Sentinel Cluster Icon

The Front Line in Cyber Defense

UX Design @ CounterTack

Hi-Res UX. Design artifacts to give our engineering team a clear understanding of the primary problems we're trying to solve, and to emphasize the importance of user-centric thinking in development.

Strategy. I kept things lo-res as well, sketching out thoughts on everything from data visualizations, workflows and iconography.

Collaboration. An early version of the map used to motivate and inform the engineering team of our purpose.

We had to go back to the drawing board to figure out how exactly our users could make full use of our product.

The technology was great, but we didn't really know how the product was being used, and we needed to step waaay back to get a look at not only what our users goals and pain points were, but who they were as well.

Customers & Users

One of the things we firmly understood from the beginning is that our product's users and our company's customers are different entities. Customers have two fundamental needs:

  1. Protect sensitive data
  2. Keep costs low

The first is a given, but the second is tricky. There are a few constraints Security Operations Centers ("SOCs", our customers) face in regard to hiring personnel, not least of which are the relative scarcity of security experts and the fact that they're expensive. SOCs, then, are forced to find shortcuts while not compromising the integrity of their data.

What companies need are smarter tools so less skilled personnel can perform rote tasks like identifying what is and is not a potential threat. That way, experts are need only when complex data forensics are needed.


The most common setup of every SOC is to employ three types of analyst: Tier 1 (Novice), Tier 2 (Intermediate) and Tier 3 (Expert). From this, we created three Analyst Personas to represent our core user-base and to create a canvas upon which to structure our strategy and research.

We knew that the upfront task of Tier 1 is to weed out False Positives and pass along anything that looks remotely threatening to Tier 2 and Tier 3 (the experts). Each analyst's goals will differ, but each will try and answer the same fundamental question:

"Do I understand enough about the data to make a decision?"

Until they can answer this question with confidence, they will keep digging through the data, looking for the signals they need.

Product Goals

The challenge for us was to develop a product that will give each user the tools to answer the above question while being empathetic to their respective skills and competencies.

Strategy & Opportunities

The product was already capable of sophisticated threat investigations, with great technology built to collect and organize large amounts of data, but there were major experience gaps in the user-facing product.

Essentially, customers were using our UI almost exclusively for its Search functionality, and then using our API to create their own workflows. Both solutions are great in their own right, but they each suffer from several "blind spots" in actually identifying threats.

To help cover those blind spots as well as stay competitive in the growing field of cyber-security solution providers, we needed to truly understand how users work.

The User Journey

We needed to step back and take a look at not only how users might use our product, but how they perform their jobs within the context of responding to security incidents within their organization.

From our sessions we discovered four macro phases that define their workflow:

  1. Identify
  2. Know
  3. Fix
  4. Verify

From the macro stage we were further able to tease out multiple micro stages that identified what the users goals were and what they might be thinking.

Task Analysis

It's always easy to just know what your users do and what they need:"Our users are security analysts who look for threats and eliminate them… duh!". Simple right? Unfortunately, too many organizations approach problems in exactly that way.

Understanding the patterns in which they operate is much more useful. This much is obvious to just about anyone, and clearly one could develop a gameplan from just that knowledge alone, but we needed more. We needed to understand how users behave in their natural environments.

Collect Data
Identify Potential Threats
Filter Data
Pivot Among Objects
Save Observations
Report Findings
Remediate Threats
Automate Alerts
Collect Data
Identify Potential Threats
Filter Data
Pivot Among Objects
Save Observations
Report Findings

This gave us a good jumping off point for identifying opportunities and figuring out which problems we would like to tackle first.


Not only did I learn alot about the troubles users were having with our product as it exists, but I learned a heck of a lot about who our users are and how they go about protecting the world's data every single day. Hint: It's a huge effort!

The strategies and implementation in the ensuing months further validated many of our assumptions about how to fix our navigational shortcomings and get closer to aligning with the user's mental model of how data could and should be displayed to enable browsing and discovery.

Sentinel Cluster Icon