Socrates is an autonomous AI SOC analyst designed to transform your case investigations, operating both inside individual cases and across cases in your workspace.
Socrates works in three distinct modes: in-case conversations, autonomous case investigation that runs a predefined Actionplan, and workspace-level conversations, an always-available investigation surface that can be used whether or not a case exists.
Conversation with Socrates
Start a conversation with Socrates outside the scope of a specific case. Any signal you have—an alert, an observable, or any other finding or query—can immediately become the starting point for a conversation. Socrates can draw on full workspace context, including existing cases and observables, to help SecOps teams investigate, operate, and take action across the tech stack—powering Torq’s vision for an AI-augmented security operations platform.
A conversation with Socrates operates across the entire workspace, enhancing your threat investigations by enabling you to explore alerts, analyze data, and take action beyond the boundaries of a single case.
Overview
Start your conversation with Socrates by going to the Socrates page. Enter your prompt, or use one of the curated suggestions by hovering over the Response, Hunting or SOC Posture buttons.
The conversations are collaborative—multiple analysts can view, contribute, and take action while maintaining full visibility into Socrates’ responses and executions. They are also public by default: every user with access to the Socrates page can see all active or past conversations in the workspace.
Like case conversations, workspace-level conversations use a variety of built-in and custom tools that can be executed on any unrestricted case in the workspace.
When Socrates uses a built-in tool to perform an action, a chip with the tool’s icon and name appears in the conversation. The chip indicates the tool’s state (executing, failed, succeeded), and you can click on the chip to open the Execution Log and see the tool’s input and output.
Permissions
Scope socrates.investigations.read enables listing and reading the content of conversations.
Scope socrates.investigations.write allows initiating and participating in conversations.
Both scopes are available to all roles except for Viewer roles.
How to use
Socrates uses only existing, available tools and capabilities in conversations. It cannot execute built-in tools in restricted cases.
Start a conversation with Socrates
To start a new conversation:
Open the Socrates page: Navigate to Investigate > Socrates.
Start a new conversation: Click New to begin a conversation. You can either use the curated suggestions to get started, or enter a prompt in the message input field.
Rename a conversation
As with case conversations, the name of the conversation is selected automatically after Socrates’ first response. It can be edited on the Socrates page.
To rename a Socrates conversation:
Open the Socrates page: Navigate to Investigate > Socrates and select the relevant conversation.
Rename the conversation: Open the conversation's three-dot menu, click Rename, and then enter the updated name for the conversation.
Delete a conversation
To delete a Socrates conversation:
Open the Socrates page: Navigate to Investigate > Socrates and select the relevant conversation.
Delete the conversation: Open the conversation's three-dot menu, click Delete, and then confirm you want to permanently delete the conversation.
Use Cases
Enrich IOCs
Socrates can query for indicators across Torq observables and cases, as well as across different threat intelligence feeds and platforms you may be integrated with. Use this capability to quickly and interactively investigate threats.
For example, check if there are any threats associated with a particular indicator and get details about where it is hosted and if it is associated with a known domain.
Query & interact with cases
Socrates can natively interact with cases and observables in your workspace, search for them, and break them down by specific criteria. This can be used to understand your SOC posture and take corrective actions if needed.
For example, search for cases matching specific criteria, assign them to an analyst, and send a Slack notification with case details.
FAQ
What permissions do I need to conduct workspace-level investigations with Socrates?
You need the socrates.investigations.write scope to start or participate in a Socrates conversation. Users with the socrates.investigations.read scope can only view and read conversation content.
Do I need HyperSOC to start a Socrates conversation?
Yes, Socrates is only available to Case Management customers.
Does Socrates store or share workspace data?
No. All data remains private within your workspace. Socrates processes context locally and never exposes data beyond the workspace.




