A security company that owns its supply chain, its threat model, and the parts of its scope that don't make the marketing slides.
This company is built by people who spent the front half of their careers on the buying side of vendor diligence. Most of what's on this site is what we wished we'd been handed during those evaluations and never were. This page is the company-posture page: who builds the product, how the supply chain is hardened, what the disclosure path looks like, and the rest of the procurement-grade questions that come up in every diligence packet.
Engineering & security posture of the company
SOC 2 Type II
CybrIQ maintains continuous SOC 2 Type II controls. Report available under MNDA. Audit firm and audit period available on request.
Reproducible builds
The CybrIQ software (the External Scan Engine (ESE) and the control-plane components) is reproducibly built. Customers can verify that the SHA-256 of the running binary matches the hash published on the artifact registry. A build-provenance attestation (SLSA Level 3) ships with every release.
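The check a customer would run on the claim above (and on the per-release provenance described under Software supply chain), as an added example that is not CybrIQ's own tooling: bind the bytes on disk to the subject digest in the SLSA provenance statement and pin the builder identity. It assumes the attestation is an in-toto v1 Statement with a SLSA v1 predicate, uses a placeholder builder id and a constructed sample binary, and assumes the statement's DSSE signature has already been verified.

```python
import hashlib
import json

SLSA_PREDICATE_PREFIX = "https://slsa.dev/provenance/"

# Constructed stand-in for a release binary (not a real CybrIQ artifact).
SAMPLE_BINARY = b"\x7fELF-constructed-sample-ese-binary\n"
# Placeholder builder identity the verifier pins; CybrIQ's real builder id is not on the page.
EXPECTED_BUILDER = "https://example.invalid/cybriq-hermetic-builder"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed in-toto v1 Statement carrying a SLSA v1 provenance predicate. The subject
# digest is derived from SAMPLE_BINARY so the happy path is self-consistent.
SAMPLE_PROVENANCE = json.dumps({
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "ese-linux-amd64", "digest": {"sha256": sha256_hex(SAMPLE_BINARY)}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {"buildDefinition": {}, "runDetails": {"builder": {"id": EXPECTED_BUILDER}}},
})


def verify_artifact(data: bytes, statement_json: str, name: str, builder: str) -> tuple[bool, str]:
    """Check a downloaded artifact against its provenance statement.

    Assumes the enclosing DSSE envelope was signature-checked first; this step only
    binds bytes-on-disk to the attested subject digest and pins the builder identity.
    """
    stmt = json.loads(statement_json)
    if stmt.get("_type") != "https://in-toto.io/Statement/v1":
        return False, "not an in-toto v1 statement"
    if not str(stmt.get("predicateType", "")).startswith(SLSA_PREDICATE_PREFIX):
        return False, "predicate is not SLSA provenance"
    got_builder = stmt.get("predicate", {}).get("runDetails", {}).get("builder", {}).get("id")
    if got_builder != builder:
        return False, f"unexpected builder id {got_builder!r}"
    attested = {s["name"]: s["digest"].get("sha256") for s in stmt.get("subject", [])}
    if name not in attested:
        return False, f"artifact {name!r} not among attested subjects"
    actual = sha256_hex(data)
    if actual != attested[name]:
        return False, f"digest mismatch: attested {attested[name][:12]}..., actual {actual[:12]}..."
    return True, "artifact matches attested subject digest"


if __name__ == "__main__":
    print(verify_artifact(SAMPLE_BINARY, SAMPLE_PROVENANCE, "ese-linux-amd64", EXPECTED_BUILDER))
```

A single flipped byte in the artifact, a subject name the statement does not list, or an unexpected builder id each fails closed with a reason string rather than a bare boolean.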
Signed releases, offline signing key
Software releases are signed by a key stored in a hardware token, held offline at CybrIQ's HQ. The ESE refuses any unsigned image. Signing-ceremony documentation is available under MNDA.
Vulnerability disclosure
Coordinated disclosure policy at cybriq.io/security/disclosure. PGP-signed advisories. SLA: acknowledgment within 24 business hours; status update within 5 business days; coordinated public disclosure on patch availability.
Software supply chain
CybrIQ ships no hardware; the ESE is software the customer runs on their own server, so the hardware supply-chain question is the customer's existing server-procurement question, not a CybrIQ-specific one. On the software side: every dependency in the CybrIQ codebase is pinned, audited, and tracked in a public SBOM. Build runs in a hermetic environment. SLSA Level 3 provenance attestation per release. The full dependency tree is auditable under MNDA.
Data residency
Cloud control plane: customer chooses US, EU, or APAC. On-prem control plane: customer-hosted, no outbound traffic required. Air-gapped: fully supported (with documented operational trade-offs; see Products).
Telemetry collected by CybrIQ itself
The ESE and control plane emit operational metrics (health, version, resource use) to CybrIQ for support purposes. No customer Layer 1 records are transmitted to CybrIQ. Customer data lives in the customer tenant only. Telemetry can be disabled in air-gapped or restricted environments.
Where we sit in the market
For evaluators doing comparison shopping.
| Adjacent category | How CybrIQ differs |
|---|---|
| NAC (Cisco ISE, Aruba ClearPass, Forescout) | NAC sees devices that authenticate. CybrIQ sees devices regardless of authentication. The two are complementary; many customers run both. |
| IoT/OT visibility (Armis, Claroty, Nozomi, Asimily) | Most IoT-visibility platforms read traffic at L2+ and infer device identity from protocol fingerprinting. CybrIQ adds Layer 1, independent of what the device says about itself. Often complementary for healthcare and OT environments. |
| Cable / port management (Network Critical, Cubro) | These are infrastructure tools; they don't produce a security inventory. CybrIQ derives identity from switch-management data rather than packet inspection, and frames the output as a security and compliance product, not an infrastructure tool. |
| Asset-management platforms (ServiceNow CMDB, Lansweeper) | CMDBs need a source of truth; they don't observe the network. CybrIQ feeds the CMDB with a continuous, validated inventory. |
More detailed comparisons against specific named vendors are on the public-site Comparisons page.
Channel posture
CybrIQ is sold through AV-integrator partners and directly to security teams in regulated industries. For security engineers: the partner relationship matters because the External Scan Engine is set up by the integrator (or the customer's in-house team) and runs on a small customer-provided server. The security team is the data consumer and the policy owner; the integrator is the install-and-operate path. CybrIQ staff never have physical or network access to the customer environment.
Need the full company-security packet?
Security-posture statement (SOC 2 Trust Services Criteria aligned; formal Type II on the roadmap), supply-chain provenance, signing-ceremony documentation, BOM, FTO summary. All under MNDA. Request packet via the contact form.