Case Study · Financial Services · Top-25 US Bank

One trading floor. One quarter end. 846 devices reconciled.

A top-25 US bank ran SpacesIQ on a single trading floor and an adjacent operations center the week before SOX ITGC fieldwork. Inside seven days, the platform produced a per-port inventory of 846 devices, identified 73 missing from the asset register, and reduced the SOX inventory-completeness audit category from a recurring finding to a closed control. Engagement anonymized at the customer's request.

  • 846. Devices fingerprinted across the trading-floor and ops-center fabric in the first sweep.
  • 73. Devices missing from the asset register (most were vendor-managed display arrays).
  • Closed. SOX ITGC inventory-completeness category, after years as a recurring finding.

The setup

The customer is a top-25 US bank with multiple trading floors, retail branches across 28 states, and a federal contracts arm. Standing compliance obligations: SOX (annual ITGC), PCI 4.0 (branch and bank-card environments), NYDFS Part 500 (state-level cybersecurity), GLBA Safeguards Rule, and an internal audit cadence that cross-references all of them. The recurring finding the audit committee asked the CISO to close: asset inventory completeness. The bank's existing inventory was assembled from procurement, change tickets, and quarterly reconciliation by the GRC team. The auditor had been politely declining to take it at face value.

Why CybrIQ

The CISO and Director of GRC had narrowed the candidate set to three vendors after evaluating Forescout, Armis, and CybrIQ. Forescout was already deployed for NAC and was performing well at that job; the team wanted a complementary platform that closed the gap below NAC, not a replacement. The criteria were direct:

  • Non-disruptive deployment. Trading-floor environments do not tolerate scheduled downtime; the platform had to read passively from the wire with no agent.
  • Per-port evidence. The audit firm wanted device-to-port pairing dated to the second, not periodic snapshots.
  • SOX-friendly evidence shape. The artifact had to map cleanly to ITGC controls without manual reformatting.
  • Fast time to first inventory. The engagement had to land before SOX fieldwork started in three weeks.

The engagement

SpacesIQ deployed against the agreed scope on Tuesday morning. The trading floor and the adjacent operations center share a network fabric anchored by Cisco Catalyst infrastructure; CybrIQ's per-port view rolled up cleanly. The CISO's team and the head of trading-floor operations joined the daily review for the first three days. The GRC director joined the Day-7 inventory handoff.

A CybrIQ per-port view of a Cisco Catalyst switch in the bank's trading-floor fabric. Twenty-six ports listed with detected device counts, fingerprints, and per-port risk scores.

What the wire showed

  • 846 devices identified across the scope. The asset register listed 773; the wire showed 846. Most of the gap came from vendor-managed display arrays and rebroadcast equipment that sat on the same VLAN.
  • 73 devices missing from the asset register. 38 were trading-turret-adjacent vendor-managed devices. 17 were unmanaged signage players in the operations center. 12 were mid-week-installed gear from a recent refresh that had not yet been logged in change management. 6 were classified as random-MAC devices and traced to test equipment.
  • 4 NDAA-prohibited components flagged. Three signage players in the executive briefing center contained covered components from a prohibited vendor, as did one camera in a board-meeting room. All four were vendor-managed and labeled as a different brand. The bank's federal contracts arm had been carrying the 889 obligation; nobody had checked the executive briefing center against it.
  • 2 unmanaged switches in the trading-floor closet. Both predated the current ops manager. CybrIQ flagged the change in the parent-port signature; the discovery came up in the Day-2 review.

The outcome

The SOX ITGC inventory-completeness finding was closed in the next audit cycle. The audit firm took CybrIQ's continuous evidence as the source-of-truth artifact and stopped requesting the GRC team's separately maintained spreadsheet. The bank expanded SpacesIQ across the rest of the trading-floor footprint and into branch networks over the following two quarters; ComplianceIQ now wires the evidence into both SOX and PCI fieldwork.

"The auditor stopped asking for the spreadsheet. That was the proof."

Director of GRC, top-25 US bank. Quote anonymized at the customer's request.
