One of the Torq Hyperautomation platform’s superpowers is its ability to integrate with anything. By partnering with top security vendors like Wiz, Torq empowers SOC teams to automate and streamline critical cloud security workflows, dramatically improving security posture while freeing up analyst time.

Wiz is known for delivering rich context and visibility into cloud risk. Torq takes those alerts and turns them into real-time action. Together, they help security teams address high-priority issues and the long tail of medium- and low-priority vulnerabilities that often slip through the cracks.

With Torq and Wiz, SecOps teams can build fully automated or human-on-the-loop remediation flows for tasks like expired secrets, unused privileged access keys, or public S3 buckets. These cloud security automations are more flexible and powerful than legacy SOAR platforms offer.

Below are three key examples of how to automate cloud security with Torq and Wiz.

Handle Wiz Alerts For Public AWS S3 Bucket With Sensitive Data

Looking for a simpler way to deal with Wiz alerts for when public AWS S3 buckets contain sensitive data? You’re in luck.

This workflow receives an alert from Wiz when an AWS S3 bucket with sensitive personal data is found to be exposed to the public. The alert triggers on Wiz ID wc-id-1264.

When the trigger is received, the workflow pulls the bucket’s public access settings and tags and looks for an owner tag. If one is not found, it sets notifications to a specific Slack channel.

From there, it checks the public settings on the S3 bucket to see if the issue was resolved before the alert from Wiz was triggered. If it is still publicly accessible, it will ask to limit access to the bucket. 

Once the user agrees, the bucket settings are updated, and the Wiz alert is moved to in progress. If the user does not agree or the question times out, a Jira issue is opened to track the issue, and the issue ID will be added to the Wiz alert.

It’s important to note that this workflow will set the public block settings on the S3 bucket to “true” and block all public access. Your application may need a more granular update to the JSON policy to block the existing access; the existing policy will be provided in the Slack message.

The bottom line: 2-4 hours of time saved per alert. 

Depending on your existing process, the time it currently takes to find the questionable S3 bucket manually, assess the data sensitivity, verify public access, dig through logs or tags to identify the bucket owner, and finally adjust the public access setting when the owner responds may vary. With Hyperautomation, however, the entire process can be executed in minutes. 

The risk of allowing sensitive data to live in a public AWS S3 bucket is high and incredibly time sensitive, making it the perfect use case for hyperautomation. The longer sensitive data is publicly exposed, the higher the probability of it leaking into the wrong hands. 

Pairing Torq with Wiz ensures immediate, efficient, and accurate response, reducing the organization’s overall risk and saving analysts from spinning tires on these high-volume alerts.

Enable AWS S3 Bucket Encryption On Alert From Wiz

This workflow is a simple and effective way to ensure encryption is turned on for an AWS S3 bucket. 

First, the workflow receives an alert from Wiz and is triggered by an event with the control name “S3 bucket default encryption disabled.” If the owner tag is found, the owner will be contacted or notified in the Slack channel about the issue. 

This workflow then checks the bucket’s encryption status to see if it is still disabled and suggests remediation by enabling the default AES256 encryption on the bucket. 

If the user or Slack channel rejects the notification, the workflow collects a reason, opens a follow-up ticket, and updates the notes on the Wiz issue. 

The bottom line: 30-60 minutes of time saved per alert. 

While seemingly a simpler workflow than the previous public access to sensitive data risk, manually handling this high-volume, low-complexity Wiz alert requires context, attention to detail, and switching back and forth between a few different platforms.

Ensuring encryption is turned on for an ASW S3 bucket is more of a proactive security measure. It is often a risk factor deprioritized, forgotten, or inconsistently enforced across the cloud environment. Again, a perfect scenario to let Hyperautomation take the reins. 

There is still a significant risk associated with an unencrypted AWS S3 bucket. If a data breach or successful ransomware attack were to occur, gaining access to the unencrypted data would be a walk in the park for the bad actor, and likely one of the first places they would look.

Using Wiz to identify this risk in your cloud environment and Torq to Hyperautomate the remediation ensures consistent and efficient encryption across all AWS S3 buckets, records a clear audit trail for compliance, and prevents SOC analysts from burning out by eliminating mundane, repetitive, and low-risk alerts. 

Remediate AWS EC2 Instance With Open SSH Access From Wiz Alert

This workflow receives an alert from Wiz and is triggered by an event with the control name “Instances with open SSH to the world in AWS.”

If an owner tag is found, the user will be looked up in Slack; otherwise, the Slack channel will be updated. The user or channel is then asked to remediate the instance by shutting it down or removing the open SSH rule in the Security Group and adding a specific network rule allowing SSH from a corporate-owned network.

The user or channel will also have the option to open a Jira issue instead of doing the remediation. A Jira issue is opened for any process issue and will be added to the issue notes in Wiz.

The bottom line: 1-3 hours of time saved per alert.

The most time-consuming part of investigating an AWS EC2 instance with open SSH access is communicating with the developer or system owner. The risk here is high and urgent, and it needs to be handled immediately, but also with care and precision, as incorrectly disrupting a critical production instance could significantly negatively impact the business. 

This could make analysts hesitant to take action without additional context, extending the length of the investigation and the potential risk. Worse, the instance owner could push back, claiming that the access is intentional and required (Don’t worry; we have an answer for this, too… See Bonus use case! below). 

Hyperautomation not only handles the communication on behalf of the security team but also takes action immediately upon response, reducing the time it takes for the security analyst to find the system owner, wait for the reply, and modify the access in the AWS console. Together, Wiz and Torq ensure contextual remediation strategies are presented to the correct stakeholders and take rapid action in response to a critical threat without disrupting business as usual.

Bonus Use Case! 

While leaving SSH open to the world is a significant security risk and generally discouraged, there are still a few niche reasons why a developer may push back against shutting down access for a legitimate business reason. Even still, these use cases should be considered an exception to the rule and handled with care. 

Hyperautomation offers a better, more secure alternative through self-service just-in-time (JIT) access. This allows only certain users to gain temporary SSH access for only a short period of time — rather than opening the flood gates completely — controlling who has permissions through IAM policies and minimizing risk to the organization.   

These are just three of the myriad ways that Wiz and Torq partner to help SOC teams achieve smarter, faster cloud defense.

Wiz + Torq is the Future of Cloud Security Automation

With Wiz delivering deep cloud visibility and Torq translating that insight into real-time remediation, security teams can respond to threats faster, smarter, and more consistently. 

Together, they provide a proactive, efficient defense posture that legacy SOAR tools simply can’t match. Whether it’s public S3 buckets, disabled encryption, or open SSH ports, every second counts. By combining Wiz and Torq, you gain precision, speed, and control — hallmarks of a truly modern cloud security strategy.

Ready to transform your cloud security strategy? Watch our demo with Wiz.

One of the superpowers of the Torq Hyperautomation platform is the ability to integrate with anything. We combine forces with leading security vendors to create automations that make SOC analysts’ lives easier while also improving their organizations’ security posture.  

Torq Hyperautomation integrates seamlessly with Recorded Future to take your threat intelligence workflows from manual and reactive to fully automated and autonomous. 

Whether you’re enriching IOCs, sandboxing suspicious files, detecting phishing, or spotting impossible logins, Torq makes it easy to turn Recorded Future threat intel into real-time security action — without writing a single line of code.

Why Integrate Recorded Future with Torq?

Recorded Future is one of the most powerful threat intelligence platforms available, collecting, analyzing, and delivering high-fidelity data on threat actors, tactics (TTPs), and indicators of compromise (IOCs). But using it effectively still requires:

• Manual triage of alerts and indicators
• Context switching between tools
• Analyst time to trigger remediation

By connecting Recorded Future’s API to Torq’s no-code, AI-driven Hyperautomation platform, you can:

• Automate IOC enrichment and validation
• Trigger real-time auto-remediation workflows across your stack
• Share intelligence instantly across SecOps, IT, and cloud teams
• Reduce MTTR by moving from “intel to action” in seconds

Top Torq + Recorded Future Automations

Here are four high-impact automations that combine the power of Torq’s orchestration with Recorded Future’s threat data.

1. Analyze URLs and Files in Recorded Future Sandbox

Eliminate the manual back-and-forth of investigating suspicious URLs and files by letting Torq handle ingestion, validation, and sandbox submission.

Workflow example:

1. Torq receives a list of potentially malicious links or file download URLs from any source — SIEM, email, chat, or manual input.
2. URLs in the urls_list are sent for Recorded Future website analysis; file links in the files_url_list are downloaded and submitted for file analysis.
3. Invalid or malformed URLs are automatically filtered out to avoid false positives and wasted cycles.
4. Recorded Future’s sandbox verdicts (malicious, suspicious, clean) are returned in real time and pushed to the requesting team via Slack, email, or ticketing systems.

SOC teams get actionable verdicts in seconds with zero analyst touch time, drastically reducing triage delays.

2. Enrich Hashes, CVEs, and IP Addresses via Slack

Make threat intelligence instantly available where analysts collaborate, removing the need to pivot between multiple tools.

Workflow example:

1. A user drops a SHA256 hash, CVE ID, or suspicious IP into a Slack message or SOC request channel.
2. Torq automatically extracts IOCs, confirms the input with the requester, and queries Recorded Future for enrichment.
3. Threat context, severity scores, and related intelligence are instantly posted back into the same Slack thread for transparency.

Analysts never leave Slack to check an IOC, reducing investigation times from minutes to seconds and minimizing workflow disruptions.

3. Monitor Outlook Mailboxes for Phishing

Automatically process and classify suspected phishing emails without analyst intervention.

Workflow example:

1. Torq watches a specific Outlook folder (e.g., “Not-Scanned”) for new submissions from users.
2. Torq extracts URLs, attachments, and IPs from the email body and headers.
3. The platform runs those IOCs through Recorded Future’s intelligence platform and sandbox.
4. It applies labels like Investigated, Suspicious, Malicious, or Phishing directly to the mailbox and notifies the reporter of the findings.

End-to-end phishing triage — from user submission to final verdict — happens in minutes, not hours, with zero manual file or URL lookups

4. Detect Impossible Travels in Okta Logins

Identify impossible travel anomalies and respond to compromised accounts in real time using behavioral and geolocation analysis.

Workflow example:

1. Torq ingests successful login events from Okta.
2. It then compares the login’s IP geolocation to the last known login location for the same user.
3. The platform flags logins that occur in physically impossible timeframes (“impossible travel”) for review.
4. It queries Recorded Future for IP reputation to confirm risk.
5. If suspicious, automatically resets the user’s password, logs them out of active sessions, and sends an alert to both the user and the SOC.

Immediately contain account takeover attempts before malicious actors can escalate privileges or exfiltrate data.

Enrich Your Threat Intel Workflow with Hyperautomation

Recorded Future gives security teams deep, contextual intelligence on the threats that matter most — but intelligence alone doesn’t stop attacks. Without the right orchestration layer, valuable data can sit idle in an inbox, SIEM queue, or analyst’s to-do list.

Torq Hyperautomation ensures that every IOC, every alert, and every piece of context moves seamlessly from insight to action — at scale and without manual intervention.

With Recorded Future’s API feeding into Torq workflows, you can:

• Automate IOC processing: Eliminate manual copy-paste and data re-entry by automatically ingesting hashes, IPs, domains, and CVEs from any source — chat, email, SIEM, or threat feed — and routing them directly into Recorded Future for analysis.
• Enrich data at scale: Combine Recorded Future’s rich threat context with data from internal CMDBs, cloud logs, EDR telemetry, and other intel feeds to build a 360° profile of each IOC, enabling faster and more confident decisions.
• Trigger precise, policy-driven responses: Automatically execute targeted playbooks, such as quarantining an infected endpoint, blocking a malicious domain at the firewall, or disabling a compromised account, all within seconds of detection.
• Eliminate silos across the SOC: Push enriched intel and recommended actions into every relevant system, ensuring all teams have the same, real-time picture of the threat.

Threat data is instantly operationalized by combining Recorded Future’s intelligence with Torq’s Hyperautomated workflows. The result is faster MTTR, fewer missed threats, and a security team that can scale without adding headcount.

From Intelligence to Action — Automatically

Pairing Recorded Future integrations with Torq turns threat intelligence into outcomes: you collect data from technical sources via API, enrich IOCs with TTPs, and orchestrate precise actions across endpoints — all surfaced in shared dashboards. This approach facilitates faster triage and lowers MTTR by moving what’s collected into real decisions and responses in seconds, not hours. 

Whether you’re piloting or pushing to GA, Torq operationalizes your intel pipeline end-to-end — so your analysts spend time resolving threats, not copy-pasting between tools.

Don’t let valuable threat data sit idle. Read our Don’t Die, Get Torq manifesto to see how your SOC can eliminate Tier-1 grind and focus on what matters most.