AI

Maximizing AI Autonomy: Achieving Reliable AI Execution Through Structure and Guardrails

By Gal Peretz
January 21, 2025
5 Minute Read

Contents

Gal Peretz, Head of AI & Data at Torq

Gal Peretz is the former Head of AI & Data at Torq. Gal accelerates Torq’s AI and data initiatives, applying his deep learning and natural language processing expertise to advance AI-powered security automation. He also co-hosts the LangTalks podcast, which discusses the latest AI and LLM technologies.

Our previous blog post explored how planning with AI systems can set the stage for smooth collaboration between humans and machines. However, a solid plan alone isn’t enough. The next step is orchestrating the execution — ensuring that the AI system can carry out tasks autonomously while maintaining guardrails that prevent errors, hallucinations, or false actions.

The Challenge of Direct Execution: LLMs Alone Aren’t Enough

Moving from a free-text runbook to execution without a structured schema is where most AI implementations fail. While large language models (LLMs) are powerful, they continue to struggle with AI autonomy due to:

  • Hallucinations: Making incorrect assumptions or executing invalid steps.
  • Ambiguity: Choosing the wrong tools or extracting incorrect arguments from the execution context to pass to the next step.
  • Lack of Determinism: Struggling to execute tasks consistently without a clear structure, often leading to indeterministic execution where the AI agent may jump between steps out of order or skip them altogether.

Simply put, letting the LLM orchestrate execution without structure and guardrails lacks the precision needed for a reliable execution process.

Streamlining the Execution of a Clear and Reliable Plan

To address this, Torq implements a concrete structured execution scheme that ensures Torq’s AI system performs tasks deterministically and without ambiguity. Once the high-level plan is developed, the AI extracts each step as an atomic unit — clear, precise, and sequential. 

This structured approach eliminates the risks of indeterministic execution, where the AI agent might skip steps, go out of order, select incorrect tools, or misinterpret arguments due to vague instructions. 

Think of it like following a recipe step by step: after deciding to ‘make dinner,’ you break your activities into clear, sequential micro-tasks like ‘bring water to a boil’, then ‘add pasta to the water.’ 

Similarly, Torq built our AI to execute a detailed plan one micro task at a time, in the right order. This allows Torq’s AI system to analyze and break down instructions and examples for each step, ensuring the AI completes the overarching task accurately. By eliminating ambiguity, the structured execution guides the AI to select the right tools and arguments at every stage, delivering consistent and reliable results.

AI Guardrails: Balancing AI Autonomy and Control

While we aim to maximize AI autonomy, balancing it with guardrails is critical to ensuring its safe and reliable execution. These guardrails act as safety nets that prevent the AI from taking false or unintended actions, ensuring human oversight remains available when necessary.

The key is for the AI to be able to break down the execution process into atomic steps that it can handle precisely. The system then focuses on clear micro-tasks for each step, reducing ambiguity and enabling the AI to perform confidently. 

However, when the AI encounters uncertainty — such as ambiguous context, missing tools, or incomplete arguments — it pauses execution and escalates the decision to a human operator. This human-in-the-loop mechanism mitigates the risks of hallucinations or incorrect tool usage, providing a safety checkpoint before the AI proceeds.

By combining structured execution with these dynamic guardrails, we can push the boundaries of AI autonomy. This allows the AI to operate efficiently and autonomously in most cases, saving significant time and resources while ensuring that safety and accuracy are never compromised.

Screenshot showing an example of an AI system seamlessly delegating control to a human when it lacks permission to execute a critical task, demonstrating how AI autonomy and human oversight work together seamlessly.
Figure 1: Example of an AI system seamlessly delegating control to a human when it lacks permission to execute a critical task, demonstrating how AI autonomy and human oversight work together seamlessly.

Reliable AI-Powered Execution at Scale

Orchestrated execution unlocks AI’s full potential by combining precision, autonomy, and control. By leveraging a step-by-step structure, AI can focus on atomic tasks, ensuring consistency and reliability at every stage. This approach streamlines workflows requiring constant human intervention, enabling AI to act efficiently while remaining grounded in a structured plan.

For Security Operations Center (SOC) teams, this translates to faster and more reliable execution of security runbooks at scale. This reduces the need to micromanage AI-powered SOC processes or perfect the prompts to control the AI, giving SOC teams more time for higher-value tasks while ensuring confidence in the AI’s structured execution.

The Future of AI Autonomy in the SOC

Choosing solutions that orchestrate AI execution with appropriate guardrails is critical for building trust, efficiency, and precision in today’s SOC operations. AI that structures execution as a series of deterministic micro steps and balances AI autonomy with human oversight allows SOC teams to confidently rely on AI systems to streamline their workflows.

This collaborative approach enables SOC analysts, engineers, and managers to:

  • Maintain control over automated processes
  • Trust in AI’s reliability for step-by-step execution
  • Focus on higher-value work while reducing uncertainty

The result is a stronger, more efficient autonomous SOC environment where human expertise and AI capabilities work seamlessly together. Schedule a demo today.

Read the rest of Gal’s blog series about AI in the SOC:

Share

Related Articles

Hyperautomation Product Use Cases

Impossible Travel Detection with Torq: Defend Against the Most Prominent and Expensive Breach

By Brian Higgins
January 13, 2025
5 Minute Read

Contents

With widespread remote work and global access, organizations face mounting challenges in securing user identities against sophisticated threats. One critical identity risk signal is impossible travel, where a user appears to log in from two unrecognized, geographically distant locations within an unrealistic timeframe, indicating the possibility of compromised credentials or session hijacking.

Identity is the New Security Perimeter

According to IBM, stolen or compromised credentials account for up to 40% of malicious incidents in Fortune 500 companies. These breaches also rank among the most expensive, adding over $1 million in costs per incident. Despite best practices like multi-factor authentication (MFA) and employee security training, the human element remains the weakest link — 68% of breaches stem from social engineering or user error.

To address identity-driven threats efficiently, organizations must shift from reactive security models to automated, identity-centric operations (IdentityOps). Torq enables security teams to detect and remediate compromised credentials in real time without adding operational burden.

Automating Identity Threat Detection with Torq

To save security analysts from legacy systems and alert fatigue, Torq created an Impossible Travel Detection workflow to eliminate reliance on legacy, manual security processes. Torq automates Impossible Travel Detection with your existing best-of-breed toolstack. 

With 300+ integrations, this workflow can integrate with Okta, Microsoft Entra (Azure AD), Google IAM, and other leading identity providers, leveraging geolocation, user behavior analytics, and AI-driven security automation to identify and block suspicious logins instantly.

How To Detect Impossible Travel

Torq autonomously triggers its detection workflow based on successful login events from your identity access management (IAM) provider of choice (i.e., Okta, Microsoft Entra, Google IAM, etc.) and follows this streamlined identity-centric process:

  1. Login Event Capture → Activates the workflow when a user logs into Okta (or another IAM solution).
  2. Geolocation Analysis → Determines the IP address’s physical location via integrated intelligence tools.
  3. Historical User Behavior Comparison → Compares the login’s geolocation with previous locations stored as identity baselines.
  4. Distance & Speed Calculation → Uses the Haversine formula to determine the travel distance and computes implied travel speed.
  5. Anomaly Detection → Flags logins that exceed a predefined speed threshold (e.g., 1,000 km/h).
  6. Risk Scoring & Identity Context Awareness → Incorporates additional risk intelligence to minimize false positives.

By analyzing real-time user behavior and risk signals, Torq enables automated, intelligent decision-making to determine whether a login attempt is legitimate or an identity-based attack.

Beyond Geolocation: Intelligent Identity Threat Analysis

The power of IdentityOps lies in your ability to integrate across the security ecosystem — leveraging multiple threat intelligence and user behavior signals to detect, assess, and remediate compromised identities dynamically.

Advanced Risk Signals Integrated into Torq’s IdentityOps Workflow

Torq enriches Impossible Travel Detection with best-in-class security integrations, ensuring high-fidelity threat identification through:

  • IP Reputation Enrichment → Queries VirusTotal, Recorded Future, or CrowdStrike to determine if the login originates from a known malicious or suspicious source.
  • User Behavior Profiling → Establishes a historical baseline of each user’s login habits to detect anomalous patterns.
  • Context-Aware Decisioning → Analyzes additional identity context, VPN usage, corporate IP addresses, and cloud service access patterns to reduce false positives.

These multi-layered identity security checks ensure precision threat detection while maintaining a seamless user experience.

User Verification and Automated Remediation

With this workflow, Torq detects potential takeovers. Then, Torq automatically engages users and security teams for real-time resolution.

Step 1: User Notification & Verification

When a potentially suspicious login is detected, Torq immediately alerts the user with a contextual security challenge:

🚨 Suspicious Login Detected

We noticed a suspicious login to your account from [Geo IP City]; your last login was from [Cache Geo IP City].

📍 Distance between logins: [Calculated Distance]

❓ Do you recognize this login as yours? [Yes] / [No]

This proactive approach serves three key purposes:

  1. Alerts the user of potential credential compromise.
  2. Provides contextual insight into login activity.
  3. Engages users in real-time identity verification.

Step 2: Adaptive, Automated Remediation

If the login is verified as legitimate, Torq updates the user’s location history, adds a security audit log, and continues normal operations.

If the login is denied (or is ignored or times out), Torq automatically initiates remediation by:

  1. Forcing an immediate password reset.
  2. Sending a secure password reset link to the user via email.
  3. Notifying the security team via Slack, SIEM, or ITSM.
  4. Creating an incident ticket for tracking and investigation.

Optional: AI-Driven Investigation & Escalation

If a high-risk event is detected, Torq triggers an escalation workflow that can automate additional security responses — such as disabling the account, revoking OAuth sessions, or requiring reauthentication through step-up MFA.

IdentityOps with Complete Flexibility & Customization

Torq is a highly flexible, fully integrated no-code/low-code solution that allows security teams to tailor IdentityOps workflows to exact requirements with:

Organizations can fine-tune Impossible Travel Detection to align with their unique security policies, compliance needs, and identity protection strategy.

Bringing IdentityOps to Life with Torq

By shifting to IdentityOps automation, security teams can radically transform how they detect, manage, and respond to identity threats. Torq’s Impossible Travel Detection workflow offers a scalable, intelligent, and automated approach to protecting user accounts — reducing incident response times, analyst workloads, and security gaps.

Instead of relying on reactive security controls and manual investigations, Torq proactively enforces identity security at scale — ensuring only trusted users access your most sensitive resources. 

Sign up for a demo to see it in action. Current users can start customizing the workflow template today.

Share

Related Articles

AI

Cut Through the Hype: Tips for Evaluating AI Solutions for an Autonomous SOC

By Torq
January 9, 2025
6 Minute Read
What are the best AI cybersecurity tools for achieving an autonomous SOC? Learn how to evaluate Agentic AI for SecOps.

Contents

As C-suites and boards are bombarded with headlines about AI revolutionizing cybersecurity, it’s no wonder they’re putting pressure on SOC leaders to adopt AI. The promise of AI in the SOC is rightfully alluring. An AI-native autonomous SOC has the potential to create a world where AI Agents collaborate with each other to take care of repetitive tasks and handle the majority of low-level alerts, freeing your human team up for strategic, proactive work. 

The hurdle? The AI cybersecurity landscape is swarming with vendors — and new ones are seemingly popping up out of stealth mode every day with shiny marketing and grand claims. 

This leaves SOC leaders wading through the noise to figure out which tools are overexaggerated AI-washed vaporware and which ones are truly operational, integrated, and trustworthy. Below are some tips for cutting through the hype to find the right AI solutions to help build an autonomous SOC. 

Start with the End Goal in Mind — and Think Big Picture

How do useful AI cybersecurity tools impact operational outcomes, functional goals, and strategic objectives?

Step back and start with the big picture. To avoid “scattergun” AI adoption in the SOC that leads to a flood of AI-generated alerts with no context or prioritization, begin by defining clear AI objectives aligned with your overarching security strategy. Before you dive into the AI vendor pool, take a moment to reflect on your SOC’s practical needs. What are your biggest pain points? Where could AI make the biggest impact? Are your analysts drowning in a sea of alerts? Or are they having to spend too much time on tedious tasks? Prioritize AI solutions that directly address these day-to-day challenges.

“I believe the successful use of AI in SOC operations shows up in practical outcomes. With Torq Agentic AI, the answer is ‘yes’ to questions such as: Are analysts happier? Are they sticking around? Do they have time to focus on more interesting and complex investigations? Are MTTM and MTTR lower? Torq Agentic AI extends and enhances our team so it can make better decisions more quickly — resulting in stronger security all around.”

– Mick Leach, Field CISO, Abnormal Security

Leverage AI for tasks where human limitations — such as fatigue and information overload — lead to inefficiencies. Generative AI-powered AI Agents are adept at tasks involving natural language processing and the creation of logical workflows. This makes AI ideal for automating repetitive, monotonous tasks, intelligently triaging alerts and autonomously handling incidents, and providing real-time insights and recommended next steps to speed up human decision-making. In turn, human analysts are freed up to focus on strategic activities and make faster, more informed decisions, significantly improving overall efficiency and effectiveness.

Think holistically to maximize the value of your investment. One-off AI tools from different vendors can’t add up to an autonomous SOC because they can’t connect security signals across your stack and provide meaningful, context-rich insights. Prioritize investing in a centralized automation platform with enterprise-grade scalability and the ability to integrate with every solution in your security environment. Purpose-built AI Agents for the SOC built on this foundation can work as a unifying force at the heart of your security stack to correlate disparate event data, uncover deep, contextual insights, and accelerate efficiency gains across your security operations.

Stay ahead of threats by keeping up with autonomous SOC advancements. Hyperautomation is now table stakes for Security Operations, demanding platforms with native, fully embedded AI capabilities rather than bolted-on GPT wrappers. Agentic AI,  the new frontier for delivering on the promise of the autonomous SOC, is now a reality. Torq just announced a groundbreaking Multi-Agent System for security operations with specialized AI Agents that collaborate, plan, and reason to autonomously analyze and resolve security threats. 

“SecOps organizations that adopt GenAI-based Hyperautomation will benefit from the most advanced LLMs ever, enabling analysts to auto-analyze more events and identify novel threats at the beginning of their cascade of potential impact, rather than after they’ve had a chance to create serious damage. GenAI will also further democratize SecOps, so employees at all levels are able to deploy, manage, and monitor Hyperautomation systems.”

– Leonid Belkind, Torq CTO and Co-Founder | 2025 Predictions: How GenAI and Hyperautomation Will Reshape SecOps and Threat Landscapes

Tips for Evaluating AI Cybersecurity Tools for the SOC

Establish your evaluation criteria: Given the potential risks associated with AI solutions, careful third-party risk management is crucial.  Collaborate with IT teams, business leaders, and legal to ensure alignment with company-wide AI usage policies. Below are some key considerations when choosing a vendor for AI in the SOC:

  • Flexibility and integration: Make sure the AI solution you choose can easily integrate with your existing security stack and ingest and intelligently transform data in any format. A flexible platform that can adapt to your evolving needs is essential so you don’t get locked in. 
  • Security and privacy: Any solution deployed in your SOC should meet enterprise-grade security standards and have tiers of controls to protect data confidentiality. 
  • Transparency: One of the most crucial elements for building trust in AI is to ensure the model can explain why it made the decisions it made and how it came to the conclusions it did. 
  • Human-AI collaboration: Effective AI Agents in the SOC facilitate a collaborative, back-and-forth relationship with the human analysts they work with, clearly communicating its capabilities and limitations. When encountering roadblocks, the AI should seek human input or validation.

Ask the right questions: Overexaggerated,  misleading, and outright false claims about AI capabilities are all too common. We’ve got a list of 40 questions to help you understand a vendor’s AI capabilities, integrations, and more, such as:

  1. Is all customer data encrypted in transit? Is stored data encrypted on disk? Is data stored in vendor data centers or only in memory? 
  2. What countermeasures does the solution have in place to prevent AI hallucinations?
  3. Does the system keep immutable records of all inputs and outputs for AI-driven actions?
  4. Does the solution have robust and versatile role-based access controls? 

Refine your shortlist: Use your evaluation criteria to narrow down your list of potential vendors. Consider factors like cost, features, and vendor reputation. Conduct thorough research and request demos from your shortlisted vendors. 

Test before you invest: The proof of whether an AI solution is vaporware or truly operational is in the POC. Ask for demos and conduct a proof-of-concept for a key use case to see the AI solution in action in a controlled environment. Pay attention to the scalability, ease of use, and overall performance. 

Consider long-term partnerships: Build strong relationships with vendors who can provide ongoing support and innovation. Ask about their AI product roadmap.

40 Questions to Ask AI SOC Vendors

To help you sharpen your evaluation of AI solutions for the SOC, we’ve put together this list of 40 critical questions to ask vendors. Cut through the noise of “AI-washed” marketing and dig into the AI’s operational and integration capabilities to ensure you get real value.

Get the List
Share

Related Articles

Integrations

Simplifying Non-Human Identity Security with Torq and Clutch Security

By Torq
December 18, 2024
3 Minute Read
Learn how Clutch Security and Torq are reshaping non-human identity management and security — extending Zero Trust to NHIs as your attack surface expands.

Contents

The rise of Non-Human Identities (NHIs) — think APIs, bots, service accounts, and machine identities — has expanded the attack surface in ways we’re only beginning to understand. NHIs now outnumber human identities in enterprise environments, often by a staggering ratio. While they streamline processes, enable scalability, and facilitate automation, these identities also present significant security risks.

The Growing Importance of Non-Human Identity Management & Security

Traditional approaches struggle to address the dynamic nature of NHIs, especially when it comes to:

  • Lifecycle governance: Stale or orphaned accounts are often left unchecked, creating vulnerabilities and increasing the risk of unauthorized access.
  • Contextual visibility: A lack of insight into what non-human identities are doing and why they are being used leaves security teams in the dark.
  • Zero Trust alignment: Continuously validating the usage of non-human identities is critical to enforcing least-privilege policies and maintaining security.

Security teams are left grappling with blind spots, operational inefficiencies, and increasing exposure to breaches. This is not just a challenge — it’s a mandate for change.

Enter Torq and Clutch Security: a partnership reshaping how security teams tackle the complexity of non-human identity management and security. 

Empowering SOC Teams with Seamless Zero Trust and Incident Response 

Clutch delivers visibility into NHI activity, offering deep insights into how these identities are created, used, and misused. Torq enhances this visibility with AI-driven Hyperautomation that transforms insights into action. When used together, SOCs are given the power to:

  1. Simplify complexity: Automatically ingest and contextualize Clutch’s NHI inventory into Torq workflows, enabling real-time decision making.
  2. Enhance Zero Trust: Dynamically enforce least-privilege policies for NHIs with automated remediation.
  3. Accelerate incident response: Detect NHI misuse through Clutch, then trigger Torq workflows to contain and remediate threats instantly.
  4. Future-proof security: Transition to ephemeral identities without operational friction, ensuring NHIs always align with your Zero Trust goals.

Real-World Implementation, From Detection to Resolution

Consider a common scenario: a temporary service account is created for a one-off task but inadvertently granted excessive permissions. Without the right tools, detecting and remediating the issue might take hours or even days. With Torq and Clutch, this process becomes seamless:

  1. Detection: Clutch identifies the account’s risky behavior in real time, flagging it for immediate review.
  2. Automation: Torq triggers a workflow to revoke the account’s excessive permissions, notify the SOC, and autonomously document the event for compliance.
  3. Prevention: Clutch provides recommendations for transitioning the account to an ephemeral identity, which Torq enforces automatically.

In short, this partnership enables security teams to do what they do best: defend their organizations with precision and confidence.

Ready to Transform Your Non-Human Identity Management and Security?

If you’re ready to bring Zero Trust to your NHIs and revolutionize your SOC, explore the Clutch-Torq integration today. Together, we’re setting a new standard for how enterprises secure their most overlooked — but most critical — identities.

Share

Related Articles

AI Hyperautomation Insights

What Is Auto-Remediation in Security? (And Why Your SOC Can’t Survive Without It)

By Torq
December 7, 2024
5 Minute Read
Auto-remediation in the Torq platform resolves security threats automatically

Attackers aren’t waiting around while your team manually investigates every alert, updates every firewall rule, or sends out those “please reset your password” emails. If you’re still relying on human intervention for every step in your incident response process, you’re already behind.

That’s where auto-remediation comes in — your SOC’s not-so-secret weapon for quickly remediating threats, reducing burnout, and eliminating manual busywork once and for all.

What Is Auto-Remediation?

Auto-remediation, also known as automated remediation, is the process of automatically detecting, triaging, and resolving security incidents with minimal human intervention. Leveraging AI and automation in the SOC, auto-remediation swiftly addresses threats, operational issues, and compliance violations before they escalate.

Compared to manual processes, auto-remediation delivers greater speed, consistency, and scalability — critical elements for modern SOC success.

How Does Auto-Remediation Work?

In a typical SOC, auto-remediation involves four key stages:

  1. Detection: A system flags a suspicious login or abnormal behavior.
  2. Triage: Your platform checks context. Is this a known issue? Is this user legit?
  3. Remediation: If the threat meets the right criteria, your auto-remediation playbook kicks off: isolate the asset, notify the user, reset the password, and update relevant tools.
  4. Documentation: Every step is logged, so your audit trail stays clean.

Five Key Benefits of Automated Remediation

  1. Rapid response: The longer a threat lingers, the greater the damage. Auto-remediation slashes your mean time to response (MTTR) and gets you back on offense.
  2. Reduced analyst burnout: Alert fatigue is a thing. Offloading repetitive tasks frees up your team to focus on real, strategic work.
  3. Consistent uutcomes: Security automation ensures precise, repeatable responses without human error or oversight, following defined protocols every time.
  4. Scalable operations: As alerts multiply, automation scales effortlessly, allowing your SOC to manage larger volumes without adding headcount.
  5. Improved compliance: Automated remediation enforces security standards (e.g., PCI-DSS, GDPR) by rapidly detecting and correcting policy violations, with thorough documentation for auditors.

Everyday Use Cases for Auto-Remediation

Phishing containment: Automatically isolate compromised inboxes, revoke access to malicious emails, block phishing URLs, and notify users.

Malware-infected host quarantine: Detect malware, isolate the endpoint from the network, trigger EDR scans, and escalate the issue if necessary.

IAM policy violations: Spot privilege escalations or inactive admin accounts and auto-revoke access, enforce MFA, or disable the account, keeping identity sprawl in check.

Cloud misconfigurations: When CSPM detects risky S3 buckets or open ports, auto-remediation can tag the asset, log the fix, and alert the team.

Failed login brute force attacks: Identify login abuse patterns, block IPs, lock targeted accounts, and update firewall rules automatically, before damage is done.

Autonomous Remediation with Torq HyperSOC™

Torq HyperSOC™ takes auto-remediation from automated to autonomous. With powerful agentic AI,  HyperSOC enables the automatic detection, triage, and resolution of security incidents, eliminating the need for human intervention. Powered by Socrates — the AI SOC Analyst — and a suite of specialized AI micro-agents, HyperSOC auto-remediates over 95% of Tier-1 security operations. Here’s how it works.

Always On Detection and Triage

Torq integrates with your entire security stack: EDR, SIEM, email, IAM, cloud, and more. When a threat is detected, Torq Socrates immediately pulls in relevant data to triage the alert, determine its legitimacy, and assess severity.

Auto-Remediation with Agentic AI

Each agent within Torq’s Multi-Agent System (MAS) specializes in a different SecOps task, like investigation, enrichment, or containment. Once an alert is confirmed, these agents autonomously execute a pre-validated remediation path, such as:

  • Blocking compromised accounts in Okta or Azure AD
  • Quarantining infected endpoints via EDR tools like CrowdStrike
  • Revoking malicious OAuth tokens
  • Killing malicious processes or containers in cloud environments
  • Auto-closing resolved tickets in platforms like Jira or ServiceNow

Zero-Code, Full Oversight

Even with fully autonomous operations, Torq gives analysts total visibility. They can supervise AI remediation workflows, approve actions, and modify runbooks in natural language — no coding needed.

Unmatched Speed and Scale

HyperSOC enables SOCs to process and remediate 3–5x more alerts without expanding the team, reduce investigation time by up to 90%, and eliminate 95% of Tier-1 tasks — entirely autonomously.

Torq + Abnormal: An IRL Example 

Torq HyperSOC brings autonomous remediation to life in the real world with Abnormal Security email security. When Abnormal Security flags suspicious behavior, whether it’s an account takeover attempt, credential phishing, or post-delivery malware, Torq instantly kicks off a no-code auto-remediation workflow. That means the second a threat is detected, action is already underway.

Torq pulls in context from identity systems like Okta, security tools like CrowdStrike or SentinelOne, and communication platforms like Slack or Teams to automatically lock accounts, revoke sessions, isolate endpoints, delete malicious emails, and notify impacted users. 

Torq’s workflows can dynamically engage users to confirm suspicious activity, add decision branches based on user role or device posture, and escalate to humans only when needed.

TL;DR: Your SOC Can’t Survive Without Auto-Remediation

Auto-remediation is the engine behind scalable, resilient, and efficient security operations. By integrating automated remediation into your security operations, you transition from reactive firefighting to a proactive, autonomous SOC. With threats growing increasingly sophisticated, your SOC can’t afford manual inefficiencies.

Make auto-remediation a central part of your security strategy. Let Torq’s agentic AI-driven automation handle threats at machine speed, empowering your analysts to focus on strategic security initiatives.

Thinking about adding AI to your SOC? Get the inside scoop on what CISOs are considering, top use cases, and the key questions to ask vendors for a successful deployment.

Get the Manifesto
Share

Related Articles

News Product

New to the Torq Library: Analyze Files, Manage Identity, and More

By Brian Higgins
December 5, 2024
3 Minute Read
Discover the new workflow templates, smarter integrations, and utility steps in the Torq Hyperautomation Platform.

Contents

This month, we’ve continued to expand Torq’s offerings. Discover the new workflow templates, intelligent integrations, and utility steps — all meticulously crafted to streamline security operations and amplify your team’s impact.

New Workflow Templates

Analyze Files with CrowdStrike Falcon Sandbox or Retrieve Cached Results
Put a stop to redundant file analyses. This template checks cached results for files analyzed in the last 24 hours, delivering instant insights when available. Need fresh data? The workflow submits the file for analysis, returning a detailed report featuring MITRE TTPs, related hashes, and more.

Synchronize Torq Runbooks with GitHub Automatically
Keep your runbooks effortlessly in sync. This automation updates your Torq runbooks whenever changes are committed to your GitHub repository. As a result, you can maintain up-to-date runbooks without lifting a finger.

Create Torq Cases from Proofpoint Clicks Permitted
Phishing attacks keep on coming, but this workflow has your back. It scans Proofpoint for “clicks permitted” events, enriches URLs with VirusTotal data, and automatically opens Torq cases.

Intelligent Automation Integrations

Your favorite tools are amplified with new Torq steps.

Seven new steps for the Abnormal integration provide deeper visibility into activities like employee logins and vendor actions:

  • Get Vendor Activity
  • Get Employee Login Details
  • Get Vendor Case Details
  • List Vendor Cases
  • Get Employee Analysis
  • Get Employee Information
  • Get Vendor Details

Gain more control with several new steps in the Elastic integration:

  • Upgrade Elastic Agent version
  • Unenroll Elastic Agent from Fleet
  • Get Agent Details by ID
  • Get Agent Details by Query

The new “Get a Pull Request” step for the GitHub integration simplifies code review workflows.

Manage identity and access with enhanced options for the Okta integration:

  • Reset User Password
  • Create Policy Rule
  • Get Policy
  • List Policies
  • Set Policy Rule Status
  • Revoke API Token
  • List API Tokens
  • List Policy Rules

New Utility Steps for Seamless Operations

Smarter tools for transforming data and processes.

Output Utils: Effortlessly transform your data and turn complex logs into actionable information with the simplicity and elegance you expect.

  • CLF to JSON: Seamlessly convert Common Log Format (CLF) logs into JSON, ready for integration with SIEMs, EDRs, XDRs, and beyond.
  • CEF to JSON: Easily transform Common Event Format (CEF) data into JSON, unlocking enriched analysis and compatibility across your tools.

Utils: Discover new possibilities with tools that bring clarity to network data.

  • DNS Resolution: Instantly resolve IP addresses into domain names, transforming raw data into meaningful insights. Connect malicious IPs to their domains for faster detection and response, and enrich your threat intelligence with actionable details.
  • CIDR Validation: Validate IPv4 addresses effortlessly, ensuring they fall within authorized ranges. Automate access controls and dynamic firewall rules and flag unexpected traffic outside defined ranges to protect your most sensitive systems — even blocking entire regions or countries with precision and ease.

Stay Ahead with Torq

This month’s updates are just scratching the surface. With new workflow templates, smarter steps, and expanded integrations, Torq continuously improves to equip your security team to get more done, faster and strategically.

Now, you can do even more with the top-tier tools you trust, such as SecurityScorecard, Autotask, BitSight, CrowdStrike, Jamf Protect, Jira Cloud, Palo Alto Networks Cortex XDR, SentinelOne, Sumo Logic, ThreatConnect, urlscan.io, and Wazuh.

Want to see it all? Dive into the Full Content Digest for details.

Share

Related Articles

Insights

5 Secrets of a SOC Leader Turned Field CISO

By Patrick “PO” Orzechowski
December 2, 2024
8 Minute Read
Learn 5 lessons from a SOC leader turned CISO for modern SOC success.

Contents

Torq is thrilled to have Patrick Orzechowski (also known as “PO”) on board as our new Field CISO, bringing his expertise and years of experience as a SOC leader to our customers. PO is a seasoned security veteran with a deep understanding of the modern security landscape. By way of introduction, below he shares his five top pieces of advice for SOC leaders facing today’s security challenges.

When I say I’ve been in your shoes as a SOC leader, I mean it! I’ve spent around 25 years in the trenches of cybersecurity and security operations centers (SOCs). I’ve dealt with alert fatigue, managed incidents where our team didn’t sleep for days, and searched far and wide for an automation solution that can truly help SOC teams collaborate better and gain deeper insights into incident data.

I started my journey in a SOC at RipTech, which was acquired by Symantec. From there, I worked in the U.S. defense and intelligence communities as both a Blue Teamer and a Red Teamer, building SOCs and leading forensics and incident response as well as doing penetration testing for the U.S. government. My focus then shifted towards data analytics in security operations, and I held roles at telecom giants like TW Telecom and Level 3. 

Ten years ago, I co-founded a Managed Detection and Response (MDR) service called Deepwatch, where I built the SOC infrastructure to run and handle over 250 customers — and which is where I first came across Torq Hyperautomation as the answer to our SOC scaling challenges.

Today, as Field CISO at Torq, I’m applying my experiences as a security practitioner to help organizations navigate the complexities of modern cybersecurity. You’ll find me speaking at security conferences and events around the world, sharing my expertise in Torq content, and leading independent research projects to explore topics like SOC efficiency and case management effectiveness. 

I have seen firsthand that the old ways of doing things in cybersecurity are going away and need to be left in the dust. I truly believe Torq’s AI-driven Hyperautomation is an unprecedented solution for helping SOC leaders stay ahead of this evolution and the main reason why I am so excited to be here now. To pay it forward, below are my 5 top pieces of advice for SOC leaders facing today’s challenges.

5 Keys to Modern SOC Success

1. Evolve for the Expanding Attack Surface

The combination of cloud hyperscalers (such as AWS, Azure, GCP, etc.), legacy apps, on premise requirements, remote work, and SaaS solutions present a very complex problem set for SOC leaders. As the attack surface expands and gets more complex, attackers will have the competitive advantage of targeting disparate systems that do not talk to each other.

Therefore, as vulnerabilities and entry points multiply and digital transformation and AI adoption accelerate, security teams will need systems that become the “glue” that ties together the systems themselves (i.e., automation), the data they produce (i.e., SIEM and search), and event-driven case management

The sheer volume of data gives attackers an advantage as SOCs struggle to sift through the noise. Torq HyperSOC can process and triage high volumes of events to close out false positives more quickly and prioritize responses more efficiently, helping reduce alert fatigue and and intelligently escalating high-priority cases to security analysts so that nothing slips through the cracks.

2. Embrace the AI Revolution, Strategically

We are in a security AI arms race. While AI is undoubtedly a game-changer, it’s a double-edged sword because attackers are also leveraging AI — and they’ll always have the advantage over a defense team that has to worry about compliance, privacy, and red tape. 

It’s daunting to know that attackers can scale everything they do through AI and automation — and that it’s throwing traditional cyber defense rules out the window. For example, every phishing training for the last 15 years told users to “look for grammar errors or weird punctuation”, but a phishing email written with AI can look like a perfectly written email from a legitimate person. 

Deflating the AI fear factor requires strategically automated defenses that can match attackers’ AI-powered speed and scale. With Torq’s AI-powered Hyperautomation, SOC teams can automate repetitive tasks to free up analysts for complex incidents and proactive threat hunting, and can accelerate incident response through auto-remediation and AI-enhanced investigations. Torq’s platform is fully battle-tested to handle the immense data output of the modern SOC’s cloud-native security stack.

It’s crucial to remember that AI is a tool, not a magic bullet. We still need skilled analysts to make informed decisions based on AI insights. Additionally, any AI solution deployed in the SOC should be able to explain how it arrived at its conclusions and provide citations to original forensic evidence so that you can understand and verify its logic.

Get the AI or Die manifesto for advice for deploying AI the right way as a SOC leader.

3. Focus on Security Operations Transformation

Security Operations rationalization is a critical component of any long-term strategy for CISOs and security leadership. While cybersecurity is now recognized as a key business risk, the era of the “blank check” from the C-suite and board to buy whatever technology you want is over. SOC leaders now have to justify your budget and show value and ROI.

Throwing money at the problem by purchasing the newest, shiniest security tools or simply increasing headcount won’t solve your problems anyway. Instead, focus on fundamentally transforming your security operations by investing in automation for routine tasks, streamlining processes, and consolidating data insights from across your stack so you can eliminate analyst burnout and empower your existing team.

4. Overcome Security Data Assumptions

The classic notion of the SOC triad has proven to fail against threat actors who have time and resources. Legacy SIEM, SOAR, EDR, and network controls are not enough to operationalize and automate detection and prevention in an era where attackers are getting faster and faster thanks to AI.

The idea of a singular SIEM to gather, correlate, and alert on all data across the enterprise needs to go extinct. As we move to the new arena of SOC automation, we need scalable, flexible systems that can interconnect not just traditional security stacks but all data sources, including traditional IT systems, HR, Accounting, Sales, and Finance.

5. Don’t Forget the Fundamentals

There’s a lot out there to distract SOC leaders, but maintaining strong cyber hygiene remains crucial. Following basic security practices like zero trust or the NIST cybersecurity framework can never fall by the wayside. 

Additionally, your SOC team’s wellbeing remains central to your security wellbeing. Many SOC challenges are people challenges. Sleep deprivation during major incidents, challenges in effective collaboration, and an inability to access data insights from across different solutions, all add up to frustrated, tired, and checked out analysts — which means a weaker defense. 

When you automate menial, routine tasks and auto-remediate the majority of low-level alerts, you free up analysts to focus on more engaging and rewarding work while also cutting down on alert fatigue. I truly believe all SOCs should be measuring “analyst happiness” as a KPI that reflects the health of security operations.

A Real-World SOC Transformation: Torq + Deepwatch

I know first-hand what happens when a solution like Torq comes in and changes not just technology, but also SOC processes to bring about a more strategic approach.

At Deepwatch, our first foray into automation was with legacy SOAR — but hosting 250 SOAR instances became very expensive, very fast. The platform we were using proved to be costly to scale and extracting critical KPIs like mean time to response (MTTR) was difficult. This hindered our ability to demonstrate value to both internal stakeholders and external customers.

To address these limitations, Deepwatch embarked on a transformative journey with Torq Hyperautomation. The stress test we ran on the Torq platform during the POC was my “aha” moment — and it only impressed me more from there. The Torq platform’s ability to handle high-volume workloads, the simplicity of Torq’s integrations, and the speed and flexibility at which the team could build new workflows accelerated Deepwatch’s analysis, triage, validation, and response. 

Read the full Deepwatch case study here >

Moving Forward, Faster Than Ever

What worked in the SOC a few years ago is often obsolete today, making the ability to adapt rapidly key to survival in the modern security landscape. But this gets harder every day as attackers’ arsenal of technology and tactics gets more complex, sophisticated, and lethal. Somehow, SOC leaders have to keep evolving their tech, people, and processes to combat these evolving threats. It’s not easy, as I know first-hand.

At Torq, we’re revolutionizing the ability of the SOC to quickly move past the challenges that once left SOC leaders in a tar pit of despair. 

Want to chat about the practicalities of transforming your SOC? Let’s talk. 

Share

Related Articles

AI Hyperautomation

Building Powerful CrowdStrike Automations: Insights from Fal.Con 2024

By Brian Higgins
November 25, 2024
4 Minute Read

Contents

“If I take Torq out, I lose three people.”

This sentiment expressed by Fiverr’s VP of Business Technologies perfectly reflected the energy at the Fal.Con 2024 Torq booth and struck a chord with security teams using CrowdStrike’s powerful tools. Detection isn’t the problem — CrowdStrike excels at that. The challenge lies in automating what happens next.

A Problem-First Approach to Security Automation

Security teams quickly discovered how to reimagine CrowdStrike operations from manual to automated, from reactive to proactive. The challenge was universal — while CrowdStrike excels at detection, teams struggle to scale their response processes. 

Torq’s problem-first approach resonated deeply with the crowd at Fal.Con. By focusing on solving real security challenges through intelligent automation and AI rather than adding more tools to the stack, Torq is trusted by organizations across the globe to complete 5.2 million Torq-CrowdStrike automation actions annually.

CrowdStrike Automation Templates to Tailored Solutions

The Torq platform’s featured EDR workflow (NIST-800-535-PM-16) demonstrates this philosophy. It starts with a foundational five-step process that automatically:

  1. Receives CrowdStrike detection events
  2. Decodes detection IDs and pulls detailed information
  3. Loops through resources and behaviors found in the detection
  4. Checks SHA256 signatures with VirusTotal
  5. Updates block lists across connected security tools

With Torq, security teams can use pre-built CrowdStrike automation templates as a launch pad and modify them as needed or use natural language prompts in AI Workflow Builder for limitless possibilities. Need to add custom enrichment sources? Want to implement team-specific notification procedures? Looking to integrate additional threat intelligence platforms? Simply describe what you need in natural language, and let Torq’s AI help turn your requirements into sophisticated automation in seconds.

Cross-Platform Intelligence

For organizations using Splunk alongside CrowdStrike, we showcased how teams implement seamless correlation and then leverage Socrates, the AI SOC Analyst. When CrowdStrike detections appear in Splunk, the powerful combination of Hyperautomation, Socrates, and AI can automatically help create and enrich cases, take action, and maintain detailed documentation throughout the investigation lifecycle.

Furthermore, two foundational examples handled IOC management — one for individual detections and another for incidents. Each validates files with threat intelligence and updates global block lists, ensuring consistent response across your security infrastructure.

Optimized Security Operations

CrowdStrike integration capabilities extended further with Hyperautomated use cases include:

Beyond Basic Automation

What sets these integrations apart is Torq Socrates’ ability to maintain context across the entire investigation lifecycle. Every action by the AI SOC Analyst, from initial detection to final resolution, is documented with clear reasoning and next steps. This transforms shift handovers from potential security gaps into seamless transitions.

When teams customize automation in Torq, they don’t need to start from scratch or learn complex coding. AI Workflow Builder understands the context of security operations and can transform natural language instructions into sophisticated workflows. Want to add conditional logic based on threat severity? Need to implement custom enrichment procedures? Simply describe what you need in natural language.

The Power of Official Partnership

Technical discussions at Fal.Con confirmed what security teams already know — CrowdStrike provides industry-leading detection capabilities, but the real power comes from intelligent automation. Starting with CrowdStrike automation templates and expanding through AI-powered customization, teams will:

  • Revamp CrowdStrike alerts into automated actions
  • Ensure consistent response procedures across global teams
  • Maintain comprehensive documentation without manual effort
  • Scale CrowdStrike operations without adding headcount

Looking Forward

With 325+ million workflows executed annually, Torq’s integrations demonstrate how teams can maximize their CrowdStrike investments through intelligent automation. The possibilities are limitless, whether starting with pre-built templates, creating new workflows through custom builds, or leveraging natural language instructions.

Discover how quickly you can accelerate from reactive to proactive, manual to automated, and overwhelmed to efficient. Schedule a demo or if you’re already a Torq user, explore the CrowdStrike template library.

Share

Related Articles

AI

Planning with AI: Minimizing Uncertainty, Maximizing Trust

By Gal Peretz
November 21, 2024
6 Minute Read

Contents

Gal Peretz, Head of AI & Data at Torq

Gal Peretz is the former Head of AI & Data at Torq. Gal accelerates Torq’s AI and data initiatives, applying his deep learning and natural language processing expertise to advance AI-powered security automation. He also co-hosts the LangTalks podcast, which discusses the latest AI and LLM technologies.

To stay ahead of today’s threats, you must do more than keep pace — you need to equip your team with tools that enable smarter, faster responses. For SOC analysts, runbooks in case management systems are essential guides for handling security alerts step-by-step. The prospect of automating these runbooks with AI is enticing, promising to streamline daily operations and free up time for more critical tasks.

However, some are rightfully skeptical. They worry that AI automation could introduce unexpected issues without careful planning and collaboration, potentially hindering productivity and increasing risk. This blog explores how collaborating with AI during planning and setting AI guardrails can enhance predictability, transparency, and trust in AI automation.

The Importance of Runbooks in Security Operations

Runbooks are structured, step-by-step guides enabling SOC analysts to respond to security incidents consistently and accurately. They are particularly crucial for Tier 1 analysts, who often serve as the first line of defense against a high volume of alerts. 

These runbooks provide clear instructions for the following:

  • Triaging alerts
  • Investigating potential threats
  • Determining when to escalate issues

By standardizing responses, runbooks reduce human error and ensure efficient handling of all incidents, even in high-pressure situations. Automating runbooks with AI presents an appealing option for scaling operations, accelerating repetitive tasks, and allowing analysts to focus on more complex, high-stakes cases.

The Need for AI Guardrails in Runbook Automation

While automating runbooks with AI is a game-changer, granting AI too much freedom can quickly backfire. Most runbooks are designed with human readers in mind, presenting step-by-step guides that make sense to analysts but can be confusing for AI. 

When left to interpret these text-based instructions independently, AI might:

  • Misinterpret steps
  • Make unexpected decisions
  • Produce unintended results

AI can become unpredictable without a structured plan and human alignment, risking accuracy and eroding your team’s trust in automation. A collaborative planning phase to ensure AI guardrails is crucial as it provides SOC analysts visibility into how the AI “interprets” the runbook and plans to automate it. This transparency allows analysts to refine the AI’s approach, ensuring the plan aligns with real-world needs before execution begins.

Collaborative Planning: Aligning AI and Analysts

To understand the value of Torq’s approach to runbook automation, let’s consider a common SOC runbook for investigating phishing reports. Such runbooks guide analysts through tasks like checking attachments, analyzing email headers, and escalating incidents when certain conditions are met.

Example SOC investigation runbook for User Phishing Reports
Example SOC investigation runbook for User Phishing Reports

Automating these tasks with AI is more complex than simply running through the steps. Many runbooks are written for human understanding and involve actions that may be ambiguous or beyond direct AI capabilities. Torq’s plan-and-execute approach addresses this challenge by separating the process into distinct planning and execution phases, giving analysts more control and visibility over the AI’s actions.

1. Planning Phase

In this phase, the AI:

  1. Reads through the runbook
  2. Converts instructions into a structured, transparent plan
  3. Break down each instruction into clear, atomic steps
  4. Identifies steps it can automate and those requiring human intervention
  5. Highlights gaps where it lacks necessary tools or access

This transparency allows SOC analysts to modify the plan, choosing where the AI should pause for guidance or where additional human-defined workflows are needed. In scenarios where full automation isn’t feasible, such as in highly secure or restricted environments, this collaborative planning ensures that the AI aligns closely with human intent and avoids unnecessary errors.

2. Execution Phase

Once the analyst reviews and approves the plan, execution follows this carefully vetted blueprint. 

This approach:

  • Strips ambiguity and indeterminism from the execution
  • Provides transparency and reliability
  • Fosters trust in the automation process

Analysts can be confident that AI will follow the exact plan, making the automation more efficient and dependable without sacrificing control or accuracy.

To reinforce the concept further, let’s consider how Socrates, our AI SOC analyst, would function without the ability to add tags while focusing on his communication skills and resistance to AI hallucination.

Socrates, even without the capability to add tags, would still demonstrate its effectiveness in several ways:

Clear communication of limitations: When faced with a task it cannot perform, such as adding a tag, Socrates would explicitly state its limitations. For example, it might say, “I’m unable to add the tag ‘Malicious IOC’ as I don’t have that capability. This step requires human intervention.”

Requesting user input: Socrates pauses the process and asks for user input when the necessary tools or permissions are lacking. This demonstrates its ability to recognize boundaries and seek assistance when needed.

Proceeding with available tools: For steps where Socrates has the required capabilities, it would continue to execute them efficiently. These actions would be marked as completed or “green” in the process.

Detailed explanations: Throughout its analysis and decision-making process, Socrates provides clear, thorough explanations of his reasoning, helping analysts understand its thought process even when it couldn’t perform specific actions.

Suggesting alternatives: When unable to perform a specific action, Socrates might suggest alternative approaches or provide information that could help the human analyst complete the task manually.

Focusing on these aspects can highlight Socrates’ ability to communicate effectively, recognize its own limitations, and resist AI hallucination by not claiming capabilities it doesn’t have. This approach emphasizes AI’s role as a collaborative tool that enhances human decision-making in the SOC rather than attempting to replace human judgment entirely. See what this looks like below:

Example of an email analysis workflow generated by the Torq AI SOC Analyst that outlines 11 automated steps for security checks, with green checkmarks indicating executable actions except for two manual breaks serving as AI guardrails by requiring human intervention for tagging “Malicious IOC” and “VIP” cases.
Example of an email analysis workflow generated by the Torq AI SOC Analyst that outlines 11 automated steps for security checks, with two manual breaks that serve as AI guardrails.

Strengthening Security Through Transparent AI Collaboration

Trust and transparency are fundamental to building an effective security strategy in today’s rapidly evolving threat landscape. Torq’s AI capabilities prioritize collaboration and clarity, transforming how SOC teams handle automation. By structuring automation as a two-phase process — planning and execution — Torq ensures that AI usage is efficient, bounded by AI guardrails, and aligned with human oversight and intent.

This collaborative approach allows human SOC analysts to:

  • Maintain control over automated processes
  • Reduce uncertainty in AI actions
  • Trust in the predictability and reliability of AI-driven tasks

Fostering a security environment where AI and human expertise work together can strengthen organizations’ SOC capabilities and enhance overall security posture. See Torq’s AI in action — schedule a demo.

Learn more about building trust in AI and how structured, evidence-backed summaries generated by AI enable seamless SOC shift transfers.

Share

Related Articles

AI Product

Take Control with Torq’s AI Data Transformation

By Brian Higgins
November 15, 2024
3 Minute Read
c

Contents

Data interoperability is the backbone of building reliable and efficient hyperautomated workflows. However, manipulating and formatting massive amounts of data from various sources — especially in complex JSON files — can feel overwhelming and consume significant time and resources, particularly for those still gaining technical expertise. Teams often lack or have maxed out dedicated resources to wrangle this data.

Today, we’re introducing AI Data Transformation, a powerful AI-accelerated operator that simplifies complex data transformation. It provides the testability, flexibility, and control required to manage enterprise-level workflows without writing a single line of code.

Why Data Transformation is Crucial

In hyperautomated workflows, seamless data flow between steps is crucial for optimal performance. AI Data Transformation achieves this with maximum efficiency by intelligently manipulating data as it flows to downstream steps. This powerful capability enables smooth operations by efficiently handling critical tasks such as attribute mapping, filtering, conditional statements, and aggregation functions — proactively addressing data compatibility between steps. In short, Data Transformation keeps workflows running at peak efficiency.

How AI Data Transformation Helps Security Teams

Torq’s AI translates natural language prompts into JQ commands, simplifying and democratizing JSON transformations. For those savvy in JQ, there’s full flexibility in modifying individual instructions and the generated code. Torq’s approach stands out for:

  • Customizability: Edit or rewrite any command to suit your needs.
  • Testability and Reproducibility: Test transformations and validate results for precise control.
  • Flexibility: Easily tweak transformations without disrupting your workflow.
  • Visibility: See prompts, code, and results at every step — zero guesswork.

While other solutions leave you in the dark, using monolithic parsing that makes it challenging to edit or troubleshoot, Torq keeps you in control through micro-transformations. Every transformation in Torq is testable, customizable, and modified with just a click, ensuring your automation runs precisely as intended.

Gif showing AI Data Transformation in action

Get Started

Transforming data is simple:

  1. Drag the transform operator into your workflow.
  2. Input the contextual JSON data you intend to transform, then click define transformation.
  3. Enter your prompt in natural language (e.g., “extract vulnerabilities”).
  4. Review the AI-generated JQ code and the output. Validate and edit if needed by fine-tuning with dynamic code generation or direct code editing.
  5. Transform your data with complete visibility and control.
  6. Save your work and reuse transformations as custom plans in the future.

Example Prompts

Need ideas? Here are a few natural language prompts and the associated JQ commands the Data Transformation operator could generate:

Natural Language PromptAI Translated JQ CommandSecurity Impact
“Extract all high severity vulnerabilities”.vulnerabilities[] | select(.severity == “high”)Quickly prioritize critical security threats
“Group alerts by source IP”group_by(.source_ip)Identify potential attack patterns or compromised assets
“Calculate the average CVSS score”[.[].cvss_score] | add / lengthAssess the overall vulnerability landscape

Read more about AI Data Transformation in Torq’s documentation or schedule a demo to see how it works.

Share

Related Articles

See Torq in Action

Get a demo to see how Torq helps you harness AI in the SOC to detect, prioritize, and respond to threats faster.

Is your security team ready to automate more, faster?