Five anonymized engagements. What we found, told the way I'd tell it to another security engineer.
Identifying details are scrubbed. Device counts, timelines, framework controls, and the SIEM event behavior are real. Each card is written to answer one question: what did this look like when the External Scan Engine (ESE) first started reporting? The summaries are deliberately short. If you want the full read on any of them, ask during the working session and I'll walk through the dashboard.
312 devices found in a single day. 47 had never been registered.
Context. A Fortune-500 healthcare campus, around 120 conference rooms across two main buildings. HIPAA, PCI 4.0, and SOC 2 controls all required current device inventory. The security team's stated inventory accuracy was about 85%. The actual number, once we got the ESE running, was lower.
What the first sweep produced.
- 312 devices total across the piloted footprint
- 47 devices not on the asset register at all (about 15% of total)
- 11 devices whose vendor labels didn't match the reference-database identity; relabeled gear, almost certainly from a previous integrator engagement that nobody on the current team remembered
- 3 unmanaged switches bridging laptops onto the production VLAN; one of them had been quietly in place for over a year
What changed. The next HIPAA control walk-through used the evidence pack directly. The auditor accepted on first review. Audit prep dropped from six weeks to four days.
MITRE coverage: T1200, T1199, T1078. Framework controls: HIPAA Security Rule 164.312(b), PCI 4.0 12.5.1, SOC 2 CC6.1.
846 trading-floor devices. SOX inventory finding closed at day 11.
Context. A multi-state bank carrying an open SOX inventory finding from the prior year. Trading floors with heavy AV gear, dealer-board devices, market-data terminals, and a high density of unmanaged switches behind individual desks. The clock on the finding was 90 days to closure before the next quarterly audit.
What the 30-day pilot produced.
- 846 devices fingerprinted across the piloted trading floors
- 72 devices not previously inventoried
- 0 NDAA-prohibited components, confirmed by fingerprint
- 14 device-substituted events in the pilot window; all attributed to routine hardware refresh, all logged for the forensic record
What changed. The security team closed the SOX finding with the evidence pack at day 11 of the pilot. The decision to extend the deployment to all floors was made at day 17, before the pilot was even technically over.
MITRE coverage: T1200, T1078. Framework controls: SOX inventory controls, NIST 800-171 3.4.1, SOC 2 CC6.1.
11 NDAA-prohibited components found. 7 auto-quarantined at the port.
Context. A federal contractor with active CMMC L2 obligations, AV networks across 8 facilities. Procurement had used several third-party integrators over the years, and some vendor provenance was unclear. The CISO wanted real-time NDAA Section 889 detection, not the periodic audit she'd been getting.
What the first 30 days produced.
- 11 NDAA-prohibited components detected across the deployment
- Cisco ISE integration auto-quarantined 7 of them inside 60 seconds of detection
- 4 required manual review through the legitimate vendor-exemption pathway
- 1 supply-chain-compromised batch of switches; the manufacturer's documentation didn't match the reference-database identity, and the investigation traced it back to overseas relabeling that the supplier had never disclosed
What changed. The CMMC L2 finding was pre-empted. The contractor terminated the supplier relationship that produced the relabeling discovery. Deployment extended to all 8 facilities. The relabeling case is the one I tell when someone asks "but how could it really matter?"
MITRE coverage: T1199, T1542. Framework controls: NDAA 889, CMMC L2 CM.L2-3.4.1, NIST 800-171 3.4.1.
1,247 devices across research labs. CMMC L2 finding closed.
Context. An R1 research university with controlled-unclassified-information (CUI) research projects requiring CMMC L2 compliance. Lab environments were high-churn: students rotating equipment, departments swapping gear, constant BYOD on the guest VLAN. The security team needed continuous validation, not point-in-time scanning.
What the pilot produced.
- 1,247 devices identified across 14 buildings
- 234 device-appeared events in the pilot window; most legitimate, 12 required follow-up
- 89 device-substituted events, all matched to documented hardware refresh
- 2 unmanaged switches inserted in CUI research areas, escalated immediately
What changed. CMMC L2 inventory finding closed. Lab-environment alert severity was tuned down to suit the high churn, but logging stayed on for audit defense. The network team got a clean topology baseline for the first time in three years. The university's security director told me on a follow-up call that he'd stopped dreading audit week.
MITRE coverage: T1200, T1199. Framework controls (inventory half only): CMMC L2 CM.L2-3.4.1, NIST 800-171 3.4.1. The configuration-baseline half of 3.4.1 and the settings-enforcement requirement of 3.4.2 need complementary configuration-management tooling.
12 stores piloted. ~28% register-vs-reality gap. Multi-store rollout in 6 weeks.
Context. A 200-store retail chain with PCI 4.0 obligations, including inventory controls (12.5.1) and change-detection (11.5.1). Point-of-sale infrastructure had been inherited from a chain of acquisitions. The security team's confidence in store-level inventory accuracy was, as the security director put it, "zero."
What the 12-store pilot produced.
- About a 28% average gap between the asset register and the actual inventory per store
- 3 stores had POS hardware on the wrong VLAN, which is a PCI segmentation finding
- 1 store had been running a personal mobile hotspot off a back-office jack for roughly 5 months
- The roll-out plan for the remaining 188 stores landed at 6 weeks post-pilot
What changed. PCI 4.0 inventory and segmentation findings pre-empted before the next QSA assessment. Per-store evidence packs replaced manual reconciliation. The security team's finance counterpart estimated the manual audit-prep process they replaced had been costing roughly $240,000 a year in labor.
MITRE coverage: T1200, T1078. Framework controls: PCI 4.0 12.5.1, A2.1.
The patterns that recur
After enough pilots, the shape of what we find stops surprising me. The numbers below are the bands I've watched the reference customer set produce. Your environment will produce its own numbers; the pilot is what quantifies them on your actual fleet.
| Pattern | Typical magnitude |
|---|---|
| Devices missing from the asset register | 8 to 28% depending on environment |
| Devices with vendor labels that don't match the Layer 1 fingerprint | Usually 1 to 4% of total, higher in environments inherited through acquisition |
| Unmanaged switches plugged into production wall jacks | 1 to 3 per piloted floor on average |
| NDAA-prohibited components (in-scope deployments) | Highly variable, depends on procurement history |
| Audit-prep time savings | Typically 4x to 10x reduction (weeks become days) |
Run the same play on one of your sites.
30-day pilot, no fee. You keep the inventory, the drift report, and the evidence pack regardless of the decision at the end.
Start a pilot