ARKO

AI security plugin for VS Code + Cursor

I designed the sidebar experience, visual language, and brand for a developer-first security tool. Three-person team: the founder (an active CISO), one developer, and me.

Year

2025 - 2026

Team

3 people

Role

Lead Designer

Company

DevSecAI UK

VS Code ExtensionUI/UX DesignUX WritingBrand Identity

The Brief

DevSecAI shifted from a heavyweight enterprise dashboard to a developer-first product that meets engineers inside their editor. The company needed everything visual and strategic built from zero.

I joined as the first and only designer, working directly with the founder and one developer. Equity-free arrangement. Direct mentorship from a CISO in exchange for full design execution.

My Role

-Plugin UI design

-Brand identity system

-UX writing + microcopy

-DevSecAI.com

-Enterprise data sheets

The Problem

Security tooling that developers ignore is not security tooling.

Traditional SAST tools produce long lists of generic severities. Developers skim and move on. AI-assisted coding increases velocity, which means security debt compounds faster.

The product hypothesis: if the tool reasons about architecture and returns one obvious next action, developers fix issues before merge.

My design challenge: earn trust inside a 300px-wide sidebar panel, while producing enterprise marketing that convinced CISOs the same product was worth procuring at scale.

The Product

ARKO scans a codebase using an AI pipeline, builds an architectural threat model, and returns prioritized findings with plain-language fixes. The sidebar is the entire product surface for the extension.

UI Decisions

Every decision was shaped by two constraints: 300 pixels of width, and developers who close panels they do not trust.

Score, not count

47 issues tells you nothing. A 0-100 Hackable Score with dynamic color, circular gauge, and a copyable README badge tells you everything at a glance.

One action, not a list

The Next Action card surfaces the highest-severity open issue only. Fix copies a structured AI prompt. Open jumps to the vulnerable line.

Named phases, not fake progress

Scans take minutes. Showing real pipeline phases builds trust and educates users. No fake percentage bar hitting 99% and stalling.

Posture first, depth on demand

Hackable Score at the top, Next Action below, then collapsible threat model and vulnerabilities. Progressive disclosure, not overload.

Design System

One mental model, reinforced everywhere. The Hackable Score color scale drives the gauge stroke, status pill, pulse speed, bar fills, and README badge.

Constraint

Single HTML/CSS/JS string injected as a VS Code webview. All styles inline in TypeScript. No bundler. Pure CSS variables and DOM manipulation.

hackable score - color scale

0-30

31-50

51-70

71-85

86-100

critical

elevated

caution

low risk

secure

--arko-accent

CTA, Next Action, low severity

--arko-purple

File paths, Builder tier

--arko-amber

Warnings, high severity

--arko-red

Critical severity, risk gauge

Outcome

ARKO shipped to the VS Code and Cursor extension marketplaces. Visit devsecai.io for more information. The company received a £750k investment offer, declined because the investor required too large a stake in the company.

PluginShipped to VS Code + Cursor

BrandZero to full identity system

WebsiteDevSecAI.io

CollateralData sheets, HLDs, carousels

Investment£750k offer (declined on terms)

devsecai.io ->linkedin ->

home/work/arko

get-in-touch ->