If it plugs in anywhere in your building, SpacesIQ knows.
Printers in hallways. Displays in cafeterias. Sensors on the warehouse floor. Badge readers, kiosks, HVAC controllers, contractor laptops on a live port. SpacesIQ extends Device DNA™ to every switch port, on every floor, in every building.
The devices NAC was never going to find.
Network Access Control sees the corporate VLAN. EDR sees the endpoints with an agent on them. The visibility gap is everything in between: unmanaged switches in closets, contractor gear on live ports, IoT devices that ship without an agent class, vendor equipment that nobody on the IT team commissioned.
The asset register lies, quietly, all the time.
The spreadsheet is updated when somebody remembers to update it. The wire is updated whenever anybody plugs anything in. The two stop matching the day the building is commissioned and never reconcile again on their own.
SpacesIQ closes the gap by treating the wire as the source of truth. Every linked port, fingerprinted continuously, validated against what was there yesterday, surfaced as a discrete event when it changes.
One inventory. Five frameworks. The same record.
HIPAA, PCI, SOC 2, NIST, CMMC each ask a slightly different question about the network. They all need the same underlying answer: what is actually connected, in what state, with what posture, right now.
SpacesIQ produces that record once, then lets the audit teams map it to whichever framework they are reporting against. The reconstruction work that consumes a compliance team the night before the visit is done in advance, by the platform, continuously.
Four capabilities, working continuously, on every linked port.
SpacesIQ operates as a continuous verification layer that bridges the gap between network visibility and physical device awareness. Each of the four capabilities below runs continuously; together they produce the inventory the security and audit teams can both work from.
Electrical-signature detection.
Each device connected to the switch draws a unique electrical pattern. SpacesIQ learns that fingerprint, recognizes it instantly, and flags anything new or abnormal. The signature is what catches devices that otherwise look identical on paper.
Port-level awareness.
SpacesIQ maps every switch port in real time. What is connected, where, and when, across multiple floors and multiple buildings on the same instance. The map updates continuously as the network changes.
Instant anomaly detection.
When an unrecognized device connects, or an existing one starts behaving differently, SpacesIQ triggers an alert before the device can communicate widely or spread. Detection happens at first contact, not at the next periodic scan.
Automated trust scoring.
Every device receives a trust score based on its signature, behavior, and connection history. The score is what helps the IT team decide what to allow, what to quarantine, and what to investigate, without inspecting each new device by hand.
What the wire actually sees.
Device DNA derives each device's signature from switch-side signals read in read-only mode: link negotiation pattern, MAC OUI, LLDP and CDP announcements, the port-stats and counter footprint the switch already keeps, and the device's VLAN and topology context. The signature is rebuilt every time the platform validates a port, which is why a device swap shows as a new signature within seconds.
The signature does not depend on an agent installed on the device. It does not depend on the device self-reporting its identity. It depends on what the switch already knows about the device through standard read-only network management. That is why Device DNA catches the cases NAC and EDR miss: an unmanaged switch behind a contractor's drop, an IoT sensor with no agent class, a kiosk that reports as one thing and behaves as another.
Deployment is non-invasive. SpacesIQ is software with two components: External Scan Engines (ESEs) that poll the building's managed switches with read-only access, and a main instance where device discovery and identity processing happen. Both run on customer-provided compute. No SPAN port, no traffic mirror, no inline tap, no agent on the endpoint, no rewiring of the building. Deployments scale from a single floor to multiple campuses on one main instance.
Layer 1 truth, every floor, current as the network.
Continuous fingerprinting on a 30-second poll
Every device, even the unmanaged and quiet ones. Device DNA™ does not depend on an agent, a NAC enrollment, or a self-reported MAC. It depends on what the switch already knows about the device through standard read-only management.
Drift detection that fires once
A device swapped, a port repurposed, a contractor laptop on a live drop. Each surfaces as a discrete event the security team can act on. No log diving, no alert noise.
Audit-defensible record
Per-device, per-port, per-floor history. Dated, scoped, exportable. The format the audit team can use directly, mapped to the framework they need.
Building-wide deployment
One platform across every facility in the portfolio. Not a per-room sale. Not a stitched-together pilot. The whole real-estate footprint, on the same Layer 1 truth.
Capability summary table
| Capability | What It Delivers |
|---|---|
| Real-time device fingerprinting | Detects every device instantly, even unmanaged ones. No agent on the endpoint, no waiting for a periodic scan. |
| Continuous port monitoring | Identifies what is connected, when, and where. Drift events surface as first-class records the security team can act on. |
| Trust scoring and alerts | Flags unauthorized or suspicious behavior automatically. The trust score is what cuts the false-positive burden NAC and EDR tend to produce. |
| Scalable visibility | Extends RoomIQ coverage across every building and every network segment in the portfolio, on a single platform instance. |
| Compliance assurance | Provides verifiable, dated, exportable data for the security and audit teams. Mapped to HIPAA, PCI, SOC 2, NIST CSF, CMMC, and ISO 27001. |
The verticals where the visibility gap is loudest.
Different industries, same underlying problem: the network has more devices than anyone has counted, and the audit will find them before the IT team does.
Unmanaged medical devices, shared clinic networks.
Infusion pumps, imaging stations, biomedical equipment, tablets at the bedside. SpacesIQ produces the per-device evidence HIPAA and HITRUST audits ask for, without depending on a clinical-engineering team that does not work for IT.
Sensors on the warehouse floor, vendor gear on live ports.
Industrial controllers, environmental sensors, contractor laptops connected during a maintenance window. NIST CSF and CMMC need the inventory. SpacesIQ produces it without an OT/IT cooperation project.
Open ports, contractor traffic, BYOD on the network.
Buildings with thousands of drops, contractors in and out daily, no consistent endpoint stance. SpacesIQ closes the visibility gap without trying to enforce a uniform endpoint policy first.
Multi-site portfolios with mixed-vintage infrastructure.
Headquarters, regional offices, satellite locations. SpacesIQ unifies device visibility across the portfolio in one platform instance, including the older buildings nobody has fully inventoried since the last lease renewal.
Point-of-sale stacks across hundreds of stores.
Card readers, kiosks, vendor-managed displays, contractor laptops on the back-of-house drop. SpacesIQ produces the per-store evidence PCI DSS audits ask for, without store-by-store reconstruction.
What security and compliance leaders ask on the first call.
Does SpacesIQ replace our NAC, EDR, or asset-management tooling?
No. SpacesIQ fills the visibility gap underneath them. The comparison table on the Solutions page shows the specific capabilities each tool covers and where SpacesIQ is additive.
Which compliance frameworks are mapped?
HIPAA Security Rule, PCI DSS, SOC 2 Common Criteria, NIST CSF, CMMC, and ISO 27001 are mapped at deployment. New framework mappings are added quarterly. The screenshot above shows the HIPAA view.
How long does it take to onboard a building?
The first floor typically returns its initial inventory in 24 to 72 hours after the working session. A full multi-floor building onboards inside week two. The first audit-evidence pack is produced by month one.
What does the deployment look like physically?
SpacesIQ extends across the building's existing switch fabric. No rewiring, no required changes to switch configuration, no agent on the endpoints. The platform reads from the network by default; optional enforcement actions (port disable, quarantine, ACL) are available if you choose to enable them.
How does SpacesIQ integrate with our existing GRC platform?
Evidence packs export to ServiceNow, Archer, Vanta, Drata, and the major SIEMs. APIs are available for custom GRC tooling. Per-export audit logging is standard.
How is the Layer 1 data secured?
Device DNA™ fingerprints are stored cloud-hosted by default (CybrIQ-managed, your choice of US, EU, or Canadian region; SOC 2 Type II audited). On-premise storage is available for organizations with FedRAMP-equivalent posture, data-residency requirements that exclude vendor-cloud entirely, or air-gapped networks. Encryption at rest, role-based access control, and per-export audit logs are standard. A SOC 2 Type II aligned program runs against the platform itself, with formal attestation on the roadmap.
What is the pricing shape?
SpacesIQ is priced by deployment scale: per building, per floor count, or per managed switch port. Detailed pricing is shared on the demo call once we understand the environment.
Pick a building. We will tell you what is actually on it.
Connect SpacesIQ to one floor or one campus. By the end of the working sprint you will know exactly what is on every port, what changed, and what your audit team needs to see. From there, the deployment compounds across the rest of the portfolio.