Engineering reference, for security engineers, SOC analysts, and detection-engineering teams.
Products

Two products, the same Device DNA™ engine underneath. Pick the one whose scope matches the gap you're trying to close.

RoomIQ covers AV conference rooms one room at a time. SpacesIQ covers every switch port in a building. The data model, SIEM integrations, and threat-model boundaries are identical; the only thing that changes is how many devices are in scope. Pick by the audit finding or insurance question that brought us to the call.

Quick pick
If the conversation started with an AV-network audit finding or per-room compliance evidence → RoomIQ.
If it started with building-wide NDAA scope, cyber-insurance renewal, M&A integration, or "we don't know what's on the network" → SpacesIQ.
Same engine underneath. The full decision matrix is below.

What the deployment actually looks like

The External Scan Engine (ESE) is software, not an appliance. The customer runs it on a small Linux or Windows server in their environment. One instance polls up to 500 switches; larger fleets scale horizontally.

[Diagram: in the customer environment, a small on-prem server (Linux or Windows) runs the ESE software and does read-only polling of switch 1 through switch 500 (max) over the switch-management plane, with an mTLS link to the CybrIQ control plane (cloud / on-prem). No SPAN. No mirror. No traffic injection. No endpoint agent for inventory.]

RoomIQ

Per-room AV-network observability

A single ESE polls every AV-room switch in scope; billing is per room. One ESE can cover many rooms (up to its 500-switch capacity); the SKU is the commercial shape, not a per-room deployment unit. The deployment inventories every device on each room's switching: codecs, control processors, displays, room cameras, mics, scheduling tablets, plus anything unauthorized that's been plugged in. This is the SKU AV-integrator partners use when the security gap lives specifically in the conference-room and AV-equipped-space footprint.

Security questions it answers:

  • Is every device in this room the one we deployed?
  • Was any room device swapped or modified since the last cycle?
  • Are there unauthorized devices on the in-room network?
  • Which AV components in this room are on the NDAA banned list?

Pricing shape: per room, recurring.

Typical scope: 5 to 50 rooms in the first deployment; expand by floor or building.

SpacesIQ

Building-wide every-switch-port observability

The ESE is scoped to every managed switch in a building or campus. One ESE polls up to 500 switches; larger environments scale horizontally with additional ESE instances. It sees every device drawing a link anywhere on the wired network: AV, corporate endpoints, biomed, OT, BYOD, contractor laptops, every printer, every wall jack.

Security questions it answers:

  • What is actually on our network right now, across every port?
  • Where do our asset register and our actual inventory disagree?
  • Are there unmanaged switches inserted anywhere in the building?
  • Which floors are running NDAA-prohibited equipment?

Pricing shape: per deployment, recurring; tier sized by total port count.

Typical scope: one building or campus initially; expand site-by-site.

Which one first?

For security teams specifically, the deployment-order question turns on which gap your stack has today.

If your problem is... | Start with | Why
An audit finding on AV network inventory | RoomIQ | Smallest footprint that closes the specific control. Pilots in 30 days per site.
NDAA Section 889 compliance across the enterprise | SpacesIQ | Banned-vendor scanning has to cover every port, not just AV.
Cyber-insurance renewal asking for continuous inventory | SpacesIQ | Carriers want building-wide; per-room won't satisfy the questionnaire.
M&A diligence on a network you just acquired | SpacesIQ | Fast inventory across the whole footprint reduces integration risk and audit surprises.
You suspect rogue devices but don't know where to start | SpacesIQ | Per-port visibility surfaces the rogue regardless of room or floor.
Per-room compliance evidence pack for a regulated industry | RoomIQ | HIPAA, PCI, SOX evidence is per-room granular; matches the regulator's view.

Deployment posture

Same posture for both products; just different ESE quantity and placement.

  • Read-only polling only. The ESE reads from the switch management plane in read-only mode. No traffic injection, no SPAN, no mirror, no inline insertion, no service account on endpoints.
  • No endpoint agent for the inventory path. Identity comes from the switch-derived signal set, not from anything running on the device itself. Devices that can't run an agent (codecs, controllers, mics, biomed gear, OT, displays) are still seen. A separate small optional agent handles USB-threat detection on workstations; that's the only place CybrIQ touches the endpoint.
  • Customer-hosted ESE. The ESE is CybrIQ software the customer runs on a small Linux or Windows server in their environment. Integrator partner or in-house team handles install. No CybrIQ staff access to the customer network.
  • Customer-controlled data residency. All Layer 1 records live in the customer tenant. Cloud-hosted control plane is the default; on-prem control plane is available for environments where outbound connectivity is restricted.
  • Air-gapped supported. For environments without internet access, the ESE stores records locally and is queried via local API. Trade-off: SIEM integration becomes pull-only.

How many ESEs for a multi-site deployment?

One ESE polls up to 500 managed switches. Beyond that, you scale horizontally with additional ESE instances. Sizing usually turns on switch count, site topology, and the management-network reachability between sites.

Scenario | Switches in scope | Typical ESE shape
Single building, mid-size | up to 500 | 1 ESE polls the whole site
Single building, large campus floor count | 500 to 1,500 | 2 to 3 ESEs, each scoped to a slice of the switch fabric. Control plane aggregates the records.
Multi-site, sites have direct management-network reach | across the WAN | Co-locate ESEs near the largest switch concentrations. One ESE can poll across the WAN if latency is reasonable; most customers prefer per-site instances for predictable failure isolation.
Multi-site, sites are isolated (no inter-site management routing) | per site, varies | One ESE per site, each reporting to the same control plane. Per-site failure isolation, single pane of glass at the tenant.
Global enterprise, many regions | 5,000+ across regions | Per-region ESE fleet, sized to switch count. Regional control planes available where data-residency requirements demand them; otherwise the cloud tenant of choice handles the aggregate.
Air-gapped site | any size, no outbound | One ESE per site, local control plane. Records stay inside the site; aggregation across air-gapped sites is manual (an operational trade-off documented in threat-model).

The pattern across the table: switch count, failure isolation, and data residency drive the decision. We sketch the actual ESE placement during the working session against your switch-fabric topology.

Walk us through your network and we'll size the deployment.

Bring your switch fabric topology and the audit or insurance question driving the conversation. We'll sketch the ESE placement, the SIEM integration shape, and the first 30-day pilot scope.
