Cisco XDR AI Assistant

Closing the security skills gap through AI-assisted incident response

I designed the AI Assistant experience within Cisco XDR, giving security analysts at every experience level the speed, context, and confidence to respond to threats before they escalate.

AI Product Designer

Scope

Cisco XDR’s end-to-end incident response flow designed through cross-functional collaboration with Security Engineering, Research, and PM

Recognition

  • UX Design Awards nominee

  • GigaOm XDR Leader and Fast Mover 2024-25

About

In 2024, 3.5 million cybersecurity jobs sat unfilled globally. At the same time, 75% of security professionals said the current threat landscape was the hardest it had ever been to navigate.

What if this wasn't just a hiring problem, but also a design problem?

Security teams are full of analysts at different skill levels, all staring at the same high volume of alerts. The question: how do you design an AI experience that makes every analyst more capable, without replacing their judgment or breaking the workflows they already trust?

Most AI security tools surface more information faster, but the bottleneck for a SOC analyst isn't information; it's interpretation: knowing which alert is real, what to do next, and whether to trust a recommendation when the stakes are a live attack.

My framing: the AI Assistant's job was to act like a trusted senior colleague, one who could explain what was happening, recommend the next step with a reason attached, and adapt to whether the person asking had two years of experience or ten. The design challenge was building trust through transparency. Not just surfacing AI capability, but making the non-deterministic nature of AI responses legible enough that analysts could act on them with confidence.

Strategy

Process

Progressive disclosure at the right moment

When an incident fires, the analyst's first decision is whether it's real. I designed the confirmation flow so the AI presents a short summary first: what happened, when, and how, pulled from email, web, endpoint, and network signals, before revealing the full timeline. Enough to decide quickly. More detail available when needed.

Building trust through a familiar mental model

I grounded the response flow in the PICERL model (Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned), the incident response framework security teams are trained on. Aligning AI recommendations to phases analysts already know made the guidance feel credible, not arbitrary.

Flexibility and control across skill levels

Analysts needed to move freely between the AI conversation, the response flow, and the native XDR product, without losing context or being forced into a linear path. Senior analysts could skip steps and work conversationally. Junior analysts got the full guided flow with reasoning at each step. Same interface, two modes of engagement, determined by how the analyst chose to work.

Collaboration at incident speed

I designed the war room experience so analysts could spin up a Webex, Teams, or Slack channel directly from an active incident, with context already loaded. No copy-pasting, no switching tabs. The AI summarized messages and logged them to the incident worklog automatically for audit readiness.

Improvements

1. The first version of the response flow was linear: step 1, step 2, step 3. Senior analysts found it patronizing. Junior analysts needed exactly that structure. The pivot was designing for a range of expertise within the same interface, not two separate products. The mode of engagement was determined by how the analyst chose to interact, not by a profile setting.

2. The second pivot: analysts weren't asking "what should I do?" They were asking "why is this the right action, given what I know about this specific incident?" Recommendations needed reasoning attached, connecting each suggested action to the specific signals in the incident that justified it. We redesigned the recommendation surface to show the why inline.

Outcomes

1,000+ active customers have adopted Cisco XDR.

65% increase in analyst productivity: SOC teams saved up to 30 hours per week using XDR. That's not an efficiency metric. It's the difference between a team that's burning out and one that can stay proactive.

30% faster detection and remediation: 75% of respondents in a Pulse survey reported up to 30% faster response times.

At Cisco Live Amsterdam 2026, the agentic AI capabilities triaged 179 incidents autonomously, correctly dismissing 176 as false positives and surfacing three for analyst review. What would have taken a SOC analyst most of a week was reduced to reviewing three pre-analyzed reports.

Cisco XDR was named a Leader and Fast Mover in GigaOm's XDR Radar for both 2024 and 2025. The XDR experience was nominated for the UX Design Awards.

Reflections

The skills-gap framing and designing for analysts at every level was right. But we arrived at it through iteration rather than starting there. Early on, the experienced analyst was the assumed primary user, and our research sessions skewed toward senior SOC engineers who could articulate workflows fluently. The junior analysts we eventually designed for were harder to recruit for research and less likely to challenge a prototype. If I were starting again, I'd establish the full range of expertise as the primary design constraint from day one and structure research to deliberately weight the less-experienced users who are hardest to reach but whose needs most directly test whether the design is actually working. This research lesson is now something I coach junior designers on.

I also underestimated how much the PICERL framing would matter for stakeholder alignment, not just for the analysts. Grounding the design in a framework that security leadership already trusted made the design rationale legible to people who weren't in the room for the research. That's a lesson I now apply everywhere: choose a structural metaphor your stakeholders already believe in, and the design sells itself.


Cisco XDR is an eXtended Detection and Response (XDR) solution that simplifies SecOps workflows with detection and response capabilities across workloads, networks, devices, and more. The goal was an intuitive XDR tool that helps novice SecOps analysts minimize their time to detect and respond, so they can focus on the most critical incidents.
