Meet CybrIQ at InfoComm 2026 · Booth C5052 · June 13–19 · Las Vegas · Pre-book a working session →
Article · Technical

The switch already knows.

Every device that connects to a managed switch announces itself, negotiates link parameters, broadcasts neighbor information, and accumulates port-stats counters as a side effect of normal operation. None of that requires the switch to copy traffic. The switch already knows; CybrIQ just reads what the switch already has.

By the CybrIQ team · 7 minute read

What the switch records by default.

Five categories of signal that any modern managed switch maintains as part of its own operation, not as a security feature:

Link negotiation outcome: speed, duplex, and whether auto-negotiation succeeded or fell back.
MAC address and OUI: the source address the switch learns into its forwarding table, whose first three octets name the registered vendor, plus whatever descriptors the device presents on connection.
LLDP and CDP announcements: every TLV the device sent in its own discovery frames (chassis ID, port ID, system name and description, capabilities), which the switch parses and stores as neighbor data.
Port-stats footprint: counter rates, error rates, frame-size distributions, and link-flap history.
VLAN and topology context: spanning-tree role, neighbor port relationships, and BPDU patterns.

None of these signals require inspecting the device's traffic. LLDP and CDP frames are addressed to the switch itself and consumed by its control plane; everything else is state the switch has to keep in order to forward at all.
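As an added example (not CybrIQ's code), here is how that signal set can be assembled from what a switch exposes read-only. It assumes the access protocol is SNMP, which the page does not specify, and parses constructed snmpwalk-style output; the object names are real IF-MIB, EtherLike-MIB, LLDP-MIB and BRIDGE-MIB objects, but the values, MAC address and port numbers are made up. Two details worth seeing: forwarding-database rows are keyed by bridge port, not ifIndex, so they must be mapped through dot1dBasePortIfIndex, and the LLDP remote-table index carries the local port number in its second position.

```python
import re
from collections import defaultdict

# Constructed snmpwalk-style output for one access port (ifIndex 3).
# Object names are genuine MIB objects; every value here is invented.
SAMPLE_WALK = """\
IF-MIB::ifDescr.3 = STRING: GigabitEthernet1/0/3
IF-MIB::ifHighSpeed.3 = Gauge32: 1000
IF-MIB::ifInErrors.3 = Counter32: 12
EtherLike-MIB::dot3StatsDuplexStatus.3 = INTEGER: fullDuplex(3)
LLDP-MIB::lldpRemChassisId.0.3.1 = Hex-STRING: AA BB CC 11 22 33
LLDP-MIB::lldpRemSysName.0.3.1 = STRING: room-412-codec
LLDP-MIB::lldpRemSysDesc.0.3.1 = STRING: ExampleVendor Codec fw 4.1.2
BRIDGE-MIB::dot1dBasePortIfIndex.27 = INTEGER: 3
BRIDGE-MIB::dot1dTpFdbPort.170.187.204.17.34.51 = INTEGER: 27
"""

LINE_RE = re.compile(
    r"^(?P<mib>[\w-]+)::(?P<obj>\w+)\.(?P<idx>\d+(?:\.\d+)*) = (?P<type>[\w-]+):\s*(?P<val>.*)$"
)


def parse_value(typ, raw):
    """Turn the textual value net-snmp prints into a Python value."""
    raw = raw.strip()
    if typ == "STRING":
        return raw.strip('"')
    if typ == "Hex-STRING":
        return ":".join(b.lower() for b in raw.split())
    if typ == "INTEGER":
        m = re.fullmatch(r"(\w+)\((-?\d+)\)", raw)
        return m.group(1) if m else int(raw)  # keep the enum label, e.g. fullDuplex
    if typ in ("Gauge32", "Counter32", "Counter64"):
        return int(raw)
    return raw


def parse_snmpwalk(text):
    """Return {(object_name, index_tuple): value} for every parsable line."""
    out = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank lines or unparsable noise are ignored
        idx = tuple(int(p) for p in m.group("idx").split("."))
        out[(m.group("obj"), idx)] = parse_value(m.group("type"), m.group("val"))
    return out


def build_port_signals(entries):
    """Group parsed objects into one signal record per ifIndex."""
    ports = defaultdict(lambda: {"lldp": {}, "macs": []})
    # FDB rows are keyed by bridge port; dot1dBasePortIfIndex maps them to ifIndex.
    bridge_to_if = {idx[0]: val for (obj, idx), val in entries.items()
                    if obj == "dot1dBasePortIfIndex"}
    for (obj, idx), val in entries.items():
        if obj == "ifDescr":
            ports[idx[0]]["name"] = val
        elif obj == "ifHighSpeed":
            ports[idx[0]]["speed_mbps"] = val
        elif obj == "dot3StatsDuplexStatus":
            ports[idx[0]]["duplex"] = val
        elif obj == "ifInErrors":
            ports[idx[0]]["in_errors"] = val
        elif obj in ("lldpRemChassisId", "lldpRemSysName", "lldpRemSysDesc"):
            # Index is lldpRemTimeMark.lldpRemLocalPortNum.lldpRemIndex. Assumption:
            # lldpRemLocalPortNum equals ifIndex; that is vendor-dependent, and where
            # it does not hold the local port must be mapped via lldpLocPortId first.
            ports[idx[1]]["lldp"][obj] = val
        elif obj == "dot1dTpFdbPort":
            # The row index is the MAC address itself as six decimal octets.
            mac = ":".join(f"{o:02x}" for o in idx)
            ports[bridge_to_if.get(val, val)]["macs"].append(mac)
    for rec in ports.values():
        rec["macs"].sort()
        rec["ouis"] = sorted({m[:8] for m in rec["macs"]})
    return dict(ports)


def port_signals_from_walk(text):
    return build_port_signals(parse_snmpwalk(text))


if __name__ == "__main__":
    import json
    print(json.dumps(port_signals_from_walk(SAMPLE_WALK), indent=2))
```

Running it yields a single record for ifIndex 3 carrying the negotiated link, the learned MAC and its OUI, and the three LLDP TLVs, with the error counter kept alongside as port-stats context.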

Why this matters operationally.

Traditional Layer 1 visibility approaches assume you can put something in line with traffic, or hang a sensor off a SPAN port. Both work at small scale and both break at enterprise scale. Mirror sessions are a finite per-switch resource, a mirror destination port is easily oversubscribed once it aggregates several source ports, and the sensor behind it has to keep up with line rate. Putting any in-line device into the production path is a change-management conversation nobody wants. Switch-derived collection sidesteps all of that. The signals are already there. The cost is that of read-only management-plane access, which the switch is engineered to serve, with one caveat: walking large tables (the forwarding database of a core switch, for instance) on a tight loop does load the control-plane CPU, so the polling interval, not the signal set, is the knob to tune.

Why this matters architecturally.

The switch-derived path is deterministic. Given the same signal set, the identity resolution against the reference database produces the same identity, every time. There is no model deciding whether the observation looks like a device. The observation plus the database lookup IS the device's identity. An auditor will accept "the signature is the SHA of the collected signals plus the database identity record." An auditor will not accept "the model thought it looked like a Crestron."

Determinism matters when something has to hold up under interview. A switch-derived identity resolves the same way today, tomorrow, and during the post-incident reconstruction. A behavioral-inference identity might not. Determinism is not the same as authenticity, though: a MAC address and LLDP or CDP TLVs are asserted by the connected device, so a box that presents the same signals resolves to the same identity. What the switch-derived path guarantees is that the answer is reproducible from recorded evidence; establishing that the device is what it claims to be is the job of a separate control such as 802.1X or port security.
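The auditor-facing claim above, "the signature is the SHA of the collected signals plus the database identity record", as an added example rather than CybrIQ's own implementation. The reference database, its matching rule, the flat signal key names and the choice to exclude volatile counters from the hash are all assumptions made here: the identity record is hashed together with the stable signal set, so reordering the signals or polling again after the error counter has moved yields the same signature, while a different signal set yields a different identity and a different signature.

```python
import hashlib
import json

# Constructed reference database, most specific entry first. Illustrative only:
# not CybrIQ's database, and the OUI is not a real IEEE assignment.
REFERENCE_DB = [
    {
        "match": {"oui": "aa:bb:cc", "lldp_sys_desc_prefix": "ExampleVendor Codec"},
        "identity": {"vendor": "ExampleVendor", "model": "Codec",
                     "class": "conference-room-codec"},
    },
    {
        "match": {"oui": "aa:bb:cc"},
        "identity": {"vendor": "ExampleVendor", "model": None,
                     "class": "unknown-examplevendor-device"},
    },
]

# Signals that move on every poll are collected for change detection but kept out
# of the identity signature; otherwise an unchanged device would re-sign every poll.
VOLATILE = {"in_errors", "in_octets_rate", "flap_count"}


def stable_signals(signals):
    return {k: v for k, v in signals.items() if k not in VOLATILE}


def canonical(obj):
    """Byte-for-byte stable serialization: sorted keys, fixed separators, no NaN."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      allow_nan=False).encode()


def resolve(signals, db=REFERENCE_DB):
    """First record whose match keys all equal (or, for *_prefix keys, prefix) the signal."""
    for rec in db:
        matched = True
        for key, want in rec["match"].items():
            if key.endswith("_prefix"):
                have = signals.get(key[: -len("_prefix")], "")
                matched = isinstance(have, str) and have.startswith(want)
            else:
                matched = signals.get(key) == want
            if not matched:
                break
        if matched:
            return rec["identity"]
    return None


def signature(signals, db=REFERENCE_DB):
    """Return (identity, SHA-256 hex) over the stable signal set plus the identity record."""
    ident = resolve(signals, db)
    h = hashlib.sha256()
    h.update(canonical(stable_signals(signals)))
    h.update(b"\x00")  # domain separator between the two serialized parts
    h.update(canonical(ident))
    return ident, h.hexdigest()


if __name__ == "__main__":
    # Constructed flat signal set for one port; the second poll has a different
    # error counter and a different key order, and must sign identically.
    poll_1 = {"oui": "aa:bb:cc", "lldp_sys_desc": "ExampleVendor Codec fw 4.1.2",
              "speed_mbps": 1000, "duplex": "fullDuplex", "in_errors": 12}
    poll_2 = {"in_errors": 57, "duplex": "fullDuplex", "speed_mbps": 1000,
              "lldp_sys_desc": "ExampleVendor Codec fw 4.1.2", "oui": "aa:bb:cc"}
    for p in (poll_1, poll_2):
        ident, sig = signature(p)
        print(ident["class"], sig)
```

Because the hash covers the identity record as well as the signals, a database update that changes how a signal set resolves also changes the signature, which is exactly the trail an auditor wants: two different answers can never share one signature.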

Why this matters for the team's change-management posture.

Read-only access does not change network state. The worst-case behavior of the integration is "stops polling," and the security blast radius of "stops polling" is "we go blind," not "we caused an outage." Compare to the change-management posture of an in-line sensor, where the worst-case behavior is "drops production traffic," and the integration conversation has to address recovery, failover, and bypass. Read-only switch-derived integration is the cleanest blast-radius posture any visibility tool can have. Read-only is still a credential, though: scope it to a view that exposes only the tables the collector needs, bind it to the collector's address, and use an authenticated and encrypted transport, because a leaked read-only credential hands an attacker the same topology map.

What the reference database adds.

The signal set tells you a device is on a port. The database tells you which device. The CybrIQ reference library carries 750 million-plus device fingerprints — workstations, conference-room codecs, biomedical equipment, retail kiosks, OT controllers, building systems — and grows weekly. Pattern-matching against a million-device reference is competent. Pattern-matching against 750 million is what makes the long tail of weird devices in real environments resolvable. The most common customer reaction in the first week of pilot is "you identified things our other tools have been calling 'unknown' for years."

The narrow constraint.

The tradeoff for the switch-derived approach is that we do not see anything the switch does not see. If the device is connected but its port is excluded from what the switch records, or from what the read-only credential is allowed to read, we miss it. If the device sits behind an unmanaged switch downstream of a managed one, the managed port shows several learned addresses and no per-device neighbor data, and we identify that downstream segment as one entity rather than enumerating the devices behind it. Those constraints are real, and the rest of the design (the structured signal set, the 750-million-device reference database, the change-event taxonomy) has to do the heavy lifting on identity resolution to make the narrow path useful at scale.

The technical reference for the switch-derived approach is at cybriq.io/technology. The deployment posture, including which switches are supported and how access is provisioned, is at cybriq.io/trust. The integration surface (syslog and REST) is at cybriq.io/integrations.