Torq, a provider of security hyper-automation solutions, today announced the launch of Torq Socrates, an AI agent specifically designed for security operations. The company said that by utilizing large language models (LLMs), Socrates hyper-automates critical security activities to alleviate alert fatigue, false positives and job burnout for security analysts.

The company says that Socrates empowers cybersecurity teams with automated contextual alert triaging, incident investigation and response capabilities. The AI agent harnesses intelligence signals from diverse security ecosystems to autonomously drive remediation actions.

Socrates continuously learns and evolves as it accumulates and analyzes security events, acting as an extension for Security Operations Center (SOC) teams. By prioritizing and categorizing potential threats, the AI agent aims to enable SOC analysts to concentrate on handling critical security incidents.

“Socrates is the industry’s first AI agent built to perform complex multi-phase tasks related to triage, containment and remediation of security issues,” Leonid Belkind, cofounder and CTO of Torq, told TechForgePulse. “The LLMs present in the architecture are capable of interpreting and analyzing tasks described in natural language, with enterprise-grade security hyperautomation.”

Belkind said that the AI agent can integrate with any infrastructure, security, communication and other tools in an organization’s IT stack.

“I anticipate 90% of Tier-1 and Tier-2 tickets will be resolved autonomously. This represents a complete shift in how the industry thinks about SecOps,” Ofer Smadari, CEO and cofounder of Torq, said in a statement. “It goes far past the typical AI augmentation approach by enabling SecOps to replace significant parts of its Tier-1 and Tier-2 response approach with AI, enabling security professionals to focus on big picture strategic impacts and outcomes.”

The foundation of Socrates lies in the ReAct (Reason + Act) LLM approach, which combines AI-based reasoning with actionable methodologies derived from organizations’ unique SOC playbooks. Torq’s human-in-the-loop automation ensures that sensitive decisions and actions remain under the control of human operators, thereby promoting responsible AI adoption.

Belkind claims that this integration empowers security analysts to remain in control of processes and outcomes, benefiting from well-documented responses and success criteria that inform future decision-making.

The LLM empowers the model to semantically dissect guidelines into desired actions and analyze the outcomes of performed actions to compare them with guidelines, driving the logical flow of follow-ups. “The ‘Reasoning’ part of the ReAct AI agent is based on the semantic analysis of directives and action outcomes, while the ‘Acting’ part of the AI relies on a set of ‘tools’ provided to the agent, each capable of performing specific activities with defined parameters,” Belkind explained.

Streamlining Tier-1 security issues for SOC teams

Belkind highlighted the repetitive nature of tasks performed by security analysts, particularly Tier-1 / Level-1 analysts responsible for security event triage. Analysts execute many predefined operational practices, often called runbooks or playbooks, to ensure consistency in their actions. 

However, Belkind contends that this leaves little room for creativity and human ingenuity, typically reserved for more experienced specialists handling higher tiers of security events beyond the triage stage.

Belkind says this creates an environment where “alert fatigue” and job burnout are rampant, especially considering the understaffed state of many security operations organizations. Additionally, the adoption of hybrid cloud technologies by organizations to stay competitive has led to a constant increase in incoming security events requiring analysis.

“Under these circumstances, upskilling security analysts and enabling them to focus on strategic and proactive activities becomes exceedingly challenging, as they are overwhelmed by the constant influx of alerts. This is precisely where Socrates comes to the rescue,” said Belkind. “Designed as a horizontally scalable cloud-native orchestrator, our AI agent can handle tasks related to security processes. Each task can be executed with various isolation levels, either within organizational networks or in the cloud.”

Ensuring responsible AI development 

Belkind emphasized that the Torq Socrates AI agent’s “acting” part optimally utilizes the infrastructure. Each tool accessible to the agent functions as a Torq workflow, allowing connection to unlimited distributed assets. 

This approach enables the agent to execute multiple actions simultaneously, scaling horizontally to efficiently process a substantial volume of events and data sources within the guaranteed service level agreement (SLA).

“The core principle of Torq’s responsible AI architecture is ensuring that Torq Socrates can only trigger Torq workflows. These workflows carry out data queries across various data sources and pre-process, filter and tokenize data before returning it to semantic analysts,” he added. “This mechanism guarantees that the agent cannot bypass the privacy controls integrated into these workflows, as it lacks access privileges to the data sources themselves.”

Belkind further clarified that the agent is restricted to invoking complete workflows, which “mask” the data source and potentially parts of the data. The “sandboxed” architecture confines all actions to a predefined allow-list while establishing an immutable audit trail for every action.

“Being a company established by security practitioners, we firmly believe that the ‘proof of value’ for any technological breakthrough we deliver is strictly in the field and not in our labs,” said Belkind. “We are collaborating with Enterprise and MSSP organizations that expose Torq Socrates to incoming real-life events (in their environments) and provide it with operational guidelines available today to their SOC/SecOps teams.”

Torq announced that Socrates is now available on a limited availability basis to select enterprise organizations. 

TechForgePulse's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.