When the Wall Stops Working: What Post-Fortress Architecture Teaches Cybersecurity UX

July 7, 2026
7/7/2026
Padraig Mannion
Director of UX
When the Wall Stops Working: What Post-Fortress Architecture Teaches Cybersecurity UX

Star forts were once the state of the art in defensive design.

Their angled bastions, low profiles, and overlapping fields of fire were not decorative. They were a precise response to a change in attacker capability. Earlier medieval castles relied on height and mass, but gunpowder artillery made tall walls vulnerable. The star fort adapted by changing the geometry of defense. It removed blind spots. It allowed defenders to cover the base of adjacent walls. It made the perimeter active.

For a time, the star fort was not just beautiful. It was correct.

But every defensive architecture is only correct for a particular attacker.

As artillery improved, the assumptions behind fixed fortifications began to fail. Rifled cannon increased range, accuracy, and destructive power. At Fort Pulaski in 1862, Union rifled artillery breached masonry walls from a distance defenders had believed safe; the U.S. National Park Service describes the event as rendering masonry forts obsolete.  

The lesson was not that defense no longer mattered. The lesson was that the wall could no longer be the whole answer.

By the late 19th century, fortification design increasingly emphasized concealment, distribution, earthworks, and mutually supporting positions rather than visually dominant masonry structures. Historic England describes this as a pivotal shift from grand fortifications toward less visually imposing strongholds where concealment became a design priority.  

That is how we should be thinking about design for cybersecurity today.

We are not living through the invention of the star fort. We are entering the period after it.

The network perimeter is no longer the promise

Cybersecurity has already moved beyond simple perimeter thinking. Zero Trust is one expression of that shift. NIST defines Zero Trust as a move away from static, network-based perimeters toward defenses centered on users, assets, resources, and workflows, with no implicit trust granted solely because something is “inside.”  

But AI changes the urgency.

AI-enabled attackers do not need to be magical to create a major defensive problem. They only need to compress time. They can accelerate reconnaissance, generate more convincing social engineering, vary attack paths, and process stolen information faster. The UK National Cyber Security Centre assesses that threat actors are already using AI to enhance reconnaissance, vulnerability research, exploit development, social engineering, malware generation, and analysis of exfiltrated data.  

That changes the defender’s design brief.

The old question was: how do we keep attackers out?

The new question is: how do we design an operating model for when attackers get in, move quickly, and force decisions faster than humans can manually assemble context?

That is not only a tooling problem. It is a UX problem.

The SOC was designed around signals, not movement

Many security operations centers are still organized around product outputs: endpoint alerts, identity alerts, cloud alerts. Each one can be useful. But attackers do not move through an organization according to product categories. They move through relationships.

They compromise an account. They reach a machine. They discover what that machine can access.

That path is the modern battlefield.

The defender, however, often experiences the attack as fragments. One suspicious login. One endpoint detection. One unusual connection. The hardest work is not seeing each signal. It is understanding how the signals connect.

This is where the post-star-fort analogy becomes useful for UX leaders. Once the wall can be crossed, the design challenge shifts from perimeter strength to terrain awareness. Defenders need to understand movement, preserve command, coordinate response, and reduce the time between observation and action.

A clean dashboard is not enough if the dashboard preserves the wrong mental model.

From fortress UX to post-wall UX

The core UX shift is from event-centered design to movement-centered design.

This table is the heart of the argument.

AI-era defense cannot rely on humans manually translating fragmented events into attacker movement. The product experience has to do more of that synthesis. It has to help defenders see sequence, relationship, confidence, consequence, and response.

That is where UX moves from interface polish to operating-model design.

NDR as a post-wall visibility pattern

NDR is not the new wall. It is a post-wall visibility pattern.

It assumes the attacker may already be inside and focuses on behavior across the terrain of the modern enterprise. That terrain is no longer just the corporate network. It includes data centers, remote locations, cloud environments, SaaS applications, identities, and unmanaged or semi-managed assets. Vectra AI describes the modern attack surface as spanning network, identity, and cloud, with NDR helping connect signals across those domains rather than treating the network as a single fixed perimeter.  

That makes NDR analogous to the observation and coordination systems that became more important after fixed fortifications lost dominance. When the perimeter is no longer decisive, defenders need to understand movement across the environment: how users, devices, workloads, and services interact; what changed from normal behavior; and where an attacker may be using legitimate pathways for illegitimate purposes.

For UX leaders, the point is that NDR represents a broader design principle: show movement, not just events.

This is especially important in hybrid and cloud environments, where attack paths may cross from endpoint to identity, from identity to cloud control plane, or from one workload to another. Vectra AI frames NDR around behavioral detection across network traffic and metadata, including signs of lateral movement, command-and-control activity, reconnaissance, and exfiltration — the kinds of behaviors that matter after an attacker has bypassed prevention controls.  

A SOC experience that integrates network behavior with identity, endpoint, and cloud context gives defenders a better chance of understanding what is happening before the final impact. Without that integration, NDR risks becoming one more queue. With it, NDR becomes part of a shared operating picture: a way to help analysts see the attacker’s path through modern terrain, not just another signal from another tool.

UX’s role is to redesign the process of defense

The next generation of cybersecurity UX need to ask what workflows still fit the threat.

Should an analyst have to read ten alerts to understand one attack path?
Should a system wait for human review before taking a low-risk containment action?
Should blast radius, confidence, and reversibility be visible before response?

These are product strategy questions as much as design questions.

AI will force security products to negotiate a new relationship between human judgment and machine action. Too little automation, and teams drown in volume. Too much opaque automation, and teams lose trust. The UX challenge is shared control: systems that can summarize, recommend, contain, and explain; humans who can govern, override, and apply judgment.

That requires designing for trust under pressure. Confidence must be visible. Evidence must be inspectable. Actions must be understandable. Where possible, response must be reversible.

The future the SOC is a command environment

The post-wall SOC will feel less like a collection of dashboards and more like a command environment.

Not because it needs cinematic maps or dramatic visualizations. Because it needs to help teams understand terrain.

What is connected?
What has changed?
What is moving?

Those are better questions than “how many alerts are in the queue?”

The best cybersecurity UX in the AI era will reduce cognitive assembly. It will turn fragmented signals into attack paths. It will connect prevention, detection, response, and recovery into a single experience. It will make automation trustworthy enough to use, but governed enough to trust.

The wall still matters. Perimeters, endpoints, identities, networks, and cloud controls all still matter.

But none of them are the fortresses.

The real product is the experience that connects them.

When the wall can be crossed, defenders must understand the terrain. When attackers move at AI speed, that understanding cannot depend on human-speed reconstruction.

That is the new UX mandate for cybersecurity: design the post-wall experience of defense.

Read more from Padraig Mannion, here.

FAQs