Security operations teams have always dealt with a staffing and resource problem. There are never enough people, and the ones you have spend a lot of time on work that doesn’t require much judgment—monitoring alerts, maintaining workflows, keeping integrations running. Torq is trying to change how much of that burden falls on the engineers.
The company announced Agentic Builder this week, a new capability within the Torq AI SOC Platform. I had an opportunity to talk with the Torq team ahead of the announcement, and also sat in on a demo with Leonid Belkind, co-founder and CTO. The idea is straightforward: security engineers describe the outcome they want in plain language, and the platform builds, tests, and validates the workflow for them.
Torq describes the approach using the Cursor analogy—the AI coding tool that lets developers describe what they want rather than write every line themselves. The argument is that Cursor made software development more accessible by shifting the work from syntax to intent, and that security operations are ready for a similar shift. It’s a fair comparison at the conceptual level, though how it plays out across the variety of enterprise environments that real SOC teams operate in is harder to say from a demo.
One of the more candid things the Torq team said is that workflow-building is essentially technical debt. You’re not solving security problems when you’re stitching integrations together and managing playbooks—you’re just keeping the lights on. That’s not a new criticism of the SOAR market, but it’s the right framing for what Agentic Builder is trying to address.
How Agentic Builder Works
In the demo, Belkind walked through a common SOC use case: identifying and deactivating dormant user accounts. Rather than requiring an engineer to define every step, the system asks clarifying questions first—inactivity threshold, whether deactivation needs an approval step—then proposes a workflow architecture, builds it, and tests it against sample accounts before anything goes to production. Belkind made the point that the real cost of security automation isn’t the initial build.
“Not only the cost of development, which was the original challenge everybody set out to solve, but the whole cost of ownership—technology changes, version updates, model lifecycle management—it all becomes about the outcomes you want,” Belkind said.
According to Torq, Agentic Builder operates through Torq Socrates, the platform’s orchestration layer, which monitors workflows after deployment and adjusts them as conditions change. Those are the vendor’s claims; evaluating them properly requires looking at how the platform performs outside of a controlled demo environment.
A Customer’s Perspective
I also had an opportunity to chat with Corey Kaemming, Senior Director and CISO at Valvoline, who has been a Torq customer for a little over a year. His team moved to the platform during a corporate divestiture that significantly reduced his headcount. He needed a way to maintain security coverage with fewer people. He said automating email security validation and alert triage reduced manual work by roughly six to seven hours a day—his estimate based on his team’s experience.
On the question of how much to trust AI-driven automation before letting it run independently, Kaemming was measured in his expectations. “I compare it to when I hire a security analyst as an intern. I’m not going to throw him or her directly into running a level one, level two, level three workflow.” His approach has been to start with lower-stakes use cases, test the results, and expand from there. He said that process is still ongoing.
Kaemming also raised the knowledge concentration problem that comes up a lot with legacy SOAR deployments. The engineer who built the workflows usually understood them. When that person left, the understanding went with them. He described inheriting a previous setup where the workflows were essentially a black box—nobody still on the team knew how they worked or what to do when they failed. A plain-language approach at least means the intent behind a workflow is legible to whoever comes next, provided the original prompts were written clearly.
Putting It in Context
There’s a reasonable case that automating the repetitive workflow frees analysts for higher-judgment tasks—threat analysis, strategy, and cross-team coordination. Whether that actually happens depends more on how teams are managed than on the technology.
The AI-powered SOC space is crowded, and a lot of vendors are making similar claims right now. The pitch—faster, less manual, more autonomous—is not unique to Torq. What matters more is whether it actually works in production. Torq points to named enterprise customers, including LEGO, Marriott, and Prudential, as evidence. That’s worth noting, with the caveat that the people I spoke with have an obvious interest in how this story gets told.
On governance, Torq says Agentic Builder keeps humans in the loop before deployment—engineers can review what an agent will do and tune it before it runs. That’s the right design principle. Whether organizations maintain that level of oversight as the platform becomes more familiar and as time pressure increases is a different question.
The problem Torq is going after is real. Security engineers spend too much time on workflow maintenance and not enough time on actual security work. If Agentic Builder delivers on its promise consistently at enterprise scale, that’s useful. The next year or two of customer deployments will be a better indicator than any demo.
Torq is demonstrating Agentic Builder at RSAC 2026, Booth #527 in the South Expo Hall, from March 23–26.
- The Attack Surface Changed but the Fundamentals Didn’t - May 7, 2026
- What the Breach Reveals That the Budget Never Did - April 30, 2026
- When Science Becomes a Runway for Faith - April 30, 2026
