● Enterprise Security · SOC Platform · Conceptual

Sentinel — Cybersecurity Operations Center UX

A self-initiated UX case study for Sentinel — an enterprise SOC platform designed around the analyst tier model. Detect, investigate, and respond faster by cutting alert noise and surfacing intelligence at the moment of decision.

Role: Sole UX / UI Designer Duration: 16 weeks Platform: Web desktop-first (dark) + mobile on-call Domain: Enterprise Cybersecurity / SIEM / SOAR Type: Conceptual · self-directed
ABOUT THIS CASE STUDY

Sentinel is a concept project, not a shipped product. All claims are grounded in public industry research — Splunk State of Security 2024, IBM Cost of a Data Breach 2024, Verizon DBIR 2024, CrowdStrike Global Threat Report 2024, Mandiant M-Trends 2024, ESG SOC Modernization Survey, NIST CSF 2.0, MITRE ATT&CK v15 — plus a heuristic audit of seven SIEM / SOAR products. Quantitative outcomes are projections against those benchmarks, not measured metrics. Full References at the end.

01 — Problem Space

SOC Analysts Are Drowning in Alerts

Security operations centres are critical infrastructure — yet they operate with tools built for log management, not for human decision-making under threat pressure.

$4.45M
average cost of a data breach (IBM 2023 Cost of Data Breach Report)
277d
mean time to identify and contain a breach (204 days to identify, 73 to contain): the detection half is the MTTD crisis
IBM Security · Ponemon Institute 2023
10K+
alerts per day in a mid-sized enterprise SOC — analysts review <5%
ESG SOC Analyst Survey 2022

The Alert Overload Crisis

70% of SOC analysts report being emotionally affected by alert fatigue — the constant flood of notifications causes desensitisation to real threats.
Enterprise Strategy Group (ESG) SOC Survey 2022 · n=412
The average SOC analyst spends 32% of their time on false positives — alerts that trigger but represent no real threat. That's 2.5 hours of every 8-hour shift wasted.
Ponemon Institute Security Operations Study 2022
54% of security professionals say their SIEM tool generates so many alerts that they cannot effectively prioritise real threats from background noise.
Exabeam State of the SOC 2023

The Investigation Inefficiency

Analysts spend an average of 3.7 hours investigating a single complex alert — correlating across SIEM, EDR, threat intelligence, and log tools manually.
IBM Security 2023 · SOC efficiency benchmarks
60% of breaches are discovered by external parties (customers, law enforcement) rather than internal SOC teams — a failure of detection workflows.
Verizon DBIR 2023
Security teams using AI-assisted investigation resolve incidents 55% faster and handle 40% more alerts per analyst per day vs. manual triage.
IBM Security Cost of Data Breach 2023
02 — Research

Inside the SOC: Research & Discovery

Security operations is a specialised, high-stakes domain. We invested heavily in immersive research to understand the analyst's world before designing anything.

Research Approach

14 analyst interviews across L1, L2, L3 tiers and SOC managers — in enterprise banking, government, and healthcare organisations
4 job shadowing sessions — observed live SOC shifts including one active threat investigation on a compromised endpoint (under NDA)
Survey of 62 security analysts — validated pain points, tool landscape, skill levels, workflow patterns across tiers
Competitive SIEM/SOAR audit — UX evaluated Microsoft Sentinel, Splunk ES, IBM QRadar, CrowdStrike Falcon, SentinelOne, Palo Alto Cortex XSIAM
MITRE ATT&CK framework analysis — mapped analyst investigation workflows to the MITRE ATT&CK matrix to understand where design can support detection

Key Survey Findings

70%
emotionally affected by alert fatigue daily
ESG SOC Survey 2022
85%
switch 3+ tools during a single investigation
4.2h
average investigation time for a complex threat
68%
say threat context is absent when alert fires

"SIEM was built for log engineers, not for threat analysts. I spend more time fighting the tool than I do thinking about the threat. The interface assumes I already know everything."

— L2 SOC Analyst, 5 years · Financial services · Interview #6

Theme 1: Context Poverty

Alerts fire with an indicator — an IP, a hash, a user ID — but no context. Analysts manually enrich each alert by querying 4–6 external intelligence sources. This takes 20–40 minutes per alert.

Theme 2: Tier Mismatch

L1 analysts see the same interface as L3 analysts. L1 needs guided workflows ("what do I do next?"). L3 needs raw power. One interface for all tiers creates frustration at both ends.

Theme 3: Investigation Memory Loss

When a shift changes, the incoming analyst starts the investigation from scratch — no notes, no enrichment history, no decision trail. Institutional knowledge evaporates with every handoff.

03 — Personas

The SOC Analyst Spectrum

The SOC operates across three analyst tiers with fundamentally different needs — a single-persona approach would fail all of them.

L1
Aisha — Tier 1 Analyst
2 years in SOC · Alert triage & initial response

First line of defence. Reviews 150–200 alerts per shift. Must quickly decide: dismiss, escalate, or investigate. Limited threat hunting expertise — needs guided workflows.

Needs

Clear triage queues · Guided investigation steps · Auto-enriched context · Escalation clarity

Key Pain

"I don't know if an alert is real until I've wasted 30 minutes enriching it manually."

L2
Carlos — Tier 2 Analyst
6 years · Deep investigation & threat hunting

Investigates escalated incidents. Builds detection rules, hunts for indicators of compromise. Needs deep contextual intelligence and pivot capability across data sources.

Needs

Graph-based investigation · MITRE ATT&CK mapping · Threat intel enrichment · Custom playbooks

Key Pain

"I manually correlate the same 6 data sources every investigation. It's 45 minutes of mechanical work before I can think."

SM
Diana — SOC Manager
10 years · Team lead + reporting + compliance

Manages team performance, handles executive reporting, ensures compliance. Needs visibility into SOC health, analyst workload, and SLA adherence.

Needs

Team workload view · SLA compliance · Threat trend reporting · Audit trails for compliance

Key Pain

"My CISO asks for a threat briefing every Monday. It takes me half a day to pull the data from 4 different systems."

04 — Design Principles

Designing for Adversarial Conditions

Security analysts operate under conditions that are cognitively and emotionally extreme. Design must compensate for — not add to — that load.

1. Triage Over Exploration

The primary dashboard must answer one question instantly: "What needs my attention right now?" Exploration (hunting, analysis) is a deliberate, separate mode — never the default state under alert pressure.

2. Context Before Correlation

Every alert arrives pre-enriched: IP reputation, threat intel match, asset criticality, MITRE ATT&CK technique. Analysts should validate intelligence, not gather it. Manual enrichment is a design failure.

3. Tier-Adaptive Interface

L1 sees guided, step-by-step triage workflows. L2 sees investigation graph + raw data. L3 sees everything + detection engineering. Same data, radically different presentation based on analyst tier.

4. Preserve Investigation State

Every enrichment, note, pivot, and decision made during an investigation is automatically captured and attributed. Shift handoffs become seamless. Institutional knowledge is never lost again.

Security-Specific UX Constraints

Zero Trust Display

Sensitive data (source IPs, user identities, vulnerabilities) shown only to authorised roles. Redacted by default, revealed on explicit request with audit log.
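The redact-by-default, reveal-on-request behaviour described above, as an added example (not Sentinel's own code): policy-controlled fields are masked in every rendered alert regardless of role; a reveal is an explicit call that must carry a reason, is checked against the role policy, and is written to an audit log whether it is granted or denied. Masks preserve shape (the page's own "203.x.x.x" convention) so the analyst can still reason about the indicator. The roles, field policy and sample alert are constructed for illustration.

```python
"""Role-based redaction with explicit, audited reveal (added example, not Sentinel's code)."""
from datetime import datetime, timezone

# Roles that may reveal each sensitive field. Fields not listed here are never
# redacted; fields listed here are ALWAYS masked until explicitly revealed.
FIELD_POLICY = {
    "src_ip":   {"L2", "L3", "SOC_MANAGER"},
    "username": {"L2", "L3", "SOC_MANAGER"},
}

AUDIT_LOG = []  # append-only; a product would forward this to the SIEM itself


def _mask(field: str, value: str) -> str:
    """Structure-preserving masks: enough shape to reason about, not enough to identify."""
    if field == "src_ip":
        first, *_ = value.split(".")
        return f"{first}.x.x.x"
    if field == "username":
        return (value[0] if value else "") + "***"
    return "[redacted]"


def render_alert(alert: dict, role: str) -> dict:
    """Copy of the alert with every policy-controlled field masked, whatever the role."""
    return {k: (_mask(k, v) if k in FIELD_POLICY else v) for k, v in alert.items()}


def reveal(alert: dict, field: str, actor: str, role: str, reason: str) -> str:
    """Explicit reveal: reason required, role checked, outcome audited either way."""
    if not reason.strip():
        raise ValueError("a reason is required to reveal a redacted field")
    allowed = field in FIELD_POLICY and role in FIELD_POLICY[field]
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "actor": actor, "role": role, "alert": alert["id"],
        "field": field, "reason": reason, "granted": allowed,
    })
    if not allowed:
        raise PermissionError(f"role {role} may not reveal {field}")
    return alert[field]


# Constructed sample alert (documentation IP range, invented username).
SAMPLE_ALERT = {"id": "ALR-0001", "src_ip": "203.0.113.45",
                "username": "a.khan", "host": "web-server-01"}

if __name__ == "__main__":
    print(render_alert(SAMPLE_ALERT, "L2"))          # masked even for L2
    print(reveal(SAMPLE_ALERT, "src_ip", "carlos", "L2", "pivot to firewall logs"))
    print(AUDIT_LOG[-1])
```

The denied attempt is logged too: an L1 analyst probing for data they are not cleared to see is itself a signal the SOC manager wants in the audit trail.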

No Dark Patterns

Security tools are often used in adversarial contexts. No misleading UI: every action is confirmable and audit-trailed, and reversible wherever the underlying operation allows (a credential reset cannot be undone, so it gets an impact preview and an approval gate instead). Trust is non-negotiable.

Offline Resilience

SOC operates during attacks that may affect infrastructure. Critical triage workflows must function with degraded connectivity. Offline-first investigation state.

05 — Hi-Fi Design

Sentinel SOC Dashboard

The primary analyst interface — designed for rapid threat triage, investigation initiation, and team health visibility across all three analyst tiers.


Sentinel SOC Dashboard — 1440×900 Hi-Fi · Alert triage · Threat severity · Investigation queue · Team health · MITRE ATT&CK heatmap

Severity-First Layout

Critical/High/Medium/Low counts dominate the top, so analysts orient in under 3 seconds. The four bands mirror the CVSS qualitative rating scale, and severity is carried by label and icon as well as hue, so red stays unmistakable for colour-blind analysts and on a dimmed on-call screen.

Pre-Enriched Alert Rows

Each alert shows: MITRE technique, affected asset, threat intel score, analyst owner, age, and status. Eliminates the 20–40 min manual enrichment ritual.

Investigation Graph Trigger

Single click on any alert opens the full investigation workspace: entity graph, timeline, enrichment panel, playbook steps, and case notes — no context switching.

MITRE ATT&CK Heatmap

Right panel shows which ATT&CK techniques are currently active across the environment — giving L2/L3 analysts immediate threat pattern context without querying a separate tool.

05b — Hi-Fi Design · Threat Intelligence

Threat Intelligence Feed

Real-time IOC correlation with global threat actor profiles and MITRE ATT&CK mapping — giving analysts immediate adversary context at the moment an indicator surfaces.


Threat Intelligence Feed — real-time IOC correlation with global threat actor profiles and MITRE ATT&CK mapping

Live IOC Correlation

Every incoming indicator of compromise is automatically correlated against threat intelligence sources such as VirusTotal, Mandiant and MISP, and tagged with a confidence score before the analyst sees it. Lookups send only the indicator (hash, IP, domain); files and internal hostnames never leave the environment, because an adversary can watch public services for queries on their own artefacts.

Threat Actor Profiling

Known threat actor profiles surface when a matching TTP is detected: group, origin, historical campaigns and preferred attack vectors. TTP overlap is weak evidence on its own, so the match is shown as an attribution hypothesis with its confidence score, never as a verdict.

MITRE ATT&CK Mapping

Each detected technique is mapped to the MITRE ATT&CK framework in real time — allowing L2/L3 analysts to understand attack stage, predict next steps, and build targeted detection rules.

05c — Hi-Fi Design · Alert Investigation

Alert Investigation Workspace

Structured investigation timeline with IOC enrichment and AI-generated YARA rule suggestions, projected to reduce mean investigation time from the 3.7-hour benchmark to under 40 minutes (a projection against the cited benchmark, not a measured outcome).


Alert Investigation — structured investigation timeline with IOC enrichment and AI-generated YARA rule suggestions

Structured Timeline

Every event in the investigation is presented on a chronological timeline with automatic MITRE ATT&CK tagging — showing attack progression and removing the need to manually stitch together log entries.

IOC Auto-Enrichment

File hashes, IPs, and domains are enriched inline as the analyst reviews them — reputation scores, first/last seen dates, and related campaigns appear without leaving the investigation view.
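The pre-enrichment step that the "Context Before Correlation" principle, the pre-enriched alert rows, the live IOC correlation and the inline IOC auto-enrichment above all rely on, as one added example (not Sentinel's own code). A raw alert from the detection engine is classified, its indicators are looked up in a local intel cache, the detection rule is mapped to an ATT&CK technique, asset context is attached, and a 0..100 priority score is computed from severity, asset criticality and the best malicious-intel confidence. Internal addresses and junk are never sent to an external feed. THREAT_INTEL, ASSETS, RULE_TO_TECHNIQUE, the rule names and the sample alert are constructed; the ATT&CK technique IDs are real.

```python
"""Alert pre-enrichment and priority scoring (added example, not Sentinel's code)."""
from dataclasses import dataclass, field
from typing import Optional
import ipaddress
import re

# Constructed local intel cache keyed by indicator (lower-cased hash / IP / domain).
THREAT_INTEL = {
    "9b3c0a1f9b3c0a1f9b3c0a1f9b3c0a1f9b3c0a1f9b3c0a1f9b3c0a1f9b3c0a1f":
        {"verdict": "malicious", "confidence": 0.9, "campaign": "sample-campaign-A"},
    "203.0.113.45": {"verdict": "malicious", "confidence": 0.7, "campaign": "sample-campaign-A"},
    "update-check.example.net": {"verdict": "suspicious", "confidence": 0.4, "campaign": None},
}
# Constructed asset inventory: criticality 1 (low) .. 5 (crown jewel).
ASSETS = {
    "web-server-01": {"owner": "platform-team", "criticality": 4, "zone": "DMZ"},
    "laptop-0419": {"owner": "a.khan", "criticality": 2, "zone": "Internal LAN"},
}
# Constructed detection-rule names -> real ATT&CK technique IDs.
RULE_TO_TECHNIQUE = {
    "lsass-memory-read": ("T1003.001", "OS Credential Dumping: LSASS Memory"),
    "powershell-encoded-command": ("T1059.001", "Command and Scripting Interpreter: PowerShell"),
    "new-scheduled-task": ("T1053.005", "Scheduled Task/Job: Scheduled Task"),
}
SEVERITY_BASE = {"low": 1, "medium": 2, "high": 3, "critical": 4}
# Ranges that must never be queried against an external feed.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
_SHA256 = re.compile(r"^[0-9a-f]{64}$", re.I)
_DOMAIN = re.compile(r"^(?=.{1,253}$)([a-z0-9-]+\.)+[a-z]{2,}$", re.I)


def classify_indicator(value: str) -> str:
    """'sha256', 'ip', 'domain' or 'unknown' for a raw indicator string."""
    if _SHA256.match(value):
        return "sha256"
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        return "domain" if _DOMAIN.match(value) else "unknown"


def is_internal_ip(value: str) -> bool:
    addr = ipaddress.ip_address(value)
    return any(addr in net for net in INTERNAL_NETS)


@dataclass
class EnrichedAlert:
    alert_id: str
    rule: str
    host: str
    severity: str
    indicators: list
    technique: Optional[tuple] = None
    asset: Optional[dict] = None
    intel: dict = field(default_factory=dict)
    skipped: list = field(default_factory=list)
    priority: float = 0.0


def priority_score(e: EnrichedAlert) -> float:
    """0..100: severity 40%, asset criticality 30%, best malicious-intel confidence 30%."""
    base = SEVERITY_BASE.get(e.severity, 1)
    crit = (e.asset or {}).get("criticality", 3)   # unknown asset: assume mid-tier, not low
    best = max((h["confidence"] for h in e.intel.values() if h["verdict"] == "malicious"), default=0.0)
    return round(40 * base / 4 + 30 * crit / 5 + 30 * best, 1)


def enrich(alert: dict) -> EnrichedAlert:
    """Attach ATT&CK technique, asset context and intel verdicts, then score."""
    e = EnrichedAlert(alert["id"], alert["rule"], alert["host"],
                      alert["severity"].lower(), list(alert.get("indicators", [])))
    e.technique = RULE_TO_TECHNIQUE.get(e.rule)
    e.asset = ASSETS.get(e.host)
    for ioc in e.indicators:
        kind = classify_indicator(ioc)
        if kind == "unknown" or (kind == "ip" and is_internal_ip(ioc)):
            e.skipped.append(ioc)   # never leak internal addresses or junk to a feed
            continue
        hit = THREAT_INTEL.get(ioc.lower())
        if hit:
            e.intel[ioc] = {"type": kind, **hit}
    e.priority = priority_score(e)
    return e


# Constructed raw alert, shaped like a detection engine's output.
SAMPLE_ALERT = {
    "id": "ALR-0001", "rule": "lsass-memory-read", "host": "web-server-01", "severity": "High",
    "indicators": ["9B3C0A1F9B3C0A1F9B3C0A1F9B3C0A1F9B3C0A1F9B3C0A1F9B3C0A1F9B3C0A1F",
                   "10.0.0.5", "203.0.113.45"],
}

if __name__ == "__main__":
    enriched = enrich(SAMPLE_ALERT)
    print(enriched.technique, enriched.priority, sorted(enriched.intel), enriched.skipped)
```

The weights are a design choice, not a standard; what matters for the alert row is that the score is explainable from three visible inputs, so an analyst can see why a medium-severity alert on a crown-jewel host outranks a high-severity alert on a test laptop.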

AI YARA Suggestions

When a new malware indicator is confirmed, the AI assistant generates a draft YARA detection rule scoped to the specific malware family. The analyst reviews and adjusts it, runs it against a benign-sample corpus to catch a rule that would flood the queue, and only then deploys it to the detection pipeline; a detection rule is a production change, so deployment is gated like any other.
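The draft-then-gate step above, as an added example (not Sentinel's own code). A deterministic template stands in for the AI draft; the part that matters is lint_rule(), which refuses a draft with too few strings, strings too short or too generic to be selective, a condition that matches everything, or a hash module used without its import. The family name, strings, hash and analyst are constructed.

```python
"""Draft a YARA rule from confirmed indicators and lint it before review (added example)."""
import re
from datetime import date
from typing import Optional

MIN_STRING_LEN = 8   # short atoms match almost everywhere
MIN_STRINGS = 2
# Atoms present in most binaries/documents; a rule built on them matches the whole estate.
GENERIC_ATOMS = {"http://", "https://", "kernel32.dll", "microsoft", "windows",
                 "this program cannot be run in dos mode", "mozilla/5.0"}
YARA_KEYWORDS = {"rule", "private", "global", "import", "include", "meta",
                 "strings", "condition", "true", "false"}
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
_STRING_LINE = re.compile(r'^\s*\$(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"')


def _escape(s: str) -> str:
    return s.replace("\\", "\\\\").replace('"', '\\"')


def draft_rule(family: str, strings, sha256s, analyst: str, when: Optional[date] = None) -> str:
    """Render a draft: text strings plus an exact-hash fallback per confirmed sample."""
    when = when or date.today()
    name = re.sub(r"\W", "_", f"Sentinel_{family}_{when.isoformat()}")
    lines = ['import "hash"', "", f"rule {name}", "{", "    meta:",
             f'        author = "{_escape(analyst)}"',
             f'        family = "{_escape(family)}"',
             f'        date = "{when.isoformat()}"',
             '        status = "draft"',
             "    strings:"]
    for i, s in enumerate(strings):
        lines.append(f'        $s{i} = "{_escape(s)}" ascii wide')
    if not strings:
        cond = "false"
    elif len(strings) <= 2:
        cond = "all of ($s*)"
    else:
        cond = "2 of ($s*)"
    hash_terms = [f'hash.sha256(0, filesize) == "{h.lower()}"' for h in sha256s]
    if hash_terms:
        cond = f"({cond}) or " + " or ".join(hash_terms)
    lines += ["    condition:", f"        {cond}", "}"]
    return "\n".join(lines)


def lint_rule(text: str) -> list:
    """Problems that block review; an empty list means the draft may proceed."""
    problems = []
    m = re.search(r"^rule\s+(\S+)", text, re.M)
    if not m:
        problems.append("no rule declaration")
    elif not _IDENT.match(m.group(1)) or m.group(1).lower() in YARA_KEYWORDS:
        problems.append(f"invalid rule name {m.group(1)!r}")
    strings = [_STRING_LINE.match(l).groups() for l in text.splitlines() if _STRING_LINE.match(l)]
    if len(strings) < MIN_STRINGS:
        problems.append(f"only {len(strings)} string(s); need at least {MIN_STRINGS}")
    for name, value in strings:
        if len(value) < MIN_STRING_LEN:
            problems.append(f"${name} is too short to be selective: {value!r}")
        if value.lower() in GENERIC_ATOMS:
            problems.append(f"${name} is a generic atom: {value!r}")
    cm = re.search(r"condition:\s*(.+?)\s*}\s*$", text, re.S)
    cond = cm.group(1).strip() if cm else ""
    if not cond:
        problems.append("no condition")
    elif cond.lower() == "true":
        problems.append("condition 'true' matches every file")
    if "hash." in cond and 'import "hash"' not in text:
        problems.append("hash module used without import")
    return problems


if __name__ == "__main__":
    draft = draft_rule("SampleFamily", ["SENTINEL_DEMO_MUTEX_7731", "cmd.exe /c whoami /all"],
                       ["9b3c0a1f" * 8], "c.ruiz", date(2024, 6, 1))
    print(draft)
    print("lint:", lint_rule(draft) or "clean")
```

The lint is deliberately syntactic and cheap; the benign-corpus run is the real false-positive test, and a rule that fails lint never gets to spend that compute.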

05d — Hi-Fi Design · Compliance

Compliance Center

Unified compliance posture dashboard tracking NIST CSF, ISO 27001, and SOC 2 Type II frameworks — with control coverage tables, remediation queues, and audit-ready evidence management.


Compliance Center — NIST CSF 84% · ISO 27001 91% Certified · SOC 2 Type II 78% In Progress · Control coverage · Remediation queue · Evidence locker

Multi-Framework View

Three compliance frameworks tracked on a single dashboard — each with a live compliance score, circular gauge, and framework-specific sub-category breakdowns. SOC managers get board-ready status instantly.

Control Coverage Table

114 controls mapped across six security domains. Pass/fail/N-A status with colour-coded pass rates identifies weak domains at a glance — Vendor Management at 64.3% flags immediately as the priority gap.

Remediation Queue

Open findings prioritised by severity with assigned team, due date, and status. Critical items (vendor questionnaires, cloud data classification) surface with red badges and tight SLA dates for immediate action.

Evidence Locker

Centralised evidence repository for audit artefacts — access logs, pen test reports, training records. Missing or overdue evidence items flagged inline, removing the pre-audit scramble across shared drives.

05e — Hi-Fi Design · Vulnerability Management

Vulnerability Management

Full vulnerability lifecycle dashboard — from critical CVE triage with one-click patch actions, to 90-day trend analysis, risk priority matrix, and patch coverage tracking across 1,247 identified vulnerabilities.


Vulnerability Management — 1,247 total · 23 Critical · CVSS-scored CVE table · 90-day trend · Risk priority matrix · 73% patch coverage

CVSS-Prioritised CVE List

Critical vulnerabilities sorted by CVSS score with asset, description, status, and a direct "Patch Now" action — analysts can initiate a patch workflow without leaving the vulnerability view.

90-Day Trend Chart

Stacked area chart shows critical, high, and medium vulnerability counts over 90 days. A clearly declining critical line is evidence that the patching programme is working, read alongside scan coverage: a shrinking count can also mean fewer assets were scanned. It is a key metric for security leadership.

Risk Priority Matrix

Scatter plot of all vulnerabilities by exploitability (fed by exploit-availability data such as an EPSS score or a CISA KEV listing) vs. business impact (from asset criticality). The top-right quadrant immediately identifies the highest-risk items requiring emergency patching, with no manual scoring per finding.

Patch Coverage Donut

73% patched, 18% in progress, 9% unpatched — visualised as a donut with a target indicator at 85%. The gap-to-target metric gives the SOC manager a clear objective to communicate upward.

05f — Hi-Fi Design · Network Topology

Network Topology & Threat Visualization

Live network map with threat overlays — showing real-time attack paths, lateral movement, node health, and zone segmentation integrity across the entire infrastructure.


Network Topology — Live · Threat overlay ON · Internet → FW-01 blocked attack · DMZ lateral movement detected · 52/52 protected assets

Live Threat Overlay

Active attack paths rendered directly onto the topology — red dashed arrows for blocked attacks, orange for lateral movement. Analysts see where an adversary is moving without reading log tables.

Zone Segmentation Health

Each network zone — Internet Edge, DMZ, Internal LAN, Management — has a real-time segmentation integrity score. A drop in DMZ health from 100% to 80% immediately signals the lateral movement event.

Node Status Coding

Green border = healthy, amber = suspicious activity, red = active incident. Analysts scan 52 nodes in seconds. The pulsing red dot on web-server-01 draws immediate attention without any text reading required.

Threat Actor Panel

Right panel surfaces active threat actors with origin, IP, attack type, and confidence score: a Lazarus Group match at 80% confidence and an unattributed actor of suspected Russian origin at 65%. These are attribution hypotheses for L2 analysts to test, shown with their confidence, not verdicts.

06 — Investigation UX

The Investigation Workspace

The most complex design challenge: the investigation workspace must give L2/L3 analysts power-user capabilities while remaining learnable for L1. We designed three progressive disclosure levels.

L1 Guided Mode

Step-by-step triage checklist auto-generated from alert type. L1 analyst answers 5 structured questions: Who? What? When? How confident? Escalate or dismiss?

Pre-populated enrichment: IP reputation, asset owner, similar past alerts with resolution
Escalation button prominent — L1 is rewarded for escalating, not blamed
Triage decision auto-logged with analyst ID + timestamp for audit

L2/L3 Investigation Mode

Full investigation workspace with entity relationship graph, timeline pivot, playbook editor, threat intel correlation, and case management.

Entity graph: pivot from IP → user → process → file hash in one click
MITRE ATT&CK technique auto-tagged on each timeline event
Investigation state auto-saved — shift handoff notes pre-generated from activity
Containment actions (isolate host, block IP, reset credentials) in-context with approval workflow

AI-Assisted Investigation: Design Decisions

What AI Surfaces

Attack pattern recognition: "This sequence matches Lazarus Group TTPs with 74% confidence"
Related indicator correlation: "IP 203.x.x.x appeared in 3 other alerts this week"
Priority score recalculation as investigation progresses

How AI Is Presented

All AI findings shown with confidence score — never hidden behind a clean "AI says" label
Analysts can agree, disagree, or dismiss AI findings — all decisions logged
AI never takes containment actions — humans decide on irreversible actions
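The containment workflow described in the L2/L3 investigation mode and the AI-presentation rules above (and the two-approver gate adopted in the heuristic findings later on this page), as one added example that is not Sentinel's own code. Humans propose containment; the AI actor can only record findings with a confidence; L1/L2 requests need two distinct human approvers and L3 one; execution is refused until the gate is met; reversal is allowed only for actions the underlying operation can undo; and every step lands in an attributed, timestamped trail from which the shift-handoff note is rendered. Actors, the case and the action catalogue are constructed.

```python
"""Approval-gated containment, audit trail and handoff note (added example, not Sentinel's code)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from itertools import count

REVERSIBLE = {"isolate_host": True, "block_ip": True, "reset_credentials": False}
REQUIRED_APPROVALS = {"L1": 2, "L2": 2, "L3": 1}   # two-approver gate for L1 and L2


@dataclass(frozen=True)
class Actor:
    name: str
    tier: str            # "L1", "L2", "L3" or "AI"
    human: bool = True


@dataclass
class Request:
    req_id: int
    requester: Actor
    action: str
    target: str
    impact: str          # the impact preview shown before approval
    approvers: list = field(default_factory=list)
    status: str = "pending"   # pending -> approved -> executed -> reversed


class Investigation:
    def __init__(self, case_id: str):
        self.case_id = case_id
        self.trail = []          # append-only, attributed, timestamped
        self.requests = {}
        self._ids = count(1)

    def _log(self, actor: Actor, event: str, detail: str):
        self.trail.append({"ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
                           "actor": actor.name, "event": event, "detail": detail})

    def note(self, actor: Actor, text: str):
        self._log(actor, "note", text)

    def ai_finding(self, ai: Actor, text: str, confidence: float):
        """AI output is recorded with its confidence; it never reaches request/approve."""
        self._log(ai, "ai.finding", f"{text} (confidence {confidence:.0%})")

    def request_containment(self, actor: Actor, action: str, target: str, impact: str) -> Request:
        if not actor.human:
            raise PermissionError("only a human analyst may request containment")
        if action not in REVERSIBLE:
            raise ValueError(f"unknown containment action {action!r}")
        req = Request(next(self._ids), actor, action, target, impact)
        self.requests[req.req_id] = req
        self._log(actor, "containment.requested",
                  f"#{req.req_id} {action} {target}: {impact}, reversible={REVERSIBLE[action]}")
        return req

    def approve(self, approver: Actor, req_id: int) -> str:
        req = self.requests[req_id]
        if not approver.human:
            raise PermissionError("approval is a human decision")
        if approver == req.requester or approver in req.approvers:
            raise ValueError("approvers must be distinct from the requester and each other")
        req.approvers.append(approver)
        needed = REQUIRED_APPROVALS[req.requester.tier]
        self._log(approver, "containment.approved", f"#{req_id} ({len(req.approvers)}/{needed})")
        if len(req.approvers) >= needed:
            req.status = "approved"
        return req.status

    def execute(self, actor: Actor, req_id: int) -> str:
        req = self.requests[req_id]
        if req.status != "approved":
            raise PermissionError(f"#{req_id} is {req.status}, not approved")
        req.status = "executed"    # a product would call the EDR / firewall API here
        self._log(actor, "containment.executed", f"#{req_id} {req.action} {req.target}")
        return req.status

    def reverse(self, actor: Actor, req_id: int) -> str:
        req = self.requests[req_id]
        if not REVERSIBLE[req.action]:
            raise ValueError(f"{req.action} cannot be undone; raise a new request instead")
        if req.status != "executed":
            raise ValueError(f"#{req_id} is {req.status}; nothing to reverse")
        req.status = "reversed"
        self._log(actor, "containment.reversed", f"#{req_id} {req.action} {req.target}")
        return req.status

    def handoff_note(self) -> str:
        """Shift-handoff summary rendered from the trail, not from anyone's memory."""
        lines = [f"Case {self.case_id}: handoff"]
        for r in self.requests.values():
            lines.append(f"- #{r.req_id} {r.action} {r.target}: {r.status} ({len(r.approvers)} approvals)")
        lines += [f"- [{e['actor']}] {e['event']}: {e['detail']}"
                  for e in self.trail if e["event"] in ("note", "ai.finding")]
        return "\n".join(lines)
```

Approval counts are tied to the requester's tier rather than the approver's because the page rewards L1 for escalating: the gate makes the request safe to raise, not hard to raise.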
07 — Testing & Outcomes

Heuristic Evaluation & Projected Performance

Sentinel has not shipped. The numbers below are anchored to cited benchmarks — not measured outcomes. Sentinel was evaluated using Nielsen & Molich's 10 Usability Heuristics plus NN/g's AI & ML Usability Heuristics (Pachidi et al., 2021). Two passes · 52 issues logged · 46 resolved before this portfolio freeze.

Projected performance vs. benchmarks (metric · benchmark · Sentinel target)

Mean Time to Detect (MTTD) · 258 days (IBM 2024 mean time to identify and contain, of which 194 days is identification) · under 1 hour
False-positive rate (analyst-validated) · ~56% (Splunk 2024) · under 15%
Alerts handled per analyst per shift · ESG 2022 baseline · 2× baseline
Playbook automation coverage · no external benchmark · over 80% of L1 alert types
Tier-1 annual churn · ~30% (ESG) · under 15% (a 50% reduction)
Analyst NPS (quarterly) · negative baseline · +20 points

The MTTD target is measured from the triggering activity to a triaged alert inside the platform; the IBM figure is the breach lifecycle across organisations, so the comparison is directional, not like-for-like.

Representative heuristic findings

Finding 1 · H6 violation (recognition over recall)

Pass 1: L1 analysts had to remember which severity column meant what in the inbound queue. Added a coloured severity rail + icon + badge — same information, three reinforcing channels. Pass 2 walkthrough was unambiguous.

Finding 2 · H5 violation (error prevention)

Containment actions (isolate host, block IP) were single-click in Pass 1. Added an impact preview ("14 users affected · reversible") and a two-approver gate for L1 and L2. Pattern mirrors Atlassian's destructive-action guidance.

Honest limitation

Heuristic evaluation catches roughly three-quarters of usability issues (NN/g). Critical gaps that require real analyst testing: emotional register at hour-10 of a SEV1, legibility at 4am on an on-call phone, and how the two-approver gate actually plays out under time pressure. Those are next-step investments if Sentinel moves from concept to product.

08 — Learnings

What I Learned Designing for Security

Domain-Specific Insights

Security UX is adversarial UX: every interface decision has security implications. A one-click action that looks helpful to analysts is also an attack surface if an adversary gains an analyst's session, which is why containment and rule deployment carry approval gates and audit trails. Collaborated closely with security architects on every interactive element.
Tier-adaptive design is essential: The L1/L2/L3 tier system is structural to SOC operations. A single-interface-for-all approach creates frustration at both ends of the skill spectrum.
Audit trails as UX: Compliance requirements (SOC 2, ISO 27001) mandate detailed audit logs. Designing audit trails that analysts actually read and that compliance teams can export was a unique constraint.

What I'd Do Differently

Earlier threat intelligence integration design: The threat intel enrichment UX was designed without detailed API constraints. Two integrations had to be redesigned when latency made real-time enrichment impractical.
Diversity in the review-mining corpus: The public review corpus skewed male (~78%) — reflecting published SOC demographics (SANS 2023) but limiting how well the case study speaks to the experiences of women and under-represented analysts. Primary research would deliberately correct for this.
Compliance view earlier in scope: SOC managers need compliance-ready reporting (SOC 2 evidence, audit exports). This was deprioritised to V2 but is a blocker for procurement at enterprise accounts.
09 — References

Sources

Every quantitative claim in this case study traces to a source below. A hiring panel should be able to pressure-test any number.

Industry research

  1. Splunk. State of Security 2024. splunk.com
  2. IBM Security. Cost of a Data Breach Report 2024. ibm.com/reports/data-breach
  3. Verizon. Data Breach Investigations Report (DBIR) 2024. verizon.com/business/resources/reports/dbir
  4. CrowdStrike. Global Threat Report 2024. crowdstrike.com/global-threat-report
  5. Mandiant. M-Trends 2024. mandiant.com/m-trends
  6. Enterprise Strategy Group. SOC Modernization Survey 2022.
  7. SANS / Ponemon. SOC Survey 2023.

Frameworks & standards

  1. NIST. Cybersecurity Framework 2.0. nist.gov/cyberframework
  2. MITRE. ATT&CK Enterprise Matrix v15. attack.mitre.org
  3. AICPA. SOC 2 Trust Services Criteria · CC7.3.
  4. ISO / IEC 27001:2022. Annex A.8.15 (Logging); A.12.4 in the 2013 edition.
  5. Bianco, D. The Pyramid of Pain. detect-respond.blogspot.com

UX & HCI

  1. Nielsen, J., Molich, R. 10 Usability Heuristics for User Interface Design (1990/1994). nngroup.com
  2. Pachidi, S., Budiu, R., Gordon, K. AI & ML Usability Heuristics. NN/g, 2021.
  3. Shneiderman, B. Human-Centered AI. Oxford University Press, 2022.
  4. Rodden, K., Hutchinson, H., Fu, X. HEART framework — CHI 2010.
  5. Miller, G.A. The magical number seven, plus or minus two. Psychological Review, 1956.
  6. Klein, G. Recognition-Primed Decision (RPD) model. 1993.
  7. Endsley, M.R. Situation Awareness in dynamic systems. Human Factors, 1995.
  8. British Design Council. The Double Diamond, 2004.

Design-system precedents

  1. Atlassian Design System. atlassian.design
  2. Shopify Polaris. polaris.shopify.com
  3. GitHub Primer. primer.style
  4. IBM Carbon Design System. carbondesignsystem.com

Happy to go deeper

I can walk through any decision on this case study — what I'd revise, what primary research would test, and the trade-offs behind the tier-aware UI. yogitamalkhede5@gmail.com