The Torq AI SOC Platform combines agentic AI and automation to achieve speed and scale that manual SOC operations cannot match. It is a different operating model — designed to carry security work from the moment an alert enters the system through to resolution, without losing context between phases.
Traditional SOCs rely on powerful point-specific tools, yet those tools often operate in isolation. Analysts manually stitch together alerts, enrichment, investigation notes, and response actions across disconnected systems. Context is lost at every handoff. In contrast, Torq maintains decision continuity across all phases. Agentic reasoning is fully documented and transparent. Agentic actions happen under the control and supervision of your human staff. The level of automation is configurable — as your team builds confidence in the system's decisions, they can expand what runs autonomously.
The AI SOC operating model
The Torq AI SOC Platform operates as a coordinated system across four phases:
Ingest: Telemetry is aggregated, normalized, and contextualized so AI can reason over it at scale.
Triage: AI separates false positives from true positives and distinguishes benign activity from malicious threats. Every alert receives a verdict.
Investigate: Cases are automatically opened for confirmed threats; AI assembles evidence, builds timelines, and recommends response actions while maintaining full human oversight.
Respond: Containment and remediation agents take action within defined guardrails, doing only what your team has authorized. Agentic action operates in two modes: human-in-the-loop (the agent consults an analyst before acting) or human-on-the-loop (the agent acts and notifies the analyst). All actions are logged.
What distinguishes this model from a fragmented SOC is not the presence of individual capabilities. It is decision continuity: context and decisions carry forward across all four phases.
The Torq AI SOC Platform drives progress rather than handing it off. The platform does not stop at recommendations — it carries decisions through to execution, within governance guardrails defined by the organization.
Phase 1: Ingest
When alerts enter the Torq AI SOC, they are not processed as raw data. The ingest phase prepares alerts for accurate AI reasoning.
Torq data connectors receive and normalize alerts into OCSF (Open Cybersecurity Schema Framework). Key observables are extracted from each alert: IP addresses, domains, file hashes, usernames, and hostnames. This structured input is what enables the AI to reason across alerts consistently, rather than evaluating each one in isolation.
Normalization ensures that decisions downstream are based on clean, structured inputs. Raw, inconsistent data from each source tool does not reach the AI.
Phase 2: Auto Triage
Auto Triage is the front-door decision engine of the AI SOC. It evaluates incoming alerts and produces a structured verdict before any analyst time is consumed.
Auto Triage processes each alert through a six-step flow:
Ingest and normalize:
Torq normalizes each incoming alert and extracts key observables.
Enrich with external and internal context:
External intelligence includes threat intelligence feeds, malware analysis, vulnerability databases, and reputation services. Internal context includes asset management data, historical cases, organization-specific guidance, and tuning rules. Together, these signals allow Auto Triage to reason about an alert relative to the specific environment, not just against generic threat patterns.
Analyze and assign a verdict:
Auto Triage evaluates the combined signals and produces a verdict, including a severity assignment and supporting reasoning. The goal is a confident, context-aware decision, not a raw severity score. Every verdict includes justification and supporting context so analysts can understand and verify each decision.
Apply deterministic rules:
Governance guardrails are applied before the verdict is finalized. Known priorities are never left to probabilistic reasoning. For example, alerts involving critical assets or high-value users are always treated as critical, regardless of the AI's probabilistic assessment. These rules encode business truth directly into the triage process.
Verdict-based outcomes:
Each alert produces a structured verdict package containing:
True Positive or False Positive classification
Urgency
Risk score
Supporting evidence
MITRE ATT&CK mapping
Suggested response actions
Analyst override option
Malicious alerts are automatically promoted to cases in Case Management. Non-malicious alerts can trigger Hyperautomation to perform detection-tuning operations without analyst involvement.
Closed-loop feedback:
Analysts can confirm or change any verdict. These outcomes, along with case resolution histories, are captured as SOC Memory and feed back into how Auto Triage evaluates future similar alerts. See SOC Memory for details.
For a detailed walkthrough of Auto Triage configuration and setup, see Auto Triage.
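The six-step flow above, worked through in code. This is an added illustration written for this page, not Torq's engine: the asset list, threat-intel entry, alert fields, fingerprint scheme and the stand-in "model" are all constructed assumptions. The point it makes is the ordering in step 4: the deterministic critical-asset rule is applied after the probabilistic verdict and wins over it, while an analyst correction from step 6 replaces the model's classification the next time a similar alert arrives.

```python
from dataclasses import dataclass

# Constructed context standing in for asset management, threat intel, and SOC Memory.
CRITICAL_ASSETS = {"dc01.corp.example"}          # assumed domain controller
HIGH_VALUE_USERS = {"cfo"}                       # assumed high-value user
THREAT_INTEL = {"203.0.113.7": "known C2 node"}  # constructed reputation entry
SOC_MEMORY = {}                                  # fingerprint -> analyst verdict

@dataclass
class Verdict:
    classification: str   # "True Positive" or "False Positive"
    urgency: str          # low / high / critical
    evidence: list        # supporting reasoning shown to the analyst

def fingerprint(alert):
    """Key used to recognise 'similar alerts' in SOC Memory (assumed scheme)."""
    return (alert["rule"], alert.get("hostname"), alert.get("username"))

def enrich(alert):
    """Step 2: external (reputation) plus internal (asset, memory) context."""
    return {
        "intel": THREAT_INTEL.get(alert.get("src_ip")),
        "protected": alert.get("hostname") in CRITICAL_ASSETS
        or alert.get("username") in HIGH_VALUE_USERS,
        "memory": SOC_MEMORY.get(fingerprint(alert)),
    }

def triage(alert):
    """Steps 2-5: return the structured verdict package for one normalized alert."""
    ctx = enrich(alert)
    # Step 3: probabilistic stand-in; the real engine uses an AI model here.
    if ctx["intel"]:
        v = Verdict("True Positive", "high", [f"{alert['src_ip']}: {ctx['intel']}"])
    else:
        v = Verdict("False Positive", "low", ["no malicious indicators"])
    # Tuning signal from step 6: a prior analyst correction for this fingerprint
    # replaces the model's guess, so the override needs no hand-written rule.
    if ctx["memory"] and ctx["memory"] != v.classification:
        urgency = "low" if ctx["memory"] == "False Positive" else "high"
        v = Verdict(ctx["memory"], urgency, v.evidence + ["SOC Memory: analyst override"])
    # Step 4: deterministic guardrail applied after the model, never left to it.
    if ctx["protected"]:
        v.urgency = "critical"
        v.evidence.append("deterministic rule: critical asset or high-value user")
    return v

def analyst_decision(alert, classification):
    """Step 6: a confirmation or override is stored and shapes future triage."""
    SOC_MEMORY[fingerprint(alert)] = classification
```

Alerts are assumed to arrive already normalized (step 1), so the dictionaries passed in use the canonical field names directly.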
Phase 3: Investigate
When Auto Triage confirms a true positive, the alert is automatically promoted to a case. The investigation phase begins with a full triage context already attached: observables, enrichment data, verdicts, and suggested actions. Analysts and AI do not start from a blank slate.
Case Management
Case Management is the investigation workspace. Each case is a structured, living thread that captures evidence, timelines, tasks, and analyst actions in one place rather than scattering them across tools.
Cases support:
Categorization, custom SLA timers, and review lifecycle management
A natural language interface for analyst interaction
Investigation runbooks that define the response process
Operational dashboards and SLA tracking for visibility across investigations
Case Management is not a ticketing layer. It is an operational governance system for security investigations.
Socrates and AI Agents
Socrates and Torq AI Agents accelerate investigation within the case thread.
Torq AI Agents are specialized investigation units configured for repeatable tasks, such as enrichment, classification, threat actor research, and the generation of detection logic. AI Agents are customizable — each is configured with defined instructions, a specific set of integrations, and behavior scoped to the organization's environment. Every step is logged and auditable.
Socrates is the agentic manager. It orchestrates casework across the investigation, including the work of specialized AI Agents, into a cohesive whole. Socrates can follow the same runbooks, use the same tools, and execute the same processes as human analysts. Cases can be assigned to Socrates directly, allowing the SOC to work alerts autonomously when appropriate.
Socrates operates within the case thread. Its actions are visible, its reasoning is transparent, and analysts can review, redirect, or take over at any point.
Phase 4: Respond
Response in the Torq AI SOC is not a separate process appended after investigation. It operates within the case thread, with full investigation context intact.
Response executes across three modes:
Automated: AI-driven actions and Hyperautomation execute containment, remediation, and communication steps in accordance with policy thresholds and defined guardrails.
User-assisted: Analysts provide approvals or guided inputs at defined checkpoints. Quick Actions in the case interface execute response actions backed by Hyperautomation.
Manual: Analysts execute and document actions directly within the case, capturing lessons learned for future reference.
All three modes operate inside the same case thread. Context does not break between investigation and response.
Hyperautomation supports over 300 integrations and 4,000+ pre-built steps. It combines deterministic automation for steps that require reliability with AI Agents for steps that require adaptability. Governance guardrails define what can execute autonomously, under what conditions, and with what approval requirements.
SOC Memory: The feedback loop
SOC Memory is the mechanism by which the Torq AI SOC improves over time. It captures outcomes from analyst activity and case resolutions and feeds them back into Auto Triage as tuning signals.
Signals that contribute to SOC Memory include:
Analyst confirmations of Auto Triage verdicts
Analyst overrides and the reasons provided
Case closure reasons (benign, duplicate, remediated, escalated)
Escalation paths taken
Resolution actions applied
Historical investigation patterns
When an analyst confirms a verdict, it reinforces how similar alerts will be handled in the future. When an analyst changes a verdict, that correction is captured as a signal, ensuring similar alerts are handled consistently in future triage.
The result is a system that improves over time without requiring manual rule-writing or playbook maintenance. Decisions become more consistent across analysts, unnecessary escalations decrease, and time-to-investigation improves for confirmed threats.
Human oversight
The Torq AI SOC expands SOC handling capacity and accelerates investigations. Analysts remain in control throughout.
At every phase, analysts can:
Review and override decisions: Any Auto Triage verdict can be confirmed or changed, with reasoning captured for future tuning.
Apply business and environmental context: Analysts add knowledge that the system cannot infer automatically, such as ongoing projects, authorized activity, or evolving threat conditions.
Feed outcomes back into the system: Analyst decisions are not discarded after use. They become signals that improve the quality of future triage and investigation.
The response path includes a human escalation step. High-impact or ambiguous actions require analyst approval before execution. The system does not operate outside the organization's governance boundaries.
What changes in the Torq AI SOC is not whether humans are involved. It is where their involvement is most needed. Analysts move from sorting alerts to investigating confirmed threats and governing AI decisions.
The Torq AI SOC carries work forward rather than handing it off, so that each phase builds on everything the previous one produced: from enriched triage to structured investigation to governed response. The result is a SOC that operates as a continuous system rather than a sequence of handoffs.