Product Design Concept

PRISM

Decomposing threats. Composing clarity.

A unified threat investigation platform designed around the MITRE ATT&CK framework — from detection to response.

Role: Staff-Level Concept

Framework: MITRE ATT&CK

Focus: SOC Workflow

Severity Levels: 5-Tier System

01. Overview

Why another security tool?

SOC analysts deal with thousands of alerts daily. Most are noise. The real threats — coordinated attack chains spanning phishing, credential theft, and lateral movement — get buried. PRISM reimagines threat investigation as a continuous, connected workflow. Instead of jumping between siloed tools, analysts see the full attack narrative mapped to MITRE ATT&CK, and respond from a single surface.

02. Problem

Three systemic failures in SOC workflows

Alert Fatigue

Analysts drown in isolated alerts with no context. The signal-to-noise ratio makes it nearly impossible to identify coordinated attacks.

Tool Fragmentation

Detection, investigation, and response live in separate products. Context is lost at every handoff.

No Attack Narrative

Individual signals don't connect into a coherent story. Analysts must manually reconstruct attack chains across disconnected data.

03. Approach

Design principles

1. End-to-end workflow

Map the full analyst journey: detect → investigate → respond. One surface, zero tool-switching.

2. MITRE ATT&CK as structure

Not just labels — the organizing principle for how information is layered, connected, and color-coded.

3. Progressive disclosure

Surface the right depth at the right moment. Dashboard → timeline → actions → summary.
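The principles above describe connecting fragmented signals into an ATT&CK-mapped attack narrative and assigning a severity tier. The following Python example is added here to show what that correlation step looks like in code; it is not part of the PRISM concept or any product code. The alerts are constructed sample data, the pivot-on-user grouping and the five tier names are assumptions (the page names a 5-tier system but not its tiers), and the tactic names and technique IDs are real ATT&CK Enterprise identifiers.

```python
from collections import defaultdict

# ATT&CK Enterprise tactics in the left-to-right order of the matrix; a chain
# whose tactics advance along this order reads as a coherent kill chain.
TACTIC_ORDER = [
    "initial-access", "execution", "persistence", "privilege-escalation",
    "defense-evasion", "credential-access", "discovery", "lateral-movement",
    "collection", "command-and-control", "exfiltration", "impact",
]
TACTIC_RANK = {t: i for i, t in enumerate(TACTIC_ORDER)}

# Hypothetical five-tier severity scale (assumed; the page does not name tiers).
SEVERITY_TIERS = ["informational", "low", "medium", "high", "critical"]

# Constructed sample alerts in the shape a SIEM might emit: each carries the
# entity it concerns plus the ATT&CK technique and tactic it was detected under.
SAMPLE_ALERTS = [
    {"id": "a1", "ts": 1, "user": "jdoe", "host": "ws-17",
     "technique": "T1566", "tactic": "initial-access", "title": "Phishing attachment opened"},
    {"id": "a2", "ts": 2, "user": "jdoe", "host": "ws-17",
     "technique": "T1003", "tactic": "credential-access", "title": "LSASS memory access"},
    {"id": "a3", "ts": 3, "user": "jdoe", "host": "srv-db01",
     "technique": "T1021", "tactic": "lateral-movement", "title": "Remote service logon"},
    {"id": "a4", "ts": 4, "user": "svc-backup", "host": "srv-fs02",
     "technique": "T1082", "tactic": "discovery", "title": "System info discovery"},
]


def severity_for(tactics):
    """Hypothetical tiering: more distinct kill-chain stages raise the tier, and
    any chain that has reached lateral movement or later is bumped one tier."""
    idx = min(len(set(tactics)), 4)          # 1 tactic -> "low", 4+ -> "critical"
    if any(TACTIC_RANK[t] >= TACTIC_RANK["lateral-movement"] for t in tactics):
        idx = min(idx + 1, 4)
    return SEVERITY_TIERS[idx]


def build_attack_chains(alerts, pivot="user"):
    """Group alerts by a pivot entity (assumed: user), order them in time, and
    return one narrative per entity with its ATT&CK tactics and severity."""
    groups = defaultdict(list)
    for alert in alerts:
        groups[alert[pivot]].append(alert)

    chains = {}
    for entity, group in groups.items():
        group.sort(key=lambda a: a["ts"])
        tactics = [a["tactic"] for a in group]
        ranks = [TACTIC_RANK[t] for t in tactics]
        chains[entity] = {
            "alert_ids": [a["id"] for a in group],
            "techniques": [a["technique"] for a in group],
            "tactics": tactics,
            "hosts": sorted({a["host"] for a in group}),
            # True when the sequence only moves forward along the kill chain.
            "kill_chain_consistent": all(x <= y for x, y in zip(ranks, ranks[1:])),
            "severity": severity_for(tactics),
        }
    return chains


def narrative(chain):
    """Render a chain as the single-line story an analyst would read first."""
    return " -> ".join(f"{t} ({tech})" for t, tech in zip(chain["tactics"], chain["techniques"]))


if __name__ == "__main__":
    for entity, chain in build_attack_chains(SAMPLE_ALERTS).items():
        print(f"{entity} [{chain['severity']}] hosts={chain['hosts']}: {narrative(chain)}")
```

With the constructed alerts, the `jdoe` chain spans phishing, credential theft and lateral movement across two hosts and lands in the top tier, while the lone discovery alert for `svc-backup` stays low: the same four alerts that look like noise in a flat list read as one story once grouped by entity and ordered along the ATT&CK matrix.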

04. Initial Prototype Experiments

Core Prototype Based on MITRE ATT&CK Framework

A full SOC investigation workflow — from dashboard triage through automated response to case closure. Start with any incident.

[Prototype dashboard: Total Incidents 6; Critical 1; Open 2; Avg Response 34m; Recent Incidents list]

05. Reflection

Designing for high-stakes environments

Security tools fail when they optimize for data density over decision clarity. The core insight behind PRISM is that SOC analysts don't need more information — they need better structure. MITRE ATT&CK provides that structure, but only if the interface treats it as architecture, not decoration.

This concept draws directly from my experience building EagleEye at DiDi — a real security platform serving 500+ million users. The patterns are the same: reduce cognitive load, connect fragmented signals, and compress time-to-action. The difference is scope. PRISM explores what a unified SOC surface could look like if designed from first principles.