Torq roared into RSAC 2025 in our usual style: all gas, no brakes. Our team traveled in from around the world to set up an unmissable, unforgettable booth featuring Grave Digger that instantly became the talk of the show. (We also unleashed our Junior Media Intern, Trevor, on San Francisco, for which we apologize). But the real game-changer was our unveiling of new agentic AI innovations in Torq HyperSOC™ — with the demo that set RSAC on fire.
Here are all the best moments.
Torq Steals the Pre-Show Spotlight
In the lead-up to RSAC, Torq announced the acquisition of stealth Israeli startup Revrod, whose multi-agent RAG (Retrieval-Augmented Generation) advancements are now incorporated into HyperSOC™. This latest release makes HyperSOC-2o our most autonomous model to date and the first truly agentic SecOps platform.
This was followed by the announcement of another Torq “first” for autonomous security operations: becoming the first platform to support a Model-Context Protocol (MCP) natively in its architecture.
Torq was also featured in the latest “new and notable” Microsoft Sentinel integrations ahead of RSAC. Rounding out the pre-conference press blitz, Forbes published an article detailing how Torq stands out in cybersecurity thanks to “bold branding and a fearless aesthetic… bringing edge, energy and authenticity to an industry known for playing it safe.”
“What really sets Torq apart is its effort to blend cultural relevance and brand identity with technical innovation.”
Yes, we really put all 12,000 pounds of the iconic Grave Digger monster truck in our booth. LinkedIn post after LinkedIn post declared it “the best booth at RSAC,” and the hype was electric.
Forbes hailed the Torq booth’s visual elements as “more reminiscent of streetwear brands and music festivals than typical enterprise security vendors.” Security Weekly said that Torq “pulled out ALL THE STOPS MONSTER TRUCK LASER SKULLS F*&CK YEAH, that’s how you do it!” Chainsaw through the noise? Check.
The Demo That Set RSAC on Fire
While Grave Digger drew people in, it was Torq’s technology that kept hundreds of security pros around our booth for demo after demo.
Leading up to RSAC, HyperSOC’s agentic AI innovation was validated by industry analysts, with IDC’s new report stating: “Torq is working on all SOC fronts while improving MTTD, MTTR, threat hunting, and remediation actions impactfully. The agentic AI architecture is disruptive.”
We also got a shout-out ahead of RSAC from Cyber Research Analyst Francis Odum, who stated: “Torq HyperSOC makes the potential of AI in a SOC attainable and sustainable by connecting AI with the SOC’s full range of tools and processes. Torq HyperSOC is a huge game-changer for enterprises.”
To top it all off, mid-conference, Torq won the 2025 SC Media Award for Best Emerging Tech by SC Media for our platform’s agentic AI capabilities, which were described as “the forefront of next-gen security automation.”
“Everyone says ‘agentic AI,’ but that’s the first demo I’ve seen actually working live.” – Heard at RSAC
Beyond the Moscone Center
On the first night of the conference, two of Torq’s co-founders — CTO Leonid Belkind and CINO Eldad Livni — hosted an exclusive Founders’ Dinner at Michelin-star restaurant Boulevard with CISOs and security leaders from major brands around the globe.
Moving into day three of RSAC, Torq CMO Don Jeter sat down with George Kamide and George Al-Koura from the Bare Knuckles & Brass Tacks podcast to talk through how Torq’s marketing blew up from a small 10×10 booth RSAC just a few years ago to this year’s monster display. When the Georges asked how Torq built such “a fundamentally cool brand”, Don shared that it all started with the fierce belief that SOAR is dead and then telling that story boldly — which hit a community nerve to create “something that people want to be a part of.”
Unleashing the Most Feral Channel Program in Cybersecurity
During the conference, Sheldon Muir, Torq’s AVP of Global Channels, spoke with MSSP Alert about how our disruptive partner program prioritizes customer outcomes — driving results, incentives, and value for our partners. More on this coming soon!
“Great tech — which I obviously believe Torq has — has to be met by great marketing. And the third leg of the stool is you gotta have something disruptive on the channel side.”
Thousands of steps logged, energy drinks downed, and Bone Bucks handed out later, the Torq team said goodbye to the Moscone Center, but that’s not the end of the road for Torq + Grave Digger. Torq has partnered with Monster Jam® for a 6-city tour this summer. Find your city and save your seat here.
Want to see the HyperSOC demo that set RSAC on fire? Request a demo.
gRPC-web: Using gRPC in Your Front-End Application
By Konstantin Ostrovsky
May 1, 2025
7 Minute Read
Contents
This blog was originally published in October 2021. It was last updated in May 2025.
At Torq, the AI-native autonomous SOC and security Hyperautomation leader, we use gRPC as our one and only synchronous communication protocol. Internally, microservices communicate with each other using gRPC. Externally, our frontend application uses gRPC-Web to communicate with the backend APIs via an API Gateway.
While gRPC offers many benefits, its adoption in frontend development lags behind REST API and GraphQL. This disparity can pose challenges for front-end developers accustomed to using the built-in Chrome Network Inspector for traffic analysis.
Originally published over three years ago, this blog post now addresses the introduction of ConnectRPC, a new protocol for frontend-to-backend communication via gRPC. ConnectRPC resolves certain limitations of gRPC-Web and offers enhanced code generators for TypeScript and JavaScript.
Importantly, adopting these new generators does not necessitate a complete switch of transport protocols, as the generated client and server code provide support for both gRPC-Web and the newer ConnectRPC protocol. We switched to using those code generators at Torq and are extremely pleased with the improved developer experience.
This article explains how to enable communication between a frontend application and a gRPC backend using the gRPC-Web protocol, demonstrated by leveraging the connect-es proto plugin generated for the client.
What is gRPC-Web?
gRPC-Web is a JavaScript client library that enables web applications to directly communicate with gRPC services. It allows browser-based applications to leverage the benefits of gRPC’s efficient protocol buffers serialization, bidirectional streaming, and HTTP/2-based transport, despite browsers not fully supporting HTTP/2 bidirectional streaming. gRPC-Web implements a compatibility layer that translates between browser HTTP/1.1 requests and gRPC’s HTTP/2 protocol.
Backed by the CNCF community, gRPC stands out as a popular and active project. It offers official support for over ten programming languages and well-defined best practices, making it an excellent option for API development. These characteristics aligned perfectly with Torq’s needs when selecting an API protocol.
gRPC offers a straightforward approach to service definition. Developers define services and methods using proto files. Subsequently, the proto compiler facilitates the generation of server and client interfaces compatible with various programming languages. This includes TypeScript and Go, the primary languages employed internally at Torq.
From a technical perspective, gRPC-Web requires a proxy (like Envoy or Caddy) that sits between the web client and the gRPC server to handle protocol translation. The client generates JavaScript code from the same .proto service definitions used by the backend, but uses a slightly different wire format and doesn’t support all gRPC features (like full bidirectional streaming). It supports both binary protobuf and JSON serialization formats, and can work with modern frontend frameworks like React, Angular, and Vue.
What is ConnectRPC?
Connect is a suite of libraries designed to create APIs compatible with both browsers and gRPC. It offers a JSON-based protocol as an alternative to native gRPC, supporting features like streaming, trailers, and error details.
The ConnectRPC project launched a new protocol along with multiple proto-compilers for major programming languages. The resulting code is not only compatible with this new protocol but also maintains full interoperability with existing gRPC and gRPC-Web implementations.
Connect-es, its proto compiler, produces high-quality code, offering frontend developers an excellent experience through language-native gRPC interfaces both in the backend and the browser.
ConnectRPC introduces a JSON-based text protocol over HTTP, addressing gRPC challenges such as caching.
A Quick Overview of Our Architecture
We use a microservice architecture at Torq. Our backend APIs are accessible by an API Gateway (Backend for Frontend), which is built in Go and provides services such as:
Smart routing to internal services
Aggregator pattern that allows combining data coming from multiple internal services into a single response
gRPC-Gateway proxy, which we use to allow REST API access to our public APIs
gRPC-Web proxy that translates requests coming from the frontend application using the grpc-web protocol to gRPC requests.
Our application utilizes an API Gateway as the sole entry point for all external traffic. This gateway centralizes API access and comprises a collection of gRPC services. The continuous integration (CI) process for the API Gateway repository includes the automatic generation of TypeScript client libraries.
Building gRPC-Web Clients Using Connect-es Plugin
As mentioned above, at Torq, we generate TypeScript clients for all our external APIs as part of our CI (GitHub Actions) continuous integration build process, which is a component of the API Gateway service.
We previously used a bash script for pre-installing proto compiler plugins and running the protoc command. Over the last two years, we transitioned to the Buf CLI tool, which has streamlined the process. Buf allows us to define proto-generation rules in a single YAML file, eliminating the need for local protoc plugin installations.
For our gRPC-Web client, we utilize the Connect-es protoc plugin to generate TypeScript files. These files are then packaged as an npm package and published to the GitHub package repository. Our frontend applications integrate this package using the standard `npm install` command.
Go Server, VueJS, and gRPC-Web client example
Below is the gRPC service definition:
This gRPC service defines a simple TimeService. It provides a method for getting the current time via the GetCurrentTime rpc method. The time is returned in the ISO 8601 format.
Generating Clients and Servers
To generate client and server code from the proto file, we will utilize the Buf CLI tool. While the `protoc` compiler could also be used, Buf CLI streamlines this process by reducing friction. We will employ the Go and TypeScript proto-compilers to generate code for these specific languages.
To generate the code, we will use the following `buf.gen.yaml` file:
The generated files for go will be placed under ./time/goclient and the JavaScript ones will be in /frontend-ts/src/jsclient.
gRPC in the Backend
Our backend is a very basic Go server implementation. We spin up the gRPC server listening on 0.0.0.0:8080. It implements the TimeServiceServer interface and returns time.Now().Format(time.RFC3339) for each request
gRPC in the Frontend
Using the Connect-ES library, calling gRPC-Web endpoints is straightforward. Simply initialize the client with the gRPC-Web server address and then invoke its methods.
For easier debugging of gRPC web traffic in your browser, consider installing the gRPC-Web Devtools Chrome extension. This tool provides an inspection capability similar to Chrome’s built-in Network Activity Inspector.
Envoy Configuration
gRPC-Web requires a proxy for gRPC translation. Envoy offers built-in support, as demonstrated by the provided configuration. A frequent issue is CORS configuration. The example below shows a permissive wildcard domain setting, which is not recommended for production. However, it can be adapted for specific production needs with minor adjustments.
A Five Year Perspective on gRPC-Web
This blog post aims to provide an accessible introduction to gRPC-Web, a valuable technology for those already invested in gRPC. Since the original publication, the gRPC-Web ecosystem has matured considerably with the introduction of powerful tools. Notably, the Buf CLI has streamlined the command-line interface and configuration for compiling proto files into client and server-side code. Furthermore, the Connect-ES proto compiler plugin enhances the development experience by generating more natural and intuitive client-side code.
Our team has leveraged gRPC-Web for five years, appreciating the advancements in tooling that have emerged during this time. For further exploration, the source code referenced in this article is accessible here.
Want to learn more about Torq? Watch our 4-minute video to see how Torq’s AI–driven Hyperautomation platform helps security teams automate more, faster.
AI SOC, Explained: How AI-Powered SOCs Transform SecOps
By Torq
April 29, 2025
9 Minute Read
Contents
Security Operations Centers (SOCs) are the command center of an organization’s frontline cybersecurity defenses — responsible for monitoring threats, prioritizing alerts, and orchestrating remediation. However, today’s SOCs are facing an existential crisis: an overwhelming volume of increasingly complex and sophisticated threats combined with a shortage of skilled analysts. This perfect storm is pushing SOCs to their breaking point, burning out their teams and leaving their organizations vulnerable.
Legacy security automation solutions struggled to keep up with the evolving threat landscape, especially at scale. The rise of artificial intelligence (AI) has been hailed as a game-changer for SOCs, offering the potential for unprecedented efficiency gains.
But what does effective use of AI in the SOC look like? Below, we show top use cases for leveraging AI in the SOC and explore how AI is transforming security operations.
What is an AI SOC?
An AI-powered SOC is a security operations center that leverages artificial intelligence to automate processes, enhance threat detection, accelerate incident response, provide contextual insights, and optimize resource allocation — resulting in greater efficiency and accuracy, improved decision-making, faster time to remediation, and a more proactive security posture.
AI-driven Hyperautomation: By seamlessly integrating your security stack and instantly automating any security process using thousands of pre-built integration steps and AI-generated workflows, Hyperautomation offloads routine tasks, reduces analyst burnout, and accelerates threat response.
Multi-Agent System: Specialized AI Agents automate incident response by interpreting natural language instructions and collaborating to autonomously execute tasks such as alert triage, containment, and remediation actions. Human analysts can interface with the AI agents using natural language for accelerated enrichment, investigation, and recommended next steps.
What’s the Difference? All the AI in the SOC, Explained
This new landscape of AI in the SOC comes with a LOT of similar-but-different terminology. GenAI, AI Agents, OmniAgents, agentic AI, multi-agent systems — we get it, it can be confusing. Here’s a breakdown of all the AI powering modern security operations, what each one does, and how Torq HyperSOC™ puts them all to work.
Term
Definition
What It Does
How Torq HyperSOC™ Uses It
GenAI
GenAI creates content, code, text, images, or predictions in response to natural language prompts
Enhances SOC operations with automated case summaries, enrichment, and workflow generation
Drafts incident summaries, generates workflow templates, and speeds up case documentation
Agentic AI
Agentic AI is autonomous, goal-driven AI that plans, adapts, and executes multi-step security workflows across time and tools
Powers AI agents with autonomy and adaptability to handle tasks like detection, triage, and response in real-time
Socrates, the AI SOC Analyst, coordinates and makes workflow decisions autonomously without human-triggered actions
AI Agent
An AI Agent is a single AI entity that independently handles a specialized task
Performs specific security tasks such as isolating endpoints, locking accounts, or enriching threat intelligence based on predefined triggers
A Multi-Agent System is composed of multiple autonomous AI agents that collaborate to achieve complex goals
Deploys specialized AI agents in parallel across the SOC to handle triage, investigation, containment, and case management
MAS architecture: Runbook Agent, Investigation Agent, Remediation Agent, and Case Management Agent, all coordinated by Socrates
OmniAgent
An OmniAgent acts as a “Super Agent” orchestrating the activities and interactions between specialized AI Agents in a MAS
Uses sophisticated iterative planning and reasoning to solve complex, multi-step problems autonomously through the coordination of multiple AI Agents
Socrates identifies prioritizes, and remediates threats across the entire organization by controlling and coordinating the Runbook, Investigation, Remediation, and Case Management Agents
Top Use Cases for AI in the SOC
By analyzing vast amounts of data from across your security stack and executing intelligent automations, AI unlocks efficiency gains across SOC functionalities such as:
Incident investigation: Analyze massive volumes of alerts to identify patterns, suppress low-fidelity alerts, and automate triage and validation, accelerating the investigation process from start to resolution.
Workflow generation: Prompt AI with a natural language description of your use case to instantly build security automation workflows — no code required.
Case summarization: Analyze all relevant data points associated with a security alert to provide easy-to-digest, evidence-backed summaries of complex security cases, improving SOC analysts’ efficiency and collaboration.
Documentation: Automatically generate documentation for complex automated processes, increasing both efficiency and accuracy from shift-handovers to compliance audits.
Executive reporting: Prompt the system to generate case info in the right tone and level of information for a specific persona, such as for a non-technical executive or board member.
Team collaboration: Automatically alert Slack or Teams channels when a case is created, escalated, resolved and more.
Resource optimization: Use AI to assign cases to an available analyst based on workload and shift schedules.
Data correlation: Combine and correlate data from all of the tools in your security stack, providing a holistic view of your security environment.
Threat response: Automate tasks like threat detection and containment for faster incident resolution.
How Do AI-Powered SOCs Transform Traditional Security Operations?
Scaling SOC operations: AI agents can handle an influx of security events: triaging, investigating, and remediating the majority of Tier-1 and Tier-2 alerts. This frees up analyst bandwidth to focus on urgent incidents and strategic projects, enabling SOCs to efficiently scale their operations without increasing headcount (which is vital amidst today’s shortage of skilled cybersecurity talent).
Shifting to a proactive security posture: Agentic AI goes beyond just detecting and counteracting attacks by applying real-time intelligence to identify patterns and detect emerging threats. This allows SOCs to adopt a less reactive, more preemptive approach to address vulnerabilities before they can be exploited or breached.
Reducing alert fatigue and analyst burnout: By autonomously triaging alerts and reducing false positives, AI agents reduce the number of irrelevant alerts that analysts must wade through. And, by automating tedious, repetitive tasks and auto-remediating most low-level alerts, AI-driven Hyperautomation helps senior analysts gain back the time and capacity to focus on more rewarding work like strategic projects.
Speeding up MTTR: All of the efficiency gains from leveraging AI in the SOC translates to more alerts resolved, faster.
Will AI Replace Humans in the SOC?
Adopting AI in the SOC is not about replacing human SOC analysts — it’s about augmenting and empowering them. With a looming 4 million+ cybersecurity talent shortage, organizations must not only retain their existing analysts, but also help them work more efficiently. On top of that, organizations are recognizing that human-only defenses are inadequate to counter the evasive and persistent threats posed by AI-driven attacks.
AI reduces analyst burnout: A multi-agent system can reduce the strain on SOC teams by offloading rote tasks, auto-remediating the majority of Tier 1 tickets, and upleveling the skills of junior analysts. This frees up senior analysts to focus their expertise on critical threats and strategic projects, helping their organization achieve a stronger overall security posture.
Human expertise must remain the final line of defense: Done the right way, AI-powered SOCs keep humans “in the loop” as the ultimate decision-makers for high-stakes threats following rigorous, multi-tiered AI evaluation and case enrichment that helps human analysts take informed, decisive action.
“By 2028, multiagent AI in threat detection and incident response will rise from 5% to 70% of AI implementations to primarily augment — not replace — staff..”
Socrates, the OmniAgent AI SOC Analyst:Socrates intelligently automates alert triage, incident investigation, and response, extending your SOC teams’ capabilities and improving response times across the board. Socrates coordinates a full Multi-Agent System (MAS) — planning, investigating, remediating, and managing security cases with human-like decision-making and machine-speed execution.
Socrates can auto-remediate 95% of cases within minutes. For critical cases that require human intervention, your analysts can collaborate with Socrates using natural language to summarize case details, enrich cases with additional investigation and threat intelligence, and trigger remediation workflows
AI Workflow Builder:Simply describe your desired security automation workflow in natural language, and Torq’s AI Workflow Builder will generate a tailored solution in seconds. Rather than spending hours manually building workflows from scratch, your team is freed up to focus on more strategic security initiatives.
AI Case Summaries: Help your team make the right decisions quickly by presenting them with a concise, insightful, and verifiable AI-generated summary of each case. No more wading through pages of logs and incident details! The easy-to-read summaries empower SOC teams to work faster, make informed decisions with confidence, and seamlessly transition between shifts by giving the incoming team clear case context backed by citations.
AI Data Transformation: Simplify complex data manipulation for security operations by easily transforming complex JSON data using natural language — no coding required. Each transformation is broken down into precise, testable micro-transformations that users can edit, validate, and modify individually.
Runbook Execution: Intelligently plan customized investigation and response strategies based on the organization’s historical outcomes and adapt to new threat vectors, ensuring faster containment.
Deep Research Investigations: Uncover hidden attack patterns across disparate data sources, perform detailed root cause analyses, and dynamically assess threat impact — giving SOC teams context previously out of reach without hours of manual digging.
Torq now has multi-agent RAG (Retrieval-Augmented Generation) incorporated into HyperSOC™ which has supercharged its ability to do deep research, analyze threats, and coordinate responses at machine speed — and is the first autonomous security platform to support a Model-Context Protocol (MCP) natively in its architecture. These advancements make our latest HyperSOC release our most autonomous model to date and the first truly agentic SecOps platform.
The Future of the SOC: Better, Faster Human Decision-Making Through AI Automation and Insights
When deployed effectively, AI in the SOC extends and enhances the capabilities of your existing staff so they can make better decisions faster.
So, what does the future of SOC automation look like? Sophisticated multi-agent AI continuously learns from historical data and real-time incidents to generate insights and recommendations, automate routine security tasks, and auto-remediate the majority of alerts, with a top layer of human analysts providing strategic oversight for critical cases. This means faster, more proactive responses to threats and vulnerabilities — and a more secure future for organizations everywhere.
Want to learn how to deploy AI in the SOC the right way? Read the AI or Die Manifesto to learn CISO considerations, fake AI red flags, and evaluation questions.
Artificial Intelligence in Case Management for Security Teams
By Torq
April 25, 2025
5 Minute Read
Contents
Case management for modern SOCs can be a maze of endless alerts, overwhelming data, and intense pressure. Legacy solutions often exacerbate these issues with rigid workflows, limited automation capabilities, and a lack of real-time adaptability, leaving teams ill-equipped to handle the growing complexity of threats. The volume of cases, manual workflows, and processes leave analysts overwhelmed, exhausted, and struggling to keep pace. Traditional approaches just don’t cut it and leave teams feeling stuck in a constant state of frustration.
How Agentic AI Helps With Case Management
Torq HyperSOC is an AI-driven case management solution crafted by industry veterans with decades of experience leading SOC transformations and developing cutting-edge security solutions. With a deep understanding of operational pain points, Torq built a robust platform to address these challenges. By Hyperautomating mundane, time-consuming case management tasks, Torq’s system of AI Agents acts as a reliable team of analysts who never tire.
This AI-driven approach to case management cuts through the noise, prioritizes what truly matters, and speeds up the entire security operations lifecycle so human analysts can redirect their energy toward strategic thinking and complex investigations.
Torq’s Agentic AI, combined with the power of Hyperautomation, turns traditional case management chaos into a coordinated, manageable effort.
Here’s How:
Socrates, the AI SOC Analyst
Socrates, Torq’s AI SOC Analyst, follows your organization’s established runbooks and remediation protocols to orchestrate critical tasks such as endpoint quarantines and account lockdowns. Socrates analyzes historical case data, enriches cases with third-party threat intelligence, and autonomously handles 95% of Tier-1 cases.
For critical cases that do require human-in-the-loop remediation, Socrates coordinates your subject matter experts, escalates cases through the appropriate collaboration channels, and eliminates operational silos to streamline decision-making.
This seamless integration of Agentic AI into the DNA of your case management strategy ensures swift and coordinated responses, so nothing slips through the cracks, like having a trusted colleague who never sleeps and is always ready to jump in and handle the heavy lifting at machine speed.
AI-Generated Case Summaries
With so many incidents to handle, digging through endless lines of raw data can be overwhelming — especially when time is of the essence. Through AI-generated case summaries, Torq’s Case Management Agent distills intricate datasets into concise, actionable insights.
These AI case summaries quickly give analysts the essence of complex incidents without having to sift through mountains of logs, IOCs, and other event data linked to the case. By organizing and contextualizing case details into a consistent structure — i.e., “what”, “when”, “impact”, and “key indicators” — these summaries drastically reduce the time it takes for a human analyst to get caught up and take decisive response action, especially in situations like SOC shift transfers. It’s like having a seasoned mentor beside you, simplifying complicated cases so anyone, from a Tier-1 to a Tier-3 analyst, can make high-impact decisions more quickly and confidently.
Event Ingestion and Correlation
Imagine a security tool that consolidates over 300 data sources. Torq HyperSOC does just that. It gathers massive amounts of information in seconds and synthesizes data from your SIEM, EDR, IAM, and more while creating contextual cases at scale — without impacting the availability or usability of the case management platform.
This intelligent aggregation not only speeds up the discovery of threats but also dynamically updates existing cases as incidents unfold. AI-driven case management prioritizes what matters, filtering out the noise so analysts can focus on pressing issues without being bogged down by irrelevant data.
Achieving Autonomous Case Management
By combining Agentic AI with a powerful Hyperautomation engine, applied to a purpose-built case management platform, Torq HyperSOC automates routine triage and remediation processes with surgical precision.
Consider a simple but common headache of handling phishing responses. Torq’s AI swiftly analyzes suspicious emails, flags malicious links, and employs URL sandboxing to neutralize threats within seconds. Torq also automates account remediation, ensuring that compromised accounts are contained quickly to prevent further damage. By doing so, Torq frees up analysts to concentrate on more complex, high-stakes challenges, reducing manual workload and minimizing fatigue.
What Does AI Case Management Mean for the Future of Security Operations?
Torq’s AI-driven case management capabilities remove security teams from a constant reactive mode. It does so by leveraging historical data and real-time analysis to detect anomalies that might signal trouble ahead. Maybe a sneaky vulnerability is lurking in your network, or a misconfiguration is about to open the door to bad actors — AI can spot these issues instantly, sometimes even before anyone else does.
By embedding AI into every case management stage, Torq HyperSOC transforms security teams’ operations, enabling human analysts to step in only when their experience is truly needed. Tasks that once took days are done in seconds, human errors shrink, and teams can finally breathe a little easier knowing the Autonomous SOC is within their reach.
Curious how this works in action? Schedule a demo and see firsthand how AI case management can speed up SOC operations, reduce stress, and make dealing with cybersecurity threats more manageable.
HyperSOC-2o: The Game-Changing, Analyst-Validated Autonomous SOC
By Bob Boyle
April 23, 2025
10 Minute Read
Contents
IDC, Gartner, and Cyber Research Analyst Francis Odum validate Torq HyperSOC-2o for establishing the important building blocks for achieving the autonomous SOC.
The autonomous SOC is here. It is no longer a distant reality, it’s not a pipe dream, and it’s certainly not just another cybersecurity buzzword. According to IDC’s latest report exploring the evolution from generative AI to agentic AI in cybersecurity, the autonomous SOC is “heaven on earth…everyone should want it.”
And with the release of Torq HyperSOC-2o, now everyone can have it.
WTF is HyperSOC-2o?
HyperSOC-2o is the latest release of Torq HyperSOC™ — our most autonomous model to date and the first truly agentic SecOps platform.
Torq HyperSOC™ was first released in April 2024 as a purpose-built solution that harnesses the power of the AI-driven Torq Hyperautomation™ platform to automate, manage, and monitor critical SOC responses at machine speed. At the time of initial launch, IDC had this to say:
“Every day, IDC is engaged with SOC professionals who communicate the existential challenges they’re facing, both in terms of keeping up with ever-escalating threat complexity and volume, and the incredible burden that places on the shoulders of their teams.
Torq HyperSOC is the first solution we’ve seen that effectively enables SOC professionals to mitigate issues including alert fatigue, false positives, staff burnout, and attrition. We are also impressed by how its AI augmentation capabilities empower these staff members to be much more proactive about fortifying the security perimeter.”
A lot has changed since HyperSOC was first released, but SOC challenges remain the same. In a recent Emerging Techscape for Detection and Response Startups report, Gartner notes that as cybersecurity threats grow in volume and complexity, SOC teams continue to experience increasingly heavy workloads. While the surge in AI-supported threats demands more resources, more attention, and puts significant pressure on SOC teams to respond to threats effectively, Gartner says “AI agents are emerging as a critical solution to enhance efficiency, reduce burnout, and enable teams to focus on strategic initiatives.”
SOC teams are still struggling to keep up with increasingly complex threats, utilizing the limited resources available to them. According to IDC’s report, “Agentic AI is the next step toward a more autonomous SOC, but there must also be a bridge where local decisions have to become extensible to the greater network.” That bridge is HyperSOC-2o.
The Need for the Autonomous SOC
SOCs have been using AI, machine learning (ML), and large language models (LLMs) to collect information, assess risk, and prioritize alerts for some time now. These common GenAI use cases perform the first stages of security event triage, enabling security teams to interact and guide investigations through a natural language interface — significantly reducing the detection and response time to alerts. So why do we need the autonomous SOC?
An AI-influenced SOC, supported by a GenAI digital assistant, is still reliant on the ability and capacity of a human analyst to instruct and guide remediation actions. While security automation plays a significant role in the real-time response to these threats at machine speed — certainly faster than a human analyst could triage, investigate, and respond without GenAI augmentation — the truth is that GenAI and automation alone is still a reactive security posture.
What good are AI-driven, triaged, enriched, and prioritized comprehensive security cases that sit there waiting for a human to press the big red remediate button, if SOC analysts are still drowning in so-called “high priority” alerts? AI is supposed to reduce a SOC analyst’s workload, not create more manual tasks to watch over and approve.
Moving from the Aspirational to the Inspirational in SOC Processes
Agentic AI is different. The IDC report explains that “[agentic AI] can solve problems, adapt to its environment, and make complex decisions based on goals and available information. It does this in real time without constant human supervision. Agentic AI is self acting and self deterministic.” The promise is that agentic AI will become as effective on the prevention side as its GenAI predecessor has become in detection and response.
“By 2026, AI will increase SOC efficiency by 40% compared with 2024 efficiency, beginning a shift in SOC expertise toward AI development, maintenance and protection. AI and ML are revolutionizing proactive defense security by adding preemption and enhancing detection and response capabilities.”
Gartner, Emerging Tech: Techscape for Detection and Response Startups, March 2025
IDC goes on to state that the next leap towards the autonomous SOC is fusing the MTTD and MTTR improvements of GenAI with the human-like decision making of agentic AI to produce the following improved SOC outcomes:
Agentic AI becomes the mastermind of every incident: AI agents will handle over 95% of manual case triage, investigation, and enrichment without requiring constant human intervention — shifting from human-in-the-loop to human-on-the-loop. This supervisory model means humans will get involved much later in the case management lifecycle, if at all — likely only when the AI agent deems a case critical enough to require human oversight.
The incident detection and response life cycle will have embedded compliance and governance: Blackbox decision making from AI solutions does not suffice. Agentic AI records the deterministic logic and reasoning behind its decision-making in real-time for a security case, reducing the manual burden and risk of human error associated with case management documentation today.
The threat detection and response life cycle greatly improves a company’s proactive cybersecurity posture: The three key pillars that define agentic AI and allow it to solve complex problems and make human-like decisions are semantic memory, episodic memory, and procedural memory. As a result, agentic AI can apply what it’s learned from managing similar incidents in the past to improve future response processes and adapt to the latest emerging threats.
Fully automated responses will be nearly ubiquitous in the SOC: AKA… achieving the autonomous SOC. Together, GenAI and agentic AI will eliminate 95% of Tier-1 security tasks as most SOC processes become fully automated.
Agentic AI has enormous potential in security operations because of its ability to process and solve problems like a human SOC analyst. Alone, however, agentic AI still isn’t enough to achieve autonomy — Hyperautomation becomes the key to holding it all together. To truly achieve the autonomous SOC, security teams must use agentic AI to combine and contextualize relevant security event data in an instant, then leverage Hyperautomation to take remediation action as quickly as possible, without the delay of human intervention.
“Torq’s Hyperautomation capabilities can help improve the efficacy of security teams now and with an eye to the future. Hyperautomation is a type of glue logic that binds static entities, such as logs, directories, and applications, creating usable correlations for observation, detection and response, and remediation. Torq is working on all SOC fronts while improving MTTD, MTTR, threat hunting, and remediation actions impactfully. The agentic AI architecture is disruptive.”
Chris Kissel, Vice President, Security & Trust Products, IDC Research
The unique combination of GenAI, agentic AI, and Hyperautomation is why IDC recognizes Torq alone to have established the most important building blocks needed to achieve the autonomous SOC.
This latest version of Torq HyperSOC™ expands Torq’s Multi-Agent System (MAS) by incorporating cutting-edge Retrieval Augmented Generation (RAG) technology into existing agentic AI functionality. RAG allows Torq AI Agents to reference massive amounts of data and produce extremely specific outputs that are highly contextual, continuously improving in accuracy and enabling game-changing deep research capabilities.
Socrates, the agentic AI SOC Analyst, sits at the helm of HyperSOC-2o, acting as an OmniAgent responsible for controlling and collaborating with four new RAG-enabled micro-agents. These agents are trained in specific areas of expertise and capable of using sophisticated iterative planning and reasoning to solve complex, multi-step problems autonomously. The four micro-agents are:
Runbook Agent: Plans highly customized agentic threat investigations and responses based on its ability to learn from past incident outcomes, recognize similar attack patterns, and adapt to emerging threat vectors.
Investigation Agent: Uncovers hidden attack patterns across disparate data sources, performs detailed root cause analysis, and accurately assesses threat impact to help HyperSOC-2o effectively prioritize responses.
Remediation Agent: Takes action across the security stack either completely autonomously, or by intelligently escalating critical cases for human-in-the-loop remediation, reducing MTTR and enabling SOC analysts to trigger complex actions at machine speed.
Case Management Agent: Delivers faster access to real-time and historical data through AI-generated case summaries, enabling more accurate threat identification, dynamic case prioritization, and streamlined decision-making by eliminating irrelevant noise.
Think of Socrates like the head coach of a football team. The head coach is surrounded by specialists — an offensive coordinator, a defensive coordinator, a special teams coordinator, assistant coaches, and so on. While it is the head coach’s responsibility to make the final play calls on game day, they rely heavily on their specialists to study the opponent’s game film, design the plays, and make real-time adjustments on the fly.
This is exactly how Socrates operates. When a case is assigned to Socrates for auto-remediation — Socrates calls on the Runbook Agent to formulate the most efficient investigation and response strategy. When a SOC analyst asks Socrates to analyze the observables of a case — Socrates employs the Investigation Agent to correlate third-party threat intelligence and find the relevant event data.
And when a threat needs immediate containment, Socrates works through the Remediation Agent to trigger the appropriate hyperautomation workflow — whether that is using Crowdstrike to isolate an endpoint, Okta to reset a password, or Abnormal to remove a phishing attack from an end user inbox.
“Torq HyperSOC makes the potential of AI in a SOC attainable and sustainable by connecting AI with the SOC’s full range of tools and processes. With Torq HyperSOC, you can automate more than 95% of Tier-1 analyst tasks and significantly reduce the burden on existing SOC teams. Torq HyperSOC is a huge game-changer for enterprises.”
Francis Odum, Software Analyst, Cyber Research
Don’t Just Change the Game — Flip the Gameboard
In security, the odds are always stacked against the defender. The attacker has the element of surprise, access to the same AI and security tooling, and room to fail over and over and over again — biding their time until that one successful breach.
To stay ahead, we need to empower SOC teams to act as quickly, accurately, and proactively as they possibly can. HyperSOC-2o gives teams that fighting chance — leveraging AI agents and Hyperautomation to reduce investigation times by up to 90%, increasing the SOC’s capacity to handle 3-5x more alerts with no added headcount, and remediating over 95% of security threats — completely autonomously.
Dive deeper into IDC’s exploration of agentic AI as the next leap in the autonomous SOC.
Torq HyperSOC™ is the First Autonomous SOC Platform with Native Model-Context Protocol (MCP) Support
By Leonid Belkind, Co-Founder and CTO
April 22, 2025
9 Minute Read
Contents
Innovation in cybersecurity technology, particularly in security operations, is advancing at an incredible pace. The past few months have seen a surge in announcements of Agentic AI solutions and SOC Analyst AI Agents, transforming the landscape rapidly. At BlackHat USA 2023, Torq pioneered this space by introducing Socrates, the first AI Agent SOC Analyst. This highlights the remarkable acceleration of AI adoption in cybersecurity and the significant advancements made in a relatively short period.
Socrates, our Agentic AI SOC Analyst, has been up and running for a solid year and a half, which is pretty impressive for this kind of tech. It’s dealing with thousands of real security issues every hour for major companies. Since the initial release of Socrates, Torq has expanded our agentic AI portfolio by launching a comprehensive Multi-Agent System (MAS), as well as the latest version of Torq HyperSOC™ powered by Retrieval-Augmented Generation (RAG) technology.
Even as new entrants jump on the AI-in-SOC bandwagon, Torq continues to push the envelope — Socrates keeps learning and evolving, and Torq remains steps ahead in the Autonomous SOC space.
Today, Torq is proud to announce another ‘first’ in the Autonomous Security Operations field: the first platform to support a Model-Context Protocol (MCP) natively in its architecture. This groundbreaking advancement unlocks a new realm of possibilities in security operations, enabling powerful and exciting outcomes that were previously unattainable. By integrating MCP into its core framework, Torq is paving the way for more intelligent, adaptive, and efficient security solutions, setting a new standard for the industry.
What is Model-Context Protocol?
Model-Context Protocol (MCP) is an open protocol designed to standardize how applications provide context to Large Language Models (LLMs) and AI Agents to retrieve contextual information from applications and systems.
When a security operations process is orchestrated by an AI Agent, native integration with MCP Servers delivers outcomes far greater than static lists of tools and actions, or even extensions with APIs and workflows. This dynamic integration accelerates Security Operations outcomes by improving detection and triage accuracy, and reducing Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR).
Torq as a Model-Context Protocol Host: Endless Extensibility
Torq HyperSOC-2o acts as an Model-Context Protocol Host, meaning it can natively interface with MCP servers to both fetch context and execute actions. The flexibility of MCP makes integrations with corporate systems and cloud services more agile than ever.
Your AI agent isn’t operating with a fixed toolbox — it can seamlessly tap into real-time data sources, internal databases, SaaS applications, cloud workloads, and more, all through standardized MCP connections. This extensibility ensures your autonomous SOC is always armed with the most up-to-date information and capabilities, leading to more intelligent and effective security operations.
Today, during the early days of Model-Context Protocol adoption, most MCP Servers available for use require self-hosting, making it extremely important to provide an enterprise-grade security for the transport and access layers in order to benefit from the capabilities without compromising the underlying data or operations.
The schematics above depicts how the Torq platform natively extends its automation and orchestration capabilities to become Model-Context Protocol hosts, allowing access to both self-hosted and cloud-hosted MCP servers in an intelligent and secure manner.
Key advantages of Torq’s native MCP Host capability include:
Real-Time Contextual Awareness: AI-driven investigations can pull in live context (user details, asset data, threat intel, etc.) exactly when needed, rather than relying on stale or predefined inputs. This leads to smarter decisions and fewer false positives.
Unlimited Extensibility: Thanks to MCP’s open standard, any new tool or data source that supports MCP can be plugged into your SOC workflows instantly. Torq HyperSOC-2o transforms into a plug-and-play powerhouse, adapting as your environment evolves.
Faster, Smarter Response: Dynamic context enables higher-fidelity alerts and faster root-cause analysis. Early users have seen significant improvements in detection precision and response times, cutting down the investigative workload on analysts.
Enterprise-Grade Security: All MCP interactions through Torq are encrypted, authenticated, and audited. You can safely connect to self-hosted knowledge bases or third-party MCP services, confident that communications meet your security and compliance standards.
Torq as an MCP Server: New Ways to Access Your Processes
Torq’s native Model-Context Protocol architecture opens up an exciting paradigm where Torq workflows, steps, and integrations can be securely utilized as tools and actions within other MCP Hosts. This enables a significant increase in productivity for both security professionals and organizational information employees.
By providing secure, managed, and monitored organizational processes as context to external LLM applications such as Claude Desktop and various IDEs, Torq facilitates seamless integration and enhances the capabilities of these platforms. This approach ensures that sensitive organizational processes are handled with the utmost security while empowering users with advanced AI-driven functionalities.
Imagine an organization embracing self-service processes for various IT and Security functions as a means for increasing organizational efficiency. Torq Hyperautomation has been the hub for such activities since its inception, and now these processes can be accessed in a completely new way, through the organization’s chosen and adopted AI tools.
The schematics above depict how a Torq MCP Server provides access from the organization’s chosen AI tools to Torq workflows, steps, and integrations, increasing the efficiency of leveraging various organization-approved security operational practices natively.
For example, a security analyst using a chatbot interface like Anthropic’s Claude or a developer working in an IDE with an AI coding assistant can simply ask their AI agent to perform a task, “Hey AI, scan this newly reported IP across our logs and threat intel sources.” Behind the scenes, the AI agent invokes a Torq workflow (exposed via MCP) that conducts a multi-step investigation across all your tools, then returns the result directly into the chat or IDE. The person didn’t need to switch consoles or manually run any script; the AI, powered by Torq, handled it instantly.
Torq HyperSOC-2o makes this scenario a reality by providing a secure, managed, and monitored way for external AI applications (from chatbots to SIEMs to custom AI assistants) to leverage your organization’s existing Torq automations as first-class actions. Importantly, all of this is done with the utmost security and control.
Torq’s permissioning and audit logs extend into the MCP domain, ensuring that any action an external AI triggers is authorized and tracked. Your sensitive processes remain protected, even as they become more accessible and useful to your teams via AI.
In short, Torq as an MCP server turns the AI tools your team already uses into powerful gateways for your automated SOC workflows — dramatically increasing efficiency and accessibility without sacrificing security.
Security Operations Data as MCP Resources
The above examples of Torq’s innovation in natively adopting the Model-Context Protocol framework are just the beginning. The potential of MCP resources and prompts opens up an exciting avenue for creating native user experiences for navigating and analyzing security events and case data. By leveraging MCP, any AI tool can be transformed into a powerful threat hunting and digital forensics orchestration environment, providing unparalleled capabilities for security professionals. This advancement allows for deeper insights and more effective responses to security incidents, significantly enhancing an organization’s overall security posture.
Consider what this could mean: Analysts will be able tonavigate and analyze security events through natural language via their AI assistants, with Torq feeding the relevant data on demand. An AI agent could correlate an ongoing incident with past cases, highlight patterns, or even suggest remediation steps by drawing from your organization’s entire trove of security knowledge — all in seconds, all within the AI’s conversational or analytical environment.
This kind of seamless, context-rich interaction provides unparalleled capabilities for security professionals. It leads to deeper insights, more proactive threat hunting, and ultimately more effective responses to incidents. By breaking down data silos and making institutional knowledge available in real time through MCP, Torq HyperSOC-2o significantly enhances an organization’s overall security posture. It’s not just about doing things faster; it’s about empowering humans and AI to collaborate on tasks that were previously impossible.
Stay Tuned: This is Just The Beginning
“An analysis of the history of technology shows that technological change is exponential, contrary to the common-sense intuitive linear view”, said Ray Kurtzweil in “The law of accelerating returns” in 2021. Almost a quarter of a century later, this statement, which in itself can be seen as a generalization of Moore’s Law from 1965, is being proven as true time after time.
Torq’s journey with AI and automation in security is a testament to this acceleration. We went from conceptualizing an AI SOC analyst to having one in production within months, and now to enabling an open protocol that can fundamentally change how AI systems interact with security tools and data. And we’re far from done.
Torq HyperSOC-2o’s introduction of native Model-Context Protocol support is just the first chapter in an exciting new era of autonomous security operations. Torq will continue to innovate and lead as technology races forward, ensuring our customers stay ahead of the curve. We are privileged to be part of this revolution – and we’re committed to driving it.
Stay tuned for more updates as we continue to expand what’s possible in the SOC. The future of security operations is unfolding now, and with Torq, you’re not just witnessing it — you’re leading it alongside us. Let’s embrace this future together and redefine what a truly autonomous SOC can achieve.
All Gas, No Brakes: The Autonomous SOC Revolution is Here
By Ofer Smadari, CEO & Co-Founder
April 15, 2025
5 Minute Read
Contents
The era of static playbooks and reactive security is over. A new generation of AI-driven security operations is emerging — one that combines cloud-native scale with intelligent, agentic automation to redefine how Security Operations Centers (SOCs) work.
As CEO of Torq, I’ve had a front-row seat to this transformation. In speaking with countless CISOs and analysts, one theme rings loud and clear: We can’t fight modern threats with yesterday’s tools. SOC teams today are wilting under an onslaught of alerts and “busywork,” creating an existential crisis in security operations. It’s time for a bold leap forward.
Leading the Charge: Torq HyperSOC-2o and the Revrod Leap
Earlier this month, we took a decisive step into the future by launching Torq HyperSOC-2o, fresh on the heels of our acquisition of Revrod — a stealth-mode Israeli AI startup with advanced multi-agent AI expertise. This move isn’t just about adding features; it positions Torq at the forefront of the autonomous SOC revolution.
Torq HyperSOC-2o is built around a comprehensive OmniAgent that can identify, prioritize, and remediate threats across the entire organization. By integrating Revrod’s cutting-edge multi-agent RAG (Retrieval-Augmented Generation) technology, we’ve supercharged our platform’s ability to do deep research, planning, and generative reasoning in the SOC. In plain terms: HyperSOC-2o can analyze threats and coordinate responses with near-human-level insight and precision at machine speed.
This isn’t hype — it’s happening now. Torq was recently named an “AI Startup to Watch” by Business Insider, recognizing the momentum and innovation behind our approach. With Revrod’s team now part of Torq, that momentum accelerates.
“Torq is at least 18 months ahead of the pack in delivering true autonomy for security operations.”
I can confidently say Torq is at least 18 months ahead of the pack in delivering true autonomy for security operations. Revrod’s technology “fundamentally changes what’s possible in a SOC,” and by weaving it into HyperSOC-2o, we’re giving our customers the ability to operate faster and smarter than ever. In demos at RSA Conference, attendees will see firsthand that the autonomous SOC isn’t a distant vision — it’s here, and Torq is leading it.
Beyond Legacy SOAR: A Generational Leap in SOC Automation
To understand why this leap matters, consider the tools many SOCs have relied on until now: legacy SOAR platforms like Palo Alto’s Cortex XSOAR (Demisto), Splunk Phantom, or Siemplify. These systems were pioneering in their day, but they were built for a different era and a different scale. Traditional SOAR demanded extensive coding and constant maintenance to keep up with new threats and systems.
In contrast, Torq HyperSOC is built on an agentic architecture where AI agents actively collaborate, reason, and take initiative across the full security stack. We’ve developed an OmniAgent that can orchestrate a team of specialized AI agents, each with its own focus area, dynamically working together like a human SOC team.
Compared to the rigid, one-track automations of legacy SOAR, Torq’s multi-agent brain represents a generational leap. It’s the difference between a scripted assistant and an autonomous colleague. It auto-calibrates its response playbooks and tools on the fly to mitigate threats faster and more accurately than any static playbook could.
Inside Torq HyperSOC-2o: AI Agents on the Front Lines
Rather than a monolithic black box, Torq HyperSOC-2o is an ensemble of intelligent agents working in concert — a “virtual SOC team” that never gets tired. Here’s a closer look at the AI agents powering HyperSOC-2o:
Investigation Agent — Performs deep-dive investigations in seconds, uncovering hidden patterns across disparate data sources and tools to pinpoint root causes and assess threat impact.
Case Management Agent — Gathers real-time and historical data, organizes case timelines, highlights key indicators, and reprioritizes incidents based on evolving information.
Runbook Agent — Autonomously executes and adapts incident response runbooks with institution-specific knowledge built-in.
Remediation Agent — Executes remediation actions autonomously, closing the loop with verifiable outcomes, operating in orchestrated or human-in-the-loop configurations.
Together, these agents function as an AI-powered SOC unit: ingesting alerts, investigating, collaborating, and remediating as a cohesive intelligence.
Real Results: Faster Responses, Greater Scale, Happier Analysts
Fortune 500 companies have already deployed Torq’s agentic SOC platform. In early deployments, organizations saw:
Up to 90% reduction in investigation time.
3–5× increase in alert handling capacity with no added headcount.
95%+ of Tier-1 security tasks automated.
Significant improvements in key SOC KPIs like MTTR (mean time to respond).
Security leaders can now shift from a reactive stance to a proactive strategy. They can spend more time on strategic initiatives because the AI agents have their backs on the front lines.
The Road Ahead: How AI Agents Will Redefine Cybersecurity Operations
The introduction of intelligent, collaborative AI agents into the SOC is not just an incremental improvement — it’s a tectonic shift. Security operations will never be the same.
Organizations will be able to achieve a level of security posture and responsiveness previously limited to only the most well-staffed enterprises — not by hiring armies of analysts, but by deploying intelligent agents that work like armies of analysts.
The autonomous SOC is here, and it’s here to stay.
The Fast Eat the Slow: AI Adoption for Survival in Modern Cybersecurity
By John "JQ" Quinsey
April 14, 2025
4 Minute Read
Contents
John Quinsey (also known as “JQ”) is a regional director at Torq with 25 years in software and SaaS sales, solving business problems with disruptive technologies. He firmly believes AI has the power to revolutionize modern security operations.
Just five years ago, the average dwell time for a ransomware attack was seven months. Today, it’s five days and shrinking. Lateral movement breakout times have also accelerated significantly, dropping from 62 minutes to 48 minutes, with the fastest recorded breakout happening in just 51 seconds.
Why? Among other reasons, the bad guys are now leveraging AI to increase both the speed and breadth of their attacks. To put it bluntly, they’ve gotten a hell of a lot faster — and SOCs are struggling to keep up.
Don’t Play Checkers While Attackers Play Chess
Security teams today face an overwhelming number of alerts, many of which result from harmless Internet activity. With countless alerts pouring in daily, identifying the real threats becomes incredibly difficult, and serious vulnerabilities can go unnoticed amid the noise. This is where AI in the SOC comes in.
AI has become essential for detecting and stopping sophisticated threats at scale. By rapidly filtering out irrelevant traffic, an AI SOC analyst can give human analysts a clear head start. Capable of tirelessly sifting through millions of data points, auto-remediating the majority of Tier-1 alerts, and intelligently escalating critical cases, an AI SOC analyst enables human analysts to tackle high-priority threats in real time.
This combination of AI-driven anomaly detection and response with human-led investigation for critical events is essential in today’s cybersecurity landscape, where attackers are constantly evolving their tactics. Relying on traditional methods to defend your organization against a modern attack is akin to playing checkers while the bad guys play chess.
The Early Adopter Advantage in the Age of AI
A few years ago, embracing an early adopter mindset in IT and security operations was considered risky, a gamble on unproven technology. Today, AI adoption in the SOC has become a necessity to combat existential threats. Organizations that are slow to adopt AI run the risk of being eaten alive.
The new cutting edge in AI for SecOps is agentic AI, a paradigm shift that empowers autonomous SOC operations. Agentic AI can coordinate specialized AI agents to autonomously handle cases, build workflows, write case summaries and reports, transform data, and more.
Making the shift to an early adopter mindset for AI in SecOps involves more than just deploying new tools. It requires investment in training so that security teams are equipped to leverage AI effectively and responsibly. It also requires a strategic approach to building trust in AI systems through transparency, explainability, and guardrails, ensuring that AI-driven decisions are reliable and aligned with organizational objectives.
‘The Best Practical Use of AI From Any Vendor’
Torq has GenAI and agentic AI embedded throughout our platform. We use it to help with integrations, to help build workflow automations, and to improve the quality of life of human analysts. By automating routine tasks and providing enriched insights, AI adoption in the SOC frees human analysts to focus on the most critical threats, enabling faster and more effective responses.
I was recently on a call with the CISO at a Fortune 500 company that has been a customer for over a year. She said, and I quote, “Torq has the best practical use of AI I’ve seen from any vendor.”
Ready to turbocharge your SOC with AI so you don’t get eaten alive? Get the AI or Die Manifesto to learn how to deploy AI the right way, so your SOC — and the humans in it — survive.
Evolution Equity Partners’ Portfolio Companies Tackle a Cyber Crisis
By Patrick “PO” Orzechowski
April 7, 2025
4 Minute Read
Contents
Patrick Orzechowski (also known as “PO”) is Torq’s Field CISO, bringing his years of experience and expertise as a SOC leader to our customers. PO is a seasoned security veteran with a deep understanding of the modern security landscape. You can find him talking to SOC leaders and CISOs from major brands at cybersecurity events around the world.
I recently took part in a cyber crisis simulation event which showcased Evolution Equity Partners’ portfolio companies and made Torq’s real-world value strikingly clear.
The simulation presented a realistic scenario: a data breach at a fictional wealth management firm, with the attack’s progression followed through detection, investigation, response, and resolution. Participating companies included Torq, Sweet Security, Oleria, Halcyon, and Cytactic.
This cyber simulation reinforced the need for proactive security: automation, robust identity management, and agile cloud response. It also underscored the importance of having a crisis management system in place for simulating a live event — so when the inevitable happens, all teams, stakeholders, and external parties that need to be involved in resolving a major incident are included from the beginning.
A Cyber Crisis Simulation Unfolds
1. Detecting the Impossible Alert
The initial attack factor in the simulation was a compromised credential initially identified by an “impossible journey” detection in Torq’s AI-native Hyperautomation platform. Torq was able to identify this impossible travel through authentication logs that contained geographical source login information.
The targeted financial services company had several layers in place to detect and respond to these types of attacks, so the incident was kicked off through the initial case management system in Torq.
Through its AI-powered automated response capabilities, Torq’s platform triaged, enriched, and investigated the alert, ultimately determining that it required escalation.
Inside Torq’s platform, this event could then be tracked by the SOC throughout the incident lifecycle until being handed off to Legal, PR, and potentially cyber-insurance and external incident response partners.
2. Confronting the Extortion
After the initial attack, it was determined that the user did in fact access sensitive information contained in an S3 bucket, which was detected by Sweet Security’s unified detection and response platform.
Once the attacker procured the data, they sent an extortion threat letter to the company which included screenshots of contracts and other sensitive information. At this point, management had to:
Decide whether or not to disclose the breach
Determine whether or not the breach was “material”
Assess if they need to contact their customer base.
From there, Oleria identity security platform discovered the attacker had gained access to an insecure SharePoint site, but only accessed a limited amount of sensitive data.It was determined that the SharePoint site needed to be secured and, due to the limited data exposure, a negotiation team was brought in. They then found that the attacker was attempting to move laterally through the company’s systems.
3. Stopping Ransomware Escalation
From there, the company deployed Halcyon’s ransomware defense solution to determine if ransomware was active. Halcyon successfully detected and blocked infections on the systems where it was installed, but the attacker was able to begin encryption on systems where it was not.
The company then engaged Halcyon’s Professional Services to attempt to decrypt what the attacker was encrypting without having to pay for the keys.he keys.
Minimal Damage, Maximum Defense
In the end, the company was able to handle the incident without a breach disclosure and minimal impact to customer operations. This event could have been much worse if the services company did not have advanced detection and response capabilities already deployed within its security stack.
Building Cyber Resilience through Proactive Simulation
This “impossible journey” simulation demonstrated the critical importance of establishing effective cybersecurity strategies and deploying innovative security solutions.
Proactive cyber crisis simulations enable businesses to build resilience and minimize the impact of potential attacks by:
Identifying vulnerabilities.
Improving mean time to detect and respond
Testing incident response plans
Improving decision-making under pressure
Understanding the impact of cyberattacks
Facilitating learning and continuous improvement
Want to learn more about leveling up your SOC’s automation and autonomous response capabilities? Read the SOC Automation Pyramid of Pain.
Generative AI Cybersecurity: What It Is, What It Isn’t, and What Comes Next
By Torq
April 3, 2025
7 Minute Read
Contents
Generative AI (GenAI) uses large language models (LLMs) to generate new content, synthesize data, and make context-aware decisions. In a cybersecurity organization, this means GenAI can help triage alerts, enrich threats, write playbooks, and assist analysts in real time.
But here’s the problem: Most SOCs are only scratching the surface of how generative AI can be used in cybersecurity. They’re using GenAI to summarize logs or generate scripts, which still requires human oversight and remains reactive. Did you know you could take your AI so much further?
How Can Generative AI Be Used in Cybersecurity?
GenAI is built on deep learning, a subset of machine learning, using large neural networks known as transformers. These transformers are trained on billions of data points and optimized to understand and mimic language, behavior, and structure.
Many GenAI systems are modeled after GPT (Generative Pretrained Transformer), which has learned how to respond to prompts in human-like ways by identifying patterns across massive data sets.
Here are some ways Generative AI can be used in cybersecurity:
Triage and enrichment: GenAI can automatically triage incoming alerts, enrich data from SIEM, EDR, and other sources, and generate clear, concise summaries.
Threat detection: Trained on historical attack data and threat patterns, GenAI models can identify indicators of compromise (IOCs) and anticipate emerging tactics.
Case documentation: Generative AI can produce case reports, threat timelines, and case summaries. These auto-generated insights reduce the need for manual documentation and simplify compliance reporting.
Threat hunting: Security analysts can use GenAI to query threat intelligence databases and data lakes using natural language prompts. This simplifies threat hunting workflows and empowers junior analysts to work at a higher level.
Workflow design: GenAI allows users to describe desired automations in natural language, which the system then converts into executable workflows. This eliminates the need for manual scripting and accelerates automation adoption across teams.
All of this helps analysts move faster — but it’s still reactive. It still requires humans in the loop. And it’s still just the beginning.
Challenges of Using Generative AI Alone
Without the right guardrails, GenAI in cybersecurity comes with serious risks:
Accuracy issues: GenAI can hallucinate. That means it can produce outputs that are confidently wrong. And in cybersecurity, that’s dangerous. An inaccurate summary of a threat, a misidentified IOC, or a fabricated correlation can derail an investigation, waste valuable analyst time, or worse, lead to improper remediation actions.
Data privacy: GenAI models are only as good as the data they’re trained on and how that data is handled. Feeding sensitive logs, incident data, or user information into GenAI without proper controls can lead to unintentional exposure of private data or regulatory violations. This is especially risky in regulated industries (finance, healthcare, etc.), where compliance failures come with heavy penalties.
Infrastructure overhead: Running LLMs requires serious computing, storage, and ongoing management. Even when using APIs from providers, the costs of integrating, fine-tuning, and securing the system can add up quickly. Without a well-architected platform, organizations often end up with fragile, expensive prototypes that don’t scale.
Threat actor access: You’re not the only one using GenAI. Threat actors are, too. From auto-generating phishing emails and malware variants to simulating voices or bypassing MFA with deepfakes, adversaries are industrializing their attacks with the same tools defenders are exploring.
This is why GenAI alone doesn’t cut it. It enhances the SOC — but it doesn’t free it. It still relies on humans to verify outputs, make decisions, and connect the dots. To truly transform security operations, you need more than content generation — you need contextual understanding, autonomous action, and real-time orchestration.
That’s why Torq goes beyond GenAI — combining it with agentic AI, Hyperautomation, and RAG-powered microagents to deliver a self-sustaining, intelligent SOC.
IDC: GenAI is Just the Beginning
A recent IDC Spotlight Report reinforces what leading cybersecurity teams already suspect: Generative AI is only the beginning. The real transformation happens with agentic AI.
Although only 7% of organizations are using agentic AI today, 60% expect it to impact their SOC operations within the next 18 months significantly. The benefits are tangible: organizations embracing this shift are seeing a 50% reduction in mean time to detect (MTTD), automated response for 90% of alerts, and a 35% lower risk of major breaches.
Torq’s HyperSOC platform, powered by agentic microagents, delivers exactly the kind of automation and intelligence IDC highlights — and it’s already available today.
Torq’s Take: From Generative AI to Autonomous Cybersecurity
Agentic AI is the brain behind the operation. Torq’s multi-agent system, led by Socrates, understands context, makes decisions, and learns from experience. How?
It uses semantic memory to understand relationships between threats, assets, and users.
It applies episodic memory to recall past incidents and resolutions.
It executes using procedural memory, adapting workflows in real-time based on its growing knowledge base.
Unlike GenAI, which waits for a prompt, agentic AI acts independently. It triages alerts, investigates root causes, and escalates only when necessary — moving SOCs from a human-in-the-loop to a human-on-the-loop approach. That means analysts step in only when they’re truly needed.
Hyperautomation: Machine-Speed Response Across Your Stack
Torq’s Hyperautomation engine seamlessly orchestrates your entire security ecosystem — across EDR, SIEM, IAM, email security, ticketing systems, cloud platforms, and beyond.
Hyperautomation connects all the dots — transforming detection into response with zero delay.
RAG-Enabled Microagents: Smarter Agents
Retrieval-augmented generation (RAG) enhances our specialized AI Agents with memory, precision, and real-time data access. Each microagent is trained on a specific domain, like investigation, remediation, or case management, and uses RAG to:
Pull in relevant threat intel, logs, and past incidents
Filter out noise and focus only on actionable data
Think of them as subject matter experts inside your AI-powered SOC — each one armed with a knowledge base that updates every second.
Defending Against GenAI Security Threats
Adversaries are using GenAI too — for phishing, deepfakes, malware variants, and more. That’s why Torq’s defense stack includes:
Behavioral detection: We spot the telltale signs of GenAI-generated attacks such as weird phrasing, impossible travel, or AI-crafted obfuscation.
Automated response: The second a threat is flagged, Torq acts. Endpoints isolated. Credentials locked. Sessions terminated. Tickets opened. Teams alerted. No hesitation.
Adaptive workflows: Attackers adapt. So do we… automatically. Torq’s workflows update themselves based on real-time threat intel, evolving tactics, and active defense insights. What was a one-off attack yesterday becomes a blocked pattern today.
Go Beyond GenAI Cybersecurity with Torq
Generative AI in cybersecurity got us started — summarizing alerts, drafting playbooks, and answering questions. But Torq takes it further.
With agentic AI, Torq’s platform went from suggestion to autonomous decision-making. With Hyperautomation, Torq executes those decisions instantly across your entire stack. And with RAG-enabled microagents, every move is precise, contextual, and based on real-time intelligence.
That’s how you build a truly autonomous SOC.
Want to go beyond GenAI cybersecurity? Get the AI or Die Manifesto.
