"Looks good" is not Layer 1 evidence.
The AV control system shows the boardroom green. The codec is online, the displays are awake, the audio is passing through. The CISO walks in and asks how the room is secured. The control surface cannot answer that question. Here is the difference between operational status and security evidence, and why auditors stopped accepting the first one a long time ago.
By the CybrIQ team
What the control surface is for.
Crestron, Extron, Q-SYS, Poly by HP, and Neat control systems are excellent at the job they were built for. They run the room. They confirm that the codec is reachable, that the camera is live, that the displays are up, that the microphone is in range, that the meeting can start. When something stops working, they tell the operations team where to look first.
None of that is security evidence. The control surface watches the room work. It does not watch the network the room sits on, and it has no way to know whether the device on a given port is the device that was installed there last quarter.
Three things "all green" does not prove.
A green status on the control system means three things, none of which are what the auditor or the CISO is asking about.
- The device is reachable. Reachable is not authentic. A device that responds on the expected IP can be a substitute, an impostor, or a known asset that has had its firmware tampered with upstream of the install.
- The room is functional. Functional is not bounded. A meeting can run perfectly while the network drop behind the codec also hosts an unmanaged switch with four contractor laptops on it. The control surface only sees the codec.
- The asset is registered. Registered is not validated. The asset register lists what was bought. The wire shows what is plugged in. Those are different lists, and the gap between them is exactly where the audit findings live.
The supply-chain implant case.
A global enterprise rolled out hundreds of identical conference kits across its sites. Procurement records were complete. Serial numbers matched. Software validation cleared every device. Every control system reported green.
CybrIQ flagged one camera in the fleet whose electrical fingerprint did not match the rest. It looked identical to the others on every check the higher-layer tools were designed to run. The camera was a supply-chain implant, modified upstream of the install, designed to capture more than meeting minutes. Without physical-layer validation, it would have stayed in the room for years.
Every other piece of evidence said the camera was fine. Only Layer 1 told the truth.
What the auditor is actually asking for.
Audit frameworks have moved past "trust the operator's attestation." HIPAA, PCI, SOC 2, NIST CSF, and CMMC each, in their own language, require evidence that the inventory is verifiably current and that controls have been continuously enforced over the audit period.
That is not a screenshot of a green dashboard. That is a per-device, per-port, dated record showing what was on the wire, when, and how its identity was verified. It is the kind of evidence a control system was never designed to produce, because that was never the control system's job.
The board, the carrier, and the regulator.
The same gap shows up in every executive conversation about security posture. The board wants assurance. The cyber-insurance carrier wants posture inputs. The regulator wants control evidence. Three different audiences asking for three different shapes of the same artifact: what is on the network and how do you know?
A green status does not answer that question. A continuous Layer 1 record does. CybrIQ's per-device, per-port history is structured for the audit to take at face value, formatted for the board to read in five minutes, and machine-readable for the carrier's risk model. One source, three audiences.
The takeaway. The control surface tells you the room is working. The Layer 1 record tells you what is connected to it. Those are different questions. The first one was solved a decade ago. The second one is the one the audit, the board, and the carrier are actually asking.