Unified Cyber Operations

First portal transformation at BlueVoyant — in-house design agency, customer research with operators, and a unified Cyber Defense Platform; MDR workflow redesign cut mean time to respond by 42%.

Challenge

Outsourced design; legacy portal built from customer requests; parallel product SKUs with no shared operating model.

Role

Director, Product Design — agency, research, design system, portal unification

Approach

Customer research with account teams and service operators; design system and UI Guidelines; dedicated front-end infrastructure; unified portal shell across MDR, SCD, and DRP.

Outcome

MDR ticket and incident workflow redesign → 42% faster MTTR; unified portal shell → Fortune 500 cross-product adoption.

Thesis

MSP digital transformation fails when design has no agency. Unification isn't a UI program — it's standing, a shared language, and customer-grounded discovery before the interface can converge.

BlueVoyant · Phase 1 of 3 — Ambiguity

BlueVoyant was a managed security provider becoming a product company. Design had been outsourced — UI work arrived when Engineering or Product needed it. Leadership brought design in-house to unify a fragmented portfolio. Operating model and design system depth live in Building Design That Ships and One Source, Every Surface. This study covers the portal transformation.

Context

I joined BlueVoyant as Director, Product Design with a mandate to create agency for design — the standing, process, and infrastructure for design to operate as a structural partner, not a vendor of screens.

The company was an MSP evolving through digital transformation: services needed to become products that let customers self-serve, automate workflows, and understand what BlueVoyant was doing on their behalf without calling an operator. Growth had been organic and through acquisition — Managed Sentinel, Concanon, Group202, etc. — and each addition brought its own tooling, conventions, and customer-facing surfaces.

What already existed was a client portal shaped by business requirements and customer requests, not a unified product vision:

Dashboards with mislabeled metrics, disorganized charts, and no customization for the insights customers actually needed
Security events and incident escalations that showed operator activity without trustworthy, actionable context
Managed asset and vulnerability inventories that were out of date or failed to sync correctly
Assessments based on outdated cybersecurity frameworks — certification without a path to improvement
Reports that exported the dashboard as a PDF rather than answering executive questions

Concurrently, MDR (Managed Security), SCD (Supply Chain Defense / managed risk), and DRP (Digital Risk Protection) were being packaged and sold by separate teams — disconnected customer operations and disjointed experiences. Leadership’s vision was clear: unify the disparity, avoid redundant feature work, reduce technical debt, and improve quality. My job was to make that vision buildable.

Insight

UX evaluation scored portal sections 3.1–4.3 while customers asked executive questions the product couldn't answer — workflow and data trust failed before aesthetics did.

Hypothesis

Research run with client account teams and service operators — not product stakeholders alone — would produce evidence siloed PMs already respected when prioritizing cross-product work.

Decision

Isolated a dedicated front-end team to own component infrastructure — giving shared UI a single accountable owner instead of a volunteer effort across squads.

The Legacy Portal

UX evaluation of the existing MDR portal surfaced the gap between customer expectations and what the product delivered. The slides below document scores and structured feedback from that review — utility and aesthetics could score moderately while workflow value still failed.

UX evaluation of legacy BlueVoyant product dashboard — overall score 4.3 with feedback that navigation breaks UI consistency outside the dashboard — Legacy dashboards — metrics and charts without customizable insight; UI consistency broke when navigating beyond the landing view.

UX evaluation of legacy BlueVoyant Alerts section — overall score 3.4 with feedback that alerts show data without workflow actions — Legacy alerts — data visibility without workflow action; filters lacked business value and search couldn't partial-match entries.

UX evaluation of legacy BlueVoyant Cases section — overall score 3.4 with feedback on filter logic and export limitations — Legacy cases — incident management with filtering gaps and restricted exports; the surface MTTR improvements later targeted.

UX evaluation of legacy BlueVoyant Assets section — overall score 3.1 with feedback citing data freshness and missing data — Legacy assets — links between assets, cases, and vulnerabilities had value, but freshness and missing data undermined trust.

UX evaluation of legacy BlueVoyant Reports section — overall score 3.2 with feedback on redundant report types and awkward generation workflow — Legacy reports — many single-purpose exports with weak workflow; customers ranked unified reporting as the top unmet need in research.

The Demisto contract reaching end-of-life acted as a forcing function: migrating off the platform required deliberate, cross-product thinking the organization wasn’t natively structured for. Partnering with deployment, product, engineering, and services, I mapped out existing workflows and data intersections. This defined exactly what needed to be built natively versus integrated externally. The outcome was a clear architectural roadmap for the unified portal that successfully aligned stakeholders across the business.

BlueVoyant · Phase 2 of 3 — Architecture

Before the unified portal could ship, design needed agency — an operating model, a shared language, and customer-grounded discovery. I advocated for partnerships with client account teams and internal service operators for research, a design system as common delivery infrastructure, and alignment with sales, marketing, and product on the unifying narrative.

Customer Research

Research ran through interviews, usability testing, surveys, and design workshops — partnering with client account teams and the operators who delivered services daily. A formal MDR survey with 50 customers (CISOs and SOC teams) quantified priorities: onboarding and deployment tracking, daily service digests, incident escalation paths, and risk-based reporting — with 60% ranking reports as must-have.

The qualitative themes behind those numbers were consistent across solutions:

We feel protected — but what are you doing for us continually?
We know you run SOC duties — how are you actually performing?
Why does your data differ from ours?
We have control gaps — how do we improve hygiene and posture?
How do I prove to executives this service is working — what’s covered, what’s our SLA, what else should we buy?

Those questions became the backlog for unified reporting, trustworthy data surfaces, workflow-oriented alerts, and a portal shell that could eventually answer coverage and package questions across MDR, SCD, and DRP.

BlueVoyant UX Research MDR Survey Feedback — methodology and prioritized feature findings from 50 customer interviews — MDR UX survey — 50 customers; research became the shared evidence base when cross-product roadmap conversations stalled.

The operating model — shared researcher, cross-functional rituals, dual-track discovery and delivery — and the design system with Product UI Guidelines — tokens, semantic color, dashboard templates — are documented in the pattern studies. Here they matter as prerequisites: research without a system to implement against stalls; a system without customer voice doesn’t survive PM prioritization.

BlueVoyant Product UI Guidelines overview spread — design principles through application templates — Product UI Guidelines — the written standard and design system that let distributed teams build toward one Cyber Defense Platform.

BlueVoyant · Phase 3 of 3 — Surface

Research and infrastructure converged in what shipped: a unified portal shell, MDR workflow improvements, and the first credible cross-product customer experience — with longer-horizon workflow unification still in flight.

Portal Unification — What Shipped

The unified portal launched as a navigation layer first: single authentication across MDR, SCD, and DRP with a consistent shell, header, and navigation — getting customers into one place before merging workflows inside it.

Within MDR, we shipped substantial ticket management and incident workflow updates — the primary day-to-day surface for SOC analysts and customer security teams. The data grid was rebuilt with consistent sorting, filtering, and bulk actions to handle security event and incident dispositions more efficiently. Onboarding was redesigned for faster time-to-value on new deployments. Report generation moved into a unified framework for exporting MDR, risk, and exposure data together.

Cross-product workflows — connecting a supply-chain risk finding to an active MDR incident, or a DRP credential exposure to monitored endpoints — were designed and partially prototyped. Endpoint intersection between MDR and DRP was underway at the end of my tenure. Full workflow unification remained a multi-year arc; the shell and MDR improvements were the credible first layer.

BlueVoyant Product Dashboard UI template — Cyber Defense Platform with metric cards, charts, and data grid — Unified dashboard template — metric summaries, visualizations, and tabular data composed within the shared application framework.

flowchart TD A([Legacy portal\nrequest-driven features]) --> B[Customer research\n50 MDR survey + workshops] B --> C[Design system +\nUI Guidelines] C --> D[Dedicated front-end team] D --> E[Unified portal shell\nMDR · SCD · DRP] E --> F[MDR tickets +\ndata grid rebuild] E --> G[Onboarding +\nunified reports] F --> H([42% faster MTTR]) E --> I([Fortune 500 adoption])

Outcome

42% faster mean time to respond came from MDR workflow changes — ticket management redesign, incident queue architecture, and less context-switching between Demisto, the legacy portal, and external SIEM tools.

Fortune 500 adoption reflected financial-sector clients expanding from MDR into newer risk products. A portal that presented all three lines coherently — even before workflows fully merged — made that expansion conversation credible.

Brand and visual identity unification, the design team’s charter, and DesignOps to maintain the system were part of the same transformation — detailed in One Source, Every Surface. The longer arc — genuine data and workflow unification across product lines — needed the foundation this work put in place: customer voice, shared infrastructure, and design with agency to keep building.