OpenText · 2024–2026

User & Entity Behavior Analytics (UEBA)
for Network Detection and Response (NDR)

Networks catch threats at Day 0 — before an attack reaches the endpoint. But OpenText had no coherent design story for network detection. I led research, strategy, and design to combine User & Entity Behavior Analytics (UEBA) with Network Detection and Response (NDR) — repositioning the portfolio around analyst efficiency and multi-variable intelligence.

Role: Principal Product Designer — research, competitive strategy, design direction, and cross-functional influence across ML Engineering, Product, and Go-to-Market.

$300M Market Opportunity Identified Network Detection and Response gap in OpenText portfolio
20 Research Participants 12 SOC analysts · 8 threat hunters
15 min Triage Constraint The constraint that shaped every UX decision
5 Competitors Mapped ExtraHop · Vertica · Defender · Wiz · Orca
Context Research Define Ideation Design North Star Impact
Project Brief & Context

The network sees threats before the endpoint ever does

EDR protects endpoints — but networks catch anomalies at Day 0, across North-South and East-West traffic, before an attack reaches a single device. OpenText had the ML models and SIEM integrations. What it lacked was a design that made that intelligence usable.

The competitive angle: ExtraHop and Vertica AI used single-variable anomaly detection — one signal at a time. OpenText's Intersect Models could correlate multiple variables simultaneously: login time + location + data access + privilege level. That was the differentiator. The design challenge was making it feel simple, not complex — and doing it within the median analyst triage window of 15 minutes.

Discovery & Research

Four problems. Every customer said the same things.

20 interviews with SOC analysts and threat hunters. Competitive analysis across ExtraHop, Vertica AI, Microsoft Azure, CrowdStrike, and Wiz. The findings converged around four problems that no competitor had solved.

01

Hidden threats invisible to IDS

Traditional IDS and dashboards require prior domain knowledge and struggle with evolving threats. Behavioural anomalies at the network layer — especially multi-variable ones — were going completely undetected.

Detection gap
02

Alert analysis too complex to act on

Analysts needed simpler, faster mechanisms to work through traffic alerts. The existing UI required domain expertise just to read the data — let alone act on it within the 15-minute triage window.

Usability
03

Severity buried — critical alerts lost in noise

There was no prioritised view. Analysts manually sorted through every anomaly. The most severe threats didn't surface first, and context was missing for quick decisions.

Signal-to-noise
04

No way to tune for your environment

Every network is different. Analysts needed to set exceptions and adjust thresholds for their specific environment — but no tool gave them that control without ML expertise.

Customisation
"By the time I've opened three tabs to correlate a single alert, my 15 minutes are already gone. I need the context in the row — not behind a click."
— SOC Analyst, Level 2 · Research interview, 2024

Competitive Context

Microsoft Azure — competitive analysis
Microsoft Azure — complex topology-first layout creates high cognitive load during alert triage

User Journey Map

NDR user journey map — from alert detection to threat resolution
Journey map — tracing the full alert lifecycle from detection through triage, escalation, and investigation for both personas

The core tension: SOC analysts needed speed (15-minute triage windows), while threat hunters needed depth (24-hour investigation cycles). A single interface could serve neither well. This insight drove the entire dual-interface strategy.

Define

The analyst who has 15 minutes to make the right call

Research surfaced a clear primary user — not a helpdesk generalist, but a trained analyst handling 40–80 alerts per shift, correlating behavioral signals with network data, and making escalation decisions under real time pressure.

🎯
Marcus Chen
SOC Analyst — Level 2
Security Operations Center
40–80 alerts per shift · 15-minute triage window
Goal
Surface the most severe anomalies first — with enough context (MITRE category, risk score, affected assets) to act without additional investigation.
Responsibility
First-line triage and escalation — classify threat type, correlate with user/entity behavior, and route to SIEM, TDR, or SOAR with context attached.
Challenge
Alert fatigue from low-signal noise — without risk scoring and behavioral context, every alert looks equally urgent. Severe threats get buried. The 15-minute window closes before the right call is made.
+

Secondary user — Threat Hunter (SOC Level 3): proactively hunts using historical behavior trends, multi-variable correlation, and custom anomaly thresholds. Needs depth and query power — not the same interface as Marcus. This tension between speed and depth drove the dual-interface design strategy.

Ideation

Lo-fi first — sketching the rules builder

Before touching hi-fi, I sketched the interaction model for the rules builder — the most novel UI challenge. How do you make rule creation approachable for a non-ML user without hiding the power a threat hunter needs?

Rules Builder Lo-Fi — threshold configuration
Threshold configuration — slider-based tuning with live alert frequency preview
Rules Builder Lo-Fi — rule comparison view
Side-by-side comparison — safe iteration without affecting live rules

The key lo-fi decision: rules as visual objects, not code. Conditions rendered as connected blocks rather than script syntax — bringing the builder within reach of analysts who understand logic but not ML. This became the foundational pattern for all subsequent security rules UIs at OpenText.

Design & Iteration

Analyst dashboard — severity first, context always

The hi-fi anomalies dashboard was designed around one constraint: every piece of information an analyst needs to make a triage decision must be visible in the alert row — no clicking, no expanding, no hunting.

Anomalies Dashboard — alert detail panel
Alert detail — contextual summary and one-click escalation to SIEM/TDR/SOAR

The design decision that changed the architecture: MITRE ATT&CK classification had to appear in the list row, not behind a detail click. This required ML engineering to surface classification data in the alert payload — a design requirement reshaping the data contract.

Design & Iteration

Threat Hunter Workbench — same data, different interaction model

When Elena investigates an anomaly, she needs correlation tools, historical context, and topology exploration. A completely different interaction model — depth over speed, breadth over brevity.

Hunter Workbench — network topology
Network topology — lateral movement paths and asset relationships rendered as an investigation graph
✦ Built with Figma Make AI

Experience the design live

This prototype was one of my first explorations using Figma Make's AI prompting interface — describing interactions in natural language and watching them come to life instantly. It cut iteration time dramatically and sharpened how I think about prompting AI for design. Test alert triage workflows, build custom rules, and explore the topology investigation interface. No login required.

Open Prototype
North Star Vision

The full picture — analyst triage to hunter investigation

The final design brings both interfaces into a unified platform. From a single alert in the analyst dashboard, context flows seamlessly into the hunter workbench — two distinct experiences sharing one coherent data model.

UEBA for NDR — live interaction demo showing analyst triage to hunter investigation
Live interaction — analyst triage view flowing into the threat hunter workbench as a unified Network Detection and Response platform
Decisions & Impact

Three decisions. Measured outcomes.

2
Interfaces
Analyst dashboard + hunter workbench — one data model, two modes
Day 0
Network Advantage
Threat detection before the endpoint — the core positioning argument
15 min
Triage Standard
Now written into all OpenText security UX briefs across the portfolio
"Don't compete on visual sophistication. Compete on analyst efficiency. Speed and clarity beat aesthetics every time."
— Core positioning recommendation, presented to Product Leadership, Q3 2024
01

Classify in the row, not the detail panel

MITRE ATT&CK classification surfaced in the alert row itself — requiring an ML pipeline contract change. Risk scores became the primary sort axis so the most severe anomalies surface first. One-click escalation to SIEM, TDR, or SOAR with full context attached — nothing lost in the handoff.

ML data contract Risk-sorted list One-click escalation
02

Two interfaces, one data model

Analyst dashboard for speed — built around the 15-minute triage window. Hunter workbench for depth — supporting 24-hour investigation cycles. Both built on a shared data layer so context flows between them without duplication or copy-paste overhead.

Shared data layer Dual interaction model No context lost in handoff
03

Visual rules builder — no ML expertise required

Filter and tune by user, IP, or asset without ML expertise — making threshold configuration self-service for the first time. Triage-first UX principles carried forward as a portfolio standard across ZENworks, ILM, and future OpenText security products.

Self-service tuning Portfolio standard ZENworks · ILM

Interested in discussing this work?

I'm happy to walk through the research findings, competitive positioning, or the design decisions that shaped the product architecture.

Get in Touch View Other Work
← Previous Project ILM Policy Builder Back to Home Next Project → XDR Platform Research