M&A is an inventory problem.

The cadence mismatch.

Deal teams close on a schedule the deal commits to. Network connectivity is usually live within weeks of close. The InfoSec integration milestone is typically scheduled somewhere between 30 and 90 days post-close. Between the day connectivity goes live and the day InfoSec arrives, the new site is on the network with whatever inventory the acquired organization brought with them — which is usually a spreadsheet from a prior consultant dated 2019 or earlier. The accurate-inventory clock has been running since the day connectivity flipped.

What the acquired site usually has.

An asset list that was assembled for a prior diligence cycle. A switch closet last audited when the prior IT contractor was still under contract. A VLAN scheme that is partly documented and partly tribal knowledge. A radiology workstation on the same flat /24 as the front-desk PC. A handful of devices owned by vendors whose contracts you have not seen. Sometimes the most senior IT person at the acquired organization no longer works there. Sometimes there was never a most senior IT person.

Why you cannot pause to find out.

You cannot pause the acquired practice to discover what it has. The clinical workflow has appointments today. The retail store has customers walking through the door. The accounting firm has tax-season clients. Active network discovery is off the table; even a benign nmap scan is risky against medical equipment, OT controllers, or production payment infrastructure. Whatever you do to find out what is on the network has to be passive enough to be invisible to the devices and to the staff using them.

The pattern that survives the deadline.

For repeat acquirers — health systems with active M&A pipelines, MSOs absorbing practice groups, dental and behavioral-health rollups, multi-store retail expansions — the pattern is to preposition a software External Scan Engine instance in the deal-team field kit. Day one of close, local IT gives read-only switch access. The ESE polls the switches with read-only access, identifies every device on the acquired network, and emits the inventory to the parent organization's risk register over syslog or REST. The new site appears in the same dashboard, in the same schema, in the same audit feed, as the owned sites. Inside of one day.

The repeat-acquirer math.

If the integration playbook calls for six weeks of network discovery per acquired site, and the acquisition pipeline is six per year, the InfoSec FTE budget for that workstream alone is somewhere around two-thirds of one full-time engineer's year. With the prepositioned-ESE pattern, the same six acquisitions consume roughly six engineer-days. Three FTEs return to other workstreams. The integration milestone moves up by an average of four weeks per acquisition. The acquired-site risk-analysis update lands during the same fiscal quarter as the acquisition itself.

Why this matters for compliance posture.

Every regulatory framework that asks "what is on your network" is implicitly asking "including the sites you acquired this quarter." HIPAA §164.308(a)(1)(ii)(A), PCI 12.5.1, SOC 2 CC6.x, CMMC CM.L2-3.4.1, NIST CSF ID.AM-1. The auditor who arrives in March wants the inventory that covers the practice acquired in January. The "we will get to it after integration" answer is itself the finding.

The prepositioned-ESE pattern for deal teams is part of how CybrIQ deploys for repeat acquirers. The technical reference is at cybriq.io/technology. The 30-day pilot terms — including the deal-team field-kit configuration — are at cybriq.io/pilot.