Closing the Context Gap: How Reco and Torq Automate the "Risky Employee" Investigation


In the modern SOC, time and context are the scarcest resources. Security analysts are often tasked with a nearly impossible challenge: take a vague signal—a suspicion about an employee, a confusing alert, or a tip-off—and manually stitch together a complete picture of risk across dozens of fragmented tools.
But today, that picture is messier than ever. The attack surface has exploded with the rise of AI agent sprawl and Shadow AI. It is no longer just about tracking human users; it is about monitoring a vast, decentralized fleet of non-human agents that read, write, and execute actions across your SaaS ecosystem.
Is this employee actually exfiltrating data, or just feeding proprietary code into an unsanctioned LLM? Is that "unauthorized activity" a malicious insider, or a runaway AI agent with excessive permissions? Answering these questions requires deep visibility into all SaaS identities—human and machine—along with a granular understanding of SaaS events and data movement.
At Reco, we believe the future of security operations isn't just about better alerts—it’s about autonomous, agent-to-agent collaboration. Today, we’re sharing a powerful workflow we built with Torq that demonstrates exactly how this future looks.
The Use Case: The "Risky Employee" Investigation
Imagine a scenario every security team fears: an employee is flagged as "risky." Perhaps there’s an indication they are sharing confidential information externally, or maybe they’ve been flagged for unauthorized activity on critical company applications.
In a traditional workflow, an analyst would spend hours manually querying logs, checking cloud permissions, and reviewing DLP alerts.
In our Agent-to-Agent workflow, this entire investigation is handled autonomously, in seconds. Here is how the Torq Hypersoc agent orchestrates Reco, as well as other security tools such as DLP, cloud security, EDR, SASE, and more, to deliver a final verdict.
Step 1: The Trigger
The workflow begins simply. The customer enters the suspected employee’s email address into the system. This single input kicks off a chain reaction of automated workflows designed to build a 360-degree view of that identity.
Step 2: Reco Provides the SaaS & Identity Context
The workflow immediately calls on Reco. Because Reco’s Identity Interaction Graph understands the complete context of user behavior, we don't just return raw logs. We provide a curated intelligence package:
- AI Identity Summary: A generative AI-driven synopsis of the user’s typical behavior versus recent anomalies.
- Raw SaaS Events: A timeline of recent actions across the SaaS ecosystem.
- Active Alerts: Any existing security flags associated with that user.
This step is critical. Without Reco, the Hyperagent would just have "activity." With Reco, it has context.
Step 3: Cross-Stack Enrichment
SaaS is only one piece of the puzzle. To be truly comprehensive, the workflow can simultaneously poll other specialized tools:
- Cloud Security: Does this user have toxic combinations of permissions in AWS or Azure? Are they accessing sensitive cloud assets?
- Data Loss Prevention: Has this user moved sensitive files to USB drives or personal cloud storage?
- Endpoint Detection & Response (EDR): We interrogate the endpoint to gather more data. Is the user’s device acting strangely? Are there unauthorized scripts running to scrape data? Did they recently install unapproved software or disable local security controls?
- Secure Access Service Edge (SASE): We analyze network context through other platforms. Is the user bypassing the corporate VPN? Are they accessing high-risk, unsanctioned web categories or uploading encrypted files to unknown destinations?
This demonstrates the power of an open ecosystem. By ingesting data from the endpoint (EDR), the network (SASE), the cloud (CNAPP), and the data layer (DLP), the Hyperagent eliminates blind spots and builds a verdict based on facts, not just alerts.
Step 4: The Hyperagent Verdict
This is where the magic happens. The Torq Hypersoc agent acts as the central brain. It ingests the deep identity context and behavioral baselines from Reco, combines them with cloud posture data from your CNAPP, and correlates data movement logs from your DLP and endpoint solutions.
Using this synthesized data, the Hyperagent applies advanced logic to determine:
- Is the suspicion correct? (True/False)
- What is the confidence level? (High/Medium/Low)
- The Reasoning: A clear, natural-language explanation of why the verdict was reached.
Example Verdict: "High confidence of risk: User downloaded sensitive blueprints from Salesforce (verified by Reco) and uploaded them to a personal drive (detected by DLP) immediately after an unusual login location (flagged by Reco). Cloud admin privileges are present, increasing potential blast radius."
Why This Matters
This workflow represents a fundamental shift in how we secure the enterprise. By enabling Agent-to-Agent collaboration, we are moving beyond disjointed alerts and into the era of autonomous investigations.
- Reducing MTTR: Investigations that once took analysts hours of manual cross-referencing now happen in seconds.
- Eliminating False Positives: By correlating SaaS identity context with the whole security stack, we filter out noise with high precision.
- Empowering Analysts: Instead of chasing data, analysts are presented with a finished investigation and a recommended verdict, allowing them to focus on remediation and strategy.
The Reco Difference
While traditional tools see events (a file move, a login, a permission change), Reco sees the identity behind them. The Torq Hypersoc agent is powerful, but it relies on high-quality fuel. Reco provides that fuel by delivering the deep, identity-centric context—who the user is, their peer groups, their typical behaviors, and their true risk level—that other tools simply miss.
When you combine Reco’s identity intelligence with the orchestration power of Torq, you aren't just finding risks—you're solving them with confidence.
Want to see this workflow in action? Join Reco and Torq on April 15th for a live webinar, Crush Insider Threats: Agent-to-Agent Security with Reco and Torq, where we'll demo how AI agents autonomously investigate flagged users and deliver confident verdicts in seconds — register here.

Yaniv Blum
ABOUT THE AUTHOR
Yaniv Blum is a Product Manager at Reco, where he focuses on SaaS identity security and integrations. He brings a strong technical foundation from prior roles in cloud security engineering at Wiz and Dome9 Security, where he worked on security and compliance automation across cloud environments.

