TL;DR
This project began with the goal of developing a new product to ensure regular revenue streams for our company. We explored the integration of DAST scanning, aligning it with pentesting. Extensive research and user polls validated our direction, while team collaboration shaped the user-centric design. We partnered with a specialized service to deliver a simple, high-quality solution. Collaborating with the sales team, we identified early adopters and received positive feedback from users. The project highlights the importance of understanding user needs, efficient development, and team collaboration in product innovation.
Intro
As a product designer, I embarked on a journey with my product manager and engineering team to identify and develop a new product that would offer a continuous revenue stream for our company. At the outset, we recognized that pentesting was primarily performed for compliance purposes, typically on an annual basis. To address this challenge and generate consistent revenue, our goal was to create a product that would be used regularly and could even be automated while still accommodating the option for manual pentesting services.
Dates: June - October, 2023
The company: Cobalt is a Pentest as a Service (PtaaS) platform with a community of testers who simulate cyber attacks and deliver insights to help companies remediate risks and innovate securely (friendly hacking for hire).
Discovery
Deciding on a direction
We initially considered DAST scanning but decided to investigate its relevance thoroughly before proceeding. To gain insights, we conducted research, including studying previously conducted interviews and customer advisory board events. While DAST scanning was used, it wasn't viewed as a cutting-edge security tool. However, it was similar to pentesting, making it relevant for our brand and something pentesters could enhance. Our key question was whether enough customers regularly performed DAST scanning.
User research and poll
To answer this question, we conducted a poll through Pendo, asking: "Has your team run DAST scanning in the last 3 months?" We received 75 responses, with 27% answering yes. Around the same time, a reputable security company released a study showing that about 30% of companies performed DAST scanning. This data provided the confidence needed to continue the project.
Understanding customer needs
We then delved deeper into why customers used DAST scanning and what the Minimum Viable Product (MVP) functionality should be. Collaborating with our Product Marketing Manager, we invited customers who had responded to the poll to discuss their motivations, previous experiences, likes, dislikes, and the "Jobs to be done" fulfilled by DAST scanning. I prepared the interview guide and we took turns interviewing the customers. I analysed the calls and put together a list of motivations, pains, and needs, and identified the players involved. I used this to design personas and a high-level map of the flow to achieve the jobs to be done.
Ideation
Identifying a gap in the market
The research revealed a clear pattern: DAST wasn't the only security measure customers relied on, and they used it less frequently than before. However, around 30% of companies used it regularly due to compliance requirements. It was considered a checkbox that had to be ticked, but most paid DAST services offered more features than necessary, and free versions were plagued by false positives. We believed that by providing a simple, low-touch solution with a high enough output quality, pentest customers would choose our service over the more complicated leading DAST providers.
Building a partnership
We lacked the expertise to develop a low-false-positive DAST service in-house within our timeframe. Thus, our product manager and an engineer began searching for potential partner services. We found a service built by pentesters that could be integrated entirely through APIs, allowing us to create our own user experience and fully integrate it into our platform.
Workshop and ideation
Armed with personas, requirements, and a high-level map, I designed a workshop for our team. We identified open questions and threats and brainstormed ways to deliver value to customers in the most efficient manner. We also explored how to fit these findings into our existing workflow.
Designing the UI
UI design and information architecture
As the teams delved into backend tasks and deeper technical investigations, I took on the role of creating the information architecture and user interface (UI) for our new DAST scanning product. Drawing inspiration from other DAST tools and leveraging the building blocks of components from our design system and patterns from existing pages within our platform, I focused on crafting a simple and intuitive UI.
Iterative design and collaboration
I actively sought feedback from our fellow designers and engineers, incorporating their insights and suggestions into the evolving design. Figma prototypes played a crucial role in demonstrating the user flow and gathering comments, allowing us to iterate and refine the UI efficiently.
Delivery
Phased development
Working closely with the team, we divided the product's functionality and elements into distinct phases. This approach enabled us to prioritize and deliver value to our customers as quickly as possible. Elements that were not directly hindering users from completing their critical tasks were deferred to later phases, ensuring a more efficient development process.
Collaborating with sales to validate customer interest
To ensure we weren't merely speculating about customer demand for our Cobalt scanner, we recognized the limitations of asking directly and turned to a collaborative approach with our sales team. They had been in direct contact with customers who had inquiries about Cobalt's scanning capabilities. We initially asked them to gauge interest when customers brought it up. As our solution matured, we took the proactive step of having the sales team demo it to customers, even though it wasn't user-friendly yet. This led to 60 enthusiastic hand-raisers from various segments during a roadmap seminar, a strong indicator of genuine interest. Encouraged by this response, we continued to enhance the functionality, making it more versatile and user-centric.
User testing and refinement
Once we had brought the product to a point where it had adequate features, guidance and error messages, we provided the tool to our in-house security team and shadowed their initial experiences. This process revealed critical insights, such as the importance of tracking changes for compliance.
User adoption and feedback
We gradually introduced the tool to early access users, and the feedback was consistently positive, with customers appreciating its simplicity and efficiency. After addressing a few bugs and adding more of the functionality we had earlier deprioritized, we opened the tool to all our customers, and 40 users activated the feature within the first 24 hours.
"I really like how easy it is to set it up, not a lot of fields that you have to put in. In the majority of use cases, it's just a few clicks to get the scan set up and just let it run."
"I like how the results are displayed. It's a very clean layout. You see exactly what I need: what the request was that actually generated the finding, and then what the suggested fix is."
In conclusion
Our user-focused design and collaborative teamwork led to the successful launch of the DAST scanning product. By addressing market gaps and exceeding expectations through strategic partnerships and user validation, we've set a new standard for simplicity, efficiency, and high-quality cybersecurity solutions.