# 25 questions every AI SOC vendor should answer

**Category:** Counterpoint · **Author:** TandemTrace team · **Date:** 2026-07-01 · **Reading time:** 9 min · **Tags:** ai-soc, evaluation, autonomy, positioning, memory

torq.io, one of the louder voices in our category, recently shipped a manifesto - the [*"AI SOC Apocalypse"*](https://torq.io/resources/ai-soc-apocalypse/) - with 20 questions any AI SOC vendor needs to answer. We took the challenge, answered all 20, and added five of our own to challenge back.

> The old paradigm of one ticket per alert doesn't make sense anymore. Most SOCs see thousands of alerts a day, and maybe **1%** of them are ever worth full case management and a human's full attention.

Most of the twenty questions quietly assume the *case* is the unit of work. For us the unit is the *threat* - however many alerts it happens to fan out into. Keep that in mind; it's where one or two answers land somewhere the question didn't expect.

**Let's answer torq's 20 questions and see if TandemTrace is truly an AI SOC platform :-)**

## 1. Integration & unified data foundation

**1. Does the platform integrate with your existing stack as a unified orchestration and case-management layer instead of forcing a rip-and-replace?**

Yes. TandemTrace ships with its own case-management layer for collaboration across teams - and it also integrates with whatever you already run: ServiceNow, Atlassian, and, if you insist, Torq. No rip-and-replace, either direction.

**2. Can the platform correlate signals, context, threat intelligence, and historical activity across SIEM, EDR, identity, cloud, email, and other security systems?**

We have customers running **15 data sources at once** - a classic shape is Elastic as SIEM, CrowdStrike for EDR, Proofpoint for email, Netskope for ZTNA, Entra for identity. Collecting the alerts is the easy part. The hard part is **autonomously enriching** each one with context drawn from every source, plus alert history, prior investigations, and business context, to reach a verdict without an analyst touching the keyboard.

**3. Does the platform maintain a continuously updated context model or "single source of truth" for the SOC environment?**

A unified data layer holds all investigation state and context, so every agent begins a new investigation already current - no re-hydration step, no stale snapshot.

**4. Does the solution provide native case management, investigation timelines, and cross-tool evidence correlation?**

TandemTrace installs as an all-in-one SOC or slots in alongside what you already run. The AI does enough of the work that the analyst is left with the two things that actually need a human - **decision and response**. Agents are reachable directly through our MCP (Model Context Protocol) server, so you don't have to be a query expert anymore.

## 2. Memory & continuous learning

**5. Can the AI reference prior investigations, analyst decisions, and case outcomes when evaluating new alerts?**

Every new alert is evaluated against old alerts, analyst comments, and prior decisions. And unlike a SOAR, you don't hand-engineer a pipeline for each process - the entire underlying data pipeline ships built in, out of the box.

**6. Does the platform maintain persistent organizational memory so analyst decisions improve future investigations and verdicts?**

Analyst judgment is stored and reused across every AI pipeline. Nobody re-types the same comment and the same conviction on every new investigation - the platform carries it forward.

**7. Can the AI explain which prior cases, decisions, or historical patterns influenced a recommendation or verdict?**

Our agents connect the dots autonomously on every investigation. The philosophy isn't to wait for an analyst to ask - it's to answer the question before they think to ask it. Proactive follow-up is one prompt away through the AI modules.

**8. Does the platform learn from analyst feedback, verdict changes, investigation outcomes, and case resolutions to calibrate confidence and improve future decisions?**

Yes - 24/7 autonomous loops calibrated on history, context, and both old and new investigations. Feedback isn't a quarterly retraining event; it's the running state of the system.

## 3. Autonomy & automated response

**9. Does the platform go beyond triage to autonomously investigate, contain, remediate, and close incidents?**

All of it - but the bigger shift is that we're not bound to the one-incident-at-a-time paradigm. The new paradigm is to contain a threat autonomously whether it shows up as **one alert or a hundred**, whether it's hunting-driven or analyst-driven. Response plugs into whatever you run - identity management, XDR, and the rest.

**10. Can the AI dynamically update cases in real time, adapting a plan from autonomy to escalation on the fly when a threshold is met?**

Same machinery as above - thresholds are evaluated continuously against history and context, and a plan escalates the moment one is crossed. There's no batch window between "autonomous" and "hand it to a human."

**11. Does the platform enable "human-on-the-loop" operations, where analysts intervene only when needed instead of manually driving every workflow?**

By default, TandemTrace is fully autonomous for investigation and hunting - the point is to give analysts back their cognitive bandwidth and refocus the SOC on decision and response. Human-*in*-the-loop is configurable per scenario; that's the team's call, not ours.

**12. Does the platform support adjustable autonomy levels based on severity, confidence, business context, or risk tolerance?**

Fully adjustable. Run it **read-only** for investigations, or in **full response mode** for autonomous mitigation - set per scenario, per severity, per your risk tolerance.
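Questions 10 through 12 describe the same mechanism from three angles: a ceiling per scenario, thresholds on severity and confidence, business context as an override, and a plan that is re-evaluated every time new evidence arrives. Here is a minimal policy gate that makes those rules concrete. This is an added illustration written for this page, not TandemTrace's code; the scenario names, thresholds and the `Mode`/`ScenarioPolicy`/`Plan` names are constructed for the example.

```python
"""Policy gate for adjustable autonomy: scenario, severity, confidence and
business context decide whether an agent acts, watches, or hands off."""
from dataclasses import dataclass, field
from enum import Enum


class Mode(str, Enum):
    READ_ONLY = "read_only"    # investigate and cite evidence, never touch production
    AUTONOMOUS = "autonomous"  # contain without waiting for a human
    ESCALATE = "escalate"      # stop acting, hand the plan to an analyst


@dataclass(frozen=True)
class ScenarioPolicy:
    ceiling: Mode              # the most the agent may ever do in this scenario
    min_confidence: float      # below this the agent does not act on its own
    escalate_at_severity: int  # at or above this a human decides, whatever the ceiling


# Constructed sample policy table (hypothetical scenario names and thresholds).
POLICIES = {
    "phishing-credential": ScenarioPolicy(Mode.AUTONOMOUS, 0.90, 9),
    "lateral-movement":    ScenarioPolicy(Mode.AUTONOMOUS, 0.95, 8),
    "cloud-iam-change":    ScenarioPolicy(Mode.READ_ONLY,  0.80, 7),
}


def decide(scenario: str, severity: int, confidence: float,
           business_critical: bool = False) -> Mode:
    """Map one evaluation of a threat to an autonomy mode.

    Order matters: the severity gate and the business-context gate win over
    everything, so even a read-only scenario escalates when the blast radius
    is large; the ceiling then caps what is left; confidence decides last.
    """
    p = POLICIES[scenario]
    if severity >= p.escalate_at_severity or business_critical:
        return Mode.ESCALATE
    if p.ceiling is Mode.READ_ONLY:
        return Mode.READ_ONLY
    if confidence < p.min_confidence:
        return Mode.ESCALATE
    return Mode.AUTONOMOUS


@dataclass
class Plan:
    """A live response plan that is re-evaluated every time evidence changes."""
    scenario: str
    severity: int
    confidence: float
    business_critical: bool = False
    transitions: list = field(default_factory=list)

    def __post_init__(self):
        self.mode = decide(self.scenario, self.severity, self.confidence,
                           self.business_critical)
        self.transitions.append(self.mode)

    def update(self, *, severity=None, confidence=None,
               business_critical=None) -> Mode:
        """Fold new evidence in and return the (possibly changed) mode."""
        if severity is not None:
            self.severity = severity
        if confidence is not None:
            self.confidence = confidence
        if business_critical is not None:
            self.business_critical = business_critical
        new_mode = decide(self.scenario, self.severity, self.confidence,
                          self.business_critical)
        if new_mode is not self.mode:
            self.transitions.append(new_mode)
        self.mode = new_mode
        return new_mode


def demo() -> list:
    """Walk one plan from autonomous containment to escalation as severity climbs."""
    plan = Plan("lateral-movement", severity=5, confidence=0.97)
    plan.update(confidence=0.98)   # more evidence, same mode
    plan.update(severity=8)        # crosses the severity gate: human decides now
    return plan.transitions


if __name__ == "__main__":
    print([m.value for m in demo()])
```

The order of the checks is the part worth asking a vendor about: a business-critical asset or a severity above the gate must be able to pull a plan out of autonomous mode even when the model is confident, and a read-only ceiling must be enforced before confidence is consulted, otherwise a confident agent in a read-only scenario can still act.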

## 4. Customization & access control

**13. Can analysts customize agent behavior, workflows, permissions, escalation boundaries, and operational objectives?**

You can tune the operational behavior - and there's a dedicated security AI pipeline underneath it, built specifically to prevent fatal analysis errors and hallucination failure modes. Customization doesn't come at the cost of guardrails.

**14. Can analysts use natural language to build and customize AI agents, workflows, permissions, and objectives?**

Yes - ad-hoc or permanent agent workflows for hunting and investigation, built in natural language.

**15. Can AI agents access only the systems, data, and tools explicitly authorized by administrators?**

Each connected data source has its own scope boundary. Every API call is rate-limited so we never impact your production systems, and every API call and data request can be logged for full visibility.

**16. Does the platform include enterprise-grade RBAC, governance controls, approval workflows, and policy guardrails?**

Full RBAC, granular user permissions, and local / OAuth / SAML authentication.

## 5. Transparency & auditability

**17. Can the AI explain its reasoning for every verdict, recommendation, escalation, and action?**

Full visibility into the AI's thinking and its results - rendered differently depending on who's looking - with proactive follow-up on tap if you want the agent to dig further into any step.

**18. Are all AI actions, reasoning chains, overrides, and outputs captured in immutable audit logs?**

The system can be configured for full local logging and observability at enterprise grade - the reasoning chain and every action are captured, not just the final verdict.
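"Immutable" is the word in the question that deserves a follow-up: a log the agent itself can rewrite is not evidence. The usual way to make an agent's trail tamper-evident is to hash-chain the records and anchor the head hash somewhere the agent cannot write (a SIEM, a WORM bucket, the ticket). The following is an added illustration of that pattern, not TandemTrace's logging code; the investigation records, actor names and `AuditChain` API are constructed for the example.

```python
"""Tamper-evident audit chain for agent actions, reasoning steps and analyst overrides."""
import hashlib
import json
from typing import Any, Optional, Tuple

GENESIS = "0" * 64  # previous-hash value of the first record


def _digest(record: dict) -> str:
    """SHA-256 over a canonical JSON encoding so the hash is stable across writers."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


class AuditChain:
    def __init__(self) -> None:
        self.entries: list = []

    def append(self, actor: str, kind: str, payload: Any) -> str:
        """Record one event; each record commits to the hash of the one before it."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "actor": actor,
                "kind": kind, "payload": payload, "prev": prev}
        entry = dict(body, hash=_digest(body))
        self.entries.append(entry)
        return entry["hash"]

    def head(self) -> str:
        """Hash of the last record: the value to ship to an external, append-only store."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self, expected_head: Optional[str] = None) -> Tuple[bool, int]:
        """Return (ok, index): ok is False at the first record that breaks the chain.

        With an externally anchored head, a truncated chain is caught too: it is
        internally consistent but its head no longer matches the anchor.
        """
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if (body.get("seq") != i or body.get("prev") != prev
                    or _digest(body) != entry["hash"]):
                return False, i
            prev = entry["hash"]
        if expected_head is not None and prev != expected_head:
            return False, len(self.entries)
        return True, len(self.entries)


def sample_investigation() -> AuditChain:
    """Constructed investigation trail, not real product output."""
    chain = AuditChain()
    chain.append("agent:triage", "reasoning",
                 {"step": 1, "note": "5 alerts share user u.doe and src 10.0.8.14; clustering"})
    chain.append("agent:triage", "reasoning",
                 {"step": 2, "note": "EDR shows credential dump on WS-0142; confidence 0.96"})
    chain.append("agent:response", "action",
                 {"tool": "identity.disable_session", "target": "u.doe", "result": "ok"})
    chain.append("analyst:m.rivera", "override",
                 {"verdict_from": "malicious", "verdict_to": "benign",
                  "reason": "authorised red-team exercise, ticket RT-2026-07"})
    return chain


def tamper_demo() -> Tuple[int, int]:
    """Show both failure modes: an edited record and a silently dropped one."""
    chain = sample_investigation()
    anchored = chain.head()                         # what was shipped off-box
    chain.entries[2]["payload"]["result"] = "denied"  # rewrite the action's outcome
    _, edited_at = chain.verify(anchored)
    chain2 = sample_investigation()
    chain2.entries.pop()                            # drop the analyst override entirely
    _, truncated_at = chain2.verify(anchored)
    return edited_at, truncated_at


if __name__ == "__main__":
    print(sample_investigation().verify(), tamper_demo())
```

The check to run against any vendor's "immutable" claim is the second half of `tamper_demo`: without an anchor outside the agent's reach, deleting the last record leaves a chain that still verifies. Ask where the head hash goes and who holds write access to that destination.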

## 6. Enterprise scale & proven impact

**19. Can the platform reliably operate at enterprise scale - high alert volumes, real-time response, multi-tenancy, segmentation, and data residency?**

Customers worldwide, tens of thousands of endpoints, genuinely complex production networks, and a long tail of security-product integrations running side by side. Scale isn't a roadmap item.

**20. Can the platform prove operational impact - MTTR reduction, case closure rates, analyst time recovered, false-positive elimination - with the metrics a CISO takes to the board?**

MTTD / MTTR and whatever other metrics the SOC wants to track, surfaced in the UI and in reports built for exactly that board conversation.

## Five questions the checklist skips

Torq's twenty are good. They're also, conveniently, twenty questions a mature-sounding vendor can answer "yes" to in a boardroom without committing to a number. Here are five more we'd hand any buyer - the ones where a vague answer and a real one sound completely different. Ours come with the figures attached.

**21. What does one full autonomous investigation cost - and how fast, end to end, when 20 related alerts collapse into a single case?**

On average, TandemTrace clusters a full storm of related alerts into a single investigation and returns a cited verdict in **under two minutes**, for **about $0.10**. Ask every vendor for per-investigation cost and end-to-end latency *in writing* - most will quote you a seat price instead, because the per-verdict economics don't always survive daylight.

**22. How long from POC to full production - and how much engineer and operator time does it actually take?**

Zero to one in **under two hours**: multiple sources connected and the AI agents fully live in production mode. No quarter-long pipeline-engineering project, no professional-services line item standing between you and the first verdict.

**23. Can it be installed on-premises? Private cloud? Public cloud?**

All three. TandemTrace is environment-agnostic - deploy it on-premises, in your private cloud, or run it as SaaS on our managed cloud. Same product; **you decide where the data lives.**

**24. Can it work with different AI models - one or several at once, on your own inference?**

Yes. Point it at your own LLM API and inference, and configure multiple providers as a **hot-swap interface** for backup and failover. You're not welded to a single model, or to one vendor's rate limits and outages.

**25. Out-of-the-box AI threat hunting, or only proactive tools an analyst has to drive?**

Hundreds of **adaptive** AI threat-hunting scenarios that fire off the data in the environment - not hunts a SOC analyst has to launch by hand. The system hunts on its own, continuously, and shapes each hunt to what it's actually seeing.

## The real apocalypse

The only apocalypse worth the name isn't a marketing theme - it's the wave of AI-driven attacks already aimed at the organizations least ready for them. Adversaries now operate at a speed the industry has never seen, and no security team has the luxury of waiting. The moment attacks began unfolding in seconds and minutes instead of days, AI defense stopped being optional.

Every old paradigm was built for a slower world: one ticket per alert, a human in front of every verdict, a quarter to stand up a tool. That world is gone. Defense now has to move at the speed of the attack - in seconds and minutes - and the teams that make it through are the ones willing to change faster than the threat does.

> The attacks already moved to machine speed. Defense has to move with them - in seconds and minutes, not tickets and days.

TandemTrace was built for that clock: raw alerts to a cited verdict in **under two minutes**, autonomous by default, live in **under two hours**. Bring your noisiest week - [request a demo](https://tandemtrace.ai/#demo) and see what defending at machine speed actually looks like, then read how the layer underneath it works in [The AI model is rented. TandemTrace's ontology isn't.](https://tandemtrace.ai/blog/t2-ontology.md)

---

Corrections, counter-answers, and "you missed a question" notes welcome: hello@tandemtrace.ai

*Canonical URL: https://tandemtrace.ai/blog/ai-soc-25-questions*
