Engineering reference for security engineers, SOC analysts, and detection-engineering teams.
Detection

What this catches that your NAC, EDR, and asset register all miss, mapped to MITRE ATT&CK.

Every detection on this page is something the higher-layer tools in your stack would let through. The point of this page is to be useful to your detection-engineering practice, so each one carries the trigger, the observable, the false-positive control, and the analyst response. The format is the same one I'd use to onboard a new SOC analyst to this signal source.

MITRE technique IDs are imperfect approximations of what an attack looks like in your environment. The mappings below are the closest fit. If your internal taxonomy maps these differently, your taxonomy wins.

Reconnaissance & Initial Access (TA0043 / TA0001)

Unauthorized switch insertion

T1200 · Hardware Additions

Trigger. A previously direct device-to-uplink path develops a hop. The switch reports one more downstream hop on the port than the documented topology accounts for.

Observable. port-topology-changed event. The new hop's signature appears as a new Device DNA.

False-positive control. Cross-reference against change-management tickets. Auto-suppress when an approved move/add/change (MAC) or network-change ticket that covers the port was raised within the last 24h.

Analyst response. Verify whether IT installed it. If not, treat it as an in-band insertion, typically used to bridge an unauthorized BYOD device onto a corporate VLAN or as a stepping stone for a further pivot.

Device substitution (swap attack)

T1200 · Hardware Additions · T1556 · Modify Authentication Process

Trigger. Same physical port, same MAC OUI, but the switch-derived signal set has shifted enough that the reference-database lookup resolves to a different device record than before.

Observable. device-substituted event. The DNA hash changes; the port_id is constant.

False-positive control. Firmware updates can produce a small DNA shift. CybrIQ keeps a similarity score; events fire only when the score drops below a configurable threshold (default 0.65). A genuine firmware update typically shifts the score by 0.05–0.10.

Analyst response. This is the canonical signal that a device was physically swapped: replaced with a malicious twin, a tampered unit, or a different vendor's hardware altogether. Investigate as a P1.

Unmanaged device on managed VLAN

T1078 · Valid Accounts · T1133 · External Remote Services

Trigger. The switch reports a device drawing a link on a port assigned to a managed VLAN; the device is not authenticating via 802.1X and not enrolled in the EDR or asset register.

Observable. device-appeared event with the unenrolled flag set after a configurable grace period (default 4h).

False-positive control. Lab/sandbox VLANs are excluded by tag. Devices that authenticate within the grace period are dropped from the report.

Analyst response. Verify whether the device should be on the network. If yes, push it through the onboarding flow. If no, isolate at the port.

USB-attack device plugged into a workstation

T1200 · Hardware Additions · T1056 · Input Capture

What this catches. Rubber Ducky, Flipper Zero, O.MG cables, BadUSB-class HID-spoofing devices, and rogue USB mass-storage plugged into a Windows or Linux workstation. Any of these can be used as initial-access tooling or insider-threat hardware, and none of them show up on Layer 1 because they ride a port that already had a legitimate workstation on it.

How. An optional small CybrIQ agent runs on Windows and Linux workstations. It enumerates the USB-device tree, compares each device against a curated database of attack-tool signatures, and emits a usb-threat-detected event when a match lands. It is the only place CybrIQ touches an endpoint; the inventory path is still switch-derived.

Observable. usb-threat-detected event carrying the full USB descriptor (vendor ID, product ID, device class, serial), the matched attack-tool class, the host that observed it, the user logged in at the time, and the action taken.

False-positive control. Allow-listing supports legitimate dev/test tools (hardware engineers, red teams, security researchers). The agent is opt-in per host and can be scoped to high-risk groups (privileged users, executive workstations, R&D, finance) rather than the whole fleet.

Analyst response. Treat as initial access. Pull the host out of the production VLAN via NAC, image the workstation, interview the user. Rubber Ducky and Flipper Zero are not legitimate productivity devices on a corporate endpoint; an alert here means either a deliberate red-team exercise (verify against the test schedule) or an actual intrusion attempt.

[Diagram: workstation (Windows / Linux) USB ports → CybrIQ USB agent enumerates VID/PID/class/descriptor/serial → match against the attack-tool signature DB (Rubber Ducky, Flipper Zero, O.MG, BadUSB, ...) → usb-threat-detected event → syslog + REST. Allow-list supports legitimate dev/test tools; opt-in per host; the inventory path stays switch-derived and this is the only place CybrIQ touches an endpoint.]
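The matching step the agent performs, written out as an added example. This is not the CybrIQ agent's code and the signature database is not its database: the VID/PID values, the serial numbers, the allow-list entries, the attack-tool class names and the "block-and-alert" action are constructed placeholders, not the real descriptors of any product. Beyond a plain VID/PID lookup, the example adds a structural heuristic a practitioner would want: a device that exposes a boot-keyboard HID interface alongside a mass-storage interface has the classic BadUSB shape (a "flash drive" that types), and is flagged even when its descriptor is not in the signature list.

```python
"""Added example: USB descriptor matching against an attack-tool signature DB
with an allow-list and a composite-HID heuristic. All identifiers below are
constructed placeholders for illustration, not real product descriptors."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

USB_CLASS_HID = 0x03
USB_CLASS_MASS_STORAGE = 0x08
HID_SUBCLASS_BOOT = 0x01
HID_PROTOCOL_KEYBOARD = 0x01


@dataclass(frozen=True)
class Interface:
    cls: int
    subclass: int = 0
    protocol: int = 0


@dataclass(frozen=True)
class UsbDevice:
    vid: int
    pid: int
    serial: str
    interfaces: Tuple[Interface, ...]
    product: str = ""


# Constructed signature DB: (vid, pid) -> attack-tool class. Placeholder values.
SIGNATURE_DB: Dict[Tuple[int, int], str] = {
    (0x1111, 0x0001): "keystroke-injector",
    (0x1111, 0x0002): "multi-tool-hid-emulator",
    (0x2222, 0x0010): "implanted-cable",
}

# Allow-list entries: (vid, pid, serial). Serial "*" allows every unit of that model.
ALLOW_LIST: Set[Tuple[int, int, str]] = {
    (0x1111, 0x0002, "RT-LAB-0042"),   # constructed: a ticketed red-team lab unit
}


def is_allowed(dev: UsbDevice, allow_list=ALLOW_LIST) -> bool:
    """Exact serial match, or a wildcard entry for the whole model."""
    return ((dev.vid, dev.pid, dev.serial) in allow_list
            or (dev.vid, dev.pid, "*") in allow_list)


def classify(dev: UsbDevice, signature_db=SIGNATURE_DB) -> Optional[str]:
    """Return the matched attack-tool class, or None for a benign-looking device."""
    hit = signature_db.get((dev.vid, dev.pid))
    if hit:
        return hit
    # Structural heuristic: a boot keyboard interface on the same device as a
    # mass-storage interface is the BadUSB shape, whatever the VID/PID says.
    has_keyboard = any(i.cls == USB_CLASS_HID and i.subclass == HID_SUBCLASS_BOOT
                       and i.protocol == HID_PROTOCOL_KEYBOARD for i in dev.interfaces)
    has_storage = any(i.cls == USB_CLASS_MASS_STORAGE for i in dev.interfaces)
    if has_keyboard and has_storage:
        return "composite-hid-storage"
    return None


def scan(devices: List[UsbDevice], host: str, user: str) -> List[dict]:
    """Emit one usb-threat-detected record per matched device, carrying the
    descriptor, matched class, observing host, logged-in user and action taken.
    Allow-listed matches are still recorded (action "allow-listed") so the
    audit trail shows the device was seen, but they are the ones not to page on."""
    events = []
    for dev in devices:
        tool_class = classify(dev)
        if tool_class is None:
            continue
        events.append({
            "event": "usb-threat-detected",
            "host": host,
            "user": user,
            "descriptor": {"vid": f"{dev.vid:04x}", "pid": f"{dev.pid:04x}",
                           "classes": sorted({i.cls for i in dev.interfaces}),
                           "serial": dev.serial},
            "matched_class": tool_class,
            "action": "allow-listed" if is_allowed(dev) else "block-and-alert",
        })
    return events


if __name__ == "__main__":
    # Constructed device tree: a signature hit, an allow-listed lab unit, a
    # composite keyboard+storage stick, a plain flash drive and a mouse.
    tree = [
        UsbDevice(0x1111, 0x0001, "SN-0001", (Interface(3, 1, 1),)),
        UsbDevice(0x1111, 0x0002, "RT-LAB-0042", (Interface(3, 1, 1),)),
        UsbDevice(0x3333, 0x9999, "SN-0003", (Interface(3, 1, 1), Interface(8, 6, 0x50))),
        UsbDevice(0x4444, 0x0001, "SN-0004", (Interface(8, 6, 0x50),)),
        UsbDevice(0x4444, 0x0002, "SN-0005", (Interface(3, 1, 2),)),
    ]
    for ev in scan(tree, host="ws-finance-07", user="j.doe"):
        print(ev["matched_class"], ev["descriptor"]["serial"], ev["action"])
```

The heuristic is deliberately narrow (boot keyboard plus mass storage on one device); a composite keyboard-plus-mouse or a keyboard with a vendor-specific interface is normal and should not be flagged by it.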

Persistence & Defense Evasion (TA0003 / TA0005)

NDAA-prohibited component detected

T1199 · Trusted Relationship · Compliance-driven

Trigger. Reference-database lookup matches the NDAA Section 889 banned-vendor list (Huawei, ZTE, Hikvision, Dahua, Hytera, others).

Observable. ndaa-prohibited-detected event with vendor and confidence.

False-positive control. Vendor hints carry a confidence score (0.0–1.0). Events fire only when confidence ≥ 0.85. Lower-confidence matches surface in the dashboard but do not page.

Analyst response. Federal contractors: this is an immediate compliance failure. Private sector: depends on policy. Either way, the device should not be on an in-scope network; isolate it at the port and confirm via physical inspection.

Device DNA stability shift consistent with firmware tampering

T1542 · Pre-OS Boot · T1601 · Modify System Image

Trigger. The DNA similarity drops by more than a vendor firmware update typically produces, but not far enough to cross the substitution threshold. The traffic-shape profile changes in characteristic ways (new beaconing, new control-plane targets).

Observable. device-firmware-shift event with the similarity delta logged.

False-positive control. Cross-reference with the change-management log. If a documented firmware roll-out is in flight, attribute the shift to that and suppress.

Analyst response. If no documented firmware update covers the device, treat as suspected supply-chain or in-place modification. Capture a forensic image where possible.
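The three DNA-and-topology detections above (unauthorized switch insertion, device substitution, firmware-shift band) share one decision rule: compare an observed delta against the control-panel thresholds, then decide whether an approved change ticket inside the lookback window explains it. The following is an added example of that rule, not CybrIQ's implementation. The 0.65 similarity threshold and 24h lookback are the page's defaults; the 0.10 cap on a genuine firmware shift is an assumption taken from the page's "typically 0.05–0.10" remark; the ticket record, its `kind` field and the event dictionaries are constructed for illustration. Note which events a ticket is allowed to suppress: a network change can explain an extra hop and a firmware roll-out can explain a mid-band shift, but nothing suppresses a substitution.

```python
"""Added example: threshold-and-ticket evaluation for port-topology-changed,
device-firmware-shift and device-substituted. Not CybrIQ's code; ticket and
event field names are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional, Set

# Control-panel defaults quoted from the page.
DNA_SIMILARITY_THRESHOLD = 0.65                # dna_similarity_threshold
CHANGE_WINDOW_LOOKBACK = timedelta(hours=24)   # change_window_lookback_h
# Assumption for this example: the largest similarity drop a genuine OEM
# firmware update is expected to produce (page: "typically 0.05-0.10").
FIRMWARE_SHIFT_MAX = 0.10


@dataclass(frozen=True)
class ChangeTicket:
    """Approved change-management ticket (constructed record)."""
    ticket_id: str
    port: str
    approved_at: datetime
    kind: str  # "network" for a move/add/change, "firmware" for a firmware roll-out


def covering_ticket(port: str, now: datetime, tickets: Iterable[ChangeTicket],
                    kinds: Set[str]) -> Optional[ChangeTicket]:
    """Most recent approved ticket of an accepted kind that covers `port` and
    was approved inside the lookback window, or None."""
    hits = [t for t in tickets
            if t.port == port and t.kind in kinds
            and now - CHANGE_WINDOW_LOOKBACK <= t.approved_at <= now]
    return max(hits, key=lambda t: t.approved_at) if hits else None


def evaluate_topology(port: str, documented_hops: int, observed_hops: int,
                      now: datetime, tickets: Iterable[ChangeTicket] = ()) -> dict:
    """Unauthorized switch insertion: more downstream hops than the documented
    topology accounts for. Suppressed only by an approved network change."""
    if observed_hops <= documented_hops:
        return {"event": None, "suppressed": False}
    ticket = covering_ticket(port, now, tickets, {"network"})
    return {"event": "port-topology-changed", "severity": "high",
            "extra_hops": observed_hops - documented_hops,
            "suppressed": ticket is not None,
            "ticket": ticket.ticket_id if ticket else None}


def evaluate_dna(port: str, similarity: float, now: datetime,
                 tickets: Iterable[ChangeTicket] = ()) -> dict:
    """Classify a Device DNA similarity score (1.0 = identical to the previous
    DNA on the port) into no event, device-firmware-shift or device-substituted."""
    if similarity < DNA_SIMILARITY_THRESHOLD:
        # Never suppressed: a firmware roll-out cannot explain a drop this large.
        return {"event": "device-substituted", "severity": "high",
                "similarity": similarity, "threshold": DNA_SIMILARITY_THRESHOLD,
                "suppressed": False}
    drop = round(1.0 - similarity, 3)
    if drop <= FIRMWARE_SHIFT_MAX:
        return {"event": None, "suppressed": False, "delta": drop}
    # Wider than an OEM update, narrower than a substitution: the tampering band.
    ticket = covering_ticket(port, now, tickets, {"firmware"})
    return {"event": "device-firmware-shift", "severity": "medium",
            "similarity": similarity, "delta": drop,
            "suppressed": ticket is not None,
            "ticket": ticket.ticket_id if ticket else None}


if __name__ == "__main__":
    now = datetime(2026, 5, 10, 17, 8, 12, tzinfo=timezone.utc)
    tickets = [   # constructed tickets
        ChangeTicket("CHG-1001", "sw-bldg-3-fl-2/port-12", now - timedelta(hours=3), "network"),
        ChangeTicket("CHG-1002", "sw-bldg-3-fl-2/port-47", now - timedelta(hours=30), "firmware"),
    ]
    print(evaluate_topology("sw-bldg-3-fl-2/port-12", 1, 2, now, tickets))  # suppressed by CHG-1001
    print(evaluate_dna("sw-bldg-3-fl-2/port-47", 0.31, now, tickets))        # substituted, P1
    print(evaluate_dna("sw-bldg-3-fl-2/port-47", 0.80, now, tickets))        # shift; ticket too old
```

The lookback is applied to the ticket's approval time, so a firmware ticket approved 30 hours ago no longer suppresses a shift; if your change process records a work window rather than an approval time, compare against that instead.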

Lateral Movement & Collection (TA0008 / TA0009)

Rogue endpoint plugged into restricted port

T1078 · Valid Accounts · T1021 · Remote Services

Trigger. A port designated for a specific device class (e.g., AV-only, control-plane-only, OOB) shows a device drawing a link with a DNA that does not match the expected device class.

Observable. device-class-mismatch event with expected and observed DNAs.

False-positive control. Port classification is a deliberate config step; a device class change is itself a security event.

Analyst response. Always investigate, out-of-band ports especially: those are designed to be isolated from production traffic, and an unexpected device on one indicates either a misconfiguration or a deliberate bypass.

Silent AV codec, device present but no traffic

Operational visibility · Layer 1 only

Trigger. A conference-room codec is connected (drawing PoE, link is up) but produces no upstream traffic for a configurable period (default 7 days). The asset register lists it as active; nothing else can tell whether it's actually receiving inputs.

Observable. device-silent-extended event.

Why it's a security event. A codec that the asset register lists as live but that has sent nothing for a week is one nobody above L2 is watching: there is no traffic baseline for it, so when it does start talking (an attacker staging on it, or C2 beaconing from it) there is no history to judge that traffic against. Also: it's just useful operationally to know which rooms aren't being used.

Analyst response. Validate. If it's a dormant room, deprioritize. If it's supposed to be active, investigate why traffic stopped.

Event schema

Same structured fields whether you consume via syslog or the REST API. Sample device-substituted event below; the full field reference is on the Syslog & API page.

// device-substituted event (REST API JSON; syslog carries the same fields in RFC 5424 structured data)
{
  "event":        "device-substituted",
  "severity":     "high",
  "timestamp":    "2026-05-10T17:08:12Z",
  "port":         "sw-bldg-3-fl-2/port-47",
  "site":         "NYC-HQ",
  "previous_dna": "dna:7a4f-1c91-...",
  "current_dna":  "dna:5b8e-2a4f-...",
  "similarity":   0.31,
  "threshold":    0.65,
  "previous_vendor": "Crestron DM-MD8x8",
  "current_vendor":  "unknown, confidence 0.42",
  "mitre":        ["T1200", "T1556"],
  "controls":     ["PCI-4.0/12.5.1", "SOC2/CC6.1"]
}
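The page states that syslog carries the same fields as the REST JSON in RFC 5424 structured data. The added example below, which is not CybrIQ's collector code, shows what that means in practice: rendering the sample event as one RFC 5424 line with a single SD-ELEMENT, and parsing it back out. The SD-ID `cybriq@32473` is an assumption (32473 is the enterprise number RFC 5612 reserves for documentation; a real vendor uses its own IANA PEN), as are the facility, the severity mapping and the collector hostname. The part worth reading closely is the escaping: RFC 5424 requires `"`, `\` and `]` inside a PARAM-VALUE to be backslash-escaped, and a parser that splits on the first `]` will truncate a vendor string that contains one. The sample event is a copy of the page's, with a bracket and quotes added to the `current_vendor` value to exercise exactly that.

```python
"""Added example: REST JSON event <-> RFC 5424 syslog with structured data.
Not CybrIQ's code. SD-ID, facility, severity mapping and hostname are assumptions."""
import json
import re
from typing import Optional

SD_ID = "cybriq@32473"        # assumption; 32473 is RFC 5612's documentation PEN
FACILITY_LOCAL4 = 20
# Assumed mapping of the page's severity strings onto syslog severities.
SEVERITY_MAP = {"critical": 2, "high": 3, "medium": 4, "low": 5, "info": 6}


def escape_param(value: str) -> str:
    """RFC 5424 section 6.3.3: backslash-escape '\\', '"' and ']' in a PARAM-VALUE.
    The backslash is escaped first so the other two escapes are not doubled."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def unescape_param(value: str) -> str:
    return re.sub(r'\\([\\"\]])', r"\1", value)


def to_param_str(v) -> str:
    """Flatten a JSON value into a single PARAM-VALUE string (lists become CSV)."""
    if isinstance(v, bool):
        return "true" if v else "false"
    if isinstance(v, list):
        return ",".join(to_param_str(x) for x in v)
    return str(v)


def event_to_syslog(evt: dict, hostname: str = "cybriq-collector", app: str = "cybriq") -> str:
    """One RFC 5424 line: PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID,
    then an SD-ELEMENT carrying every event field, then a short human MSG."""
    pri = FACILITY_LOCAL4 * 8 + SEVERITY_MAP.get(evt.get("severity", "info"), 6)
    params = " ".join(f'{k}="{escape_param(to_param_str(v))}"' for k, v in evt.items())
    header = f'<{pri}>1 {evt["timestamp"]} {hostname} {app} - {evt["event"]}'
    msg = f'{evt["event"]} on {evt.get("port", "-")}'
    return f"{header} [{SD_ID} {params}] {msg}"


# Element body: any char except ']' and '\', or a backslash escape, up to the
# first unescaped ']'. This is what keeps an escaped ']' inside a value from
# terminating the element early.
_SD_ELEMENT = re.compile(r"\[" + re.escape(SD_ID) + r"((?:[^\]\\]|\\.)*)\]")
_SD_PARAM = re.compile(r'([^\s=\]"]+)="((?:[^"\\]|\\.)*)"')


def parse_structured_data(line: str) -> Optional[dict]:
    """Recover the event fields (as strings) from a syslog line, or None if the
    line carries no element with our SD-ID."""
    m = _SD_ELEMENT.search(line)
    if not m:
        return None
    return {k: unescape_param(v) for k, v in _SD_PARAM.findall(m.group(1))}


# Copy of the page's sample event; current_vendor altered (constructed) so the
# value contains a bracket and quotes and exercises the escaping path.
SAMPLE_EVENT = {
    "event": "device-substituted",
    "severity": "high",
    "timestamp": "2026-05-10T17:08:12Z",
    "port": "sw-bldg-3-fl-2/port-47",
    "site": "NYC-HQ",
    "previous_dna": "dna:7a4f-1c91-...",
    "current_dna": "dna:5b8e-2a4f-...",
    "similarity": 0.31,
    "threshold": 0.65,
    "previous_vendor": "Crestron DM-MD8x8",
    "current_vendor": 'unknown, confidence 0.42 [hint "DM-class"]',
    "mitre": ["T1200", "T1556"],
    "controls": ["PCI-4.0/12.5.1", "SOC2/CC6.1"],
}

if __name__ == "__main__":
    print(json.dumps(SAMPLE_EVENT, indent=2))      # the REST shape
    line = event_to_syslog(SAMPLE_EVENT)
    print(line)                                     # the syslog shape
    print(parse_structured_data(line)["current_vendor"])
```

Numbers and lists come back as strings (`"0.31"`, `"T1200,T1556"`) because structured data has no types; a SIEM parser should cast `similarity` and `threshold` before comparing them, and split the MITRE and controls fields on the comma.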

Detection control panel

Defaults are the values that produce the lowest false-positive rate in our reference customer set. Override per-environment as needed.

Parameter                    Default   Effect
dna_similarity_threshold     0.65      DNA shifts below this score fire device-substituted
unenrolled_grace_period_h    4         Delay before the unenrolled flag fires on device-appeared
silent_device_days           7         Days of zero upstream traffic before device-silent-extended
vendor_hint_confidence       0.85      Minimum confidence before ndaa-prohibited-detected pages
change_window_lookback_h     24        Suppression window for events that match approved change tickets
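Two of the parameters above, unenrolled_grace_period_h and silent_device_days, drive timer-based detections rather than threshold comparisons, which makes their false-positive behaviour depend on event ordering: a device that authenticates before the grace period ends must never appear in the report, and a device that resumes traffic and then goes quiet again must fire again. The following is an added example of that state machine over a stream of switch observations, not CybrIQ's code. It uses the page's defaults (4h, 7 days); the observation method names, the port-state record and the `lab` / `sandbox` VLAN tags used for the exclusion are assumptions.

```python
"""Added example: the timer-based detections behind unenrolled_grace_period_h and
silent_device_days as a per-port state machine. Not CybrIQ's code; method names,
the state record and the excluded VLAN tags are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional

UNENROLLED_GRACE = timedelta(hours=4)    # unenrolled_grace_period_h = 4
SILENT_DEVICE = timedelta(days=7)        # silent_device_days = 7
# Assumption: VLAN tags that exclude a port from the unenrolled-device check.
EXCLUDED_VLAN_TAGS = frozenset({"lab", "sandbox"})


@dataclass
class PortState:
    appeared_at: datetime
    vlan_tags: frozenset
    enrolled: bool = False             # present in EDR / asset register
    authenticated: bool = False        # 802.1X succeeded on this link
    last_upstream: Optional[datetime] = None
    unenrolled_fired: bool = False
    silent_fired: bool = False


class TimerDetections:
    """Holds state per switch port; feed it observations, then call evaluate(now)."""

    def __init__(self) -> None:
        self.ports: Dict[str, PortState] = {}

    def link_up(self, port: str, ts: datetime, vlan_tags: Iterable[str] = (),
                enrolled: bool = False) -> None:
        # A fresh link restarts both clocks; silence is measured from link-up
        # until the first upstream byte is seen.
        self.ports[port] = PortState(ts, frozenset(vlan_tags), enrolled=enrolled,
                                     last_upstream=ts)

    def link_down(self, port: str) -> None:
        self.ports.pop(port, None)

    def dot1x_success(self, port: str) -> None:
        if port in self.ports:
            self.ports[port].authenticated = True

    def upstream_bytes(self, port: str, ts: datetime, nbytes: int) -> None:
        st = self.ports.get(port)
        if st and nbytes > 0:
            st.last_upstream = ts
            st.silent_fired = False    # re-arm so a later silence fires again

    def evaluate(self, now: datetime) -> List[dict]:
        """Fire each timer event once per arming; returns the events due at `now`."""
        events: List[dict] = []
        for port, st in self.ports.items():
            unenrolled = not (st.enrolled or st.authenticated)
            if (unenrolled and not st.unenrolled_fired
                    and not (st.vlan_tags & EXCLUDED_VLAN_TAGS)
                    and now - st.appeared_at >= UNENROLLED_GRACE):
                st.unenrolled_fired = True
                events.append({"event": "device-appeared", "port": port, "unenrolled": True,
                               "grace_h": UNENROLLED_GRACE.total_seconds() / 3600})
            if not st.silent_fired and now - st.last_upstream >= SILENT_DEVICE:
                st.silent_fired = True
                events.append({"event": "device-silent-extended", "port": port,
                               "silent_days": (now - st.last_upstream).days})
        return events


if __name__ == "__main__":
    # Constructed timeline: three ports come up together; one authenticates,
    # one sits on a lab VLAN, one sends traffic on day 2 and then goes quiet.
    t0 = datetime(2026, 5, 10, 8, 0, tzinfo=timezone.utc)
    d = TimerDetections()
    d.link_up("port-1", t0, vlan_tags={"corp"})
    d.link_up("port-2", t0, vlan_tags={"lab"})
    d.link_up("port-3", t0, vlan_tags={"corp"})
    d.dot1x_success("port-3")
    print(d.evaluate(t0 + timedelta(hours=4)))      # only port-1 is unenrolled
    d.upstream_bytes("port-1", t0 + timedelta(days=2), 1500)
    print(d.evaluate(t0 + timedelta(days=7)))       # port-2 and port-3 silent
    print(d.evaluate(t0 + timedelta(days=9)))       # port-1 silent since day 2
```

Because evaluate() only fires once per arming, a collector can call it on every poll without duplicating alerts; link_down clears the state so a device re-plugged later starts both clocks again.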

What this won't catch

By design. Everything below this line operates above Layer 1 and belongs to other tools. If your problem lives in this list, this is not the first tool to evaluate.

  • Application-layer attacks (SQLi, XSS, RCE), use WAF
  • Malware execution on the device, use EDR
  • Lateral movement via valid credentials at L4+, use NDR or UEBA
  • Data exfiltration in encrypted traffic, use DLP / NDR with cert inspection
  • DNS-based C2, use DNS security
  • Email-based attacks, use SEG
  • Cloud / SaaS attacks, use CSPM / CASB

Want to see a detection fire against your own environment?

30-day pilot in one site, no fee. We deploy a passive External Scan Engine, ingest 30 days of Layer 1 observations, and demonstrate at least one of the detections on this page against your actual devices.

Walk through detections on your environment