Glossary

The terms, defined plainly.

Written for the reader who hasn't spent the last decade in network security. The definitions below are how CybrIQ uses each term across the site, in plain language.

32 terms across three groups · Last updated

Layer 1
The physical layer of a network. Where electrical signals are sent across copper or fiber. The OSI model has seven layers, and the rest sit on top of Layer 1: switching at Layer 2, IP routing at Layer 3, TCP at Layer 4, all the way up to applications at Layer 7. Most security tools work at Layer 2 and above. CybrIQ works at Layer 1, which is why it can identify devices whose behavior on the wire disagrees with what they say about themselves at higher layers.
Device DNA™
CybrIQ's patented signature for each connected device, derived from switch-side signals pulled with read-only switch access: link negotiation pattern, MAC OUI, LLDP/CDP announcements, port-stats footprint, and VLAN/topology context as the switch records them. The signature does not depend on what the device says about itself, which is why it catches devices whose self-reported descriptors are wrong, spoofed, or modified upstream.
Drift
A change between the device that was previously known on a port and the device that is currently on it. The codec was swapped, the port was repurposed, an unmanaged switch appeared, a contractor laptop showed up. CybrIQ detects drift by comparing the current Layer 1 fingerprint to the prior one, and surfaces it as a discrete event the security team can act on.
NAC (Network Access Control)
A class of security tooling that controls which devices are allowed onto the corporate network. NAC operates at Layer 2 and above; it sees the corporate VLAN and enforces admission policy on it. NAC does not see Layer 1 behavior, which is why unmanaged switches behind a single drop look like one endpoint to NAC and four endpoints to CybrIQ.
EDR (Endpoint Detection and Response)
A class of security tooling that runs an agent on managed endpoints (laptops, servers) to detect and respond to threats on those endpoints. EDR sees what the agent sees. Device classes that ship without an agent (codecs, signage, IoT, biomed gear, kiosks) are outside EDR's coverage. CybrIQ identifies them by the wire, not by an agent.
Audit-defensible Layer 1 evidence
A per-device, per-port, dated record of what was on the network and how its identity was verified, in a form an audit firm takes at face value. Distinct from "operational status" (the control system says the room is green). The audit asks for the wire; CybrIQ produces it.
Visibility gap
The space between what NAC, EDR, and asset-management tooling can see, and what is actually on the network. Conference-room codecs, unmanaged switches, contractor gear, vendor-managed devices, IoT sensors that ship without an agent. The visibility gap is where audit findings come from and where attackers walk in.
Asset register
The internal list of devices the organization believes it has on the network. Built from procurement records, deployment tickets, and biomed/HTM inventories. Authoritative on day one and fiction by next quarter, because the network changes faster than the spreadsheet. Read more in "The asset register lies."
Working session
CybrIQ's framing for a 30-minute scoped engagement. Five minutes of scoping, twenty minutes of running the platform live against one of the customer's environments, five minutes of decision. The artifact at the end (a Device DNA™ inventory of one room or one building) stays with the customer either way.
Layer 1 record
The continuously maintained, per-device, per-port output of the CybrIQ platform. Different scopes (RoomIQ at the room level, SpacesIQ at the building level) feed the same record. The record is the underlying fact base that the audit-evidence pack, the drift events, and the framework mappings all draw from.
NDAA Section 889
A US federal regulation prohibiting covered telecommunications equipment from Huawei, ZTE, Dahua, Hikvision, and Hytera in federal contractor environments. CybrIQ identifies these vendors by Device DNA™ regardless of label, and policies block them on detection. See NDAA 889 Enforcement for detail.
Device fingerprint
A signature derived from how a device behaves on the network, used to identify it. Behavioral fingerprinting (used by classification platforms) reads behavior at higher layers. Layer 1 fingerprinting (CybrIQ's Device DNA™) reads electrical behavior at the wire. The two are complementary.
Agent
A piece of software installed on a device to monitor or manage it. Many security tools depend on agents for their visibility (EDR, MDM, agent-based asset management). Devices that cannot accept an agent (codecs, IoT sensors, biomed gear, signage players) are outside agent-based coverage. CybrIQ does not require an agent on monitored endpoints.
Layer 2
The data-link layer of a network. Where switches forward frames using MAC addresses. NAC operates at Layer 2 and above. The visibility gap CybrIQ closes is everything below it.
Evidence pack
CybrIQ's audit-defensible artifact: a per-device, per-port, dated record scoped to the customer's environment and pre-mapped to the framework being audited. The shape audit firms increasingly accept on first reading.

Compliance frameworks

The audit and regulatory regimes the rest of the site cites.

SOC 2
A widely used audit framework for service providers that store or process customer data. Covers five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. SOC 2 Type II reports cover a sustained operating period (typically six to twelve months) and are the version enterprise customers ask for in security questionnaires. CybrIQ produces audit-defensible Layer 1 evidence that maps directly to SOC 2 CC6 (logical access) and CC7 (system operations) controls.
HIPAA
The US federal regulation governing the privacy and security of protected health information (PHI). The HIPAA Security Rule requires technical safeguards including access control, audit controls, and integrity monitoring. CybrIQ contributes the device-inventory and access-evidence layer that the Security Rule's risk-analysis requirement increasingly assumes is present.
CMMC
Cybersecurity Maturity Model Certification. A US Department of Defense framework that defines required security controls for organizations handling Controlled Unclassified Information (CUI). CMMC 2.0 has three levels; Level 2 (the most common requirement for federal contractors) maps to the NIST 800-171 control set. Continuous device inventory is required at Level 2 and above.
SOX
The Sarbanes-Oxley Act, US federal regulation requiring public companies to maintain internal controls over financial reporting. SOX 404 audits review the IT general controls (ITGC) that govern systems involved in financial reporting. Access control and asset inventory are recurring SOX deficiency categories. CybrIQ produces the per-port inventory ITGC reviewers ask to see.
FedRAMP
The Federal Risk and Authorization Management Program. A US federal program that standardizes security assessment and authorization for cloud services used by federal agencies. CybrIQ deploys as customer-installed software inside the customer's own environment, not as a cloud SaaS, so most federal deployments don't require FedRAMP authorization. For federal customers whose deployment posture does require FedRAMP, an agency-sponsored path is currently under evaluation. CybrIQ produces equivalent NIST 800-171 / NIST 800-53 control evidence today.
PCI DSS
The Payment Card Industry Data Security Standard, mandated for any organization that stores, processes, or transmits cardholder data. PCI DSS 4.0.1 (in effect since 2024) added explicit requirements for asset-inventory completeness, continuous monitoring of all in-scope systems, and network-device discovery. CybrIQ produces the device-inventory evidence PCI 4.0.1 assessors now request on first reading.
ISO 27001
The international standard for information security management systems (ISMS). Defines a control framework (Annex A) and requires the organization to maintain an asset register that includes every information asset in scope. Enterprise customers often hold ISO 27001 alongside SOC 2 for global coverage. CybrIQ supplies the network-asset inventory the ISMS scope requires.
GLBA
The Gramm-Leach-Bliley Act, US federal regulation requiring financial institutions to protect customer financial information. The Safeguards Rule (revised in 2023) requires written information security programs, a designated qualified individual, and continuous monitoring of network assets. Asset inventory is one of the gating Safeguards Rule controls.
NIST 800-171
A US federal control catalog defining the security controls for non-federal systems that handle Controlled Unclassified Information (CUI). The basis for CMMC Level 2. 110 controls across 14 families; the asset-management and configuration-management families require maintained inventories that include every device authorized to connect.
NYDFS
New York Department of Financial Services. New York's financial-services regulator. The NYDFS Cybersecurity Regulation (23 NYCRR Part 500) requires covered institutions to maintain accurate IT asset inventories with owner, location, sensitivity, vendor-support expiration, and recovery time objectives for every asset. The first annual asset-inventory certification was due April 15, 2026. Penalties run up to $250,000 per day for ongoing non-compliance.
OCR
Office for Civil Rights, the US Department of Health and Human Services agency that enforces HIPAA. OCR is the audit body for healthcare HIPAA breach investigations. OCR breach-investigation closing letters increasingly cite asset-inventory and unmanaged-device findings as contributing factors. See the article "What OCR keeps citing."

Network and security terms

The acronyms the existing entries assume you already know.

LLDP
Link Layer Discovery Protocol. An IEEE standard where network devices announce their identity, capabilities, and neighbors at Layer 2. Most enterprise switches and AV devices speak LLDP, which is how the switch learns what's plugged into each port. One of the signal streams CybrIQ reads when building Device DNA.
CDP
Cisco Discovery Protocol. Cisco's proprietary equivalent of LLDP. Older Cisco-heavy networks rely on CDP for neighbor discovery; CybrIQ reads both CDP and LLDP to cover mixed-vendor environments.
MAC OUI
Organizationally Unique Identifier. The first 24 bits of every MAC address, assigned by the IEEE to the device manufacturer. The OUI identifies who made the network hardware (Cisco, Crestron, Apple, etc.). One of the inputs to Device DNA, but easily spoofed on its own, which is why Device DNA combines OUI with several independent switch-side signals.
SNMP
Simple Network Management Protocol. A widely deployed protocol for reading status data from and (optionally) writing configuration to network devices. SNMP is bidirectional by design. CybrIQ uses read-only switch access by default: read-only credentials scoped to the switch-fabric data the platform needs for inventory and audit evidence. Optional enforcement (port disable, quarantine, ACL) is available on customer opt-in and uses a separately scoped write community. The deployment never uses traffic mirroring, SPAN ports, or packet capture.
SIEM
Security Information and Event Management. A class of platforms that ingest logs and security events from across the environment for correlation, alerting, and historical search (Splunk, Sentinel, QRadar, Elastic Security, etc.). SIEM is downstream of asset visibility. Every alert resolves to an asset, and assets missing from the SIEM mean missing alerts. CybrIQ feeds verified Layer 1 inventory into the SIEM so the asset context behind each alert is correct.
VLAN
Virtual LAN. A way to logically segment a single physical network into multiple broadcast domains for security or operational separation (corporate VLAN, guest VLAN, AV VLAN, IoT VLAN, etc.). NAC enforces admission policy on VLANs. CybrIQ surfaces what is actually on each VLAN at Layer 1, including devices on VLANs that shouldn't have them.

The vocabulary lands faster on a real environment than in a glossary.

Bring one of your rooms or one floor of one building. By the end of the working session, the terms above will mean something specific to your network.
