
My biggest achievement at Qualys was the redesign for version 5.0. The app languished for years under the first UI, which was late-'90s nested tables and large images, so it wouldn't scale beyond a few additional features.

By the mid '00s, the app had grown from two simple features to a suite of 9 primary features and over 15 supporting feature sets. As an engineering-centric company, most people didn't see an issue. It worked. People used it. Let's build the next big feature.

QualysGuard 5.0 dashboard
QualysGuard 5.0

I spent several months simplifying and standardizing, even building the entire app out in HTML as a fully functional prototype. I shopped this around to sympathetic allies (QA, Customer Support, some others) and eventually got a meeting to put it in front of the CEO. At that point I had full support.

It was a tremendous effort. On everyone's part. Engineering rewrote the UI from the ground up. Documentation had to be completely rewritten. Training had to update existing content and add 50% more material to fill the extra time they now had since the design allowed them to move through the content that much faster. It was a lot to coordinate.

QualysGuard Executive Report sample
Executive Report Summary

QualysGuard's primary use case is to find vulnerabilities in a network and info that could be used in other exploits. Scanning 16 million nodes at a time generates hundreds of MBs of data. The biggest challenge here was to make navigating the data easier, both visually and in the browser.

Flow chart example tracing the path for downloading a report.
Download Flow

Qualys switched from waterfall to agile methods partway through my time there. Even with a just-in-time, just-enough approach to documentation, I would always break down every flow into a diagram. This helps identify edge cases while optimizing for the primary use case for a given feature.

QuIDScor logo
Qualys IDS Correlation Daemon Logo

I also enjoyed the opportunity to brand the open source QuIDScor project. There was a lot of creative freedom on this project. I took the Qualys red with black outlines and envisioned tentacles pulling data from various sources to a central location. And to me, the name sounds like a Pig Latin variation of the word squid.

Headshot of Tricia Trujillo

[Thomas] has an amazing ability to take complex, technical requirements and turn them into a simple design that doesn't burden the user.

The fast pace of the world of vulnerabilities demanded not only quick responses to new exploits but also a UI that could expand naturally to allow adding new features to satisfy highly technical users in an enterprise as well as packaging up summary data to push to upper management.

Qualys was a fantastic opportunity. I acquired and honed many skills there that I use to this day. The biggest lessons I learned were around advocating for UX, gaining consensus for design through quick and dirty usability testing, and building allies by incorporating the insights that other departments can bring to the product.