Michele Du

Michele Du

Michele Du

Dashboard

Project

Case Study

In this project, I set out to redesign that story — not as a list of events, but as a living, three-dimensional narrative that reveals relationships across time, threat types, and entities.

Overview

TYPE

SaaS Product Design

ROLE

Lead Designer

TOOL

Figma

Contribution

Led the product design from end-to-end;

Redefine the way to tell takedown story

project snapshot

Goal

Challenge

Outcome

Goal

To transform complex takedown data into a clear, story-driven visualization that helps cybersecurity teams and business users understand the scale, speed, and impact of URL takedowns. The aim was to move beyond traditional dashboards and introduce a new way of narrating takedown progress through an interactive, three-dimensional framework.

Goal

Challenge

Outcome

Outcome

Created the 3D TAE Framework, a dynamic model linking Takedown, Abuse, and Entity dimensions. It visualizes takedown volume, time, and status across multiple perspectives, transforming complex cybersecurity data into a clear, intuitive 3D narrative. The new design also balances information exposure between customers and the SOC team. Customers gain clarity into real progress and performance trends, while the SOC team benefits from an internal view that tracks who is taking what actions and when, reducing redundancy and improving operational efficiency.

Goal

Challenge

Outcome

Goal

To transform complex takedown data into a clear, story-driven visualization that helps cybersecurity teams and business users understand the scale, speed, and impact of URL takedowns. The aim was to move beyond traditional dashboards and introduce a new way of narrating takedown progress through an interactive, three-dimensional framework.

Goal

Challenge

Outcome

Goal

To transform complex takedown data into a clear, story-driven visualization that helps cybersecurity teams and business users understand the scale, speed, and impact of URL takedowns. The aim was to move beyond traditional dashboards and introduce a new way of narrating takedown progress through an interactive, three-dimensional framework.

Need for Real-Time Transparency

Need for Real-Time Transparency

Users wanted to know why a takedown was still “In Progress,” what actions were pending, and who was responsible.

“The customer should know in real time if there’s a takedown request pending from Bolster’s side — about its progress and what’s causing it.”

Need for Actionable Context

Need for Actionable Context

Instead of raw records, users wanted insight, which entities caused delays, how long each step took, and where to focus attention.

Trust and Consistency Issues

Trust and Consistency Issues

Several users questioned the reliability of status labels.

“I don’t care about takedown visibility and just assume Bolster is doing the best at this. Come down when it happens. Once it’s in Malicious, I’m more in sync with you there.”

Complex Workflow Visibility

Complex Workflow Visibility

Mixing automated and manual updates made it unclear what actions were complete or verified. Internal teams wanted clearer separation between customer and SOC views.

Stay educated on threat actors targeting my company, identify what actions I can take outside of Bolster (M)

Difficult to Navigate and Interpret

Difficult to Navigate and Interpret

Users had to manually scroll and filter to find relevant updates.

“They have to come here to check what’s ‘In Progress’ if they want to know the status.”

INTERVIEW SUMMARY

Previous Takedown Visibility Center

The original TVC was designed as a functional data table for tracking takedown progress but fell short in delivering clarity, hierarchy, and insight.


  1. Overloaded Layout: The table displayed raw data without summaries, making it hard to see patterns or trends.

  1. Poor Hierarchy: Text-based status labels (e.g., In Progress, Takedown) didn’t reflect actual progress or relationships between stages.

  2. No Insights: Users couldn’t tell which entities were slow or how takedown time compared across cases.

  3. Usability Issues: Dense data, hidden filters, and repetitive entries created friction.

  4. Unclear Transparency: The mix of automated and manual updates confused users about what information was accurate or relevant.


The design provided information but not understanding, it is more like a data log rather than an insight-driven experience.

design Audit

A data visualization model that connects Takedown (T), Abuse (A), and Entity (E) dimensions to tell the takedown story in a dynamic, multi-perspective way. It reveals how threat types, entities, and response times intersect, transforming complex cybersecurity data into an interactive narrative of speed, scale, and impact.

TAE FRAMEWORK

3D Model Visualization

A cross-team investigation with SOC, engineering, and customer success uncovered key data gaps and clarified the full URL lifecycle—from detection to post-remediation. This mapping simplified complex workflows and informed the Takedown Visibility Center redesign, ensuring technical accuracy while staying clear for both expert and non-technical users.

A cross-team investigation with SOC, engineering, and customer success uncovered key data gaps and clarified the full URL lifecycle—from detection to post-remediation. This mapping simplified complex workflows and informed the Takedown Visibility Center redesign, ensuring technical accuracy while staying clear for both expert and non-technical users.

takedown workflow

Takedown Time Analysis


This view compares takedown speed across different entities and abuse types.


Each block shows the median takedown time, color-coded by duration for quick visual benchmarking.


By switching to the Time focus mode, users can instantly identify which entities resolve threats faster or slower than the industry average, revealing performance gaps and optimization opportunities in real time.

Takedown Time Analysis


This view compares takedown speed across different entities and abuse types. Each block shows the median takedown time, color-coded by duration for quick visual benchmarking. By switching to the Time focus mode, users can instantly identify which entities resolve threats faster or slower than the industry average, revealing performance gaps and optimization opportunities in real time.

Takedown Time Analysis


This view compares takedown speed across different entities and abuse types.


Each block shows the median takedown time, color-coded by duration for quick visual benchmarking.


By switching to the Time focus mode, users can instantly identify which entities resolve threats faster or slower than the industry average, revealing performance gaps and optimization opportunities in real time.

Abuse - Volume Focus


This view visualizes the overall scale of malicious activity across different abuse types such as Phish, Scam, Trademark, and Copyright.


Each bubble represents the total volume of URLs detected under that category, sized by their count and segmented by takedown status.


Users can interact with the bubbles to see how many URLs are actively processing, awaiting response, or already taken down. This helps identify which threat categories dominate the landscape and how effectively each is being mitigated.

Abuse - Volume Focus


This view visualizes the overall scale of malicious activity across different abuse types such as Phish, Scam, Trademark, and Copyright. Each bubble represents the total volume of URLs detected under that category, sized by their count and segmented by takedown status.


Users can interact with the bubbles to see how many URLs are actively processing, awaiting response, or already taken down. This helps identify which threat categories dominate the landscape and how effectively each is being mitigated.

Abuse - Volume Focus


This view visualizes the overall scale of malicious activity across different abuse types such as Phish, Scam, Trademark, and Copyright.


Each bubble represents the total volume of URLs detected under that category, sized by their count and segmented by takedown status.


Users can interact with the bubbles to see how many URLs are actively processing, awaiting response, or already taken down. This helps identify which threat categories dominate the landscape and how effectively each is being mitigated.

Abuse - Time Focus


This view focuses on takedown efficiency by abuse type.


Using box plots, it visualizes the median, average, and outlier takedown times for each category, revealing how quickly or slowly different types of threats are resolved.


Users can pinpoint which abuse types tend to face longer response times or greater variability, uncovering performance gaps and opportunities for operational improvement across the takedown process.

Abuse - Time Focus


This view focuses on takedown efficiency by abuse type. Using box plots, it visualizes the median, average, and outlier takedown times for each category, revealing how quickly or slowly different types of threats are resolved.


Users can pinpoint which abuse types tend to face longer response times or greater variability, uncovering performance gaps and opportunities for operational improvement across the takedown process.

Abuse - Time Focus


This view focuses on takedown efficiency by abuse type.


Using box plots, it visualizes the median, average, and outlier takedown times for each category, revealing how quickly or slowly different types of threats are resolved.


Users can pinpoint which abuse types tend to face longer response times or greater variability, uncovering performance gaps and opportunities for operational improvement across the takedown process.

Timeline View


This view visualizes the full lifecycle of each URL, mapping every takedown action over time.


Each colored marker represents a specific step such as sending notices to hosting providers, registrars, or TLDs, allowing users to track progress day by day.


By switching between week, month, and half-year ranges, users can monitor patterns, identify delays, and understand when and how each action occurred.


This timeline gives teams a clear historical record of takedown activities and supports better coordination between SOC and customer teams.

Timeline View


This view visualizes the full lifecycle of each URL, mapping every takedown action over time. Each colored marker represents a specific step such as sending notices to hosting providers, registrars, or TLDs, allowing users to track progress day by day.


By switching between week, month, and half-year ranges, users can monitor patterns, identify delays, and understand when and how each action occurred. This timeline gives teams a clear historical record of takedown activities and supports better coordination between SOC and customer teams.

Timeline View


This view visualizes the full lifecycle of each URL, mapping every takedown action over time.


Each colored marker represents a specific step such as sending notices to hosting providers, registrars, or TLDs, allowing users to track progress day by day.


By switching between week, month, and half-year ranges, users can monitor patterns, identify delays, and understand when and how each action occurred.


This timeline gives teams a clear historical record of takedown activities and supports better coordination between SOC and customer teams.

FINAL design

Go Back

Takedown Visibility Center

Dashboard

Project

Case Study

My Profile

Back to top

Live

Go Back

Takedown Visibility Center

Dashboard

Project

Case Study

My Profile

Back to top

Live

Go Back

Takedown Visibility Center

Back to top

Live