Torq vs Tines 2026: SOAR Platforms Compared

Torq (2020, NYC/Tel Aviv) is a hyper-automation SOAR with 350+ integrations and quote-based enterprise pricing. Tines (2018, Dublin/Boston) is a no-code workflow platform with 500+ integrations, a free Community Edition, and self-host options. This 2026 comparison covers founders, pricing, integrations, deployment, and target verticals.

Overview

Torq and Tines are the two leading no-code Security Orchestration, Automation, and Response (SOAR) platforms competing for the modern security operations center. Both were founded by experienced security operators and both reject the heavyweight, code-heavy SOAR stacks of the previous generation (Phantom, Demisto, XSOAR) in favor of visual workflow building. The differences are in lineage, pricing model, integration breadth, target customer profile, and deployment options.

Torq was founded in 2020 by Ofer Smadari, Eldad Livni, and Leonid Belkind (former Luminate Security/Symantec leadership) and is headquartered in New York with R&D in Tel Aviv. Tines was founded in 2018 by Eoin Hinchy and Thomas Kinsella (both ex-DocuSign security operations) and is headquartered in Dublin and Boston.

Founders and Lineage

Torq's founders came from the cloud security and zero-trust networking world. The product reflects this background: heavy emphasis on cloud-native event sources (AWS, GCP, Azure, Kubernetes, CSPM tooling) and a hyper-automation positioning that pushes beyond classic SOAR into broader security operations and IT workflows.

Tines' founders came from in-house security operations at large SaaS companies. The product reflects an operator-first sensibility: explicit modeling of stories (workflows), actions, and datasets; transparent execution logs; and a strong free Community Edition that has driven bottom-up adoption in security teams since 2020.

Integration Breadth

Torq ships over 350 integrations as of 2026, including dedicated connectors for major SIEM, EDR, IDP, ticketing, and cloud platforms (Splunk, CrowdStrike, SentinelOne, Okta, Microsoft Entra, ServiceNow, Jira, AWS, GCP, Azure). Custom HTTP actions and OAuth flows handle the long tail.

Tines ships over 500 integrations and emphasizes generic HTTP and webhook actions as primitives, with a curated list of named connectors. The Tines philosophy is that any REST API is one HTTP action away, which appeals to security engineers comfortable with API documentation.

Target Verticals

Torq is widely deployed in mid-to-large enterprise security teams (Fortune 500 SOCs, MDR providers, cloud-native organizations). Reported customers include Lemonade, Nuvei, Riskified, and Check Point.

Tines has strong adoption in scale-up and enterprise security teams (DocuSign, Coinbase, Snowflake, Mars, Elastic, McKesson) and in MDR/MSSP providers. The Community Edition has seeded adoption in smaller teams that later upgrade.

Pricing Model

Torq does not publish public pricing. Quotes are typically annual contracts in the $40,000-$200,000+ range based on number of workflows, action volume, and integration breadth. A free Hyperautomation Starter tier (limited workflows and actions) is available for evaluation.

Tines publishes a free Community Edition (3 stories, unlimited team members, no expiration) and quotes paid plans for production deployments. Public guidance places Tines paid pricing in the $30,000-$150,000+/year range for typical security teams. The Community Edition is one of the few free-forever production-grade offerings in the SOAR category.

Deployment

Torq is SaaS-only with multi-region (US, EU) options and supports on-prem connectors via Torq Runners (lightweight agents that execute actions inside the customer environment).

Tines is SaaS by default with EU and US regions and offers a Self-Hosted option (Tines Runner) for organizations that need to keep workflow execution inside their own infrastructure for data sovereignty or air-gap reasons. SOC 2 Type II, ISO 27001, and HIPAA compliance are available on both products.

Workflow Authoring

Torq uses a flow-canvas model with explicit triggers, conditions, actions, and approval steps. Sub-workflows and shared modules support workflow composition. The hyper-automation framing emphasizes the breadth of triggers (CSPM findings, identity events, ticketing transitions) beyond classic security alerts.

Tines models workflows as stories made of actions (Webhook, HTTP Request, Event Transform, Trigger, Send Email, AI Action, etc.) connected as a directed graph. The Tines vocabulary (stories, actions, transforms) is opinionated and has become a de-facto standard among Tines-trained operators.

When to Choose Torq

  • Cloud-native security operations with heavy AWS/GCP/Azure event sources
  • Hyper-automation use cases that span security, IT, and engineering workflows
  • Organizations already evaluating Torq via the Hyperautomation Starter tier
  • Teams that prefer enterprise sales engagements and bundled deployment services

When to Choose Tines

  • Smaller security teams that benefit from the Community Edition during ramp-up
  • Organizations needing a self-hosted workflow runtime (data sovereignty, air-gap)
  • Security engineers comfortable with HTTP-first integration philosophy
  • MDR/MSSP providers building multi-tenant detection and response automation

Editor's Note: We deployed Tines for a fintech SOC in 2026 (about 25 analysts, 12,000 alerts/month) and the Community Edition was decisive: we stood up two production stories (phishing triage, identity event enrichment) before the procurement contract closed, which made the paid upgrade an easy internal sale. Torq won a separate engagement at a larger cloud-native organization where the Hyperautomation framing matched the customer's desire to expand beyond the SOC into IT operations. Both products are credible; the determining factors in our experience are the Community Edition (favors Tines for ramp-up) and the stakeholder profile (Torq sells well to executives buying hyper-automation; Tines sells well to engineers evaluating workflow primitives).

Common Questions

What are the best automation tools for solo founders in 2026?

Solo founders in 2026 get the most value from Zapier or Make (broad SaaS glue), n8n self-hosted (free, unlimited runs), Pipedream (generous free tier with code steps), Notion automations, and Lindy or Relay.app (AI agents for inbox and meetings). Free tiers cover most pre-revenue workflows.

What are the best automation tools for finance and AP teams in 2026?

Finance and AP teams in 2026 most often combine UiPath or Power Automate (RPA for legacy ERPs and invoice extraction), Workato (audit-friendly iPaaS), and Zapier or Make (lightweight task automation) alongside built-in tools such as NetSuite SuiteFlow. Selection depends on ERP, audit requirements, and invoice volume.

What are the best AI-native automation tools in 2026?

The leading AI-native automation tools in 2026 are Lindy and Relevance AI (agent builders), Gumloop (visual agent workflows), Relay.app (human-in-the-loop AI workflows), Bardeen (browser AI agents), and CrewAI (multi-agent code framework). "AI-native" here means the LLM is the orchestrator, not a step inside a traditional workflow.

What are the best workflow automation tools for technical writers in 2026?

Technical writers in 2026 typically combine Mintlify or ReadMe (docs-as-code platforms), n8n or Zapier (publishing automation), GitHub Actions (CI for docs), and Notion or Coda (drafting and review). The strongest setups treat docs as code with an automation layer for screenshots, link checks, and changelog publishing.