Use cases

Six conversations I've had with security teams in the last year. One of them is probably yours.

Each card below is a real evaluation conversation, condensed. The structure is the same one I use on the call: this is the gap, this is what your team is doing today, this is what we do instead, this is the shape of what lands in your SIEM. If you recognize your problem in one of these, the working session can pick up where the card ends.

1 · Inventory accuracy

"My asset register doesn't match the wire."

The gap. CMDB says 1,247 devices in scope. Vulnerability scanner finds 1,089. NAC log shows 942 active sessions yesterday. None of those numbers agree, and nobody can explain why. The auditor is asking which number is correct.

What your team is doing today. Quarterly manual reconciliation. Spreadsheet rituals. Calls to integrators. Best guess. The auditor accepts it because there's nothing better, but the auditor knows it's a best guess too.

What CybrIQ does instead. Continuous Layer 1 observation of every port. Per-port, per-device record with Device DNA, last-seen timestamp, vendor hint. The "live count" of devices is one queryable number, refreshed continuously.

What lands in your SIEM. Daily reconciliation report: every device in the CybrIQ inventory that's NOT in the CMDB, every device in the CMDB that's NOT on the wire. Drift events when the delta changes.
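The reconciliation report described above, worked through in code. This is an added illustration, not CybrIQ's own implementation: it assumes three constructed device sets keyed by MAC address (a CMDB export, a scanner export and a Layer 1 "wire" observation) and shows the two set differences the daily report is built from, plus a drift event that fires only when the delta changes between consecutive runs. The MAC addresses, category names and event names are hypothetical.

```python
import json

# Constructed sample inventories (hypothetical MAC addresses, not real devices).
# In a real deployment each set would come from the CMDB export, the scanner
# export and the per-port Layer 1 observation respectively.
CMDB = {
    "00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03",
    "00:11:22:33:44:04", "00:11:22:33:44:05",  # :05 is a stale, decommissioned record
}
SCANNER = {
    "00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03",
    "00:11:22:33:44:06",  # :04 was powered off during the scan; :06 is unregistered
}
WIRE_DAY1 = {
    "00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03",
    "00:11:22:33:44:04", "00:11:22:33:44:06", "00:11:22:33:44:07",  # :07 seen only on the wire
}
# Day 2: :04 has left the wire and an unknown :08 has appeared.
WIRE_DAY2 = (WIRE_DAY1 - {"00:11:22:33:44:04"}) | {"00:11:22:33:44:08"}

CATEGORIES = ("on_wire_not_in_cmdb", "in_cmdb_not_on_wire")


def source_counts(cmdb, scanner, wire):
    """The three headline numbers that never agree, side by side."""
    return {"cmdb": len(cmdb), "scanner": len(scanner), "wire": len(wire)}


def reconcile(wire, cmdb):
    """The two set differences the daily reconciliation report is built from."""
    return {
        "on_wire_not_in_cmdb": sorted(wire - cmdb),
        "in_cmdb_not_on_wire": sorted(cmdb - wire),
    }


def drift_events(previous, current, observed_at):
    """Emit one event per category whose membership changed since the last run.

    previous=None means this run establishes the baseline, so nothing fires.
    """
    if previous is None:
        return []
    events = []
    for category in CATEGORIES:
        before, after = set(previous[category]), set(current[category])
        if before != after:
            events.append({
                "event": "inventory-drift",        # hypothetical event name
                "category": category,
                "added": sorted(after - before),
                "removed": sorted(before - after),
                "delta_size": len(after),
                "observed_at": observed_at,
            })
    return events


def to_siem_lines(report, events):
    """Serialize the report plus any drift events as newline-delimited JSON."""
    lines = [json.dumps({"event": "inventory-reconciliation", **report}, sort_keys=True)]
    lines.extend(json.dumps(e, sort_keys=True) for e in events)
    return lines


if __name__ == "__main__":
    print(source_counts(CMDB, SCANNER, WIRE_DAY1))
    day1 = reconcile(WIRE_DAY1, CMDB)
    for line in to_siem_lines(day1, drift_events(None, day1, "2024-01-01T00:00:00Z")):
        print(line)
    day2 = reconcile(WIRE_DAY2, CMDB)
    for line in to_siem_lines(day2, drift_events(day1, day2, "2024-01-02T00:00:00Z")):
        print(line)
```

The drift function compares category membership rather than raw counts, so a device leaving and another arriving on the same day still produces an event even though the headline number is unchanged; that is the case a count-only alert would miss.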

2 · Swap detection

"How would I know if a device was physically swapped?"

The gap. A malicious-twin device replaces the legitimate one. Same MAC. Same VLAN. Same certificate. EDR agent uninstalled and re-installed with the right ID. Everything above Layer 1 sees no change.

What your team is doing today. Periodic physical audits, which mostly miss it. Trust the certificate. Hope the EDR catches anomalous behavior after the swap has happened. This is the use case I get the most pushback on at first; nobody wants to admit their environment is vulnerable to it. Most are.

What CybrIQ does instead. The Layer 1 fingerprint now observed on the port (the switch-derived signal set a device identity is resolved from) no longer matches the prior device's recorded fingerprint. The swap fires device-substituted within one 30-second validation cycle.

What lands in your SIEM. Near-real-time event (sub-minute end-to-end under typical SIEM ingest) with both prior and current DNA, similarity score, vendor-hint comparison, MITRE T1200 + T1556. SOAR playbook can quarantine the port via the NAC API in under a minute.

3 · Unauthorized network changes

"Has anyone plugged in a switch where there shouldn't be one?"

The gap. An attacker (or an unauthorized contractor) inserts a small unmanaged switch into a wall jack to bridge a personal laptop onto the production VLAN. The downstream device still authenticates normally; the switch is transparent above L2.

What your team is doing today. Nothing automated. You catch it on a quarterly physical walkthrough, maybe. Maybe after an incident. The first unmanaged switch we surfaced for one customer had been in place for over a year.

What CybrIQ does instead. Layer 1 topology probe sees one more hop between the wall jack and the endpoint than before. port-topology-changed fires.

What lands in your SIEM. Topology-changed event with the new hop's signature, previous topology, and recommended action. Cross-checks against open change-management tickets for auto-suppression.

4 · NDAA / sanctioned-vendor compliance

"Are any banned-vendor components on our production network?"

The gap. NDAA Section 889 (and adjacent regulations) prohibits specific vendor hardware on federally connected networks. The asset register doesn't reliably flag this, especially for AV gear, cameras, and components that get relabeled by integrators.

What your team is doing today. Periodic procurement audits. Vendor questionnaires. Trusting that the integrator was honest. No real-time detection. The relabeling case is real; we've seen a batch of switches that the supplier had relabeled after overseas manufacturing, and the only thing that surfaced it was the Layer 1 fingerprint not matching the label.

What CybrIQ does instead. The reference-database lookup resolves the underlying silicon and firmware regardless of how a vendor relabels the product. The banned-vendor table is maintained against the federal list and updates regularly.

What lands in your SIEM. ndaa-prohibited-detected event when a vendor-hint matches the list with ≥0.85 confidence. Tagged for CMMC L2 and NIST 800-171 controls. Auto-escalates per policy.

5 · Audit-cycle prep

"The audit is in six weeks and I can't reconstruct another inventory."

The gap. Quarterly or annual audit demands a current, defensible, per-device inventory. Last time, prep took six weeks of full-time effort and the result was still a best-effort snapshot.

What your team is doing today. Manual reconstruction. Coordinating with integrators. Asking for screenshots from device dashboards. Hoping the auditor doesn't dig. This is the use case where the budget conversation is easiest: nobody on the security team has fond memories of a six-week audit prep.

What CybrIQ does instead. The inventory is continuously maintained and framework-control mapped. Every device row carries the SOC 2 / PCI / HIPAA / NIST / CMMC controls it satisfies. The auditor asks for evidence; you query the API and export.

What lands in your SIEM. Evidence-pack export is available 24/7 via the dashboard or API. Audit teams have queried CybrIQ directly during a control walk-through; no auditor has rejected the output.

6 · M&A diligence on inherited networks

"We just acquired a company. What's on their network?"

The gap. An M&A close brings in a network you don't trust, with an asset register you can't validate. Integration risk and compliance exposure are real. The acquirer's security team gets weeks to assess.

What your team is doing today. Vendor-supplied documentation that the acquired company's IT team produced under deal pressure. Spot-check scans. Wait for something to break and then find out about it.

What CybrIQ does instead. SpacesIQ deploys building-wide, scoped per acquired site. Day-one inventory of every wired device, with NDAA-prohibited callouts, unmanaged-switch detection, and a baseline for ongoing validation.

What lands in your SIEM. Same data model as your existing CybrIQ deployment. Acquired-site inventory merges into the parent tenant; the SOC sees both fleets in one console.

If your use case isn't on this list

I kept the list to the six conversations that come up most often. If you have a specific gap (regulatory, operational, post-incident) and you want to know whether this is the right tool for it, ask and I'll tell you yes, no, or partially, with engineering detail. The "partially" answers are the ones I find most useful on the call; they let us scope the working session around the part we can actually move.

Pick the use case closest to your problem.

30-minute working session against your actual environment. We will demonstrate the scenario you picked using your own data, then size a 30-day pilot.

Book a working session