ORION Security and Torq Close the Loop on Data Loss Prevention in the AI Era

The ORION and Torq integration brings AI-native DLP alerts directly into SOAR workflows, giving security teams the context they need to automate response without manual triage.

Key Takeaways:

  • The ORION and Torq integration brings AI-native DLP alerts into SOAR workflows.
  • ORION’s alerts arrive in Torq’s AI SOC with data lineage, classification, and user context already attached.
  • Playbooks fire on real incidents without waiting for human triage.
  • Security teams get automated response coverage for the data loss scenarios policies can’t catch, including AI tool usage, shadow data movement, and insider risk.

Security teams need alerts that keep pace with AI tool adoption across their organization, and response infrastructure that can act on them. That combination has been hard to find.

The alert side and the response side typically operate in separate worlds, connected at best by a noisy signal that requires human intervention before any playbook can reasonably fire.

ORION Security prevents data loss by understanding how data actually moves, not just what it contains. Our AI-native platform uses context across every source and surface to understand behavior, rather than relying on rigid, predetermined rulesets. And now, security teams have a direct way to act on those alerts inside the tools where they already work.

With today’s alliance announcement, ORION’s automatic alerts now land directly in Torq’s AI SOC. Teams can build agentic playbooks around alerts, decide how to respond, and let Torq execute that response, whether automated, human-reviewed, or somewhere in between.

ORION and Torq Apply AI at the Foundation

Legacy security orchestration, automation, and response (SOAR) failed because the playbooks could only automate what humans already anticipated. The moment an incident demanded judgment, contextual reasoning, signal correlation, and prioritization under ambiguity, traditional SOAR hit a wall. The cognitive load stayed with analysts, and alert volume scaled faster than headcount.

Torq’s view is that the bottleneck isn’t automation, it’s intelligence, so it built its security operations center (SOC) around agentic AI. Rather than pattern-matching incidents to templates, it reasons through them autonomously. Torq’s AI agents investigate, triage, and remediate in real time, handling the decision loop from alert to response without waiting for human intervention.

We founded ORION on the same diagnosis applied to data loss prevention (DLP). The problem was never that security teams were writing the wrong rules; it was that rules, by definition, can only catch what someone had already anticipated. That doesn’t include sensitive data moving through a new AI tool, an agentic workflow accessing files it never touched before, or an employee using a browser extension that nobody thought to block. 

Legacy DLP doesn’t produce a signal until a rule exists for it, which doesn’t work in a world where the ways data can leave an organization are multiplying faster than any policy team can keep up. That is a structural failure, not an implementation one. That’s why we built an alert engine that starts from behavior rather than policy.

Two hard problems, one architectural answer: apply AI at the foundation, not as a layer on top. That’s what this alliance with Torq is all about.

How ORION’s Behavioral-Context Alerts Work

Most alert tools that feed into a SOAR send rule-matched alerts: something tripped a condition, and here is the condition that tripped. That works fine until the data loss doesn’t match any rule anyone wrote, which is increasingly the case in environments adopting AI tools faster than security teams can write policy for them.

ORION doesn’t start from rules. Our platform models how data moves across your environment, learns what normal looks like for your specific users and applications, and flags deviations from that baseline. When a shadow AI tool appears, or an agentic workflow starts touching files it has never accessed before, or an employee moves data through a channel no policy covers, ORION catches it because the behavior is outside of normal business context. 

That is what lands in Torq: alerts with real behavioral context behind them, not just a matched condition and a severity score.

| Rule-based Alert into Torq | ORION’s Alerts into Torq |
|---|---|
| Alert is defined by what was anticipated when the rule was written. | Alert is continuous and learns from your environment. |
| New channels require new rules before detection begins. | New channels are covered by behavioral baseline from the moment they appear. |
| Payload contains the matched condition. Context requires manual enrichment. | Payload includes behavioral context, risk score, and trigger reason. Teams can act on it immediately. |
| False positive rate degrades as the environment changes and rules fall out of sync. | The model learns as the environment changes. Signal quality improves over time. |

What ORION Passes to Torq

When ORION detects a data loss event, it sends a structured payload to Torq. That payload is what gives Torq’s playbooks something meaningful to work with.

| Field | What It Captures | How Torq Uses It |
|---|---|---|
| alert_type | Whether the event was an AI-based behavioral alert, a policy-based rule violation, or an action already taken by ORION. | Teams use this to decide whether Torq should investigate, respond, or simply log and confirm. |
| source | The origin of the data loss event: endpoint, cloud application, email, managed SaaS connector, or agentic workflow. | Routes to the right playbook for that environment. |
| trigger_reason | The specific reason ORION flagged the event: AI model classification, behavioral anomaly, pattern match, or policy rule. | Lets teams build playbooks around alert logic rather than just severity level. |
| context | User identity, data classification, risk score, and correlated behavioral signal. | Provides what a Tier 1 analyst would otherwise need to gather before a playbook could reasonably fire. |

Better Signals, Smarter Response

Torq is already where security teams manage response logic. ORION gives it signals worth acting on.

When an ORION alert fires, it lands in Torq’s AI SOC like any other alert, but with the context most DLP signals lack: source, type, and the precise reason it triggered. That structured context means Torq’s agentic playbooks can route, triage, and respond autonomously.

From there, teams control the response posture: full autonomous remediation, a human-in-the-loop checkpoint, a targeted notification, or any combination. Teams who’ve already built response logic around DLP events can wire ORION’s alerts directly into existing playbooks and watch the loop close automatically. For teams starting from scratch, our platform delivers accurate alerts you can build around immediately.
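The routing decision described above, sketched as an added example (not ORION or Torq code): it takes the four payload fields from the table and picks a playbook and response posture, failing closed to human review when the payload is incomplete. The value strings, nested context keys, playbook names, 0-100 risk scale, and the type-to-posture mapping are all assumptions, since this page does not publish the schema.

```python
# Added example. Field names come from the payload table; every value string,
# context key, playbook name and the 0-100 risk scale is an assumption.
ALERT_TYPES = {"behavioral": "investigate", "policy_violation": "respond",
               "action_taken": "log-and-confirm"}
SOURCES = {"endpoint", "cloud_app", "email", "saas_connector", "agentic_workflow"}
CONTEXT_KEYS = ("user", "data_classification")

def route(alert, auto_threshold=80):
    """Return the playbook and response posture for one decoded alert payload."""
    ctx = alert.get("context")
    ctx = ctx if isinstance(ctx, dict) else {}
    kind, source, score = alert.get("alert_type"), alert.get("source"), ctx.get("risk_score")
    problems = [f"context.{k}" for k in CONTEXT_KEYS if k not in ctx]
    if not (isinstance(kind, str) and kind in ALERT_TYPES):
        problems.append("alert_type")
    if not (isinstance(source, str) and source in SOURCES):
        problems.append("source")
    if not isinstance(alert.get("trigger_reason"), str):
        problems.append("trigger_reason")
    if isinstance(score, bool) or not isinstance(score, (int, float)) or not 0 <= score <= 100:
        problems.append("context.risk_score")
    if problems:
        # Fail closed: a malformed payload never drives automated remediation.
        return {"playbook": "dlp/manual-triage", "posture": "human_review",
                "why": sorted(problems)}
    action = ALERT_TYPES[kind]
    if action == "log-and-confirm":
        posture = "notify"          # ORION already acted; record and confirm
    elif action == "respond" or score >= auto_threshold:
        posture = "autonomous"      # explicit policy hit, or high-risk anomaly
    else:
        posture = "human_review"    # lower-risk behavioral signal gets a checkpoint
    return {"playbook": f"dlp/{source}/{action}", "posture": posture,
            "why": [alert["trigger_reason"]]}

SAMPLES = [  # constructed payloads, not captured ORION output
    {"alert_type": "behavioral", "source": "agentic_workflow",
     "trigger_reason": "behavioral_anomaly",
     "context": {"user": "svc-agent-7", "data_classification": "confidential", "risk_score": 91}},
    {"alert_type": "behavioral", "source": "endpoint",
     "trigger_reason": "ai_model_classification",
     "context": {"user": "a.lee", "data_classification": "internal", "risk_score": 42}},
    {"alert_type": "action_taken", "source": "email", "trigger_reason": "policy_rule",
     "context": {"user": "b.kim", "data_classification": "pii", "risk_score": 70}},
    {"alert_type": "behavioral", "source": "endpoint", "trigger_reason": "behavioral_anomaly"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(route(sample))
```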

What This Means for Security Teams

The real cost of broken DLP is not just the incidents it misses. It is what it does to the team around it. 

When detection is noisy, analysts spend their days triaging alerts that go nowhere. When policies need constant upkeep, engineers are perpetually one new tool or workflow behind. When the business asks whether they can roll out a new AI platform, the answer from a team stretched by inadequate tooling is often a slow no, or a reluctant yes with no real visibility into what happens to the data afterward.

Having ORION alerts available in Torq changes what security teams can do with their response posture. Instead of building playbooks around the limited signal that most DLP tools produce, teams can build around what actually happened: the behavior, source, and reason it was flagged. That specificity is what makes the difference between a SOAR that runs in production and one that sits underused because the signal feeding it was never good enough to trust.

For teams using ORION and Torq, here’s how this looks:

  • Alerts land in Torq with full context, source, trigger reason, and alert type, ready to trigger the right playbook without manual enrichment first.
  • Teams can create distinct response workflows for behavioral anomalies, policy violations, and actions already taken by ORION, rather than handling everything through a single generic DLP alert handler.
  • Because ORION detects from behavior, new AI tools, SaaS integrations, and agentic workflows are covered immediately.
  • When the signal is specific and the context is already there, teams can automate with confidence. The playbook knows what happened and doesn’t need to go find out first.

How to Get Started

The ORION and Torq integration is available to joint customers today through the Torq AMP alliance program. 

If you’re on ORION and want your alerts in Torq, or on Torq and want AI-native DLP signal in your SOC, request a demo to get started.
