Make the case · FAQ

Twenty-five questions a Director asks before bringing CybrIQ to the CFO, the board, or procurement.

Organized by the audience that usually asks: insurance, audit, board, procurement and legal, finance, operations, and scope. If your question isn't here, the demo is the right next step.

TL;DR: Twenty-five Director-level questions across insurance, audit, board, procurement, finance, operations, and scope. Skim by audience or use the section anchors. If your question isn't here, the demo is the right next step.

Insurance

1. Will my cyber-insurance premium drop?

Carriers won't put it in writing that any specific tool drives a discount. What they will tell brokers is that "continuous evidence" environments price differently from "annual attestation" environments. The honest answer: in most pilots, the artifact-first conversation with the carrier changes the renewal posture more than the headline number. Some customers see premium reductions in the 5–15% range; others see no number change but get a coverage extension or a deductible improvement that's worth more in practice.

2. What do I hand my broker?

Three artifacts: the continuous inventory export, the 30-day drift report, and the NDAA / sanctioned-vendor screening report. All signed, all forwardable. Brokers who've worked with our customers know the formats and pre-position them with carriers. See the cyber-insurance page for the broker conversation in detail.

3. What happens if I have an incident and my carrier disputes coverage?

The artifact trail pre-dates the incident, signed at the control plane. The signature is the integrity evidence; carriers and their forensic vendors accept it as proof the controls were in place before the event, not reconstructed afterward. That position is materially different from "we attest we had controls" when a $2M claim is being adjusted.

4. Will my carrier consider CybrIQ a control they require?

Today: no. Continuous device-inventory tooling is on the questionnaire as a question, not as a required control. The direction of travel is toward "required" over the next 2–3 renewal cycles; the carriers we've talked to all agree on the direction, but none has committed to a date. Treat this as forward-looking, not as table stakes today.

Audit

5. Which frameworks does the artifact cover?

The same continuous-inventory artifact, with control-mapping cover-sheet variations, covers: PCI DSS 4.0 (Req 12.5.1, 11.5.1, 1.2.x), SOC 2 Type II (CC6.x, CC7.x), HIPAA Security Rule (164.308 and 164.312 inventory and audit-control requirements), NIST CSF 2.0 (ID.AM, DE.CM, GV.SC families), CMMC Level 2 (CM.L2-3.4.x, SI.L2-3.14.6), and NDAA Section 889 supply-chain screening. See audit prep for the per-framework breakdown.

6. Will my QSA / CPA firm / C3PAO accept this evidence?

Yes, with the standard caveats. Auditors accept the artifact as evidence; they then test it (sample, walk-through, control-execution observation) the same way they would test evidence from any source. The CybrIQ artifact passes the testing because the underlying data is continuous and signed. We've had customers run the artifact through every major QSA firm and the Big-4 CPA firms; no rejections to date.

7. Can I run this for a single framework (say, PCI) without expanding scope?

Yes. Deployment is scoped by network segment. PCI-only scope is the CDE; HIPAA-only scope is the ePHI VLAN segments; CMMC-only scope is the CUI-handling systems. Pilots are typically run scoped to one framework's perimeter and then expanded as the case for broader coverage is made.

8. How often does the evidence need to be refreshed?

Continuously. The artifact is generated from a live data stream, not a periodic snapshot. The relevant question is "what window are you reporting on?", which the artifact answers by date range. SOC 2 Type II wants 12 months; PCI annual; HIPAA annual with quarterly check-ins; CMMC at assessment time. The single artifact serves all of those windows.

Board

9. What does the quarterly board slide actually look like?

Whatever shape your board prefers. CybrIQ supplies the numbers (inventory completeness, drift events, framework readiness, notable events from the quarter, the trend data); your team builds the deck. We don't ship board-deck templates because every board's preferred format is different and your team knows that preference better than we do. The numbers slot into whatever shape works for your audience.

10. Will my board push back on a new line item?

Usually no, when the framing is right. The board pushback that happens is on tools that look duplicative of something already in the stack. The line "this closes a path our EDR and NAC don't see" earns more of the budget conversation than "this is our next-generation visibility platform." Lead with the gap.

11. What's the bare-minimum board update if I'm short on time?

Three numbers: inventory completeness, drift events over the window, and framework-readiness percentage on your most active framework. If you have ten minutes for the cyber slide, those three numbers plus one notable event from the quarter are enough.

12. Can my CEO and CFO read the artifact without engineering translation?

Yes, intentionally. The board-facing exports use plain-language column headers ("device type", "first seen", "framework controls satisfied") and avoid engineering jargon. The same artifact has a deeper appendix the technical team can drill into; the board view is the cover sheet plus the rolled-up metrics.

Procurement and legal

13. What's the MNDA process?

We sign your form by default. Standard MNDA, 24–48 hour turnaround unless your legal team's queue is deeper. We don't ask for revisions to your standard agreement except where there's a genuine conflict; the follow-up email includes the few clauses we sometimes flag (rare). See procurement.

14. What about MSA terms? Indemnity, liability cap, SLA?

Standard mid-market MSA. Liability cap at 12 months' fees by default, negotiable for larger deployments. SLA on platform availability with credits, separate SLA on detection cadence. Indemnity scope is data-handling and IP; we don't carry general-business indemnity. Full term sheet on the procurement page.

15. Where does our data live, and can we keep it in our region?

Customer data residency is configurable. Default deployments run in your environment (the ESE is on-premise software you operate); telemetry and operational metadata can be hosted in US, EU, or Canadian regions, or kept fully on premise if your policy requires it. We don't egress customer device-fingerprint data outside the region you select. Full residency policy on the trust center.

16. What happens to our data when we end the contract?

Customer data export on request within 30 days of termination, in the same format you've been receiving it. Platform-side data deletion within 60 days of termination, certified in writing. The on-premise ESE is your software; you decommission it.

Finance

17. How is it priced?

RoomIQ: per-room recurring SKU. SpacesIQ: deployment-scale based on environment size. Both are annual. We publish ranges, not list prices; the demo closes with a quote tailored to your environment. See products.

18. What's typical first-year spend for an SMB our size?

Depends heavily on environment shape, but the range for SMBs in the $50M–$500M revenue band tends to land in the low-five-figure to low-six-figure annual band. The pilot is 30 days, no fee, so first-spend lands after a pilot completes successfully.

19. What's the payback window?

Most pilots see payback in 6–18 months on hard savings alone (labor reclaim, consultant displacement, audit-fee reduction). Insurance-premium effects and breach-avoidance value are upside, not in the base case. See ROI & TCO for the math.

Operations and change-management

20. Will this break my NAC or my network?

No. CybrIQ ships read-only at the network-device layer by default. We pull data from switches via standard read-only mechanisms; in the default deployment we don't push configuration changes and don't change network state. Optional SNMP-based enforcement (quarantine a port, disable an interface on detection) is available if you want CybrIQ to act directly; it ships disabled and is turned on per-event-type by your team. NAC, EDR, and existing tooling continue to run unchanged either way.

21. Who watches the alerts and the drift events?

Your team. CybrIQ feeds your existing SIEM via syslog (RFC 5424) or the REST API. Those two are the only egress channels; CybrIQ does not do webhooks or STIX/TAXII. If you don't have a SIEM, the platform has its own dashboard and alerting; downstream notifications then go through whatever your SOC tooling already routes. A documented on-call playbook ships with the deployment, covering swap detection, banned-vendor detection, topology change, and USB-attack detection, each with the 90-second decision tree your SOC analyst uses.

22. What does on-call look like for our SOC analyst?

Per-event response runs 90 seconds for the common cases (drift event, banned-vendor match, change-management ticket cross-check), 5–10 minutes for the cases requiring investigation. The on-call playbook documents the decision tree per event type. SOC analysts who've used the platform describe the events as well-scoped; the false-positive rate is low because we suppress on cross-referenced change-management tickets automatically.
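To make the syslog hand-off in Q21 and the change-ticket suppression in Q22 concrete, here is an added example (not CybrIQ's code) that parses RFC 5424 lines into events and routes them by the four playbook event types. The RFC 5424 framing is standard; the APP-NAME, the MSGID values, and the `ciq@99999` structured-data element are assumptions for illustration, not the product's documented schema.

```python
import re
from dataclasses import dataclass, field

# Constructed sample lines. RFC 5424 framing is real; the APP-NAME, MSGIDs and the
# ciq@99999 structured-data element are ASSUMED, not CybrIQ's documented schema.
SAMPLE_LINES = [
    '<134>1 2024-05-01T10:15:04Z ese01 cybriq 2201 swap [ciq@99999 port="gi1/0/12" old_fp="ab12" new_fp="9f3e"] fingerprint changed',
    '<132>1 2024-05-01T10:16:30Z ese01 cybriq 2201 banned_vendor [ciq@99999 port="gi1/0/20" vendor="ExampleCorp" list="ndaa-889"] vendor match',
    '<134>1 2024-05-01T10:17:02Z ese01 cybriq 2201 topology [ciq@99999 port="gi1/0/12" cm_ticket="CHG-4411"] neighbor changed',
    '<130>1 2024-05-01T10:18:45Z ese01 cybriq 2201 usb_attack - HID descriptor anomaly on gi1/0/33',
]
HEADER_RE = re.compile(r'^<(?P<pri>\d{1,3})>(?P<ver>\d) (?P<ts>\S+) (?P<host>\S+) '
                       r'(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$')
SD_RE = re.compile(r'\[(?P<id>[^\s\]]+)(?P<params>(?: [^\s=]+="(?:[^"\\]|\\.)*")*)\]')
PARAM_RE = re.compile(r'(?P<k>[^\s=]+)="(?P<v>(?:[^"\\]|\\.)*)"')
# ASSUMED mapping from MSGID to the four playbook entries named in Q21.
PLAYBOOK = {"swap": "swap detection", "banned_vendor": "banned-vendor detection",
            "topology": "topology change", "usb_attack": "USB-attack detection"}

@dataclass
class Event:
    severity: int   # PRI mod 8: 0 emergency .. 3 error .. 6 info .. 7 debug
    msgid: str
    params: dict = field(default_factory=dict)
    msg: str = ""

def parse_rfc5424(line: str) -> Event:
    """Parse the header and SD-PARAMs; raise on anything that is not RFC 5424."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not RFC 5424: " + line)
    rest, params, end = m["rest"], {}, 0
    if rest.startswith("-"):          # NILVALUE: message carries no structured data
        end = 1
    else:                             # SD-ELEMENTs are contiguous, so stop at the first gap
        for sd in SD_RE.finditer(rest):
            if sd.start() != end:
                break
            params.update({p["k"]: p["v"] for p in PARAM_RE.finditer(sd["params"])})
            end = sd.end()
    return Event(int(m["pri"]) & 7, m["msgid"], params, rest[end:].lstrip())

def triage(ev: Event) -> tuple:
    """Return (queue, reason). Events cross-referenced to a change ticket are
    suppressed, mirroring the automatic CM-ticket suppression described in Q22."""
    if "cm_ticket" in ev.params:
        return ("suppressed", "change ticket " + ev.params["cm_ticket"])
    if ev.msgid not in PLAYBOOK:
        return ("unmapped", "no playbook entry for MSGID " + ev.msgid)
    return ("page" if ev.severity <= 3 else "ticket", PLAYBOOK[ev.msgid])
```

Running `triage(parse_rfc5424(line))` over the four constructed lines yields two tickets, one suppressed topology change (it carries a change ticket), and one page for the critical-severity USB event.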

Risk and scope

23. Does CybrIQ prevent breaches?

No. CybrIQ shifts the dwell-time distribution and bounds the regulated-data-in-unintended-scope risk. Those two effects are the largest cost drivers on the SMB breach curve, which is why the tool earns its place in the stack. We're not the firewall, EDR, IAM, or the SOC. See cost of a breach for the narrow claim.

24. What about our cloud / SaaS footprint?

Out of scope. CybrIQ covers on-premise network-attached devices: workstations, servers, switches, IoT, OT, conference-room AV, biomed, plant-floor sensors. SaaS posture management (Wiz, Orca, Wing) and cloud-workload protection (CrowdStrike Falcon Cloud, Lacework) are separate tools for separate problems. We integrate alongside; we don't replace.

25. What's the worst case if we deploy and don't find anything interesting?

You confirmed your asset register is accurate, you have continuous evidence on the inventory question your carrier and auditor will both ask, and you have an artifact to put in front of the board next quarter. The pilot is 30 days, no fee; the three deliverables are yours regardless of your decision. The "nothing interesting" outcome is itself a defensible answer to several of the questions on the renewal questionnaire.

Question not on the list?

A live demo of the platform and a conversation about whether CybrIQ fits your environment. Bring the question; we'll either answer it during the demo or follow up after.
