Case study
Trickest · Solutions (Workflow Templates & Linked Updates)
Let teams publish a workflow as a template, copy it as a linked-but-editable instance, and pull source improvements through a reviewable, GitHub-style diff, without one cancelling out the other.
Design engineer on the feature. I framed the problem and the link/diff model and built every mockup here in code; the diff mechanics were shaped with the PM and the workflow-engine engineers before I designed and prototyped the review UI.
Solutions
Publish a workflow as a template and share it across the account. Copy from existing templates and stay in sync as they improve.
External asset discovery, enumeration and live-host triage.
Correlate scanner output against known CVEs, rank by exploitability.
Resolve subdomains, fingerprint dangling records, flag takeovers.
Scan buckets and repos for leaked keys and credentials.
Everything below is mock data — template names, workflows and counts. The design and reasoning are real.
The problem
Trickest lets people build security-automation workflows — chains of tools and scripts that scan infrastructure. Good ones are worth sharing: a Solution is a workflow an author publishes as a template so the rest of the account can reuse it instead of rebuilding it.
The moment you let people copy a template, you inherit a hard question: what is the relationship between the copy and its source over time? A recon template that was state-of-the-art last quarter is a liability today — tools change, false positives creep in, a step gets a critical fix. So the copy can’t just be a throwaway duplicate. But it also can’t be a mirror: the whole reason someone copies a template is to point it at their target and bolt on their steps.
The core tension: a plain duplicate means users lose every future improvement and templates drift silently out of date across the account. A hard-locked copy means users can’t customize without breaking sync entirely. The job was to design a model where a centrally-maintained template and local freedom don’t cancel each other out — and where, when the source changes, the user can see exactly what changed and decide whether to take it.
Where this came from — the account had quietly filled with near-identical private copies of the same few workflows, and when an author fixed a template there was no way to get that fix to the people already running copies. Publishers wanted reach; copy owners wanted to not fall behind. That gap is what the feature had to close. (Signals reconstructed from the real project for this write-up.)
Options explored
I framed the decision around the one relationship everything hangs on — the link between source and copy — and weighed three models against a single test: can a user both keep receiving improvements and freely customize their copy?
Simplest. But the copy can't trace back to its source, gets no future fixes, and templates fork silently across the account.
Never goes stale. But the first time someone needs a local tweak, sync has to break entirely — customization and updates cancel out.
Copy stays linked but fully editable. When the source moves, the instance offers a reviewable diff — accept, or ignore. Unlink stays available as an explicit exit.
Only the third model refuses the false choice. Duplicate-only trades governance for simplicity; hard-sync trades customization for freshness. A soft link with reviewable updates keeps both — the copy is editable, the link survives edits, and updates are offered, never forced. That framing — treat a template update like a pull request — is what made the rest of the design fall into place.
Final design
The feature is a lifecycle, so I designed it as one. An author publishes; a user instantiates; both sides evolve; the user reconciles on their own terms.
After review, two ways out —
Bring the changes in. The copy jumps to v4, stayslinked & editable, and waits for the next update — the loop repeats.
Leave the loop. A one-way exit: detach permanently, keep everything, stop receiving updates.
1 · A linked, editable instance. Copying a template creates a normal workflow
that carries a Based on badge back to its source. Editing it — here, adding a
slack-notify step — never severs the link. The instance simply tracks which
template version it last acknowledged.
You added slack-notify after copying. Editing your copy never breaks the link — updates are still offered, never forced.
2 · A reviewable update, like a diff. When the author ships a new version, the instance surfaces an amber “Update available” state. Opening it doesn’t overwrite anything — it opens a GitHub-style review: the copy on the left, the template on the right, every changed node called out. You can Take incoming or Keep current per node (and per input), then Apply only what you chose. This is the heart of the feature.
Review template update
5 changes · 4 to apply
Nodes
The diff speaks the workflow’s own language: added / removed / modified nodes up top, and for a changed node, a field-level breakdown — inputs, script, connections — with removed values in red and incoming values in green. Because customization and updates coexist, the default is “take everything,” but a user who tweaked a step can pin their version and still pull in the other four changes.
A template update has two halves. Editing a Solution isn’t only about workflow steps — an author (often an admin) also edits the reporting database schema: the tables and fields that runs write into. So an update can carry schema changes too, and those get their own review, because a database migration has stakes a node swap doesn’t: adding a field is safe, but removing one deletes its data.
Review schema update
dataset assets · from Attack Surface Recon v4
Adding a field is safe. Removing one permanently deletes its data, so it's never applied automatically.
Same diff grammar — added fields in green, removed in red, a type change flagged in amber — but the actions respect the data. Additions apply in one click; a removal is never automatic and a key field can’t be dropped at all; and because a live table can’t change a column’s type in place, a type change seeds a new table instead of silently rewriting the old one. The template’s version bump covers both halves, so one “Update available” can mean nodes changed, schema changed, or both.
3 · Unlink is an explicit, one-way door. Staying linked is the default, but a user who has diverged for good can detach. It’s deliberately heavy — a typed confirmation, destructive styling, and copy that says plainly it can’t be undone — so it never happens by accident.
Unlink from template?
Recon — acme.com will become a regular workflow and stop receiving template updates. The data and workflow stay untouched.This can't be undone.
One decision did the most work: make the update a review, not a sync. Every hard part — customization vs. freshness, trust, governance — dissolves once the user is the one who decides, with full visibility, what to bring in. Unlinking is the escape hatch that lets the default (stay linked) be safe.
I pressure-tested the review flow with template authors and copy owners on click-through prototypes. The clearest signal: people trusted “Update available” far more once the diff was reviewable per node and the schema changes were split out — a single “sync now” button made them hesitate to link at all.
Outcome
Figures below are illustrative — the mechanism and direction are real; the exact numbers are reconstructed, not measured.
- Stale copies stopped accumulating — because updates are one reviewable click instead of a manual rebuild, roughly 3 in 4 instances stayed linked to their source rather than forking off, and a critical template fix reached every linked copy in minutes instead of a per-team migration.
- Customization stopped breaking sync — teams could point a template at their own target and add steps while still receiving upstream improvements; the “I edited it so I’m now on my own” dead-end disappeared.
- Publishing became worth it — with a governed distribution path, template authors had a reason to publish, seeding a shared library instead of a sprawl of near-identical private workflows.
What I’d still improve: conflict handling when both sides changed the same node — today the user resolves it manually node-by-node; a clearer three-way merge would help. And I’d surface updates more proactively (a digest when a template you depend on ships) rather than relying on the user to open the workflow and notice.