Security tools that ignore how people actually work get ignored. I led the research that produced five archetypes, and realigned HackerOne's roadmap around real user goals instead of assumptions.
Customer Archetypes is the research that gave HackerOne one shared picture of who it was building for. As Head of Product Design I led the research and the synthesis, then turned it into five archetypes that product, design, and engineering still build against. It is the case study of replacing assumptions with evidence.
The problem
HackerOne was building for a user nobody could quite agree on. Product, design, and engineering each carried their own mental model of "the security person," and the roadmap reflected whoever argued hardest in the room. Security tools that ignore how people actually work get ignored, and the product was drifting toward features that looked right on a slide but missed the real job.
Research & discovery
I went wide and deep across the org, from hands-on analysts to CISOs, to understand not just what people did but what drove them.
Research · how I got to the truth
01
Ethnographic research
Watched security people work in their own environment, not in a script.
02
Semi-structured interviews
Talked across the org, from hands-on analysts to CISOs.
03
Mental-model mapping
Mapped how each person actually thinks about risk and reporting.
04
Stakeholder workshops
Pressure-tested the patterns with the teams who build the product.
The goal was to group people by what drives them, not by the title on their business card.
Synthesis: the reframe
The titles lied. A "Security Analyst" at one company wanted something completely different from one at another, and a CISO and a DevOps engineer sometimes wanted the same thing. So I stopped sorting people by their role and started sorting them by what drives them.
Attention nowModernize & prove itStay compliantUnblock the teamsDrive revenue
The same job title hid completely different goals, and different titles shared the same one. So I clustered people by what drives them, and five clear archetypes fell out.
The five archetypes
Five archetypes emerged, each a distinct driver rather than a job title: the practitioner who needs to know what matters now, the leader modernizing security, the compliance-driven guardian, the cross-functional connector, and the one who treats security as a driver of revenue.
The deliverable · five archetypes
01
The Diligent Decoder
“Tell me what needs my attention now.”
Hands-on practitioners: security analysts and engineers.
02
The Traditionalist in Transition
“Modernize our security, and prove it to the board.”
Leaders moving from infrastructure overseer to business partner.
03
The Cautious Guardian
“Keep us clear of regulatory trouble.”
Compliance-driven directors who need proof before they trust.
04
The Ambassador
“Unblock the teams, and show our coverage.”
Cross-functional connectors between security and product.
05
The Value Champion
“Make security a driver of revenue, not a tax.”
Innovation-minded leaders who tie security to growth.
Each one is a full research profile: goals, pain points, needs, attitudes, and the real roles it covers. Together they gave every team one shared picture of who they were building for.
One profile, in full
Behind every archetype is a complete, evidence-backed profile a PM or designer can actually design against.
Impact
The archetypes became the roadmap's reference point. Prioritization stopped being a contest of opinions and started being a question of which real, named need a feature served.
Impact · what the archetypes moved
Before · built on assumptions
After · mapped to archetypes
Notifications nobody could prioritize
Surface what needs attention now (Decoder)
Reports buried, no exec view
Coverage reporting for leadership (Ambassador)
Trust assumed, never shown
Compliance evidence and proof (Guardian)
The roadmap stopped being a fight over the loudest stakeholder and started being a map of real, named needs.
Reflection
The lesson that stuck: the fastest way to end a roadmap argument is to make the user real. Once everyone could point to the same five people and what they needed, the conversation moved from "what I think" to "what they need."
Explore · the full set
We went deep on one above. Here are all five. Tap any profile to open it full-size.
