Torq Auto Triage is an AI-driven triage engine that applies tier 1/2 analyst-level reasoning to alerts within the Torq platform.
It uses business and environmental context, along with external information, to improve verdict accuracy and help prioritize alerts that require investigation, so security analysts can spend less time cleaning up noise and more time focusing on what matters.
Auto Triage is not enabled by default and requires separate enablement. To get access, contact Torq Support.
The challenge: SOC teams are drowning in alerts
Most SOC teams tell the same story:
False positives overwhelm analysts, leading to high-severity and critical alerts being missed or delayed.
The average time to detect and contain real incidents remains high.
Security teams need a way to eliminate noise while still understanding and trusting the process by which every decision is made.
The Torq answer: Auto Triage as part of a unified SecOps platform
Torq Auto Triage delivers autonomous, transparent, and self-improving alert triage:
Identifies alerts likely to be false positives
Shows why each verdict and severity was set
Feeds case investigation outcomes back into Auto Triage for continuous improvement
Auto Triage is actively expanding to support additional alert sources and new use cases beyond EDR, including CSPM, IAM, phishing, and others.
How Auto Triage works
1. Ingest and normalize
Security alerts are received from the source via the Torq data connector.
Torq normalizes alerts into a consistent internal event format and extracts observables (such as IP addresses, domains, file hashes, and users).
Alerts are enriched based on observable types and attack context. For example, enrichments can include threat intelligence, user/identity context when a user is involved, URL and file sandboxing results, and past case history, giving the Auto Triage engine additional context.
To learn more, see: Alert streaming.
2. Context‑aware autonomous triage
An LLM autonomously assigns severity and a verdict to each alert based on alert data, configuration, and available context.
This evaluation takes into account Guidance, which captures environment-specific context such as:
Organizational policies (for example, approved software or access patterns)
Operational behavior (for example, VPN usage or remote work)
Scheduled testing or expected security activity
Triage preferences, such as aggressive or conservative handling
Guidance is one of the primary mechanisms for shaping autonomous decision-making without reducing transparency or control.
To learn more, see: Guidance.
3. Deterministic rules for known patterns
After triage completes, Rules can enforce a final severity or verdict when conditions match. This is especially useful for scenarios involving crown-jewel assets, high-risk users, and similar situations. For example:
Force a True Positive – Malicious verdict when activity involves a critical asset, such as an Active Directory server.
Force the severity to Critical when a VIP user, such as an executive or finance staff member, is involved.
Rules differ from Guidance in that they deterministically enforce outcomes when conditions match, rather than influencing how risk is interpreted.
To learn more, see: Rules.
4. Post-triage actions configuration
After Auto Triage assigns a verdict and severity, Configuration determines the action to be taken for alerts from each source.
Configuration is defined per workspace and per alert source, and maps final verdicts to one of the following actions:
Open case – Automatically create a Torq case so analysts can continue the investigation from the Cases page.
Trigger workflow – Generate an Alert triaged system event that can be used by automation in the workspace.
Do nothing – Take no action after triage, while retaining the alert for visibility and reporting.
These actions allow teams to automate routine handling, route high-risk alerts into investigation, and reduce manual effort without losing visibility.
To learn more, see: Configuration.
5. Full analyst visibility and control
Auto Triage’s engine applies expert-level reasoning, continuously enhanced by Torq’s security expertise and industry best practices, using all available context to set verdicts, severities, and recommended next steps.
To maximize transparency, all alerts appear in the Alerts view, where analysts can see:
Alert summary and source information
Observables and MITRE ATT&CK mapping
Justification for the verdict and severity
A detailed alert audit log
Rules and Guidance evaluation
Analysts can confirm or change the verdict and provide additional context regarding these actions. Their decisions are recorded and used to improve future triage decisions.
This view allows teams to understand not only the final decision but also which inputs — including Guidance and Rules — influenced it.
To learn more about working with alerts, see: Alerts.
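The five stages above describe a pipeline: normalize the alert and pull out observables, let the model assign a verdict and severity, let deterministic Rules override that result for crown-jewel assets or VIP users, then map the final verdict to a per-source action. The following is an added toy model of stages 1, 3 and 4, written for this page and not Torq's own code or data format. The LLM and Guidance stage cannot be reproduced here, so the model's verdict and severity are passed in as inputs; the event schema, rule syntax, verdict labels, host and user lists, and the `example-edr` source name are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

# ---- Stage 1: normalize a vendor alert and extract observables ---------------
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")

def normalize(raw: dict) -> dict:
    """Flatten a vendor alert (assumed field names) into one internal event shape."""
    blob = " ".join(str(v) for v in raw.values())
    return {
        "source": raw["vendor"],
        "title": raw["alert_name"],
        "host": raw.get("device", "").lower(),
        "user": raw.get("account", "").lower(),
        "observables": {
            "ip": sorted(set(IPV4_RE.findall(blob))),
            "sha256": sorted({h.lower() for h in SHA256_RE.findall(blob)}),
        },
    }

# ---- Stage 3: deterministic rules that enforce an outcome when they match ---
@dataclass
class Rule:
    name: str
    matches: Callable[[dict], bool]
    force_verdict: Optional[str] = None
    force_severity: Optional[str] = None

CROWN_JEWELS = {"dc01", "dc02"}   # constructed: Active Directory servers
VIP_USERS = {"ceo", "cfo"}        # constructed: executives / finance staff

RULES = [
    Rule("crown-jewel asset", lambda e: e["host"] in CROWN_JEWELS,
         force_verdict="True Positive - Malicious"),
    Rule("VIP user", lambda e: e["user"] in VIP_USERS,
         force_severity="Critical"),
]

def apply_rules(event: dict, verdict: str, severity: str):
    """Apply every matching rule and record each override in an audit trail."""
    audit = []
    for rule in RULES:
        if not rule.matches(event):
            continue
        if rule.force_verdict and rule.force_verdict != verdict:
            audit.append(f"rule '{rule.name}': verdict {verdict} -> {rule.force_verdict}")
            verdict = rule.force_verdict
        if rule.force_severity and rule.force_severity != severity:
            audit.append(f"rule '{rule.name}': severity {severity} -> {rule.force_severity}")
            severity = rule.force_severity
    return verdict, severity, audit

# ---- Stage 4: per-source configuration maps the final verdict to an action --
CONFIG = {  # assumed verdict labels and action names
    "example-edr": {
        "True Positive - Malicious": "open_case",
        "Unknown": "trigger_workflow",
        "False Positive": "do_nothing",
    }
}

def triage(raw: dict, model_verdict: str, model_severity: str) -> dict:
    """Run normalize -> rules -> action mapping; model output is supplied as input."""
    event = normalize(raw)
    verdict, severity, audit = apply_rules(event, model_verdict, model_severity)
    action = CONFIG.get(event["source"], {}).get(verdict, "do_nothing")
    return {"event": event, "verdict": verdict, "severity": severity,
            "action": action, "audit": audit}

SAMPLE_ALERT = {  # constructed sample alert on a domain controller
    "vendor": "example-edr",
    "alert_name": "Suspicious PowerShell execution",
    "device": "DC01",
    "account": "svc-backup",
    "details": "powershell.exe connected to 203.0.113.5; file sha256 " + "ab" * 32,
}

if __name__ == "__main__":
    result = triage(SAMPLE_ALERT, "False Positive", "Low")
    for line in result["audit"]:
        print(line)
    print(result["verdict"], result["severity"], result["action"])
```

Note that the audit list is what makes stage 5 possible: a model verdict of False Positive on `DC01` is overridden to True Positive - Malicious by the crown-jewel rule, and the analyst can see exactly which rule did it and that the case was opened because of that override rather than because of the model.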
Verdict and severity decision logic
Auto Triage evaluates alerts using a combination of alert data, observables, organizational context, threat intelligence, and historical case outcomes to determine severity and verdict.
Severity represents potential impact, while verdict reflects the most likely interpretation of the activity based on available evidence.
Historical case outcomes, drawn from your workspace's entire case library, serve as contextual input during triage. When an alert is evaluated, Auto Triage can identify relevant precedents by referencing past cases from your workspace, showing how similar activity was previously classified or resolved. This gives the engine an additional signal alongside threat intelligence and organizational context, helping align verdicts with your team's established patterns.
For a detailed explanation of how these decisions are made, see: Verdict and severity logic.
Transparent triage and analyst control
Torq Auto Triage provides decision transparency and keeps your team in control.
Explainable decisions – Every alert is listed, and each one includes a clear justification for its verdict and severity.
Dashboard with drill‑down – The Auto Triage Dashboard shows:
Noise reduction
MTTA (Mean Time to Acknowledge)
MTTT (Mean Time to Triage)
Auto Triage verdict accuracy
Alert volume over time and alert flows
Tuning, not guessing – You can adjust guidance and rules and see how they affect results. Verdicts can be confirmed or changed for further tuning.
To learn more about using the dashboard and interpreting these metrics, see the Auto Triage Dashboard.
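To make the dashboard metrics concrete, here is an added example, not part of this page or of Torq's product, that computes them over a handful of constructed triage records. The metric definitions are assumptions made for the example (noise reduction as the share of alerts the engine closed as false positives; accuracy as agreement between engine and analyst verdicts on reviewed alerts; MTTA and MTTT measured from alert receipt). It also tallies the analyst overrides, since those corrections are the feedback signal the page says is recorded for future triage and the first thing to look at when tuning Guidance and Rules.

```python
from collections import Counter
from datetime import datetime
from statistics import mean

FALSE_POSITIVE = "False Positive"
TRUE_POSITIVE = "True Positive"

# Constructed records: received / triaged / acknowledged timestamps (ISO 8601),
# the engine's verdict, and the analyst's final verdict (None if not reviewed).
RECORDS = [
    {"id": "a1", "received": "2024-01-01T09:00:00", "triaged": "2024-01-01T09:00:20",
     "acknowledged": "2024-01-01T09:05:00", "engine": FALSE_POSITIVE, "analyst": FALSE_POSITIVE},
    {"id": "a2", "received": "2024-01-01T09:01:00", "triaged": "2024-01-01T09:01:30",
     "acknowledged": None, "engine": FALSE_POSITIVE, "analyst": None},
    {"id": "a3", "received": "2024-01-01T09:02:00", "triaged": "2024-01-01T09:02:10",
     "acknowledged": "2024-01-01T09:10:00", "engine": TRUE_POSITIVE, "analyst": TRUE_POSITIVE},
    {"id": "a4", "received": "2024-01-01T09:03:00", "triaged": "2024-01-01T09:03:40",
     "acknowledged": "2024-01-01T09:20:00", "engine": FALSE_POSITIVE, "analyst": TRUE_POSITIVE},
    {"id": "a5", "received": "2024-01-01T09:04:00", "triaged": "2024-01-01T09:04:15",
     "acknowledged": None, "engine": FALSE_POSITIVE, "analyst": None},
]

def _seconds_between(start: str, end: str) -> float:
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds()

def noise_reduction(records) -> float:
    """Fraction of alerts the engine closed as false positives (assumed definition)."""
    return sum(r["engine"] == FALSE_POSITIVE for r in records) / len(records)

def verdict_accuracy(records) -> float:
    """Agreement rate between engine and analyst on alerts an analyst reviewed."""
    reviewed = [r for r in records if r["analyst"] is not None]
    return sum(r["engine"] == r["analyst"] for r in reviewed) / len(reviewed)

def mean_time_to_triage(records) -> float:
    """MTTT in seconds: receipt to engine verdict, over all alerts."""
    return mean(_seconds_between(r["received"], r["triaged"]) for r in records)

def mean_time_to_acknowledge(records) -> float:
    """MTTA in seconds: receipt to analyst acknowledgement, over acknowledged alerts."""
    acked = [r for r in records if r["acknowledged"] is not None]
    return mean(_seconds_between(r["received"], r["acknowledged"]) for r in acked)

def analyst_overrides(records) -> Counter:
    """Count (engine verdict, analyst verdict) pairs where the analyst changed the verdict."""
    return Counter((r["engine"], r["analyst"]) for r in records
                   if r["analyst"] is not None and r["analyst"] != r["engine"])

if __name__ == "__main__":
    print(f"noise reduction: {noise_reduction(RECORDS):.0%}")
    print(f"verdict accuracy: {verdict_accuracy(RECORDS):.1%}")
    print(f"MTTT: {mean_time_to_triage(RECORDS):.0f}s  MTTA: {mean_time_to_acknowledge(RECORDS):.0f}s")
    for (engine, analyst), n in analyst_overrides(RECORDS).items():
        print(f"{n} alert(s) changed from '{engine}' to '{analyst}'")
```

The override counter is the part worth watching: a False Positive that an analyst reclassifies as True Positive (record a4 above) is a missed alert, and a cluster of such overrides for one asset or user type is the signal to add a Rule or refine Guidance rather than to keep correcting by hand.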
Torq AI SOC platform: one place for SecOps
Torq delivers a comprehensive SecOps solution in a single platform:
Auto Triage – Autonomous, transparent alert triage that removes noise and escalates what matters.
Case management – Full investigation process in which cases can be automatically created from alerts and handled by analysts or Socrates.
Hyperautomation – Automates both event handling and case management processes, reducing manual steps across the entire lifecycle.
With Torq, alerts can be prioritized so that analyst attention is focused where it is most needed. Your SOC achieves maximum efficiency and maximum security — without sacrificing visibility or control.
