Gal Peretz is Head of AI & Data at Torq. Gal accelerates Torq’s AI and data initiatives, applying his deep learning and natural language processing expertise to advance AI-powered security automation. He also co-hosts the LangTalks podcast, which discusses the latest AI and LLM technologies.

To stay ahead of today’s threats, you must do more than keep pace — you need to equip your team with tools that enable smarter, faster responses. For SOC analysts, runbooks in case management systems are essential guides for handling security alerts step-by-step. The prospect of automating these runbooks with AI is enticing, promising to streamline daily operations and free up time for more critical tasks.

However, some are rightfully skeptical. They worry that AI automation could introduce unexpected issues without careful planning and collaboration, potentially hindering productivity and increasing risk. This blog explores how collaborating with AI during planning and setting AI guardrails can enhance predictability, transparency, and trust in AI automation.

The Importance of Runbooks in Security Operations

Runbooks are structured, step-by-step guides enabling SOC analysts to respond to security incidents consistently and accurately. They are particularly crucial for Tier 1 analysts, who often serve as the first line of defense against a high volume of alerts. 

These runbooks provide clear instructions for the following:

• Triaging alerts
• Investigating potential threats
• Determining when to escalate issues

By standardizing responses, runbooks reduce human error and ensure efficient handling of all incidents, even in high-pressure situations. Automating runbooks with AI presents an appealing option for scaling operations, accelerating repetitive tasks, and allowing analysts to focus on more complex, high-stakes cases.

The Need for AI Guardrails in Runbook Automation

While automating runbooks with AI is a game-changer, granting AI too much freedom can quickly backfire. Most runbooks are designed with human readers in mind, presenting step-by-step guides that make sense to analysts but can be confusing for AI. 

When left to interpret these text-based instructions independently, AI might:

• Misinterpret steps
• Make unexpected decisions
• Produce unintended results

AI can become unpredictable without a structured plan and human alignment, risking accuracy and eroding your team’s trust in automation. A collaborative planning phase to ensure AI guardrails is crucial as it provides SOC analysts visibility into how the AI “interprets” the runbook and plans to automate it. This transparency allows analysts to refine the AI’s approach, ensuring the plan aligns with real-world needs before execution begins.

Collaborative Planning: Aligning AI and Analysts

To understand the value of Torq’s approach to runbook automation, let’s consider a common SOC runbook for investigating phishing reports. Such runbooks guide analysts through tasks like checking attachments, analyzing email headers, and escalating incidents when certain conditions are met.

Automating these tasks with AI is more complex than simply running through the steps. Many runbooks are written for human understanding and involve actions that may be ambiguous or beyond direct AI capabilities. Torq’s plan-and-execute approach addresses this challenge by separating the process into distinct planning and execution phases, giving analysts more control and visibility over the AI’s actions.

1. Planning Phase

In this phase, the AI:

1. Reads through the runbook
2. Converts instructions into a structured, transparent plan
3. Break down each instruction into clear, atomic steps
4. Identifies steps it can automate and those requiring human intervention
5. Highlights gaps where it lacks necessary tools or access

This transparency allows SOC analysts to modify the plan, choosing where the AI should pause for guidance or where additional human-defined workflows are needed. In scenarios where full automation isn’t feasible, such as in highly secure or restricted environments, this collaborative planning ensures that the AI aligns closely with human intent and avoids unnecessary errors.

2. Execution Phase

Once the analyst reviews and approves the plan, execution follows this carefully vetted blueprint. 

This approach:

• Strips ambiguity and indeterminism from the execution
• Provides transparency and reliability
• Fosters trust in the automation process

Analysts can be confident that AI will follow the exact plan, making the automation more efficient and dependable without sacrificing control or accuracy.

To reinforce the concept further, let’s consider how Socrates, our AI SOC analyst, would function without the ability to add tags while focusing on his communication skills and resistance to AI hallucination.

Socrates, even without the capability to add tags, would still demonstrate its effectiveness in several ways:

Clear communication of limitations: When faced with a task it cannot perform, such as adding a tag, Socrates would explicitly state its limitations. For example, it might say, “I’m unable to add the tag ‘Malicious IOC’ as I don’t have that capability. This step requires human intervention.”

Requesting user input: Socrates pauses the process and asks for user input when the necessary tools or permissions are lacking. This demonstrates its ability to recognize boundaries and seek assistance when needed.

Proceeding with available tools: For steps where Socrates has the required capabilities, it would continue to execute them efficiently. These actions would be marked as completed or “green” in the process.

Detailed explanations: Throughout its analysis and decision-making process, Socrates provides clear, thorough explanations of his reasoning, helping analysts understand its thought process even when it couldn’t perform specific actions.

Suggesting alternatives: When unable to perform a specific action, Socrates might suggest alternative approaches or provide information that could help the human analyst complete the task manually.

Focusing on these aspects can highlight Socrates’ ability to communicate effectively, recognize its own limitations, and resist AI hallucination by not claiming capabilities it doesn’t have. This approach emphasizes AI’s role as a collaborative tool that enhances human decision-making in the SOC rather than attempting to replace human judgment entirely. See what this looks like below:

Strengthening Security Through Transparent AI Collaboration

Trust and transparency are fundamental to building an effective security strategy in today’s rapidly evolving threat landscape. Torq’s AI capabilities prioritize collaboration and clarity, transforming how SOC teams handle automation. By structuring automation as a two-phase process — planning and execution — Torq ensures that AI usage is efficient, bounded by AI guardrails, and aligned with human oversight and intent.

This collaborative approach allows human SOC analysts to:

• Maintain control over automated processes
• Reduce uncertainty in AI actions
• Trust in the predictability and reliability of AI-driven tasks

Fostering a security environment where AI and human expertise work together can strengthen organizations’ SOC capabilities and enhance overall security posture. See Torq’s AI in action — schedule a demo.

Learn more about building trust in AI and how structured, evidence-backed summaries generated by AI enable seamless SOC shift transfers.

GigaOm provides technical, operational, and business advice for IT’s strategic digital enterprise and business initiatives. GigaOm applies proven research and methodologies designed to avoid pitfalls and roadblocks while balancing risk and innovation, empowering enterprises to successfully compete in a changing business atmosphere.

GigaOm recognizes Torq as the only Hyperautomation vendor capable of delivering true autonomy to the SOC without vendor lock-in.

For years, security teams have grappled with relentless alert fatigue and burnout, exacerbated by disjointed security tools like SIEMs and SOARs. Legacy security vendors have tried to address this by cramming disconnected solutions into “all-encompassing” SecOps platforms, and many have now falsely tacked on “autonomous SOC” and “Hyperautomation” claims to their products. 

Security teams can’t afford to invest in another expensive, hard-to-maintain platform that doesn’t deliver on its promise of autonomy and automation — so where should they turn?

GigaOm’s newly-released Autonomous SOC Radar Report confirms: Torq Hyperautomation is the clear frontrunner in realizing the autonomous SOC vision and delivering the autonomy SOC teams have long been promised.

What is an Autonomous Security Operations Center (SOC)?

While legacy vendors now claim to offer SOC autonomy, true autonomy isn’t achieved by locking users into rigid, all-in-one platforms. These legacy solutions contributed to the very burnout problem that led to a talent shortage of 4 million security professionals. Their proposed solution? Dump more cash into the same outdated platforms.

A genuinely autonomous SOC leverages advanced automation and AI to handle manual and routine security tasks, accelerating response times, enhancing threat management, and ultimately safeguarding the well-being of SOC analysts. The most efficient path to this goal involves breaking down silos between security tools, enabling seamless communication and streamlined security operations across a modern, best-of-breed tech stack.

Simply put, it isn’t possible to achieve an autonomous SOC without automation. Torq is the only vendor solely dedicated to empowering security teams to automate more, faster.

“Torq is the only vendor positioned in the Innovation/Feature Play quadrant, as it is the only non-SIEM solution featured in the report, which also explains its differentiated position.“

– Andrew Green, Research Analyst for Networking & Security, GigaOm

Torq is the Only Hyperautomation Vendor Listed in GigaOm’s Autonomous SOC Report

Hyperautomation is the next evolution in scalable autonomous security operations. By definition, Hyperautomation requires enterprise-grade scalability, availability, and connectivity — essentially solving the challenges caused by these large legacy vendors. While the idea of the autonomous SOC is centered around the ability to automate everything, similarly, Hyperautomation is built on a foundational ability to integrate with anything. 

Torq’s recognition as the only Hyperautomation vendor in GigaOm’s Autonomous SOC Radar report underscores that unique position in the security operations landscape. 

Frameworks coming into law, such as DORA in the EU and CCSPA in Canada, spotlight the need for vendor diversity to reduce single points of failure and enable redundancy. Torq is the only autonomous SOC vendor enabling organizations to seamlessly integrate best-of-breed solutions — free from vendor lock-in.

Torq combines this vendor-agnostic approach with advanced technologies like purpose-built AI and Hyperautomation, engineered to create intelligent end-to-end solutions for security processes.

And GigaOm isn’t alone in recognizing Torq as the leader of autonomous SOC — industry analysts across the board are taking note.

“Torq is the first solution we’ve seen that effectively enables SOC professionals to mitigate issues including alert fatigue, false positives, staff burnout, and attrition. We’re impressed by how its AI augmentation capabilities empower these staff members to be much more proactive about fortifying the security perimeter.”

– Chris Kissel, Vice President, Security & Trust Products, IDC Research

By choosing Torq, organizations are embracing the future of security operations, as recognized by industry experts — with an approach that’s creating a more agile, effective, and strategic security operation.

Leveraging AI to Drive SOC Autonomy 

Torq integrates purpose-built AI capabilities such as generative AI and large language models (LLMs) to evolve SOC operations fundamentally and deliver on the promise of an autonomous SOC. This enables security teams to focus their efforts on proactive security measures, resulting in greater efficiency and accuracy in decision-making processes.

“80% of our security alerts are assisted and accelerated by Torq workflows. To analyze, enrich, and also autonomously respond to alerts is a paradigm shift that brings unprecedented efficiencies.″

– Joshua Blackwater, Deputy CISO, SentinelOne

Socrates, Torq’s AI SOC Analyst, exemplifies this by automating 90% of Tier-1 tasks through AI-powered triage and investigation. Socrates accelerates analyst response times by summarizing case data and providing immediate insights. It also automates 95% of security cases from investigation to response, intelligently assigning critical cases to human analysts when necessary. This augmentation empowers analysts at all levels to achieve machine-speed response times while supporting ongoing learning and skills development. 

The Sole Winner: Torq’s Unique Position

GigaOm’s report highlights the critical importance of AI-powered autonomous SOCs. As the sole Hyperautomation solution free from platform constraints, Torq provides the agility and innovation necessary for modernizing security operations in an increasingly demanding environment. 

For organizations seeking to enhance their SOC capabilities without sacrificing flexibility or risking vendor lock-in, Torq offers the only comprehensive solution designed to meet these challenges head-on. Schedule a demo to see it in action.

Security Operations Centers (SOCs) are the command center of an organization’s frontline cybersecurity defenses — responsible for monitoring threats, prioritizing alerts, and orchestrating remediation. However, today’s SOCs are facing an existential crisis: an overwhelming volume of increasingly complex and sophisticated threats combined with a shortage of skilled analysts. This perfect storm is pushing SOCs to their breaking point, burning out their teams and leaving their organizations vulnerable.

Legacy security solutions struggled to keep up with the evolving threat landscape, especially at scale. The rise of artificial intelligence (AI) has been hailed as a game-changer for SOCs, offering the potential for unprecedented efficiency gains.

But what does effective use of AI in the SOC look like? Below, we show top use cases for leveraging AI in the SOC and explore how AI is transforming security operations.

The technical foundations of an AI-powered SOC

Security automation has evolved way past SOAR — with Hyperautomation and AI integration forming the new cornerstones of the modern autonomous SOC. Core components of AI used in SOC operations include:

• Generative AI (GenAI) and Large Language Models (LLMs): These technologies can process vast amounts of security data to intelligently generate deeper threat insights, remediation recommendations, contextual case summaries, and new security workflows.
• AI-driven Hyperautomation: By seamlessly integrating your security stack and instantly automating any security process using thousands of pre-built integration steps and AI-generated workflows, Hyperautomation offloads routine tasks, reduces analyst burnout, and accelerates threat response.
• Natural Language Agents: AI SOC analysts can automate incident response by interpreting natural language instructions in security playbooks to execute tasks such as alert triage, containment, and remediation actions. Human analysts remain in charge of the processes and outcomes and can interface with AI agents using natural language for additional enrichment, investigation, and recommended next steps.

Top use cases for AI in the SOC

By analyzing vast amounts of data from across your security stack and executing intelligent automations, AI unlocks efficiency gains across SOC functionalities such as:

• Incident investigation: Analyze massive volumes of alerts to identify patterns, suppress low-fidelity alerts, and automate triage and validation, accelerating the investigation process from start to resolution. 
• Case management: Streamline the process of prioritizing, tracking, and managing security incidents by intelligently enriching and automating cases.
• Workflow generation: Prompt AI with a natural language description of your use case to instantly build security automation workflows — no code required.
• Case summarization: Analyze all relevant data points associated with a security alert to provide easy-to-digest, evidence-backed summaries of complex security cases, improving SOC analysts’ efficiency and collaboration.
• Documentation: Automatically generate documentation for complex automated processes.
• Executive reporting: Prompt the system to generate case info in the right tone and level of information for a specific persona, such as for a non-technical executive or board member. 
• Team collaboration: Automatically alert Slack channels when a case is resolved.
• Resource optimization: Use AI to assign cases to an available analyst based on workload and shift schedules. 
• Data correlation: Combine and correlate data from all of the tools in your security stack, providing a holistic view of your security environment.
• Threat response: Automate tasks like threat detection and containment for faster incident resolution.

How do AI-powered SOCs transform traditional security operations? 

Scaling SOC operations: AI can handle an influx of security events: triaging, investigating, and remediating the majority of Tier-1 and Tier-2 alerts. This frees up analyst bandwidth to focus on urgent incidents and strategic projects, enabling SOCs to efficiently scale their operations without increasing headcount (which is vital amidst today’s shortage of skilled cybersecurity talent).

Shifting to a proactive security posture: AI goes beyond just detecting and counteracting attacks by applying real-time intelligence to identify patterns and detect emerging threats. This allows SOCs to adopt a less reactive, more preemptive approach to address vulnerabilities before they can be exploited or breached. 

Reducing alert fatigue and analyst burnout: By autonomously triaging alerts and reducing false positives, AI reduces the number of irrelevant alerts that analysts must wade through. And, by automating tedious, repetitive tasks and auto-remediating most low-level alerts, AI helps senior analysts gain back the time and capacity to focus on more rewarding work like strategic projects. 

Speeding up MTTR: All of the efficiency gains from leveraging AI in the SOC translates to more alerts resolved, faster. 

Will AI replace humans in the SOC?

Adopting AI in the SOC is not about replacing human SOC analysts — it’s about augmenting and empowering them. With a looming 4 million+ cybersecurity talent shortage, organizations must not only retain their existing analysts, but also help them work more efficiently. On top of that, organizations are recognizing that human-only defenses are inadequate to counter the evasive and persistent threats posed by AI-driven attacks.

AI reduces analyst burnout: AI can reduce the strain on SOC teams by offloading rote tasks, auto-remediating the majority of Tier 1 tickets, and upleveling the skills of junior analysts. This frees up senior analysts to focus their expertise on critical threats and strategic projects to help their organization achieve a stronger security posture overall.

Human expertise must remain the final line of defense: Done the right way, AI-powered SOCs keep humans “in the loop” as the ultimate decision-makers for high-stakes threats following rigorous, multi-tiered AI evaluation and case enrichment that helps human analysts take informed, decisive action.

“By 2028, AI in threat detection and incident response will rise from 5% to 70%, to primarily augment, not replace staff.” 

Source: Gartner Inc.

How Torq’s AI capabilities supercharge SecOps

Torq has been very deliberate in how we’ve extended the capabilities of the Torq platform using AI to solve real problems for SOCs with products and features like:

• AI Workflow Builder: Simply describe your desired security automation workflow in natural language, and Torq’s AI Workflow Builder will generate a tailored solution in seconds. Rather than spending hours manually building workflows from scratch, your team is freed up to focus on more strategic security initiatives.

• AI Case Summaries: Help your team make the right decisions quickly by presenting them with a concise, insightful, and verifiable AI-generated summary of each case. No more wading through pages of logs and incident details! The easy-to-read summaries empower SOC teams to work faster, make informed decisions with confidence, and seamlessly transition between shifts by giving the incoming team clear case context backed by citations.

• Socrates, the AI SOC Analyst: Socrates intelligently automates alert triage, incident investigation, and response, extending your SOC teams’ capabilities and improving response times across the board. Socrates can autonomously execute runbooks written in natural language, auto-remediating 95% of cases within minutes. For critical cases that require human intervention, your analysts can collaborate with Socrates using natural language to summarize case details, enrich cases with additional investigation and threat intelligence, and trigger remediation workflows.
• AI Data Transformation: Simplify complex data manipulation for security operations by easily transforming complex JSON data using natural language — no coding required. Each transformation is broken down into precise, testable micro-transformations that users can edit, validate, and modify individually.

The future of the SOC: Better, faster human decision making through AI automation and insights

When deployed effectively, AI in the SOC extends and enhances the capabilities of your existing staff so they can make better decisions, faster. 

So, what does the future of SOC automation look like? Sophisticated AI technology continuously learning from historical data and real-time incidents to generate insights and recommendations, automate routine security tasks, and auto-remediate the majority of alerts, with a top layer of human analysts providing strategic oversight for critical cases. This means faster, more proactive responses to threats and vulnerabilities — and a more secure future for organizations everywhere.

Want to learn how Torq transforms SOC operations with AI-driven Hyperautomation? Explore HyperSOC.