A unified dashboard ecosystem for SOC analysts, fraud teams, and cybersecurity leadership, designed to compress mean-time-to-detect, reduce alert fatigue, and translate technical risk into board-ready language. A self-directed concept: this case study documents the system, defines the terminology, and walks through the decisions behind each of the thirteen dashboards.
An enterprise bank's Cyber Threat Operations Center monitors petabytes of telemetry across dozens of disconnected tools. Analysts triage 1,400+ alerts an hour. Leadership wants one number that tells them whether the bank is safe today.
The pattern this concept responds to is familiar: tier-one analysts swivel-chairing between six browser tabs to correlate a single phishing event. Critical alerts buried by noisy ones. Inconsistent severity definitions between detection tools. Executives reading PDF reports that were stale the moment they were exported.
The fragmentation wasn't a tooling problem; every individual product worked. It was an interaction problem: thirteen dashboards built by thirteen vendors, each speaking a different visual dialect, and a workforce paying the cognitive tax.
"A SOC analyst's most expensive resource isn't time, it's the working memory they spend reconstructing context that the tools already had."
This is a self-directed concept, so the research was desk-based: I studied the source PRD, published SOC operating models, MITRE and Lockheed Martin frameworks, and the way existing security tools present information. The goal was to design as if for four real constituencies: tier-1, tier-2, and tier-3 analysts, SOC and CTOC managers, fraud and incident response teams, and cybersecurity leadership who report to the board.
Three questions framed the work: what are the viewing patterns (how would a tier-1 analyst look at a wallboard?), what are the workflow behaviors (the sequence between detection and containment?), and what are the environmental constraints (dark control rooms, 24/7 shift rotation, multi-monitor setups)?
The product had to feel native to a tier-1 analyst working an eight-hour overnight shift and to a CISO presenting to the board fifteen minutes later. I resolved that tension by designing three distinct experience layers against three modeled persona types.
Analyst: triages alerts and investigates incidents under time pressure. Lives in the dense analyst dashboard.
SOC manager: oversees the floor. Balances workload, tracks SLA performance, escalates major incidents.
Leadership: CISO, CRO, board reporting. Translates technical posture into business risk and regulatory exposure.
Before we drew a single screen, we wrote down what the product should never do. These principles became the criteria every design review used. When a panel didn't earn its place against them, it was cut.
If a wallboard takes more than two seconds to read, it has failed. Critical state must dominate visual attention without the viewer choosing to look for it.
A five-level severity ladder, color- and shape-encoded, applied consistently across every screen. No exceptions, no per-tool dialects.
Progressive disclosure: the dashboard shows what's true, the drawer shows why, the timeline shows when, the playbook shows how to act.
The interface during a P1 incident should feel calmer, not louder. Layout density stays constant; color and motion carry the urgency.
Shared interaction patterns, same filter chips, same drawer, same severity pill, so an analyst trained on one dashboard already knows the next.
Animation is used only to signal change: a new critical alert pulses; a contained event fades. Decoration is forbidden.
The product is information-dense by design, but information density is earned through hierarchy, not crowded by stacking.
The product is organized into three tiers that mirror how the work actually flows: Operations (live triage and response), Domains (specialized monitoring), and Reporting (executive translation). Every dashboard inherits the same chrome, severity model, and interaction grammar; what changes is information density and refresh cadence.
The hero screen. Cross-stream correlation: every alert mapped onto a kill-chain stage plus the MITRE ATT&CK matrix, with blast-radius topology and live campaign tracking.
The analyst workhorse. Real-time alert queue across all detection sources with filtering, suppression analytics, and triage handoff.
Active investigation management, SLA timers, response progress, ownership, and resolution workflows.
Manager-facing view of who's overloaded, who's under-utilized, and which shifts are running hot.
SOAR health: playbook execution logs, success rates, failure analysis, containment confidence per action type.
Sensitive data movement (PII, cardholder data, source code, M&A drafts) held or blocked at every egress channel, including GenAI prompts.
External feed aggregation, IOC management, actor tracking, geographic origin mapping, coverage gap analysis.
Transaction-velocity anomaly detection, corridor risk, cross-account linkage, ML clustering of coordinated wires.
Customer-facing fraud, ATO, card-not-present, synthetic identity, mule activity, with loss-prevention trend reporting.
CVE exposure, KEV-catalog prioritization, patch compliance, business-unit risk heatmap.
Behavioral anomaly detection on internal users, ethically scoped, with HR and Legal escalation paths built in.
VIP travel monitoring, geopolitical risk overlays, device exposure, loaner-device tracking, MITM detection.
The board-ready view. Composite risk score, business-impact framing in dollars, regulatory-framework readiness, and a one-paragraph headline ready to brief.
Severity pill: five-level, color and label, identical everywhere.
Triage drawer: right-side flyout with the same six-step workflow, recommended playbooks, related signals, analyst notes, invoked from any alert.
Time range: Live · 1H · 24H · 7D · 30D, persistent in the top bar.
KPI strip: six-up tabular numerals, delta indicators, trailing footnote, at the top of every screen.
The Fusion Kill Chain is the dashboard the team turns on first thing in the morning and leaves on the wallboard all day. Its job is to fuse signals from every detection source (endpoint, network, identity, cloud, email, fraud) onto a single attack-stage timeline, then make the highest-priority correlation visible inside two seconds.
Seven headline metrics with deltas against the rolling baseline. The critical-incident tile is reserved for the worst number, color used sparingly so when it appears, it's read.
The seven canonical attack stages with per-stage event volume, active correlations, and detection confidence. A stage with active correlations gets a red gradient, drawing the eye without alarm-fatiguing the analyst.
Bayesian-fused groupings of alerts that appear to belong to the same actor. Each row links to topology, MITRE mapping, and the live alert feed.
Assets compromised by the selected campaign, with edges colored by intent: solid red for exfiltration, coral for escalation, dashed for lateral movement. Pulsing nodes are still actively involved.
The seven primary tactic columns with the techniques observed in this campaign highlighted. Tactics with critical-confidence hits go deep red. Click any technique to filter the feed.
Three coordinated panels: a human-readable narrative of cross-stream events, a live alert stream filtered to the campaign, and the top contributing detection sources and IOCs.
"The Fusion Kill Chain is the only screen where an analyst can answer 'what's happening?', 'where is it?', and 'what should I do next?' without clicking, and click into any one of them to investigate."
The Lockheed Martin Cyber Kill Chain isn't just an industry convention, it's a shared language. By laying every alert against the same seven stages, the dashboard makes correlation legible to a tier-1 analyst, a fraud investigator, and a CISO simultaneously. Each persona reads a different layer of the same diagram, but they're looking at the same picture.
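The mechanics the panels above describe (alerts from several sources grouped into a campaign, each campaign placed on the seven kill-chain stages, a fused confidence per campaign) can be shown end to end in a few dozen lines. This is an added example, not code from the concept: the alert feed, the ATT&CK-tactic-to-stage crosswalk, the per-source likelihood ratios and the 2% prior are all constructed assumptions, and the "Bayesian fusion" here is a plain naive-Bayes log-odds sum, which the page names but does not specify.

```python
"""Cross-stream fusion onto the seven kill-chain stages.

Added example for the Fusion Kill Chain section; not the concept's own code.
Constructed assumptions: the alert feed, the tactic-to-stage crosswalk, and the
per-source likelihood ratios used for the log-odds fusion.
"""
import math
from collections import defaultdict

# Lockheed Martin Cyber Kill Chain, in order.
STAGES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command and Control", "Actions on Objectives"]

# Constructed crosswalk: ATT&CK tactic -> kill-chain stage index. Post-C2
# tactics (credential access, lateral movement, exfiltration, ...) all land on
# stage 7; a real deployment would tune this per environment.
TACTIC_TO_STAGE = {
    "reconnaissance": 0, "resource-development": 1, "initial-access": 2,
    "execution": 3, "privilege-escalation": 3, "persistence": 4,
    "defense-evasion": 4, "command-and-control": 5, "credential-access": 6,
    "discovery": 6, "lateral-movement": 6, "collection": 6,
    "exfiltration": 6, "impact": 6,
}

# Constructed likelihood ratios: how much one distinct (source, tactic) hit
# raises the odds that a correlated cluster is a real campaign rather than noise.
SOURCE_LR = {"edr": 8.0, "ndr": 4.0, "identity": 3.0, "email": 2.0, "cloud": 2.0}
PRIOR = 0.02  # assumed base rate of a genuine campaign among entity clusters

# Constructed alert feed: a phishing-to-lateral-movement chain on WS-117 and
# one unrelated EDR hit on WS-204.
ALERTS = [
    {"id": "a1", "source": "email", "tactic": "initial-access", "technique": "T1566.001", "entities": ["user:j.doe", "host:WS-117"]},
    {"id": "a2", "source": "edr", "tactic": "execution", "technique": "T1059.001", "entities": ["host:WS-117"]},
    {"id": "a3", "source": "ndr", "tactic": "command-and-control", "technique": "T1071.001", "entities": ["host:WS-117"]},
    {"id": "a4", "source": "edr", "tactic": "credential-access", "technique": "T1003.001", "entities": ["host:WS-117"]},
    {"id": "a5", "source": "identity", "tactic": "lateral-movement", "technique": "T1021.002", "entities": ["host:WS-117", "host:DC-01"]},
    {"id": "b1", "source": "edr", "tactic": "execution", "technique": "T1059.003", "entities": ["host:WS-204"]},
]


def correlate(alerts):
    """Union-find over shared entities: alerts that touch a common host or
    user collapse into one candidate campaign."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a in alerts:
        ents = a["entities"] or [f"alert:{a['id']}"]
        for e in ents[1:]:
            parent[find(e)] = find(ents[0])
    groups = defaultdict(list)
    for a in alerts:
        ents = a["entities"] or [f"alert:{a['id']}"]
        groups[find(ents[0])].append(a)
    return list(groups.values())


def fuse(group):
    """Naive-Bayes style fusion: sum log likelihood ratios over distinct
    (source, tactic) pairs, so a rule that fires 40 times does not count 40
    times, then convert the log-odds back to a probability."""
    logit = math.log(PRIOR / (1 - PRIOR))
    for source, _tactic in {(a["source"], a["tactic"]) for a in group}:
        logit += math.log(SOURCE_LR.get(source, 1.0))
    confidence = 1 / (1 + math.exp(-logit))
    stages = sorted({TACTIC_TO_STAGE[a["tactic"]] for a in group})
    return {
        "alerts": sorted(a["id"] for a in group),
        "stages_hit": [STAGES[i] for i in stages],
        "furthest_stage": STAGES[stages[-1]],
        "tactics": sorted({a["tactic"] for a in group}),
        "techniques": sorted({a["technique"] for a in group}),
        "confidence": round(confidence, 3),
    }


def campaigns(alerts=ALERTS):
    """Fused campaigns, deepest kill-chain stage first, then highest confidence."""
    fused = [fuse(g) for g in correlate(alerts)]
    fused.sort(key=lambda c: (-STAGES.index(c["furthest_stage"]), -c["confidence"]))
    return fused


if __name__ == "__main__":
    for c in campaigns():
        print(f"{c['furthest_stage']:<22} p={c['confidence']:.3f} {c['alerts']}")
```

Counting distinct (source, tactic) pairs rather than raw alerts is what keeps a chatty rule from inflating a campaign's confidence, and sorting by furthest stage before confidence is what puts the cluster that has already reached Actions on Objectives at the top of the wallboard.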
Color-blind safe severity required encoding the level in more than one channel. Every severity is a compound signal: a colored pill plus a label plus, in critical cases, a pulsing motion cue. The system never relies on red alone to communicate critical.
| Severity | Color | Defined as | Surface treatment |
|---|---|---|---|
| ▪ Critical | #b91c1c | Active compromise, exfiltration in progress, or known-exploited vulnerability on an exposed asset. SLA: 15 min response. | Pulsing motion, top of queue, paged to T3 |
| ▪ High | #e64d3c | Strong correlation with active campaign, escalation indicator, or significant policy violation. SLA: 30 min response. | No motion, prominent surface treatment |
| ▪ Medium | #d4a036 | Investigative state, likely benign but warrants analyst review. SLA: 2 hr. | Standard row, no special emphasis |
| ▪ Low | #1570ef | Informational. Low-confidence detection or background context. | Collapsed by default in dense views |
| ▪ Resolved | #16a34a | Successfully contained, false positive confirmed, or remediated. Visible for trend reporting; never noisy in live queue. | Faded surface, archived after 24h |
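The ladder only works as "one tool" if every detection source is normalized into it before an alert reaches the queue, and if the SLA in the table drives ordering rather than just labelling. The following is an added example, not the concept's own code: the per-tool severity dialects, the promotion tags and the sample alerts are constructed, and the "last quarter of the window" at-risk rule is an assumption.

```python
"""One severity ladder, many source dialects.

Added example for the severity section; not the concept's own code. The
per-tool scales in SOURCE_DIALECTS and the sample alerts are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# The five canonical levels from the table; rank orders the queue.
LADDER = {
    "critical": {"rank": 0, "color": "#b91c1c", "sla": timedelta(minutes=15), "motion": True},
    "high":     {"rank": 1, "color": "#e64d3c", "sla": timedelta(minutes=30), "motion": False},
    "medium":   {"rank": 2, "color": "#d4a036", "sla": timedelta(hours=2),    "motion": False},
    "low":      {"rank": 3, "color": "#1570ef", "sla": None,                  "motion": False},
    "resolved": {"rank": 4, "color": "#16a34a", "sla": None,                  "motion": False},
}

# Constructed per-tool dialects. Each detection source speaks its own scale;
# the normalizer is the only place in the system that knows about them.
SOURCE_DIALECTS = {
    "edr": lambda s: ("critical" if int(s) >= 9 else "high" if int(s) >= 7
                      else "medium" if int(s) >= 4 else "low"),
    "siem": lambda s: {"p1": "critical", "p2": "high", "p3": "medium", "p4": "low"}[s.lower()],
    "email": lambda s: {"malicious": "high", "suspicious": "medium", "clean": "low"}[s.lower()],
}

# Tags that force Critical per the ladder's definition (exfiltration in
# progress, known-exploited vulnerability on an exposed asset).
CRITICAL_TAGS = {"exfiltration", "kev-exposed"}


@dataclass
class Alert:
    alert_id: str
    source: str
    raw_severity: str
    created: datetime
    tags: set = field(default_factory=set)
    severity: str = ""


def normalize(alert):
    """Map the source's scale onto the ladder, then apply definition-driven
    promotions. An unknown source lands on Medium so a new feed gets analyst
    review rather than being silently buried at Low."""
    mapper = SOURCE_DIALECTS.get(alert.source)
    level = mapper(alert.raw_severity) if mapper else "medium"
    if alert.tags & CRITICAL_TAGS:
        level = "critical"
    alert.severity = level
    return alert


def sla_status(alert, now):
    """Return (state, seconds_remaining); Low and Resolved carry no SLA."""
    sla = LADDER[alert.severity]["sla"]
    if sla is None:
        return "none", 0
    remaining = int((alert.created + sla - now).total_seconds())
    if remaining < 0:
        return "breached", remaining
    if remaining < sla.total_seconds() * 0.25:  # assumed: last quarter of the window
        return "at_risk", remaining
    return "ok", remaining


def queue_order(alerts, now):
    """Breached first, then ladder rank, then least time remaining."""
    def key(a):
        state, remaining = sla_status(a, now)
        return (0 if state == "breached" else 1,
                LADDER[a.severity]["rank"],
                remaining if state != "none" else float("inf"))
    return [a.alert_id for a in sorted(alerts, key=key)]


# Constructed sample queue at 03:00 UTC on an overnight shift.
T0 = datetime(2024, 1, 1, 3, 0, tzinfo=timezone.utc)
SAMPLE = [normalize(a) for a in [
    Alert("A1", "edr", "8", T0, tags={"exfiltration"}),      # high -> promoted to critical
    Alert("A2", "siem", "P2", T0 - timedelta(minutes=40)),   # high, 30-min SLA already breached
    Alert("A3", "email", "suspicious", T0),                  # medium
    Alert("A4", "edr", "2", T0),                             # low, no SLA
    Alert("A5", "siem", "P1", T0 - timedelta(minutes=12)),   # critical, 3 min left
]]

if __name__ == "__main__":
    by_id = {a.alert_id: a for a in SAMPLE}
    for aid in queue_order(SAMPLE, T0):
        a = by_id[aid]
        print(aid, a.severity, LADDER[a.severity]["color"], sla_status(a, T0))
```

Note that the breached High (A2) sorts above the Critical alerts: once an SLA is gone, the ladder's rank stops being the first key, which is the "breached cases surface to the top" behaviour the incident view describes.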
Numbers dominate this product. We selected Inter for display headlines (clear at distance for wallboards) and JetBrains Mono for all numeric data, with tabular-numeral spacing. Numbers in the same column always align vertically, a tiny detail that compounds across a 1,400-alert queue.
Body type is DM Sans at 13–14 px. We rejected the temptation to go smaller. Density comes from tight row padding (6 px) and economical labels, not from font size; analysts read this screen for an entire shift.
When an analyst clicks any alert anywhere in the system, the same right-side drawer slides in. It contains the six-step triage workflow, the alert context, the related signals from the last thirty minutes, recommended playbooks ranked by confidence, and a notes field, all without leaving the dashboard the analyst was on.
Every dashboard inherits the same chrome (top bar, sidebar, time-range, KPI strip) and the same severity system. What varies is the information architecture: each domain has a unique payload, but the analyst reads them all the same way.
The dense real-time queue. Filters by severity and source; tactic-coverage bars surface which MITRE columns are lighting up; "top noisy rules" gives the analyst direct input into the suppression model.
Where alerts become investigations. SLA timers color when at risk, breached cases surface to the top, response-progress steps mirror the drawer workflow for continuity.
Manager view. A 24×N heatmap shows where the floor is hot, capacity bars flip color past 90% utilization, and a "burnout signals" panel asks the manager to act on early warning.
SOAR health. Per-playbook sparklines reveal degradation before it becomes a failure; containment confidence is broken out by action type so analysts know what they can trust to auto-run.
Sensitive-data egress monitoring. We added GenAI prompt inspection as a first-class channel, the fastest-growing exfiltration surface in the bank.
External feed aggregation. The world map shows indicator origin; the actor table tracks who's hot; the coverage-vs-actor panel does gap analysis: do our detections cover this actor's known TTPs?
Where cyber meets fraud. Transaction-velocity anomalies, corridor risk, ML clustering of coordinated wires, the dashboard the fraud team and the SOC share.
CVE exposure prioritized by CISA's KEV catalog and EPSS scoring. The business-unit heatmap turns "we have 14,000 CVEs" into "Wholesale Banking has 14 critical."
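The prioritization rule in that paragraph (KEV membership first, then exploit probability, then severity, rolled up per business unit) is simple enough to state as code. This is an added example, not the concept's own logic: the findings, the KEV subset with its due dates, and the EPSS threshold of 0.5 are constructed assumptions; the one rule taken from the page is that Critical is reserved for a KEV entry on an exposed asset.

```python
"""Vulnerability prioritization: KEV first, then EPSS, then CVSS, rolled up
into a business-unit heatmap.

Added example for the Vulnerability dashboard; not the concept's own code.
The findings, the KEV subset and the EPSS threshold are constructed.
"""
from collections import defaultdict

# Constructed subset of the CISA KEV catalog: cve -> remediation due date.
KEV = {"CVE-2024-0001": "2024-02-01", "CVE-2024-0002": "2024-02-15"}

# Constructed findings: one row per (CVE, asset).
FINDINGS = [
    {"cve": "CVE-2024-0001", "asset": "web-01", "bu": "Wholesale Banking", "exposed": True,  "cvss": 9.8, "epss": 0.93},
    {"cve": "CVE-2024-0002", "asset": "db-07",  "bu": "Wholesale Banking", "exposed": False, "cvss": 7.5, "epss": 0.40},
    {"cve": "CVE-2023-9001", "asset": "app-03", "bu": "Retail",            "exposed": True,  "cvss": 8.1, "epss": 0.62},
    {"cve": "CVE-2023-9002", "asset": "app-04", "bu": "Retail",            "exposed": False, "cvss": 7.2, "epss": 0.04},
    {"cve": "CVE-2023-9003", "asset": "ws-118", "bu": "Retail",            "exposed": False, "cvss": 5.3, "epss": 0.01},
    {"cve": "CVE-2024-0001", "asset": "web-02", "bu": "Retail",            "exposed": True,  "cvss": 9.8, "epss": 0.93},
]

EPSS_HIGH = 0.5  # assumed threshold; tune to the organisation's risk appetite


def bucket(f):
    """Map a finding onto the product's severity ladder. Critical is reserved
    for a KEV entry on an exposed asset, matching the ladder's definition."""
    in_kev = f["cve"] in KEV
    if in_kev and f["exposed"]:
        return "critical"
    if in_kev or f["epss"] >= EPSS_HIGH:
        return "high"
    if f["cvss"] >= 7.0:
        return "medium"
    return "low"


def prioritize(findings=FINDINGS):
    """KEV entries first (earliest due date wins), then EPSS, then CVSS.
    Returns (cve, asset, bucket) tuples in work order."""
    def key(f):
        return (0 if f["cve"] in KEV else 1,
                KEV.get(f["cve"], "9999-99-99"),
                -f["epss"], -f["cvss"], f["asset"])
    return [(f["cve"], f["asset"], bucket(f)) for f in sorted(findings, key=key)]


def heatmap(findings=FINDINGS):
    """Per-business-unit counts per bucket: the 'Wholesale Banking has N
    critical' number instead of one raw CVE total."""
    grid = defaultdict(lambda: {"critical": 0, "high": 0, "medium": 0, "low": 0})
    for f in findings:
        grid[f["bu"]][bucket(f)] += 1
    return dict(grid)


if __name__ == "__main__":
    for row in prioritize():
        print(*row)
    for bu, counts in heatmap().items():
        print(bu, counts)
```

CVSS only breaks ties here; a 9.8 that nobody is exploiting sits below a 7.5 on the KEV list, which is the point of leading with KEV and EPSS rather than raw severity.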
UEBA-driven behavioral anomaly detection with built-in HR and Legal escalation paths. Designed with ethics review baked in: explicit watchlist enrollment, an evidence trail, and no shadow monitoring.
Customer-facing fraud, ATO, card-not-present, mule activity. The loss-trend chart reports prevented vs actual side-by-side: leadership wants to know what we saved, not just what we lost.
VIP travel risk, geopolitical overlays, device tracking, MITM detection. Built after a real incident where a CISO's loaner device hit a hostile network in transit.
The board-ready view. Composite risk trend, dollar-value framing, regulatory-framework readiness bars, and a one-paragraph "headline" the CISO can read into the room verbatim.
Cybersecurity is acronym-dense and the product reflects that. We did not try to simplify the terminology; analysts speak this way, and dumbing it down would have made the product harder, not easier, to use. Every term has a consistent definition surfaced as a tooltip on first use.
APT (advanced persistent threat): A sophisticated, typically state-sponsored adversary group, long-lived, well-resourced, focused on espionage or financial gain. Identified internally with codenames (e.g. APT-441 "Nostromo").
ATO (account takeover): Fraud where an attacker gains control of a legitimate customer's account through credential theft, SIM swap, or social engineering.
C2 (command and control): Stage 6 of the kill chain. The infrastructure an attacker uses to issue instructions to malware once it's installed, typically a periodic encrypted "beacon" call-out.
CASB (cloud access security broker): The control layer between users and SaaS apps. CASB telemetry is a primary detection source for cloud data exfiltration and OAuth abuse.
CVE / CVSS / EPSS: CVE identifies a vulnerability. CVSS scores how bad it could be (0–10). EPSS estimates the probability that it will be exploited in the wild over the next 30 days.
DCSync: An attack where an adversary holding directory-replication rights impersonates a domain controller and asks Active Directory to replicate password hashes to it (T1003.006). Surfaced as the stage-6 critical alert on DC-01.
DLP (data loss prevention): Controls that prevent sensitive data from leaving the enterprise through email, USB, cloud sync, printer, GenAI prompts, etc.
EDR (endpoint detection and response): The agent on every endpoint that monitors process and file behavior in real time. Highest-fidelity detection source in most enterprises.
KEV (Known Exploited Vulnerabilities): CISA's catalog of vulnerabilities being actively exploited in the wild. KEV entries get priority patching, typically a 14-day SLA.
LSASS (Local Security Authority Subsystem Service): The Windows process that holds authentication secrets in memory. An unexpected process reading its memory (T1003.001) is a strong sign of credential harvesting; security agents also open LSASS, so the detection keys on which process did it, not on the access alone.
MFA bypass: Defeating multi-factor authentication through push-fatigue, SIM swap, OAuth abuse, or token theft. Identity is the new perimeter and MFA bypass the new front door.
NDR (network detection and response): The detection layer that watches network traffic for anomalies, beacons, lateral movement, exfiltration. Complementary to EDR.
P1 / P2 / P3: P1 is critical (15-min SLA). P2 is high (30-min). P3 is medium (2-hour). Priority drives queueing and escalation throughout the system.
PII / PAN / PCI: PII is personally identifiable information. PAN is the primary account number printed on a payment card. PCI DSS is the cardholder-data security standard the bank is assessed against.
SOAR (security orchestration, automation and response): The automation layer that runs response playbooks across tools, fully automatically or after analyst approval. The Automation dashboard reports SOAR health.
UEBA (user and entity behavior analytics): Machine-learning models that baseline normal behavior per user and entity, then flag statistical deviation. Powers the Insider Threat dashboard.
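The LSASS entry in the glossary is the one term above that maps directly onto a detection an analyst will see every shift, so here is what that detection actually checks. This is an added example, not content from the concept: it evaluates Sysmon Event ID 10 (ProcessAccess) records, whose field names (SourceImage, TargetImage, GrantedAccess, CallTrace) are Sysmon's own; the allowlist, the sample events, and the severity rules (user-writable source path or an unbacked call-stack frame escalate to Critical) are constructed assumptions.

```python
"""Detection logic for LSASS memory access (ATT&CK T1003.001) over Sysmon
Event ID 10 (ProcessAccess) records.

Added example for the LSASS glossary entry; not the concept's own detection
content. The allowlist, sample events and severity rules are constructed
assumptions; field names follow Sysmon's ProcessAccess event.
"""
import re

PROCESS_VM_READ = 0x0010  # the right needed to read credential material out of LSASS

# Constructed allowlist: security agents and core OS processes that legitimately
# open LSASS. Keyed by full lower-case path so a renamed copy in %TEMP% does not match.
ALLOWED_SOURCES = {
    r"c:\program files\windows defender\msmpeng.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}

# Locations where a legitimate LSASS reader never lives.
USER_WRITABLE = re.compile(r"\\(users\\[^\\]+\\(appdata|downloads|desktop)|temp|programdata)\\", re.I)


def evaluate(event):
    """Return None if benign, else a finding dict carrying a severity. The rule
    keys on process identity and access mask rather than on the event firing,
    because EDR and AV agents open LSASS constantly."""
    if not event["TargetImage"].lower().endswith(r"\lsass.exe"):
        return None
    granted = int(event["GrantedAccess"], 16)
    if not granted & PROCESS_VM_READ:
        return None  # query-only handles cannot dump memory
    src = event["SourceImage"].lower()
    if src in ALLOWED_SOURCES:
        return None
    reasons = ["non-allowlisted process read LSASS memory"]
    severity = "high"
    if USER_WRITABLE.search(src):
        reasons.append("source binary in user-writable path")
        severity = "critical"
    if "UNKNOWN" in event.get("CallTrace", ""):
        reasons.append("call stack contains unbacked memory (injected code)")
        severity = "critical"
    return {"technique": "T1003.001", "severity": severity, "source": event["SourceImage"],
            "granted_access": hex(granted), "reasons": reasons}


# Constructed Sysmon Event ID 10 records: an AV engine, Task Manager querying
# only, a renamed binary in %TEMP% with an injected frame, and the classic
# rundll32 + comsvcs.dll MiniDump pattern.
EVENTS = [
    {"SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe", "TargetImage": r"C:\Windows\system32\lsass.exe",
     "GrantedAccess": "0x1FFFFF", "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d1e4"},
    {"SourceImage": r"C:\Windows\System32\taskmgr.exe", "TargetImage": r"C:\Windows\system32\lsass.exe",
     "GrantedAccess": "0x1400", "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d1e4"},
    {"SourceImage": r"C:\Users\j.doe\AppData\Local\Temp\svchost.exe", "TargetImage": r"C:\Windows\system32\lsass.exe",
     "GrantedAccess": "0x1010", "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d1e4|UNKNOWN(000001F3C2A40000)"},
    {"SourceImage": r"C:\Windows\System32\rundll32.exe", "TargetImage": r"C:\Windows\system32\lsass.exe",
     "GrantedAccess": "0x1410", "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d1e4|C:\Windows\System32\comsvcs.dll+2b1c0"},
]


def run(events=EVENTS):
    """Evaluate every record and keep only the findings."""
    return [f for f in (evaluate(e) for e in events) if f]


if __name__ == "__main__":
    for f in run():
        print(f["severity"], f["source"], f["granted_access"], "; ".join(f["reasons"]))
```

The two records that produce nothing are the instructive ones: the AV engine opens LSASS with full access and is allowlisted by path, and Task Manager opens it with 0x1400 (query rights only), which cannot read memory. Alerting on either would be exactly the kind of noise the triage dashboard's "top noisy rules" panel exists to surface.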
As a concept, this work hasn't been through user testing or production rollout, so rather than report results, this section states the targets the design is built to hit. Each is drawn from the source PRD's success criteria and expressed as the bar a future validation effort would measure against.
The drawer-based triage workflow is designed to eliminate tool-switching for common alert types, moving an analyst from detect → contain without leaving the dashboard.
The intent: collapse the multi-tool, multi-click path to confirm an event down to a handful of in-dashboard interactions that never break context.
The compound severity system (color + label + motion) is built so a P1 on a wallboard is recognized at distance in under five seconds.
By construction: the severity model, drawer, filters, and KPI strip are reused across all 13 dashboards, learn one, navigate the rest without retraining.
The Executive Risk Overview is designed around a single question, "are we safe today?", answerable in plain English without a technical translator in the room.
The whole point of the concept: thirteen specialized surfaces unified by one visual system, one interaction grammar, and one severity ladder.
The decision to commit to a single severity model across all 13 dashboards is the most consequential one in the concept. Every downstream pattern (the KPI accents, the row colors, the pulse animations, the drawer banners, the executive risk gauge) inherits from those five levels. The system reads as "one tool" precisely because that ladder holds everywhere.
The triage drawer as a single, universal workflow surface paid back tenfold. Once it existed for the Fusion dashboard, every other screen got it for free.
Choosing a warm cream palette instead of the conventional dark SOC look was a deliberate bet. The thesis: control rooms are already dark; the screen doesn't need to be. A calmer surface puts severity color to harder use and should reduce eye fatigue across a long shift, a hypothesis a future validation effort would test.
The MITRE ATT&CK heatmap as a 7-column grid is a useful summary, but the real matrix has 14 tactic columns and hundreds of techniques. For tier-3 hunters, a full-bleed sub-page with the complete grid and per-technique drill-downs would be needed. The concept only hints at that.
The Money Movement and Fraud dashboards share substantial logic. In a v2 I'd merge them into a single "Financial Crime" dashboard with role-based view variants, cyber sees the IOC overlay, fraud sees the customer overlay, both see the same underlying transactions.
The concept designs for analyst stress but not yet for analyst fatigue as a measurable signal. A future version should treat analyst dwell, click cadence, and decision-time as telemetry, the same way it treats alert volume.