Dashboard Overview
The Surface Security dashboard is the home base for your security team. It condenses everything the browser extension fleet is reporting — alerts, credential hygiene, phishing enforcement, device health — into a single at-a-glance view, and gives you two purpose-built alternate views: an Analyst Dashboard for deep-dive investigation and an Executive Dashboard for strategic reporting.
All three views draw from the same live data. Nearly every number, chart segment, and bar is clickable: clicking drills into a preview of the underlying alerts or navigates to the relevant filtered page, so you can move from "the critical count went up" to the actual alerts in two clicks.
How it works
Telemetry from enrolled browsers is aggregated continuously on the server. The dashboard summarizes it along a few dimensions:
- Security posture score — a 0-100 weighted composite recalculated from the last 30 days of activity. The contributing factors are MFA Adoption, Phishing Protection (share of phishing attempts blocked or warned), Credential Hygiene (share of logins free of breached passwords), Alert Resolution (share of alerts resolved), and Policy Compliance. A factor only appears once your deployment has data for it — for example, MFA Adoption is shown only after authentication endpoints have been observed — and the overall score is weighted across the factors that are present.
- Alert severity counts — how many Critical, High, Medium, and Low alerts are open, plus how many threats were Blocked or Warned by policy.
- Trends — alert and event volume over time, so spikes stand out.
- Fleet health — whether enrolled devices are actively checking in.
- Triage performance — how quickly your team acknowledges and resolves alerts.
The main dashboard
The main dashboard (Dashboard in the sidebar) opens with the header "Security overview for your organization" and buttons to jump to the Executive View, Analyst View, and Onboard pages. On a fresh deployment an onboarding checklist appears at the top until initial setup steps are complete.
[SCREENSHOT PLACEHOLDER: Main dashboard home page showing the Security Posture card with circular score, the four severity KPI cards, and the Alert Distribution bar]
Security Posture card
The large card at the top shows your posture score in a progress circle, the week-over-week trend ("vs last week"), and three quick stats: Active Threats (open Critical + High alerts), MFA Adoption, and Blocked. Click anywhere on the card to expand the Score Factors breakdown — each factor is listed with its weight badge, a progress bar, and its individual score. Clicking a factor navigates to the page where you can act on it (for example, the credential-related factor links to filtered alerts).
Alert KPI cards and Alert Distribution
Four cards — Critical, High, Medium, Low — show current alert counts by severity. Click a card to expand an inline preview of the most recent alerts at that severity, with a link through to the full Alerts page. Below them, the Alert Distribution bar shows the same severities proportionally; clicking a segment opens the same preview.
Alert Severity Breakdown and Top Threat Categories
- Alert Severity Breakdown ("Alert volume by severity level") charts alert volume per day, split by severity. Click a day to open a drill-down pane titled "Alerts on <date>" with a Show all button that opens the Alerts page pre-filtered to that date.
- Top Threat Categories ("Most frequent alert types (30 days)") ranks the alert types generating the most volume.
Policy Enforcement and Fleet Health
- Policy Enforcement ("How effectively your policies are blocking threats") shows a donut of total alerts split into Blocked, Warned, and Logged, alongside a 30-Day Enforcement Trend bar chart of blocks and warnings per day. Each segment and stat links to the Alerts page filtered by that action. Use this to confirm your policies are actually intercepting threats rather than just recording them.
- Fleet Health ("Device connectivity and version status") counts devices that are Active (24h), Stale (1-7d), Offline (7d+), and Revoked. Each count links to the Devices page.
Triage performance
The Triage performance card reports four operational metrics for the selected window: Time to acknowledge (median and P90), Time to resolve (median and P90), Acknowledged (percentage of alerts acknowledged), and Resolved (percentage resolved). These are the same numbers your team is measured on during incident reviews.
[SCREENSHOT PLACEHOLDER: Policy Enforcement donut with Blocked/Warned/Logged stats, Fleet Health widget, and the Triage performance card]
Quick Links
The bottom row links to View All Alerts, Manage Users, and Security Policies.
The Analyst Dashboard
The Analyst Dashboard (Analyst View, or /dashboard/analyst) is the deep-dive workspace: "Deep-dive security metrics and custom analytics." It is designed for the analyst who wants to slice data rather than skim it.
[SCREENSHOT PLACEHOLDER: Analyst Dashboard showing the six stat cards, the Threat Landscape distribution bar, and the Activity Overview chart]
Key sections, top to bottom:
| Section | What it shows |
|---|---|
| Stat cards | Critical, High, Medium, Low, Blocked, Warned — click any card for an inline alert preview |
| Threat Landscape | Alert volume grouped into Phishing, Credentials, Extensions, Data Loss, and Discovery categories; clicking a category opens the Alerts page filtered to those alert types |
| Activity Overview | Area chart of alerts and events over a selectable date range; click a data point to see that day's events |
| Credential Exposure | Credential health and user risk overview |
| Alert Type Landscape and Phishing Detection | Per-type alert breakdown and phishing detection methods and effectiveness |
| Credential Health (30 Days) | Daily credential events; click a day to drill in |
| Identity Provider Distribution | Donut of which identity providers your discovered authentication endpoints use; click a segment for details |
| MFA Adoption | Click to drill down into the MFA breakdown across endpoints |
| Extension Risk | Browser extension security posture summary |
| Policy Violations | Bar list of Password Reuse, Pwned Passwords, Domain Blocks, and Warnings Issued — each bar links to filtered alerts |
| Alert Response | Mean time to acknowledge and resolve |
| User Risk Analysis | Unified per-user risk view across all dimensions |
Custom Analytics
At the bottom of the Analyst Dashboard, the Custom Analytics section lets you build up to four of your own charts with Add Chart (or Create Your First Chart when the section is empty). Each chart is configured with:
- Data source: Alerts, Events, or New Sites
- Group By (Alerts only): None, By Severity, By Alert Type, or By Action Taken
- Timeframe: 7 Days, 30 Days, or 90 Days
- Chart Type: Area, Bar, or Stacked Bar
Charts can be edited or removed at any time. Custom chart configurations are saved locally in your browser, so each analyst keeps their own layout.
[SCREENSHOT PLACEHOLDER: Custom Analytics section with the chart configuration dialog open, showing Data source, Group By, Timeframe, and Chart Type options]
The Executive Dashboard
The Executive Dashboard (Executive View, or /dashboard/executive) is the "Strategic security posture overview" — the view to put on a screen in a leadership meeting. It trades detail for trend and outcome.
- Security Posture — the score in a large progress circle with the week-over-week improvement or decline percentage and a small trend spark line.
- KPI cards — Active Threats (Critical + High alerts), Auth Endpoints (discovered services), MFA Adoption, and Threats Blocked (last 30 days). Clicking Active Threats or Threats Blocked expands a preview table of the underlying alerts; MFA Adoption expands a summary of MFA-enabled vs. no-MFA endpoints.
- Alert Trend — alerts and events over the last 7 days; click a data point to see that day's alerts.
- Top Risk Categories — bar list of Credential Reuse, Phishing Attempts, Critical Alerts, and High Severity Alerts, each linking to filtered alerts.
- Policy Deployment — group distribution by enforcement mode, plus Deployment Progress showing policy mode distribution over 90 days. Useful for tracking a rollout from learning mode toward warning and blocking.
- Security Posture Factors — the same factor breakdown as the main dashboard, but each factor is clickable for improvement guidance. Factors below the 80% target show an estimate of how many points fixing them would add to the overall score.
- Triage performance — the 30-day acknowledge/resolve metrics.
[SCREENSHOT PLACEHOLDER: Executive Dashboard with the Security Posture circle, four KPI cards, and the Alert Trend and Top Risk Categories charts]
Worked example: investigating a score drop
Your posture score reads 72, down 4.1% vs last week.
- On the main dashboard, click the Security Posture card to expand Score Factors. Phishing Protection shows 55% with a red indicator; the others are above 80%.
- Switch to the Analyst View. The Threat Landscape bar shows the Phishing category dominating this week's volume; click it to open the Alerts page filtered to phishing-related types.
- Back on the main dashboard, the Policy Enforcement donut shows an unusually large Logged share — meaning many phishing detections were recorded but not blocked or warned. That points to groups still in learning mode.
- Open the Executive View and check Policy Deployment: one large group is still in learning mode. Moving it to warn or block mode (see Policies) will raise the Phishing Protection factor — and the overall score — as new detections start being enforced.
Troubleshooting
A factor is missing from Score Factors. Factors only appear once there is data to compute them. MFA Adoption, for example, requires observed login activity on authentication endpoints. Deploy the extension to more users and the factor will appear.
MFA Adoption shows "N/A". Same cause — no login data has been observed yet.
All counts are zero. No telemetry has arrived. Verify extensions are deployed and devices show as Active (24h) in Fleet Health; if not, start with the Quick Start enrollment checks.
My custom charts disappeared. Custom Analytics layouts are stored in the browser you built them in. Using a different browser or profile, or clearing site data, starts you with an empty layout.