GitHub's first code security dashboard, built to unblock enterprise adoption
Leading design and product strategy for the first reporting experience in GitHub Advanced Security, giving enterprise security teams a way to prioritize risk across their codebases and track remediation progress over time.
Problem
GitHub Advanced Security was a young product without reporting or analytics features. Enterprise customers couldn't meet compliance audits or prioritize risk across their codebases, and that gap was actively blocking acquisition and retention.
My role
Lead designer. I owned the design vision and co-led product strategy across the multiple GitHub product teams contributing data to the experience, from research design through launch.
Solution
A dashboard that gives application security managers a high-level view of risk posture and remediation trends, helping them prioritize where to focus remediation next.
Outcome
Launched at GitHub Universe 2023 as a keynote highlight. Year over year, monthly active orgs grew ~6x and the most engaged cohort (teams returning 10+ days a month) grew ~100x. Sales credits the experience with removing reporting as a top adoption blocker for GitHub Advanced Security.
Demo of the currently shipped dashboard as of July 2025, as seen in our test environment.
Why this was hard
Every security product team and stakeholder had their own goals and KPIs, and every one of them wanted their product's metrics to be the focus. We risked shipping our org chart instead of a tool that actually helped application security managers prioritize and track remediation.
Using data to gain alignment
I ran research with existing and prospective customers across every target role: an open card sort to rank the data and insights they cared about most, plus jobs-to-be-done interviews to capture how each role measured success. From then on, I led every internal proposal with those ranked findings.
To build buy-in across the org, I also ran an async brainstorming workshop where every product team shared ideas and ranked them together. Stakeholders felt heard and shared ownership of the direction, which improved buy-in.
Spotting a retention opportunity
The MVP was going to ship with fewer vulnerability insights than planned, so I went looking for ways to make it richer. Past customer feedback pointed at one: application security managers struggled to justify the cost of GitHub's security tools to the leadership controlling their budgets. I argued for a Prevention tab built around that question, surfacing vulnerabilities prevented, risk reduced, and posture trending in the right direction. It turned an adoption fix into a retention lever.
What shipped, and what it changed
The MVP launched and was a keynote highlight at GitHub Universe. In the year that followed, the dashboard moved from a launch metric to a habit: monthly active orgs grew ~6x, and the most engaged cohort (teams returning 10+ days a month) grew ~100x. Users consistently outpaced orgs, a sign teams were expanding usage within their accounts. Follow-up interviews matched what we had heard in prototype testing: the metrics, filters, and scoping we shipped lined up with how enterprise security leads actually triage risk and prove compliance.
Sales and field teams have since reported that reporting is no longer a top adoption blocker for GitHub Advanced Security.
What people said
- “This new screen is almost perfectly the report I want for my leadership.”
  Principal Architect, Platform Architecture and Security · enterprise customer
- “One of the customers on the private beta is loving the new overview. They've been able to report burndown of alerts on their monorepo with it. This is going to help a lot of AppSec teams.”
  Field engineer · relaying private-beta feedback ahead of Universe
- “Other teams across the company are now looking to these dashboards for inspiration and guidance.”
  Staff product designer · GitHub security products team
Takeaways
- Even with clear evidence, your best ideas will struggle to land without a strong narrative and stakeholders who feel collective ownership.
- When no single view can satisfy every role, filtering and scoping is the right answer. Letting each role cut the same data their own way served more people than one curated view would have.
What I'd redesign for the AI era
AI has changed how application security managers operate: At the Gartner SRM Summit in June 2026, analysts flagged that traditional application security metrics like MTTR and vulnerability counts are losing relevance as enterprises shift toward risk posture and security outcomes. If I were leading this work today, here's how I'd redesign the feature to address these evolving needs:
- Make governance, visibility, and policy controls first-class views as AI accelerates application security risk.
- Reframe prioritization insights around exploitability, runtime context, and attack-path analysis instead of ambiguous severity scores and counts.
- Let security leads prove posture and outcomes, not just track tickets and close rates that say little about real risk.