Evaluation checklist
A one-page security-evaluation checklist for procurement and architecture teams.
The questions every diligence packet asks, answered as a single-page checklist your team can forward, print, or paste into the vendor questionnaire. Each row links to the page that documents the claim in depth.
Built for forwarding. Hit print on this page to get a clean two-page handout (the nav, footer, and CTA bands drop out). Or save the URL and forward it to procurement directly.
1. Architecture and access
✓ Read-only switch-management plane only. No SPAN, no mirror, no inline insertion, no traffic injection, no service account on endpoints.
✓ ESE is software, not an appliance. Runs on a small customer-provided Linux or Windows server. One ESE polls up to 500 switches; scales horizontally.
✓ Cross-vendor switch support. Arista, Aruba, Cisco, HP, Huawei, Juniper, Meraki, Rockwell Automation, Ruijie Networks.
✓ No CybrIQ-side access to the customer environment. All installation and operation is done by the customer or an integrator partner. CybrIQ staff have no path back in.
2. Endpoint posture
✓ No endpoint agent for inventory or Device DNA. Identity comes from the switch-derived signal set. Agentless device classes (codecs, biomed, OT, printers, cameras) are still seen.
✓ Optional small agent on workstations for USB-threat detection. Windows and Linux. Catches Rubber Ducky, Flipper Zero, O.MG cables, BadUSB-class HID spoofers, rogue USB mass-storage. Opt-in per host; scope to privileged users / executive / R&D / finance as needed.
3. Data residency and isolation
✓ Customer-chosen control-plane location. Cloud tenant (US, EU, or APAC), customer-hosted on-prem, or air-gapped. Residency stays in customer control across all three.
✓ Per-tenant isolation, AES-256 at rest, mTLS in transit. Audit log of every read on the customer tenant.
✓ Customer-controlled signal retention. No fixed retention window; bounded only by storage. Multi-year forensics if sized that way; a smaller window if you prefer.
4. Identity resolution and detection
✓ Deterministic identity, no model in the path. Device DNA = SHA-256 over the switch-derived signal set combined with the matching record in the 750M+ device reference database. Same inputs always produce the same signature.
✓ Reference database updated twice a week, human-reviewed. Customer-facing dispute flow for incorrect resolutions; fixes ship in the next semi-weekly cycle.
✓ MITRE ATT&CK technique mapping per event. Twelve-event taxonomy, all mapped to technique IDs and framework controls.
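The "same inputs always produce the same signature" claim above rests on one detail an evaluator should ask about: how the signal set is serialized before it is hashed. The example below is added here to illustrate that property and is not CybrIQ's code; the field names in the sample signal set, the JSON canonicalization, and the way the reference-record identifier is mixed into the hash are all assumptions chosen for the illustration, not the published Device DNA scheme.

```python
import hashlib
import json

# Constructed sample of a switch-derived signal set for one device.
# Field names are illustrative assumptions, not CybrIQ's real signal set.
SAMPLE_SIGNALS = {
    "mac_oui": "00:1a:2b",
    "lldp_sysdesc": "Example printer firmware 4.2",
    "dhcp_option55": [1, 3, 6, 15, 119],
    "switch_port_speed": "1000",
}


def canonicalize(signals: dict) -> bytes:
    """Serialize the signal set so that key order, whitespace and escaping are pinned.

    Two collectors that observe the same signals must hand the hash identical
    bytes; otherwise the "same inputs, same signature" property silently fails.
    """
    return json.dumps(
        signals, sort_keys=True, separators=(",", ":"), ensure_ascii=True
    ).encode("utf-8")


def device_signature(signals: dict, reference_record_id: str) -> str:
    """Deterministic SHA-256 over the canonical signal set plus the matched reference record.

    A zero byte separates the two inputs so a signal-set boundary cannot be
    shifted into the record identifier (assumed domain separation, not the vendor's).
    """
    h = hashlib.sha256()
    h.update(canonicalize(signals))
    h.update(b"\x00")
    h.update(reference_record_id.encode("utf-8"))
    return h.hexdigest()


def signatures_agree(a: dict, b: dict, reference_record_id: str) -> bool:
    """True when two observations of a signal set resolve to the same signature."""
    return device_signature(a, reference_record_id) == device_signature(b, reference_record_id)


if __name__ == "__main__":
    # The same signals delivered in a different key order hash identically.
    reordered = dict(reversed(list(SAMPLE_SIGNALS.items())))
    print(signatures_agree(SAMPLE_SIGNALS, reordered, "ref-record-42"))  # True
    # Any changed field yields a different signature.
    changed = dict(SAMPLE_SIGNALS, lldp_sysdesc="Example printer firmware 4.3")
    print(signatures_agree(SAMPLE_SIGNALS, changed, "ref-record-42"))  # False
```

The diligence question this supports: ask the vendor which fields are in the signal set, how they are canonicalized, and whether a firmware bump on the device (which changes a field like the LLDP description) is expected to produce a new signature or to be absorbed by the reference-record match.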
5. Threat model and limits
✓ Trust zones documented. Three zones (switches + devices, ESE on customer server, control plane). Data crosses each boundary in one direction; CybrIQ staff have no path back into the customer network.
✓ Explicit list of attacks not defended against. Application-layer, malware, identity compromise, encrypted-traffic exfil, phishing, cloud/SaaS, insider with valid credentials. Use the right tool for each.
✓ Operational failure-mode runbook. ESE-host failure, network loss to control plane, control-plane outage, false positive, false negative, each with a documented recovery path.
6. AI exposure
✓ No model in the detection or analysis path. Deterministic database lookup. No adversarial-ML evasion, no training-data poisoning, no model supply-chain risk, no prompt-injection surface, no hallucinated triage.
7. Compliance and evidence
✓ SOC 2 Type II continuous controls. Report available under MNDA. Audit firm and reporting period available on request.
✓ Framework-mapped evidence pack. PCI 4.0, SOC 2 Type II, HIPAA Security Rule, NIST 800-171, CMMC L2, NIST CSF 2.0, NDAA Section 889. Pre-mapped controls, signed at the control plane.
✓ Auditor-ready exports. PDF for the auditor, signed JSON for your GRC tool. SHA-256 audit hash, control-plane signed.
8. Software supply chain
✓ Reproducible builds. SHA-256 hashes published per release on the public artifact registry. Customer can verify that the binary on disk matches.
✓ SLSA Level 3 provenance attestation per release. Hermetic build environment. Public SBOM. Dependency tree auditable under MNDA.
✓ Signed releases, offline signing key. Hardware token, held offline at CybrIQ HQ. ESE refuses any unsigned image.
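The "customer can verify the binary on disk matches" row is only worth a checkmark if someone actually runs the check. The following is an added example of that verification, not CybrIQ's tooling: it assumes the published hashes are in the common `sha256sum` manifest format (`<hex>  <filename>`), which is an assumption about the artifact registry, and the manifest and file contents it builds are constructed for the demo.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_of_file(path: str) -> str:
    """Stream the file through SHA-256 so large images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksum_manifest(text: str) -> dict:
    """Parse sha256sum-style lines ('<hex>  <name>' or '<hex> *<name>') into {name: hex}.

    Malformed lines raise rather than being skipped, so a truncated or edited
    manifest cannot quietly verify nothing.
    """
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed manifest line: {line!r}")
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed digest in manifest line: {line!r}")
        expected[name] = digest
    return expected


def verify_artifact(path: str, manifest_text: str) -> bool:
    """True only if the file is listed in the manifest and its SHA-256 matches."""
    expected = parse_checksum_manifest(manifest_text)
    name = os.path.basename(path)
    if name not in expected:
        return False  # an unlisted file is a failure, not "nothing to check"
    return hmac.compare_digest(sha256_of_file(path), expected[name])


def demo() -> tuple:
    """Constructed release file verified, then the same file modified and re-verified."""
    # The digest below is the well-known SHA-256 of the bytes b"hello\n".
    manifest = (
        "# constructed manifest for the demo\n"
        "5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03  ese-release.bin\n"
    )
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "ese-release.bin")
        with open(path, "wb") as f:
            f.write(b"hello\n")
        clean_ok = verify_artifact(path, manifest)
        with open(path, "ab") as f:
            f.write(b"\x00")  # simulate a modified binary on disk
        tampered_ok = verify_artifact(path, manifest)
    return clean_ok, tampered_ok


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Two details carry the weight here: the manifest itself must come over a trusted channel or be signature-checked against the release signing key from the next row, since a hash fetched alongside a tampered binary proves nothing, and an artifact missing from the manifest is reported as a failure rather than silently passing.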
9. Integration surfaces
✓ Syslog (RFC 5424) for the event stream. UDP/514, TCP/1468, or TCP+TLS/6514. Splunk, Sentinel, Chronicle, Elastic, QRadar.
✓ REST API for query and SOAR action. Inventory, drift history, compliance export, NAC quarantine hand-off (Forescout, Cisco ISE).
✗ Not supported: webhooks, STIX/TAXII feeds. Intentionally not shipped. If a competitor matches on functionality but pitches these, that's a different product.
10. Disclosure and support
✓ Coordinated vulnerability disclosure policy. PGP-signed advisories. SLA: acknowledgement within 24 business hours, status within 5 business days, public disclosure coordinated with patch availability.
✓ Engineering-team-direct contact. seceng@cybriq.io is monitored by humans, not a chatbot. One-business-day response.
Forward this checklist. Schedule the working session when ready.
Procurement and security-architecture teams use this as the diligence anchor. When the boxes are checked and the questions are answered, the working session is where the specific deployment shape gets sketched.