01 / Field Deployment · Security Operations
Spotlight Security
Deploying a usable security workflow
across fragmented customer environments.
Field conditions
IT and OT telemetry · three firewall ecosystems · inconsistent configuration formats · customer-specific baselines · security teams operating across consoles, tickets, and spreadsheets
“We don't need more alerts. We need to help people decide what was worth acting on, and what the next step needed to be.”
Follow the workflow ↓
A distributed environment,
viewed through fragments.
Security and infrastructure teams were working across host-level telemetry, firewall configurations, vendor consoles, spreadsheets, tickets, and customer conversations. They could see pieces of the environment — but not always the full story.
The Questions People Needed Answered
Is this system configured insecurely?
Is this device behaving unusually right now?
Which finding deserves attention first?
What should happen next?
What the workflow looked like before
The issue was not a lack of data. It was the lack of a consistent path from scattered evidence to a trustworthy action.
A generic detection could look suspicious in one environment and be completely normal in another.
The Product Insight
A technically unusual signal
is not automatically useful.
It becomes useful when it is understood in the context of the customer, the system, and the decision someone needs to make next.
What we chose to build first
Rather than trying to ingest every data source and detect every possible issue, we centered the workflow around the signals customers repeatedly needed help acting on.
From signal to action
The product had to answer more than "something happened." It needed to make the what, why, urgency, and next step legible to the person responsible for remediation.

What This View Makes Possible
Find the signal
Understand why it matters
See the recommended action
Track resolution
What I built
Mapped the customer decision workflow
Defined what customers needed in a finding: asset, anomaly, context, and next step.
Normalized multi-vendor security data
Designed normalization layers across Palo Alto, Ubiquiti, SonicWall, and host telemetry.
Built context-aware detection logic
Built detection workflows that fused config findings with device and operational signals.
Connected deployment into the product
Connected OMNI deployment to the commercial product through sidecar agents, REST APIs, and FastAPI/PostgreSQL ingestion workflows.
Designed the remediation handoff
Structured findings as: what happened → why it matters → urgency → recommended action.
Proof, not decoration
The metrics are evidence of a workflow that made security work more usable.
What this taught the product: A finding was only valuable when it arrived with customer-specific context and a credible next action — not merely a severity label.
10,000+
events/day across IT and OT contexts
3
firewall ecosystems: Palo Alto, Ubiquiti, SonicWall
15+
recurring misconfiguration patterns
~60%
reduction in manual audit effort
Detection is only the beginning
The product decision was to move beyond "we found a problem" and create a clearer path through explanation, recommended action, and follow-through.

The point was not only to surface an issue. It was to close the gap between detection and the work of remediation.
Customer Feedback
"I've never seen anything like it. For someone who's in these environments every day, you have no idea how useful these tools are."
Larry Hill — CEO, Hill Technical MSP
What I would improve next
I would validate which findings most often led to action, then use that behavior to improve prioritization, confidence signals, and remediation follow-through.
Feedback Loop