FIELD // KHUSHI SHAH

01 / Field Deployment · Security Operations

Spotlight Security

Deploying a usable security workflow
across fragmented customer environments.

Field conditions

IT and OT telemetry · three firewall ecosystems · inconsistent configuration formats · customer-specific baselines · security teams operating across consoles, tickets, and spreadsheets

“We don't need more alerts. We need to help people decide what was worth acting on, and what the next step needed to be.”

AGENTIC IT / OTDETECTION + REMEDIATIONCUSTOMER CONTEXT

Signals become useful when they arrive with enough context to guide a decision.

Follow the workflow ↓

The Situation

A distributed environment,
viewed through fragments.

Security and infrastructure teams were working across host-level telemetry, firewall configurations, vendor consoles, spreadsheets, tickets, and customer conversations. They could see pieces of the environment — but not always the full story.

The Questions People Needed Answered

Is this system configured insecurely?

Is this device behaving unusually right now?

Which finding deserves attention first?

What should happen next?

01

What the workflow looked like before

The issue was not a lack of data. It was the lack of a consistent path from scattered evidence to a trustworthy action.

01Firewall consoles
02Host-level tools
03Manual correlation
04Senior engineer context
05Ticket or remediation

A generic detection could look suspicious in one environment and be completely normal in another.

The Product Insight

A technically unusual signal
is not automatically useful.

It becomes useful when it is understood in the context of the customer, the system, and the decision someone needs to make next.

02

What we chose to build first

Rather than trying to ingest every data source and detect every possible issue, we centered the workflow around the signals customers repeatedly needed help acting on.

Host agents
Firewall configurations
Network context
NORMALIZE + DETECT
PRIORITIZED FINDING
ACTION + FOLLOW-THROUGH
CUSTOMER-SPECIFIC RELEVANCEMULTI-VENDOR NORMALIZATIONACTIONABLE CONTEXT
03

From signal to action

The product had to answer more than "something happened." It needed to make the what, why, urgency, and next step legible to the person responsible for remediation.

Spotlight dashboard showing incoming telemetry stream, issue identified, recommended action, and resolution

What This View Makes Possible

01

Find the signal

02

Understand why it matters

03

See the recommended action

04

Track resolution

04

What I built

01

Mapped the customer decision workflow

Defined what customers needed in a finding: asset, anomaly, context, and next step.

02

Normalized multi-vendor security data

Designed normalization layers across Palo Alto, Ubiquiti, SonicWall, and host telemetry.

03

Built context-aware detection logic

Built detection workflows that fused config findings with device and operational signals.

04

Connected deployment into the product

Connected OMNI deployment to the commercial product through sidecar agents, REST APIs, and FastAPI/PostgreSQL ingestion workflows.

05

Designed the remediation handoff

Structured findings as: what happened → why it matters → urgency → recommended action.

05

Proof, not decoration

The metrics are evidence of a workflow that made security work more usable.

What this taught the product: A finding was only valuable when it arrived with customer-specific context and a credible next action — not merely a severity label.

10,000+

events/day across IT and OT contexts

3

firewall ecosystems: Palo Alto, Ubiquiti, SonicWall

15+

recurring misconfiguration patterns

~60%

reduction in manual audit effort

06

Detection is only the beginning

The product decision was to move beyond "we found a problem" and create a clearer path through explanation, recommended action, and follow-through.

Side-by-side comparison: Legacy platforms show an alert with no context; Spotlight shows detection, fix, and explanation

The point was not only to surface an issue. It was to close the gap between detection and the work of remediation.

Customer Feedback

"I've never seen anything like it. For someone who's in these environments every day, you have no idea how useful these tools are."

Larry Hill — CEO, Hill Technical MSP

07

What I would improve next

I would validate which findings most often led to action, then use that behavior to improve prioritization, confidence signals, and remediation follow-through.

Feedback Loop

FindingdetectionHuman actionremediationOutcomeresolved?Prioritizationfeedback