
Case Study: Tandem Test Incident

 


Role: Product Designer

Responsibilities: UI/UX design, user flows, user personas, wireframes, presentations, documentation, prototyping, visual design

Duration: Jun 2022 to Jul 2022

Tools: Figma, FigJam, Photoshop, After Effects

Incident Dashboard screen in laptop mockup with two screens overlapping for Create Incident and Test Exercise on blue gradient background
 
 
 

Overview

Tandem is an 11-product SaaS with a focus on cybersecurity and compliance needs for financial institutions. As their first UI/UX and product design hire, I collaborated within a cross-functional team to design their 11th product, Incident Management.

After the Incident Management product rollout, it was determined there was a need for the ability to create a Test Incident. The Test Incident feature in Tandem's Incident Management product empowers organizations to "practice like you play" by enabling users to simulate incidents in a structured environment. Guided by the NIST Computer Security Incident Handling Guide, this feature mirrors the tracking process of actual incidents, offering realistic and actionable practice.

By addressing the gaps in previous approaches, such as relying on spreadsheets or plain text fields within the Exercises & Tests feature, the Test Incident feature elevates incident preparation and response. This initiative not only boosts user efficiency but also contributes to the success of Tandem’s Incident Management product—as evidenced by its Market Readiness award from FDITECH.

The goal was clear: add the ability to create a Test Incident to allow teams to test their incident response plan and handling processes.

Team

As the sole product designer, I collaborated closely with a multidisciplinary team to bring the Test Incident feature to life. The team included the company president, general manager, director of development, a team of web application developers, and a software support team. Together, we combined our expertise to tackle the challenges of improving the Incident Management product and creating a seamless, user-centered experience.

 

Problem

Before the Test Incident feature, organizations were forced to create an incident within the software without shared knowledge of it being a test. With incident response being a team effort, seeing a new incident without knowledge of it being a test would lead to confusion, and honestly, anxiety among incident handlers.

There were also cases where organizations were limited to ad-hoc methods for testing their incident response plans, such as using spreadsheets or even pen and paper. While Tandem offered an Exercises & Tests feature for setting up drills, there was no way to simulate an actual incident. Users had to rely on generic text fields for documentation without guided stages or a direct connection to incidents.

This lack of structure hindered users from effectively testing their plans, forecasting responses, and identifying gaps—ultimately reducing the utility of Tandem’s incident management offerings.

Create Incident with Test Incident marker and indicator

Incident dashboard with Test Incident indicator

Research

Through user interviews, competitor analysis, and internal brainstorming, the research highlighted the need for a structured approach to testing incident response plans. Users sought realistic simulations that mirrored actual incident stages to better prepare their teams. The absence of such features in competitor offerings guided Tandem’s decision to align with NIST standards, creating a unique and valuable solution for its users.

Key Insights

  • Users emphasized the importance of "practicing like you play," underscoring the need for test environments that mimic real incidents.

  • Forecasting reactions by testing specific incident types was a key objective.

  • Identified additional functionality, such as adding a “Test” filter to the incidents index, peer analysis, and global dashboard to exclude Test Incidents from crucial reports and document downloads.

  • Associating Test Incidents directly in the Exercises & Tests feature.

  • No direct competitors offered guided test incident features aligned with NIST standards, presenting an opportunity for Tandem to differentiate.

Solution

The Test Incident feature was designed to mirror the stages of actual incidents, offering a structured and realistic testing environment. Key enhancements included:

  • Flagging: clear visual indicators to distinguish test incidents from real incidents.

  • Filtering: add ability to filter Test Incidents on the incidents index, peer analysis, and global dashboard.

  • Integration with Exercises & Tests: users can create and associate test incidents directly from the Exercises & Tests page.

  • NIST-aligned stages: guided tracking through stages: Detection, Analysis, Containment, Eradication, Recovery, and Postmortem.

These solutions were designed to reduce potential confusion and inaccurate reporting, while enhancing usability of the Incident Management product.

 

Goals & Objective

The primary goal was to utilize the Test Incident feature to increase usage of the incident tracking side of the software. Doing so would increase the adoption rate of the Incident Management product as a whole.

Goals

  • Encourage widespread use of the Test Incident feature by demonstrating its value in incident preparation.

  • Integrate the ability to create and add a test incident to the Exercise & Test feature flow.

  • Ensure a seamless, intuitive experience that receives positive feedback.

Objective

  • See an increase in user adoption of the Incident Management product with an adoption rate of over 75% by increasing engagement of incident tracking.

Circle chart showing 83% Incident Response Plan adoption rate

Adoption rate of the Incident Response Plan side of the software

Circle chart showing 44% Incident Tracking adoption rate

Adoption rate of the incident tracking side of the software

 

Process

Designing the new Test Incident feature was a collaborative effort involving the entire team, guided by a process as seen below. From understanding user pain points to delivering a refined user interface, each stage built on the last to ensure a robust and user-focused solution.

Two key steps from the Wireframes & Prototypes stage—UI Layout Sketches and Wireframes and Prototypes—played a critical role in shaping the final design. These steps are detailed below.


 

UI Layout Sketches

Initial sketches focused on the Create Incident page to integrate the Test Incident marker and visual indicator into the existing interface.

My first iteration had a hybrid marker/indicator in the upper right corner of the interface to call attention to the UI, but that was quickly changed to be inline with the primary incident info, since marking an incident as a Test Incident would also display a field to associate an Exercise & Test.

I then moved on to an incident dashboard for placement of the Test Incident visual indicator, which required a decision for where to place the Incident Status UI. Additionally, I added sketches for the filter UI for the incidents index and peer analysis pages.

UI sketches on clipboard with computer in background

Wireframes & Prototypes

With sketches completed, I moved on to wireframes, starting with the Create Incident page and focusing on the placement of the test marker and indicator UI.

  • Create Incident: I added the Test Incident option to the Incident Info panel inline with the preliminary fields, which are typically filled out first. The Test Incident indicator was added to the upper right corner for quick distinction and consistency through the incident tracking pages.

Create Incident wireframe before addition of test indicator

Create Incident wireframe after addition of test indicator

  • Exercises & Tests: when an incident is flagged as being a test, a dropdown for associating an Exercise & Test is displayed. A wireframe was added to account for an exercise being selected, which auto-populates some of the form fields.

  • Incident Dashboard: the Test Incident indicator needed to be added to the Incident Dashboard and other incident stage pages. To maintain familiarity, I added the indicator to the upper right corner of the UI. There was a status dropdown to account for as it was already in that upper right corner space. It was decided to leave the indicator to the far right for consistency, and the status dropdown was placed to the left of the indicator.

  • Filters: a new filter option was added to the Incidents index, Global Incidents Dashboard, and Peer Analysis pages.

Create Incident flagged as Test Incident with added Exercise & Test

Incident Dashboard with Test Incident indicator

Iterations

During the iterative design process, there were several refinements to improve clarity and usability. Key refinements included:

  • Hybrid marker/indicator: as mentioned previously, I initially placed the marker in the upper right corner of the UI where the indicator ended up. I wanted to try out a hybrid button/indicator on the Create Incident page to make the experience more cohesive. However, the addition of displaying the Exercise & Test association would have made the hybrid marker/indicator disjointed from the added field.

  • Test Incident panel: another iteration for the Test Incident UI was to place the marker in its own panel below the Incident Info panel. I wanted to try this since the Exercise & Test association field is displayed upon marking the incident as a test. I wanted to keep the field displayed, but disabled until the incident was marked as a test. Ultimately, hierarchy won out, and the Test Incident marker was placed below the Name field in the Incident Info panel.

  • Indicator color: different colors were tried out for the test indicator. A blue fill was looked at, but when placed next to the Status dropdown on the Incident Dashboard, you ended up having two blue-filled UI elements next to each other, which created a false association. I ended up with our orange warning color to call attention and dark text to ensure contrast standards were being met and improve accessibility.

Through iterative refinements and thoughtful design decisions, this process transformed initial concepts into a user-friendly solution that aligned with project goals.

Iterations of Test Incident marker and indicator

Final treatment for Test Incident indicator


Final Solution

After extensive creative reviews, user testing of prototypes, and a few design iterations, the project culminated in the final visual design state. With completed prototypes, I moved on to integrating what had been learned into final designs.

This stage included refining every element, from the layout to the interactivity, to ensure a seamless user experience. Along the way, I added final designs and prototypes for creating an incident from the Exercise & Test feature.

Adding a Test Incident to an Exercise & Test

I also finalized the addition of new Test filters to the Incidents Global Dashboard, the Peer Analysis feature, and the Incidents index.

Adding the Test filter to the Global Incidents Dashboard

Adding the Test filter to Peer Analysis

Adding the Test filter to the Incidents index

Impact

The introduction of the Test Incident feature proved to be valuable in achieving the primary objective: increasing the usage of the incident tracking side of the software to increase user adoption of the Incident Management product as a whole. Adoption rates were lifted from 63% to over 77%, a clear testament to the effectiveness of the added functionality.

By providing a method to test incidents guided by stages found in the NIST standards, we gave users the ability to “practice like they play” when tracking and responding to incidents. They will be able to utilize this feature to fine-tune their Incident Response Plan and even forecast the effectiveness of their actions, preparing their teams for real-world incidents.

Some key outcomes included:

  • Increased activity: the introduction of the Test Incident feature boosted user engagement by 61% on the tracking side of the software.

  • Increased adoption: with the boost to engagement for incident tracking, adoption rates for the Incident Management product as a whole increased from 63% to 77%.

  • User feedback: users reported positive feedback and improved efficiency, particularly with the seamless integration of Exercises & Tests.

  • Industry recognition: the feature’s success culminated in winning the FDITECH Market Readiness award, affirming its value.

Through these thoughtful updates, the Test Incident feature achieved its objective and enhanced the overall value of the Tandem Incident Management product. As an added bonus, the feature was presented during the FDITECH competition and helped Tandem win the Market Readiness award, going up against other teams including representatives from Google, AWS, and RSM.

Incident Tracking adoption rate outcome showing 71% adoption rate

Incident tracking increased 63% up to a 71% adoption rate

Incident Management Product adoption rate outcome showing 77% adoption rate

Incident Management adoption rate as a whole increased to 77%

 
 

Final Thoughts

The Test Incident feature was a challenging yet rewarding project. It required deep collaboration and a user-centered approach to solve real pain points. Seeing the feature’s impact on users and the accolades it garnered was incredibly fulfilling—a testament to the power of teamwork and thoughtful design.

Once again, research proved its worth, unveiling user pain points and opening the door to unexpected opportunities. What started as a mission to give users the ability to test incidents with a “practice like you play” mentality snowballed into additions to the Exercise & Test and Peer Analysis features—both of which turned out to be popular with users.

While designing for simulated incidents might not sound glamorous, it’s hard to argue with the results: empowered users, a celebrated product, and a designer who’s now slightly obsessed with NIST standards.



 
 

©2025 Terrence Schuchard. All rights reserved.