Defender Experts is a managed security service that augments a customer's security operations center by adding trained Microsoft analysts to their environment. The service was doing real work — resolving incidents, hunting threats, reducing customer burden. But customers couldn't see it. There was no artifact that communicated what Microsoft was doing on their behalf or demonstrated the value of the service in terms leadership could act on.
The problem had a business dimension too. Without a clear way to communicate ROI, customers struggled to justify the service internally, and Microsoft struggled to retain them. The goal was to ship a reporting experience that answered the questions customers were actually asking.
Research identified three distinct stakeholders, each needing something different from the report. The Chief Information Security Officer needed strategic artifacts to share the state of security with leadership. The Security Operations Center Manager needed to communicate across both tactical and strategic forums. The SOC Analyst needed support in the field and opportunities to learn.
Mapping both workflows revealed the core design challenge: the analyst loop runs daily and hourly, generating incident reports that feed into the CISO loop, which runs monthly and quarterly. The report needed to serve both cadences and both audiences — tactical detail for the analyst, strategic overview for the CISO — while connecting the two into a coherent picture of service value.
Early explorations focused on placement and presence before diving into content. Three options were sketched: integrated as a card in the existing dashboard, a larger footprint with a dedicated section on the home page, or a fully standalone page with left navigation. The standalone approach won — it gave the report the space to answer the breadth of questions customers needed addressed without competing with other dashboard content.
Early screen designs went through several rounds of iteration. Annotated redlines called out specific problems in the existing report experience: wording that needed tightening, data that needed to be stratified by severity, missing context about response times, and charts that needed trended views rather than point-in-time snapshots. Each annotation was a design decision about what customers actually needed to understand.
The final report was structured to answer questions in sequence. An overview statement gave a high-level read of service health. A 30-day default window matched the CISO's need for a broad view. Incident breakdowns showed the behind-the-scenes analyst activity. Time-to-resolve data answered the ROI question directly. Impacted assets addressed tactical concerns for SOC Managers.
Future considerations identified at the time of handoff included increasing the number of data sources in the report, introducing ways to show volume and trend together in the same section view, exposing threat intelligence summaries of emerging threat actors, and using Copilot to generate summaries similar to the Software Delivery Manager's talking points — an early signal of where AI would take this kind of customer-facing reporting.