Redesigning the core entry point for security triage — making it actionable, structured, and trustworthy for analysts at every level.
A security signal is a moment of decision: escalate, suppress, or investigate further. The Signal Side Panel is where that decision gets made — and it wasn't built for deciding.
SOC analysts review dozens of signals per shift. For each one they need to understand what happened, determine severity, take ownership, and move the signal to the right state — fast. The panel is the primary surface for all of that.
But the panel had grown without a plan. What started as a simple alert viewer became a wall of raw data — every field, every log, every related entity given equal visual weight in a single unbroken scroll. There was no hierarchy. No opinion about what to look at first. The signal lifecycle had no states, so analysts couldn't tell if a signal was actively being worked or silently stale.
The panel was showing analysts everything and guiding them toward nothing. New hires were hit hardest — they didn't know where to look, what to click, or how to move forward.
After shadowing SOC analysts through live triage shifts, the same pattern emerged every time: they were fighting the panel, not using it.
No signal had a status. There was no concept of Open, In Review, or Closed — analysts couldn't tell if a signal was being worked, already resolved, or quietly stale. Every signal looked the same regardless of its state.
SIEM, ASM, and CSM each had their own panel layout. Analysts who moved between products had to relearn the interface every time — same concept, three different implementations, zero shared foundation.
The three most critical triage actions — Add to Case, Run Workflow, Archive — were split across the header, footer, an overflow menu, and a secondary drawer. Most analysts never found them. The default became leaving signals perpetually Open.
Three months. We introduced a signal state model, reorganized content around triage decisions, and shipped to three security products.
Shadowed SOC analysts through live shifts and logged every scroll, every detour, every action that never got clicked. The data was consistent: scroll depth was extreme, action completion was near zero, and first-week analysts had no path forward. Audited the panel across SIEM, CSM, and ASM — three products, three divergent layouts, zero shared components.
The layout wasn't the core problem — the missing state model was. Before reorganizing content, we needed to define what states a signal could be in. Introduced Open → In Review → Closed → Archived with auto-ownership assignment. Once the model existed, content hierarchy followed naturally: What Happened → Take Action → Deep Details. Co-designed signal states with detection, security, and workflow engineering.
Built Figma flows for side panel and full-page modes, testing the dynamic CTA model against the new lifecycle states. Ran async reviews with engineering and product, then shipped to Cloud SIEM. ASM and CSM followed using the shared component set — four weeks later, all three products were on the same panel foundation.
The old panel showed data. The new one drives decisions. Five design moves that made triage feel guided instead of guessed.
Before the lifecycle existed, every signal looked the same regardless of its actual state. The new model introduced four explicit states — Open, In Review, Closed, Archived — with a primary CTA that changes to match. "Start Review" when untouched. "Escalate" or "Close" once claimed. Auto-ownership assignment means nothing sits at Open indefinitely.
The original panel ordered content by what was easiest to pull — logs at top, entity details buried in the middle, actions at the bottom. We flipped the model: What Happened first, Detection Rule context second, Take Action third. Deep details collapse below. The order isn't historical — it's the order of a triage decision.
Every critical action — suppress, escalate, link to case, run workflow — was pulled from wherever it lived into a single Take Action surface above the fold. Always visible, always contextual. No more hunting. Usage of "Add to Case" and "Run Workflow" tripled within the first month after launch.
Experienced analysts know what to do with a brute-force signal. New hires don't. Playbooks add attack-specific investigation procedures — not a generic checklist, but steps tuned to the signal type. Investigator gives every analyst a quick entity graph showing IP, Host, and User activity, with one-click access to deeper dashboards. First-week analyst ramp dropped by approximately 2 days.
The side panel handles most signals quickly. Complex incidents need room. Full-page mode adds a signal timeline, linked case history, and related signals grouped by correlated attributes or detection rule. Analysts who needed deep investigation had been leaving the panel to find another tool — now they don't have to.
Shipped to Cloud SIEM in Q1 2024. ASM and CSM followed within four weeks. Zero panel inconsistencies across all three products since.
Average time-to-triage dropped 42% in moderated testing. Panel scroll depth decreased 35% — analysts found what they needed sooner.
Users reported feeling clear on what to do next in 88% of sessions. "Mark as Closed" and "Add to Case" used in 64% of reviews.
Workflow usage tripled, especially among Tier 1 analysts. 70% of reviewed signals were directly linked to incidents or cases.
New analyst self-reported confidence rose from 3.6 to 4.2 out of 5. First-week ramp-up time reduced by approximately 2 days.
Over 85% of core panel components shared across SIEM, ASM, and CSM. Internal audits found zero CTA placement inconsistencies.
Full-page view adoption increased 60%. Signal timeline MVP launched just 4 weeks after the panel update shipped.