Enterprise SaaSCybersecurityHigh-risk / NOC

Reducing alert fatigue in a cybersecurity SaaS platform

Security analysts were missing critical alerts in a noisy, fragmented triage workflow. I redesigned the alert pipeline around consolidated incident views and risk-based scoring.

Screens and interface details in this case study are representative mockups. Original CYGNVS product UI is protected under a mutual NDA. All metrics shared with permission.

Role

Lead Product Designer

Company

SecureVault — Enterprise cybersecurity SaaS

Platform

Web · iOS · Android

Duration

10 months

01

Quick Brief

SecureVault is an enterprise cybersecurity SaaS platform where security analysts triage incidents 24/7 across multiple tools. I led a 10-month redesign of the alert pipeline — consolidating surfaces, introducing risk-based scoring, and shipping a unified design system across Web, iOS, and Android. Three headline outcomes:

−32%

Time-to-triage critical alerts

+18%

Analyst satisfaction with workflows

Fewer

Missed critical incidents (qualitative, 60 days post-launch)

02

The Problem

Analysts were drowning in alerts across three tools

Security analysts at SecureVault triaged across three separate tools. High alert volume — 200+ alerts per shift — led to missed or delayed responses. The pain surfaced as inconsistent data states, slow decision-making, and audit gaps.

Current environment

Three tools running separately, causing fragmented workflows and cognitive overload. Analysts switched between an alert queue, a comments thread, and a messaging channel — re-orienting every time — with no shared concept of incident state across surfaces.

Constraints

Existing alert engine only

We couldn't change the upstream detection or scoring engine. The redesign had to make better use of signals already produced, not invent new ones.

24/7 SOC operations — zero-downtime deploys

SecureVault ran live client SOC operations continuously. The redesign had to ship incrementally — no big-bang cutover, no disruption to running shifts.

Strict compliance

Must meet audit and regulatory requirements — every action traceable, every state change logged, every notification policy explicit.

Limited analyst time

Senior analysts only spare 1-3 hours per week for research and validation. Every contextual inquiry and usability session had to be tightly scoped.

03

The Approach

Collaborated closely with PM, Engineering Lead, and SOC managers to map current workflows, validate concepts, and refine designs based on real user feedback.

Key activities

01

Discovery Studio

Workshop with PM, SOC lead, and Engineering Lead to align on risks, constraints, and success metrics.

02

Contextual inquiries

Observed 6 frontline analysts handling live incidents to capture workflow patterns and pain points.

03

Usability testing

Two rounds of testing on interactive prototypes to capture robust feedback and refine interaction details.

Three key design decisions

The following screens are representative mockups created for portfolio purposes. Original interface designs remain confidential under a mutual NDA with the client organisation.

1

Consolidate alerts into a single incident view

Reduced context-switching by integrating all relevant information — live actions on one screen, aligned with analysts' mental models.

Trade-offs

Accepted a denser interface to minimise navigation overhead. Ran multiple rapid prototyping sessions and design critiques to optimise information density.

Impact

Enabled leaner triage and improved audit log accuracy.

2

Allow critical alerts to break through Do-Not-Disturb

Integrated filtering to surface urgent security alerts even when analyst devices were in Do-Not-Disturb mode — to avoid missed critical incidents.

Trade-offs

Required users to configure notification preferences explicitly. Implemented clear escalation design patterns to set expectations appropriately.

Impact

Ensured timely alert delivery to mobile SOC analysts, reducing the risk of missed critical alerts.

3

Visually separate alerts from routine pushes

Developed a distinct visual language using colour, iconography, and typography to separate security alert notifications from routine system pushes — while respecting existing design system consistency.

Trade-offs

Carefully balanced user fatigue and contrast — alerts had to be clearly distinguished from routine productivity notifications.

Impact

Improved analyst ability to prioritise and respond appropriately, increasing overall efficiency.

04

The Result

Before & after

MetricBeforeAfterChange / Impact
Median time-to-triage critical alerts25–30 mins17 minsReduced by 32% — faster response to high-severity incidents
Analyst satisfaction with triage workflows3.2 / 53.8 / 5Improved by 19% — cleaner workflows and reduced cognitive load
Missed critical incidents (qualitative)Frequent escalations due to missed alertsFewer escalations reportedSOC lead reports noticeable reduction; ongoing monitoring in place
Cross-platform consistency (qualitative)Fragmented design system, ~15 inconsistent componentsUnified system — 60+ components, 180+ semantic tokensPlatform-consistent UI, reduced dev rework across iOS, Android, Web

Validation

Data collected from production analytics and SOC operational reports approximately 8 weeks post-launch.

What users said

I no longer have to scroll the whole queue — what's marked urgent is right at the top, every time.

Analyst — post-pilot debrief

It's much easier to see what's first and there's clear options available now.

Ryan — Analyst

I wasn't sure about crosspath whether to do my signup or by phone.

Wendy — pre-launch usability test

05

What I'd Do Differently

The redesign shipped what it set out to ship — but with hindsight there are three calls I'd make differently next time.

1

Early task mapping was too module-focused

Spent early research mapping features rather than starting from business outcomes. Starting from "what does a successful analyst shift look like?" would have focused the brief faster.

2

Limited usability testing

Only two rounds with 5 participants each. With more time I'd push for broader recruitment — including night-shift analysts and contractors with different fatigue profiles.

3

Would explore predictive analytics for proactive detection

The redesign was reactive — consolidating existing alerts. A meaningful next step would be ML-assisted alert scoring to surface likely-critical items before analysts open them.

Related design principles in action

1

Treat contexts as a first-class design object

State, role, and shift context aren't engineering details — they're the primary design material for any workflow product. Design navigation, content visibility, and available actions around context first.

2

Systems over single screens

60+ components and 180+ semantic tokens beat any single hero screen. A shared system survives scope changes, release trains, and personnel turnover; one-off screens don't.

3

Make AI safe and explainable

Risk scoring and prioritisation that affect critical decisions need to be inspectable. Confidence labels, explicit thresholds, and clear escalation patterns turn opaque scoring into something analysts can trust and audit.

Want to walk through this case in more detail?

Happy to share additional artefacts, walk through the risk scoring and consolidated incident view in detail, or talk through how this would apply to your product.