Taking Cylance to the Consumer Market

Designing and shipping CylancePROTECT Home Edition — translating an enterprise ML endpoint protection product into a self-service consumer offering, and building the business unit to bring it to market.

Challenge

Translate an enterprise ML endpoint protection product into a self-service consumer experience with no IT admin, no policy configuration, and a full e-commerce acquisition path.

Role

Director of UX/UI — consumer UX from pitch to ship

Approach

Designed the consumer UX to pitch to founders first, then negotiated feature scope and API surface with engineering to make it buildable on the existing mono-architecture.

Outcome

CylancePROTECT Home Edition shipped across web portal, macOS, and Windows. New consumer BU established. Contributed to BlackBerry's $1.4B acquisition of Cylance.

Thesis

Cylance had proven its ML threat prevention model in the enterprise. Home Edition was the test of whether that same technology could work for a home user who had no IT admin, no policy knowledge, and no tolerance for complexity. The design problem and the business problem were the same: make enterprise-grade security feel like a consumer product — without stripping out what made it worth buying.

Cylance · Phase 2 of 2 — Consumer

The enterprise console and Optics EDR work — confidence scoring, disposition controls, the Confidence Design System — is in Phase 1. Home Edition was the parallel bet: same ML engine, completely different design contract. Shared infrastructure is documented in One Source, Every Surface.

Context

Cylance was built as an enterprise company. The core product — CylancePROTECT — was deployed by IT administrators across corporate fleets, configured through policy management consoles, and evaluated by security operations teams who understood kill chain visualizations and model confidence scores. The enterprise console case study covers that product surface; this study covers taking the same engine to households.

The idea to take that technology to the consumer market came from the design team. The pitch was simple and strategically credible: the ML model that protected Fortune 500 endpoints could protect a family’s home devices. No signature updates. No performance degradation. Prevention instead of reaction — against the McAfees and Nortons that had sold the same signature-scanning model for decades.

I helped shape that pitch to the founders — the CEO and CTO — and then down to VP of Engineering and Engineering Directors. With approval to proceed, what followed wasn’t just a design project. It was standing up a business.

Building the Business Unit

Home Edition didn’t have an org behind it. Before the product could ship, we needed a VP to own the business unit, an architect, engineering resources (sourced partly from the core enterprise team), marketing, and sales. Hiring, scoping, and coordinating that build happened in parallel with the product design work — roughly nine to twelve months from first pitch to ship.

The dependency on the core engineering team was the critical constraint. Cylance ran a mono-architecture. There was no separate consumer infrastructure to build against. Home Edition required new API endpoints, new provisioning logic, new billing integration, and a distinct UI layer — all on top of a system designed for enterprise fleet management, not self-service consumer sign-up.

Insight

The enterprise product assumed an IT admin at every step — policy configuration, device provisioning, license management. None of those assumptions held for a home user. The product needed a different surface, not a simplified version of the same one.

Hypothesis

If we designed the consumer UX to pitch first — before negotiating engineering scope — we'd have a concrete artifact to align on rather than an abstract requirements doc. The design would define what needed to be built.

Decision

Led with consumer UX design to secure internal approval, then used those designs as the negotiation surface with engineering to determine what was achievable on the existing architecture within the timeline.

Project Jarvis: The Mobile Concept

Early in the process, the design team explored a more ambitious direction internally codenamed Jarvis — a mobile-first, family-circle concept inspired by platforms like Circles by Disney. The idea was a social layer: a shared security view across family members’ devices, accessible from a mobile app, with a circle metaphor organizing the household’s protection.

Project Jarvis wireframe map — full mobile app user flow showing onboarding, dashboard, My Circle, System Manager, Passwords, Alerts, and Settings screens
Project Jarvis wireframes — the full mobile user flow exploring a family-circle model for consumer endpoint protection

The Jarvis wireframes mapped a complete mobile experience: onboarding, a household dashboard, individual device management, password management, alerts, and settings. It was a forward-looking concept — a vision for what a consumer security product could become if built from scratch. What shipped was more grounded. The architectural realities of building on the enterprise mono-architecture, the timeline, and the core value proposition — ML prevention, not social features — focused the product on what it needed to be at v1.

The Consumer UX Translation Problem

The enterprise CylancePROTECT console was built for IT professionals. Script control, memory protection, device peripheral configuration, USB policy — these were the controls that made enterprise customers confident and comfortable. For a home user, they were noise at best, anxiety-inducing at worst.

The translation work had two layers. The first was feature scoping: which enterprise capabilities translated to consumer value, and which needed to be hidden entirely. Advanced policy controls (script control, memory access blocking) were removed from the consumer surface. Device management was simplified from fleet-level administration to a personal device list. The threat response model moved from operator-controlled allow/quarantine decisions to automatic protection with a legible status.

The second layer was the visual and interaction model. The enterprise console operated in a security-professional mental model: technical identifiers, alert queues, bulk actions across hundreds of devices. The consumer portal needed to answer a different question: is my family safe right now?

CylancePROTECT Home Edition portal — My Devices dashboard showing Environment SAFE status, 3 of 10 installed devices, 430,994 files analyzed, 15 threats quarantined, and per-device status rows
Home Edition portal — the primary dashboard. Environment status, device count, files analyzed, and threats quarantined at a glance. Per-device status below.

The portal’s primary surface answered that question directly: a single “Environment SAFE” status, aggregate file analysis count, quarantined threat count, and a per-device row showing each family member’s machine. The same underlying data that fed the enterprise console’s threat queue — SHA256 hashes, execution event logs, kill chain data — surfaced here as a single status badge per device: SAFE or AT RISK.

Self-Service Acquisition and Onboarding

One of the largest gaps between the enterprise product and Home Edition wasn’t the interface — it was the acquisition path. Enterprise customers were provisioned through a sales process: account setup, license allocation, IT-administered deployment. None of that existed for consumers. Home Edition needed to invent the full self-service path from scratch.

Home Edition product registration flow — from announcement email through eligibility check, email verification, FastSpring checkout, account creation, EULA, and management portal with Add Devices
Registration and onboarding flow — the complete self-service path from announcement email to first device added, including payment via FastSpring

The registration flow we designed covered the full acquisition arc: eligibility check, email verification, payment processing via FastSpring, account creation, EULA acceptance, and first device provisioning. Error states — ineligible users, invalid email addresses — were designed at every branch. The onboarding path was designed to get a home user from purchase to protected in a single session, without a support call.

This required new backend provisioning endpoints, a consumer-scoped tenant model, and payment integration — all work that had to be negotiated with core engineering because it lived in the enterprise system’s infrastructure.

Cross-Platform Desktop Experience

The protection itself lived in the desktop agent — CylancePROTECT — running on each protected machine. The consumer version of the agent was designed for both macOS and Windows, with platform-appropriate visual treatment: the dark, focused aesthetic of the enterprise agent adapted to each OS’s native conventions.

CylancePROTECT desktop app on macOS — showing Threats and Events tabs with file analysis count
CylancePROTECT on macOS — threat and event views with per-machine file analysis count
CylancePROTECT desktop app on Windows 10 — same Threats and Events structure in a light platform-native treatment
CylancePROTECT on Windows — the same interface adapted to Windows 10 conventions

The agent surface was intentionally minimal. The value proposition of ML prevention is that it’s silent — threats are blocked before execution, without user intervention. The agent existed to confirm protection was active and surface the rare case where a user needed to see what had been caught.

Threat Visibility Without Technical Depth

When the portal did surface a threat, the design challenge was communicating enough detail to feel credible and actionable — without exposing the SHA256 hashes and classification taxonomy that a security operator would use to investigate.

Threat detail view showing FileName.PDF classified as Malicious/Trojan, affected devices with AT RISK and PROTECTED status, Quarantine Threat and Allow actions
Threat detail — file classification, affected device status, and direct quarantine/allow actions. Technical metadata present but not foregrounded.

The threat detail view retained the technical metadata — classification, SHA256, detection dates — but organized the surface around what the home user needed to act on: which devices were affected, what the file was classified as, and two clear choices: quarantine or allow. The per-device status (AT RISK / PROTECTED) translated the protection state into something meaningful without requiring knowledge of what Malicious/Trojan meant in technical terms.

Outcome

CylancePROTECT Home Edition shipped across web portal, macOS, and Windows — a self-service consumer endpoint protection product built on an enterprise foundation that wasn’t designed for it.

The consumer business unit was established with dedicated leadership, engineering, marketing, and sales — a greenfield org that didn’t exist before the pitch. Revenue was meaningful but not the primary metric: Home Edition’s strategic value was in demonstrating that Cylance’s ML model could extend beyond enterprise, broadening the company’s addressable market and product lineup ahead of the BlackBerry acquisition.

The acquisition — announced in 2018 at $1.4B — cited Cylance’s technology and product portfolio. Home Edition was part of that portfolio: evidence that the prevention model could scale from the Fortune 500 SOC down to a parent protecting their family’s devices.