
VulnTool
By introducing structured triaging, VulnTool transformed how Meta engineers and analysts prioritized vulnerabilities — cutting triage time by 75%, reducing average remediation time by 57.7%, and enabling detection of 171% more false positives. The tool doubled remediation impact and led to 105% more vulnerabilities resolved across Meta, improving accuracy, speed, and overall security coverage.
Role
Product Designer
Length
Ongoing ownership & iteration
Users
5,000 + Meta Employees
Responsibilities
- Product Design — Designing new internal tool from the ground up
- Problem Definition — Redefining the core challenge and solution space
- User Research — Identifying pain points and requirements; usability testing
- Design Systems — Building within Meta’s internal xDS framework

VulnTool Final Home Dashboard
The Problem
Meta’s infrastructure was increasingly exposed to vulnerabilities, putting sensitive data at risk.

The “EE Vuln Org Overview” Dashboard
The existing dashboard that displayed CVEs (Common Vulnerabilities and Exposures) gave leadership visibility, but did not support day-to-day remediation workflows.
Frontline teams lacked an effective system to investigate, prioritize, and fix vulnerabilities, resulting in:
- Delays in remediation
- Missed handoffs between teams
- Elevated security risk
The Legacy Vuln Remediation Task
Auto-remediation tasks were then generated to prompt engineering teams to fix vulnerabilities, but the process proved ineffective and often failed to drive timely action.
Scanner → Vuln/CVE Detected → Task Auto-Created → Attempted Fix → No clear tracking nor remediation confirmation
Pain Points

Inefficient Workflows
- Manual matching of CVEs to hostnames
- Googling for remediation steps due to lack of in-tool guidance
- Ambiguous task statuses, making it hard to know what’s done
- Multiple tasks for same vulnerabilities

Poor Tracking & Visibility
- No unified view of scanned assets and their associated CVEs
- No clear lifecycle statuses like “Fix Applied”
- No dashboards or charts to monitor vuln health or remediation trends

Limited Navigation & Usability
- No ability to sort, search, or group CVEs effectively
- No grouping logic (e.g., by shared solution or severity)

Auto vuln task before VulnTool
Scaling a Hackathon Idea into a Core Workflow
When I joined Meta, VulnTool’s MVP was already in production—engineer-built, lightly researched, and poorly designed. While it did streamline parts of the legacy workflow, the team had jumped to solutions without fully validating the problem, leaving significant gaps for me to address.

Original VulnTool Homepage

Original Vulns Solution Grouping View (Where task linked to)
The VulnTool MVP "Improved" Remediation Workflow

1. VulnTool Scanner Runs
Auto-creates remediation tasks for engineers

2. Engineer Opens VulnTool
Views recommended fix and affected hosts

3. Follows Remediation Instructions
Applies patch to affected host(s)

4. Marks Fix as Applied
Grouped vulns auto-marked if sharing same solution

5. Clicks “Rescan” to Confirm
Scanner auto-closes task if resolved, or reopens if still active
VulnTool Users

Engineers
Remediates vulnerabilities after receiving a task

Team Managers
Monitors their infrastructure & their engineers’ productivity

Security Analysts
Identifies high priority vulnerabilities and coordinates remediation

Leadership
Tracks fleet wide vulnerability insights
Early Challenges
Ambiguity & Velocity

Inherited a Hackathon MVP
The tool originated from a hackathon without UX input or research. When I joined, there was no clear product strategy and a lot of ambiguity. I had to navigate carefully—respecting the original vision while introducing structure and user-centered thinking.

Learning While Building
Still ramping up on Meta’s complex infra and security workflows. Initially trusted engineering assumptions without questioning enough.

Fast Timelines, Limited Resources
The eng lead was under pressure to ship quickly. I wasn’t given time to pause and fully reframe the problem space.

Design + Research in Tandem
Despite constraints, I conducted lean research (charrettes, interviews, usability tests) while designing — to keep progress moving without blocking eng.
Early UX Work

Usability Testing

Ideation Session

Heuristic Evaluation

User Journey
First Iteration
Vulns Table

MVP Problems & Solutions
- Unclear Next Steps: The interface lacked a clear call to action, leaving users uncertain about what to do.
  - Solution: Linked task tool directly to vulns tab with more information.
- No Actionable Items: The vulnerabilities page didn’t allow users to take action.
  - Solution: Added multi-select and an actions bar.
- Mixed States: Active and remediated vulnerabilities were shown together, causing confusion.
  - Solution: Created separate pages for active vs. remediated vulns, with banners to cross-reference counts.
- Too Many Clicks: Filtering required excessive steps, slowing down workflows.
  - Solution: Added clickable filters for vuln statuses.
- Poor Layout & Visual Hierarchy: Limited viewport space and cluttered navigation hindered focus.
  - Solution: Adopted internal design system standards, collapsed nav by default, moved charts to a separate page, and added “See More” for long solution/proof lists.
- False Positives & Anxiety: Users struggled to confirm remediation due to insufficient details.
  - Solution: Displayed last scan date with “last seen” date to flag potential false positives and track rescans.
Vuln Grouping Challenge & Constraint
- The Problem
  - Vulnerabilities were usually fixed in groups (e.g., OS tiers, apps, clusters) rather than individually.
  - The UI didn’t support grouping by vulnerability type or CVE.
  - With limited engineering bandwidth, I needed lightweight solutions to bridge the gap.
- Solutions
  1. Entity Groups Column – Added a table column where users could select a category (e.g., OS tier) and filter the table by specific group instances.
  2. Active CVEs Widget – Introduced a homepage & widget with quick links to filter the vulnerabilities table by CVE in a new tab.

Entity Group Column

Dashboard with CVE Grouping Widget
Stagnant User Satisfaction...
Despite major improvements, the push to ship fast meant we prioritized quick fixes over re-examining the problem space. User satisfaction stalled—and I knew the approach had to change.

"How can we disable auto-task creation for Vulns? The auto task creation is simply adding additional noise."
"This is not the first time I've wasted hours of my life because you are not using information that you could easily collect."
"How can I group by CVEs and the host it affects? I would rather fix a CVE that goes to every host (that I care about) than fixing CVEs by host."
A Push For Change
I advocated for a large-scale qualitative research study to rethink the tool from the ground up, starting with the core problems.
The engineering project lead was initially protective of his MVP vision, but by emphasizing the importance of UX research and its value to both users and stakeholders, I was able to gain full buy-in.
Research Plan
Goals
- Understand why users were dissatisfied with the current VulnTool experience
- Identify needs across key personas, teams, and platforms
- Uncover the ideal remediation workflow to reduce errors and speed resolution
- Define an optimized information architecture for clarity and ease of use
- Use insights to shape the roadmap and prioritize high-impact improvements
Who
18 participants, mix of teams and personas
What
1:1 60 min interviews
When
3 Months (Oct-Dec)
How
Remote Sessions through VC

Single Interview Synthesis (3 of 10 pages)

Research Affinity Board
Research Results

Reliability
Nexpose Vuln Data
Very generic. Doesn’t consider FB or OS specific steps.
“The Nexpose solution is pointless at best and probably harmful because the manually installed package would not get any further updates.”
False & Unknown Vulns
The tool can’t identify backports & has too many false/unknown CVSS vulns.
“95% of frustration dealing with backports & manually marking false positive.”
Task/Vuln Tool Relationship
It’s difficult to monitor remediation success via tasks due to poor data & complex patch schedules.
“I waste a lot of time when tasks don’t automatically close due to overlaps & gaps in scan cycles of general scanner vs when OS auto-patches.”

Discoverability
Solution Grouping Hides CVE Info
The VulnTool link from the task tool hides vuln info & doesn’t communicate the highest priority ones.
“I don’t like the solution view. I want to view the highest CVSS & which hosts the vuln affects. I don’t see the information I need here.”
Active Vulns Table too Broad
The active vulns view has too many statuses that don’t reflect the true lifecycle of a vuln.
“I want to auto focus on vulns that need attention & in progress, rather than manually filtering out all the false positives.”
Scattered Metadata
Vuln data to make decisions and act on them is indirect & dispersed all over the views/task.
“The task itself doesn’t provide any helpful info. It just says you have this vulnerability.”

Simplicity
Absent Vuln Timeline
There is no aggregated single vuln history that includes vuln published date, status changes, & scanner updates.
“The last scan date is misleading, because it makes it seem like physical host was scanned but it is actually a nexpose run date.”
Labeling of Vulns
Application versus OS issues (and the OS type) aren’t communicated in the tool.
“Engineers attack vulns by OS type & applications. It makes sense to split up by them like that.”
Notifications & Noise
Unimportant vuln tasks and misleading critical CVE references from auto tasks create distress & waste time.
“I am alarmed by the number of active vulns in home dashboard. In reality only a few are validated & in progress.”

Flexibility
Ownership of Entity Groups
Tasks and CVEs are matched to single hostnames that often are not assigned to the right person.
“Tasks are made on oncall rotations; it doesn’t consider vulns that need to be attacked on upstream dependencies.”
Overrides
There is no way to insert or override the correct versions and workarounds in the tool.
“I want to override solutions in bulk to easily communicate proper remediation steps to my team.”
Custom Columns & Saved Searches
The tool needs to be flexible to accommodate different types of users & edge cases.
“It’s too many clicks & filters to find the info I need to see. I want columns for the metadata in the extra vuln and host info.”
Ideation
Short Term - Quick Wins
- Launch Triaging View so analysts validate vulnerabilities before assignment
- Reduce noise by filtering false positives at the triage stage
- Improve ownership accuracy (assign vulns to the right person/team)
- Provide basic vuln lifecycle metadata in one place (status, published date, scan updates)
- Add bulk overrides for known false/duplicate vulns
Mid Term – Next Phase
- Redesign the Active Vulns Table to reflect the true lifecycle of vulnerabilities
- Group & prioritize by CVSS score and business impact (not scanner buckets)
- Improve metadata discoverability (centralize scattered vuln info)
- Add customizable columns & saved searches for different user roles (engineers vs. analysts)
- Clarify task/vuln relationship so remediation progress is trackable
Long Term – Future Vision
- Use AI-assisted triage to suggest ownership and validate severity
- Auto-detect sensitive systems / upstream dependencies and recommend fixes
- Provide predictive remediation timelines (ETA to resolution)
- Fully automate handoffs and notifications across security + engineering teams
- Standardize vuln policy across tools and environments (OS vs. application consistency)
Biggest Short Term Impact
Triaging View
Through research with Meta’s Production team, I learned they rely on triage workflows—where a security analyst reviews vulnerabilities before sending them to the right team.
Triaging means validating an issue first, then assigning clear ownership. This helps:
- Focus only on real vulnerabilities
- Improve accuracy of ownership and systems affected
- Cut noise from false positives
- Reduce dependence on flawed auto-remediation
- Support decision-making at scale isolation

The Production Manual Triage Decision Table
After I presented this idea during the ideation session, the team aligned on building a triaging view in VulnTool—the biggest short-term impact to group, prioritize, and track vulns more effectively.
Triaging Workflow Diagram

Triaging Designs
The final triage designs were shaped through collaborative input, rapid validation, and iterative sessions with analysts and engineers, even though I wasn’t able to fully document the evolution before leaving Meta.
Key Challenges
- Sub Groupings: The triage view grouped vulns by CVE since it was the most common method, but each CVE could include multiple entity types—some of which didn’t require triage.
- Engineering Bandwidth: We lacked the resources and time to build dynamic, multi-level vuln selection across entity types. This was deferred to the next phase, when the vulns table would be redesigned.
Triage View Default

- Grouping Multiple CVEs
  - Bulk triage options in the left-side CVE list, paired with detailed info on the right, enabled analysts to make triage decisions across multiple CVEs at scale.
- Saved Searches
  - Search queries persisted when switching between the vuln table and CVE view, letting users quickly return to affected CVEs and related vulns.
- CVE Info Icon
  - Hovering over the left-side info icon revealed full CVE details, avoiding the heavy load time of opening the full CVE panel.
- CVSS Rankings
  - Multiple sources for CVSS scores and vectors were included in the right panel, with indicators showing whether a score was original or adjusted.
- Tabs & Sidebar
  - Each CVE included tabs for individual vulns and tasks, giving users a quick at-a-glance view without returning to the vuln table.
  - An additional sidebar showed affected entity groups, since users wanted visibility into groups while making triage decisions.
- Null State
  - When no triage existed for a CVE, the right panel displayed a null state with an illustration to clearly indicate that no triage was available.
Triaging State

- Flexible CVSS Scores
  - Allowed analysts to rescore each CVE via its vector, with clear indicators showing whether a score was original or adjusted throughout the UI.
- Meta-Specific Remediation Info
  - Triage entries could now include tailored remediation steps (solutions, impacted versions, URLs, notes, and tags), giving engineers Meta-specific guidance instead of relying on generic Nexpose solutions.
- Only Show Selected
  - Added a checkbox to filter the dropdown and display only chosen entity groups, making it easier to review selections before creating a triage.
- Triage Subset Icon
  - When a CVE was triaged by an entity group subset, an icon appeared in the left-side CVE list to indicate multiple triages existed and some CVEs might still be untriaged.
- Entity Groups Workaround
  - Analysts often triaged only subsets of affected vulns by entity group, but multi-level groupings weren’t available and we could only group vulns in this view by CVE.
  - Solution: We added a Triage Subset dropdown, enabling analysts to target specific entity groups and leave out the rest—allowing multiple triages per CVE.
Remediation Task Creation

- Triage Cards
  - Once a triage was created, the right-side null state was replaced with a triage card dropdown—collapsed by default so multiple triages could fit in the viewport, with the option to expand for full details (shown expanded above).
- Task Creation
  - Analysts could click “Create Task” to open a modal where they assigned the correct owner/team and selected either a corp or prod task template to align with Meta standards.
Triaging Impact
Remediated 105% more vuln issues
From 117,905 remediated vuln issues in H2 to 242,476 remediated vuln issues in H1.
Reduced the average remediation time by 57.7%
Average remediation dropped from 45 days to 19 days after introducing triage workflows.
171% More False Positives Detected
Security analysts identified and flagged ~38,000 false positives per half-year compared to ~14,000 before triage improvements.
Median time to triage vulns decreased by 75%
Median triage time dropped from 12 days to 3 days, accelerating prioritization and resolution.

Phase 2: Dynamic Vuln Groupings
The Problem
The vuln table lacked dynamic groupings, and the MVP triage flow only allowed users to triage by CVE and then manually subtract unneeded entity groups—creating an unnecessary two-step process. In the separate vulns table, triages couldn’t even be initiated, leaving analysts stuck with endless scrolling, tab switching, duplicate effort, and a slow, frustrating workflow.
The Solution
We planned a redesign of the vulns table to support group-level triage, tracking, and visibility. Vulnerabilities could be grouped by entity type or CVE—whether application or OS issues—with multi-level groupings. This would enable analysts to act on clusters of related issues in a single workflow, cutting down scrolling, simplifying decisions, and eliminating repetitive steps.
User Journeys

Ideation Session

A/B Testing
Option 1

Table-Level Multi-Groupings: Multi-level grouping built directly into the vuln table, with a slide-in right panel for detailed results
CSAT 4.4 / 5
Better than Current UI 4.8 / 5
Option 2

Card-Based Navigation: Layered cards with breadcrumb navigation to move through groupings step by step.
CSAT 4.4 / 5
Better than Current UI 4.8 / 5
Outcome
Option 1 showed a slight lead, but results weren’t conclusive. We moved forward with a dual-panel table view, incorporating UX improvements informed by feedback from both options.
Final Dynamic Grouping Designs
Vulns Table Default

A/B Testing Insights & Solutions
- Cluttered Metrics: Wireframes displayed too many metrics, taking up space and reducing the number of vulns visible in the viewport.
  - Solution: Optimized metrics based on user feedback and added a toggle to show or hide them.
- Grouping Navigation: Users preferred having first-level groupings available in tabs for quick switching (fewer clicks than a selector).
  - Solution: Retained the tabs concept from Option 2, but moved them to the left side instead of the top to maximize viewport space.
- Hidden Environment Filter: The environment filter icon was ambiguous, and the design lacked a clear system status indicator.
  - Solution: Replaced the icon with a labeled dropdown for clarity and added visible system status by default.
- Busy UI: Overall layout felt overwhelming and hard to digest.
  - Solution: Centralized all filters into a single unified filter panel.
- Ambiguous Vuln Counts: The vuln count token wasn’t clear, and users wanted to see whether counts were increasing or decreasing.
  - Solution: Clarified the column header, added arrows, and used color coding (red/green) to indicate trends.
- Missing Metadata: Analysts lacked relevant context in the vuln table.
  - Solution: Added Trend Ranking, Number of Owners columns, and a 100 scale severity score.
-
Vulns Table Grouped

A/B Testing Insights & Solutions
- Complex Navigation: Users found breadcrumb views for multi-level groupings required too many clicks.
  - Solution: Adopted a tree table with selector access, reducing navigation steps.
- Grouping Order: Users preferred seeing CVEs listed under their parent grouping for clarity.
  - Solution: Reordered the tree table so parent groups appear at the top, with CVEs nested beneath.
-
Save Search Modal

Development on these views began just as I was leaving the company, so I don’t have impact metrics. However, the designs were very well received by both stakeholders and users, and there was strong excitement to adopt the new UI.
