OpenText · 2024–2026

NDR Anomalies & Rules Dashboard

Identified and designed the strategic response to a $300M market opportunity. While competitors like ExtraHop dominated network threat detection, OpenText lacked a coherent NDR story. I led research, product strategy, and design to launch a multi-variable anomaly detection platform that fundamentally repositioned our security portfolio—competing on analyst efficiency and threat hunter depth rather than visual polish.

Role: Principal Product Designer leading cross-functional strategy, user research, competitive analysis, and design direction. Influenced product roadmap, engineering architecture, and go-to-market positioning.

Metrics & Impact

  • 2: Distinct personas with opposing workflows (reactive vs. proactive)
  • 5: Competitors analyzed (ExtraHop, Vertica, Defender, Wiz, Orca)
  • 15 min: Constraint that reshaped the entire UX strategy (alert triage window)
  • Multi-variable: ML approach (vs. single-variable competitors)

Research & Strategy

Strategic Context: The Market Gap

EDR solutions excel at endpoint detection. But networks are the vectors. ExtraHop, Vertica AI, and others were winning the NDR conversation by offering intelligent threat detection at network scale. OpenText had no coherent story here.

The problem wasn't technical—it was organizational and strategic. Without a unified design vision for network detection, product teams were building fragments. Without understanding analyst workflows, we couldn't compete on usability. Without seeing that SOC analysts and threat hunters have fundamentally different needs, we'd design for neither.

Design Philosophy

In enterprise security, complexity isn't the enemy—opacity is. Network anomalies are inherently complex. But they're not unknowable. My thesis: make the invisible visible by designing for the patterns analysts already recognize (sudden spikes, unusual deviations, unexpected connections). Design for understanding, not for impressive visualizations.

Research Strategy

  • Persona Research: Conducted interviews with 12 SOC analysts and 8 threat hunters across enterprises to understand the 15-minute triage constraint and 24-hour investigation cycles
  • Competitive Deep Dive: Analyzed ExtraHop, Vertica AI, CrowdStrike Falcon, Microsoft Defender XDR—specifically mapping their alert presentation, topology visualization, and investigation workflows
  • Market Insight: Identified that competitors competed on visual sophistication, but analyst feedback revealed speed and clarity were more valuable than aesthetics
  • Technical Foundation: Collaborated with ML engineering to validate OpenSearch (single-variable) + Intersect Models (multi-variable) architecture

Strategic Design Decision: Dual Interface

The key insight: SOC analysts and threat hunters have opposing needs. Analysts need speed (15-minute triage). Hunters need depth (24-hour investigation). A single unified dashboard would optimize for neither.

I proposed a dual-interface strategy:

  • Analyst Dashboard: Real-time alerts with ML confidence scoring. Customizable thresholds. One-click escalation to SIEM/TDR/SOAR. Designed around the 15-minute constraint—less information density, higher pattern recognition
  • Hunter Workbench: Deep investigation with network topology, historical pattern analysis, log correlation, threat intelligence integration. Designed for exploratory workflows—more context, more drill-down capability

This decision reshaped the entire product architecture and influenced engineering to build modular alert pipelines. It became the design principle for all subsequent security platform work at OpenText.

Cross-Functional Influence

  • ML Engineering: Led architecture alignment on OpenSearch + Intersect Models. Defined the data contract for single-variable vs. multi-variable anomaly payloads
  • Product Leadership: Influenced roadmap prioritization. Argued for Phase 1 MVP scope (Traffic Spikes + Unauthorized Access) based on analyst feedback and competitive gaps
  • Platform Strategy: Established design patterns for anomaly detection interfaces—now used across ZENworks, ILM, and future security products
  • Go-to-Market: Competitive positioning recommendation: compete on analyst efficiency (not visual polish) and integration readiness (not feature count)

From Sketches to Validated Design

The design was iterative and research-informed. It started with low-fidelity sketches exploring persona workflows, was refined through Figma Make prototyping against competitive benchmarks, and was validated against analyst feedback before final handoff to engineering.

Phase 1: Low-Fidelity Rules Builder

Initial sketches exploring the rules builder UI—critical for letting analysts customize anomaly detection without requiring ML expertise. The challenge: make rule creation feel approachable, not overwhelming.

Images: Rules Builder lo-fi screens 1–4

Four iterations exploring different interaction patterns: rule templates, visual condition builders, threshold sliders, and exception management.
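To make the rules-builder concepts concrete (rule templates, analyst-tunable thresholds, exception lists, and the severity-ranked alert rows the dashboard needs for triage), here is an added example of a minimal rule engine of the kind such a UI would drive. It is illustration code written for this page, not OpenText's implementation: the two templates (a single-variable traffic-spike rule and a multi-variable unauthorized-access rule, matching the Phase 1 scope named later), the field names, the weights, the tactic labels and the sample telemetry are all constructed assumptions. The escalation threshold in `needs_hunter` stands in for the analyst-to-hunter handoff decision point.

```python
from dataclasses import dataclass, field

# Constructed sample telemetry (not real traffic). Single-variable feature:
# bytes per minute per host next to its learned baseline.
TRAFFIC = [
    {"host": "db-01", "bytes_per_min": 4_800_000, "baseline": 500_000},
    {"host": "web-02", "bytes_per_min": 620_000, "baseline": 600_000},
    {"host": "backup-01", "bytes_per_min": 30_000_000, "baseline": 8_500_000},
]
# Multi-variable features consumed by the unauthorized-access template.
AUTH = [
    {"host": "db-01", "src": "10.9.8.7", "new_src": True, "failed_logins": 7, "hour": 3, "user": "svc_report"},
    {"host": "jump-01", "src": "10.1.1.5", "new_src": True, "failed_logins": 1, "hour": 14, "user": "alice"},
]


@dataclass
class Rule:
    name: str
    template: str          # "traffic_spike" or "unauthorized_access"
    mitre_tactic: str      # analyst-facing label shown in the alert row (assumed labels)
    thresholds: dict       # the analyst-tunable values behind the "sliders"
    exceptions: set = field(default_factory=set)  # hosts the rule must ignore


@dataclass
class Alert:
    rule: str
    host: str
    risk: int              # 0-100, drives the severity ranking
    mitre_tactic: str
    summary: str


def eval_traffic_spike(rule, ev):
    """Single-variable rule: observed volume relative to the host's baseline."""
    if ev["host"] in rule.exceptions:
        return None
    ratio = ev["bytes_per_min"] / ev["baseline"]
    min_ratio = rule.thresholds["min_ratio"]
    if ratio < min_ratio:
        return None
    # Risk 50 at the threshold, rising to 100 at four times the threshold.
    risk = min(100, int(50 + 50 * (ratio - min_ratio) / (3 * min_ratio)))
    return Alert(rule.name, ev["host"], risk, rule.mitre_tactic,
                 f"{ev['host']} sending {ratio:.1f}x its baseline volume")


def eval_unauthorized_access(rule, ev):
    """Multi-variable rule: several weak signals combine into one score."""
    if ev["host"] in rule.exceptions:
        return None
    t = rule.thresholds
    score, reasons = 0, []
    if ev["new_src"]:
        score += 30
        reasons.append(f"never-seen source {ev['src']}")
    if ev["failed_logins"] >= t["min_failed_logins"]:
        score += 40
        reasons.append(f"{ev['failed_logins']} failed logins")
    if ev["hour"] in t["off_hours"]:
        score += 30
        reasons.append("off-hours")
    if score < t["min_score"]:
        return None
    return Alert(rule.name, ev["host"], score, rule.mitre_tactic,
                 f"{ev['user']}@{ev['host']}: " + ", ".join(reasons))


TEMPLATES = {"traffic_spike": eval_traffic_spike,
             "unauthorized_access": eval_unauthorized_access}

# What a saved rule set from the builder might look like (assumed values).
DEFAULT_RULES = [
    Rule("Traffic Spike", "traffic_spike", "Exfiltration",
         {"min_ratio": 3.0}, exceptions={"backup-01"}),   # nightly backup host excluded
    Rule("Unauthorized Access", "unauthorized_access", "Credential Access",
         {"min_failed_logins": 5, "off_hours": set(range(0, 6)) | {22, 23}, "min_score": 60}),
]


def evaluate(rules, traffic=TRAFFIC, auth=AUTH):
    """Run every rule over its event stream and return alerts ranked by risk."""
    alerts = []
    for rule in rules:
        events = traffic if rule.template == "traffic_spike" else auth
        for ev in events:
            alert = TEMPLATES[rule.template](rule, ev)
            if alert:
                alerts.append(alert)
    alerts.sort(key=lambda a: a.risk, reverse=True)
    return alerts


def needs_hunter(alert, escalate_at=80):
    """Decision point of the journey map: hand high-risk alerts to the hunter workbench."""
    return alert.risk >= escalate_at


if __name__ == "__main__":
    for a in evaluate(DEFAULT_RULES):
        flag = "ESCALATE" if needs_hunter(a) else "triage"
        print(f"{a.risk:3d} {flag:8s} {a.rule:20s} {a.mitre_tactic:17s} {a.host:10s} {a.summary}")
```

Running it shows the alert rows an analyst would see: the multi-variable rule fires on db-01 with all three signals present, the traffic rule fires on the same host, and the backup host is silenced by its exception even though it exceeds the ratio threshold. Tightening a threshold or adding an exception is a data change, not a code change, which is the property a visual rules builder relies on.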

Phase 2: High-Fidelity Anomalies Dashboard

Visual refinement of the analyst dashboard. The core insight: anomalies must be ranked by severity and context-rich from the first glance. No digging required for triage decisions. MITRE classification, risk scoring, and affected assets visible in the alert row itself.

Images: Anomalies Dashboard hi-fi screens 1–4

Alert list showing severity-ranked anomalies with inline classification, risk scores, affected assets, and quick-action buttons. Designed for 15-minute triage cycles.

Phase 3: Threat Hunter Workbench

The investigation interface—designed for depth, not speed. When a threat hunter digs into an anomaly, they need correlation tools, historical context, topology exploration, and packet-level investigation. A completely different interaction model than the analyst triage dashboard.

Images: Threat Hunter Workbench screens 1–4

Hunter investigation interface: timeline correlation, network topology with lateral movement paths, asset relationships, and forensic drill-down. Same data, completely different interaction pattern.

User Journey: Alert to Investigation

How an alert flows through the system from detection to resolution—showing the role of both interfaces and the handoff between analyst triage and hunter investigation.

Image: NDR User Journey Map

The journey map visualizes how different personas interact with the system and the decision points that determine escalation from analyst triage to hunter investigation.

Experience the Design Live

Rather than static screenshots, the full platform is interactive and clickable. Built entirely with Figma Make and AI prompts, this prototype demonstrates the complete analyst dashboard and threat hunter workbench in action. Click through alert triage workflows, build custom rules, and explore the topology investigation interface.

Open the interactive Figma Make prototype to explore the dual-interface design. Test alert triage flows, rules builder interactions, and hunter investigation workflows.


How We Win Against ExtraHop

Analyzed 5 leading NDR competitors (ExtraHop, Vertica AI, Wiz, Orca, Defender XDR). The pattern was clear: everyone competed on visualization quality and feature breadth. But analyst feedback revealed the real pain: speed and clarity beat aesthetics. This insight shifted our entire competitive positioning.

The Competitive Landscape

What Competitors Do Well

  • Sophisticated network topology visualization
  • Comprehensive feature set (coverage = market positioning)
  • Rich historical data analysis for threat hunting
  • Deep packet-level investigation capabilities

Where They Lose Analyst Trust

  • Alert fatigue: too many features = overwhelming defaults
  • Slow triage: information density > speed
  • Isolated workflows: no integration with existing SIEM/TDR
  • Rule configuration requires ML/domain expertise

Our Differentiation Strategy

Rather than compete on feature breadth or visualization sophistication, we compete on analyst efficiency and threat hunter capability.

Competitive Comparison: OpenText NDR vs. Microsoft Azure

Azure's NDR offers comprehensive network detection, but the interface reflects legacy Microsoft design patterns—information-dense, slow to parse, and dependent on deep domain knowledge. Our approach prioritizes analyst decision speed with a visual risk hierarchy and contextual summaries.

Image: Azure Alert Management (Microsoft Azure NDR alert interface)

Image: OpenText NDR Analyst Dashboard (comparison view)

Key Difference: Azure requires analysts to navigate nested menus and dense tabular data. OpenText surfaces alert severity, MITRE classification, risk score, and affected assets in a single scannable view—enabling faster triage decisions.

How the Design Achieved Strategic Goals

Design Achievement

  • Dual-interface model adopted as platform standard pattern
  • 15-minute triage constraint drives all UX decisions
  • SIEM/TDR/SOAR integration ready from MVP
  • Visual rules builder validates multi-variable concept

Strategic Impact

  • Reshaped NDR positioning from "feature parity" to "analyst efficiency"
  • Influenced product roadmap: Phase 1 (traffic + access), Phase 2 (behavior)
  • Set design precedent for future security platforms
  • Attracted competitive customers on integration capability

What This Project Taught Me About Principal Design

1. Design Strategic Decisions, Not Just Interfaces

The dual-interface approach wasn't a design detail—it was a strategic bet that differentiated the product and shaped engineering architecture. Principal design isn't about making things pretty; it's about making things that matter.

2. Constraints Are Your Best Teachers

The 15-minute triage window wasn't a limitation—it was clarity. It eliminated unnecessary features, forced prioritization, and created a defendable competitive position. Constraints breed focus.

3. Influence Happens Through Insight

I didn't "convince" engineers to adopt the dual-interface architecture—I showed them why it mattered. Principal designers earn authority through research rigor and strategic thinking, not through seniority.

4. Show Your Thinking, Not Just Your Solutions

The lo-fi sketches, competitive analysis, and design iterations matter as much as the final design. They prove you didn't guess—you researched. That's what separates principals from executors.

Full Case Study & Documentation

Complete case study PDF with detailed design process, research findings, and artifact documentation coming soon.

The live demonstrations and design artifacts above showcase the strategic approach and execution. Interactive Figma prototype coming with final handoff documentation.

Interested in discussing this work?

I'm always happy to discuss design process, security operations research, or how I approach complex dashboard design.