SBOM vulnerability management platform

Designing a scalable cybersecurity product for regulated environments

I design end-to-end product experiences and the UX systems that sustain them — from early foundations through growth, optimization, and scalability.

Company position

The company was an early-stage medtech cybersecurity startup, and the product existed as a concept-phase prototype with a small customer base. There was significant urgency to establish an enterprise-ready platform to support medical device manufacturers under emerging FDA cybersecurity expectations.

Product state

At the time, the product had no UX foundation. There was no design system, information architecture, or shared mental model for how the platform worked—either internally or for customers.

From a user perspective, the experience imposed a high cognitive burden:

  • No onboarding, in-product help, or self-service
  • No release process or visibility into product changes
  • Limited transparency for internal stakeholders and customers
  • Unclear next steps
  • Low adoption and conversion
  • The early concept app relied on modals within modals, which couldn’t be tracked, bookmarked, or measured, and which made it difficult for users to understand the available actions and workflows

The interface shipped exclusively in dark mode, which did not align with enterprise expectations in regulated environments. Contrast and legibility issues further reduced usability, and core interaction patterns (forms, filters, buttons, and status indicators) were non-existent.

Additionally, the product’s value and positioning were not yet clear to the market.

Old design

With no designers, the initial concept had few customers and its value and positioning were not clear to the market.

The UI made it hard to know where to get started. The initial product was entirely in dark mode (which did not align with the target audience's mental model), used a narrow, illegible font, had buttons that were difficult to read, fields that were not styled for dark mode, statuses that were hard to read, and a filter button that only cleared the filters to its left, among other issues.

Challenge

Design and deliver a usable, scalable SBOM vulnerability management platform from an early prototype — while the company, product strategy, and internal processes were still forming.

This required:

  • Establishing a clear UX foundation without an existing design system or IA
  • Reducing cognitive load in a highly complex, regulated domain
  • Making product state, risk, and next steps immediately understandable
  • Enabling adoption, trust, and day-one usability for startup and enterprise customers
  • Creating structure fast enough to support active customer commitments and regulatory pressure

Approach

I designed and built the foundational systems required to take the product from an early prototype to an enterprise-ready platform. I worked end to end across product design, product management, and technical writing, creating structure while the product and organization were still forming.

Platform foundations

  • Created design patterns and identified a public design system to accelerate pattern creation and delivery
  • Designed global navigation, toolbars, and a scalable breadcrumb and URL structure
  • Established table patterns with clear status badges, filtering, and next-step actions
  • Introduced empty states to guide users toward value
  • Created confirmation modals, toasts, and notifications to clarify system state and prevent errors
  • Identified all filtering needs, including filter categories, fields, and options, along with definitions for every option
  • Introduced light mode to align with enterprise and regulatory expectations
  • Established release processes and authored the first release emails
  • Created the first product datasheet to support sales and services
  • Built feedback channels to improve internal and customer visibility

Onboarding, activation, and roles

  • Designed account activation flows for all entry scenarios (self-signup, invited user, invited admin)
  • Defined role models and permissions (User vs Workspace Admin)
  • Authored transactional email content and provided matching HTML for engineering

Account activation

There were several scenarios, from creating your own account to being invited to an existing account as a user or an admin, and more. Activation had previously been handled manually, so this work also included defining expiration limits and next steps.

Users can sign up for their own account or be invited to an existing company's account in a particular workspace.

Getting users to value

  • Designed a Get Started hub to surface integrations, documentation, and next steps
  • Created an Integrations hub to improve discoverability of CI/CD pipelines and APIs
  • Authored all help content while designing the product, establishing the first help center

Get started and unstuck

This enabled users to get started quickly, no matter where they were. It brought forward our integrations (which had previously been undiscoverable) to show how easy it was to integrate into your CI/CD pipeline, pointed you to key topics in the help center to ensure your success, and upsold our services team offerings if you needed extra help. I ideated this Get started hub and wrote all help center content to complement it.

Help center

There was no help center for the product, so I created all content (on Gitbook) while designing the product, which can be seen here: https://helm.docs.medcrypt.com/

Integrations hub

With the addition of a few integrations and our API, but low usage, I pushed for an Integrations hub to improve discoverability.

Added ability to invite user

As you know, getting users to invite other users to the application is a major factor of stickiness, so this enabled users to invite other users to join one or more workspaces within an organization. This also included determining what the roles would be and how they would fit into the existing user administration processes.

Users could be a User or a Workspace Admin. For the former, the inviter would then set up SBOM and vulnerability view/edit access; the latter would have full access to the workspace.

Navigation and scalability

  • Designed a sidebar and scalable breadcrumb system to support products, versions, and future workspaces
  • Mapped current and future URL structures to support traceability and growth
  • Ensured the navigation model could expand without redesign as customer needs evolved

Sidebar

I created a sidebar with iconography and integrated help.

Main navigation with scalable breadcrumb system

Breadcrumbs

Introduced breadcrumbs and underlying URL structure, mapping out current and future state of the platform. This enabled users to view all available products and versions and quickly switch between them.

These are just some of the variants of the toolbar for the different phases.

Breadcrumb and URL mapping

I pushed for breadcrumbs and URLs for traceability, mapping out the breadcrumb and URL structure of the current and future state for every use case, which set the product up for traceability to be added later.

Breadcrumb scalability

When customers asked for workspaces much later (including across multiple units within a larger organization), this was a snap to add to the scalable breadcrumb system.

Page-specific toolbars with bulk and individual actions

Both components and vulnerabilities shared the same main goals: remediating the most exploitable vulnerabilities and giving an accurate understanding of your overall risk. From research, we'd found that many companies just wanted vulnerability remediation to be automated so that they didn't have to spend valuable cycles on it. We now had an AI guidance system that collected security advisories and vulnerability information from many sources, so the toolbar integrates that automation to get customers to value quickly.

Created a toolbar with bulk and individual actions to get users to value quickly.

Empty states

I introduced empty states for each page, making it easy to understand next steps. This also included figuring out all of the permission states, as these weren't clearly defined at this point.

Empty states enabled customers to get to value quickly.

Risk management and workflows

  • Designed page-specific toolbars with bulk and individual actions
  • Introduced row-level actions to remove ambiguity around next steps
  • Built mini-dashboards to surface component and vulnerability state over time
  • Designed primary dashboards for FDA metrics, SBOM quality, and threat intelligence

Dashboards

This was a project that I drove myself, identifying all of the categories for FDA metrics and SBOM quality and compliance, as well as what constituent parts made up each category.

FDA metrics & SBOM quality dashboard

This Compliance & quality tab encompasses FDA metrics and SBOM quality, in addition to the new categories I added: fixable and fixed vulnerabilities. The FDA metrics were not clearly defined in the industry, so I had to determine what fell into each category as well as how to calculate them (how we could measure them given our current application features, and what we would need to add). The overview widgets are from a public design system, but I created the detailed bar charts beneath as well as the color scheme.

Fixable and fixed vulns show the number in each category versus the total number of vulns. FDA metrics are shown in green or red, depending on whether they are improving or worsening versus the previous time period. Overview widgets could be toggled to show a sparkline view of progress over time.


Threat intelligence dashboard

This was one of my favorites. From my several years designing the product and telling its story in the documentation, I determined what fell into each category. This shows high-level exploitability intelligence first, then drills into the lower-level risk-management dashboard.

Dashboard filters

For each table and each dashboard, I determined the categories of filters, as well as what was in each category so that users could quickly drill down on just what they needed.

The filter mechanism uses progressive disclosure, only showing the most important and most frequently used filters by default.

This shows the filters fully expanded to enable you to drill down on exactly what you need, no matter how granular.

Data clarity and prioritization

  • Created a comprehensive badge system covering match status, exploitability, remediation, licensing, and lifecycle risk
  • Designed unified vulnerability and component views to consolidate actions and state
  • Enabled remediation workflows across product versions
  • Introduced AI-assisted recommendations and authored supporting documentation

Tables

Each table could be customized to exactly what you needed. This included creating all of the badge patterns and definitions and determining the logic for next steps.

For every object, the table brought forward the next step and used clear badging to combine information within the dense table structure, calling attention to what mattered most.

Mini-dashboards

This is something that I ideated to bring forward the current state of components and vulnerabilities. It showed changes over a 7-day cycle (which conversations with customers had shown was important), as well as exploitability, severity, fixability, and current remediation state.

Row-level actions

Instead of leaving the user to guess their next action, row-level actions eliminated that uncertainty.

This showed all possible next steps for a component or vulnerability.

Badges

I created a whole badge system to deal with every status, from match to remediation to license risk to lifecycle risk and beyond.

Match status badges

Getting your components matched to known NVD software was critical to identifying the associated vulnerabilities.

This showed what you still needed to do, components we weren't able to identify anywhere (along with the sources we checked, to eliminate redundant user effort), and how components were matched.

Exploitability badges

This showed what was most important to focus on because the vulnerability appeared in exploitability sources such as CISA KEV, Metasploit, and ExploitDB.

Datasheet

I created the first product datasheet, showing how we could position the product, which enabled our sales and services team to better speak to our product's value.


Matching components

Getting a component to match to a known software component in the NVD or package manager was critical to the next step of viewing vulnerabilities for that component, so I put a lot of emphasis on making sure customers understood this and how to match components that didn't automatically match.

In addition to the badge system that displayed at the table level, shown above, with the suggested next step, users could click in to see exactly what state a component was in and what to do next.

Create alias rule for automatic matching

Users could create alias rules to automatically match a hard-to-identify component in existing and future SBOMs, drilling into the details about a possible match to ensure they were selecting the correct one. It is critical to identify components to have an accurate, complete view of risk.
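The following is an added illustration, not code from the product described in this case study: the match-status, exploitability badge, and fixable/fixed logic described above, expressed as a small Python routine over constructed data. The package catalogue, alias rules, exploit feeds, and CVE ids are all placeholders.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for an NVD / package-manager lookup: component name -> known identifier.
KNOWN_PACKAGES: Dict[str, str] = {"openssl": "cpe:2.3:a:openssl:openssl",
                                  "zlib": "cpe:2.3:a:zlib:zlib"}
# Constructed alias rules: glob over the SBOM component name -> canonical name in the catalogue.
# A rule is applied to every SBOM, existing and future, so the match survives re-uploads.
ALIAS_RULES: Dict[str, str] = {"libssl*": "openssl", "zlib1g": "zlib"}
# Constructed exploit feeds keyed by CVE id (placeholder ids, not real advisories).
KEV = {"CVE-0000-0001"}
EXPLOIT_SOURCES = {"CVE-0000-0001": {"ExploitDB"}, "CVE-0000-0002": {"Metasploit"}}
SOURCES_CHECKED = ("catalogue", "alias rules")

@dataclass
class Vuln:
    cve: str
    fix_version: Optional[str]      # None when no fixed release exists (not fixable)
    remediated: bool = False        # True once a remediation has been applied

@dataclass
class Component:
    name: str
    vulns: List[Vuln] = field(default_factory=list)

def match_status(name: str) -> Tuple[str, Optional[str]]:
    """Badge for the match step: direct match, match via alias rule, or unmatched.
    For unmatched components the second slot reports the sources already checked."""
    if name in KNOWN_PACKAGES:
        return "matched", KNOWN_PACKAGES[name]
    for pattern, canonical in ALIAS_RULES.items():
        if fnmatchcase(name, pattern):
            return "matched-by-alias", KNOWN_PACKAGES[canonical]
    return "unmatched", "checked: " + ", ".join(SOURCES_CHECKED)

def exploitability_badge(cve: str) -> str:
    """Most urgent exploitability signal wins: a KEV entry outranks other exploit sources."""
    if cve in KEV:
        return "CISA KEV"
    sources = EXPLOIT_SOURCES.get(cve)
    return ", ".join(sorted(sources)) if sources else "none"

def compliance_counts(components: List[Component]) -> Dict[str, int]:
    """Fixable and fixed vulns against the total, as on the Compliance & quality tab."""
    vulns = [v for c in components for v in c.vulns]
    return {"total": len(vulns),
            "fixable": sum(v.fix_version is not None for v in vulns),
            "fixed": sum(v.remediated for v in vulns)}
```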

Unified vulnerability view and actions

As the product was growing, each action had been tacked on, such that there was no unified view of the vulnerability and associated actions. I pushed for a unified view of each product, vulnerability, and component. Whether it was a vuln or a component, the problem was the same - prioritizing and remediating the most important vulns to make your product safer.

The unified view of each object showed its current state and fixability, as well as available actions, including AI recommendations.

This Remediate tab enabled users to apply a remediation for this particular vuln from any product version to this version.

AI recommendations

This assessed current risk against the mitigations in place, determined what still needed to be done, and provided AI recommendations for short- and long-term mitigation, which could be shared with an R&D team for prioritization. I also wrote all documentation, including how we could position our nascent AI: https://helm.docs.medcrypt.com/manage-vulnerabilities/leverage-ai-powered-vulnerability-guidance

The Risk and Mitigation columns determined whether any mitigations you had in place decreased the risk, and whether it was sufficient. Risk scores would be next, but weren't in place yet.

This was the initial concept for next steps for each AI recommendation.

Self-service and trust

  • Designed in-product help and authored all documentation
  • Created first help center
  • Improved discoverability of CI/CD integrations and APIs
  • Introduced release processes and authored the first release emails
  • Established feedback channels for internal and external stakeholders

Impact

The product evolved from an early prototype into a cohesive, enterprise-grade platform.

  • Transformed an early prototype into a complete 0→1 platform
  • Enabled users to self-serve via empty states, the badge system, dashboards, get started hubs, in-product help, the external help center, integrated support, and more, ensuring clear system status at all times
  • Improved product clarity, speed of iteration, and stakeholder alignment

Users were able to self-serve through onboarding flows, empty states, dashboards, and integrated help, reducing reliance on support and tribal knowledge. Cognitive load was reduced by clearly surfacing system state and next steps, improving clarity, adoption, and internal alignment.

The platform established a durable foundation for FDA metrics, compliance reporting, and continued product growth. Customers can now understand risk, prioritize remediation, and manage SBOM quality with confidence.