Human Firewall · InfoSec Ventures
Evolving a legacy security platform into an AI-native risk intelligence system
Enterprise SaaS · Cybersecurity · AI-Assisted Design
Timeline
2024 to Q1 2026
Team
Product, Eng, CS
Role
Product Designer

01: The Starting Point
A 10-year-old platform. Functional, not empowering.
Human Firewall 2.0 had been running for nearly a decade. It allowed security teams to run simulations, assign training, and view risk scores. It worked, but it reflected the era it was built in.
Campaigns were historically executed. Analytics were static. Risk was displayed as a number. Workflows required frequent support involvement.
The system was functional. It wasn’t empowering. Modernizing without breaking trust became the real challenge.
HF 2: Legacy
- ✕Manual campaign creation
- ✕Static reporting
- ✕CS-dependent workflows
- ✕Risk as a number
HF 3: What Was Needed
- ✓AI-assisted creation
- ✓Behavioral intelligence
- ✓Self-serve confidence
- ✓Risk as a structure
02: The AI Shift
Retrofit vs. Rebuild
HF 2.0 was built in a pre-AI era. Campaign creation was manual, content required effort, reporting was static. Meanwhile, competitors were adopting AI-driven workflows.
We had two options:
Option A
Add AI to a 10-year-old system
Modernize the surface. Not the foundation.
Option B ✓
Build entirely new
Design around AI, not on top of it.
I used Gen AI tools (Cursor, Claude, ChatGPT) to rapidly explore flows and prototype campaign structures. AI accelerated exploration. Direction and constraints were always human-defined.
Working with Engineering
Engineering pushed to defer AI-assisted content creation to a later MVP: the LLM fine-tuning needed for realistic phishing templates and landing pages required time we didn't have. We treated base-level AI assistance as essential for launch: users had to feel that HF3 was doing the work from day one. The compromise: ship a pre-made library for MVP1 while building the AI creation flow in parallel. Building that library manually taught us exactly how our backend prompts needed to behave, so when AI creation shipped in MVP2, it was grounded in real content patterns, not guesswork.

03: Low Compromise ≠ Low Risk
Low compromise didn’t always mean low risk
In several campaigns, compromise appeared low, but open rates were low too. We weren’t measuring vulnerability. We were measuring non-engagement.
To improve measurement accuracy, we introduced:
- • Action-based delivery: emails triggered when users were active
- • Needle phishing: AI-personalized content for realism
Open rates increased. Compromise increased. Not because risk worsened, but because it became visible.

04: AI Could Launch. We Said No.
Sending a campaign to 10,000 employees is not a background action. It is an organizational event.
Automation
AI prepares
Authority
Admins approve
Automation reduces effort. Authority stays human.

05: Risk Score Redesign
A risk score without context is just anxiety
HF 2 showed risk as a number. But a number without explanation creates uncertainty. Admins couldn’t see why risk increased, which factor contributed most, or where to intervene.
What we tried before the radar
A weighted single number with hover to explain
The number got better. The trust did not. Admins still asked CS what it meant.
A long horizontal bar split by contributing factor
Technically accurate. Admins read it left to right and stopped at the first factor.
A radial gauge with severity zones
Looked decisive. But severity was the wrong frame. A user is not eighty percent risky. They are risky in a specific way.
The shift came when we stopped trying to summarize risk and started trying to describe it.
Behavior
Simulation response patterns
Training
Compliance & completion
Amplifier
Role sensitivity weight
Hierarchy breakdown
Not a score: a structure.

“Understanding our security posture used to be a closed conversation between us and the security team. With vCRO, every role can read it from their own view. The non security stakeholders finally understand where we stand.”
CISO, mid sized enterprise customer. Paraphrased from migration feedback.
06: Reporting Without Distortion
We chose not to soften truth, and not to dramatize it either.
No ranking of failures. No public exposure of compromised users.
Gamification rewarded positive behavior: reporting phishing, completing training, improving over time.
Failure stayed private. Improvement became visible.

07: Compromise → Micro-Learning
Compromise became intervention, not punishment
A transparent landing page explained the simulation and highlighted missed cues, followed by a single action: Start Training.
Flashcards became the core format. Each pack combined learning cards with quiz cards: short, interactive, immediate. No long LMS modules. No passive video fatigue.
Training strictness was configurable. Compliance modules remained non-skippable by default. Awareness modules allowed flexibility.



08: Building HF3 While HF2 Lived
Two systems. One customer base. Zero room for confusion.
HF 3 was not a replacement launched overnight. Migration had to feel justified, not forced.
“I don’t need to call CS for everything.”
From customer calls during the HF3 beta.
“I trust the system more.”
From customer calls during the HF3 beta.
HF 3 reduced dependency. It increased clarity. That difference, more than AI, drove adoption.
7 tabs, manual setup, CS-dependent

AI-assisted, self-serve, clean structure

09: Confidence Replaced Dependency
The shift wasn’t loud. It was behavioral
48 percent increase in admin engagement after the HF3 rollout.
Measured before and after across all 10 migrated clients.
The shift showed up across signals over the first six months of HF3, not in a single dashboard.
CS tickets that used to come in before every campaign launch dropped to a trickle. Campaigns that took days to schedule started going out the same day. Admins began discovering features without asking, the role sensitivity settings, the gamification controls, the training strictness toggles.
The numbers backed this up. Admin engagement went up 48 percent, measured before and after across all 10 migrated clients. Customer side report adoption rose 32 percent, measured via portal downloads across the same clients. And new feature and bug report escalations dropped roughly 20 percent on onboarded customers.
Admins stopped needing reassurance before pressing launch. The platform stopped feeling like a tool they operated carefully. It became a system they trusted.
“We trust the system enough to launch without help. That is the win.”
Security operations lead, enterprise customer. Paraphrased from migration feedback.
10: What This Project Changed in Me
I moved from designing interfaces to defining boundaries
- Where AI should act.
- Where humans must decide.
- How risk should be shown.
- How failure should be handled.
In the AI era, execution is accelerated. Judgment is not.
Clarity builds trust.
Trust creates autonomy.
Autonomy scales products.