
// Horizon3.ai · 2022

Turning a powerful AI pentesting engine into a product security teams could actually use.

Security // Platform // Enterprise SaaS // Worked alongside engineering architects and marketing on a parallel rebrand.

// The challenge

Powerful engine. Illegible UI.

The findings were thorough. They were also unreadable — long lists with no priority, no context, and no next step.

My job was to learn the security space well enough to design for red teamers and CISOs, then turn raw output into decisions either of them could act on.

// What I led

  1. Audit

    Full application audit with the engineering architects and customer interviews.

  2. Shared UX pattern

    A reusable layout every later feature inherited — list on the left, detail on the right, action in the top corner.

  3. New surfaces

    Real-time attack view, executive dashboard, data viz, MITRE ATT&CK matrix, policy insights.

  4. Brand refresh

    Visual identity refresh in lockstep with marketing.

01

/ Credentials

Cracking the password was the easy part. Making it mean something was the design problem.

Credential attack graph showing the kill chain
The kill chain made visible. A credential becomes a node, not a line item.

The gap

The old product was built entirely on datatables. Cracked credentials lived as rows in a grid — readable only as raw data. No priority, no context, no path to action.

The bet

Frame each credential as a thread in a larger risk story, not a row in a table.

  1. Which credential is the biggest problem right now?

  2. How did the attacker actually use it?

  3. What systemic weakness does it expose?

Credentials list view with severity scoring
Severity-scored list. Hash type, permissions, "View Proof" command.

Policy Insights tab
Policy Insights — Complexity score, Time-to-Crack donut, team comments.

02

/ Real-time attack view

A pentest used to be a black box. We made it a live broadcast.

Live attack timeline
Live timeline of an attack as it runs — hosts, findings, credentials, command output.

The gap

Customers waited days for the final PDF. They saw the verdict, never the work.

The bet

Show the attack as it happens. Every host, every command, every finding, in order.

// Live_telemetry

Time elapsed

Live timer, pause and resume.

Findings

Hosts touched, weaknesses confirmed and potential.

Credentials

Captured as they crack, ready to inject on the next hop.

NodeZero data

Which probe is running and against what.

Why it mattered

SOC teams could watch their own systems get popped in real time. The pentest doubled as training.

03

/ Executive dashboard

A board-ready story, one screen deep.

Executive dashboard rolling up every pentest
Impacts, weaknesses, credentials, MITRE ATT&CK, priority list, chord diagram.

The gap

A CISO opening the old product saw raw counts. They needed a posture.

The bet

Roll every pentest into a single screen that explains organizational risk.

Impacts

Domain, host, ransomware, sensitive data, critical infrastructure.

Weaknesses

Confirmed and potential, grouped by severity.

Credentials

How many found, how many cracked, and what they had edit and delete permissions on.

MITRE ATT&CK

Coverage across the kill chain — where the attack landed, where defenses held.

Priority list

What to fix first, with a one-line reason and the related finding.

Pentest relationships

A chord diagram showing how findings recur across tests over time.

Why it worked

A blue-team member could pull actionable next steps in seconds. A CISO could lift the same screen straight into a board report. An analyst could drill into any tile and keep going.

// Outcomes

/ Valuation

Higher valuation at the next funding round.

/ Pipeline

Sales saw measurable increases with the new real-time attack view leading deals.

/ Org-wide

The whole company pivoted — marketing and product direction both realigned to the new patterns.