Permiso Security · 2025–2026

Redesigning alert triage for cloud security analysts.

How we turned an overwhelming firehose of cloud detection events into a calm, prioritized workflow, letting analysts get to the alert that matters in seconds instead of minutes.

Role

Lead Product Designer

Team

1 designer (me) · 3 engineers · 1 PM · Detection & Response leads

Timeline

~6 months · discovery → ship

Surface

Web app · enterprise SaaS

Tools

Figma · FigJam · Loom · Google Analytics

Note to Rachel. This page mirrors the structure of your Figma slides. Every section below is editable directly in the browser; click any heading or paragraph to rewrite it with the real content from your deck. Image placeholders accept screenshots, drop them in later.

01 · Context

Permiso watches cloud identities, around the clock.

The product

Permiso is a cloud detection-and-response platform. Our customers, usually a small security team inside a much larger company, rely on us to spot suspicious identity behavior across AWS, Azure, GCP, Okta, and the dozens of SaaS apps their workforce touches.

That means a steady stream of alerts: an admin signing in from an unfamiliar country, a token being used outside its normal window, a service account suddenly reading from production. Some are real incidents. Most aren't. Analysts have to triage them all.

02 · The Problem

The old alert view treated every signal the same.

Analysts opened the inbox each morning to a flat list of thousands of alerts, sorted only by time, with no clear path to the work that mattered.

Pain · 01

Volume drowns signal

Critical alerts were buried beneath dozens of low-priority noise events. Analysts described "scroll fatigue" inside the first ten minutes.

Pain · 02

No notion of identity

Alerts were grouped by event, not by the actor behind them. A single compromised user generating thirty events looked like thirty separate problems.

Pain · 03

Triage state lived in heads

"Did someone already look at this?" was a question we asked in Slack. There was no shared notion of who was working what.

Replace. These three pain points are placeholders modeled on your professional summary. Swap in the exact pains your research surfaced (quotes, metrics, screenshots of the old UI).

03 · Discovery

I spoke with the people who actually live in the inbox.

Method

Over four weeks, I ran moderated interviews with eight security analysts across six customer accounts, paired with a heuristic review of the existing inbox and analytics on how alerts were actually opened, dismissed, and escalated.

I also shadowed a senior analyst through a real morning of triage, watching the rhythms, the tab juggling, the Slack pings, the moments where attention broke.

8

Analysts interviewed across six customer accounts

3wk

Of usage analytics reviewed in Google Analytics

12

Distinct triage tasks mapped end-to-end

Replace numbers. Adjust counts to match what you actually did. If you used customer-success transcripts or sales calls, list them too.

04 · What We Learned

Three insights reframed the design problem.

Insight · 01

Analysts triage by identity, not by event

Every analyst we watched mentally grouped alerts by the user or service account behind them. The product should do that grouping for them.

Insight · 02

Severity isn't a number, it's context

"Critical" meant different things depending on the actor, the environment, and the time of day. Rigid severity scores misled more than they helped.

Insight · 03

Triage is a team sport

State, who's looking, what's been ruled out, what's been escalated, needed to live in the product, not in Slack threads.

05 · Approach

Design principles I held the work against.

Principle · 01

Identity first

Group everything around the actor. Events follow people, not the other way around.

Principle · 02

Calm by default

Quiet typography, restrained color. Save visual urgency for things that are urgent.

Principle · 03

State is shared

If one teammate has touched an alert, every teammate should know within a glance.

Principle · 04

One screen, one decision

From any alert, the next sensible action should be the most prominent thing on screen.

06 · Process

From sketches to shipped.

Step · 01

IA & flows

Mapped current vs. proposed inbox structure. Reorganized around identity clusters and triage state.

Step · 02

Low-fi exploration

Twenty-plus quick wireframes in Figma to test layout patterns, list, board, timeline, split-view.

Step · 03

Hi-fi prototyping

Interactive Figma prototype with real data shapes. Reviewed weekly with detection engineers.

Step · 04

Usability testing

Five remote sessions on the high-fidelity prototype. Two rounds of revisions before dev handoff.

Process artifact, flow diagram or IA before/after

Drop a screenshot here. A flow map, IA diagram, or a strip of wireframe-to-hi-fi evolution from your Figma file.

07 · The Design

A triage queue organized around people, not events.

The new inbox collapses thousands of raw alerts into a working queue of identity clusters, one row per actor, ranked by a contextual risk read that draws on the actor's behavior, environment, and time of day. Triage state (open, in-review, escalated, dismissed) is visible to the whole team, and one click drills from a cluster into a timeline of every event that composed it.

Hero screen, new alert triage queue

Identity cluster, detail view

Event timeline within cluster

Team triage state & assignments

Final screens. Replace these four placeholders with the actual hi-fi exports from your Figma deck. Aspect ratios are flexible, adjust the class (imgph, imgph wide, imgph tall, imgph square) to match.

08 · A Closer Look

Why the cluster row reads the way it does.

Each cluster row was the unit of work in the new inbox, so I spent the most time on it. The hierarchy reads, left to right: who, what's different, how worried to be, what to do next.

Type is restrained, Geist Mono for identifiers, a single accent color for the risk read, no severity badges. The whole row is a single focusable element, keyboard-first, with the primary action accessible without leaving the row.

Anatomy of an alert cluster row

09 · Outcomes

What changed after we shipped.

Win · 01

"It feels quieter"

Two customers used almost identical language in feedback sessions, the inbox felt calmer, even though we were sending the same underlying signals. Triage had moved from fighting the interface to evaluating events.

Win · 02

Slack triage threads stopped

"Did anyone look at this?" disappeared from customer Slack channels almost overnight. Shared triage state inside the product replaced the side-channel coordination we'd built workflows around.

Win · 03

The cluster pattern propagated

Identity clustering, designed for the inbox, became the structural metaphor other surfaces adopted: investigations, reports, the executive summary view. One mental model now spans the product.

We didn't ship with a fully instrumented analytics plan, so I can't show clean before/after metrics. What I can speak to is the shape of the conversations that changed: the questions customers asked us, the requests support no longer received, and the patterns the rest of the product began to reuse.

Honesty as a feature. These are observational wins, not metrics. They're real, defensible, and they tell hiring managers you understand the difference between proof and noise. Edit the specifics to match the conversations you actually had.

10 · What I'd Do Differently

Lessons I carried into the next project.

Learning · 01

Test the unit, not the screen

Most of our usability friction lived inside a single row. I should have prototyped that component in isolation, much earlier.

Learning · 02

Quiet is a feature

The instinct in security tools is to shout. We bought more trust by being calm and consistent than we ever did with red badges.

Learning · 03

Ship the analytics with the design

Designing the measurement plan at handoff, not after launch, was the single best decision I made this cycle.

Want to talk through the details?
rachelsobrepena@pm.me

←All work Get in touch →