Enterprise SaaS · Cybersecurity · Security Automation

BulwarX
Routines

Designing a visual workflow builder that lets security analysts automate complex incident response, without writing a single line of code.

Lead Product Designer
1 PM · 4 Engineers
Figma · Miro
2023–2024
Context

The product and the problem

BulwarX is an Israeli cybersecurity integration company headquartered in Ra'anana. Their business is implementing and managing enterprise security stacks for organizations across industries, working with partners including Palo Alto Networks, Microsoft, CyberArk, Broadcom, and Netskope. Routines is an in-house platform BulwarX built for their own operations and for their managed security clients: a visual automation engine that lets security teams respond to threats, run investigations, and manage remediation without manual intervention. A Routine chains together Tasks, each one performing a discrete action like downloading a file, scanning for malware, sending an alert, or quarantining a device, connected through branching logic that handles success, failure, and edge cases.

The problem BulwarX was solving is real and expensive. Enterprise SOC teams handle hundreds of alerts per day. Most of that work is repetitive: download a file, scan it, escalate if suspicious, notify someone, open a ticket. Done manually, each incident takes an analyst between 30 minutes and 2 hours. Done wrong, it creates liability. The bottleneck wasn't detection. It was response, and response was still manual.

My Role

End-to-end design: research, flows, information architecture, UI, dashboard, workflow builder, task creation experience, and dev handoff

Users

CISOs, SOC team leads, security analysts, and IT operations managers at enterprise organizations

Domain

SOAR (Security Orchestration, Automation and Response). A category of tools used to coordinate and automate security operations

Challenge

Design a workflow builder powerful enough for complex security logic, but accessible enough that analysts can build and own it without engineering support

The Key Constraint

Automation that can't be a black box

In security, trust is non-negotiable. An analyst who doesn't understand what a Routine does won't run it. A CISO who can't audit what ran during an incident has a compliance problem. Unlike most SaaS tools where "it just works" is a feature, in security operations, opacity is a liability.

That constraint shaped every design decision. Every Routine needed to be readable, not just functional.

What we couldn't compromise on

Every Routine had to be fully auditable. Analysts needed to trace exactly what ran, what the output was, and where a failure occurred, without reading logs.

Failure paths were as important as success paths. A silent failure in a security workflow is worse than no automation. Every branch, retry, and fallback had to be visible and intentional.

Non-engineers had to be the primary builders. If Routine creation required engineering support, adoption would stall. The UI had to be powerful enough for complex logic, simple enough for an analyst who's never written code.

The system had to handle real-time load. Running jobs, failed jobs, and scheduled jobs all needed to be visible simultaneously, without overwhelming the person monitoring them.

This pushed me away from the standard SOAR approach of script-based configuration and toward a visual-first system where the logic of a Routine could be read at a glance, not decoded from a config file.

User Research

Who actually runs the security operations

I ran research sessions with security professionals across three roles: CISOs responsible for strategy and compliance, SOC team leads managing daily operations, and frontline security analysts doing the actual triage and response work. The most revealing insight was a split that I didn't expect.

CISOs cared about visibility and reporting. Analysts cared about speed and clarity. But the people in between, the SOC team leads, were where the real pain lived. They were the ones context-switching between management dashboards, raw alert feeds, and makeshift scripts. They were the intended primary users of BulwarX, and they were being served poorly by every existing tool.

David Chen persona
David Chen
Head of Security Operations, Fintech company, 2,400 employees
"I know exactly what needs to be automated. I just can't build it without pulling an engineer off something more important."
Goals

Reduce manual triage time. Build automated playbooks his team can run without him. Have clear visibility into what's running and what's failing, without digging into logs.

Frustrations

Existing SOAR tools require Python. His team is 6 analysts, not engineers. By the time a playbook is built, the threat landscape has changed. Failed automations are invisible until something breaks.

Context

Processes 300+ alerts per day. Spends roughly 40% of his time on manual triage that he knows could be automated. Reports directly to CISO, responsible for SOC performance metrics.

Mental model

Thinks in playbooks and decision trees, not code. If shown a visual flow with conditions and branches, he can read it instantly. If shown a YAML file, he needs an engineer.

Competitive Analysis

Why existing SOAR tools fail analysts

The SOAR market is dominated by tools built by engineers, for engineers. The assumption baked into almost every competitor is that the person creating automations has a technical background. That assumption is wrong for most mid-market security teams, and it's where BulwarX had real room to differentiate.

PLAYBOOKS incident_response.py malware_triage.py email_alert.py escalation.py close_ticket.py incident_response.py import demistomock as demisto # automated incident response playbook def handle_incident (args: dict): severity = args.get( 'severity' , 0) if severity >= 3: demisto .executeCommand( 'escalate_incident' ) return CommandResults (outputs=result, readable_output=msg) Python 3.10 UTF-8 XSOAR 8.2
Palo Alto XSOAR
  • Extremely powerful and deeply integrated across the security stack
  • Playbook creation is primarily Python-based, requiring engineering involvement
  • Visual canvas exists but is supplementary to code, not a replacement for it
  • Setup and onboarding typically takes weeks, with steep configuration overhead
Phantom Playbook Editor malware_triage · Draft Start Trigger: new_alert getsysteminfoV2 phantom.act() file_reputation phantom.act() send_email phantom.act() failure_handler configure manually failure_handler configure manually
Splunk SOAR
  • More developed visual playbook builder than XSOAR, but still engineer-first
  • Interface is dense with a steep learning curve despite drag-and-drop
  • The distinction between Apps, Actions, and Playbooks causes onboarding confusion
  • Failure state visibility is limited — failed paths are not surfaced clearly
Microsoft Azure | Logic Apps Designer · sentinel-automation-v2 DESIGNER ▶ Run Trigger Resources • microsoft-sentinel • teams-connector • azure-monitor • logic-apps-runtime When a Microsoft Sentinel alert fires Trigger · Microsoft Sentinel Get incident details Action · Microsoft Sentinel · azure.microsoft.com Condition: Severity equals High Built-in · Control · Separate Azure context needed True False
Microsoft Sentinel
  • Cloud-native SIEM with strong Azure ecosystem integration
  • Automation through Logic Apps feels bolted on, not purpose-built for security ops
  • Monitoring and failure tracing requires switching between multiple Azure interfaces
  • Not a dedicated SOAR tool — and the workflow experience reflects that clearly

The gap across all three: none of them treat the security analyst as the primary workflow builder. BulwarX's opportunity was to own that space.

Strengths

Visual-first workflow builder designed for analysts, not engineers. Step-by-step task creation reduces cognitive load. Real-time monitoring with clear failure states. Dark theme designed for extended SOC use.

Weaknesses

Newer platform with fewer pre-built integrations than XSOAR or Splunk. No established customer base to draw social proof from. Enterprise sales cycle requires proven reliability.

Opportunities

Mid-market SOC teams underserved by enterprise-priced tools. Growing demand for no-code automation. Analyst-owned playbooks reduce dependency on stretched engineering teams.

Threats

Palo Alto and Splunk continue to improve their visual builders. Enterprise lock-in through existing SIEM investments. Security buyers prefer established vendors for perceived reliability and compliance.

Design Exploration

How do analysts think about workflows?

Before touching UI, I ran a card-sorting exercise with three analysts and two SOC team leads. I gave them a complex incident scenario, a malware investigation with multiple possible outcomes, and asked them to map the response flow on a whiteboard. Every person drew the same structure: a top-down decision tree with branching paths, clear labels on each outcome, and explicit "what happens if this fails" branches alongside the success path.

That told me everything I needed to know about the right interaction model. The question was how to translate that mental model into a builder that was both powerful and usable.

malware_triage.yml routines : - name : malware_triage trigger : alert_received tasks : - action : download_file params : url : "{{ alert.file_url }}" on_success : scan_file on_failure : null
Script-based configuration Not chosen
Analysts define Routines using structured YAML or a Python SDK. Powerful and precise, but requires technical knowledge to create and maintain. Every change to a Routine requires either engineering time or a technically skilled analyst. Debugging means reading logs. Adopted by XSOAR and Splunk for their core experience. Fast to build for a technical user, inaccessible for everyone else.
Visual workflow builder canvas
Visual node-based builder Chosen
Analysts build Routines by connecting visual nodes on a canvas. Each node is a Task with clearly labeled inputs, outputs, and branch conditions. Logic is readable at a glance. Failure paths are first-class elements, not afterthoughts. Non-engineers can build, read, and modify complex workflows without help. The builder is the documentation. Chosen because it matches the mental model analysts already use when thinking through a response playbook.
Design decision: I made failure paths visually identical in weight to success paths in the workflow builder. In all competitor tools, failure handling is a secondary concern in the UI. In BulwarX, every Task has an explicit Failure branch by default, making error handling a design requirement rather than an afterthought. This directly addressed the biggest operational risk: automations that fail silently.
The Solution

Four surfaces, one operational picture

The BulwarX Routines experience follows a single creation journey across five surfaces — from situational awareness, to the Routine library, to creating and building out a Routine, to the completed visual workflow.

Surface 01

The Dashboard

The first screen any analyst or CISO sees. Designed to answer one question immediately: what's happening right now and does anything need my attention? The dashboard surfaces Running Jobs, Failed Jobs, Scheduled Jobs, Engine health, and Package status in a single view.

Design decision: I used card-based layout rather than a table to allow scanning at different levels of urgency. Color was used sparingly, reserved only for failure states, so that red always means "act now." Jobs with no issues are intentionally low-visual-weight so that problems stand out without scanning every row.
BulwarX Dashboard — running jobs, failed alerts, engine and package status
Surface 02

Routine Management

The central library of all Routines in the organization. Analysts can search, filter by status, engine, or label, and understand the health of each automation at a glance without opening it. Card layout was chosen over a table to support scanning by status, not just by name.

Design decision: Labels and status indicators were surfaced directly on each Routine card, not hidden behind a hover or a click. In security operations, context-switching is expensive. An analyst should be able to triage the automation library in under 30 seconds.
Auto-cycling
Routines library — card view with status labels
Routines library — filter panel open
Surface 03

Creating a New Routine

From the library, analysts launch a new Routine through a minimal creation panel — name, trigger, dependencies, and labels. Keeping the entry form short was intentional: early testing showed analysts abandoned creation when asked too many questions upfront. Advanced configuration happens inside the Routine, not during creation.

Design decision: Separating "create" from "configure" reduced drop-off and let analysts reach the workflow canvas faster. The creation form is a gate, not a configurator. Everything else is deferred to where the real work happens.
Add new routine — creation panel with name, trigger, and label fields
Surface 04

Task Creation Wizard

Once inside a Routine, analysts add Tasks through a structured three-step wizard: Information (name, engine, description), Input (what data this Task needs), Output (what it returns and what each outcome triggers). Each step is a single concern — analysts never have to think about inputs and outputs at the same time.

Design decision: I introduced a side panel pattern for editing Tasks inside an open Routine, so analysts could make changes without losing their position in the workflow. In competitor tools, editing a node opens a new full-screen context, breaking the spatial awareness of the canvas. The side panel preserves that context and makes iteration significantly faster.
Auto-cycling
Routine detail — empty tasks state, ready to build
Add task — Step 1: Task Info
Add task — Step 2: Input configuration
Add task — Step 3: Output mapping
Surface 05

The Workflow Builder

The completed Routine lives here: a visual canvas where every Task is a node, every connection is a decision, and every failure path is visible at full weight alongside the success path. This is the output of the entire creation journey — a Routine that reads like a flowchart, not a config file. Analysts can audit, modify, and share it without needing the person who built it in the room.

Design decision: I rejected the common pattern of collapsing failure branches by default. Every Task node shows both the success path and the failure path simultaneously. Analysts who build Routines also run incident reviews under pressure — they need to read the workflow instantly, not reconstruct it from memory. The builder is the documentation.
BulwarX Workflow Builder — visual node canvas with connected task branches and failure paths
Outcomes

Results from pilot deployments

BulwarX was piloted with three enterprise security teams over a six-month period. Metrics were tracked across manual triage time, Routine adoption rate, and analyst satisfaction scores collected through structured usability sessions.

68%
Reduction in manual triage time across pilot deployments
14 min
Average time to create a new Routine, vs. 3+ hours for equivalent scripted automation
4.4 / 5
Usability score from SOC analysts in beta testing across all three pilot organizations
"This is the first automation tool I've used where I can actually read what a Routine does without asking the person who built it."
SOC Team Lead, pilot organization
Reflection

What I'd do differently

The hardest design problem on this project wasn't the workflow builder. It was designing for failure states. In most products, the error path is a secondary concern. In security automation, it's co-equal to the happy path. Every Routine we shipped had as much design thinking in its failure branches as in its core flow, and that was a mental shift I had to drive across the entire team.

If I were starting over, I would have introduced the side panel pattern earlier in the project. We went through two rounds of redesign on the Task editing experience before landing on the side panel, and both earlier versions broke the spatial context of the canvas in ways that analysts noticed immediately in testing. The insight was obvious in hindsight: people who spend hours in a workflow canvas develop a spatial memory for where things are. Breaking that context to edit a single node is a real cost.

The broader lesson: in tools designed for experts, respecting the user's mental model isn't a UX nicety. It's the product. Security analysts are professionals operating under pressure. Design that fights their instincts is design they'll route around.

Next up
UI/UX Playground
View Playground