torq.io, one of the louder voices in our category, recently shipped a manifesto - the "AI SOC Apocalypse" - with 20 questions any AI SOC vendor needs to answer. We took the challenge, answered all 20, and added five of our own to challenge back.

Most of the twenty questions quietly assume the case is the unit of work. For us the unit is the threat - however many alerts it happens to fan out into. Keep that in mind; it's where one or two answers land somewhere the question didn't expect.
// Same 1,000 alerts, two operating models
Case-per-alert (industry default): 1,000 tickets
Threat-centric (TandemTrace): ~10 cases
The ~1% that actually deserved a human. The other 99% never became work.
// Let's answer Torq's 20 questions and see if TandemTrace is truly an AI SOC platform :-)
01. Integration & unified data foundation

1. Does the platform integrate with your existing stack as a unified orchestration and case-management layer instead of forcing a rip-and-replace?
// TandemTrace: Yes. TandemTrace ships with its own case-management layer for collaboration across teams - and it also integrates with whatever you already run: ServiceNow, Atlassian, and, if you insist, Torq. No rip-and-replace, either direction.

2. Can the platform correlate signals, context, threat intelligence, and historical activity across SIEM, EDR, identity, cloud, email, and other security systems?
// TandemTrace: We have customers running 15 data sources at once - a classic shape is Elastic as SIEM, CrowdStrike for EDR, Proofpoint for email, Netskope for ZTNA, Entra for identity. Collecting the alerts is the easy part. The hard part is autonomously enriching each one with context drawn from every source, plus alert history, prior investigations, and business context, to reach a verdict without an analyst touching the keyboard.

3. Does the platform maintain a continuously updated context model or "single source of truth" for the SOC environment?
// TandemTrace: A unified data layer holds all investigation state and context, so every agent begins a new investigation already current - no re-hydration step, no stale snapshot.

4. Does the solution provide native case management, investigation timelines, and cross-tool evidence correlation?
// TandemTrace: TandemTrace installs as an all-in-one SOC or slots in alongside what you already run. The AI does enough of the work that the analyst is left with the two things that actually need a human - decision and response. Agents are reachable directly through our MCP server, so you don't have to be a query expert anymore.
02. Memory & continuous learning

5. Can the AI reference prior investigations, analyst decisions, and case outcomes when evaluating new alerts?
// TandemTrace: Every new alert is evaluated against old alerts, analyst comments, and prior decisions. And unlike a SOAR, you don't hand-engineer a pipeline for each process - the entire underlying data pipeline ships built in, out of the box.

6. Does the platform maintain persistent organizational memory so analyst decisions improve future investigations and verdicts?
// TandemTrace: Analyst judgment is stored and reused across every AI pipeline. Nobody re-types the same comment and the same conviction on every new investigation - the platform carries it forward.

7. Can the AI explain which prior cases, decisions, or historical patterns influenced a recommendation or verdict?
// TandemTrace: Our agents connect the dots autonomously on every investigation. The philosophy isn't to wait for an analyst to ask - it's to answer the question before they think to ask it. Proactive follow-up is one prompt away through the AI modules.

8. Does the platform learn from analyst feedback, verdict changes, investigation outcomes, and case resolutions to calibrate confidence and improve future decisions?
// TandemTrace: Yes - 24/7 autonomous loops calibrated on history, context, and both old and new investigations. Feedback isn't a quarterly retraining event; it's the running state of the system.
03. Autonomy & automated response

9. Does the platform go beyond triage to autonomously investigate, contain, remediate, and close incidents?
// TandemTrace: All of it - but the bigger shift is that we're not bound to the one-incident-at-a-time paradigm. The new paradigm is to contain a threat autonomously whether it shows up as one alert or a hundred, whether it's hunting-driven or analyst-driven. Response plugs into whatever you run - identity management, XDR, and the rest.

10. Can the AI dynamically update cases in real time, adapting a plan from autonomy to escalation on the fly when a threshold is met?
// TandemTrace: Same machinery as above - thresholds are evaluated continuously against history and context, and a plan escalates the moment one is crossed. There's no batch window between "autonomous" and "hand it to a human."

11. Does the platform enable "human-on-the-loop" operations, where analysts intervene only when needed instead of manually driving every workflow?
// TandemTrace: By default, TandemTrace is fully autonomous for investigation and hunting - the point is to give analysts back their cognitive bandwidth and refocus the SOC on decision and response. Human-in-the-loop is configurable per scenario; that's the team's call, not ours.

12. Does the platform support adjustable autonomy levels based on severity, confidence, business context, or risk tolerance?
// TandemTrace: Full fine-tuning. Run it read-only for investigations, or in full response mode for autonomous mitigation - set per scenario, per severity, per your risk tolerance.

// TandemTrace: You can tune the operational behavior - and there's a dedicated security AI pipeline underneath it, built specifically to prevent fatal-analysis and hallucination failure modes. Customization doesn't come at the cost of guardrails.
14. Can analysts use natural language to build and customize AI agents, workflows, permissions, and objectives?
// TandemTrace: Yes - ad-hoc or permanent agent workflows for hunting and investigation, built in natural language.

15. Can AI agents access only the systems, data, and tools explicitly authorized by administrators?
// TandemTrace: Each connected data source has its own scope boundary. Every API is rate-limited so we never impact your production systems, and every API call and data request can be made fully visible.
16. Does the platform include enterprise-grade RBAC, governance controls, approval workflows, and policy guardrails?
// TandemTrace: Full RBAC, granular user permissions, and local / OAuth / SAML authentication.
05. Transparency & auditability

17. Can the AI explain its reasoning for every verdict, recommendation, escalation, and action?
// TandemTrace: Full visibility into the AI's thinking and its results - rendered differently depending on who's looking - with proactive follow-up on tap if you want the agent to dig further into any step.

18. Are all AI actions, reasoning chains, overrides, and outputs captured in immutable audit logs?
// TandemTrace: The system can be configured for full local logging and observability, enterprise-grade - the reasoning chain and every action are captured, not just the final verdict.
06. Enterprise scale & proven impact

19. Can the platform reliably operate at enterprise scale - high alert volumes, real-time response, multi-tenancy, segmentation, and data residency?
// TandemTrace: Customers worldwide, tens of thousands of endpoints, genuinely complex production networks, and a long tail of security-product integrations running side by side. Scale isn't a roadmap item.

20. Can the platform prove operational impact - MTTR reduction, case closure rates, analyst time recovered, false-positive elimination - with the metrics a CISO takes to the board?
// TandemTrace: MTTD / MTTR and whatever other metrics the SOC wants to track, surfaced in the UI and in reports built for exactly that board conversation.
+5. Five questions the checklist skips

Torq's twenty are good. They're also, conveniently, twenty questions a mature-sounding vendor can answer "yes" to in a boardroom without committing to a number. Here are five more we'd hand any buyer - the ones where a vague answer and a real one sound completely different. Ours come with the figures attached.

21. What does one full autonomous investigation cost - and how fast, end to end, when 20 related alerts collapse into a single case?
// TandemTrace: On average, TandemTrace clusters a full storm of related alerts into a single investigation and returns a cited verdict in under two minutes, for about $0.10. Ask every vendor for per-investigation cost and end-to-end latency in writing - most will quote you a seat price instead, because the per-verdict economics don't always survive daylight.
// How 20 alerts become one verdict
20 raw alerts → correlated → 1 investigation → one cited verdict
// Per full autonomous investigation
~$0.10 model cost
<2 min alerts → verdict
Ask any vendor for these two numbers in writing. Most will quote a seat price instead.
22. How long from POC to full production - and how much engineer and operator time does it actually take?
// TandemTrace: Zero to one in under two hours: multiple sources connected and the AI agents fully live in production mode. No quarter-long pipeline-engineering project, no professional-services line item standing between you and the first verdict.

23. Can it be installed on-premise? Private cloud? Public cloud?
// TandemTrace: All three. TandemTrace is environment-agnostic - deploy it on-premise, in your private cloud, or run it as SaaS on our managed cloud. Same product; you decide where the data lives.

24. Can it work with different AI models - one or several at once, on your own inference?
// TandemTrace: Yes. Point it at your own LLM API and inference, and configure multiple providers as a hot-swap interface for backup and failover. You're not welded to a single model, or to one vendor's rate limits and outages.

25. Out-of-the-box AI threat hunting, or only proactive tools an analyst has to drive?
// TandemTrace: Hundreds of adaptive AI threat-hunting scenarios that fire off the data in the environment - not hunts a SOC analyst has to launch by hand. The system hunts on its own, continuously, and shapes each hunt to what it's actually seeing.
The real apocalypse

The only apocalypse worth the name isn't a marketing theme - it's the wave of AI-driven attacks already aimed at the organizations least ready for them. Adversaries now operate at a speed the industry has never seen, and no security team has the luxury of waiting. The moment attacks began unfolding in seconds and minutes instead of days, AI defense stopped being optional.

Every old paradigm was built for a slower world: one ticket per alert, a human in front of every verdict, a quarter to stand up a tool. That world is gone. Defense now has to move at the speed of the attack - in seconds and minutes - and the teams that make it through are the ones willing to change faster than the threat does.

TandemTrace was built for that clock: raw alerts to a cited verdict in under two minutes, autonomous by default, live in under two hours. Bring your noisiest week - request a demo and see what defending at machine speed actually looks like, then read how the layer underneath it works in "The AI model is rented. TandemTrace's ontology isn't."

Corrections, counter-answers, and "you missed a question" notes welcome: [email protected].