Spinas Web · Enterprise B2B Hosting

The queue collapsed.

200+ monthly tickets, each costing 2–4 hours of human time, folded into a 0.3-second click.

Spinas Web's hosting clients were getting blocked by the firewall multiple times per day. Each unblock required a support ticket. The fix wasn't a faster queue — it was no queue. Self-serve, gated by the exact same security checks the human workflow ran. The simulator below replays it.

Role: Lead / solo designer · End-to-end
Scope: Enterprise workflow · Security UX
Timeline: Jan 2021 – May 2021
Team: 1 PM · 1 eng lead · 1 eng · 1 designer (me)


IT support inbox · 12 tickets · avg 3h to resolve

HIGH · IP blocked · acme.com · 2h 14m · open
HIGH · IP blocked · b2b.io · 3h 22m · escalated
MED · IP blocked · shop.co · 4h 03m · in progress
HIGH · IP blocked · store.app · 1h 48m · open
MED · IP blocked · trade.dev · 5h 11m · open
LOW · IP blocked · marketplace.tech · 6h 24m · in progress
HIGH · IP blocked · checkout.io · 2h 47m · escalated
MED · IP blocked · api.work · 3h 35m · open
MED · IP blocked · studio.gallery · 1h 12m · open
HIGH · IP blocked · labs.cloud · 4h 48m · in progress
LOW · IP blocked · grain.bread · 7h 02m · open
MED · IP blocked · sage.studio · 2h 35m · open

2FA · rate-limited · audit-trailed

Brief

The bottleneck wasn't the queue. It was that there was a queue.

200+ tickets a month. Each one took 2–4 hours of human time because the work was real — verify the client, run firewall commands, log the action, confirm restoration. Hiring more support agents wouldn't fix it. The structure was the problem.

Client friction

2–4h · average resolution time per ticket

“My site is blocked. I open a ticket. I wait. I'm losing customers while support reads the queue.”
Business owner · post-incident interview

Operations friction

20h/wk · support time lost · 200+ tickets/mo

“I spent 20 hours this week unblocking IPs. I want to ship product, not gate-keep firewall rules.”
IT Manager · internal retrospective

Three constraints met simultaneously

Self-serve doesn't mean less secure. It means fewer people in the loop.

The design lived inside three hard constraints. Loosening any one would have killed the project — security would block, engineering would refuse to integrate, or clients would refuse to use it. The button only ships when all three axes hold.

  1. Security · constraint 01

    Security · don't weaken the firewall.

    The security team had legitimate reasons for the rules. We could not bypass them — only expose them. Same checks, same rate limits, same audit trail. Just no human in the loop.

  2. Technical · constraint 02

    Technical · integrate with what exists.

    The firewall + CDN + identity-provider stack was already running. The unblock action had to compose with all three through their existing APIs — not replace them.

  3. UX · constraint 03

    UX · self-serve without training.

    Clients are SaaS operators, not security engineers. They shouldn't need a doc, a tutorial, or a support agent to learn the new flow. One screen. One click.

Three design rules behind the button

Make security visible. Respect rate limits. Restore agency.

One screen. One button. Three product rules, each anchored to a specific stakeholder concern.

01

for security team

Make security visible.

The 2FA prompt, rate-limit chip, and audit-log entry all live in the UI. Clients see the gates running. Auditors see the trail. The security team can tell at a glance the rules are being followed.

02

for engineering

Respect rate limits.

Three unblocks per session per hour, server-enforced. If a client trips it, the UI shows a calm cooldown countdown — no error modal. The cap is high enough for legitimate use, low enough to defang automation.

03

for clients

Restore agency.

No queue. No ticket. No waiting for support to open. The client controls the moment of resolution — the design's whole reason to exist.

Same gates · no human in the loop

The button runs the same security checks the ticket workflow ran.

Verify session token. Challenge with 2FA. Check rate limit. Write audit log. All four complete in 0.3 seconds.

Security gates · same as ticket workflow · 0.3s total

Verify identity · Session token · 80ms
2FA challenge · TOTP · 6-digit · 80ms
Rate-limit · 3 / hour / session · 70ms
Audit log · Immutable entry · 70ms

Same constraints as the ticket workflow · just without a human in the loop
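
The four gates and the three-per-hour cap described above, sketched server-side as an added example (not Spinas Web's code). The session store, TOTP secret store, hash-chained log format and every name here are assumptions; the TOTP check follows RFC 6238.

```python
import hashlib, hmac, json, struct

LIMIT, WINDOW = 3, 3600  # from the page: 3 unblocks per session per hour

def totp(secret, now, step=30, digits=6):  # RFC 6238 over HMAC-SHA1, current step only
    digest = hmac.new(secret, struct.pack(">Q", int(now) // step), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def _digest(entry):
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class UnblockGate:
    def __init__(self, sessions, totp_secrets):
        self.sessions = sessions          # assumed store: opaque token -> session id
        self.totp_secrets = totp_secrets  # assumed store: session id -> TOTP secret
        self.history = {}                 # session id -> times of allowed unblocks
        self.audit = []                   # append-only, hash-chained entries

    def _log(self, now, session_id, ip, outcome):
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        entry = {"ts": now, "session": session_id, "ip": ip, "outcome": outcome, "prev": prev}
        entry["hash"] = _digest(entry)    # each entry commits to the one before it
        self.audit.append(entry)
        return outcome

    def unblock(self, token, code, ip, now):
        session_id = self.sessions.get(token)                   # gate 1: session token
        if session_id is None:
            return self._log(now, None, ip, "denied:session")
        secret = self.totp_secrets.get(session_id)              # gate 2: TOTP
        if secret is None or not hmac.compare_digest(code.encode(), totp(secret, now).encode()):
            return self._log(now, session_id, ip, "denied:2fa")
        recent = [t for t in self.history.get(session_id, []) if now - t < WINDOW]
        if len(recent) >= LIMIT:                                # gate 3: sliding-window cap
            return self._log(now, session_id, ip, f"cooldown:{int(recent[0] + WINDOW - now)}s")
        self.history[session_id] = recent + [now]
        return self._log(now, session_id, ip, "allowed")        # gate 4: firewall call goes here

    def audit_intact(self):
        prev = "0" * 64
        for entry in self.audit:
            if entry["prev"] != prev or entry["hash"] != _digest(entry):
                return False
            prev = entry["hash"]
        return True
```

Denials are logged as well as successes, and the cooldown value is what the UI countdown would render. A production verifier would also reject a TOTP code already used within its 30-second step.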
What happened to the support team

20 hours / week. Reclaimed.

The unblock work didn't evaporate — clients now resolve their own incidents. What evaporated was the queue. The support team got 20 hours per week back, redirected to higher-value issues. Operational efficiency lifted +40%.

−60% · IP-related tickets · 200+ / mo → near-zero

+40% · Operational efficiency · redirected to higher-value work

20h · Reclaimed per week · across the support team

What changed after launch

The queue went near-zero.

Measured over the first 90 days post-launch through ticket volume, support time logs, and client surveys.

0%

Hero metric

IP-related support tickets

200+ tickets / month for years. After launch, the category functionally disappeared. Same security posture, zero queue.

200+ → near-zero · Audit-clean · 0 exceptions

  • +40% · Operational efficiency

  • 20h/wk · Support time reclaimed

  • +25% · Client satisfaction · post-launch survey

  • 0.3s · Median unblock time · was 2–4 hours

  • 0 · Security exceptions filed · audit-clean

Client feedback · post-launch

“Finally, I don't need to open a ticket for every small thing. It just works.”
— Business owner · e-commerce site
Reflection

Four lessons that traveled with me.

  1. Security ≠ wait time. The slowdown wasn't the rules; it was the human in the loop. Same rules, automated, made the wait disappear.

  2. Self-serve respects constraints — it doesn't bypass them. The win came from exposing the gates, not removing them.

  3. Audit trails are user trust. When the merchant sees their action logged, they trust the action — and so does the security team.

  4. Removing the queue restored agency. The most under-rated part of self-serve is the emotional shift from 'I'm waiting' to 'I'm doing'.
