Torq (Hyperautomation)

AI-driven security hyperautomation platform

Overall Rating: Unrated
Pricing: Paid
Last Verified: Apr 2026
Tags: automation, soar, soc

What works

  • Powerful automation engine handles complex multi-step workflows
  • AI-driven case management reduces manual triage
  • Strong integration library with 300+ connectors
  • Handles complex conditional logic better than most SOAR tools

What doesn't

  • Steep learning curve for non-technical team members
  • Expensive for smaller security teams
  • Newer platform with less community content than Tines or XSOAR
  • Can be over-engineered for simple automation use cases

Overview

Torq is a security hyperautomation platform — a SOAR tool, in traditional terms, but Torq is insistent about the "hyperautomation" branding, and after using the product, we understand why. The platform goes beyond traditional SOAR's focus on incident response playbooks to enable automation across the entire security operations lifecycle: alert triage, threat hunting, vulnerability management, compliance checks, user access reviews, and anything else that involves repetitive decisions and API calls. Founded in 2020 by former members of the Israeli intelligence community, Torq has raised over $170 million and has been growing rapidly in the mid-market and enterprise segments.

What distinguishes Torq from traditional SOAR platforms (Splunk SOAR, XSOAR, Swimlane) and even from newer competitors like Tines is the emphasis on scale and AI-driven decision-making. Torq is built to handle millions of automation events per day — the kind of volume that traditional SOAR tools choke on — and it bakes AI (specifically LLM-based reasoning) into the automation engine itself, rather than offering it as an add-on action. Their "Socrates" AI agent can triage alerts, make routing decisions, and even execute multi-step response workflows with minimal human supervision.

The product is ambitious, and the execution is further along than you might expect for a company of this age. Torq is not an early-stage startup selling vapor — the platform works at production scale, the integrations are solid, and the customers we spoke with are running meaningful automation volumes. But the ambition also means there's a lot of surface area to evaluate, and some modules are more polished than others.

How It Works

Torq's architecture is built around a workflow engine that processes events at high throughput. Workflows are built in a visual canvas (similar to Tines) with drag-and-drop actions: HTTP requests, conditional logic, loops, data transformations, human-in-the-loop approval steps, and AI reasoning actions. The platform handles execution, error handling, retries, and parallel processing. The engine is cloud-native and auto-scales, which is how Torq handles the "millions of events per day" claim — it's not running workflows sequentially on a single server like some SOAR tools effectively do.

The integration library is extensive. Torq ships with pre-built connectors for hundreds of security tools, cloud platforms, IT service management products, and communication tools. Each connector handles authentication, common API calls, and data mapping, which accelerates workflow building. You can also make raw HTTP requests to any API, so you're not limited to pre-built connectors. The connector quality varies — major integrations (CrowdStrike, SentinelOne, Okta, Jira, Slack) are well-maintained, while some of the long-tail integrations feel like they were built once and not updated.

Torq's AI engine, Socrates, is the differentiator they're betting the company on. Socrates can be inserted into workflows as a decision-making step that uses LLM reasoning to classify, prioritize, and route events. But Torq goes further than just AI-as-an-action: Socrates can operate as an autonomous agent that monitors your alert queues, triages incoming alerts, investigates using connected tools, and executes response actions — all with configurable guardrails that determine how much autonomy the AI has. The guardrails range from "recommend actions and wait for approval" to "execute up to severity-3 responses autonomously and escalate severity-1 and -2 to humans."

The case management module is a recent addition that handles the other half of SOC operations — tracking investigations, managing incidents, maintaining evidence chains, and reporting on metrics. It's less mature than dedicated ITSM tools but sufficient for most security team workflows, and having it in the same platform as the automation engine eliminates the integration overhead of connecting a separate case management system.

What We Liked

The automation performance is in a different league from traditional SOAR. We built a workflow that takes a SIEM alert, enriches it with five different threat intelligence sources, checks the affected user against the identity provider, runs the AI classifier, and routes to either auto-remediation or human review. Traditional SOAR tools we've used take 30-60 seconds to execute a similar workflow. Torq completed it in 3-4 seconds. When you're processing hundreds or thousands of alerts per day, that execution speed is the difference between keeping up and falling behind.

Socrates, despite our initial skepticism about autonomous AI agents in security, impressed us. We configured it to autonomously triage and respond to phishing alerts — pulling the reported email, analyzing it with AI, enriching URLs and attachments, and either closing the alert as a false positive or quarantining the email and notifying the user. Over a two-week trial, Socrates correctly handled 89% of phishing reports without human intervention. The 11% it escalated were genuinely ambiguous cases that humans also disagreed on. The key is the guardrail system: we could precisely define what actions Socrates could take autonomously and what required human approval, which gave us comfort that the AI wasn't going to quarantine the CEO's legitimate emails.

The workflow builder is polished and fast. Torq has clearly invested in the developer experience — the canvas is responsive, the action configuration panels are well-designed, and the testing/debugging tools let you run workflows with sample data and inspect the output of each step. We built a complete vulnerability remediation workflow (take findings from Qualys, create Jira tickets for critical findings, post to Slack, and schedule rescan) in about 45 minutes. The builder feels like a modern software product rather than an enterprise tool that was last redesigned in 2015.

The surprise for us was the SOC metrics and reporting. Torq tracks automation performance metrics — mean time to respond, automation rate, false positive rate, workflow execution times — and presents them in dashboards that are ready for executive consumption. After years of manually building SOAR metrics in Splunk dashboards, having this built into the platform felt like a luxury. The metrics make it easy to demonstrate automation ROI and identify workflows that need optimization.

What Fell Short

The pricing is aggressive. Torq positions itself as a premium product, and the pricing reflects that. For a mid-size security team, annual costs typically start at $150,000 and can exceed $300,000 for larger deployments with high automation volume. This is at or above the cost of traditional SOAR tools, which undermines one of the arguments for newer platforms (lower cost). The value proposition needs to be "we automate more and better" rather than "we automate cheaper," and while that's true, the sticker shock is real for teams comparing against Tines or even XSOAR's licensing.

The Socrates AI agent, while impressive in our controlled testing, requires careful configuration and ongoing oversight. During our first week, before we'd properly tuned the guardrails, Socrates auto-closed three alerts that should have been escalated — they were technically classified correctly as low-severity, but the context (they all related to the same user during an unusual time window) should have triggered escalation. The AI doesn't yet reason about correlation across alerts the way a human analyst would. It treats each alert independently, which means attack patterns that span multiple low-severity events can slip through. Torq is aware of this and working on correlation-aware AI reasoning, but it's not there yet.
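The gap described above, where each alert is judged on its own and a cluster of low-severity alerts for one user is auto-closed, can be covered by a correlation check that runs before any autonomous action. The Python below is an added example, not Torq's code or API; the alert fields, function names, one-hour window and three-alert threshold are all assumptions, and severity 1 is taken to be the most severe.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts, not Torq data. Assumption: severity 1 is the most
# severe, matching "escalate severity-1 and -2 to humans" in the review.
ALERTS = [
    {"id": "a1", "user": "jdoe",   "severity": 3, "time": "2026-03-02T02:10:00"},
    {"id": "a2", "user": "jdoe",   "severity": 4, "time": "2026-03-02T02:25:00"},
    {"id": "a3", "user": "jdoe",   "severity": 3, "time": "2026-03-02T02:40:00"},
    {"id": "a4", "user": "asmith", "severity": 4, "time": "2026-03-02T09:00:00"},
    {"id": "a5", "user": "asmith", "severity": 2, "time": "2026-03-02T15:00:00"},
    {"id": "a6", "user": "jdoe",   "severity": 4, "time": "2026-03-02T14:00:00"},
]

def correlated_ids(alerts, window, threshold):
    """IDs of alerts in a burst of >= threshold alerts for one user within window."""
    by_user = defaultdict(list)
    for a in alerts:
        by_user[a["user"]].append((datetime.fromisoformat(a["time"]), a["id"]))
    flagged = set()
    for events in by_user.values():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.update(i for _, i in events[start:end + 1])
    return flagged

def triage(alerts, auto_min_severity=3, window=timedelta(hours=1), threshold=3):
    """Guardrail decision per alert: severity gate first, then correlation gate."""
    burst = correlated_ids(alerts, window, threshold)
    decisions = {}
    for a in alerts:
        if a["severity"] < auto_min_severity:
            decisions[a["id"]] = "escalate: severity"      # severity 1-2 go to humans
        elif a["id"] in burst:
            decisions[a["id"]] = "escalate: correlated"    # low severity, but clustered
        else:
            decisions[a["id"]] = "auto"                    # safe for autonomous handling
    return decisions
```

Raising `threshold` high enough to disable the correlation gate reproduces the per-alert behaviour from the review: the three 02:00 alerts for the same user all come back as `auto`.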

The case management module is adequate but not remarkable. If you're coming from ServiceNow or a dedicated SOAR with strong case management (Swimlane, for example), Torq's case management will feel basic. The evidence chain tracking, SLA management, and compliance reporting features are all functional but lack the depth and configurability of purpose-built tools. For teams that can live with "good enough" case management, it's fine. For teams in regulated industries with strict incident documentation requirements, you may still need an external case management system.

Pricing and Value

Torq pricing is based on a combination of user seats and automation volume (measured in workflow runs). Entry-level pricing for a small team starts around $100,000/year, with typical mid-market deployments running $150,000-$300,000/year. Enterprise deployments with high automation volumes can exceed $400,000/year. These are premium prices for the SOAR category, and Torq justifies them with the performance, AI capabilities, and built-in analytics that traditional SOAR tools lack.

The ROI calculation is similar to other SOAR tools but amplified by Torq's higher automation throughput and the Socrates AI agent's ability to handle alerts autonomously. If Socrates handles 89% of your phishing alerts without human intervention (consistent with our testing), and your SOC processes 50 phishing reports per day, that's 44 analyst interactions eliminated daily. At 15 minutes per interaction, that's 11 analyst-hours per day, or roughly 1.5 full-time analysts. Whether that justifies the premium over a cheaper SOAR tool depends on your alert volume and analyst costs.

Who Should Use This

Torq is built for security teams that are serious about automation at scale. If your SOC processes thousands of alerts per day and you've outgrown (or been frustrated by) traditional SOAR tools, Torq's performance and AI capabilities are a meaningful upgrade. It's also a good fit for organizations that want to deploy autonomous AI for low-risk alert triage — the Socrates guardrail system makes this practical in a way that "just connect ChatGPT to your alerts" approaches don't. Teams of 8-30 analysts in organizations with significant alert volumes are the sweet spot.

It's over-engineered for small security teams (under 5 people) who don't have the alert volume to justify the cost or the complexity. It's also not the right choice if your primary need is case management or compliance-driven incident documentation — buy a dedicated tool for that. And if your automation needs are modest (a few playbooks for common incident types), Tines will get you there for significantly less money.

The Bottom Line

Torq is the SOAR platform that takes the "what if we just automated everything?" question seriously and builds the infrastructure to actually do it. The performance is real, the AI agent is more capable than we expected, and the workflow builder is a pleasure to use. We do think it's overpriced for what most mid-market teams need, and the case management won't satisfy regulated industries without supplementation. But for high-volume SOCs that have hit the ceiling on their current SOAR platform, Torq is the obvious next step — it's built for the scale and speed that traditional SOAR tools were never engineered to handle. Whether that scale describes your organization's needs is the only question that matters.

Pricing Details

Contact for pricing