Endpoint Events
Unified endpoint events into a single remediation workflow. Reduced vulnerability resolution from 160 hours to 10 minutes (99%)

FortiClient is Fortinet’s endpoint security agent, managed by an Endpoint Management Server (EMS). In 2024, Fortinet introduced a new Event Management capability within EMS to unify fragmented endpoint events into a single, actionable system.
User research revealed that vulnerability remediation frequently stalled not due to lack of detection, but because critical remediation context (such as file paths) was missing. Visibility into vulnerabilities and the information required for remediation were disconnected.
As lead UX designer, I led the design of a unified workflow that connected visibility with action in one place, reducing remediation time from 160 hours to 10 minutes per vulnerability event and delivering $100,000+ in annual operational cost savings.
Product: Web design
Skills: User research & testing, Pain point discovery, Stakeholder management, Product design, Interactive prototyping, Public speaking
Role: Lead designer
Team: Kunal Marwah, Thiago Santana, Tony Huang, Kelvin Tao
Timeline: Q1 - Q4 2024
Overview
The original EMS Event Management feature allowed administrators to view endpoint activity, but it functioned primarily as a passive reporting tool. While events were visible, they were spread across fragmented views, and there was no clear or efficient path from detection to remediation, particularly for vulnerability-related events.
I reframed the problem from "how do we display consolidated events" to "how do admins primarily use this feature?"
The resulting workflow consolidated all endpoint events into a single interface and exposed the exact data required for remediation at the point of decision. This transformed the Events feature from a monitoring surface into an end-to-end remediation system, enabling admins to investigate, prioritize, and act without context switching.
Discovery
The executive team assumed that improving visibility and visuals alone would significantly enhance the user experience.
I conducted in-depth user research to check:
Do they face challenges with the current events feature?
Are they currently satisfied with this feature?
Are there any experience modifications we could apply to improve their daily workflow?
Research Results
User research revealed a critical issue: IT administrators found the existing EMS event management feature nearly useless. The key missing detail was simple yet crucial: the exact file path for detected vulnerability events. Without it, admins had no easy way to trace the vulnerability event to its source, forcing them into a cumbersome workaround. They had to ask end users to open their agent (FortiClient console), take screenshots of the vulnerability event details, and send them back. This could take hours or even days (up to 160 hours), depending on user response times.
At scale, the impact was significant. An admin managing thousands of endpoints could spend entire days chasing screenshots instead of actually resolving security threats. While EMS provided visibility, it didn’t offer the actionable data needed to drive quick, effective responses.
Negotiating Alignment
This was one of the most challenging projects I led at Fortinet, not because of the design complexity, but due to the resistance I encountered along the way.
When I presented these findings, the reaction from stakeholders was mixed. Many believed that simply consolidating all events into a single view would be enough to improve the experience for premium license holders. To challenge this assumption and gain buy-in, I had to be patient, present compelling evidence, and reframe the problem in terms of lost time, inefficiency, and the potential business risks posed by delays in remediation.
After I gained buy-in from key stakeholders, we aimed to hit two critical goals with a single, efficient solution that would address both the business and user needs.
Business Goal
Centralize all events generated by managed endpoints into a single, unified view within EMS to upsell the product.
User Goal
Display the exact file path for detected vulnerability events to enable quick, actionable remediation.
Collaborative Win
I designed and shared a high-fidelity prototype to align UX, engineering, product and security teams on a single remediation workflow before development began.
The prototype served as a shared reference point across disciplines, enabling engineers to validate feasibility, security teams to confirm required data visibility, and product stakeholders to align on scope and prioritization.
This early alignment reduced ambiguity, prevented rework, and enabled the team to move into development with a clear, validated direction.
Solution
The design unified fragmented endpoint events into a single actionable system. Admins can view all critical remediation data, such as file paths for vulnerabilities, directly within the event table and take action without leaving context.
This feature shifted EMS from passive monitoring to an active remediation workflow, eliminating manual follow-ups, screenshots and cross-tool investigation.
The final solution introduced several core features that significantly improved the workflow and user experience:
Limitation
This feature is gated by Elasticsearch and is only available once Elasticsearch is enabled on EMS. This was an intentional platform constraint. The solution was designed to leverage indexed data to support real-time filtering, bulk actions, and remediation data at scale.
Validated Impact
What was once a fragmented, multi-day process became a seamless, end-to-end workflow.
The redesign reduced the average vulnerability event remediation time by 23+ hours per case, improved remediation workflow by 99% and generated over $100,000 in annual operational savings at Fortinet.


