01 / Operational Systems
Spotlight Security
From scattered security signals
to a usable path to action.
“We don't need more alerts. We need to help people decide what was worth acting on, and what the next step needed to be.”
A distributed environment,
viewed through fragments.
Security and infrastructure teams were working across host-level telemetry, firewall configurations, vendor consoles, spreadsheets, tickets, and customer conversations. They could see pieces of the environment — but not always the full story.
The Questions People Needed Answered
Is this system configured insecurely?
Is this device behaving unusually right now?
Which finding deserves attention first?
What should happen next?
What the workflow looked like before
The issue was not a lack of data. It was the lack of a consistent path from scattered evidence to a trustworthy action.
A generic detection could look suspicious in one environment and be completely normal in another.
The Product Insight
A technically unusual signal
is not automatically useful.
It becomes useful when it is understood in the context of the customer, the system, and the decision someone needs to make next.
What we chose to build first
Rather than trying to ingest every data source and detect every possible issue, we centered the workflow around the signals customers repeatedly needed help acting on.
From signal to action
The product had to answer more than "something happened." It needed to make the what, why, urgency, and next step legible to the person responsible for remediation.

What This View Makes Possible
Find the signal
Understand why it matters
See the recommended action
Track resolution
Where I contributed
Customer-relevant detection
Worked closely on the question of what customers actually needed to know: which assets mattered, which anomalies created risk, and what context made a finding actionable.
Detection + analysis logic
Contributed to workflows that combined configuration-based findings with device and operational signals instead of producing raw alert lists alone.
Data normalization
Helped make Palo Alto, Ubiquiti, SonicWall, host telemetry, and network information more comparable for the people using the product.
Platform + testing support
Worked across Python, FastAPI, PostgreSQL, AWS, Docker, ingestion workflows, and Docker-based IT/OT validation environments.
From detection to remediation
Helped shape findings so users could understand what happened, why it mattered, what was involved, urgency, and a recommended next step.
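The path described above, from vendor-specific firewall exports and a device signal to a prioritized list of findings that each carry what happened, why it matters, what is involved, urgency and a next step, as an added Python illustration written for this page. It is not the product's code. The vendor record field names, the shared rule schema, the three checks, the sample exports and the two customer contexts are all constructed assumptions; the point it shows is that the same device signal yields a finding for one customer and nothing for another, because the decision is made against that customer's context rather than against the raw signal.

```python
"""Added example: normalize several firewall exports into one schema, run
misconfiguration checks, judge a device signal against customer context,
and emit findings a remediator can act on. All data is constructed."""
from dataclasses import dataclass
import ipaddress

URGENCY = {"critical": 0, "high": 1, "medium": 2, "low": 3}
MGMT_PORTS = {"22", "443", "8443"}  # assumed management ports for this example


@dataclass(frozen=True)
class Rule:                  # shared schema (an assumption of this example)
    vendor: str
    name: str
    src: str                 # "any" or CIDR
    dst: str                 # "any" or CIDR
    port: str                # "any" or a port number
    action: str              # "allow" or "deny"
    log: bool


@dataclass(frozen=True)
class Finding:               # the shape a remediator needs, not a raw alert
    what: str
    why: str
    involved: str
    urgency: str
    next_step: str


# Constructed, simplified records standing in for three vendor exports.
# Field names are invented for illustration, not the vendors' real formats.
EXPORTS = {
    "paloalto": [{"rulename": "allow-all", "source": "any", "destination": "any",
                  "service": "any", "action": "allow", "log-end": "no"}],
    "ubiquiti": [{"description": "ssh-in", "source": "any", "destination": "10.0.0.1/32",
                  "dest_port": "22", "action": "accept", "log": True}],
    "sonicwall": [{"name": "vendor-rdp", "from": "203.0.113.0/24", "to": "10.0.5.0/24",
                   "svc": "3389", "action": "Allow", "logging": True}],
}
SIGNAL = {"src": "203.0.113.7", "dst": "10.0.5.20", "service": "RDP"}  # constructed
CUSTOMER_A = {"expected_remote_ranges": ["203.0.113.0/24"], "critical_hosts": []}
CUSTOMER_B = {"expected_remote_ranges": ["198.51.100.0/24"], "critical_hosts": ["10.0.5.20"]}


def normalize(vendor, rec):
    """Map one vendor record onto the shared Rule schema."""
    if vendor == "paloalto":
        return Rule(vendor, rec["rulename"], rec["source"], rec["destination"],
                    rec["service"], rec["action"].lower(), rec["log-end"] == "yes")
    if vendor == "ubiquiti":
        return Rule(vendor, rec["description"], rec["source"], rec["destination"],
                    rec["dest_port"], "allow" if rec["action"] == "accept" else "deny",
                    bool(rec["log"]))
    if vendor == "sonicwall":
        return Rule(vendor, rec["name"], rec["from"], rec["to"],
                    rec["svc"], rec["action"].lower(), bool(rec["logging"]))
    raise ValueError(f"unknown vendor {vendor}")


def normalize_all(exports):
    return [normalize(v, r) for v, recs in exports.items() for r in recs]


def check_rules(rules):
    """Configuration checks over normalized rules; each hit is a full finding."""
    out = []
    for r in rules:
        if r.action != "allow":
            continue
        where = f"{r.vendor} rule '{r.name}'"
        if r.src == "any" and r.dst == "any" and r.port == "any":
            out.append(Finding("Any-to-any allow rule", "Every source can reach every "
                               "destination and service", where, "critical",
                               "Replace with explicit source, destination and service rules"))
        elif r.src == "any" and r.port in MGMT_PORTS:
            out.append(Finding(f"Management port {r.port} open to any source",
                               "Administrative access is reachable from untrusted networks",
                               where, "high", "Restrict the source to the management network"))
        if not r.log:
            out.append(Finding("Allow rule without logging", "Traffic it permits leaves "
                               "no trail to investigate", where, "low",
                               "Enable session logging on the rule"))
    return out


def assess_signal(signal, ctx):
    """The same device signal, judged against this customer's known context."""
    src = ipaddress.ip_address(signal["src"])
    if any(src in ipaddress.ip_network(n) for n in ctx["expected_remote_ranges"]):
        return None  # expected remote access here: normal, so no finding
    urgency = "high" if signal["dst"] in ctx["critical_hosts"] else "medium"
    return Finding(f"Inbound {signal['service']} from {signal['src']}",
                   "Source is outside every range this customer expects remote access from",
                   f"host {signal['dst']}", urgency,
                   "Confirm with the customer, then block the source and review the host")


def run(exports, signal, ctx):
    """Config findings plus any contextual signal finding, most urgent first."""
    findings = check_rules(normalize_all(exports))
    sig = assess_signal(signal, ctx)
    if sig:
        findings.append(sig)
    return sorted(findings, key=lambda f: URGENCY[f.urgency])


if __name__ == "__main__":
    for label, ctx in (("customer A", CUSTOMER_A), ("customer B", CUSTOMER_B)):
        print(label)
        for f in run(EXPORTS, SIGNAL, ctx):
            print(f"  [{f.urgency}] {f.what} ({f.involved}) -> {f.next_step}")
```

Running it shows the any-to-any rule and the exposed SSH rule first for both customers, but the RDP signal appears only for customer B: customer A expects traffic from that vendor range, so nothing is raised, which is the "normal in one environment, suspicious in another" case from the page.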
Proof, not decoration
The metrics are evidence of a workflow that made security work more usable.
10,000+ events/day across IT and OT contexts
3 firewall ecosystems: Palo Alto, Ubiquiti, SonicWall
15+ recurring misconfiguration patterns
~60% reduction in manual audit effort
Detection is only the beginning
The product decision was to move beyond "we found a problem" and create a clearer path through explanation, recommended action, and follow-through.

The point was not only to surface an issue. It was to close the gap between detection and the work of remediation.
Customer Feedback
"I've never seen anything like it. For someone who's in these environments every day, you have no idea how useful these tools are."
Larry Hill — CEO, Hill Technical MSP
What I would improve next
I would validate which findings most often led to action, then use that behavior to improve prioritization, confidence signals, and remediation follow-through.
Feedback Loop