Before AI Speaks

Designing how conversational AI can support effective threat defense in high-stakes environments.

My Role

Lead Product Designer

Timeline

Jan 2024 - Apr 2024 | MVP

Nov 2024 - Jan 2025 | General Availability

Platform

VMware NSX

VMware Security Services Platform

Security analysts operate in a constant stream of alerts. Each alert requires investigation. Analysts must triage across multiple products and make decisions that could impact entire systems. This process is fragmented. To understand a single threat, analysts must manually piece together signals across tools and reconstruct the story of an attack step by step.

This fragmented investigation process leads to hesitation: analysts either over-investigate or avoid taking action altogether.

To bridge the gap between receiving an alert and making effective decisions, I led the design of an intelligent assistant that empowers analysts to reduce investigation time and increase response confidence. This effort progressed from developing a minimum viable product (MVP) to releasing the product for general availability.

Introduction

The VMware vDefend product provides a suite of tools, including Malware Prevention, Network Detection & Response, and IDS/IPS, to help users investigate and respond to threats.

Three structural challenges may hinder users:

  • Siloed products:
    Threat monitoring features are spread across separate pages and/or consoles, each requiring its own workflow.

  • Constant context switching:
    Analysts jump between multiple interfaces to correlate alerts and implement the corresponding firewall policies to secure the systems.

  • High expertise required:
    Interpreting packet signatures and triaging alerts efficiently requires deep domain knowledge that often only seasoned security analysts have.

Challenge

A Fragmented Threat Defense Workflow

The threat triage workflow often begins with IDS/IPS, where the security analyst receives a detection as the initial signal of malicious activities.

From there, analysts may branch out to the NDR product to see whether this detection is part of a larger attack, and to Malware Prevention to see whether the malicious activity was executed or blocked.

The Ideal Investigation Workflow

While the IDS/IPS investigation workflow for Security Analysts seems linear, it is, in fact, full of back-and-forth.

Analysts constantly loop back and forth between steps, and the context of malicious activity is scattered. The highest cost of investigation in the software world is the cognitive load.

User Pain Points

  • High alert volumes:
    Users are bombarded with detections—many of which are low priority or false positives.

  • Lack of clarity:
    Signature-based alerts often lack sufficient context for analysts to assess severity.

Project Goal

The project goal is to help security analysts:

  • Move faster through complex alerts.

  • Reduce manual correlation work.

  • Make more confident decisions.

But before any of the above goals, as the first AI-assisted conversational feature in the ecosystem, we faced a more fundamental challenge:

“How should AI enter a workflow — and build trust — where users are already overwhelmed?”

Design Principles

Make AI Presence Explicit
Clearly signal when AI is available and when it is active, starting from onboarding.

Preserve User Agency at Every Step
Users remain in control of when and how AI is used. The assistant only presents information or knowledge and recommends solutions; it does not replace human judgment.

To integrate AI into the VMware ecosystem efficiently, the assistant will be activated through a Chrome Extension. This means that users have to move across three surfaces:

  • The Chrome Extension

  • The VMware vDefend product

  • The intelligent assistant chat interface

Design Challenge 01

How to introduce an AI assistant without disrupting existing workflows?

I designed a seamless, guided onboarding flow that connects these surfaces into a continuous experience — reducing the cognitive and operational friction of adopting a new AI tool.

Chrome Extension

  • Tested different width and height combinations to optimize readability

  • Designed with a clear hierarchy: one primary action per screen

Admin Dashboard

  • As a standalone activation link to onboard users, I explored how this external activation page could be

  • Applied our existing UI patterns to ensure consistency with vDefend, even if hosted outside

The IDS/IPS experience is structured around signatures and occurrences, while investigations are non-linear and context-driven. This creates a mismatch between how data is presented and how analysts actually think.

Design Challenge 02

How might we embed an AI assistant into a signature-driven IDS/IPS experience without disrupting analysts’ investigative workflow?

Decision:

I introduced contextual entry points at the detection and signature levels, allowing analysts to seamlessly transition into chat-based investigation while preserving their existing workflow structure.

Analysts spend most of their time manually correlating signals, interpreting occurrences, and deciding whether they have enough evidence to act—often with low confidence.

Design Challenge 03

How to effectively help analysts move from detections to confident decisions?

Decision:

The assistant highlights attack patterns, explains signals, and guides analysts toward the next steps. I designed the assistant so that users can drill down from a signature to an occurrence, reducing cognitive load and helping analysts reach confident decisions faster.

MVP Design

Wei, the security analyst at Acme Company, adopts the intelligent assistant to improve investigation clarity and efficiency.

Feature Activation

As the admin of the intelligent assistant, Wei installed the Chrome Extension and enabled the assistant for her organization.

Admin Activation

A team member, Brian, wants to activate the assistant on his device. Through the Chrome Extension, Brian activates the feature in the browser and submits an activation request. Wei approves access, enabling the assistant for both users.

User Activation

A new IDS/IPS alert has been triggered by the Acme Company monitoring system. Wei opens the intelligent assistant to begin analysis.

Alert Investigation

Wei notices a new alert detected in the system. Immediate investigation is required. Wei reviews the alert details and discovers that it is connected to a signature with multiple instances. Wei chooses a specific occurrence for further investigation.

From an alert detection to a deep dive with the intelligent assistant.

Through conversations with the assistant, the cause of the detection is explained, and the next step is recommended. Wei follows the assistant's suggestion to confirm and add a new firewall rule to strengthen system security.

The intelligent assistant suggests solutions for fixing issues.

Impact

  • Increased adoption of AI-assisted investigation across IDS/IPS workflows

  • Improved resolution rates by supporting clearer decision-making within each investigation

  • Established a new interaction model for AI-assisted workflows across the platform

This project established the first AI-assisted workflow within the VMware vDefend ecosystem—expanding from a single IDS/IPS use case into a cross-product capability.

By the end of 2024, the assistant was shipped to General Availability and presented at VMware Explore 2024.

Learnings & Challenges

Not just an interface, AI reshapes decision-making

We initially saw the assistant as an extra step in existing workflows. But along the way, we realized that adding AI would transform how analysts interpret information and make decisions.

Trust is built before the first interaction

Making the AI chatbot's presence clear, from onboarding to daily interactions, is essential for helping users understand how much control they have. Without that clarity, users won't trust the assistant enough to begin the interaction.

Structure matters more than intelligence

How the experience is structured matters more than assuming that AI responses alone will solve the users' problems. Through design, I learned to preserve the investigation hierarchy and ensure users never lose context during the conversation.