Onboarding System hero
3 1Surfaces unified into one journey
2 of 3Pillars already shipped
6Features designed & prototyped
DirectorLevel sponsorship reached
05Elastic Security · Germany

Onboarding System

Context

Setting the stage

New Elastic Security customers faced three distinct but related first time experiences: getting basic data flowing (Get Started), assessing their security posture (SIEM Readiness), and migrating detection rules from legacy SIEMs like Splunk or QRadar (Automatic Migration).

As the senior designer on Automatic Migration, I had end to end visibility into how these three flows connected, and proposed a unified onboarding system to close the gaps between them. I designed and prototyped this vision independently; it was in early development discussions with engineering when I was laid off, so the system described below reflects a proposal I built and pitched, not a shipped unification.

Scope & Ownership

Senior Product Designer, self initiated

Role: Senior Product DesignerTimeline: 2025 to 2026Team: Self-initiated, informed by Automatic Migration

This proposal existed because I decided it should. No team owned the space between the three first time experiences, so from my seat on Automatic Migration, the only vantage point with end to end visibility across all of them, I created the mandate myself: mapped the three surfaces and where users fell between them, defined the unified journey and its branching model, and designed and prototyped the entire system independently, from the interactive demo to the six feature mockups. Then I took it up the organization, pitching across design, product, and engineering and building sponsorship level by level, until the Director of Design and the Director of Product Management were in active discussions about bringing it onto the roadmap. That is where it stood, in early development conversations with engineering, when the layoff ended my involvement. My ownership ran from noticing the problem to the edge of delivery.

Responsibilities
  • Identified the unification opportunity from end to end visibility on Automatic Migration.
  • Mapped the three existing surfaces and their overlapping steps, owners, and progress models.
  • Defined the unified journey and the single branching question that serves both tracks.
  • Designed and built the interactive prototype and all six feature mockups independently.
  • Aligned the proposal with each pillar's existing terminology, patterns, and constraints.
  • Drove stakeholder alignment up to the Director of Design and Director of Product Management, carrying the proposal into active roadmap discussions with engineering.
The Challenge

What was broken

Onboarding churn in security products is high. The complexity of initial setup, connecting data sources, configuring detection rules, understanding the platform, is enough to stall even experienced security engineers.

Design opportunity 01 · DirectionHow might we give every new team one clear path to its first real detection?

Without a clear path, new users bounced before reaching the first real detection, the moment onboarding is supposed to build toward.

Design opportunity 02 · ConsistencyHow might we make three separately owned surfaces feel like one product?

Three separate teams owned three separate surfaces, so users entering from different paths met inconsistent progress indicators and information architecture.

Design opportunity 03 · HandoffHow might we carry users from one pillar into the next without dropping their progress?

There was no shared handoff model between the three flows, so a user finishing one pillar had no natural next step into another.

Solution

What I proposed

The proposal unified three pillars, one of which (Automatic Migration) I owned and shipped, into a single guided path. Get Started is the foundational onboarding step: connect a first data integration, review auto detected alerts, and run a first detection. An AI powered Automatic Import feature parses custom log formats and generates integration configurations, eliminating the need for manual mapping, designed as a checklist with contextual guidance at each step.

SIEM Readiness is a readiness assessment that evaluates security coverage, which data sources are connected, which MITRE ATT&CK techniques are covered by detection rules, and what gaps exist, producing a personalised readiness score with prioritised recommendations. Automatic Migration is the LLM powered tool I designed for teams migrating from Splunk or QRadar: it ingests existing detection rules and translates them to ES|QL, mapping to existing prebuilt rules where possible and generating custom rules for the rest, with a migration wizard that gives analysts visibility and control before anything activates.

Key features proposed

The proposed system

Mockups

Screen designs

01 · The full journey · click through it
Workflow maps

Process & flows

AI Framing

Designing with the model

Two of the three pillars are directly AI powered. Automatic Import uses AI to parse and configure data sources; Automatic Migration uses an LLM to translate SIEM rules, with the designer's role being to make AI outputs reviewable, correctable, and trustworthy.

The user stays in control

Across both AI powered pillars, the design principle held: AI accelerates, it does not decide. Every AI output is reviewable and correctable before it takes effect.

Flag uncertainty, do not hide it

Low confidence rule translations are flagged explicitly in the migration wizard rather than silently applied, so analysts know exactly where to focus their review.

Outcomes

Where this stood

3 1Surfaces unified into one proposed journey
2 of 3Pillars already shipped in production
6Features designed & prototyped end to end
DirectorDesign & PM sponsorship reached
Status

This proposal was in early development discussions with engineering when I left Elastic, so it never shipped as a unified system. Had it gone forward, it would have reduced time to first detection, improved activation rates, and given new customers one coherent path to a production ready SIEM. The Automatic Migration piece it was built around, one of the three pillars, already shipped and is live in production today.

Reflections

Learnings & key takeaways

Proposing a system nobody asked for is a different discipline from shipping a feature somebody did. This project sharpened how I make a case: not with a vision deck, but with a working prototype grounded in patterns the organization already trusted. It also left me with a conviction that onboarding is a property of the whole system, not a screen you can assign to a single team.

The seams are the product.

Each of the three flows was well designed in isolation; users were lost in the handoffs between them. The gaps between shipped products are real product surface, and because nobody owns them by default, they are where experience quality quietly dies.

Borrow trust from what already shipped.

Anchoring the proposal in Automatic Migration's shipped patterns, its wizard, its statuses, its AI framing, made the vision feel like an extension of something proven instead of a reinvention. Familiar bones made the new idea cheap to believe.

A prototype is the sharpest pitch.

The interactive demo did more persuading than any document. Letting stakeholders click through the journey themselves moved the conversation from whether to unify to how, which is the conversation a proposal needs to reach.

What I would do differently: recruit a product sponsor earlier.

I built design conviction first and went looking for roadmap commitment second. Bringing a PM into co-ownership from the first mapping exercise might have gotten the proposal onto a committed roadmap before the layoff, instead of leaving it in early discussions.