CybrIQ for security engineers
Written for security engineers, SOC analysts, and detection-engineering teams.

Every security tool above Layer 2 reads what the device claims to be. We read what it is.

CybrIQ polls your managed switches in read-only mode every 30 seconds, resolves every observed device against a reference database of 750 million-plus device fingerprints, and emits a deterministic identity called Device DNA. The path is deterministic end to end: a database lookup, not a model. The inventory comes from the switches, not from an agent on the device or a tap on the wire. (One narrow exception: a small optional agent on workstations covers USB-threat detection; see below.) Audit teams call it "the only inventory I haven't had to argue with."


One External Scan Engine (ESE) software install per up to 500 switches. No SPAN, no mirror, no traffic capture. (Optional USB-threat agent on workstations; everything else is switch-derived.)

Where this fits in your stack

Every existing tool reads from Layer 2 up. CybrIQ adds the floor. That's the whole story.

L7 Application: SIEM, SOAR, WAF
L4-6 Transport: EDR, NDR, IDS
L3 Network: Firewalls, segmentation
L2 Data link: NAC (only if the device bothers to authenticate). This is the visibility ceiling: every tool above it reads claims, not facts.
L1 Physical wire: CybrIQ Device DNA. Observed signatures, deterministic, no model. CybrIQ adds this floor.

If your NAC, EDR, and CMDB are returning three different device counts (and mine usually were), you already have direct experience with the visibility ceiling. The tools aren't broken. They were built for the layers above. Nobody was watching what's on the wire.

What every pilot turns up.

01. The asset register is wrong by 10 to 28 percent. Every pilot surfaces devices the CMDB has never heard of. The variance isn't the point. The point is that nobody can quote the actual number until they've seen what the switches actually report.
02. Vendor labels lie. Relabeled cameras turn up in federal-contractor environments where the procurement paperwork says one vendor and the 750M-device reference lookup says another. OEM packaging matches. Switch-derived identity doesn't. If your NDAA compliance depends on what the box claims to be, you don't actually have NDAA compliance.
03. The 6-week reconstruction never gets less painful. Manual audit prep eats the senior engineer for a quarter. The auditor accepts the result on faith because nothing better exists. The team promises to start earlier next time. They never do. This is the cycle the platform was built to break.

The validation loop, simplified

Continuous polling across in-scope switches; sub-minute end-to-end. If you've ever wished the asset register would update itself, this is what that actually looks like in implementation.

POLL: structured signal set per switch port (continuous polling across in-scope switches)
RESOLVE: signal set vs. the 750M+ device DB
COMPARE: vs. the prior signature on that port
DECIDE: similarity ≥ 0.65?
EMIT: event to SIEM if the identity changed

What a swap actually looks like in your SIEM

Someone replaces a device on port 47. Same MAC, same VLAN. Above L2, the swap is invisible. On the next switch poll, the structured signal set shifts enough that the 750M+ reference-database lookup resolves to a different device. Here's what shows up in your SIEM moments later.

{
  "event":        "device-substituted",
  "severity":     "high",
  "timestamp":    "2026-05-10T17:08:12Z",
  "port":         "sw-bldg-3-fl-2/port-47",
  "previous_dna": "dna:7a4f-1c91...",
  "current_dna":  "dna:5b8e-2a4f...",
  "similarity":   0.31,
  "previous_vendor_hint": "Crestron DM-MD8x8",
  "current_vendor_hint":  "unknown (.41 confidence)",
  "mitre":        ["T1200", "T1556"],
  "controls":     ["PCI-4.0/12.5.1", "SOC2/CC6.1"]
}

Your correlation rule looks at similarity below 0.5 plus the absence of an open change ticket for the port. No ticket and 0.31 similarity: that goes straight to the on-call analyst. The MITRE tags are there so the SOC manager's metrics roll up cleanly. The control mappings are there so when the auditor asks about PCI 12.5.1 next quarter, you've got the event history queryable.
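The validation loop sketched above and the correlation rule just described, as an added example that is not CybrIQ's code. Taken from the page: the poll/resolve/compare/decide/emit sequence, the 0.65 decide threshold, the 0.5 escalation threshold, the event field names and the port name. Assumed for the example: Jaccard similarity over the per-port signal set as the metric, a SHA-256-derived "dna:" string as the identity, a dict standing in for the reference database, and a set of ports with open change tickets standing in for the ticketing system; the signal values themselves are constructed.

```python
# Added example, not CybrIQ's code. Page-derived: the poll/resolve/compare/
# decide/emit loop, the 0.65 decide threshold, the 0.5 escalation threshold,
# the SIEM event field names. Assumed for illustration: Jaccard similarity over
# the per-port signal set, a SHA-256-derived "dna:" string, a dict standing in
# for the reference database, and a set of ports with open change tickets.
import hashlib
import json

DECIDE_THRESHOLD = 0.65   # page: DECIDE similarity >= 0.65 means "same device"
ESCALATE_BELOW = 0.5      # page: correlation rule escalates similarity below 0.5

# Constructed signal sets for one port. The swap keeps MAC and VLAN, as the page
# describes, so only the signals above the MAC level tell the two devices apart.
PORT = "sw-bldg-3-fl-2/port-47"
PRIOR = frozenset({"mac_oui:00:10:7f", "vlan:120", "lldp:Crestron",
                   "dhcp_opt60:Crestron", "poe:class4"})
SWAPPED = frozenset({"mac_oui:00:10:7f", "vlan:120", "lldp:none",
                     "dhcp_opt60:generic", "poe:class0"})
DRIFTED = frozenset({"mac_oui:00:10:7f", "vlan:120", "lldp:Crestron",
                     "dhcp_opt60:Crestron", "poe:class3"})

# Constructed stand-in for the 750M+ reference database: exact signal set -> hint.
REFERENCE_DB = {PRIOR: "Crestron DM-MD8x8"}


def device_dna(signals):
    """Deterministic identity: SHA-256 over the sorted signal set (assumed scheme).
    The same observations in any order give the same string, which is what lets
    the value be cited as audit evidence rather than a model's opinion."""
    canonical = "\n".join(sorted(signals)).encode()
    return "dna:" + hashlib.sha256(canonical).hexdigest()[:16]


def similarity(prev, cur):
    """Jaccard similarity of two signal sets (assumed metric): 1.0 identical, 0.0 disjoint."""
    prev, cur = set(prev), set(cur)
    if not prev and not cur:
        return 1.0
    return len(prev & cur) / len(prev | cur)


def resolve(signals):
    """RESOLVE step: look the signal set up in the reference database."""
    return REFERENCE_DB.get(frozenset(signals), "unknown")


def poll_port(port, prior, observed, timestamp):
    """COMPARE the observed signal set with the prior signature and DECIDE.
    Returns a SIEM event when the identity changed, None when it held."""
    score = similarity(prior, observed)
    if score >= DECIDE_THRESHOLD:
        return None
    return {
        "event": "device-substituted",
        "severity": "high",
        "timestamp": timestamp,
        "port": port,
        "previous_dna": device_dna(prior),
        "current_dna": device_dna(observed),
        "similarity": round(score, 2),
        "previous_vendor_hint": resolve(prior),
        "current_vendor_hint": resolve(observed),
    }


def should_page_oncall(event, open_change_tickets):
    """Correlation rule from the page: similarity below 0.5 and no open change
    ticket for the port goes straight to the on-call analyst."""
    return (event["event"] == "device-substituted"
            and event["similarity"] < ESCALATE_BELOW
            and event["port"] not in open_change_tickets)


if __name__ == "__main__":
    # Minor drift (PoE class changed) scores 4/6 and stays above 0.65: no event.
    assert poll_port(PORT, PRIOR, DRIFTED, "2026-05-10T17:07:42Z") is None
    # A swap that keeps MAC and VLAN still drops the similarity to 0.25.
    event = poll_port(PORT, PRIOR, SWAPPED, "2026-05-10T17:08:12Z")
    print(json.dumps(event, indent=2))
    print("page on-call:", should_page_oncall(event, open_change_tickets=set()))
```

The two thresholds do different jobs: 0.65 decides whether the identity on the port changed at all, and 0.5 decides whether a change is severe enough to wake someone when no change ticket explains it. A PoE class change alone stays above the decide line, so the inventory is not spammed with events for ordinary drift, while a swap that preserves MAC and VLAN still falls to 0.25 and pages.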

Where this won't help you

Vendors regularly oversell tools into roles they can't fill. The list below keeps this product from doing the same.

If your pain is SQLi or XSS: that's a WAF problem. We're at L1; the application layer is six layers above us.
If your pain is endpoint malware: EDR's job. We see the device is the device. What it's running is somebody else's view.
If your pain is phishing: email security gateway. None of this touches the inbox.
If your pain is identity attacks: IAM and UEBA. We don't watch authentication events.
If your pain is data exfil over TLS: NDR with cert visibility. We see the link is live, not what's flowing through it.
If your pain is cloud misconfig: CSPM or CASB. Different planet from where we operate.

CybrIQ closes one specific gap: Layer 1 inventory accuracy and continuous device validation. Nothing else covers that gap. Everything in your stack covers something else, and you still need most of it.

A note on AI, because every security tool has to have one now

There's no model in our detection path. There's no LLM in the analysis pipeline. The decision was made for boring reasons in 2017, before any of the current AI-attack literature existed. We wanted auditors to accept the signature as evidence, and "the SHA hash of these five observations" is auditable in a way that "the model classified it as a Crestron with 92 percent confidence" is not.

The side effect, six years later: the design is structurally immune to adversarial ML evasion, training-data poisoning, model supply-chain attacks, prompt injection, and the hallucinated-triage failure modes that newer tools are starting to learn about the hard way. That immunity wasn't planned; it falls out of the architecture.


The pilot ships three artifacts. You keep all three.

A Layer 1 inventory of the piloted environment. A 30-day drift report. A framework-mapped evidence pack. Yours whether you go forward or not. Replaces the kind of six-week manual reconstruction most security teams have repeated more times than they want to count.
