Back to work
Case Study 01 · Alert Triaging
Permiso Security · 2025–2026

Alert Triaging
UX Review.

A close-read of the alert triaging workflow used by SOC analysts on the Permiso platform, mapping where critical context is hidden, truncated, or scattered, and where small interaction fixes would compound into real time savings.

Role

Lead Product Designer

Format

Internal UX review & recommendations

Surface

Web app · enterprise SaaS

Persona

SOC Analyst

Tools

Figma · FigJam · Loom

01 · Problem Statement

The data is there. The interface keeps it just out of reach.

The problem

Security analysts working in high-pressure environments struggle to quickly assess, investigate, and act on alerts, not because of a lack of data, but because of how that data is presented.

Critical information is truncated, scattered across multiple interactions, and lacks clear prioritization signals, forcing analysts to manually piece together context before they can take action.

In a workflow where speed directly impacts outcomes, this friction compounds decision fatigue and slows response time.

02 · Context

The platform, and the person doing the work.

Product

Permiso Platform

Permiso secures the modern identity attack surface across cloud, SaaS, and on-prem environments, helping organizations inventory identities, assess identity risk, and detect and respond to identity-based threats.

Primary Persona

SOC Analyst

SOC Analysts are a primary user of the platform, responsible for monitoring, investigating, and resolving alerts. Alert triaging is a high-frequency, high-impact workflow for this persona, making it a critical focus area for improving efficiency, clarity, and response speed.

03 · Typical Workflow

How an analyst moves through a single alert.

Main workflow
01

Start from Alerts Overview

Scan alert volume & severity.

02

Open Alert Details

From the overview dashboard or a notification.

03

Review alert summary

Skim key details on the Overview tab.

04

Inspect session activity

Open the Full Session tab for deeper context.

05

Take action

Return to Overview, open the action menu, resolve.

Optional steps
·

Refine alert list

Adjust filters and/or columns.

·

Validate IP context

Click IP to open the access map drawer (IP, Geo, ASN).

04 · Alert Overview

Where analysts start, and what's already in the way.

  1. Alert counts and severity breakdowns are unclear, making prioritization difficult.

  2. Alert Signature is often truncated, forcing column resizing to view alert context.

  3. The Expand column is rarely used and takes up prime table real estate.

  4. The AWS Health Events table was never implemented.

BeforeFig. 4.1

The current Alerts Overview: severity is hard to scan, signatures truncate, and the Expand column eats real estate.

AfterFig. 4.2

The proposed view promotes severity, gives the signature room to breathe, and reclaims the Expand column.

05 · Alert Details

Inside a single alert, the shortcuts aren't there.

  1. The Edit Alert UI is only available to Super Users, with no easy access to the Alert Tuning UI.

  2. The action menu is only available on the Overview tab and doesn't support a status change to Info.

  3. Analysts can only navigate to the Identity Details page through a tooltip link.

  4. The Event List Table, default-filtered for "This Alert", is typically the triage endpoint, yet it's buried.

  5. No visible confirmation notice for a successful status change.

BeforeFig. 5.1

The current Alert Details: actions are tab-gated, key links live in tooltips, and the Event List is buried.

AfterFig. 5.2

The proposed details surface: actions are always reachable, the Event List is promoted, and confirmation is visible.

06 · A Closer Look

The status-change interaction, component by component.

The "Change Status" action is the moment an analyst commits a triage decision. It's the highest-impact micro-interaction in the workflow. Today it's a flat menu with no confirmation feedback. The recommendation is to surface the two decisions an analyst is actually making (state & disposition), make Info a first-class status, and confirm the change visibly.

BeforeFig. 6.1

The current Change Status menu: a single flat list, no disposition, no confirmation.

AfterFig. 6.2

The proposed modal: two-step decision (Status + Disposition), Info promoted, explicit Apply, toast on success.

Change Status to
Open Resolved In Progress Info
Change Disposition to
Benign True Positive False Positive Undetermined
Apply → Changed Alert Status (confirmation toast)
Bonus · Alert Tuning

The tuning surface is hard to reach, and starts cold.

  1. The Alert Tuning UI is only available from the Alerts Overview page, not from the alert itself, where the analyst is already looking at the relevant context.

  2. Once opened, the form's data points are not auto-populated, forcing the analyst to retype the very identifiers they just reviewed.

BeforeFig. 7.1

The current Alert Tuning UI: reachable only from the Overview, fields start empty.

AfterFig. 7.2

The proposed tuning UI: opened from the alert in context, pre-filled from the current event.

The fix isn't more data; it's letting analysts see what's already there without piecing it together first.
Reflection · Alert Triaging UX Review · 2026

Thank you for your time.
rachelsobrepena@pm.me

All work Case Study 02 Get in touch
© 2026 Rachel Sobrepeña Case Study 01 · Alert Triaging UX Review Permiso Security · 2025–2026