Security analysts were missing critical alerts in a noisy, fragmented triage workflow. I redesigned the alert pipeline around consolidated incident views and risk-based scoring.
Role
Lead Product Designer
Company
SecureVault — Enterprise cybersecurity SaaS
Platform
Web · iOS · Android
Duration
10 months
01
SecureVault is an enterprise cybersecurity SaaS platform where security analysts triage incidents 24/7 across multiple tools. I led a 10-month redesign of the alert pipeline — consolidating surfaces, introducing risk-based scoring, and shipping a unified design system across Web, iOS, and Android. Three headline outcomes:
−32%
Time-to-triage critical alerts
+18%
Analyst satisfaction with workflows
Fewer
Missed critical incidents (qualitative, 60 days post-launch)
02
Security analysts at SecureVault triaged across three separate tools. High alert volume — 200+ alerts per shift — led to missed or delayed responses. The pain surfaced as inconsistent data states, slow decision-making, and audit gaps.
Current environment
Existing alert engine only
We couldn't change the upstream detection or scoring engine. The redesign had to make better use of signals already produced, not invent new ones.
24/7 SOC operations — zero-downtime deploys
SecureVault ran live client SOC operations continuously. The redesign had to ship incrementally — no big-bang cutover, no disruption to running shifts.
Strict compliance
Must meet audit and regulatory requirements — every action traceable, every state change logged, every notification policy explicit.
Limited analyst time
Senior analysts only spare 1-3 hours per week for research and validation. Every contextual inquiry and usability session had to be tightly scoped.
03
Collaborated closely with PM, Engineering Lead, and SOC managers to map current workflows, validate concepts, and refine designs based on real user feedback.
Discovery Studio
Workshop with PM, SOC lead, and Engineering Lead to align on risks, constraints, and success metrics.
Contextual inquiries
Observed 6 frontline analysts handling live incidents to capture workflow patterns and pain points.
Usability testing
Two rounds of testing on interactive prototypes to capture robust feedback and refine interaction details.
The following screens are representative mockups created for portfolio purposes. Original interface designs remain confidential under a mutual NDA with the client organisation.
Consolidate alerts into a single incident view
Reduced context-switching by integrating all relevant information — live actions on one screen, aligned with analysts' mental models.
Trade-offs
Accepted a denser interface to minimise navigation overhead. Ran multiple rapid prototyping sessions and design critiques to optimise information density.
Impact
Enabled leaner triage and improved audit log accuracy.
Allow critical alerts to break through Do-Not-Disturb
Integrated filtering to surface urgent security alerts even when analyst devices were in Do-Not-Disturb mode — to avoid missed critical incidents.
Trade-offs
Required users to configure notification preferences explicitly. Implemented clear escalation design patterns to set expectations appropriately.
Impact
Ensured timely alert delivery to mobile SOC analysts, reducing the risk of missed critical alerts.
Visually separate alerts from routine pushes
Developed a distinct visual language using colour, iconography, and typography to separate security alert notifications from routine system pushes — while respecting existing design system consistency.
Trade-offs
Carefully balanced user fatigue and contrast — alerts had to be clearly distinguished from routine productivity notifications.
Impact
Improved analyst ability to prioritise and respond appropriately, increasing overall efficiency.
04
| Metric | Before | After | Change / Impact |
|---|---|---|---|
| Median time-to-triage critical alerts | 25–30 mins | 17 mins | Reduced by 32% — faster response to high-severity incidents |
| Analyst satisfaction with triage workflows | 3.2 / 5 | 3.8 / 5 | Improved by 19% — cleaner workflows and reduced cognitive load |
| Missed critical incidents (qualitative) | Frequent escalations due to missed alerts | Fewer escalations reported | SOC lead reports noticeable reduction; ongoing monitoring in place |
| Cross-platform consistency (qualitative) | Fragmented design system, ~15 inconsistent components | Unified system — 60+ components, 180+ semantic tokens | Platform-consistent UI, reduced dev rework across iOS, Android, Web |
Validation
I no longer have to scroll the whole queue — what's marked urgent is right at the top, every time.
Analyst — post-pilot debrief
It's much easier to see what's first and there's clear options available now.
Ryan — Analyst
I wasn't sure about crosspath whether to do my signup or by phone.
Wendy — pre-launch usability test
05
The redesign shipped what it set out to ship — but with hindsight there are three calls I'd make differently next time.
Early task mapping was too module-focused
Spent early research mapping features rather than starting from business outcomes. Starting from "what does a successful analyst shift look like?" would have focused the brief faster.
Limited usability testing
Only two rounds with 5 participants each. With more time I'd push for broader recruitment — including night-shift analysts and contractors with different fatigue profiles.
Would explore predictive analytics for proactive detection
The redesign was reactive — consolidating existing alerts. A meaningful next step would be ML-assisted alert scoring to surface likely-critical items before analysts open them.
Treat contexts as a first-class design object
State, role, and shift context aren't engineering details — they're the primary design material for any workflow product. Design navigation, content visibility, and available actions around context first.
Systems over single screens
60+ components and 180+ semantic tokens beat any single hero screen. A shared system survives scope changes, release trains, and personnel turnover; one-off screens don't.
Make AI safe and explainable
Risk scoring and prioritisation that affect critical decisions need to be inspectable. Confidence labels, explicit thresholds, and clear escalation patterns turn opaque scoring into something analysts can trust and audit.
Happy to share additional artefacts, walk through the risk scoring and consolidated incident view in detail, or talk through how this would apply to your product.