.

With Torq, you can:

Connect any SIEM (or all of them)
Orchestrate security automation across platforms
Transform log overload into real-time response
Move toward an autonomous SOC without sacrificing control

Want to learn more about adopting AI in the SOC? Get the AI or Die manifesto to learn how to think strategically about AI in SecOps — from data privacy to AI hallucinations.

Get the Manifesto

Generative AI Cybersecurity: What It Is, What It Isn’t, and What Comes Next

By Torq

April 3, 2025

7 Minute Read

How Can Generative AI Be Used in Cybersecurity?

GenAI is built on deep learning, a subset of machine learning, using large neural networks known as transformers. These transformers are trained on billions of data points and optimized to understand and mimic language, behavior, and structure.

Many GenAI systems are modeled after GPT (Generative Pretrained Transformer), which has learned how to respond to prompts in human-like ways by identifying patterns across massive data sets.

Here are some ways Generative AI can be used in cybersecurity:

Triage and enrichment: GenAI can automatically triage incoming alerts, enrich data from SIEM, EDR, and other sources, and generate clear, concise summaries.
Threat detection: Trained on historical attack data and threat patterns, GenAI models can identify indicators of compromise (IOCs) and anticipate emerging tactics.
Case documentation: Generative AI can produce case reports, threat timelines, and case summaries. These auto-generated insights reduce the need for manual documentation and simplify compliance reporting.
Threat hunting: Security analysts can use GenAI to query threat intelligence databases and data lakes using natural language prompts. This simplifies threat hunting workflows and empowers junior analysts to work at a higher level.
Workflow design: GenAI allows users to describe desired automations in natural language, which the system then converts into executable workflows. This eliminates the need for manual scripting and accelerates automation adoption across teams.

All of this helps analysts move faster — but it’s still reactive. It still requires humans in the loop. And it’s still just the beginning.

Challenges of Using Generative AI Alone

Without the right guardrails, GenAI in cybersecurity comes with serious risks:

Accuracy issues: GenAI can hallucinate. That means it can produce outputs that are confidently wrong. And in cybersecurity, that’s dangerous. An inaccurate summary of a threat, a misidentified IOC, or a fabricated correlation can derail an investigation, waste valuable analyst time, or worse, lead to improper remediation actions.
Data privacy: GenAI models are only as good as the data they’re trained on and how that data is handled. Feeding sensitive logs, incident data, or user information into GenAI without proper controls can lead to unintentional exposure of private data or regulatory violations. This is especially risky in regulated industries (finance, healthcare, etc.), where compliance failures come with heavy penalties.
Infrastructure overhead: Running LLMs requires serious computing, storage, and ongoing management. Even when using APIs from providers, the costs of integrating, fine-tuning, and securing the system can add up quickly. Without a well-architected platform, organizations often end up with fragile, expensive prototypes that don’t scale.
Threat actor access: You’re not the only one using GenAI. Threat actors are, too. From auto-generating phishing emails and malware variants to simulating voices or bypassing MFA with deepfakes, adversaries are industrializing their attacks with the same tools defenders are exploring.

This is why GenAI alone doesn’t cut it. It enhances the SOC — but it doesn’t free it. It still relies on humans to verify outputs, make decisions, and connect the dots. To truly transform security operations, you need more than content generation — you need contextual understanding, autonomous action, and real-time orchestration.

That’s why Torq goes beyond GenAI — combining it with agentic AI, Hyperautomation, and RAG-powered microagents to deliver a self-sustaining, intelligent SOC.

IDC: GenAI is Just the Beginning

A recent IDC Spotlight Report reinforces what leading cybersecurity teams already suspect: Generative AI is only the beginning. The real transformation happens with agentic AI.

Although only 7% of organizations are using agentic AI today, 60% expect it to impact their SOC operations within the next 18 months significantly. The benefits are tangible: organizations embracing this shift are seeing a 50% reduction in mean time to detect (MTTD), automated response for 90% of alerts, and a 35% lower risk of major breaches.

Torq’s HyperSOC platform, powered by agentic microagents, delivers exactly the kind of automation and intelligence IDC highlights — and it’s already available today.

Torq’s Take: From Generative AI to Autonomous Cybersecurity

At Torq, generative AI in cybersecurity was just the beginning. We combine GenAI with agentic AI, Hyperautomation, and Retrieval-Augmented Generatio n (RAG) to create what no one else in the market has: a truly autonomous SOC.

Agentic AI: Thinks Like a Human Analyst

Agentic AI is the brain behind the operation. Torq’s multi-agent system, led by Socrates, understands context, makes decisions, and learns from experience. How?

It uses semantic memory to understand relationships between threats, assets, and users.
It applies episodic memory to recall past incidents and resolutions.
It executes using procedural memory, adapting workflows in real-time based on its growing knowledge base.

Unlike GenAI, which waits for a prompt, agentic AI acts independently. It triages alerts, investigates root causes, and escalates only when necessary — moving SOCs from a human-in-the-loop to a human-on-the-loop approach. That means analysts step in only when they’re truly needed.

Hyperautomation: Machine-Speed Response Across Your Stack

Torq’s Hyperautomation engine seamlessly orchestrates your entire security ecosystem — across EDR, SIEM, IAM, email security, ticketing systems, cloud platforms, and beyond.

These AI-driven workflows:

Automatically isolate compromised endpoints
Revoke credentials and enforce MFA
Trigger alert suppressions and log escalations
Sync case updates across your tools of record

Hyperautomation connects all the dots — transforming detection into response with zero delay.

RAG-Enabled Microagents: Smarter Agents

Retrieval-augmented generation (RAG) enhances our specialized AI Agents with memory, precision, and real-time data access. Each microagent is trained on a specific domain, like investigation, remediation, or case management, and uses RAG to:

Pull in relevant threat intel, logs, and past incidents
Filter out noise and focus only on actionable data
Generate concise, accurate case summaries and recommendations

Think of them as subject matter experts inside your AI-powered SOC — each one armed with a knowledge base that updates every second.

Defending Against GenAI Security Threats

Adversaries are using GenAI too — for phishing, deepfakes, malware variants, and more. That’s why Torq’s defense stack includes:

Behavioral detection: We spot the telltale signs of GenAI-generated attacks such as weird phrasing, impossible travel, or AI-crafted obfuscation.
Automated response: The second a threat is flagged, Torq acts. Endpoints isolated. Credentials locked. Sessions terminated. Tickets opened. Teams alerted. No hesitation.
Adaptive workflows: Attackers adapt. So do we… automatically. Torq’s workflows update themselves based on real-time threat intel, evolving tactics, and active defense insights. What was a one-off attack yesterday becomes a blocked pattern today.

Go Beyond GenAI Cybersecurity with Torq

Generative AI in cybersecurity got us started — summarizing alerts, drafting playbooks, and answering questions. But Torq takes it further.

With agentic AI, Torq’s platform went from suggestion to autonomous decision-making. With Hyperautomation, Torq executes those decisions instantly across your entire stack. And with RAG-enabled microagents, every move is precise, contextual, and based on real-time intelligence.

That’s how you build a truly autonomous SOC.

Want to go beyond GenAI cybersecurity? Get the AI or Die Manifesto.

Get the Manifesto

Operationalize Data Security Automation with Cyera and Torq

By Torq

April 1, 2025

4 Minute Read

Once data insights are uncovered, SOC teams must take swift and consistent action. Torq’s platform operationalizes Cyera’s data security intelligence, organizing remediation and policy enforcement with machine-speed efficiency. Together, Cyera and Torq enable SOCs to protect sensitive data and intellectual property quickly, precisely, and accurately.

Solving Data Security’s Greatest Challenges

Today’s landscape has opened a paradox. Organizations rely on data for business to thrive, yet the more data is generated, the harder it is to secure. Sensitive information is being spread everywhere, stored in cloud buckets, shared across SaaS apps, and accessed by a growing number of users and systems. SOC teams are tasked with protecting this sprawling landscape, but the sheer volume of alerts and manual processes makes it nearly impossible to keep up.

Cyera cuts through this noise, giving teams a clear view of what sensitive data exists, where the data lives, who (or what) has access to it, and the risks the data faces. Cyera’s approach is rooted in clarity — mapping the attack surface and delivering insights needed to protect critical assets.

This is where Torq comes in. By integrating with Cyera, Torq automates the actions required to secure data, eliminating inefficiencies and enabling SOC teams to instantly respond to data risks.

Data Security Automation at Work

When Cyera identifies a risk, such as an exposed cloud storage bucket or an anomalous data transfer, Torq acts immediately to execute tailored workflows, automating everything from remediation to stakeholder notifications. Here’s how Cyera and Torq work together:

Comprehensive Data Discovery: Cyera scans your environment to identify sensitive data, classify it, and assess its risk profile.

Real-Time Insights: When Cyera detects an anomaly or identifies a risk, it triggers an event and passes the data insights along to Torq

Automated Orchestration: Torq picks up the baton, automatically launching workflows tailored to the specific alert, whether that’s notifying the right stakeholders, enforcing security controls, or triggering remediation actions.

Continuous Improvement: Cyera and Torq enable SOC teams to refine processes iteratively, reducing noise and improving response efficiency over time.

For example:

Cyera flags a misconfigured cloud storage bucket as containing sensitive PII. Torq automatically executes a remediation workflow, closing the bucket’s exposure and notifying relevant teams.
Cyera identifies an anomalous data transfer from a high-risk location. Torq not only alerts analysts but also enriches the alert with context and executes automated containment actions.

Cyera and Torq: Better Together

What makes Cyera and Torq a revolutionary pair is the shared commitment to scalability, speed, and precision. Cyera’s intelligence provides a clear path forward, while Torq delivers the power to act quickly and precisely.

Everyone in cyber knows speed is no longer an option. Manual processes simply can’t keep pace with the breakneck pace of today’s security landscape. Torq and Cyera together turn hours of work into seconds, automating everything from alert triage to remediation. Cyera provides 95% precision classification, while data security automation workflows from Torq ensure every response is consistent, reliable, and error-free, even under the pressure of an escalating incident.

As your organization grows, so do your risks. Cyera and Torq scale effortlessly, adapting to evolving needs and protecting data across clouds, Saas platforms, and beyond.

Elevate Your SOC

The integration of Cyera and Torq sets the new standard for what SOC teams can achieve with data security automation. By combining Cyera’s data-first approach with Torq’s automation expertise, organizations gain the tools to move faster, act smarter, and confidently secure data.

Request a demo today to see how Cyera and Torq can transform your SOC.

See It in Action

How to Turn a SOAR Migration into SOC Transformation

By Torq

March 24, 2025

5 Minute Read

1. Don’t Just Switch Platforms — Optimize

One of the first — and most striking — realizations for companies logging into the Torq platform for the first time is just how easy it is to build SOC workflow automations. For those who previously used code-heavy automation tools and had to manage thousands of lines of Python, Torq’s intuitive, drag-and-drop workflow designer and AI workflow builder is game-changing — enabling security teams to build and deploy Hyperautomated workflows faster than ever before. Users can also test each step of their workflow in real-time, gaining instant feedback and making adjustments on the fly.

With Torq, even customizing integrations with APIs or configuring various data sources becomes accessible to those without advanced dev skills, by using AI agents with expert coding logic and syntax for script writing, CLI, and data manipulation.

When migrating existing workflows to Torq, the ease of use and robust scalability of the platform provides the opportunity to do things that simply weren’t possible with legacy SOAR. To escape tech debt and inefficient and outdated processes, Torq encourages new customers to think beyond a “lift and shift” mentality so they can optimize SOC processes, rather than replicating them exactly as they were. The result is a true SOC transformation, not just a platform change.

The Torq team has seen it all and has a vast store of expertise and experience to recommend best practices for optimizing security processes. Torq Hyperautomation makes it much simpler to combine traditional workbooks into seamless workflows that take advantage of the platform’s strengths, such as AI-driven remediation and dynamic case management.

Most Torq customers are able to consolidate security processes during the migration — achieving the same outcomes with significantly fewer and much more efficient automations.

2. Reclaim Control Over Your Security Stack

During Torq Proof of Concepts (POCs), new users consistently highlight the same recurring challenges with their legacy SOAR platforms: limited integrations and difficulty connecting to essential data within existing tech stacks. This often forced their teams to resort to extensive, time-consuming Python coding, a painful and difficult-to-scale process.

In contrast, Torq enables rapid, limitless integrations. Companies can connect their entire security stack in record time by using AI to generate integrations in seconds, or they can maintain granular control with draggable, low-code or full-code capabilities. Even if your third-party API or data format changes (a recipe for disaster in legacy SOAR platforms), real-time API monitoring ensures none of your integrations are at risk of breaking, so your stack always stays connected for uninterrupted automation.

In one example Mark shared, a customer needing specific SIEM technology functions — which were previously inaccessible through their SOAR platform — achieved their goal in minutes by simply copying an API command into Torq’s intuitive workflow builder canvas, eliminating the need to wait months for a team to develop custom code to create the connection.

3. Accelerate Adoption and Time-to-Value

“Whenever we talk to customers or to the folks that are POCing Torq and getting into the platform for the first time, there’s one word that comes up in every single engagement: intuitive.”

– Mark Carosella, Sales Engineering Manager, Torq

Building security automation workflows in Torq’s drag-and-drop and AI-assisted interface is highly intuitive, which means teams quickly grasp the fundamentals to get up and running during onboarding. Mark shared that within a day or two, new users are often independently building custom automation workflows. This can feel like a major “aha” moment for users who came in with the perception of automation as a complex, code-heavy experience in legacy SOAR platforms.

One Torq user shared, “My favorite thing about Torq is that concepts go from my head to a working reality in just a few hours, instead of a few weeks, largely in part to the no-code functionality.”

This ease of use empowers any user, regardless of their coding skills, to rapidly implement workflows and adapt their security operations, accelerating time to value.

Transform Your SOC: Get the SOAR Migration Guide

If you’re ready to finally pull the plug on your SOAR, get the Kill Your SOAR Migration Guide to plan ahead. It covers the big picture of what you need to know going into a migration, plus a migration success story from a leading security company, advice from a SOC manager who made the switch, and the top 3 POC use cases.

With Torq, your migration isn’t just about switching platforms — it’s an opportunity to transform your security operations.

Get the Guide

Ready for SOC transformation? Get the Kill Your SOAR migration guide.

Contents

What is an AI SOC?

The Technical Foundations of an AI-Powered SOC

What’s the Difference? All the AI in the SOC, Explained

Top Use Cases for AI in the SOC

How Do AI-Powered SOCs Transform Traditional Security Operations?

Will AI Replace Humans in the SOC?

How Torq’s AI Capabilities Supercharge SecOps

The Future of the SOC: Better, Faster Human Decision-Making Through AI Automation and Insights

Related Articles

Squish the Phish: 6 Automated Phishing Response Strategies

SecOps Automation: How Lean Teams Can Achieve Enterprise-Level Security

The AI SOC Analyst That Offloads 90%+ of Tier-1 Cases — Meet Socrates

Contents

WTF is HyperSOC-2o?

The Need for the Autonomous SOC

Moving from the Aspirational to the Inspirational in SOC Processes

HyperSOC-2o: Achieving the Autonomous SOC

Don’t Just Change the Game — Flip the Gameboard

Related Articles

Squish the Phish: 6 Automated Phishing Response Strategies

SecOps Automation: How Lean Teams Can Achieve Enterprise-Level Security

The AI SOC Analyst That Offloads 90%+ of Tier-1 Cases — Meet Socrates

Contents

What is Model-Context Protocol?

Torq as a Model-Context Protocol Host: Endless Extensibility

Torq as an MCP Server: New Ways to Access Your Processes

Security Operations Data as MCP Resources

Stay Tuned: This is Just The Beginning

Related Articles

Squish the Phish: 6 Automated Phishing Response Strategies

SecOps Automation: How Lean Teams Can Achieve Enterprise-Level Security

The AI SOC Analyst That Offloads 90%+ of Tier-1 Cases — Meet Socrates

Contents

Leading the Charge: Torq HyperSOC-2o and the Revrod Leap

Beyond Legacy SOAR: A Generational Leap in SOC Automation

Inside Torq HyperSOC-2o: AI Agents on the Front Lines

Real Results: Faster Responses, Greater Scale, Happier Analysts

The Road Ahead: How AI Agents Will Redefine Cybersecurity Operations

Related Articles

Squish the Phish: 6 Automated Phishing Response Strategies

SecOps Automation: How Lean Teams Can Achieve Enterprise-Level Security

The AI SOC Analyst That Offloads 90%+ of Tier-1 Cases — Meet Socrates

Contents

Don’t Play Checkers While Attackers Play Chess

The Early Adopter Advantage in the Age of AI

‘The Best Practical Use of AI From Any Vendor’

Related Articles

The AI or Die Manifesto

The Dawn of Agentic AI in the SOC

40 Questions to Ask AI SOC Vendors

Contents

A Cyber Crisis Simulation Unfolds

1. Detecting the Impossible Alert

2. Confronting the Extortion

3. Stopping Ransomware Escalation

Minimal Damage, Maximum Defense

Building Cyber Resilience through Proactive Simulation

Related Articles

Squish the Phish: 6 Automated Phishing Response Strategies

SecOps Automation: How Lean Teams Can Achieve Enterprise-Level Security

The AI SOC Analyst That Offloads 90%+ of Tier-1 Cases — Meet Socrates

Contents

What is a SIEM?

What is SIEM Integration?

The SIEM Struggle is Real

The Rise of the Multi-SIEM SOCs

Hyperautomation Makes SIEMs Better

Check Point SIEM and Torq Hyperautomation Integration Story

The Future: Autonomous SOCs Powered by AI + SIEM

Related Articles

Detect and Respond to Threats Faster with Torq and Anvilogic

IDC Validates Torq HyperSOC™: A Game-Changer for SOC Analysts

How to End SOC Alert Fatigue (Before It Ends Your Team)

Contents

How Can Generative AI Be Used in Cybersecurity?

Challenges of Using Generative AI Alone

IDC: GenAI is Just the Beginning

Torq’s Take: From Generative AI to Autonomous Cybersecurity

Agentic AI: Thinks Like a Human Analyst