I own UX end to end and drive product direction. I'm at my best at the messy, undefined front of a project, turning "we're not sure what this is yet" into something clear, shipped, and functional.
Five case studies from Spec, a B2B SaaS security infrastructure startup. Research-driven 0→1 builds spanning investigative tooling, information architecture, data visualization, and self-service features. 2023–2026.
I came to product design by a winding route: years of construction project management and running small businesses. That mix left me fluent in stakeholder alignment, quick to read how a business actually works, and permanently allergic to solutions that ignore it. Today I'm the sole designer and PM Lead at Spec, a B2B security infrastructure startup, owning UX end to end from problem definition through shipped feature.
For all that business pragmatism, what I really believe is simpler: UX isn't fundamentally a digital problem. It's a human one. That's what growing up in the performing arts taught me.
Digital products should exist to give us more time back in the real world.
As for my real world: I'm a New Orleans native who enjoys good music, good company, and good cooking. When I'm offline, you can find me teaching Ballet, learning about photography, and coaxing the garden through a zone 9 summer.
Drop me a line. I like knowing what people are working on, even when the timing isn't right.
meghan.m.thomas@gmail.comEntity Linking for Investigations
Rebuilding the entity profile — a fraud analyst's view of a single identifier like an email, IP, or merchant ID — into one hub where they investigate and act without leaving the page.
I reviewed Gong call recordings for verbatim client pain points and spoke with the Product Success team who field analyst questions daily. They were the closest proxy to the end user. Finally, I used affinity mapping to turn scattered quotes into themes, and those themes pointed to one surface as the highest-leverage place to start: the Entity Behavior and Linking experience.
Affinity mapping exercise in Excel
"Where can I see all the orders for this user?"
"How many devices are associated with this email?"
Ideating with AI
AI takes the tedium out of ideation, but it doesn't replace the designer: you trade managing yourself for managing an IC only as good as your direction. Used with intention it's a genuine additive; left unchecked, you spend your time fixing its output instead of sharpening your own.
New information architecture layout for the entity profile
The 90-day activity cap wasn't arbitrary: it kept ClickHouse query costs down given Spec's event volume. But 90 days often wasn't long enough to establish behavioral patterns.
Rather than lift the cap, I kept the cost-conscious default and gave users an optional window up to 365 days. Most analysts rarely needed past two or three quarters, so 365 was a deliberate test boundary: enough to validate real demand before expanding further.
Before
After
Every entity shows a status chip (Allowlist, Blocklist, or No List), editable in place and synced both ways with Lists. The same treatment carries through every table, search result, and flyout in the product.
Before
After
A search bar in the side nav lets analysts look up any identifier without leaving context. Live suggestions surface as they type; one click lands in the right profile.
It's arguably the highest-leverage unlock, so why M3 and not M1? Dependencies. A true global search would have been prohibitively expensive at Spec's data volume, so I scoped it with PS to a semi-global lookup on key entities. That still needed a new search table from the platform team first, so I sequenced lighter milestones ahead of it and landed it as early as the release chain allowed.
Before
After
Events split into four tables (Payments, Refunds, Logins, Signups), each with tailored columns and breakdowns. A new event_context field lets PS add plain-language explanations to failed events.
Before
After
A node graph surfaces first-degree connections grouped by identifier type, node size scaled to volume. Selecting a node filters the linked entities table and updates the event volume chart live.
This wasn't the first attempt. An earlier graph had been scrapped for good reason: nodes drifted when selected, and color noise buried any pattern. The rebuild was a series of corrections: scope links to first degree, strip the palette, lock the nodes static, and scale each by its event count so volume reads at a glance. From there it hands off to the real analytical work: aggregates, timelines, and click-throughs into event search.
Before
After
Cut on engineering scope and flagged for revisit after launch, recalibrated to whichever clients were actually onboarded by then.
This had to be solved at the session level first. Surfacing it in the profile before that upstream work landed would have shown clients false confidence.
Entity profile
Entity linking
"Awesome!! We have made so much positive progress in such a short amount of time across the board. It's been crazy!!"
Dependencies always shape the order: some work can't ship until its prerequisites exist. Within those constraints, I front-loaded the highest-leverage, lowest-lift pieces, so when the initiative wound down early, the work that mattered was already in users' hands.
Site Sentry
A 0→1 product that maps customer traffic into a visual route table, cutting onboarding from weeks to hours.
I mapped how customer deployments actually worked. PS team interviews exposed a manual, speculative routine: push catch-all specs to see what existed, then reconfigure once the data came back. Sales conversations revealed a parallel gap, Spec was pitched as "proactive," but that proactiveness lived in the process, not the product. Mapping the deployment steps made the root cause plain: with no way to see what routes a customer actually had, every setup started from zero.
"Guess and check. Every time."
You can't configure what you can't see. PS was deploying blind just to learn what was there, so the first thing to build wasn't the config tool, it was the ability to see at all.
Configuring Spec's event catalog meant mapping URIs, headers, query parameters, and body criteria for every route worth monitoring. The problem: there was no way to know what routes actually existed in a customer's environment, or what data was present in any given request or response.
The project was structured around a clear priority order: surface everything first, then give users the tools to act on what they see. Route discovery had to work reliably before route management could mean anything.
The Site Sentry home view is a route table: one row per route key, automatically populated by sampling the proxy. Each row surfaces the route key, sampled call rate, a 7-day velocity visualization, and the associated spec name and event type if one has been deployed. ID-heavy paths are algorithmically compressed into wildcard routes, and irrelevant routes are filtered by MIME type and HTTP verb before they ever reach the table.
Clicking into any route opens a detail view with the full picture: velocity history, spec name and event type, a breakdown of the route key (URI, query parameters, headers, body), and a sample request and response from the actual customer environment. This was the answer to the question PS had been asking manually for every deployment: what data is available on this route?
Site Sentry isn't a read-only view. It's a working surface. PS can full-text search across all routes to check for specific cookies, headers, or form data keys. Routes can be split by adding match criteria that distinguish one variant from another, or merged via wildcards when ID segments clutter the table. When a route is ready to become a spec, match criteria can be exported as JSON and fed directly into the spec catalog. No transcription, no translation.
The sampled call rate for any route doubles as an insertion rate estimate: telling PS teams roughly how many events a new spec will generate before they commit to it. This closed a key gap in the configuration workflow: teams could now validate the scale of new coverage before deployment, rather than discovering it after the fact.
Two capabilities were explicitly held back from this release, not because they weren't wanted, but because they would have created fragility or set the wrong expectations at launch. Visibility and trust had to come first.
Promoting Route Key Specs into native Specs would have blurred a meaningful distinction in the data model. Keeping them separate at launch meant users understood what they were working with, and the upgrade path could be designed deliberately rather than bolted on.
Onboarding-time range per the Product Success team's lived experience.
Site Sentry replaced a manual, error-prone onboarding process with an automated, visual one. Customers get immediate visibility into what's happening across their environment on day one. PS teams get a surface they can trust, and for the first time, the product could demonstrate its own proactiveness rather than have someone explain it.
Allow / Block Lists
A self-service hub that hands clients all 20 allow and block lists, making time-sensitive blocks instant.
PS team interviews surfaced a constant stream of inbound Slack messages that had nothing to do with their actual expertise. Request pattern analysis showed how lopsided it was: a disproportionate share were simple, repeatable updates clients could easily make themselves. And urgency mapping made the cost concrete, fraud moves fast, but a block only happened when PS was free to action the request.
"Can you add this email to the block list?"
Clients knew exactly what they wanted to block. The product just wasn't letting them do it themselves.
Clients who needed to update their allow or block lists had one option: submit a request to Spec's Product Success team and wait. For routine list hygiene, that was an inconvenience. For time-sensitive fraud operations, a known bad actor appearing in real time, it was a genuine operational gap.
The core of the work was structural. All twenty list types lived only in a backend JSON config. There was no client-facing UI at all; consolidating them into a single, filterable hub under Model Settings was the decision the entire feature hung on. Close work with the PS team, who fielded these requests daily, informed how the lists were grouped and surfaced in the new structure.
The feature was scoped as a single release targeting the core self-service loop: find the right list, make the change, confirm it happened. Each capability built on the last: the hub made the lists visible, entry made them editable, validation made editing safe, and the log made it trustworthy.
The lists manager now lives in a Model Settings tab (the start to a self-service UX which will eventually hold other self-service actions) and opens to all 20 allow and block lists displayed simultaneously. A filter panel on the left lets users search by list name or by values within lists, so finding a specific entry across all lists takes seconds. No toggling between tabs. No hunting through menus.
Adding entries was designed to support both the single-value case (one email to block right now) and the batch case (a report of 200 suspicious IPs). Users type a single value or paste a comma-separated list directly into the input field and press Enter. Both paths feel the same: no separate import modal, no file upload flow required.
Validation catches duplicates across lists and format errors where the element type has a consistent format to check against. Entries are not case-sensitive. But the system is transparent about its limits: some element types, like zip codes, vary enough by country that format validation would produce false negatives. For those, the product doesn't attempt validation it can't do reliably.
The Change Log sub-tab gives clients a full history of every modification. Each line item represents a save event, so if a user updated three lists in one session and hit save once, those changes appear grouped together, reflecting how the action actually happened. Especially valuable in multi-user environments where multiple team members have access.
Nothing here was a hard cut. The discipline was the opposite: holding a tight scope so v1 could ship fast and prove the core loop (find the list, make the change, confirm it) before anything else got layered on. These were the lines drawn deliberately, to be revisited once real usage showed which ones actually mattered.
Paste-and-go covered bulk entry well enough to ship. A file uploader sounds obvious, but "obvious" is just an assumption until someone actually hits the wall. Let real usage ask for it.
The PS team had been fielding list management requests as a matter of course: a low-complexity, recurring task that took up availability they needed for actual client work. Handing that control to clients didn't just unblock them. It freed the team to focus on the work only they could do.
Color Palette 101
Spec's first color system: a 12-color chart palette and five semantic states, replacing 50+ scattered hex values.
Color was one layer of a wider audit spanning IA, interaction, styling, and type, and it was impossible to ignore: 50+ disconnected hex values, no shared language, no rationale for any single choice. I don't come from a deep color theory background, so I leaned on outside help. Paul Tol's color research gave me a framework to reason about it; Viz Palette tested color sets in real chart contexts and flagged where shades collapsed or failed accessibility. Then I did all my testing in context, inside real data visualizations rather than swatches, since that's the only way to know whether "distinct" values stay distinct at the sizes and densities they'd actually appear in.
What's mathematically distinct isn't always visually distinct. The eye doesn't read hex codes. Twelve "unique" colors can still collapse into a blur of blues, so the real job was optimizing for perception, not math.
The product had accumulated over 50 disconnected hex values across charts and UI elements without systematic organization. As the charting surface expanded, the inconsistency compounded: each new visualization made its own color choices, with no shared language to tie them together.
The work unfolded over eight months in three distinct phases: each one building on the last, and one of them responding to a surprise mid-project rebrand. What started as a color audit became a full system, and then had to be rebuilt around a new brand anchor before it could ship.
Color was one piece of a broader product audit covering IA, interaction design, styling, and typography. On the color side: every value in the product was catalogued, the inconsistency documented, and then a real research phase began.
I initially thought I needed 15 colors. After testing with Viz Palette and working through Paul Tol's color theory research, I landed on 12, including Spec's brand blue as the anchor. The research phase was extensive and essential. This wasn't territory I had deep color theory experience in, so I built the foundation before making decisions. Accessibility was a core part of that exploration: Viz Palette simulates how color sets read across different types of color blindness (deuteranopia, protanopia, tritanopia) and flags pairs that become indistinguishable. Several early candidates that looked strong in isolation failed those checks entirely. That feedback loop was what made the tool so valuable; it caught issues no swatch review would surface.
With the chart palette established, the next layer was semantic: a set of colors that would communicate risk and informational states consistently across the product. Five states: red (malicious), yellow (suspicious), green (good), grey (neutral), blue (secondary informational). Yellow was the hardest. It had to read clearly as "suspicious" without veering into orange or washing out into something too bright to be taken seriously. Getting it right took significant iteration, but landing on a yellow that was unambiguously moderate risk, not too orange, not too light, was one of the most important decisions in the whole system.
I tried and tried and tried again. The palettes that came close to being greenlit kept running into the same wall: too similar to a competitor, or too close to another well-known product. Which raised a harder question: how do you differentiate without diverging for its own sake? Being different just to be different isn't design. It's noise. And noise, in a data product, is the last thing you want. At the same time, if a palette works, if it's accessible and legible and users already understand its language, is replicating it actually wrong? That was the quandary. There's no clean answer to it, which made it one of the most genuinely difficult parts of this project.
Where we landed: anchor to meaning. The risk and status colors didn't need to be original. They needed to be correct. Green means good. Red means bad. Yellow means watch out. Those associations are too deep to fight, and fighting them in the name of differentiation would have made the product harder to trust. The distinctiveness came from how the system was built around those anchors, not from the anchors themselves.
Midway through the project, a surprise: Spec rebranded with a new brand blue and purple. The palette had to go back to the drawing board. The goal expanded: not just update the chart colors, but build a full color system: 8 main color families (red, orange, yellow, green, blue, purple, pink, grey) with stops up and down from each main to support future dark mode. Brand blue and purple were subbed in directly. Grey was edged toward Spec's blue tones to keep blacks away from true black. Red and green carried over from the risk color work in Phase 2. The one exception: the risk yellow stayed protected. It had taken too long to find and was too precisely calibrated to risk touching. A distinct orange and yellow were drilled into separately for the chart palette. Four accent colors (for chips, icons, categories, future product features) were also defined as part of this phase.
With the expanded palette defined, the same validation process from Phase 1 ran again: every color put through Viz Palette to check for distinguishability and accessibility issues. The rebrand had introduced new values that hadn't been tested in data visualization contexts before, so this wasn't a formality. New blue, new purple, adjusted neutrals, all of it needed to hold up at small sizes, in overlapping series, and across the range of visual impairments the tool flags. Some colors needed nudging. Some passed cleanly. The color report became the documentation of what was intentional and what was a known tradeoff, so future decisions could be made with context rather than from scratch.
A color system without usage guidance is just a swatch set. The output of Phase 3 included how each color category applied across UI contexts (backgrounds, borders, icons, text) with clear rules for where each role belonged. This layer also laid the groundwork for a future dark mode: the color stop structure across each family was designed with that in mind, so it wouldn't require starting from scratch when the time came.
Two pieces were deliberately deferred, not for lack of value, but because the timing wasn't right. The system itself shipped complete; these were the extensions left for the moment they could land with full impact.
The existing chart palette was good enough to hold, so the overhaul was deliberately paused: better to fold it into the eventual redesign of the Insights experience and its core charting aids than to rebuild the chart colors in isolation.
A matter of time, not priority. The system was fully defined in Figma; codifying it as tokens in code was slated to build with the front-end team during the next innovation week.
Before this work, every chart made its own color choices. After, every chart pulled from the same intentional framework: built around brand, tested for legibility, and documented for future contributors to build on without having to reinvent decisions that had already been made.
Insights Experience
Turning a passive analytics Hub into one that surfaces what changed, before users even know to ask.
The PS team knew the sessions worth watching, the trends, the patterns that mattered per customer, but none of it lived in the product. A new-user audit showed the cost: people arriving at the Hub had no way to see what was happening without already knowing what to ask, so the product rewarded expertise it couldn't assume. A second chart-interaction audit surfaced a related gap: nearly every chart was a dead end. Only the Session Volume Timeline let you click through to search; everything else forced users to rebuild the query by hand.
"They are great examples of why we need to make the product clean for clients. They will actually be using it."
The product could answer almost any question a fraud analyst or security team wanted to ask, but only if you arrived with the question. That core gap, a powerful tool with no guidance, surfaced in three different ways over three years, and each became its own phase of work.
The original Insights experience: powerful, but it required you to arrive with a question.
The Insights experience launched in 2023 as a standard surface giving new users immediate context on their properties. A second phase expanded beyond session-centric data into custom, PS-configured, per-customer dashboards built around events and entities, speaking in the language customers actually used. A third phase closed the biggest remaining gap: charts that couldn't be clicked into for query analysis.
The foundation. Before Custom Dashboards (2024) and chart click-through (2025) could build on it, the core experience had to exist: a starting point assembled from the PS team's knowledge of what mattered to each customer. What follows is that founding effort, end to end: explore, converge, ship.
With the PRD in hand, I moved into the design space to make sense of it: roughly translating requirements into Figma, pulling screen inspiration from products solving adjacent problems, and pressure-testing how the insight cards and overall layout could come together. The goal was to explore widely before committing: how insights should be grouped, what belonged on the first screen, and how each metric should read at a glance.
The exploration converged on a deliberate narrative arc: the broadest view at the top, narrowing down to the most granular. At this time, the product was communicating user journeys at the session and lightly at the event level. Every chart became a doorway into the underlying data for each use case that was sold to the customer in the form of 'modules'.
From there the structure resolved into concrete wireframes, then got checked against the original experience to make sure nothing in the PRD was lost.
Lo-fi user flow: the full path from insight list through overview and detail, out into search.
The experience shipped as a single progressive drill-down. The Insight List grouped session and event trends, each showing its week-over-week change and a 7-day trend, color-coded so problems read red and wins read green. Clicking an insight filtered the Session Volume Timeline to the relevant sessions and events in that use case.
States: the loading, empty, and populated states behind each surface.
Curated beats flexible. Most users don't want to build their own dashboards — they want someone to have already decided what's worth watching.
The original Insights page was session-centric, but customers thought in events and entities, and PS was regularly fielding questions session-based reporting couldn't answer. Custom Dashboards handed that flexibility to the Product Success team: with a JSON config and a ClickHouse SQL query against the underlying event and entity data, PS could spin up any visualization a customer needed (refund reasons, top cities, high-velocity IPs) and white-glove each customer's experience without an eng ticket or a redesign. Three chart types (bar, line, pie); an internal-only flag let PS build and vet privately before exposing a dashboard to the client. Just as useful, it doubled as a low-cost testing ground for which visualizations customers actually reached for: signal to de-risk a future overhaul of the core Insights experience. This phase didn't call for new design: the charts reused the existing chart library and color system, so my role was to be available to test as engineering built it out.
By 2025 the architecture had grown: the original drill-down plus Phase 2's custom event and entity charts (shown here). One gap remained: most of it was a dead end. Only the Session Volume Timeline could be clicked into; every other chart left analysts to rebuild the query by hand in search. The V2 release made the whole structure navigable: clicking any chart opened a filtered Event Search in a new tab, with each insight defining which columns the drill-down surfaced. There wasn't much to design here; the interaction reused existing patterns. My role was stewardship, making sure engineering reused the existing chart library and color scales so it stayed visually consistent, and testing in staging before it shipped.
"[The flow is] cumbersome… Don't always have 45 minutes to analyze something."
At an early-stage startup, delivery is a resource problem before it's a design problem. Every release started as a wishlist, the theme-park version of what Insights could be, and the real work was getting it down to something shippable without losing what actually mattered to customers. Each idea had to clear three filters, in order:
What cleared all three was rarely the biggest release — it was the next increment. The phases in this case study weren't a roadmap set in advance; they were these decisions, made one constraint at a time: ship fast, ship often, listen, pivot.
You rarely get to throw the whole pot of pasta at the wall and see what sticks. You pick the strand most likely to land, ship it fast, and let what you learn point to the next one.
Before Insights, new users arrived at an empty starting point and had to already know what to search for. After, the product did the work of surfacing what had changed, and the chart click-through phase closed the last gap between seeing something interesting and being able to act on it.