A device can lie about what it is. It cannot lie about how it behaves on the wire.
Device DNA™ is a Layer-1 fingerprint matched against a 750-million-device reference library. Spoof-resistant, agentless, switch-side, trafficless. The audit team calls it “the only inventory I haven’t had to argue with.”
Five markers, observed at Layer 1, combined into one signature.
Device DNA does not depend on what the device says about itself. It depends on what the switch already knows about the device, observed through standard read-only management protocols. Five markers are combined into a single signature, which is rebuilt every time a port is validated.
01. Link negotiation pattern.
How the device negotiates speed, duplex, and auto-negotiation with the switch. A managed Crestron codec negotiates differently than a 5-port unmanaged switch, even if both report the same MAC. The switch records this; we read it back.
02. MAC OUI and identity descriptors.
The vendor block and the descriptors the device presents on connection. Spoofable in software, which is why it is one of five inputs and never trusted as the only one.
03. LLDP, CDP, and management-plane announcements.
Devices announce themselves to the switch through LLDP, CDP, and similar discovery protocols whenever they connect. The exact advertisements (which TLVs are present, the chassis-ID format, the system descriptor) vary meaningfully by device family. The switch logs all of it as part of its normal operation.
04. Port-stats and switch-side behavior.
The switch maintains counters, error rates, frame-size distributions, and link-flap history for every port as a side effect of its own operation. A codec under a live call leaves a different counter footprint than a workstation generating burst traffic. We pull those counters from the switch read-only.
05. VLAN and topology context.
Where the device sits in the network: VLAN membership, spanning-tree role, neighbor port relationships, BPDU patterns. The switch records all of this as part of running the network. Two devices with otherwise-similar profiles diverge here, which is what surfaces sophisticated impostors.
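As an added illustration (not CybrIQ's code or its patented method), the sketch below combines five switch-side markers into one digest and shows that a device with a cloned MAC still diverges on the other markers. All field names, the bucketing, the hashing scheme and the sample observations are assumptions constructed for this example.

```python
import hashlib
import json

def markers(obs):
    """Reduce raw switch-side observations to the five marker groups."""
    return {
        "link": (obs["speed_mbps"], obs["duplex"], obs["autoneg"]),
        "oui": obs["mac"].lower()[:8],
        "lldp": (sorted(obs["lldp_tlvs"]), obs["chassis_id_subtype"]),
        # Coarse buckets so normal counter drift does not change the marker.
        "port": (obs["mean_frame_bytes"] // 256, obs["link_flaps_24h"] > 0),
        "topology": (obs["vlan"], obs["stp_role"], obs["sends_bpdu"]),
    }

def signature(obs):
    """One digest over all five markers (hypothetical scheme)."""
    blob = json.dumps(markers(obs), sort_keys=True).encode()
    return hashlib.sha256(blob).hexdigest()

def validate_port(baseline, current):
    """Rebuild the signature for a port and name the markers that moved."""
    if signature(baseline) == signature(current):
        return ("match", [])
    old, new = markers(baseline), markers(current)
    return ("mismatch", [name for name in old if old[name] != new[name]])

# Constructed observations, not real device data. The MAC is a
# locally administered placeholder, not a real vendor OUI.
CODEC = {
    "mac": "02:00:5E:10:20:30", "speed_mbps": 1000, "duplex": "full",
    "autoneg": True,
    "lldp_tlvs": ["chassis_id", "port_id", "ttl", "system_name"],
    "chassis_id_subtype": "mac", "mean_frame_bytes": 900,
    "link_flaps_24h": 0, "vlan": 120, "stp_role": "edge",
    "sends_bpdu": False,
}
# Same device on a later validation pass: counters drift slightly.
CODEC_LATER = dict(CODEC, mean_frame_bytes=880)
# Unmanaged switch presenting the codec's MAC on the same port.
IMPOSTOR = dict(CODEC, speed_mbps=100, lldp_tlvs=[],
                chassis_id_subtype=None, mean_frame_bytes=310,
                link_flaps_24h=4)

if __name__ == "__main__":
    print(validate_port(CODEC, CODEC_LATER))
    print(validate_port(CODEC, IMPOSTOR))
```

Reporting which markers moved, rather than only that the digest changed, is what lets an operator tell a replaced device from a reconfigured one.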
Higher layers ask the device. Layer 1 watches the device.
Network access control sees the corporate VLAN at Layer 2 and above. EDR sees endpoints with an agent on them. Asset management sees what was registered the last time someone updated the spreadsheet. None of these see the actual electrical behavior of the device when it brings up a link.
Device DNA observes the wire. The wire does not lie. A device that has been physically modified, replaced, or substituted produces a different fingerprint regardless of what it tells the operating system.
Non-invasive by design.
The platform reads from the network without changing how it behaves. No agent on the endpoint. No rewiring. No changes to switch configuration that would risk an outage.
Conference-room scope.
RoomIQ is software with two components: an External Scan Engine (ESE) that polls the room's managed switch with read-only access, and a main instance where device discovery and identity resolution happen. Setup is measured in hours, per room.
Across the building's switch fabric.
SpacesIQ extends the same Device DNA approach across a building's existing switch fabric. The platform scales from a single floor to multi-campus deployments on the same instance.
Cloud-hosted by default. On-premise when required.
The default deployment is cloud-hosted (CybrIQ-managed, your choice of US, EU, or Canadian region; SOC 2 Type II audited). Customers with FedRAMP-equivalent posture, data-residency requirements that exclude vendor-cloud entirely, or air-gapped networks deploy the main instance fully on-premise. Encryption at rest, role-based access control, and per-export audit logs are standard in both shapes. A SOC 2 Type II aligned program runs against the platform itself, with formal attestation on the roadmap.
The technical core is patented.
The Device DNA™ approach is the subject of CybrIQ's foundational patent. The patent covers the method of deriving a device signature from observable Layer 1 behavior and using it for continuous validation. Detailed patent and IP information is available under NDA on the demo call.
See Device DNA™ on your environment, not in a slide.
The 30-minute working session runs the platform live against one of your rooms or one floor of one of your buildings. You see the signatures, the validation events, and the audit-evidence pack on your own gear.