Building the MVP of a Cybersecurity SOC Tool powered by Agentic AI

Building the MVP of a Cybersecurity SOC Tool powered by Agentic AI

From cognitive overload to focused threat response: designing a SIEM from the ground up, aligned to NIST CSF

Client

Cybersecurity SOC Tool Startup

Role

Lead Product Designer

Platforms

Desktop

The Problem

The founding team, three veterans with over 30 years of combined experience at a leading cybersecurity company, saw firsthand what was broken about existing SIEM tools. Analysts were drowning in data, unable to surface what truly needed their attention. Case creation and initial incident reporting were still manual, slowing response times at exactly the moments that mattered most.

Their vision: build a SIEM that reduces cognitive load by design, automates repetitive analyst tasks, and structures the entire product around the NIST Cybersecurity Framework, making it both more usable and more defensible to enterprise buyers from day one. The MVP had to serve two roles with fundamentally different needs: a Super Admin managing the platform, and an Analyst working within it, always in the context of a specific client.

Key Design Decisions

01
NIST CSF as the navigation spine, not just a compliance checkbox
The NIST CSF modules (Govern, Identify, Protect, Detect, Respond, Recover) became the primary navigation of the product. For enterprise buyers, seeing their SIEM organised around a framework they already report against reduces procurement friction. For Analysts, it creates a shared vocabulary between the tool and their workflows. It also gave the IA a principled foundation that could scale as new capabilities were added.
02
Global client-level filter as a first-class product decision
The Analyst role required all data to always be viewed in the context of a selected client. Rather than treating this as a filter widget, we designed it as a persistent global selector that anchors the entire session, meaning every module, every data view, and every workflow is implicitly scoped. This eliminated a class of errors where an analyst might act on data from the wrong client environment.
03
Carbon Design System over a custom component library
Given the team size (one developer, one designer), building a custom component library was not viable without compromising depth of product coverage. Carbon Design System gave us an enterprise-grade, accessible foundation with dense information layouts suited to a power-user tool. It also signalled credibility to technical buyers. The tradeoff was some visual differentiation, which we managed through considered use of colour and data hierarchy rather than custom components.
04
Laying the groundwork for agentic AI without over-indexing on it in the MVP
Rather than designing AI features speculatively, we focused the MVP on establishing the right structural foundations: clear contextual boundaries, consistent action patterns, and defined workflow states that agentic tools could hook into in future. This kept the MVP focused while future-proofing the architecture.

Process

The domain required significant upfront research: studying the NIST CSF, understanding the two primary user roles, and learning the language of cybersecurity operations before any wireframes were drawn. I worked closely with the CTO to map the IA against the six NIST modules, then defined the sub-functions and data points within each. Since the detailed IA is under NDA, it cannot be presented here, but this foundation directly determined every structural decision in the product. Wireframes were produced for all modules before moving to high-fidelity in Carbon Design System.

Iterations

Given the MVP scope and close collaboration with a technically expert CTO, the design process involved focused refinement rather than structural pivots. Key iterations included tightening information density within each module to surface the most critical data first; adjusting the global client filter's visual prominence after early reviews showed it was being overlooked; and refining the layout of the Analyst's case management views to better separate active investigations from historical records. Each review cycle with the CTO produced incremental improvements, a reflection of the thoroughness of the upfront IA work.

Final Output

A high-fidelity prototype covering core workflows for both the Super Admin and Analyst roles, structured across the six NIST CSF modules. The Carbon Design System provided the component foundation, with custom layout decisions made for information-dense views. The prototype was built to proof-of-concept standard, ready for early enterprise prospect demonstrations.

Reflection

The domain required significant upfront investment before any design work could begin. Studying NIST CSF, mapping user roles, and building enough cybersecurity fluency to have productive conversations with the CTO all took time. In retrospect, I would have pushed earlier for even one session with a working SOC analyst, not just the founding team. The founders' expertise was invaluable, but their mental model was shaped by years of familiarity. A practising analyst would have surfaced friction points around daily workflow patterns that we could only infer from first principles.