End to end investigation flow
Understanding the entity risk workflow
Before designing the risk dashboard, I mapped how SOC analysts, threat hunters, and risk engineers actually move from a raw anomaly signal to a documented decision. The friction wasn't in the ML models themselves: it accumulated in the gap between a risk score and an explanation an analyst could act on, and in the dead ends between "this entity looks risky" and an actual investigation.