Implementation · Integrates with

No rip-and-replace. CybrIQ feeds your existing SIEM, reconciles against your CMDB, and respects your change-management process. Two egress channels: syslog and REST. Nothing else.

Directors evaluating CybrIQ are usually running between five and twelve existing security and IT tools. The question isn't "will this become the new center of my stack?" It's "will this slot in without breaking what works?" This page is that answer, in the same shape as your procurement security-review questionnaire. What CybrIQ pushes, what it pulls, what it leaves alone, and what it deliberately doesn't do.

[Diagram: CybrIQ data flow]

Inbound (read-only): managed switches (Arista, Aruba, Cisco, HP, Meraki, Juniper, Rockwell...), polled every 30s; change-management system (ServiceNow, Jira SM, Freshservice, BMC...), optional, used for auto-suppression.

CybrIQ ESE (External Scan Engine): Linux or Windows on-prem server.

Outbound (2 channels only): syslog (RFC 5424) to SIEM & SOAR (Splunk, Sentinel, Sumo, Elastic, Chronicle, QRadar); REST API (JSON, pull) to NAC, CMDB, SOAR (Forescout, ISE, ServiceNow, your ticketing system).

What we don't ship: No webhooks. No STIX/TAXII. No vendor-specific connector. No write-back to switches by default.

Two universal channels for outbound. Switch reads are the only inbound; change-management is optional.

Egress (outbound): two channels, and only two.

Every CybrIQ event leaves the platform on one of two channels. We don't ship webhooks, we don't ship STIX/TAXII, we don't ship a proprietary connector for any single SIEM. Two universal channels, fully documented.

1. Syslog (RFC 5424)

The push channel. Every drift event, every framework-readiness change, every notable finding, and every banned-vendor match is formatted as a structured RFC 5424 syslog message with a stable schema. Any compliant SIEM can receive it: Splunk, Microsoft Sentinel, Elastic, Sumo Logic, Datadog, Devo, Exabeam, IBM QRadar, Chronicle. Transport is TCP, UDP, or TLS-encrypted. Field mapping ships with the deployment; your SIEM engineer wires it in within an afternoon.

2. REST API

The pull channel. Your SOC tooling, SOAR platform, or ticketing system queries the API on the cadence you choose. Every device record, every drift event, every framework readiness export, every supply-chain screening result is available as a JSON object. Authenticated via API token or mTLS depending on your environment. Documented endpoint surface; your senior engineer reads it in an hour.

What we deliberately don't ship. No webhooks (we don't push to arbitrary HTTP endpoints; that's an attack surface we don't open). No STIX/TAXII (the format is overkill for the events we produce, and the receivers your SOC already trusts use syslog or REST). No vendor-specific connector for SIEM X or SOAR Y (we don't pick favorites; the universal channels work everywhere).

Ingress (inbound): what CybrIQ reads from your environment.

CybrIQ pulls data from two places: your managed switches (the source of truth for device identity) and your change-management system (so we can suppress approved changes instead of alerting on them).

From your managed switches

Read-only queries over the standard switch-management plane. CybrIQ supports Arista, Aruba, Cisco, HP, Huawei, Juniper, Meraki, Rockwell Automation, and Ruijie Networks. Polling cadence is 30 seconds by default, tunable. The default deployment is observe-only: no write commands, no configuration changes. Optional SNMP-based enforcement (quarantine a port, disable an interface) is available if the customer wants CybrIQ to take action on detection; it ships disabled and is enabled per-event-type by your security team.

From your change-management system (optional but valuable)

The integration that drives auto-suppression of approved-change drift events. Read-only access to ticket records via REST API or scheduled CSV export. Supported out of the box: ServiceNow, Jira Service Management, Freshservice, BMC Helix, Zendesk. Custom systems integrate via REST or scheduled export. The CMDB and the change-management system are typically the same ServiceNow tenant; one integration covers both purposes.

Tools CybrIQ works alongside.

CybrIQ is rarely the first dollar in a security stack. These are the tools customers most often run it next to. The slot is consistent: continuous device-identity evidence underneath enforcement and detection that operate on higher-layer signals.

SIEM / SOAR

Splunk, Microsoft Sentinel, Sumo Logic, Elastic, Chronicle, Exabeam, QRadar, Devo. CybrIQ pushes events; SIEM correlates and your SOC playbook routes from there.

NAC

Forescout, Cisco ISE, Aruba ClearPass, Portnox. CybrIQ provides the spoof-resistant identity layer; NAC handles enforcement. Integration via syslog + REST.

EDR / MDR

CrowdStrike, SentinelOne, Microsoft Defender, Sophos. EDR for software-side detection; CybrIQ for hardware-side and unmanaged-device visibility. No overlap.

NDR

Vectra, Darktrace, ExtraHop, Corelight. NDR for traffic-behavior analysis; CybrIQ for identity verification. Different questions.

CMDB / ITSM

ServiceNow, Atlassian Insight, Lansweeper, RunZero, BMC Helix. CybrIQ generates the ground-truth network inventory; CMDB consumes the reconciliation report.

OT visibility

Claroty, Nozomi, Dragos, Tenable.OT. They cover the OT-protocol plane; CybrIQ covers IT and non-protocol devices. Boundary maps onto your existing IT/OT segmentation.

What integration does NOT mean.

Three things Directors should explicitly confirm with their team, because the answers differ from many enterprise security tools.

CybrIQ does not push configuration changes by default. The default deployment is read-only at the switch-management plane; we cannot break the network in normal operation.

CybrIQ does not take enforcement actions by default. Quarantine-a-port and disable-an-interface are available as optional SNMP-driven actions if you want CybrIQ to act on detection; they ship disabled and are turned on per-event-type by your security team. Most customers route enforcement through their existing NAC rather than through CybrIQ directly, but either path is supported.

CybrIQ does not require SPAN or mirror-port infrastructure. Many network-visibility tools require capacity you may not have; CybrIQ does not, because we read from the switch rather than from the wire.

For the security-review checklist

The questions procurement and infosec review will most often ask:

"What does it write by default?" Nothing.

"Can it take enforcement actions if we want it to?" Yes, optional SNMP-driven actions are available and ship disabled.

"What egress channels does it use?" Syslog and REST API.

"Does it require SPAN/TAP infrastructure?" No.

"What does it pull from our environment?" Switch read-only queries plus an optional change-management read integration.

Those five answers close the integration-and-security portion of most procurement reviews.

Want the integration scoped to your stack?

A live demo of the platform and a conversation about whether CybrIQ fits your environment. Mention your SIEM and NAC when you book; we'll show the egress and event format on the demo.
