Black Hat 2025: Grave Digger, Agentic AI, and… SOC Goblins?

Torq’s mission at Black Hat 2025 was simple: go big or go EVEN BIGGER. 

Yes, Grave Digger was in the booth again — but the real show-stopper that kept attendees around was our agentic AI-driven Torq HyperSOC™ demo. Oh yeah, and our Junior Media Intern Trevor was seen wandering around Las Vegas with a new furry, yellow frenemy… more on that later.

Here are all the Black Hat highlights. 

The Pre-Show Buzz: AMP, AI Internships & Fortune Top 50

Torq kicked off the week before Black Hat with a big reveal: a new Alliance & Momentum Partner (AMP) Program, with launch partners including Google Cloud Platform, Wiz, NVIDIA, Zscaler, Astrix, Intezer, Panther, Sweet Security, and more. Forget pay-to-play tiers and red tape. The Torq AMP program provides the go-to-market muscle, marketing firepower, and joint solution innovation to move beyond basic integrations and create the world’s leading ecosystem of agentic AI cybersecurity expertise.

“For years, integrations were treated as check-the-box activities, such as basic API connectors or one-way data flows. But security teams don’t need more connectors. They need outcomes. That’s where Torq AMP comes in. It gives partners a direct path to operationalizing agentic AI through real-world solutions, not just theoretical ideas.”

Eldad Livni, Torq Co-Founder and CIO, in Channel Futures

Torq also announced a new nationwide AI internship program in partnership with AI4ALL. The program pairs underrepresented college students with hands-on experience in real-world cybersecurity and AI projects at Torq. Forbes described how “it goes beyond just job shadowing or résumé building. Interns will be mentored by Torq’s R&D and AI leadership teams while contributing directly to product innovation.”

To top off the pre-show spotlight, Torq was named one of Fortune’s Top 50 Cybersecurity Companies of 2025.  

LinkedIn Votes: Best Booth at Black Hat 2025

What does a monster truck have to do with security operations? NOTHING AT ALL, BUT WHO CARES? IT’S FREAKIN’ GRAVE DIGGER! Oh, and also because Torq is on tour nationwide with Monster Jam® — RSVP for your city here!

The LinkedIn-osphere lit up with post after post after post calling Torq “the best booth at Black Hat”. (And “wicked”, “coolest”, “my first stop”, “killer”, “awesome”, and “the bomb”… We could keep going but we’re already blushing.) 

The Hottest Demo in Cybersecurity

Grave Digger may have turned heads, but it was our demo that kept security pros hanging around Torq’s booth.

Torq HyperSOC™ is the AI-native autonomous SOC purpose-built to crush the SOC’s biggest challenges and pain points. HyperSOC integrates with your full security stack to automate, manage, and monitor critical SOC responses at machine speed to clear out Tier-1 grunt work and free your team to focus on critical threats. 

The Torq platform was recognized as one of the “most feature-rich platforms” in Software Analyst Cyber Research’s comprehensive new 2025 AI SOC Industry Report from Francis Odum and Rafal Kitab. Torq stood head and shoulders above the rest for delivering “notable improvements in detection and response” with an “extensive feature set” that goes beyond traditional SOC scope. (Francis loved our Black Hat booth ❤️, BTW.)

Want to see Torq HyperSOC in action and ask all your questions? Attend our half-hour live virtual demo. Save your spot. 

Hyper-AUTO-Mation: Why Carvana’s CISO Bet on Agentic AI for 5X SOC Efficiency

Dina Mathers, CISO at Carvana, joined Torq’s Field CISO Patrick “PO” Orzechowski on stage to discuss her experience in applying Carvana’s AI-first mindset to the SOC “not just in talk but in actual execution” by becoming an early adopter of Torq HyperSOC.

Carvana CISO Dina Mathers and Torq Field CISO Patrick Orzechowski speaking at Black Hat 2025

With a lean team, Dina knew her SOC couldn’t afford the analyst burnout that comes with the mundane, repetitive low-level work of triaging alerts and hopping across screens to respond. “Who wants to spend their time doing that?” she asked the audience.

Dina explained how the Fortune 500 company “now legitimately has 100% of our Tier-1 and Tier-2 security events triaged by our [Torq] AI SOC Analyst that’s basically an extension of our team” — dramatically reducing costs and boosting team morale by allowing them to focus on strategic work. Ultimately, Dina’s message to other CISOs was simple: “Let’s not be the Department of ‘No’. Lean into AI. Try it out.”

“Leveraging AI seemed to me like a no-brainer…. We have materially improved our operations. We’ve dramatically reduced the cost of operating a security operations center to the point where we can reallocate those funds to different technologies that we need.”

– Dina Mathers, Carvana CISO

WTF Was That Furry, Yellow Thing?

Meet the SOC Goblin of Black Hat 2025

Did you see the SOC Goblin at Black Hat and wonder “what the heck is that?” Turns out, 96% of security operations centers have a SOC Goblin lurking in the corner slowing down MTTR and burning out analysts — and they don’t even know it. Luckily, Torq can make SOC Goblins ✨disappear✨. Learn how.

This particular SOC Goblin was kickin’ it at Black Hat 2025 with our Junior Media Intern Trevor as he tried to get a SOC du Soleil show off the ground. (Don’t ask.) Check out their misadventures, from traveling across the country in a van to arriving in Vegas to causing a scene.

Agentic AI in the SOC That’s Real

Agentic AI was THE buzzword of Black Hat 2025 and it seems like every vendor has their own AI Agent for SecOps. But there’s a big difference between marketing hype and actual AI in production handling real-world use cases in Fortune 500 environments. Torq Co-Founder and CEO Ofer Smadari recently sat down for a video interview with BankInfoSecurity to share how Torq’s autonomous AI agents accurately resolve threats at scale.

Want to see Torq’s agentic AI in action? Request a demo. And learn more about how Torq HyperSOC saves your SOC with our new manifesto.

What is a Whaling Phishing Attack? How to Prevent One with Automation

The biggest cybersecurity threats often arrive quietly, disguised as something users trust — and they go straight for the top. Whaling phishing attacks are precision strikes crafted to target senior executives, exploiting their authority to steal money or critical data. 

Below, we share strategies to recognize and prevent whaling phishing attacks before they reach your leadership team.

Whaling Phishing Attacks Explained

What makes whaling unique is the level of detail and personalization used to deceive recipients. Attackers research company structure, executive behavior, and industry-specific language to make their fraudulent messages convincing. Their goal is to request sensitive data transfers or financial transactions, or steal confidential information — all under the authority of the executive they’re impersonating.

The impact of a single successful whaling attack can be catastrophic. The FBI’s Internet Crime Complaint Center (IC3) reported that business email compromise (BEC) and email account compromise (EAC) scams, which include whaling, resulted in over $2.7 billion in losses in 2022 alone. In one infamous case, a company lost over $46 million to a whaling scam over a period of several years. This isn’t a small-time email scam — it’s a high-stakes, high-reward scheme that can sink a company.

How to Identify Whaling Phishing Attacks: 4 Warning Signs

Whaling emails are often subtle, but there are clear red flags that security teams and employees can watch for. Recognizing these warning signs is the first step in neutralizing an attack before it succeeds.

Social Engineering

Attackers carefully research the organization’s hierarchy, ongoing projects, and executive routines to craft messages that feel authentic. These emails may reference real initiatives, use company jargon, or mimic internal communication styles to build trust and lower suspicion.

Impersonating Company Executives

Attackers pose as senior leaders like CEOs, CFOs, or board members. By spoofing or using lookalike email addresses, attackers exploit authority and urgency, making employees more likely to comply without question.

Fake “Urgent” Messages from Fake Email Addresses

Many whaling attempts use urgency to pressure quick decisions. Subject lines such as “Immediate Action Required” or “Confidential Transaction Approval Needed” create stress and encourage recipients to move quickly without verifying the request, increasing the chance of a costly mistake.

Sending Strange or Unidentified URLs

Links included in these emails may look legitimate at first glance, but redirect to malicious sites or credential-harvesting pages. Subtle misspellings in domain names (e.g., micros0ft.com instead of microsoft.com) and unfamiliar file attachments are clear indicators of a potential attack.

6 Ways to Prevent Whaling Phishing Attacks

1. Employee Training and Awareness

Executives and their support staff must undergo specialized phishing awareness training, including signs of whaling phishing attacks. Teach them to spot common tactics, validate requests, and report suspicious activity.

2. Multi-Factor Authentication (MFA)

Enforce MFA across all accounts, particularly executive-level accounts. Even if credentials are stolen, MFA makes it much harder for attackers to gain access.

3. Advanced Email Filtering

Use email security tools that scan for domain spoofing, suspicious metadata, and malicious attachments before they reach inboxes.

4. Anti-Phishing Software

Deploy software that uses behavioral analytics to detect anomalies in communication patterns — especially important for high-risk roles like finance and legal.

5. Real-Time Threat Intelligence

Staying ahead of attackers requires live intelligence. By integrating global threat feeds, organizations can block known malicious domains and adapt to emerging attack patterns instantly.

6. Security Automation

Manual detection and response are too slow for modern whaling threats. Security automation ensures that suspicious emails are quarantined, alerts are prioritized, and responses are orchestrated without human delay.

Why Threat Intelligence and Automation Are Critical

Manual phishing response is a losing battle. Analysts burn hours pivoting between tools, validating IOCs, and remediating inboxes — time attackers exploit. Torq Hyperautomation eliminates that grind by automatically enriching alerts with threat intelligence integrations such as VirusTotal to determine whether URLs, attachments, and other indicators are malicious. This provides the context for faster, more informed decisions and helps quickly weed out false positives before a security case is even created.

With prebuilt workflows, phishing alerts can be automatically triaged, validated, and remediated in minutes instead of hours, slashing noise and reducing human error.

At Lennar, one of the largest U.S. homebuilders, Torq cut phishing resolution time from hours to minutes by automating investigation and remediation, freeing analysts to focus on more complex investigations.

How Hyperautomation Powers Your Defense and “Squishes” Phishers

Torq’s Hyperautomation platform empowers security teams to build end-to-end phishing defenses without adding complexity. It integrates across your entire security stack — email gateways, identity platforms, EDRs, SIEMs, and more — to detect, investigate, and neutralize phishing attempts at machine speed.

When a phishing alert is triggered — say, from Microsoft 365 — Torq instantly takes over the triage process. It automatically extracts URLs, attachments, and headers in parallel, then validates them against multiple threat intelligence feeds like VirusTotal. This weeds out false positives and confirms true threats within seconds. All artifacts are consolidated into a structured dataset, which Torq uses to automatically create or escalate a case. From there, auto-remediation workflows — such as blocking senders, quarantining endpoints, or resetting credentials — can be launched without analyst intervention.

Torq Hyperautomation™ changes the game by:

  • Automating phishing and whaling triage. Torq instantly extracts IOCs (URLs, hashes, headers), checks them against threat intel, and validates alerts without analyst intervention.
  • Orchestrating remediation. Auto-remediation workflows block senders, reset credentials, quarantine endpoints, and remove malicious emails from inboxes automatically.
  • Empowering end users. Chatbot integrations in Slack, Teams, and email give employees a one-click way to self-report phishing, while automation handles the rest.
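The four warning signs listed earlier (executive impersonation, lookalike sender domains, urgency language, and suspicious URLs) and the triage steps just described (extract artifacts, enrich them against intel, consolidate into a structured record, decide whether a case is warranted) fit naturally into one small pipeline. The following is an added example and is not Torq’s code or the Torq platform’s API: it uses only the Python standard library, and the trusted-domain list, executive directory, urgency terms, the `KNOWN_BAD` stand-in for a threat-intel feed such as VirusTotal, and both sample emails are constructed for the example.

```python
"""Toy whaling/phishing triage: parse a raw email, extract artifacts, enrich them
against a local (constructed) intel list, and emit a structured case record.
All lists and sample messages below are constructed for this example."""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example.com", "microsoft.com"}      # constructed: own domain + a vendor
EXECUTIVES = {"Jane Doe": "jane.doe@example.com"}      # constructed executive directory
URGENCY_TERMS = ("immediate action", "confidential", "urgent", "approval needed")
KNOWN_BAD = {"micros0ft.com"}   # constructed stand-in for a threat-intel verdict lookup
HARD_KINDS = {"impersonation", "lookalike-sender", "blocklisted-url", "lookalike-url"}


def normalize(domain: str) -> str:
    """Fold common confusables so 'micros0ft.com' and 'examp1e.com' normalize to the real names."""
    return domain.lower().replace("rn", "m").translate(str.maketrans("0135", "oles"))


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; one-character swaps are the typical lookalike trick."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    d = domain.lower()
    if d in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if normalize(d) == trusted or edit_distance(d, trusted) <= 1:
            return trusted
    return None


def extract_urls(text: str) -> list:
    return sorted(set(re.findall(r"https?://[^\s<>\"']+", text)))


def triage(raw: bytes) -> dict:
    """Extract headers, URLs and attachments, apply the four checks, and build a case record."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    subject = str(msg.get("Subject", ""))
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    urls = extract_urls(text)
    attachments = [p.get_filename() for p in msg.iter_attachments()]
    findings = []  # (kind, detail) pairs; kinds in HARD_KINDS escalate the verdict
    # 1. Display name matches an executive but the address is not that executive's.
    if display in EXECUTIVES and addr.lower() != EXECUTIVES[display]:
        findings.append(("impersonation", f"'{display}' sent from {addr}"))
    # 2. Sender domain is a lookalike of a trusted domain.
    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(("lookalike-sender", f"{from_domain} imitates {imitated}"))
    # 3. Urgency language in subject or body.
    haystack = (subject + " " + text).lower()
    hits = [t for t in URGENCY_TERMS if t in haystack]
    if hits:
        findings.append(("urgency", ", ".join(hits)))
    # 4. URL hosts that are on the intel list or imitate a trusted domain.
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        if host in KNOWN_BAD:
            findings.append(("blocklisted-url", host))
        elif lookalike_of(host):
            findings.append(("lookalike-url", f"{host} imitates {lookalike_of(host)}"))
    kinds = {kind for kind, _ in findings}
    verdict = "malicious" if kinds & HARD_KINDS else "suspicious" if kinds else "benign"
    return {"from": addr, "from_domain": from_domain, "subject": subject, "urls": urls,
            "attachments": attachments, "findings": findings, "verdict": verdict,
            "open_case": verdict != "benign"}


# Constructed sample: executive display name, lookalike sender domain, urgency, bad URL.
SAMPLE_WHALING = b"""From: "Jane Doe" <jane.doe@examp1e.com>
To: cfo@example.com
Subject: Immediate Action Required - confidential wire approval
Content-Type: text/plain; charset=utf-8

Please approve the transfer today via https://micros0ft.com/approve before the board call.
"""

# Constructed sample: legitimate internal mail, should produce no findings.
SAMPLE_BENIGN = b"""From: "Jane Doe" <jane.doe@example.com>
To: cfo@example.com
Subject: Lunch
Content-Type: text/plain; charset=utf-8

See you at noon.
"""

if __name__ == "__main__":
    for raw in (SAMPLE_WHALING, SAMPLE_BENIGN):
        print(triage(raw))
```

The record returned by `triage` is the "structured dataset" stage: everything downstream (case creation, sender block, credential reset) keys off `verdict` and `findings` rather than re-parsing the mail. In a real workflow `KNOWN_BAD` would be replaced by a live intel query, and the urgency check alone is deliberately kept to "suspicious" so that wording by itself never triggers auto-remediation.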

By automating repetitive workflows and augmenting analysts with agentic AI, Torq helps organizations detect, prioritize, and respond to phishing scams and whaling attacks faster than attackers can act. The result: reduced human error, stronger executive protection, and maximized SOC efficiency.

Winning the Phishing War

Generative AI has made phishing faster, cheaper, and harder to detect — meaning that phishing and whaling attacks will only grow more sophisticated, more frequent, and more damaging. Relying on human vigilance and manual triage won’t be enough.

The only sustainable path forward is automation: uniting threat intelligence, AI-driven detection, and orchestrated response into one seamless defense layer. By eliminating manual bottlenecks and supercharging SOC efficiency, Torq ensures that phishing — even whaling-level attacks — never has the chance to sink your business.

Learn the keys to building a more efficient SOC, straight from Torq’s Field CISO.

FAQs

What is an example of whaling?

A classic example of whaling is when an attacker impersonates a CEO or CFO to trick an employee into authorizing a wire transfer. In one real-world case, attackers posed as executives and convinced employees to transfer $46.7 million to fraudulent overseas accounts. This shows how whaling phishing attacks exploit executive authority to carry out high-value fraud.

What are the three types of phishing attacks?

The three most common types of phishing attacks are:

  1. Standard Phishing Attacks – Bulk, generic emails sent to many users in hopes of tricking someone into clicking a malicious link or opening an infected file.
  2. Spear Phishing Attacks – Highly targeted phishing attacks that use personal or organizational details to tailor the message to a specific individual or small group.
  3. Whaling Phishing Attacks – A specialized form of spear phishing aimed at high-profile executives, such as CEOs or CFOs, often involving financial fraud or sensitive data theft.

What does it mean if someone is whaling?

In cybersecurity, “whaling” refers to attackers targeting “the big fish” — senior leaders or executives within an organization. The goal is to exploit their authority and access to approve high-value financial transactions or disclose sensitive company information.

What is the difference between impersonation and whaling?

Impersonation is a tactic: attackers pretend to be someone trusted (e.g., a colleague, vendor, or executive) to trick the victim. It can be used in many types of phishing.

Whaling is a strategy: it specifically targets senior executives. Whaling almost always involves impersonation, but with a narrower and higher-value focus than general phishing.

The MSSP Hyperautomation Playbook: How HWG Sababa Doubled SOC Output

Most MSSPs know the drill: more clients, more tools, more alerts — and somehow, fewer people. The traditional playbook of hiring your way out or custom-scripting every integration just doesn’t work anymore. It’s slow and impossible to maintain across dozens of environments. 

HWG Sababa — an Italy-based MSSP — realized this early. Rather than patching the same old processes, they tore up the traditional playbook and rebuilt their MSSP SOC with Hyperautomation as the foundation.

The Top 4 MSSP SOC Challenges

  1. Scaling security without scaling headcount: Manual processes and custom scripting don’t scale. MSSPs need fast, flexible, and repeatable security automation without needing to code every use case from scratch.
  2. Supporting disjointed customer environments: Each customer brings their own security stack. Integrating dozens of SIEMs, EDRs, and threat intel tools quickly (and securely) is critical to onboarding and retention.
  3. Keeping analysts productive and engaged: Burnout is real. If your SOC analysts are stuck in Tier-1 alert queues all day, you’ll lose them fast — and with them, your operational effectiveness.
  4. Delivering and proving ROI: MSSPs must justify their value with quantifiable outcomes. Response speed, automation rates, and time savings matter just as much as detection quality.

Hyperautomation: The Solution to MSSP SOC Challenges

HWG Sababa, a leading Italian MSSP serving customers across Europe, the Middle East, and Central Asia, found themselves at a crossroads. Their custom-coded automation system had become a bottleneck — too slow and too dependent on developer resources.

To scale their SOC, they needed a new solution that was:

  • Easy for analysts to use; no specialized coding skills required
  • Fast to implement and scale across environments
  • Seamless to integrate with each customer’s existing security stack
  • Designed to eliminate repetitive manual tasks at every stage

They chose Torq Hyperautomation™. And the impact was immediate.

HWG Sababa: SOC Automation Results in Just Weeks

Automating 55% of Monthly Alerts

By focusing first on automating the repetitive, manual Tier-1 tasks that consumed analyst time, HWG Sababa rapidly automated over half (55%) of their total monthly alert volume. 

Torq’s AI-driven enrichment and automated remediation reduced Mean Time to Investigate (MTTI) and Mean Time to Respond (MTTR) by 95% for low-to-medium-priority cases and by 85% for high-priority threats, enabling analysts to handle incidents in minutes rather than hours.

Productivity and Operational Capacity Nearly Doubled

Automating the heavy-lift processes immediately boosted MSSP SOC productivity and efficiency, effectively doubling the team’s operational capacity. SOC analysts moved away from repetitive tasks, shifting focus to complex and strategic cybersecurity analysis.

Enhanced Analyst Morale and Retention

Reducing repetitive workload drastically improved analyst engagement. Automating tasks with Torq freed their SOC analysts to focus on deeper, more strategic cybersecurity work, improving job satisfaction significantly.

Reduced Customer-Side Effort

HWG Sababa also used Torq to automate customer-side actions that previously required manual effort, dramatically reducing their clients’ workloads. 

Marco Fattorelli, Head of Innovation, highlighted that Torq allowed HWG Sababa to deliver automated threat detection, containment, and remediation directly within their customers’ environments. This capability eliminated hours of manual effort for clients and significantly improved overall customer satisfaction.

Strategic Adoption Across the Organization

Torq quickly became a critical strategic tool for MSSP SOC operations and other departments. Teams across the organization began adopting Hyperautomation for their own workflows, leading to widespread efficiency gains. This cross-functional adoption underscores Torq’s usability and immediate, tangible benefits.

Hyperautomation: A Clear MSSP SOC Differentiator

Torq Hyperautomation has become a competitive differentiator for MSSPs across the world. Prospective customers immediately recognize the value of significantly reduced response times, precise alert handling, and quantifiable operational efficiency.

  • No-code/low-code workflows: Analysts — not just engineers — can own and evolve automations.
  • Vendor-agnostic integrations: Connect instantly with customer tech stacks, avoiding lock-in and delays.
  • AI-powered case management: Handle repetitive alerts automatically, while enriching and escalating what matters.
  • Quantifiable ROI: Track every automated action and turn it into clear business value, both for your SOC and your customers.

Looking Forward: A Hyperautomation-First Mindset

With Torq fully embedded into their operational DNA, MSSPs like HWG Sababa are able to evaluate every new tool, technology, or process first through the lens of automation. Hyperautomation isn’t just a technology choice — it’s central to a long-term operational strategy.

By moving away from manual scripting and legacy automation, MSSPs can dramatically increase their operational scale and responsiveness. Torq Hyperautomation transforms managed SOCs, doubles productivity, cuts response times to mere minutes, and delivers measurable value to MSSP customers.

The results for HWG Sababa speak for themselves: a stronger security posture, empowered analysts, happier customers, and a decisive competitive edge.

Ready to Scale Your MSSP SOC?

Torq helps MSSPs differentiate, accelerate, and deliver with unmatched speed and efficiency.

Want to see exactly how HWG Sababa scaled their MSSP SOC, doubled analyst productivity, and delivered measurable ROI with Torq?

Get AMP’d: Introducing the Torq Alliance & Momentum Partner Program

Chris Coburn is the Senior Director of Technology Alliances at Torq

Chris Coburn is the Senior Director of Technology Alliances at Torq, where he leads strategic partnerships that fuel innovation and growth. With experience scaling alliance programs at cybersecurity leaders like Recorded Future, he brings an execution-first mindset to ecosystem development. He’s the architect of Torq’s AMP program, redefining how partners integrate, collaborate, and win together.

At Torq, we don’t believe in playing by the old rules. That’s why we’ve launched the Torq Alliance and Momentum Partners (AMP) program. It’s a bold new take on what a cybersecurity partnership can and should be. AMP is designed to accelerate SecOps innovation, eliminate red tape, and empower partners of all sizes to build, integrate, and grow.

We’re thrilled to welcome launch partners like Google Cloud Platform, Wiz, NVIDIA, Zscaler, Astrix, Intezer, Panther, Sweet Security, and more to the AMP ecosystem. Together, we’re building an alliance program that puts ideas, effort, and impact above everything else.

What Makes Torq AMP Different

Let’s be honest: most partner programs feel like gated clubs. Rigid tiers, “pay-to-play” models, and success metrics built for giants, not innovators. 

With Torq AMP, there’s no tiering. No mandatory customer thresholds. No barriers to entry. What you build and how much effort you put into it matters. Whether you’re a two-person startup with a cool idea or an established leader reshaping a category, AMP gives you the tools and exposure to make it matter.

We’re looking for partners building the coolest, most impactful solutions and putting in the work to bring them to life.

Why Join AMP?

AMP is an ecosystem where innovation meets action. We’ve created a program that aligns technical creativity with meaningful business momentum, including:

  • Fast-track integration: You get your own Torq instance, hands-on support, and a clear path to go from concept to integration without unnecessary overhead.
  • Go-to-market that actually goes somewhere: From joint demos and field events to aligned sales plays and enablement, we work side-by-side to drive real pipeline.
  • Marketing with muscle: AMP partners tap into the full reach of the Torq brand, from strategic social promotion to presence in campaigns, solution briefs, the Torq platform, and yes, even custom swag.

And the best part? AMP is a living program. We don’t stop at launch. We keep building together — more use cases, content, and mutual value. The more you invest, the more you get back.

AMP in Action

Google Cloud + Torq: Powering Cloud-Scale Hyperautomation

Torq’s integration with AMP Partner Google Cloud Platform (GCP) empowers customers to build workflows across Gmail, Drive, Workspace, and more. Google Cloud and Torq accelerate processes with seamless orchestration, rapid threat detection, and automated remediation at scale, making it easier than ever for SecOps teams to protect their cloud environments.
Wiz + Torq: Accelerating Cloud Risk Response

Torq’s integration with Wiz enables cloud-native security teams to automate proactive risk management with ease. Through Torq AMP, joint customers can trigger workflows directly from Wiz alerts and use no-code automation to remediate vulnerabilities, update issue statuses, and correlate cloud risk data with broader security operations. Together, Torq and Wiz accelerate threat detection and response across complex multi-cloud environments.

Get AMP’d

Cybersecurity innovation doesn’t need more red tape; it needs more momentum. That’s exactly what Torq AMP delivers.

If you’re building technology that could transform how SOC teams work, we want to hear from you. Let’s build it, ship it, and wow our mutual customers — together.

Explore the Torq AMP program and get ready to integrate with the most-talked-about company in cybersecurity. 

Torq + SSDLC: Where Secure Automation Begins

Legacy SOAR solutions emerged in an era of traditional, static on-premises networks with fewer sophisticated threats. But today’s cybersecurity landscape is dramatically different — attack surfaces rapidly evolve, threats are multifaceted, and cybersecurity talent is increasingly scarce. 

As organizations struggle with sprawling security stacks and burned-out SOC teams, legacy SOAR solutions reveal their significant limitations. One of the most critical weaknesses is their lack of support for the Secure Software Development Lifecycle (SSDLC).

The Evolution from SDLC to SSDLC

Every software application, from mobile apps to intricate enterprise solutions, follows a structured development process called the Software Development Lifecycle (SDLC). SDLC provides a systematic approach, covering requirement analysis, design, coding, testing, deployment, and maintenance. While it allows for systematic steps to ensure software quality and reliability, traditional SDLC often sidelines security until late stages in the software development process.

The growth of sophisticated cyber threats underscores the limitations of traditional SDLC. To address these gaps, the Secure Software Development Lifecycle emerged, embedding security practices at every stage of the development lifecycle. Unlike traditional SDLC, which prioritizes functionality and performance, SSDLC proactively addresses vulnerabilities and significantly reduces risk.

The Importance of Integrating SSDLC into Modern Development

Integrating SSDLC is essential for any organization serious about maintaining digital trust. Cyber threats continue to rise in complexity and frequency, making a security-first approach non-negotiable. The proactive, integrated model of SSDLC dramatically reduces vulnerability risks compared to traditional SDLC methods, which often rely on reactive, late-stage patching and inefficient security tests.

Transitioning to SSDLC signifies more than just a technical shift; it represents an organizational commitment to embedding security deeply into the culture and software development lifecycle, driving resilience, compliance, and long-term trust.

Where Legacy SOAR Fails: Lack of SSDLC Integration

SSDLC ensures that security considerations are seamlessly integrated throughout the entire software development lifecycle and automation workflows, reducing vulnerabilities before they become expensive, high-risk issues in production. However, legacy SOAR solutions typically:

  • Lack integrated tools and features specifically designed for SSDLC
  • Require substantial manual effort to verify that workflows meet security and compliance standards
  • Leave workflows vulnerable to potential security threats due to inadequate built-in security testing and checks

These gaps force organizations to invest considerable resources — both human and financial — to ensure automation workflows remain secure and compliant, resulting in higher operational costs and increased exposure to data breaches.

How Torq Hyperautomation Integrates SSDLC by Design

Unlike traditional SOAR solutions, Torq Hyperautomation™ inherently integrates SSDLC principles throughout its platform, ensuring security is embedded into every aspect of workflow development.

Built-in SSDLC Framework

Torq’s Hyperautomation platform offers a comprehensive framework that covers planning, software development, testing, deployment, and maintenance phases. Embedding secure software development into every step of automation ensures robust, compliant workflows.

Automated Testing and Continuous Validation

With Torq, rigorous automated testing is built into the workflow development process. These comprehensive tests check for:

  • Vulnerabilities: Continuous scanning and mitigation of security flaws.
  • Performance assessments: Ensuring security measures don’t degrade functionality.
  • Compliance adherence: Automatic checks aligned with industry standards and regulations.

Unlike legacy solutions, Torq’s automated tests are ongoing, not isolated to specific phases. This continuous validation ensures all workflow changes and updates remain secure and adhere strictly to best practices. Torq also integrates seamlessly with existing development tools, creating a unified and efficient workflow environment.

Environment Segmentation: Development, Staging, and Production

Torq allows security teams to separate workflow development into clearly defined development, staging, and production environments. This enables controlled testing and refinement before workflows ever touch a live environment. By isolating workflows this way, Torq dramatically reduces the risk of security incidents and ensures smooth deployments.

Torq Hyperautomation also implements robust role-based access control (RBAC) by default. These stringent access controls ensure only authorized personnel can interact with specific functions, preserving workflow integrity and security.

Agile Workflow Development with Enhanced Security

Torq doesn’t just secure your automation workflows — it accelerates their development. Its intuitive, user-friendly interface empowers users of all technical skill levels to prototype, test, and refine workflows rapidly.

Torq’s iterative, agile-driven development process incorporates continuous feedback, ensuring automations remain effective and adaptive to evolving security requirements. This agile process far surpasses the capabilities of legacy SOAR platforms, enabling your organization to respond swiftly and confidently to new threats.

Hyperautomation is Essential for SSDLC

The future of software security demands an integrated, continuous SSDLC approach that seamlessly fits into an organization’s overall development strategy. Traditional SDLC approaches that defer security considerations are no longer viable in today’s rapidly evolving threat landscape.

Organizations adopting Torq’s Hyperautomation platform can confidently build security into the core of their development processes, ensuring their automation workflows remain robust and resilient against evolving threats. This continuous, integrated security approach positions organizations to maintain compliance, build digital trust, and sustainably mitigate risks.

Legacy SOAR solutions simply can’t keep up with modern cybersecurity demands. Their lack of built-in SSDLC support leaves critical gaps, resulting in higher costs, increased risks, and significant manual overhead. In contrast, Torq’s Hyperautomation platform is built from the ground up with security-first principles.

With automated SSDLC support, rigorous security checks, robust environment segmentation, and agile workflow development, Torq ensures automations are secure, compliant, and ready to handle today’s dynamic threat landscape.

Secure your organization’s future with Torq’s integrated SSDLC and Hyperautomation capabilities.

How Valvoline Hyperautomated Their SOC in Just One Week

Retail cybersecurity teams face a perfect storm: high-volume, low-signal alerts, a massive surface area across stores, POS systems, cloud apps, and third-party vendors, and an environment where any delay in response can lead to reputational and revenue damage.

Yet most retail SOCs are held back by aging infrastructure and brittle tools. Alert fatigue, false positives, and manual workflows turn shifts into chaos. Legacy SOARs aren’t helping; they’re often the problem.

To survive and scale, retail SOCs need automation that’s fast to deploy, easy to use, and flexible enough to handle diverse systems and real-world incident volume. That’s Torq Hyperautomation™. Valvoline faced these exact challenges — and overcame them — by replacing their brittle legacy SOAR with Torq, transforming their SOC in just one week.

Retail SOC Cybersecurity Challenges

Retailers handle massive volumes of customer data, making them prime targets for cybercriminals. At the same time, they face growing IT complexity across stores, e-commerce platforms, and third-party vendors. Legacy systems, minimal in-house resources, and constant alert fatigue make defending against modern threats increasingly difficult.

Top retail threats include:

  • Phishing and social engineering: Used to steal customer credentials or launch broader attacks.
  • Ransomware: Often triggered by phishing, disrupting business operations and demanding costly ransoms.
  • Third-party & IoT risks: Unsecured vendors and smart devices expand the attack surface dramatically.
  • Credential attacks: From fake accounts to credential stuffing, bots wreak havoc on authentication systems.
  • DDoS and web exploits: Automated attacks can bring down retail systems and erode customer trust.

To stay resilient, modern retail SOCs need security automation that neutralizes threats faster than attackers can exploit them, without increasing analyst burden.

Hyperautomation: A Better Way to Automate the Retail Industry

When Corey Kenning became Senior Director of InfoSec at Valvoline, he inherited a challenge familiar to many security leaders: Legacy SOAR that broke more than it built. His SOC had been cut in half during a major divestiture, and their deeply customized, brittle SOAR couldn’t keep up. Only a few SMEs could operate it, and everyone else was blocked.

“We needed a platform that didn’t require hard-to-find coding skills. Our SOAR was slowing us down, not scaling us up,” Corey shared. What followed was a full transformation of Valvoline’s security operations — one powered by Torq Hyperautomation™ for automation in retail.

How Valvoline Hyperautomated Their SOC

Valvoline put Torq to the test in a head-to-head proof of value. Within 48 hours, they were live. Within a week, they were running real automation in production.

  • Their Rapid7 integration, which had stalled for hundreds of hours in their SOAR, was live in less than a week in Torq.
  • Phishing triage, once eating up to 12 hours per day, became a fully automated workflow, slashing workload by 6–7 analyst hours daily.
  • Containment actions — password resets, session terminations, and more — became automatic, logged, and auditable via Torq’s built-in case management.
  • Non-developers could use no-code/low-code drag-and-drop workflows, which made it easy for anyone on the team to contribute.

“Torq takes the vision that’s in your head and actually puts it on paper and into practice.”

Corey Kenning, Senior Director of InfoSec at Valvoline

From Reactive to Proactive: The SOC of the Future

With Torq, retail companies like Valvoline can move from reactive response to a strategic focus.

  • Anyone can build: Drag-and-drop workflows let even non-developers create automation.
  • Analysts reclaim their time: Repetitive Tier-1 tasks became automated, eliminating alert fatigue.
  • Response becomes instant: Clicking a malicious link now triggers a fully automated incident response workflow — no manual intervention required.
  • Case management got smarter: Built-in automation tracks every action and provides rich incident metrics.

Why Retail SOCs Are Turning to Hyperautomation

Torq isn’t just a better product — it’s a better partner.

From onboarding to enablement, SOC teams are supported by a dedicated Customer Success Manager, Solutions Architect, and content resources at every step. And because Torq is built for scale, Valvoline is now expanding automation to adjacent teams like identity and fraud.

What once took weeks or months now takes days. The Valvoline team is delivering more value with fewer resources — and doing it without waiting on developers or vendors.

Torq Hyperautomation gave Valvoline the speed, flexibility, and confidence they needed to scale security without scaling burnout. Within 48 hours, they were live. Within a week, they were automated. And, they’re just getting started with all that they can do with Torq.

See how Valvoline replaced legacy SOAR, automated phishing triage, and transformed their retail SOC in just one week with Torq Hyperautomation.

Security Operations Center Best Practices to Boost Security & Automate Smarter

Torq Field CISO Patrick "PO" Orzechowski, SOC leader and expert

Patrick Orzechowski (also known as “PO”) is Torq’s Field CISO, bringing his years of experience and expertise as a SOC leader to our customers. PO is a seasoned security veteran with a deep understanding of the modern security landscape. You can find him talking to SOC leaders and CISOs from major brands at cybersecurity events around the world.

Running a SOC isn’t for the faint of heart. I should know. Late nights, understaffed teams, endless alerts, and jumping from tool to tool — all fueled by a probably unhealthy amount of energy drinks? Yeah, I’ve been right there in the trenches. And let’s face it: the old SecOps playbooks can’t scale in the face of modern SOC challenges.

The SOC best practices below are the hard-won lessons that separate the security operations centers that struggle to keep up from the ones that position themselves as strategic value centers.

Level Up Your SOC: Best Practices to Stay Sharp and Secure

A Security Operations Center (SOC) brings together people, processes, and technology to manage and improve an organization’s security posture. Put simply, it’s the command center for protecting a business from cyber risk and threats.

In a world where a single data breach can cost millions, an efficient SOC isn’t a luxury — it’s a core business function. An effective security operations center can significantly reduce an organization’s risk by identifying, analyzing, and responding to cybersecurity incidents in near real-time, or better yet, finding and mitigating vulnerabilities before they ever become an incident.

When I ask security operations center leaders the “why” behind the way they built their SOC, most mention that it’s to:

  • Proactively prevent cybersecurity incidents by detecting and fixing vulnerabilities, security monitoring, and gathering threat intelligence on known threats.
  • Minimize the impact of data breaches by rapidly containing incidents and minimizing their impact on the organization.
  • Ensure business continuity by protecting critical assets and data so business operations can continue without interruption.

At the end of the day, all of these drive up to the ultimate goal of a SOC: reducing risk to the business. 

5 Most Common SOC Challenges

If you run a SOC, these challenges probably keep you up at night. They’re not just headaches — they’re fundamental risks to your security posture.

1. Alert Fatigue

Alert fatigue is more than just “too many alerts” — it’s a soul-crushing onslaught of low-fidelity noise and false positives that buries the critical alerts that matter. While the cybersecurity industry is a bit of a broken record around alert fatigue, it doesn’t change the fact that most teams are still struggling with it — more than half of security teams say false positives are a huge problem, and nearly two-thirds are overwhelmed by sheer data volume. Alert fatigue burns out already stretched-thin SOC teams, delays threat detection and incident response, and increases the risk of missed threats.

2. Tool Overload

Too many security operation centers I see have sprawling security stacks of disconnected tools that don’t play nice. Security analysts waste precious time swiveling between different UIs and even writing clunky PowerShell or Python scripts to gather information, trying to solve a puzzle with pieces from different boxes. 

3. Manual Processes

In 2025, there’s simply no need for human SOC analysts to be manually copy-pasting information from one tool to another to build a case. These repetitive, mind-numbing tasks are slow, prone to human error, and a complete waste of your team’s valuable expertise.

4. Talent Shortage

Finding and retaining top-tier security talent is brutally competitive. The shortage is real, and it means you can’t just throw more people at the problem (especially when budgets are lean). You have to make the team you have exponentially more effective. A crucial part of that is keeping your SOC analysts engaged — automating mundane tasks takes tedious work off their plates, which directly increases morale, boosts productivity, and gives your best talent a reason to stay.

5. Scalability Issues

The volume of data from cloud environments, SaaS applications, and distributed endpoints is exploding, and the security perimeter is larger than ever. A SOC built on manual processes and disjointed tools simply cannot scale to meet this demand. As your business operations — and your attack surface — grow, your security coverage will fall further and further behind unless you start automating.

6. The Ransomware Time-Bomb

Today, every organization of any size is a target for ransomware, and ransomware operators are moving at unprecedented speed, with a median time from initial breach to business-ending payload of less than 24 hours. This breakneck pace demands an immediate and flawless response that is nearly impossible to deliver with manual processes.

7 Security Operation Center Best Practices

Since I started at Torq, I’ve heard the same story from CISOs over and over — they’ve finally reached a tipping point with tech sprawl. They’re looking at unwieldy, expensive security stacks and asking the hard questions: Are these dozens of tools actually making us more secure, or are they just burning out our security analysts and our budget?

This is leading to a massive push for real SOC transformation. The smartest leaders I talk to are no longer content with running a reactive cost center that just cleans up messes. They’re determined to build a proactive, data-driven value center that anticipates cyber threats and demonstrates clear ROI, often by replacing ten disjointed tools with three or four that work together. But getting there requires a fundamental shift in strategy.

The following security operations center best practices are the playbook for that transformation.

1. Build a Strong Foundation with the Right People and Processes

Stop hiring bodies and start building a team. Move from generalized security playbooks to methodical runbooks that combine your security analysts’ expertise with strategic automation and AI augmentation. 

2. Prioritize Threat Detection and Response to Your Business Needs

It’s key to shift your team’s focus from managing alerts to actively hunting cyber threats. But with the sheer volume of today’s alerts pinging from sprawling stacks and an explosion of endpoints, the only way to free them up is by leveraging automation and AI to handle the majority of your Tier-1 alerts. 

3. Automate the Mundane, Focus on the Critical

Automating repetitive and time-consuming tasks allows your limited resource of human expertise to be focused on more strategic activities, such as threat hunting and investigating complex and critical cases.

4. Embrace Continuous Improvement

The most overused wording in cybersecurity think pieces is probably “the constantly evolving threat landscape,” but the truth still stands. To keep up, SOCs must continuously improve their processes and technologies, which means regularly reviewing and updating security policies, tools, processes, and procedures, tracking and reporting KPIs, and being able to slice and dice case data to pinpoint problem areas.

5. Measure Everything

If you can’t measure it, you can’t fix it. Mean time to investigate, respond, and remediate aren’t vanity metrics — they are the vital signs of a SOC. When you can show your CISO that Hyperautomation slashed MTTI from hours to minutes (like this top 30 U.S. bank did), you’re no longer talking about a cost center; you’re talking about tangible, provable ROI.

6. Be Strategic About AI

AI is the biggest buzzword in security right now, with every vendor promising it can solve all of your problems. But it’s not a magic wand — and there’s a whole lot of AI-washed marketing out there right now. The real power of AI in the SOC is leveraging it to automate away the noise and grunt work and accelerate incident response, so your human SOC analysts can hunt cyber threats and handle complex incidents. And if an AI solution can’t prove its logic with evidence, it’s a black box that will kill trust and has no place in your SOC. See how to deploy AI in the SOC the right way.

7. Consolidate and Optimize 

True optimization isn’t a “lift and shift” of your old, inefficient workflows to a new platform — it’s about fundamentally transforming your processes. Torq helps customers escape the tech debt of legacy SOAR by replacing dozens of brittle, code-heavy workflows with a handful of powerful and efficient automations built easily in Torq.

When migrating off a SOAR, Torq customers consistently consolidate their processes, achieving the same outcomes with significantly fewer and more efficient automations, often slashing their workflow count by 30% or more. Get the SOAR migration guide.

The Best SOC Tools

You can’t win today’s fight with yesterday’s technology. What’s the core solution you need to build a modern, autonomous SOC?

Torq HyperSOC

HyperSOC™ is the AI-driven platform I wish I had years ago. Designed specifically to crush the biggest challenges SOCs face, HyperSOC uses powerful, no-code automation to become the connective tissue for your entire security stack, so your cases are managed out of a single interface, and agentic AI autonomously handles 90% of Tier-1 case work.

Here’s how HyperSOC incorporates critical SOC best practices, built in:

  • Automates alert triage: HyperSOC ingests the flood of alerts across your stack, using automation and AI to add context, dismiss false positives, and group related alerts into a single, actionable case. It cuts through the noise so your team only sees what truly matters.
  • Connects your security tools: Torq has hundreds of pre-built integrations to instantly connect your SIEM, endpoint detection and response (EDR), threat intelligence, ticketing, and communication platforms into seamless, automated workflows.
  • Uses no-code, low-code, and AI-generated workflows: With Torq, you don’t need a team of developers to build complex automations. Torq’s drag-and-drop and AI-generated workflow-building capabilities mean anyone can create automations to handle everything from phishing investigation to endpoint containment.
  • Supports human-in-the-loop actions: Any AI deployed in the SOC needs to be transparent to be trustworthy. Torq makes it easy to inject human decision points into any AI workflow. Torq’s AI SOC Analyst Socrates can automatically investigate and enrich a case, then present it to a security analyst in Slack or Teams for a final decision on a critical action.

The Foundation for Transformation: Why SOC Best Practices Matter

The days of running a SOC on manual processes and sheer willpower are over. The only way to win against fast, AI-powered adversaries is to fight back with smarter, faster automation. By following security operations center best practices like prioritizing automation, empowering your team with the right tools, and quantifying outcomes through metrics, you can transform your SOC into a strategic value center.

Torq HyperSOC was designed specifically to automate and orchestrate modern SOC operations at scale. Want to learn more about how HyperSOC can help your security operations center get a whole lot more done, a whole lot faster? 

Get the SOC Efficiency Guide packed with insights from my years in the trenches as a SOC leader.

MTTD vs. MTTR: Definition, Differences, & Why They Matter

When a cyberattack occurs, every second counts. Metrics like Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR) are critical benchmarks in cybersecurity, helping organizations evaluate the effectiveness of their Security Operations Centers (SOCs). But what’s the difference between MTTD vs MTTR, and why do they matter?

Understanding and improving these metrics through strategic investments in security automation can significantly elevate your security posture, minimize damage, and keep your organization safe from threats.

MTTD vs. MTTR in Cybersecurity

Mean Time to Detect and Mean Time to Respond are both fundamental KPIs in cybersecurity, but each measures something distinct.

  • MTTD (Mean Time to Detect) measures the average time it takes your team to identify that a security incident has occurred. This metric primarily evaluates your monitoring and detection capabilities. A lower MTTD indicates your security stack can quickly recognize anomalies and suspicious activity.
  • MTTR (Mean Time to Respond) (sometimes called Mean Time to Resolve) tracks the average time required to respond to and resolve an incident fully. Speed matters; a recent SANS survey found that 33% of teams take hours to respond to threats. That’s too long. A shorter MTTR reflects strong incident response procedures and an agile, responsive security team.

MTTR often involves people and a series of steps that are needed to fix the issue. While MTTD may measure how well an automated alert system performs, MTTR often measures both your systems and the people you depend on to jump into action after an incident.

Together, these metrics illustrate your SOC’s maturity and operational effectiveness. Optimizing MTTD and MTTR directly reduces risk and overall damage from cybersecurity incidents.

How Automation Improves MTTD and MTTR

Security automation plays a pivotal role in dramatically enhancing both MTTD and MTTR, empowering security teams to scale detection and response effectively by:

  • Improving detection: Automated systems like SIEM, EDR, and XDR can swiftly correlate vast data sets, instantly surfacing anomalous activities. Automation reduces reliance on manual log analysis, ensuring immediate, accurate threat identification.
  • Accelerating response: Automation streamlines and accelerates incident response workflows. Tasks like enrichment, analysis, and containment that typically consume significant analyst time become nearly instantaneous. Automation eliminates the manual “grunt work,” allowing analysts to focus solely on complex or high-risk situations.
  • Reducing human error: With agentic AI handling the automation, repetitive tasks become consistently executed according to predefined procedures, drastically reducing the potential for mistakes and inconsistencies in handling security incidents.
  • Seamless integration: Hyperautomation platforms integrate seamlessly with SIEM, EDR, and XDR tools, delivering rapid data exchange, correlation, and enriched context. This tight integration creates an end-to-end, automated security ecosystem.

In short, automation significantly shrinks the time between detecting a threat and mitigating its impact, providing an immediate, measurable boost to your SOC performance.

How to Measure MTTD & MTTR (with Formulas)

Quantifying your incident response effectiveness requires clear measurement methods. Here’s how you calculate each:

Below is some practical guidance for measuring MTTD and MTTR:

  • Consistent tracking: Record timestamps at every key incident stage (i.e., detection, acknowledgment, investigation, and resolution).
  • Aggregate metrics: Regularly aggregate these timings to spot trends or inefficiencies in your process.
  • Benchmarking: Establish baseline metrics to evaluate the impact of new tools, processes, or automation investments.

MTTD and MTTR don’t exist in isolation. They are part of a broader landscape of incident response metrics that security teams should be tracking, including:

  1. MTBF (Mean Time Between Failures): MTBF measures the average time between system failures. It’s useful for evaluating the reliability of security systems and predicting when future incidents might occur. A higher MTBF indicates stable security operations.
  2. MTTF (Mean Time to Failure): MTTF tracks the average lifespan of a security tool or system component before a failure occurs. It’s commonly used to assess product reliability and helps organizations schedule proactive maintenance or upgrades.
  3. MTTA (Mean Time to Assignment): MTTA is the average time it takes for an incident to be assigned to a specific analyst or team member after detection. Lower MTTA reduces response latency and enables teams to tackle threats more efficiently.
  4. MTTI (Mean Time to Investigate): MTTI represents the average time taken from initial detection until the investigation is completed. Faster MTTI means threats can be understood and contained sooner, limiting potential damage.
  5. MTTx (Mean Time to “Anything”): MTTx is a flexible metric used at Torq to track the average time to complete any defined security operation or workflow. It helps SOC teams measure efficiency across custom actions, automations, or specific tasks unique to their security processes.

Understanding these related metrics provides deeper insight into your security operations and helps identify specific bottlenecks or areas for improvement.
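As an added example (not Torq’s code), here is one way to compute MTTD, MTTA, MTTI and MTTR from the per-stage timestamps described above, with a generic MTTx helper that covers any pair of stages; the Incident record, its stage names and the sample incidents are constructed assumptions, and open cases are excluded from MTTR rather than counted as zero.

```python
"""Added example: MTTD / MTTA / MTTI / MTTR (and generic MTTx) from per-incident
timestamps. Example code, not Torq's; stage names and sample data are constructed."""
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Dict, Iterable, List, Optional

# Stage order assumed for every incident record (constructed for this example).
STAGES = ("occurred", "detected", "assigned", "investigated", "resolved")


@dataclass(frozen=True)
class Incident:
    """Timestamps for the key stages of one incident (all assumed UTC)."""
    case_id: str
    occurred: datetime                   # attacker activity began (from forensics)
    detected: datetime                   # first alert fired
    assigned: datetime                   # case handed to an analyst or AI agent
    investigated: datetime               # investigation completed
    resolved: Optional[datetime] = None  # None while the case is still open

    def __post_init__(self) -> None:
        # Timestamps must be non-decreasing in stage order; a skewed clock or a
        # mis-entered time would otherwise yield a negative duration that drags
        # the mean down and hides a real problem.
        ordered = [getattr(self, s) for s in STAGES if getattr(self, s) is not None]
        if any(a > b for a, b in zip(ordered, ordered[1:])):
            raise ValueError(f"{self.case_id}: stage timestamps out of order")


def mttx(incidents: Iterable[Incident], start: str, end: str) -> Optional[float]:
    """Mean minutes from stage `start` to stage `end` (the page's MTTx idea).

    Incidents that have not reached `end` are skipped; returns None if nothing
    can be measured, so a dashboard never shows a misleading 0.0."""
    durations: List[float] = []
    for inc in incidents:
        t0, t1 = getattr(inc, start), getattr(inc, end)
        if t0 is None or t1 is None:
            continue
        durations.append((t1 - t0).total_seconds() / 60)
    return mean(durations) if durations else None


def mttd(incidents: Iterable[Incident]) -> Optional[float]:
    """Mean Time to Detect: attacker activity began -> first alert."""
    return mttx(incidents, "occurred", "detected")


def mtta(incidents: Iterable[Incident]) -> Optional[float]:
    """Mean Time to Assignment: detection -> case assigned."""
    return mttx(incidents, "detected", "assigned")


def mtti(incidents: Iterable[Incident]) -> Optional[float]:
    """Mean Time to Investigate: detection -> investigation complete."""
    return mttx(incidents, "detected", "investigated")


def mttr(incidents: Iterable[Incident]) -> Optional[float]:
    """Mean Time to Respond/Resolve: detection -> fully resolved."""
    return mttx(incidents, "detected", "resolved")


def report(incidents: Iterable[Incident]) -> Dict[str, Optional[float]]:
    """All four metrics in minutes, ready for trend tracking or benchmarking."""
    incs = list(incidents)
    return {"MTTD": mttd(incs), "MTTA": mtta(incs), "MTTI": mtti(incs), "MTTR": mttr(incs)}


def _ts(hour: int, minute: int) -> datetime:
    """Helper for the constructed sample data (one fixed day, UTC)."""
    return datetime(2025, 1, 15, hour, minute)


# Constructed sample: three closed cases plus one still open (no `resolved`).
SAMPLE_INCIDENTS = [
    Incident("CASE-A", _ts(8, 0), _ts(9, 0), _ts(9, 10), _ts(10, 0), _ts(11, 0)),
    Incident("CASE-B", _ts(12, 0), _ts(12, 30), _ts(12, 50), _ts(14, 30), _ts(16, 30)),
    Incident("CASE-C", _ts(20, 0), _ts(21, 30), _ts(21, 30), _ts(21, 45), _ts(22, 0)),
    Incident("CASE-D", _ts(22, 0), _ts(23, 0), _ts(23, 10), _ts(23, 45)),  # open
]

if __name__ == "__main__":
    for name, value in report(SAMPLE_INCIDENTS).items():
        print(f"{name}: {value:.1f} min" if value is not None else f"{name}: n/a")
```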

Key Incident Response Metrics Explained

Illustration showing MTTD vs MTTR metrics comparison

The Hyperautomation Domino Effect in Incident Response

Improving MTTD and MTTR isn’t just about moving faster; it’s about removing the friction between each phase of the incident response lifecycle. Torq Hyperautomation connects the dots across the entire workflow — from detection to assignment, investigation to remediation — creating a seamless chain reaction of automation that compounds every efficiency. Here’s how that automation domino effect plays out in practice:

Faster detection (MTTD): Torq reduces noise by automatically filtering out low-priority alerts and surfacing real threats faster. This shrinks MTTD and ensures analysts aren’t wasting time chasing false positives.

Faster assignment (MTTA): Once a threat is detected, a case is immediately built and assigned to the right resource within Torq’s intelligent case management dashboard. Torq decides in real time whether Socrates — the AI SOC analyst that offloads 90%+ of Tier-1 cases — or a human should take the lead, dynamically reassigning ownership if the threat escalates. That means alerts don’t sit in limbo, waiting to be noticed.

Faster investigation (MTTI): By the time an analyst gets involved, much of the work is already done. Torq HyperSOC automatically enriches and correlates incident data, while AI agents generate case summaries and assign relevant case runbooks. This allows analysts to dive straight into meaningful analysis, not manual triage.

Faster response (MTTR): Response time is reduced by how quickly and efficiently action is taken. Analysts can trigger remediation with a single click or let Socrates respond autonomously in milliseconds. Whether isolating a device, disabling a user, or launching a complex remediation strategy, action happens at machine speed.

Each improvement compounds the next, like dominoes falling one after another. The faster a threat is detected and assigned to the appropriate resource, the faster those resources can be actioned. With Torq Hyperautomation, every second saved is multiplied across the incident lifecycle, delivering exponential gains in speed, accuracy, and scale.

Reduce Your MTTD and MTTR with Torq Hyperautomation

Effectively managing cybersecurity threats requires fast detection and even faster responses. Clearly differentiating MTTD vs. MTTR and understanding related metrics like MTBF, MTTF, MTTA, and MTTI enables SOC teams to target improvements strategically.

The Torq Hyperautomation™ platform offers a proven way to dramatically lower both MTTD and MTTR through real-time incident detection, streamlined automated workflows, and reduced analyst workload. Torq helps organizations minimize alert fatigue, decrease caseload per analyst, and improve overall compliance and efficiency.

Ready to drastically reduce your MTTx? Get practical advice from our Field CISO on how to make your SOC more efficient.

How AI is Redefining SOC Architecture 

If you’ve been in cybersecurity longer than five minutes, you know one thing: legacy SOC architecture isn’t just showing its age — it’s creaking under the weight of today’s threats. 

Cybersecurity analyst Francis Odum nailed it when presenting at Torq’s SKO 2025: “Legacy SOAR assumed everything starts in the SIEM. Now, teams connect automation directly to EDR, email, and identity systems.”

This antiquated SOC architecture model, where every alert and log file is funneled into a Security Information and Event Management (SIEM) solution for analysis, is too slow, too rigid, and creates too many bottlenecks to support today’s exploding security event and data pipeline. Modern SOCs need speed, scalability, and a level of intelligence that legacy architecture simply cannot provide. They need a new approach that is purpose-built for the AI era. 

What is AI SOC Architecture?

AI SOC architecture is not just about adding AI to the stack — it’s about re-architecting the stack around AI. The traditional SOC model relies on aggregating data into a centralized point of analysis before taking action. In contrast, the AI SOC places agentic, AI-powered Hyperautomation at the center of operations — integrating directly with data lakes, security tools, and workflows to create a unified, AI-native control plane. This architecture ensures a single source of AI truth, distributed evenly across the entire security stack.

Shifting the SOC Foundation

“Architecture is changing. Automation tools like Torq are being plugged directly into EDR and identity systems — not after the SIEM, but before it.”

Francis Odum, Software Analyst Cyber Research

For years, the SOC has been centered around the SIEM. Disparate security vendor solutions would feed hundreds of thousands of logs, events, and alerts into the SIEM for security analysts to manually parse through, correlate, and eventually return to the respective point solution(s) to begin the remediation process. This model created a lot of friction, leading to several chronic problems, including: 

  • Process debt: This process would cause what we in the biz call “swivel chair syndrome,” as it often isn’t as simple as a single straight line from detection to SIEM to remediation. Instead, the lengthy investigation had analysts swiveling back and forth between the SIEM and security tools several times before reaching a conclusion hours later. 
  • Central bottlenecks: While a centralized approach to security event management once seemed favorable, SIEM solutions were not designed for the volume of data produced by the multi-cloud environments that organizations have built — let alone the deployment of AI to help alleviate the manual filtering of that data. This creates a massive data bottleneck and, worse, a single point of failure for the SOC to rely upon. 
  • Reactive, delayed response: In addition to scalability concerns, this is also a largely reactive approach, requiring analysts to use the SIEM to begin the manual investigation process long after an incident occurs. This slows down critical SOC reporting metrics like Mean-Time-To-Detection (MTTD) and Mean-Time-To-Response (MTTR). Legacy SOAR solutions attempted to solve this problem but did not deliver faster orchestration or response times due to limited and inflexible automation playbooks.

Between sifting through an overwhelming amount of logs in a centralized SIEM solution and battling the manual efforts of legacy SOAR automation, security analysts find themselves drowning in disconnected alerts and burning out at an alarming rate. 

An AI SOC architecture flips this on its head, shifting the SIEM further left in the security event lifecycle, particularly as many organizations continue to adopt a multi-SIEM strategy to offset increasing storage costs from legacy SIEM vendors. 

Gartner’s recent Reference Architecture Brief: SIEM-Centric Security Operations report points out that as the industry largely shifts away from legacy SOAR solutions, it is seeing more advanced capabilities come from platforms centered around AI SOC Analysts, which produce stronger outcomes for analyst augmentation and security automation. 

What Does AI-Native SOC Architecture Look Like? 

In the same report, Gartner breaks down the Security Operations Center architecture into two distinct components: Security Operations Tools (e.g., SIEM and Detection-as-Code solutions) and SOC Actions (e.g., manual triage, investigation, threat hunting, and response via the SOC Team). Gartner calls out SecOps Workflow Automation, which consists of third-party automation and AI SOC analysts, bridging the gap between these two pillars of the SOC. 

This is the heart of the AI-native SOC Architecture — a foundation of agentic AI and Hyperautomation built for the modern cloud-first SOC environment and designed for simplicity, extensibility, and scale.

Torq unifies security tools with AI SOC analysts and Hyperautomated workflows — streamlining triage, case management, and incident response.

Agentic AI

Agentic AI sits at the core of the AI SOC architecture. Rather than burdening human analysts with manually piecing together thousands of logs and events, an AI-native SOC leverages a multi-agent system (MAS) to handle up to 90% of Tier-1 security analysts’ tasks. These specialized AI agents have a deep understanding of the SOC environment, allowing them to plan incident response, make complex decisions, and take remediation actions autonomously. 

Hyperautomation

Hyperautomation is the engine that drives autonomous response and the glue that connects agentic AI with the rest of the SOC solutions to bridge the gap between Security Operations Tools and SOC actions. With limitless no-code or AI-generated integrations, the Hyperautomation engine is the delivery system allowing agentic AI to take action, automating anything from simple alert triage to complex, multi-step incident responses. 

Enterprise-Grade Security Architecture

Unlike monolithic legacy SIEM and SOAR solutions, an AI-native SOC architecture is built for cloud-first scalability and flexibility. Underpinned by an extensible security architecture, horizontal and elastic scalability allows the SOC to dynamically process and prioritize hundreds of thousands of events from various data sources, ensuring the most critical information is surfaced without interruption.

Torq’s AI SOC Architecture

Torq is built for this moment. It’s not about retrofitting AI into a legacy architecture — Torq is an enterprise-ready, AI-native platform purpose-built from the ground up to solve existential SOC challenges like alert fatigue, tech sprawl, and analyst burnout. 

Torq’s AI SOC architecture begins with the ability to integrate with any solution across the entire security stack and beyond: EDR, IAM, email security, threat intelligence, collaboration and communication tools, and more. 

This direct integration lets agentic AI not only take autonomous remediation actions across Tier-1 and Tier-2 use cases but also retrieve and enrich data straight from the source, filling in what is missing from (or hard to find in) SIEM logs. As the modern SOC scales to tens of thousands of alerts per day, Torq’s AI SOC architecture handles that volume without creating single-point bottlenecks. 

HyperSOC™ 

Torq HyperSOC, the AI-powered autonomous SOC solution, was likewise designed explicitly to support AI deployment across the modern SOC. Where legacy SOAR solutions bolt on workarounds to handle case management once an analyst has manually pulled the relevant data from the SIEM, Torq HyperSOC consists of intelligent case management plus Socrates, the agentic AI SOC Analyst, embedded directly in each security case. Socrates summarizes key findings, suggests next steps, and analyzes case runbooks for autonomous remediation. 

The Multi-Agent System 

Socrates coordinates Torq’s multi-agent system, a team of AI Agents that can autonomously handle the vast majority of Tier-1 and Tier-2 use cases, reduce human analysts’ workload by over 95% from initial investigation to final remediation, and enable SOC teams to tackle up to 5x more security cases in a single day without adding headcount.

Socrates leads Torq’s multi-agent AI system, autonomously resolving cases, reducing analyst workload by 95%, and enabling SOC teams to handle 5x more incidents daily.

Model Context Protocol

To let Torq’s AI agents communicate reliably across any number of integrated security tools and other AI solutions deployed in the SOC, Torq’s AI SOC architecture also natively supports Model Context Protocol (MCP), an open protocol that standardizes how applications expose context and tools to AI agents, so an agent can retrieve information from applications and systems through one common interface. 
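To make the MCP paragraph concrete, here is an added, in-process example (not Torq’s code, and not the official MCP SDK) of the two JSON-RPC 2.0 methods an agent uses most: `tools/list` to discover what an integration offers, and `tools/call` to invoke one tool and get context back. The `threat_intel_lookup` tool, its input schema, and the `THREAT_INTEL` table are hypothetical and constructed for the example; the `initialize` handshake and the transport layer (stdio or HTTP) that a real MCP server would also need are omitted.

```python
"""Minimal MCP-style tool server plus the agent-side call, all in one process.
Assumptions: the tool name, schema and THREAT_INTEL data are constructed for
this example; a real server would sit behind an MCP transport and handshake."""
import json

# Constructed stand-in for a threat-intelligence integration (example data only).
THREAT_INTEL = {
    "203.0.113.7": {"verdict": "malicious", "tags": ["c2", "cobalt-strike"]},
    "198.51.100.4": {"verdict": "suspicious", "tags": ["tor-exit"]},
}

# What tools/list advertises: name, description and a JSON Schema for the arguments.
TOOLS = [
    {
        "name": "threat_intel_lookup",  # hypothetical tool name
        "description": "Return the threat-intel verdict for an IPv4 address.",
        "inputSchema": {
            "type": "object",
            "properties": {"ip": {"type": "string"}},
            "required": ["ip"],
        },
    }
]


def _threat_intel_lookup(args: dict) -> dict:
    """Tool implementation: look the IP up, returning 'unknown' on a miss."""
    ip = args["ip"]
    hit = THREAT_INTEL.get(ip)
    if hit is None:
        return {"ip": ip, "verdict": "unknown", "tags": []}
    return {"ip": ip, **hit}


HANDLERS = {"threat_intel_lookup": _threat_intel_lookup}


def handle_request(msg: dict) -> dict:
    """Dispatch one JSON-RPC 2.0 request the way an MCP server would."""
    rid = msg.get("id")
    method = msg.get("method")
    params = msg.get("params") or {}
    if method == "tools/list":
        return {"jsonrpc": "2.0", "id": rid, "result": {"tools": TOOLS}}
    if method == "tools/call":
        name = params.get("name")
        fn = HANDLERS.get(name)
        if fn is None:
            # Unknown tool: a protocol-level error (invalid params).
            return {"jsonrpc": "2.0", "id": rid,
                    "error": {"code": -32602, "message": f"unknown tool {name!r}"}}
        try:
            out = fn(params.get("arguments") or {})
            return {"jsonrpc": "2.0", "id": rid,
                    "result": {"content": [{"type": "text", "text": json.dumps(out)}],
                               "isError": False}}
        except (KeyError, TypeError) as exc:
            # Tool-level failure: reported inside the result so the agent can reason about it.
            return {"jsonrpc": "2.0", "id": rid,
                    "result": {"content": [{"type": "text", "text": f"bad arguments: {exc}"}],
                               "isError": True}}
    return {"jsonrpc": "2.0", "id": rid,
            "error": {"code": -32601, "message": f"method not found: {method}"}}


def enrich_ip(ip: str) -> dict:
    """Agent side: discover the tool, call it, and parse the returned text payload."""
    listing = handle_request({"jsonrpc": "2.0", "id": 1, "method": "tools/list"})
    names = [t["name"] for t in listing["result"]["tools"]]
    if "threat_intel_lookup" not in names:
        raise RuntimeError("server does not expose threat_intel_lookup")
    resp = handle_request({"jsonrpc": "2.0", "id": 2, "method": "tools/call",
                           "params": {"name": "threat_intel_lookup",
                                      "arguments": {"ip": ip}}})
    res = resp["result"]
    if res["isError"]:
        raise RuntimeError(res["content"][0]["text"])
    return json.loads(res["content"][0]["text"])


if __name__ == "__main__":
    print(enrich_ip("203.0.113.7"))
```

Two things worth noticing when you evaluate any MCP integration: tool failures come back inside `result` with `isError` set, while protocol failures come back as JSON-RPC `error` objects, so the agent loop has to handle both paths; and everything a tool returns (including tool descriptions from third-party servers) is untrusted input to the model and should be treated as such.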

Human-on-the-Loop AI Guardrails

Finally, the entire AI architecture is designed with the guardrails that give organizations the explainability, auditability, and control they require. These guardrails ensure there is always a human on the loop, so AI errors and hallucinations are caught before they become actions and SOC teams stay in control of critical decisions.
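What "human on the loop" looks like in practice is a policy gate between the agent's proposal and the action. The following is an added example (not Torq's implementation) of such a gate: low-impact actions run automatically, high-impact ones wait for an analyst, anything outside the catalogue is refused, and every decision is written to an audit trail with the agent's rationale. The action names, the confidence threshold and the `Proposal` fields are assumptions made for the example.

```python
"""Human-on-the-loop gate for agent-proposed remediation actions.
Assumptions: the action catalogue, the 0.8 confidence threshold and the
Proposal fields are hypothetical choices for this example."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical action catalogue. Only actions in one of these sets are ever run.
AUTO_ALLOWED = {"enrich_indicator", "add_case_note", "tag_alert"}   # reversible, low impact
NEEDS_HUMAN = {"isolate_host", "disable_user", "block_ip"}          # disruptive, needs approval


@dataclass
class Proposal:
    case_id: str
    action: str
    target: str
    rationale: str      # the agent's stated reason, kept for explainability
    confidence: float   # the agent's self-reported confidence, 0..1


@dataclass
class Gate:
    min_confidence: float = 0.8
    audit: list = field(default_factory=list)

    def _log(self, p: Proposal, decision: str, by: str) -> None:
        """Append one auditable record: who decided what, about which proposal, and why."""
        self.audit.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "case": p.case_id, "action": p.action, "target": p.target,
            "rationale": p.rationale, "confidence": p.confidence,
            "decision": decision, "by": by,
        })

    def evaluate(self, p: Proposal) -> str:
        """Return 'execute', 'pending_approval' or 'rejected' for one proposal."""
        if p.action not in AUTO_ALLOWED and p.action not in NEEDS_HUMAN:
            # An action the catalogue does not know is the classic hallucination case.
            self._log(p, "rejected", "policy:unknown_action")
            return "rejected"
        if p.confidence < self.min_confidence:
            # Low self-reported confidence never auto-runs, even for cheap actions.
            self._log(p, "pending_approval", "policy:low_confidence")
            return "pending_approval"
        if p.action in NEEDS_HUMAN:
            self._log(p, "pending_approval", "policy:high_impact")
            return "pending_approval"
        self._log(p, "execute", "policy:auto")
        return "execute"

    def human_decision(self, p: Proposal, approver: str, approve: bool) -> str:
        """Record the analyst's call on a pending proposal; this is the 'on the loop' step."""
        decision = "execute" if approve else "rejected"
        self._log(p, decision, f"human:{approver}")
        return decision


if __name__ == "__main__":
    g = Gate()
    beacon = Proposal("C-1", "isolate_host", "wks-042",
                      "EDR shows beaconing to 203.0.113.7 (known C2)", 0.97)
    print(g.evaluate(beacon))                          # pending_approval
    print(g.human_decision(beacon, "analyst.jane", True))  # execute
    for rec in g.audit:
        print(rec["decision"], rec["by"], rec["action"], rec["target"])
```

Note that the confidence score is produced by the same model whose output you are guarding, so it can itself be wrong; the real guardrail is the explicit high-impact list and the rejection of anything outside the catalogue, not the threshold. When evaluating a vendor's guardrails, ask to see the equivalent of the `audit` record for a real case.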

From AI-Enabled to AI-Architected

Legacy SOC architecture isn’t just outdated — it’s actively holding organizations back. True AI-native SOC architecture, like Torq HyperSOC, breaks through these barriers. It offers immediate, measurable outcomes, dramatically improving analyst effectiveness, reducing costs, and transforming security postures from reactive to proactive.

In Francis Odum’s words: “The market is ready for next-gen, AI-powered solutions. These aren’t future-state ideas; they’re delivering real-world results right now.”

The future of cybersecurity isn’t just AI-enabled; it’s AI-architected. 

Get the AI or Die Manifesto to learn strategic considerations and evaluation criteria for deploying AI in the SOC from the ground up.