CybrIQ for government · Case studies
Case studies

Three engagement patterns, anonymized.

Federal and SLED customer names require formal authorization to publish. The engagements below are anonymized to that constraint; the environments, the deployment shape, and the outcomes are real. Specific reference contacts are available on request under MNDA — the briefing call is the path.

Three representative engagement patterns based on anonymized customer types.

Pattern one (federal civilian, Section 889): pre-engagement register of 2,400 devices listed in the agency's asset register; CybrIQ identified 6 percent flagged as covered, including 12 cameras shipped under non-covered labels; outcome was FAR clause representation corrected before next IG cycle.

Pattern two (defense contractor, first CMMC L2 assessment): pre-engagement register of 1,150 devices in the CMDB and authorization list; CybrIQ identified an additional 312 missing devices, including a contractor laptop on the CUI segment; outcome was remediation completed before the C3PAO and CM family evidence ready.

Pattern three (K-12 district, cyber-insurance renewal): pre-engagement register of 4,800 devices listed across 11 school buildings; CybrIQ identified a 41 percent network gap with unlisted building-automation, AV, OT, and guest-VLAN devices; outcome was a 28 percent premium reduction at renewal with the carrier-provided signed evidence.

Inventory gap typically becomes visible in weeks 2-4 of the 30-day pilot. Figures are representative of anonymized engagements; named details available under MNDA.
Federal civilian · cabinet department

Section 889 (a)(1)(B) walkthrough across 14 buildings

Context. A cabinet department had received an IG observation on (a)(1)(B) compliance — three covered devices had been found in physical walkthroughs that the asset register did not list. The department needed evidence of the next-cycle posture across all 14 of its main-campus buildings within 90 days.

Deployment. SpacesIQ installed on department-owned hardware; ESEs sized to one per building cluster (3 ESEs total) feeding a single main instance. Read-only SNMP credentials configured per the department's existing access-management process. No SPAN, no inline tap.

Findings, first 30 days. 47 covered devices identified — 41 of which were not on the asset register. Pattern split roughly: building-systems integrations (cameras, badge-reader gateways) about half; conference-room AV from prior installation cycles about a third; the remainder distributed across lab gear and contractor-provided equipment.

Outcome. Department was able to produce a deviation log and remediation timeline to the IG within the original 90-day window. Subsequent quarters' inventories continued to surface relabeled devices through normal procurement; the same dashboard captured them.

Defense contractor · CMMC L2

CM.L2-3.4.1 evidence for a first C3PAO walkthrough

Context. A mid-size defense contractor handling CUI scheduled its first CMMC 2.0 Level 2 assessment. The C3PAO pre-engagement findings flagged Authorized Hardware (CM.L2-3.4.1) and Baseline Configuration (CM.L2-3.4.2) as likely weak areas. The contractor had a CMDB but no continuous reconciliation against the network.

Deployment. RoomIQ for the CUI-enclave network. Two managed switches, one ESE, one main instance, all on contractor-owned hardware in the CUI enclave. Air-gapped from the rest of the corporate network.

Evidence shape. Continuous device inventory feeding the contractor's eMASS package as a signed CSV per assessment cycle. Authorization-list deviations logged automatically; SSP citations to CM.L2-3.4.1 reference the inventory-discovery evidence stream.

Outcome. First walkthrough closed without findings on CM.L2-3.4.1 or CM.L2-3.4.2. The assessor explicitly noted the audit-trail SHA-256 signing as a continuous-monitoring strength.

SLED · K-12 district

Cyber-insurance renewal — hardware-inventory completeness evidence

Context. A K-12 district covering 22 school buildings faced a cyber-insurance renewal that required documented evidence of hardware-inventory completeness across student, staff, and operational technology segments. The district's existing endpoint management reached student laptops but not the long tail of building systems, classroom AV, and library kiosks.

Deployment. SpacesIQ on district-owned hardware. Two ESEs (elementary cluster, secondary cluster) feeding a single main instance in the district central IT facility. Read-only SNMP credentials issued per the district's existing access-management process.

Evidence. Per-building device inventory with signed CSV exports as the carrier's required artifact. Quarterly delta reports for the renewal audit period.

Outcome. Renewal completed at flat premium (carrier had originally signaled a 15% increase pending evidence). District's MS-ISAC governance report now includes the hardware-inventory completeness metric the carrier originally asked for.

Walk a customer-specific reference

Named customer references with specific contacts are available under MNDA. The briefing call is the path; we route based on the engagement shape closest to your environment.
