Every term used on this site, defined once, in the same place.
Quick reference for security engineers who don't want to context-switch to look something up. Definitions are written the way I'd explain them in a working session, not the way they appear in a marketing glossary. If a term is missing, the contact at the bottom is the path to fixing that.
Device DNA™
A deterministic SHA-256 signature derived from the structured signal set the External Scan Engine (ESE) collects per device, combined with the matching record in CybrIQ's 750M+ device reference database. Patent-protected. Same inputs always produce the same signature; different physical devices produce different signatures whenever their signal sets differ.
External Scan Engine (ESE)
The CybrIQ software the customer runs on a small on-prem server (Linux or Windows). Polls the customer's managed switches continuously over the switch management plane, in read-only mode. One ESE handles up to 500 switches. No SPAN, no mirror, no inline insertion, no traffic injection. (Inventory and Device DNA are switch-derived; a separate small optional agent handles USB-threat detection on workstations.) Emits Device DNA records to the control plane over mTLS.
Reference database
CybrIQ's curated database of 750 million-plus device fingerprints and growing. Used to resolve the ESE's collected signal set into a specific device identity (vendor, model, NDAA status, firmware lineage). Every entry is human-reviewed before it lands in production; the database is not an ML model.
Similarity score
A 0 to 1 value indicating how similar a port's current Device DNA is to its prior signature (1 means identical). Computed as the Jaccard similarity (the Jaccard index, i.e. 1 minus the Jaccard distance) over each field of the signal set, averaged across fields. Default substitution threshold: 0.65. Scores of 0.85 to 0.95 are consistent with a firmware update; the 0.65 to 0.85 band is logged as a device-firmware-shift event; below 0.65 fires a device-substituted event.
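How the Device DNA and similarity-score definitions fit together, as an added example (not CybrIQ's code; the real schema, canonicalization and signal fields are proprietary, and the fields below are constructed stand-ins): a canonical serialization hashed with SHA-256 so that field order cannot change the digest, then per-field Jaccard similarity averaged across fields and mapped onto the page's default 0.65 and 0.85 bands. The reference-database record that the real Device DNA also folds in is left out, and the "stable" label for scores at or above 0.85 is an assumption.

```python
import hashlib
import json

SUBSTITUTION_THRESHOLD = 0.65   # page default: below this -> device-substituted
FIRMWARE_SHIFT_CEILING = 0.85   # page: 0.65 to 0.85 -> device-firmware-shift


def device_dna(signal_set):
    """Deterministic SHA-256 over a canonical serialization of the signal set.
    Neither dict key order nor set member order may change the digest, so both
    are sorted before hashing. (Real Device DNA also folds in the reference record.)"""
    canonical = {field: sorted(values) for field, values in signal_set.items()}
    blob = json.dumps(canonical, sort_keys=True, separators=(",", ":")).encode()
    return "sha256:" + hashlib.sha256(blob).hexdigest()


def jaccard(a, b):
    """Jaccard similarity (index): 1.0 identical, 0.0 disjoint."""
    a, b = set(a), set(b)
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def similarity(prev, curr):
    """Per-field Jaccard similarity, averaged over the union of field names.
    A field present on only one side counts as an empty set on the other."""
    fields = set(prev) | set(curr)
    return sum(jaccard(prev.get(f, ()), curr.get(f, ())) for f in fields) / len(fields)


def classify(score, threshold=SUBSTITUTION_THRESHOLD, ceiling=FIRMWARE_SHIFT_CEILING):
    """Map a score onto the page's bands; 'stable' for >= ceiling is an assumed label."""
    if score < threshold:
        return "device-substituted"
    if score < ceiling:
        return "device-firmware-shift"
    return "stable"


# Constructed signal sets; the proprietary schema is not this one.
PRIOR = {
    "lldp_capabilities": {"bridge", "telephone"},
    "mac_oui": {"00:11:22"},
    "lldp_firmware": {"fw-4.2.1"},
    "negotiated_link": {"1000full", "poe-class3", "auto-mdix"},
}
# Same hardware after a firmware update: version string changes, one capability appears.
FIRMWARE_UPDATE = {
    **PRIOR,
    "lldp_firmware": {"fw-4.3.0"},
    "negotiated_link": {"1000full", "poe-class3", "auto-mdix", "lldp-med"},
}
# A different device on the same port.
SWAPPED = {
    "lldp_capabilities": {"bridge", "router"},
    "mac_oui": {"aa:bb:cc"},
    "lldp_firmware": {"v9"},
    "negotiated_link": {"1000full"},
}

if __name__ == "__main__":
    for label, curr in (("same", PRIOR), ("firmware", FIRMWARE_UPDATE), ("swap", SWAPPED)):
        score = similarity(PRIOR, curr)
        print(f"{label:9s} {device_dna(curr)[:19]} score={score:.4f} -> {classify(score)}")
```

Averaging per field weights every field equally, so a schema with many fields that never change inflates the score and a swap can hide above 0.65; weight or drop constant fields when tuning the threshold. The canonicalization matters as much as the hash: sorted keys and sorted set members are what make "same inputs, same signature" true in practice.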
Drift event
Any timestamped change to the per-port inventory. Twelve event types in the taxonomy. Each event carries the port, previous and current signatures, MITRE technique IDs, and framework-control tags.
Vendor hint
The vendor and model identity for a Device DNA signature, resolved via the 750M+ reference-database lookup. Each hint carries a confidence score from 0 to 1; values at or above 0.85 are used for NDAA enforcement decisions.
RoomIQ
The per-conference-room product. ESE deployment scoped to AV-room switches. Per-room recurring SKU.
SpacesIQ
The building-wide product. ESE deployment scoped to every managed switch in the building. Per-deployment recurring SKU, sized by port count.
USB-threat agent
An optional small CybrIQ agent that runs on Windows and Linux workstations. Enumerates the USB-device tree and matches each connected device against a curated database of attack-tool signatures (Rubber Ducky, Flipper Zero, O.MG cables, BadUSB-class HID spoofers, rogue mass-storage). Emits usb-threat-detected events through the same syslog and REST API channels as the rest of the platform. Opt-in per host; typically scoped to privileged users, executive workstations, R&D, and finance rather than the whole fleet. The only place CybrIQ touches an endpoint; the inventory path remains switch-derived.
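The descriptor-level part of that matching, as an added example (not CybrIQ's agent; the watchlist entry and the flagging heuristics are assumptions, and no real attack-tool VID:PID pairs are claimed): walk a Linux sysfs USB tree, collect each device's VID:PID and interface classes, and flag a keyboard-class HID interface that shares a device with mass storage, the classic BadUSB composite, plus any hypothetical watchlist hit. `build_fixture` writes a constructed sysfs-shaped tree so the example runs offline.

```python
import os
import tempfile
from pathlib import Path

HID, MASS_STORAGE = 0x03, 0x08   # USB interface class codes
PROTO_KEYBOARD = 0x01            # HID boot-interface protocol for keyboards
# Hypothetical watchlist; the VID:PID here is a placeholder, not a real tool's.
WATCHLIST = {(0x1234, 0x0001): "hypothetical HID injector"}


def _read_hex(path, default=None):
    """sysfs attribute files hold hex text plus a newline."""
    try:
        return int(Path(path).read_text().strip(), 16)
    except (OSError, ValueError):
        return default


def enumerate_devices(root):
    """Collect VID/PID/product per device and (class, protocol) per interface
    from a sysfs-shaped tree: device dirs look like '1-2', interfaces '1-2:1.0'."""
    devices = {}
    for entry in sorted(os.listdir(root)):
        path = Path(root, entry)
        if ":" in entry:
            dev = devices.setdefault(entry.split(":")[0], {"interfaces": []})
            cls = _read_hex(path / "bInterfaceClass")
            if cls is not None:
                dev["interfaces"].append((cls, _read_hex(path / "bInterfaceProtocol", 0)))
        elif (path / "idVendor").is_file():
            dev = devices.setdefault(entry, {"interfaces": []})
            dev["vid"] = _read_hex(path / "idVendor")
            dev["pid"] = _read_hex(path / "idProduct")
            product = path / "product"
            dev["product"] = product.read_text().strip() if product.is_file() else ""
    return devices


def assess(dev):
    """Reasons to flag one device; an empty list means nothing seen at descriptor level."""
    reasons = []
    keyboard = any(c == HID and p == PROTO_KEYBOARD for c, p in dev["interfaces"])
    if keyboard and any(c == MASS_STORAGE for c, _ in dev["interfaces"]):
        reasons.append("keyboard HID plus mass storage on one device (BadUSB pattern)")
    tag = WATCHLIST.get((dev.get("vid"), dev.get("pid")))
    if tag:
        reasons.append(f"watchlist match: {tag}")
    return reasons


def scan(root="/sys/bus/usb/devices"):
    """Map of device name -> reasons, for every device with at least one reason."""
    findings = {}
    for name, dev in enumerate_devices(root).items():
        reasons = assess(dev)
        if reasons:
            findings[name] = reasons
    return findings


def build_fixture():
    """Constructed sysfs-shaped tree: a plain keyboard, a flash drive, and a
    composite keyboard-plus-storage device whose VID:PID is on the watchlist."""
    root = Path(tempfile.mkdtemp())

    def add(name, vid, pid, product, interfaces):
        d = root / name
        d.mkdir()
        (d / "idVendor").write_text(f"{vid:04x}\n")
        (d / "idProduct").write_text(f"{pid:04x}\n")
        (d / "product").write_text(product + "\n")
        for i, (cls, proto) in enumerate(interfaces):
            iface = root / f"{name}:1.{i}"
            iface.mkdir()
            (iface / "bInterfaceClass").write_text(f"{cls:02x}\n")
            (iface / "bInterfaceProtocol").write_text(f"{proto:02x}\n")

    add("1-2", 0xABCD, 0x0002, "Keyboard", [(HID, PROTO_KEYBOARD), (HID, 0)])
    add("1-3", 0xABCD, 0x0003, "Flash Drive", [(MASS_STORAGE, 0x50)])
    add("1-4", 0x1234, 0x0001, "Composite Device", [(HID, PROTO_KEYBOARD), (MASS_STORAGE, 0x50)])
    return str(root)


if __name__ == "__main__":
    for name, reasons in scan(build_fixture()).items():
        print(name, reasons)
```

Call `scan()` with no argument on a Linux host to walk the real /sys/bus/usb/devices. The caveat that makes a curated signature database necessary: a Rubber Ducky or an O.MG cable can enumerate as nothing but a keyboard, which at descriptor level is indistinguishable from a keyboard; descriptor heuristics catch composite and known-ID tools, not those.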
device-appeared
A new Device DNA observed on a port that previously had no device or a different one. The unenrolled flag is set if the device doesn't authenticate within the grace period (default 4h).
device-departed
A previously-stable device no longer responding on a port.
device-substituted
Same port, different DNA. Similarity score below substitution threshold. The canonical swap-attack signal.
port-topology-changed
The switch reports an additional downstream hop on a port. Usually an unauthorized switch insertion.
device-firmware-shift
Similarity score in the 0.65–0.85 range, consistent with firmware update, not substitution. Logged for audit but doesn't page.
ndaa-prohibited-detected
Vendor hint matches the NDAA Section 889 banned-vendor list (Huawei, ZTE, Hikvision, Dahua, Hytera, others) with confidence ≥0.85.
device-class-mismatch
The current device's vendor hint or behavior doesn't match the expected device class for the port (e.g., a router appearing on a port designated for AV-only).
device-silent-extended
A device has been physically connected (link up) but produced no upstream traffic for an extended period (default 7 days).
Switch-derived signal set
The structured collection of switch-side signals the ESE reads per device, refreshed continuously. The specific schema is proprietary; what matters architecturally is that it's switch-derived (not from traffic capture) and bounded (a fixed shape per device, not arbitrary telemetry).
Polling cycle
The ESE's continuous loop of reading the signal set from each switch in scope and shipping the resulting Device DNA records to the control plane. Read-only against the switch management plane; nothing the ESE does modifies switch state or alters traffic.
Identity resolution
The lookup that turns a collected signal set into a specific device record (vendor, model, NDAA status, firmware lineage) by deterministic match against the 750M+ reference database. Reproducible end to end: same signals plus same database snapshot produce the same identity.
Port topology
The device's physical location on the network: switch, port, and the neighbor relationships the switch reports. Used for distinguishing a device that legitimately moved to a different port from a clone/spoof appearing on multiple ports simultaneously.
NDAA Section 889
U.S. National Defense Authorization Act (FY2019) provision that bars federal agencies from procuring, and federal contractors from using, covered telecommunications and video-surveillance equipment from named Chinese manufacturers. Covered vendors include Huawei, ZTE, Hikvision, Dahua and Hytera, plus their subsidiaries and affiliates. CybrIQ's banned-vendor table tracks this list.
CMMC L2
Cybersecurity Maturity Model Certification, Level 2. Required for federal contractors handling Controlled Unclassified Information (CUI). Includes asset inventory requirements (CM.L2-3.4.1).
NIST 800-171
NIST publication providing security requirements for protecting CUI in non-federal systems. Inventory and change-control requirements at 3.4.1 and 3.4.2.
NIST CSF 2.0
NIST Cybersecurity Framework version 2.0. Identify-function outcomes ID.AM-01 (hardware inventory; ID.AM-1 in CSF 1.1 numbering) and ID.AM-02 (software, services and systems inventory) require the organization to maintain inventories of physical devices and platforms.
PCI DSS 4.0
Payment Card Industry Data Security Standard. Inventory of in-scope system components at 12.5.1 (closed by CybrIQ). File and configuration change-detection at 11.5.2 (outside our scope; needs FIM tooling alongside). Network security control configuration and review at 1.2.x (configuration territory; outside our scope).
SOC 2 Type II
System and Organization Controls audit examining the design AND operational effectiveness of controls over time. CybrIQ as a company maintains continuous SOC 2 Type II. Also: inventory and asset-management evidence is mapped to common-criteria controls CC6.1, CC6.6, CC7.1.
HIPAA Security Rule
Health Insurance Portability and Accountability Act security provisions. Inventory and audit-log evidence at 164.312(b) and 164.308(a)(1).
T1200 · Hardware Additions
Adversary introduces malicious hardware into the environment. CybrIQ's primary detection technique.
T1556 · Modify Authentication Process
Used as a secondary tag when a swap attack involves replacing a device that holds authentication credentials (e.g., a smart card reader, an authenticated endpoint).
T1199 · Trusted Relationship
Adversary exploits trusted relationships with third parties (e.g., supply-chain partners). CybrIQ uses this tag for NDAA / sanctioned-vendor detections.
T1542 · Pre-OS Boot
Compromise at the firmware level, below the operating system. Tag used for device-firmware-shift events.
NAC
Network Access Control. Enforces 802.1X policy on devices joining the network. Sees devices that authenticate, by 802.1X or MAC Authentication Bypass (MAB). A device with no supplicant, no certificate, no MAB entry and no agent never authenticates and so never appears in NAC's view.
EDR
Endpoint Detection & Response. Agent-based. Sees what's running on devices that run the agent. Does not see agentless devices (AV gear, biomed, OT, printers).
NDR
Network Detection & Response. Reads network traffic patterns, often at L4+. Frequently ML-based for anomaly detection.
SIEM
Security Information & Event Management. Aggregates and correlates security events. CybrIQ ships events to the SIEM via syslog or REST API.
SOAR
Security Orchestration, Automation & Response. Automates incident-response playbooks. CybrIQ events carry structured fields that drive SOAR branches.
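How the drift-event fields, the device-appeared grace period, the NDAA confidence cut-off and the SOAR branching above line up in code, as an added example (not CybrIQ's code or event schema; the JSON field names, the RFC 5424 framing, the app name and the constructed sample lines are assumptions, while the 0.65 and 0.85 thresholds and the 4h grace period are the page's defaults): parse events off the syslog feed, reject any that lack the fields the Drift event entry says every event carries, and branch the way a SOAR playbook would.

```python
import json
import re
from datetime import datetime, timedelta, timezone

SUBSTITUTION_THRESHOLD = 0.65          # page default for device-substituted
NDAA_CONFIDENCE = 0.85                 # vendor-hint confidence used for enforcement
GRACE_PERIOD = timedelta(hours=4)      # device-appeared grace period, page default
NDAA_BANNED = {"huawei", "zte", "hikvision", "dahua", "hytera"}

# RFC 5424: <PRI>1 TIMESTAMP HOST APP PROCID MSGID SD MSG; the event rides in MSG as JSON.
SYSLOG_RE = re.compile(r"^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (.*)$", re.S)
# Fields the Drift event entry says every event carries (names assumed here).
REQUIRED = {"type", "ts", "switch", "port", "prev_dna", "cur_dna", "mitre", "controls"}


def parse_syslog(line):
    """Return the event carried by one syslog line; ValueError on bad framing or fields."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 line")
    event = json.loads(m.group(8))
    missing = REQUIRED - event.keys()
    if missing:
        raise ValueError(f"event missing {sorted(missing)}")
    return event


def route(ev, now):
    """Map one event to a SOAR action: page, ticket, hold, log or review."""
    t = ev["type"]
    if t == "device-substituted":
        # Re-check the score rather than trust the label, so a mis-tagged event can't page.
        return "page" if ev.get("similarity", 0.0) < SUBSTITUTION_THRESHOLD else "log"
    if t == "port-topology-changed":
        return "page"
    if t == "device-firmware-shift":
        return "log"                                   # audit trail only, never pages
    if t == "ndaa-prohibited-detected":
        hint = ev["vendor_hint"]
        banned = hint["vendor"].lower() in NDAA_BANNED
        return "ticket" if banned and hint["confidence"] >= NDAA_CONFIDENCE else "review"
    if t == "device-appeared":
        if ev.get("authenticated"):
            return "log"
        first_seen = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        return "ticket" if now - first_seen >= GRACE_PERIOD else "hold"
    return "review"                                    # unknown type: a human decides


def process(lines, now):
    """Return (event type, action) per line; malformed lines route to review."""
    out = []
    for line in lines:
        try:
            ev = parse_syslog(line)
            out.append((ev["type"], route(ev, now)))
        except (ValueError, KeyError):
            out.append(("error", "review"))
    return out


def _line(ev):
    """Wrap a constructed event in an RFC 5424 header (host and app name assumed)."""
    return f'<134>1 {ev["ts"]} ese01 cybriq-ese - - - {json.dumps(ev)}'


DEMO_NOW = datetime(2024, 5, 1, 14, 0, tzinfo=timezone.utc)
_BASE = {"switch": "sw-av-3", "prev_dna": "sha256:0a0a", "cur_dna": "sha256:1b1b",
         "mitre": ["T1200"], "controls": ["CM.L2-3.4.1", "ID.AM-01"]}
# Constructed sample feed: one line per branch, plus one that fails validation.
SAMPLE_LINES = [
    _line({**_BASE, "type": "device-substituted", "ts": "2024-05-01T09:00:00Z",
           "port": "Gi1/0/12", "similarity": 0.41}),
    _line({**_BASE, "type": "device-firmware-shift", "ts": "2024-05-01T09:05:00Z",
           "port": "Gi1/0/13", "similarity": 0.72, "mitre": ["T1542"]}),
    _line({**_BASE, "type": "ndaa-prohibited-detected", "ts": "2024-05-01T09:10:00Z",
           "port": "Gi1/0/14", "mitre": ["T1199"],
           "vendor_hint": {"vendor": "Hikvision", "model": "camera", "confidence": 0.91}}),
    _line({**_BASE, "type": "ndaa-prohibited-detected", "ts": "2024-05-01T09:12:00Z",
           "port": "Gi1/0/15", "mitre": ["T1199"],
           "vendor_hint": {"vendor": "Huawei", "model": "switch", "confidence": 0.62}}),
    _line({**_BASE, "type": "device-appeared", "ts": "2024-05-01T09:30:00Z",
           "port": "Gi1/0/16", "prev_dna": None, "authenticated": False}),
    _line({**_BASE, "type": "device-appeared", "ts": "2024-05-01T12:30:00Z",
           "port": "Gi1/0/17", "prev_dna": None, "authenticated": False}),
    '<134>1 2024-05-01T13:00:00Z ese01 cybriq-ese - - - '
    '{"type":"device-departed","ts":"2024-05-01T13:00:00Z"}',
]

if __name__ == "__main__":
    for event_type, action in process(SAMPLE_LINES, DEMO_NOW):
        print(f"{event_type:26s} -> {action}")
```

The two device-appeared lines show the grace period as a function of the current time, not of the event: the same unauthenticated device is "hold" at 1.5h and "ticket" at 4.5h, so the playbook has to be re-run (or the hold re-evaluated) rather than deciding once on arrival. The second NDAA line lands in review rather than a ticket because a hint at 0.62 is below the page's enforcement cut-off.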
