Three to ten IT staff. Thousands of devices. Twelve to forty buildings. CybrIQ keeps the inventory honest.

Three documented gaps every K-12 IT team has felt.

• The chromebook fleet drifts. The procurement spreadsheet says 1,847 chromebooks. The MDM console says 1,612 active enrollments. The network sees 1,503 today. The 344-unit gap is some combination of devices that broke, devices that left with families, devices that were stolen, devices that are sitting in a closet, and devices that were never properly enrolled. Each year the gap gets harder to close manually.
• Building automation arrives outside IT. Facilities replaces an HVAC controller. The integrator on the building-management contract puts it on a VLAN that sometimes lands on the same physical switch the AV system uses. Nobody told IT. The asset register has no entry. The network sees a new device with a Tridium MAC OUI and a serial number IT has never heard of.
• Classroom AV refreshes happen one building at a time. Two summers ago, the high school got new short-throw projectors and document cameras. Last summer, two elementary schools got smart displays. This summer, the middle school is getting whatever is on this year's E-Rate Category 2 budget. Each refresh is its own purchase order, its own integrator, its own set of devices that may or may not show up in the central asset list.

The cyber-insurance carrier asks at renewal: "What is your current hardware inventory?" The honest answer is "We have three lists, none of them agree, and we know the network has more than any of them say." That answer has consequences for the renewal premium and for the K12 SIX essentials checklist the board is asking about.

The asset register stops being a manual project.

CybrIQ deploys an External Scan Engine on a server inside the district network (a small Linux VM works; we provide the spec). The scan engine reads each managed switch via SNMP with read-only credentials. The same credentials your network team already uses for monitoring work fine. We do not need write access. We do not touch the chromebooks, the teacher laptops, or any device on the wire.

The output is a continuous inventory of every device on every switch port: vendor, model, MAC, port history, VLAN context, and a Layer-1 fingerprint matched against a 750-million-device reference library. You see the chromebook fleet that is actually checked in today, the classroom AV that was installed during last summer's refresh, the building automation that facilities added without telling you, and the personal devices that show up on guest VLANs.

For the IT team that is already short-handed, the most important thing is that the inventory maintains itself. New device shows up on the wire, it appears in the inventory. Device leaves the building, it stops appearing. The team's time goes back to the work that actually moves the district forward.

Naming the limits matters.

• We do not see student data. Our scope ends at the network layer. Student records, grades, attendance, and IEP documentation live in your SIS and LMS. We are looking at switch ports, not at databases.
• We do not handle FERPA-protected data. Our reads do not include the contents of any traffic. We are reading switch-side metadata about what is plugged in, not what is being said.
• We do not replace your MDM. Your chromebook MDM (Google Admin, Jamf, Mosyle, whatever you use) does device-side configuration management. We tell you what is on the wire, including the devices the MDM does not see (BYOD, contractor laptops, building automation, guest IoT).
• We do not replace your NAC. If you operate Cisco ISE, Forescout, or Aruba ClearPass, we feed identity events into the policy decision. We do not enforce policy ourselves.
• We do not detect malware on devices. We see the device's identity, not its behavior. EDR and antivirus products handle behavioral detection on managed endpoints; we identify the endpoints.