
Competitor UX Analysis — What Can We Steal?

Sergey flagged that the four RSAC 2026 competitors solve similar problems but may show information more intuitively. This analysis maps their UX patterns to our known usability gaps from the March platform review.

Context: Our platform is rated B- for UX, 70% CISO-ready, 1.8/5 sellability for partners. Deloitte said it would require "a week-long bootcamp for junior analysts." The core problem: too technical below the cluster level.

Competitors analyzed: Token Security, Geordie AI, Realm Labs, Fig Security. See also competitive positioning analysis.

Key references:


The Big UX Ideas Worth Stealing

1. Natural Language Query Interface (Token Security)

What they do: Token's MCP Server lets security teams query their NHI environment through Claude, ChatGPT, or Cursor using plain English. Their in-platform AI Agent adds a chat panel directly in the dashboard UI.

Example queries they showcase:

  • "Which identities haven't rotated secrets in 90 days?"
  • "What are the top 5 riskiest NHIs?"
  • "Generate a script to resolve the top 5 riskiest NHIs"
  • "Who owns this service account, and what does it access?"

Why this matters for us: Our platform requires navigating Overview → Cluster → Path → Detail to answer questions that could be asked directly. A CISO shouldn't need to learn our navigation to ask "which orphaned automations are reaching sensitive data?"

Our usability gaps this addresses:

Effort to implement: Medium. We already have a structured API, and an MCP server is a protocol adapter over it, not a new product, so it could be a quick win for demo impact. One caveat to design in from day one: the adapter becomes a new trust boundary. Whatever the LLM client can ask for, the server's credential will answer, so expose only read-only query tools, scope every call to the caller's tenant and role, and validate tool arguments server-side rather than trusting the model. Token's "generate a script to resolve" example is output generation, not execution; our read-only posture means we keep it that way.


2. Compliance Framework Badges on Every Surface (Geordie AI)

What they do: Geordie's dashboard shows framework compliance as card-based widgets directly on the main view:

  • OWASP Agentic Top Ten: 78 risks
  • ISO 42001: 62 risks
  • EU AI Act: risk count
  • NIST AI RMF: risk count

These aren't buried in a compliance tab — they're first-class dashboard citizens alongside the risk score.

Why this matters for us: Our platform has zero compliance framework mapping in the UI. Deloitte specifically asked "What's the OWASP impact? What's the business relevance?" We already have the OWASP mapping documented internally — it just isn't surfaced.

Our usability gaps this addresses:

Effort to implement: Low. We already have the OWASP mapping. This is a UI rendering task — add badge components to Risk Cluster cards and Finding Detail pages.

Specific implementation: Add a <ComplianceBadge> component showing "OWASP ASI-03" next to orphaned_ownership findings, "OWASP ASI-10" next to scope_drift, "OWASP ASI-02" next to llm_egress. No new data — just surface what we already know.


3. Executive Risk Score with Trend Line (Geordie AI)

What they do: Top of dashboard shows a single "Organization Risk Score" with a 30-day trend chart and percentage change (+5.97%). Below it: "Top Risks by Platform" as a ranked list.

Key design: One number dominates. Not five metrics competing for attention — one score with trend context.

Why this matters for us: Our Overview has four stat cards below the hero tiles showing inventory counts ("Active Autonomous: 5 Identities", "Dormant Authority: 2 Identities") that don't answer "so what?", plus delta percentages that are noisy without context.

Our usability gaps this addresses:

Design tension: We deliberately removed scoring (Sergey's decision: no visible scores, no ML). But a simple count-based aggregate is not a "score"; it is a summary. "12 unresolved governance failures across 3 sensitive domains" is deterministic and more useful than four inventory metrics.

Adaptation for SV0: Instead of a risk score (which implies ML), use a deterministic headline stat: "Unresolved Governance Failures: 12" with a 30-day sparkline showing trend. Below it: ranked Risk Clusters by finding count. This gives CISOs a single starting point without introducing scoring.


4. Problem-Solution Card Framing (Token Security)

What they do: Token's homepage uses gradient-colored cards to frame problems in business-impact language:

  • Green card: "Everywhere & Exploding" (machine identities outnumber humans 50:1)
  • Blue card: "Complex & Connected" (identities span cloud, on-prem, SaaS)
  • Pink card: "Impossible to Remediate" (no tools exist to fix this at scale)

Then each capability page leads with the problem, then the solution, then proof (testimonials).

Why this matters for us: Our platform presents findings as technical facts. We say "orphaned_ownership" — Token would frame this as "No One's Watching" with a subheading like "3 autonomous systems execute daily with no accountable owner." The difference is emotional resonance vs. technical precision.

Our usability gaps this addresses:

Adaptation for SV0: Our Risk Cluster cards currently show "13 Paths" as the dominant element. Invert this: verdict sentence dominates ("3 orphaned automations access patient records daily"), path count becomes a secondary badge. This is already in our spec (Phase 1.1) but Token validates the pattern works in market.


5. Progressive Disclosure via Accordion Cards (Token Security)

What they do: Every capability section uses expandable +/− accordion cards. Page stays scannable — you see 5-6 capability headlines at once. Click to expand any one for full detail. This is their primary information density management pattern.

Why this matters for us: Our Authority Path Detail page dumps everything at once — graph, risk tiles, remediation, standing authority panel. The Findings page is a flat table with 6-51 items. No progressive disclosure below the cluster level.

Our usability gaps this addresses:

What we already do well: Our Cluster Detail page uses collapsible Authority Paths table — "progressive disclosure done right" per the review. The pattern works at cluster level; we just need to push it down to findings and path detail.


6. Real-Time Split-Panel Layout (Realm Labs)

What they do: Realm Prism uses a two-panel design — left panel shows the user interaction/prompt, right panel shows live-updating metric gauges that animate as the model processes. When a prompt changes, metrics immediately respond.

Why this matters for us: This isn't directly applicable to our domain, but the split-panel concept is powerful for our Authority Path Detail. Left panel: the path chain (workload → identity → destination). Right panel: live-updating context — findings, ownership status, execution evidence, remediation.

Our usability gaps this addresses:

Adaptation for SV0: Consider a split-panel layout for Authority Path Detail: path graph dominates the left, contextual panels (findings, evidence, remediation) stack on the right. Click a node in the graph → right panel updates. This is a natural extension of our graph-first layout.


7. "Guides, Not Blocks" Governance (Geordie AI Beam Engine)

What they do: Geordie's Beam engine intervenes in AI agent execution by adjusting context, not blocking actions. It "guides rather than blocks" — no binary allow/deny UI. The governance is invisible to the agent user; it modifies the agent's decision-making context so the agent naturally avoids risky actions.

Why this matters for us: Not directly applicable to our read-only model, but the philosophy applies to how we present remediation. Currently our remediations are prescriptive commands ("Remove role X", "Restrict LLM access"). The "guides, not blocks" UX philosophy suggests we should present remediation as options with trade-offs, not just instructions.

Our usability gaps this addresses:

Adaptation for SV0: Remediation cards could show: (1) the recommended action, (2) what it fixes, (3) what it might break (blast radius of the fix), (4) alternative options. This is more "guide the analyst" than "tell the analyst."


8. Warm Color Palette — Cream over Clinical White (Fig Security)

What they do: Fig uses cream background (warm off-white), ink (near-black) text, and purple accents. Deliberately avoids the standard dark-mode SOC dashboard aesthetic. Stack Sans font with tight letter-spacing gives a modern, approachable feel.

Token's approach: Bright teal-green (#3CC982) primary, Satoshi font (geometric sans-serif), generous whitespace, rounded corners (1.2rem border-radius).

Geordie's approach: Dark theme with light/dark toggle and bright accent colors.

Realm Labs: Blues, purples, pinks gradient aesthetic.

Why this matters for us: Our platform's visual design wasn't explicitly critiqued, but the "too technical" perception is partly visual. Fig's warm palette signals "executive briefing" rather than "SOC tool." Token's generous whitespace and rounded corners signal "modern SaaS" rather than "enterprise tool."

Adaptation for SV0: This is a longer-term design consideration, not a quick fix. But when we build the assessment report generator (Phase 4: Reports & Deliverables), the visual design should lean toward Fig's warm/executive palette rather than a technical dashboard aesthetic. The report is the partner-facing artifact — it needs to feel like a consulting deliverable, not a tool export.


9. Activity Analytics with Multi-Platform Timeline (Geordie AI)

What they do: Dashboard includes a 6-month timeline showing adoption/activity across platforms (Dust, Copilot, etc.). Also: horizontal bar charts showing tool usage counts ("code interpreter: 98 uses").

Why this matters for us: We have execution_30d counts but no visual timeline. Our execution evidence shows individual events but doesn't aggregate into trends. The CISO can't see "execution volume has been growing for 3 months" — they just see a point-in-time count.

Our usability gaps this addresses:

Adaptation for SV0: Add an execution trend indicator to Authority Path cards showing execution volume over time. Note: current path APIs only expose a 30-day aggregate plus a prior snapshot (execution_30d / execution_prior_30d), not a daily time series. A true sparkline requires backend changes to store historical daily aggregates; a two-point "current vs. prior period" indicator (up/down arrow with delta) is achievable now. The two-point version needs the same guard as the Overview deltas: when execution_prior_30d is zero the percentage is undefined, and when both counts are small the percentage exaggerates (1 → 2 executions reads as "+100%"), so those cases should show an absolute change or a "new activity" label instead of a percentage. A full sparkline needs backend modeling work first.
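The deterministic summaries from idea 3 (headline stat plus ranked clusters) and idea 9 (two-point execution trend) are small enough to show end to end. The following is an added example written for this analysis, not SecurityV0 code: it uses the execution_30d / execution_prior_30d fields the path API is described as exposing, while the finding record fields (status, data_domain, sensitive, cluster), the sample data, and the MIN_BASE threshold are assumptions made here for illustration.

```python
"""
Added example, not SecurityV0 code: the deterministic headline stat and ranked
clusters from idea 3 and the two-point execution trend from idea 9. Only
execution_30d / execution_prior_30d come from the page; the finding fields
(status, data_domain, sensitive, cluster) and MIN_BASE are assumptions.
"""
from collections import Counter

# Constructed sample findings, not real platform output.
FINDINGS = [
    {"id": "f-1", "type": "orphaned_ownership", "cluster": "Orphaned Automations",
     "status": "open", "data_domain": "patient_records", "sensitive": True},
    {"id": "f-2", "type": "scope_drift", "cluster": "Scope Drift",
     "status": "open", "data_domain": "patient_records", "sensitive": True},
    {"id": "f-3", "type": "llm_egress", "cluster": "LLM Egress",
     "status": "open", "data_domain": "billing", "sensitive": True},
    {"id": "f-4", "type": "orphaned_ownership", "cluster": "Orphaned Automations",
     "status": "open", "data_domain": "public_docs", "sensitive": False},
    {"id": "f-5", "type": "scope_drift", "cluster": "Scope Drift",
     "status": "resolved", "data_domain": "hr_records", "sensitive": True},
]

MIN_BASE = 10  # below this many executions a percentage delta is noise, not signal


def headline(findings):
    """One deterministic number, no scoring: unresolved findings and the
    distinct sensitive data domains they touch."""
    unresolved = [f for f in findings if f["status"] != "resolved"]
    domains = {f["data_domain"] for f in unresolved if f["sensitive"]}
    return {
        "unresolved": len(unresolved),
        "sensitive_domains": len(domains),
        "text": f"Unresolved Governance Failures: {len(unresolved)} "
                f"across {len(domains)} sensitive domains",
    }


def rank_clusters(findings):
    """Risk Clusters ranked by unresolved finding count; ties broken by name so
    the order is stable between renders."""
    counts = Counter(f["cluster"] for f in findings if f["status"] != "resolved")
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def trend(execution_30d, execution_prior_30d, min_base=MIN_BASE):
    """Two-point indicator for a path card. The label only carries a percentage
    when the base is large enough for the percentage to mean something."""
    cur, prior = execution_30d, execution_prior_30d
    delta = cur - prior
    if cur == 0 and prior == 0:
        return {"direction": "flat", "delta": 0, "pct": None, "label": "no activity"}
    if prior == 0:
        # Percentage is undefined; "new activity" is the honest statement.
        return {"direction": "new", "delta": delta, "pct": None,
                "label": f"new: {cur} executions"}
    if cur == 0:
        return {"direction": "stopped", "delta": delta, "pct": None,
                "label": f"stopped (was {prior})"}
    direction = "up" if delta > 0 else "down" if delta < 0 else "flat"
    if max(cur, prior) < min_base:
        # 1 -> 2 is "+100%" but means nothing; show the absolute change instead.
        return {"direction": direction, "delta": delta, "pct": None,
                "label": f"{delta:+d} (low volume)"}
    pct = round(100.0 * delta / prior, 1)
    return {"direction": direction, "delta": delta, "pct": pct, "label": f"{pct:+.1f}%"}


if __name__ == "__main__":
    print(headline(FINDINGS)["text"])
    for name, n in rank_clusters(FINDINGS):
        print(f"  {name}: {n}")
    for cur, prior in [(120, 80), (3, 0), (2, 1), (0, 40), (50, 50)]:
        print(cur, prior, trend(cur, prior)["label"])
```

The point of `trend` is the three branches before the percentage is computed: a path that went from zero to three executions, or from one to two, should not render the same arrow-plus-percentage treatment as a path that went from 80 to 120, or the card reintroduces the exact noise the Overview deltas were criticized for.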


10. Simulation / What-If (Fig Security)

What they do: Teams can simulate proposed changes in a sandbox and see predicted downstream effects before deploying. "See how a change to a pipeline, rule, or integration will affect downstream detections and playbooks."

Why this matters for us: Our authority path model contains the full chain (workload → identity → destination → data domain), and we have blast radius queries. However, the current blast radius endpoint shows what a workload can reach, not what would happen if a specific role were removed. True "what-if" simulation requires per-role graph traversal — a meaningful backend modeling effort, not just a UI layer.

Our usability gaps this addresses:

Adaptation for SV0: "What if I remove this identity's access?" → Platform traces the authority path graph and shows which workloads, destinations, and data domains would be affected. Not automated remediation (we're read-only), but impact preview. This is directionally aligned with our blast radius queries but needs the inverse traversal described above, starting from a role rather than a workload. One modeling detail to get right: removing a role only breaks a path if no other grant still covers the same hop, so the traversal has to check for redundant grants before reporting a path as broken, or the preview will over-count impact.
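To make the difference between the existing forward query and the proposed inverse query concrete, here is an added example written for this analysis, not SecurityV0 code: a forward `blast_radius` (what a workload reaches) beside a `remove_role_impact` what-if that distinguishes hops that would actually break from hops still covered by another grant. The flat path record shape, the treatment of a role as one grant on the identity → destination hop, and the sample paths are all assumptions made here.

```python
"""
Added example, not SecurityV0 code: forward blast radius (what a workload
reaches) beside the inverse per-role traversal the analysis says does not
exist yet (what breaks if a role is removed). The path record shape and the
idea that a role is one grant on the identity -> destination hop are assumptions.
"""
from collections import defaultdict

# Constructed sample authority paths: workload -> identity -> role -> destination -> data domain.
PATHS = [
    {"workload": "etl-nightly", "identity": "svc-etl", "role": "DataReader",
     "destination": "patients-db", "data_domain": "patient_records"},
    {"workload": "etl-nightly", "identity": "svc-etl", "role": "DataReader",
     "destination": "billing-db", "data_domain": "billing"},
    {"workload": "report-gen", "identity": "svc-report", "role": "DataReader",
     "destination": "patients-db", "data_domain": "patient_records"},
    # Redundant grant: the same workload -> destination hop is also covered by ReportViewer.
    {"workload": "report-gen", "identity": "svc-report", "role": "ReportViewer",
     "destination": "patients-db", "data_domain": "patient_records"},
    {"workload": "chatbot", "identity": "svc-llm", "role": "LLMInvoke",
     "destination": "openai-api", "data_domain": "external_llm"},
]


def blast_radius(paths, workload):
    """Forward query: everything a workload can reach through any identity/role."""
    hits = [p for p in paths if p["workload"] == workload]
    return {
        "identities": sorted({p["identity"] for p in hits}),
        "destinations": sorted({p["destination"] for p in hits}),
        "data_domains": sorted({p["data_domain"] for p in hits}),
    }


def remove_role_impact(paths, role):
    """Inverse query: what-if preview for removing `role` everywhere it is granted.

    A workload -> destination reach is only *broken* if no other (identity, role)
    pair still grants it; otherwise it is reported as still reachable. A naive
    "list every path carrying this role" query would count that hop as broken.
    """
    grants = defaultdict(set)  # (workload, destination) -> {(identity, role), ...}
    for p in paths:
        grants[(p["workload"], p["destination"])].add((p["identity"], p["role"]))

    broken, still_reachable = [], []
    for p in paths:
        if p["role"] != role:
            continue
        remaining = {g for g in grants[(p["workload"], p["destination"])] if g[1] != role}
        if remaining:
            still_reachable.append({"workload": p["workload"],
                                    "destination": p["destination"],
                                    "via": sorted(remaining)})
        else:
            broken.append(p)

    return {
        "role": role,
        "broken": {
            "paths": len(broken),
            "workloads": sorted({p["workload"] for p in broken}),
            "destinations": sorted({p["destination"] for p in broken}),
            "data_domains": sorted({p["data_domain"] for p in broken}),
        },
        "still_reachable": still_reachable,
    }


if __name__ == "__main__":
    print(blast_radius(PATHS, "etl-nightly"))
    print(remove_role_impact(PATHS, "DataReader"))
```

On the sample data, removing DataReader breaks etl-nightly's reach into both patient_records and billing, while report-gen keeps its patients-db access through ReportViewer. A remediation card built on this can state "2 paths break, 1 workload loses access, 1 path stays reachable via another role" rather than listing three paths as affected.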


UX Patterns Mapped to Our Usability Gaps

Our Problem (→ Action Plan)   | Token                                        | Geordie                                         | Realm                               | Fig
Too Technical                 | Problem-solution framing, NL queries         | Compliance badges as business anchors           |                                     | Warm executive palette
Remediation Actionless        | AI-generated scripts with system specifics   | "Guides not blocks" options                     |                                     | Simulation shows fix impact
Roles Hidden                  |                                              |                                                 | Split-panel always-visible context  |
Visual Hierarchy Inverted     | Problem statement dominates, data secondary  | Risk score as single hero                       |                                     |
Missing Verdicts              | Problem cards ARE verdicts                   |                                                 |                                     |
No "What Changed"             | NL query: "What's new since yesterday?"      | 6-month activity timeline                       |                                     |
Navigation Orphans            | NL query bypasses navigation                 |                                                 |                                     |
23 Jargon Terms               | NL query bypasses jargon                     | OWASP/compliance terms as shared vocabulary     |                                     |
Secondary Metrics             |                                              | Single org risk score + trend                   |                                     |
Findings Page                 | NL query replaces table navigation           | Card-based grouped display                      |                                     |
No OWASP Tags                 |                                              | First-class dashboard badges                    |                                     |
Noisy Deltas                  |                                              | 30-day trend sparkline; contextual timeline     |                                     |
Clusters Undifferentiated     |                                              | Ranked risk list                                |                                     | Simulation: "fix this first"
No Business Impact            | Business-language cards                      | Compliance framework context                    |                                     | "Green dashboards lie"
No Cross-Links                |                                              |                                                 | Split-panel shows related context   | DAG shows dependencies

Priority Actions (Sorted by Impact / Effort)

Quick Wins (Low Effort, High Impact)

  1. Add OWASP compliance badges to Risk Cluster cards and Finding Detail — mapping exists, just needs UI rendering. Directly answers Deloitte's "what's the business relevance?" question. Estimated: 1-2 days.

  2. Replace inventory stat cards with one deterministic headline — "12 Unresolved Governance Failures across 3 Sensitive Domains" beats "Active Autonomous: 5 Identities." Pure copy/layout change. Estimated: half day.

  3. Add execution trend indicator to Authority Path cards — current APIs expose execution_30d and execution_prior_30d. A two-point up/down indicator (not a full sparkline) is feasible now. Full sparkline requires historical daily aggregation (backend work). Estimated: 1-2 days for two-point indicator; 1-2 weeks for full sparkline with backend.

  4. Invert cluster card hierarchy — make verdict sentence the hero, path count the badge. Already in Phase 1.1 spec. CSS/layout only. Estimated: half day.

Medium Effort, High Impact

  1. Build an MCP server for SecurityV0 — protocol adapter over existing API. Lets CISOs query authority paths, findings, evidence in natural language. High demo impact, validates "AI-native" positioning. Estimated: 1-2 weeks.

  2. Add remediation impact preview — "If you remove this role: 3 paths affected, 2 workloads lose access." Requires new per-role graph traversal (current blast radius shows what a workload reaches, not what breaks when a role is removed). Not automated remediation (stays read-only), but impact preview. Estimated: 2-4 weeks (backend modeling + UI).

  3. Group Findings page by severity with expandable sections — instead of flat table, show severity distribution bar at top (data already in meta.bySeverity), then grouped accordions. Follows Token's progressive disclosure pattern. Estimated: 3-5 days.

Longer Term

  1. Split-panel Authority Path Detail — graph on left, contextual panels (findings, evidence, remediation) stacking on right. Click node → right panel updates. Estimated: 1-2 weeks.

  2. Assessment report with warm executive palette (Phase 4 deliverable). When building the report generator, use Fig-style warm cream/ink/purple palette rather than dashboard aesthetics. The report should feel like a consulting deliverable.

  3. Activity timeline on Overview — 30-day or 6-month execution trend across all monitored paths. Requires temporal data aggregation. Estimated: 1-2 weeks.


What NOT to Copy

  • Don't add ML-based risk scoring — Geordie's dynamic risk scoring conflicts with our deterministic philosophy. Our "no score, sorted by finding count" is a valid alternative
  • Don't add real-time intervention — Beam-style context manipulation is a different product category. We're read-only by design
  • Don't add dark mode as priority — Geordie offers it, but our CISO audience prefers light/executive palette per UX research
  • Don't chase Realm's model interpretability UI — attention heatmaps and token probability gauges are for a different domain entirely
  • Don't over-invest in marketing site polish — Token's animated GIF logo and GSAP scroll animations are nice but not what makes CISOs buy. Fix the product UI first

Key Insight: The "Legibility Inversion" Validated

Our March review found that "non-technical buyers rate opinionated single-verdict reports ~2 points higher on purchase intent than analytically rich dual-axis formats."

Every competitor confirms this:

  • Token leads with problem statements, not data tables
  • Geordie leads with one risk score, not five metrics
  • Fig leads with "green dashboards lie" (a verdict), not a feature list
  • Realm leads with "securing AI from within" (a philosophy), not technical architecture

Our Risk Cluster Detail — with its verdict sentence, exposure brief, and governance checklist — is already the best implementation of this principle. The gap is that everything BELOW cluster level reverts to technical presentation. The fix: push the verdict-first pattern down to Finding Detail and Authority Path Detail.