Rubrik — Redesigning Anomaly Detection for 40% faster investigations
Rubrik helps businesses back up and quickly recover data if it is ever lost or hacked. The Anomaly Detection feature flags unusual activity in enterprise data and alerts users. I was responsible for redesigning this feature to make it more efficient.
Impact
Reduced task completion time by 40% and the number of clicks by 33%

Anomaly Detection is a security monitoring feature that helps users identify and investigate potential ransomware attacks.
Rubrik is a B2B cybersecurity company that helps enterprises protect and recover their critical data. Attackers typically threaten these enterprises with ransomware, which means encrypting essential files and demanding payment to unlock them. Anomaly Detection alerts security teams to unusual activity that may indicate ransomware attacks, so they can investigate and recover data quickly.
How Anomaly Detection looked before versus how it looks now
Detail Page
Before: key information was missing, making investigations slow and confusing.
After: users can now investigate with sufficient information in an intuitive order, faster and sleeker.
Listing Page
Before: users couldn't easily compare or connect related anomaly alerts.
After: users can now view related alerts in groups and compare them without opening multiple tabs.
-33% number of clicks
-40% time on task
+20% customer satisfaction rate
Security analysts who must quickly decide whether an alert is a real attack
Core goal: responsible for securing company data (PII, client data, transaction data)
Workflow:
They need to review a long list of anomaly alerts.
They must determine whether the alerts are real attacks.

Users struggled with inefficient investigation workflows
After launch, key metrics showed low satisfaction and long investigation times. I reviewed existing research and spoke with PMs, UX researchers, and sales engineers to understand how investigations actually happen in practice.
When investigating multiple anomalies, users couldn't easily identify related anomalies or compare them.
When investigating a single anomaly, users lacked enough context to understand it.
Reviewing many anomaly alerts to find related attacks
Users couldn’t easily identify related anomalies or compare them
In the old design, anomalies were listed in a flat table. Even when multiple alerts were part of the same attack, they appeared disconnected. To compare alerts, users had to open multiple tabs, remember details across pages, and manually piece together patterns.
Add “Group By” to help users find relevant anomalies
I introduced a “Group By” option to help users quickly spot related anomalies. After aligning with PMs and sales engineers, we chose Location and Recovery Plan because attacks often occur and spread at these levels, making them meaningful grouping dimensions.
Exploring different ways to help users compare anomalies and find patterns
Concept A: An accordion that expands to show a table of key comparison metrics
Concept B: An interactive diagram that visualizes groupings
4/5 users prefer Concept A because it streamlines comparison, while Concept B requires opening each card to remember details
In user testing (n=5), users mentioned that Concept B's design caused back-and-forth, because they had to open each card to see its details. Concept A was more efficient, streamlining comparisons by placing the key metrics directly in the expanded accordion.
✓ Accordion card color-coded by group severity
✓ Surface condensed key comparison metrics from the detail page
✓ Reduce navigation to a new page
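The grouping logic behind the listing page, as an added illustration that is not Rubrik's code: constructed alerts are grouped by Location or Recovery Plan, each group takes the severity of its worst alert (for the color-coded accordion header) and carries the condensed comparison metrics that would otherwise require opening each detail page. Field names, severity levels and the sample data are assumptions.

```python
from collections import defaultdict
from datetime import date

# Severity ranking used to color-code a group by its worst member (assumed levels).
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample alerts; field names are assumptions, not Rubrik's schema.
ALERTS = [
    {"id": "a-1", "location": "dc-east", "recovery_plan": "erp-prod", "severity": "high",
     "files_modified": 1200, "files_encrypted": 800, "detected": date(2024, 5, 1)},
    {"id": "a-2", "location": "dc-east", "recovery_plan": "erp-prod", "severity": "critical",
     "files_modified": 5400, "files_encrypted": 5100, "detected": date(2024, 5, 2)},
    {"id": "a-3", "location": "dc-east", "recovery_plan": "hr-prod", "severity": "low",
     "files_modified": 40, "files_encrypted": 0, "detected": date(2024, 5, 2)},
    {"id": "a-4", "location": "dc-west", "recovery_plan": "erp-prod", "severity": "medium",
     "files_modified": 300, "files_encrypted": 20, "detected": date(2024, 4, 30)},
    {"id": "a-5", "location": "dc-west", "recovery_plan": "analytics", "severity": "low",
     "files_modified": 15, "files_encrypted": 0, "detected": date(2024, 5, 1)},
]


def group_alerts(alerts, key):
    """Group alerts by `key` ("location" or "recovery_plan") and condense each group
    into the metrics an analyst compares: worst severity, counts, totals, last seen."""
    groups = defaultdict(list)
    for alert in alerts:
        groups[alert[key]].append(alert)
    summaries = {}
    for name, members in groups.items():
        worst = max(members, key=lambda a: SEVERITY_RANK[a["severity"]])
        summaries[name] = {
            "severity": worst["severity"],
            "alert_count": len(members),
            "files_modified": sum(a["files_modified"] for a in members),
            "files_encrypted": sum(a["files_encrypted"] for a in members),
            "latest_detection": max(a["detected"] for a in members),
            "alert_ids": sorted(a["id"] for a in members),
        }
    return summaries


def ranked_groups(alerts, key):
    """Order groups worst-first: severity, then encrypted files, then modified files,
    so the most urgent accordion card sits at the top of the listing page."""
    summaries = group_alerts(alerts, key)
    return sorted(summaries.items(), key=lambda kv: (-SEVERITY_RANK[kv[1]["severity"]],
                                                     -kv[1]["files_encrypted"],
                                                     -kv[1]["files_modified"]))
```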
Missing accordion in the design system
Engineering flagged that an accordion component didn’t exist in the design system, and building a one-off solution would increase cost and risk.
Aligning with engineering and the design system team on a phased solution
To meet the timeline, I worked with engineers and the design system team to break the solution into two phases. This allowed us to ship a usable experience immediately while preparing for a more scalable design system component.
Milestone 1
Clicking a card opens a separate detail page
Milestone 2
Introduce a full accordion once the design system supports it
Users lacked enough context to understand an anomaly
Users struggled to understand the anomaly based on the info provided
When investigating a single anomaly, users struggled to understand what actually happened and why Rubrik sent the alert. There was a gap between the information users needed and the information displayed.
Old design
User needs
Explore the layout first
I explored multiple layout options to balance clarity, interaction cost, and engineering effort.
Option 1: left side facts + right side actions
Pros
✓ The left side presents facts, while the right side offers actions.
✓ Good for wide data like timelines.
Cons
✗ Text is difficult to read if the screen is very wide.
✗ Requires more scrolling.

Option 2: select a sidebar item to view its details
Pros
✓ Focus on one specific aspect.
Cons
✗ Needs a lot of clicks to switch tabs.
✗ Out of sight, out of mind.

Option 3: two columns to provide key info at a glance
Pros
✓ Accommodates both text and charts.
✓ Low engineering effort.
Cons
✗ Certain content sections might become excessively long.

Determine what information to include and how to present it in each widget
To understand what our target users think of each widget, I consolidated existing research and collaborated with 3 sales engineers to validate the information users expect to see.
Add “Recent Suspicious File”
Our research found that users struggle to map the entire story of an attack. To address this, I introduced an "Activity" diagram that lets users quickly visualize the story and identify patterns of spikes.

Add “Activity” to show file change spikes
Users needed to understand how an attack evolved over time, not just static numbers. I chose chart option 3 to highlight file change spikes and make attack patterns easier to recognize.
Chart option 1
✓ Clearly compares different metrics for a single day
✗ Hard to track one metric's progress across multiple days

Chart option 2
✓ Communicates the severity of an issue against a "Normal" baseline
✗ Lacks context; users can't tell if a high number is from a sudden spike or a gradual increase

Chart option 3
✓ Best for visualizing trends
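The distinction the Activity chart is meant to make visible, as an added example that is not Rubrik's detection logic: each day's file change count is compared with a rolling "Normal" baseline (the median of the preceding days, so one outlier day does not drag the baseline up), and days above the baseline are labelled as a sudden spike or a gradual increase depending on whether the previous day was already elevated. The thresholds and the daily counts are constructed for illustration.

```python
from statistics import median


def classify_activity(counts, window=7, spike_factor=3.0, ramp_factor=1.5):
    """Label each day's file change count relative to a rolling baseline.

    counts: daily file change counts, oldest first (constructed sample below).
    window: number of preceding days used for the "Normal" baseline.
    spike_factor: count/baseline ratio at which a day counts as a spike.
    ramp_factor: ratio above which a day is considered elevated (used to tell a
                 sudden spike from a gradual ramp-up).
    """
    results = []
    for i, value in enumerate(counts):
        history = counts[max(0, i - window):i]
        if len(history) < 3:
            # Not enough history to claim a baseline yet.
            results.append({"day": i, "count": value, "baseline": None, "label": "warming-up"})
            continue
        baseline = float(median(history)) or 1.0   # median resists a single outlier day
        ratio = value / baseline
        prev_ratio = counts[i - 1] / baseline
        if ratio >= spike_factor:
            # Well above normal: was yesterday still normal (sudden) or already high (gradual)?
            label = "sudden spike" if prev_ratio < ramp_factor else "gradual increase"
        elif ratio >= ramp_factor:
            label = "elevated"
        else:
            label = "normal"
        results.append({"day": i, "count": value, "baseline": baseline, "label": label})
    return results


def spike_days(counts, **kwargs):
    """Return the day indices an analyst should look at first, with their labels."""
    return [(r["day"], r["label"]) for r in classify_activity(counts, **kwargs)
            if r["label"] in ("sudden spike", "gradual increase")]


# Constructed daily file change counts: a flat week, one abrupt spike, then a ramp-up.
SAMPLE_COUNTS = [100, 110, 95, 105, 120, 100, 115, 900, 110, 140, 220, 380, 700]
```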
With the redesigned experience, users can access enough context directly from the detail page to make faster decisions
User testing to quickly validate the new design
Participants
Security Analysts (n = 5) — provided by the Product Manager and Sales Engineers
Familiar with basic cloud security concepts (S3, IAM, Ransomware)
Daily work involves handling anomaly alerts
Method
Each participant completed two sets of identical tasks (one set in the current platform, one set in the new prototype)
Results

-33%
Number of clicks

-40%
Time on task
Navigating ambiguity with proactive assumptions
I learned the importance of making informed assumptions and collaborated closely with PMs and engineers. Sales engineers were an invaluable resource, especially when we had limited access to users.
Understand the product before designing
As someone new to cybersecurity, I found it helpful to create a customized Gemini Gem to consolidate documentation and demos, and to ask questions. Design reviews were also a valuable opportunity to understand my colleagues' work.