Cisco IQ: Repricing the Economics of Infrastructure Support

On Monday morning, 1^st June, 2026, a total of 1,500 customers had self-onboarded onto Cisco IQ. By evening, it was 1,600. Tuesday morning, 1,700. By the time I left Cisco Live 2026 in Las Vegas, Tuesday evening, I was told the number had crossed 2,000.

But I am getting ahead of myself.

The Constraint Cisco IQ Removes

Enterprise support has been a reactive business for twenty years, and not for lack of ambition. It was reactive because it was blind. Between audits, no vendor had an accurate, up-to-date picture of what a customer was running, which devices were exposed, and which had drifted out of compliance. Support waited for the failure and billed to fix it. That blindness, not the absence of AI, is the constraint that defined the category.

Cisco IQ removes the constraint. At its simplest, it is an intelligence layer that sits over a customer’s entire Cisco estate. Strip away the module names, and what it does is make that estate continuously legible. It fuses asset telemetry pulled from the live network, contract and entitlement records, and two decades of support history into a single, always-current model of what the customer runs, and it reasons over that model without waiting to be asked. The AI is the visible part, but it sits atop the harder thing: a reconciled, constantly updated model of the estate. That model is what competitors cannot easily reproduce, because it is built from years of data rather than shipped as a feature.

The platform expresses this through three modules, and the first is the most revealing. The Assets module does not trust the customer’s own inventory. It builds its picture from the union of what the customer believes it owns and what Cisco observes on the wire, then treats its own reconciled model as the source of truth. In one early trial that surfaced a finding the customer could not have reached alone: 750 switches whose support was being paid for by a different company, the residue of an unreconciled divestiture. By treating its own model as authoritative, Cisco is in effect claiming to know the customer’s Cisco environment better than the customer’s CMDB does, and the 750 switches suggest it often does. Assessments turn that legible estate into prioritized action against advisories, hardening baselines, and cryptographic posture. Support uses it, so a case opens with the customer’s topology and history already loaded, without having to rebuild it from scratch.

Two decisions reveal the strategy more than any feature does. By making its model the system of record rather than deferring to the underlying tools, Cisco shifts from support vendor to the authoritative record of the customer’s estate, which is a much stickier place to sit. And by bundling Cisco IQ into its support tiers (Basic, Standard, Signature) rather than charging for it as a premium SKU, Cisco turns free distribution into a monetization strategy. Once the platform is the source of truth, renewals and refreshes route through it. The trade is near-term license revenue for installed-base visibility.

That capability is the spine of the four announcements, which share a single engine pointed at different problems. A continuously legible estate enables Cisco to prevent incidents rather than resolve them, defend an attack surface that patching alone cannot close, and prepare for a cryptographic transition that is too fast to handle by hand. The first application reprices the business. The others carry the same logic into security and cryptography.

Why the Adoption Curve Is the Story, Not the Headline

That reframing is why the onboarding numbers matter more than they first appear. Seeing 1,800 self-service onboardings in the six weeks leading up to the event, climbing at 175 a day against an internal forecast of a few hundred, and culminating in the 2,036 Liz Centoni cited from the mainstage, tells you the blindness was real and that customers felt it acutely enough to fix it themselves. Demand that moves this fast without a sales motion behind it points to a constraint that had been holding it back.

It also carries a warning that the keynote did not voice. An entire layer of the market exists to sell the visibility Cisco just gave away inside the support contract: third-party maintainers and discovery-and-audit shops that bill by the day to tell a customer what it owns. The adoption curve is the leading indicator of that layer’s compression. When Cisco itself underestimated the demand by an order of magnitude, the signal is that the market is pulling this rather than Cisco pushing it.

What the demand is buying is a shift in what support measures. Cisco has stopped measuring support by how fast it resolves incidents and started measuring it by how many it prevents. The platform today deflects roughly 3% of high and critical TAC cases before they are opened, with a July target of 10% and a twelve-month target of 30%. Because a high-severity case carries real cost in engineering hours and downtime, deflecting 30% of them changes the unit economics instead of merely trimming them, and it leaves the break-fix model looking like a business someone will eventually disrupt. What gives the decision weight is that break-fix is a meaningful slice of Cisco’s own services revenue and a much larger slice of its partners’. Cisco is choosing to compress a profitable motion before a competitor does. This is the point at which I stop calling Cisco a support company. It now runs an intelligence business, and support has become one of its outputs.

Prevention, Pointed at Security

Repricing support is the first thing a continuously legible estate makes possible. The next is a higher-stakes form of prevention. Resilient Infrastructure Services applies the prevention thesis to security, the one place where waiting for the incident means absorbing a breach. Most coverage will file it as a standalone security launch. It is the same legible estate pointed at the attack surface.

Mythos, the AI-enabled framework that maps and exploits a network at machine speed, matters because it inverts an asymmetry. The attacker now has continuous, machine-speed legibility of where a defender is weak, while the defender is still working from last quarter’s spreadsheet. Cisco cites Talos data that 40% of the most-targeted vulnerabilities last year sat on end-of-life devices, a meaningful share of them more than a decade old, and Techaisle’s own research finds a majority of mid-market and enterprise organizations still running 20% to 30% of their network infrastructure beyond meaningful support windows. Those are the devices an AI-enabled tool finds first, because they are the softest targets and they sit at the edge where lateral movement begins. The defender is rarely short of patches. What the defender lacks is the speed of visibility to know where to apply them before the attacker does.

This is where Resilient Infrastructure connects directly to Cisco IQ rather than sitting alongside it. The response restores symmetry by giving the defender the same continuous legibility that the attacker already has, and the remediation playbook executes within the platform rather than arriving as a PDF for an overwhelmed security team.  The starting point is, in effect, the Assets module: complete asset clarity. Bhaskar Jayakrishnan, who runs CX engineering, drew the line that the rest of the industry keeps blurring.

Patching is essential hygiene, but it is not enough. Resilience is not a reaction to an event. It is an architecture.

The three phases follow from that. Exposure Assessment surfaces advisories, end-of-support devices, and zero-trust gaps. Infrastructure Modernization rebuilds with micro-segmentation and CI/CD pipelines. Defense Resiliency stands up an agentic SOC response. As security products, they are familiar. They matter because prevention is worth most where failure costs most, and nowhere does failure cost more than in security.

Prevention, Pointed at the Cryptographic Transition

If security aims at the estate of threats already in the network, the cryptographic transition aims at one whose deadline is fixed and approaching. Quantum readiness looks like a tangent but works as the strongest test of the same idea, because crypto-agility is an inventory problem long before it is a cryptography problem. You cannot transition encryption you cannot find, and a device’s cryptographic posture stays invisible without the continuous estate model the platform already maintains. A quantum assessment that did not sit on top of that model would have little to work with. That is why it belongs inside Cisco IQ: it is the Assets module extended to include cryptographic assets, producing a Cryptography Bill of Materials, just as the platform already produces a hardware inventory.

Quantum is usually where my skepticism starts, since the topic is distant enough that no one is held accountable and frightening enough to justify a budget line. The difference here is that Cisco is not selling Q-Day. Harvest Now, Decrypt Later attacks are already underway, with nation-state actors recording encrypted traffic today on the expectation that it becomes readable within years rather than decades. The timeline compresses the rest. In the past, when encryption standards evolved to counter increasing compute capacity, typically by doubling key sizes, organizations had five to seven years to migrate; post-quantum transitions will happen in months, and an organization that cannot see its cryptographic estate today will not have time to inventory it when the deadline lands, let alone fix it. Visibility has to come before the urgency, and that is the work the platform has been doing.

Cisco’s assessment scores each device on three dimensions: secure communications across the data, control, and management planes; secure platforms, meaning root of trust and signed images; and crypto-agility, the ability to swap algorithms without re-architecting. For a global enterprise facing different post-quantum standards by jurisdiction, cryptography is the easy part. The hard part is knowing, device by device and against a given standard, where you stand, and the platform can answer that because it already holds the inventory.

The Economics That Make Prevention Credible

Every number in the prevention story so far, the 3-to-10-to-30 deflection curve, and the 15% of cases that already close without a human, rests on automation that holds up as it scales. Cisco used the summit to admit something most vendors avoid saying out loud: past a certain point, adding AI makes the support economics worse. Carlos Pereira, Cisco Fellow and Chief Architect, calls it the Overwatch Scaling Paradox, and it explains why so many AI-support claims fall apart at volume.

When AI drafts a response that a human must review before it reaches the customer, there is a break-even point beyond which the AI adds total human effort rather than removing it. A complex case that takes 120 minutes by hand and 15 minutes to review as a draft saves real time. A simple case that takes 20 minutes by hand still carries the same 15-minute review, so the pairing barely pays off, and simple cases make up the bulk of the volume. Most copilot deployments end up optimizing the rare expensive case and quietly taxing the common cheap one. It is the mechanism behind Pilot Purgatory, and behind Cisco’s own figure that 95% of pilots deliver zero financial impact: the AI is bolted onto a workflow nobody redesigned. Trimming a 120-minute proposal cycle to 20 minutes looks like an 83% win, while the workflow and its downstream bottlenecks stay exactly as they were. The saving is real, and it changes nothing.

Cisco’s response is the engine under the deflection numbers. It redesigned the workflow so the machine can own it, in what it calls Case-Based Agentic Systems: the case holds the state, agents act on its transitions under confidence gates, and every action is auditable and safe to repeat. The agents carry the workflow, and the human steps in for judgment and exceptions. This is where what I call Operationalization Premium shows up: the return from rebuilding the workflow rather than speeding up the old one. It is also why a 30% deflection target from Cisco reads as credible, whereas the same number from a competitor would not. Cisco put the economics problem on a slide and then showed the architecture that answers it.

What This Means If You Are a Customer

If you are a CIO or CISO, the thesis converts into four decisions.

First, treat onboarding as a low-regret decision rather than a project. Cisco IQ is bundled into the Standard and Signature support tiers, not gated behind a premium SKU, so if you already pay for Cisco support and are not using it, you are paying for intelligence you have chosen not to collect.

Second, treat the Resilient Infrastructure playbook as your post-Mythos remediation roadmap. The devices most likely to hurt you are the ones your last audit missed, the ones sitting past their last day of vulnerability support that AI-enabled tooling can find faster than your team can.

Third, open the quantum-readiness conversation now. Crypto-agility cannot be retrofitted under pressure, and the assessment gives you a board-ready read on where you stand before the window closes.

Fourth, reset what support is supposed to mean. If your support experience still starts from zero, with 35 to 40 minutes spent collecting show-tech and uploading logs before the first line of troubleshooting, you are running a 2015 operating model against a 2026 threat. That lost time is a Friction Tax paid on every case. Cisco IQ collapses it by routing the case to the right engineer 88% of the time and briefing that engineer before the call begins.

What This Means If You Are a Partner

For partners, the same move cuts both ways, because the visibility Cisco gave away is the visibility partners used to sell. Cisco IQ is at once the largest opportunity and the largest threat the partner ecosystem has faced in a decade.

The opportunity is structural, representing a clear shift toward what I categorize as Ecosystem Intelligence. Cisco laid out three service pillars partners can build on to capitalize on this shift. Strategic Lifecycle Management covers compliance audits, software entitlement optimization, technical debt reduction, and Green IT, all built on the platform’s landscape clarity. Managed Business Continuity covers security agility against Mythos-class threats, quantum-readiness assessment, posture benchmarking, and managed hardening. Architectural Transformation covers automated compliance, business-intent validation, high-velocity migration, and shift-left network operations through CI/CD pipelines. These are productized frameworks with the intelligence layer already built, not hypothetical categories.

The threat is the same legibility seen from the other side. The intelligence that arms partners also exposes the inefficiencies that some have built their business models around. When the platform identifies in minutes what once took days of manual discovery, the value of discovery-as-a-service collapses, the same channel compression the adoption curve signaled earlier. When customers self-onboard at 175 a day with no partner involved, no partner can assume it remains the only conduit for this intelligence.

The partners’ early field trial starts in July, with general availability roughly a quarter later. The API-first design, with MCP and Agent-to-Agent protocol support, lets partners embed Cisco IQ programmatically into their own platforms. Partners that move early will build defensible positions. Those who wait may find their customers better informed about their own infrastructure than the partner managing it.

What I Am Watching

None of this means Cisco has solved the problem. It has built the capability; whether customers use it differently is an open question. Five things will tell over the next twelve months.

The onboarding-to-activation gap. 2,000 customers onboarded is real, but onboarding is not activation, and the distance between the two is what I call the Activation Void. How many of these customers are remediating the vulnerabilities the platform surfaces, and how many are generating another report that ages in a queue? The 3-to-10-to-30 deflection curve is the right metric, and whether Cisco hits it is the thing to watch.

The Overwatch break-even in the field. Cisco has been transparent about the paradox, but confidence-gated autonomy with dynamic thresholds has never run at this scale across this much heterogeneity. A threshold that is safe for a thin-margin logistics operator like Geodis can be dangerously aggressive for a semiconductor fab running zero maintenance windows, like GlobalFoundries, or for a regulated bank. Calibration at scale is the hard part.

The multi-vendor blind spot. Cisco IQ produces extraordinary intelligence about Cisco infrastructure, but most enterprises are heterogeneous, and a legible estate that stops at the Cisco boundary is only partly legible. Until the platform can ingest and contextualize third-party telemetry, the complete-landscape-clarity claim carries an asterisk. The extensibility roadmap for APIs, MCP, and A2A signals awareness; execution will decide whether it closes.

Partner readiness and the two-speed ecosystem. Large global integrators will absorb this quickly. The long tail of smaller partners, many of whom built profitable businesses on the manual audit work the platform now automates, faces real model disruption. Cisco reports more than 16,000 Black Belt certifications across its partner services, but a certification is not a business model, and the enablement has to match the ambition.

The durability of the economics. Bundling Cisco IQ into existing tiers is the right call for adoption velocity, but continuous telemetry processing, ML inference, agentic workflows, and quantum cryptographic analysis are not cheap to deliver at scale. Either Cisco has built that into its long-term cost model, or the most valuable intelligence eventually migrates behind premium entitlements, at which point the free-distribution strategy quietly reverses. That is the signal I am watching for.

The Bigger Picture

Twelve months ago, I argued that the future of enterprise support lay in prevention rather than faster resolution, and that Cisco’s pairing of deterministic ML with generative reasoning was a real architectural difference, not a slogan. Cisco Live 2026 was that argument meeting reality, and the through-line was simpler than the four announcements made it look. Cisco built a continuously legible estate and aimed it at prevention, then at security, then at the cryptographic transition, with the same capability under each.

2,036 onboardings in six weeks have moved well past vision-slide territory, and 15% of cases closing with no human is no longer a pilot result. What I trust most is the willingness to put the Overwatch paradox on stage at all. An organization that shows you its hardest unsolved problem is usually an engineering-led one, and that tells you more than any demo did.

Cisco shipped working capability while much of the field is still announcing intentions. The harder question now belongs to the customers and partners who have to operationalize what Cisco made visible, and that is what I will be tracking.