Everything you need to know about medical device penetration testing, FDA cybersecurity requirements, and working with Thrombus.
Yes. The FDA's premarket cybersecurity guidance, updated in September 2023, requires medical device manufacturers to provide evidence of security testing as part of 510(k), De Novo, and PMA submissions. This includes penetration testing to validate that identified threats have been adequately mitigated. The FDA expects manufacturers to demonstrate that their device has been tested against known vulnerability classes and that a comprehensive threat model has been developed. Devices submitted without adequate cybersecurity documentation are increasingly receiving Refuse to Accept (RTA) decisions, which can delay market entry by months.
The FDA expects several cybersecurity deliverables in a premarket submission: a threat model identifying potential attack vectors and their mitigations, a cybersecurity risk assessment mapping threats to patient safety impacts, a Software Bill of Materials (SBOM) listing all third-party components and their known vulnerabilities, evidence of security testing including penetration test results, and a plan for post-market vulnerability management. The penetration test report should document the methodology used, vulnerabilities discovered, their severity ratings, and evidence that critical findings have been remediated.
The primary guidance is "Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions" (September 2023), which replaced the 2014 and 2018 guidances. This document outlines the FDA's expectations for both premarket submissions and ongoing security management. Additional relevant documents include the FDA's postmarket cybersecurity guidance, IEC 62443 for industrial control system security (increasingly referenced for medical devices), and AAMI TIR57 for medical device security risk management. The 2023 guidance was codified into law through the PATCH Act as part of the Consolidated Appropriations Act of 2023, making cybersecurity requirements mandatory rather than recommended.
Penetration testing provides concrete evidence that your device's security controls work as intended. The test report documents which attack vectors were tested, what vulnerabilities were found, their potential impact on patient safety, and how they were remediated. This directly addresses the FDA's requirement to demonstrate that security risks have been identified and mitigated. A well-structured pentest report can be included as-is in your submission package, saving weeks of documentation effort. It also demonstrates due diligence in your security testing process, which the FDA reviewers evaluate as part of your overall cybersecurity posture.
A comprehensive medical device penetration test covers four primary attack surfaces: network security (testing Wi-Fi, Bluetooth, BLE, Zigbee, cellular, and other communication protocols), firmware analysis (reverse engineering, binary analysis, cryptographic assessment, and secure boot verification), cloud and API security (assessment of cloud-connected components, backend APIs, and data transmission security), and physical security (tamper resistance, debug interface exposure, and physical access controls). The engagement produces a detailed report with vulnerability findings, severity ratings based on patient safety impact, and specific remediation guidance including code-level fixes.
We test all classes of FDA-regulated medical devices, including Class I, II, and III devices. This encompasses connected medical devices such as patient monitors, infusion pumps, diagnostic imaging systems, and surgical robots, as well as implantable devices with wireless interfaces like pacemakers and neurostimulators. We also test in-vitro diagnostic (IVD) devices, Software as a Medical Device (SaMD), and combination products. Our dedicated hardware lab is equipped to test devices with a wide range of communication protocols, physical interfaces, and form factors. If your device has any electronic or software component, we can test it.
A typical engagement takes 4-6 weeks from device receipt to final report delivery. This timeline includes initial scoping and environment setup (2-3 days), active testing across all attack surfaces (2-3 weeks), report writing and quality review (1 week), and client review and Q&A (1 week). Timelines can vary based on device complexity, number of communication interfaces, and whether source code is provided. Threat modeling engagements are typically shorter at 2-3 weeks. After remediation, re-testing is significantly faster since we focus only on verifying fixes for identified vulnerabilities.
The report includes an executive summary for leadership and regulatory reviewers, a detailed threat model mapping attack vectors to your device's architecture, comprehensive vulnerability findings with severity ratings, patient safety impact analysis for each finding, specific remediation guidance with code-level fixes where applicable, and a summary of the testing methodology and tools used. The report is formatted for direct inclusion in FDA premarket submissions and follows the structure recommended in the 2023 FDA cybersecurity guidance.
Yes. Every vulnerability finding includes specific remediation guidance, and for software vulnerabilities, we provide actual code fixes your engineering team can implement. After your team applies the fixes, you can request a re-test directly through the Thrombus portal. Re-testing is included with every engagement at no additional cost. Our AI-accelerated re-testing process focuses specifically on verifying that identified vulnerabilities have been properly addressed, which means re-tests are completed in days rather than weeks.
For the most comprehensive assessment, we need the physical device shipped to our hardware lab. This allows us to test physical security controls, debug interfaces, tamper resistance, and perform hands-on firmware extraction. However, certain testing components can be performed remotely: cloud and API security assessments, source code review, and testing of purely software-based devices (SaMD). We provide detailed shipping instructions and handle devices with the security appropriate for medical equipment.
Our pricing is transparent and available upfront through the Thrombus portal. A focused threat model starts at $15,000 and provides the architectural security analysis and threat identification that forms the foundation of your FDA submission. A full penetration test is $45,000 and includes hands-on testing across all attack surfaces with a comprehensive report. A combined threat model and penetration test is $55,000, which is the most common choice for manufacturers preparing initial 510(k) submissions. Custom engagements are available for devices with unique requirements or larger scope. All engagements include free re-testing after remediation.
Source code access is strongly recommended to meet FDA expectations for comprehensive cybersecurity validation. With source code and architectural visibility, we can validate that security controls are correctly implemented (not just externally observable), identify deeper or non-obvious vulnerabilities that black-box testing may miss, provide precise and actionable remediation guidance including code-level fixes, and ensure full coverage and traceability to identified threats and mitigations. Without source code, testing is limited to black-box and gray-box techniques such as reverse engineering and interface analysis. While still valuable, this approach may not fully demonstrate control effectiveness or uncover certain vulnerability classes, which can lead to gaps relative to FDA expectations.
After your engagement is confirmed and payment is received, you will receive detailed shipping instructions through the Thrombus portal. We accept shipments at our dedicated hardware lab facility. Devices should be shipped with all necessary accessories, power supplies, and configuration documentation needed to operate the device in a test environment. We require a tracked shipping service; insurance is optional and up to you. Once received, we confirm delivery in the portal and begin the testing process. After testing is complete, we securely return your device using the same level of care.
We accept ACH bank transfers, wire transfers, and credit cards through our Stripe-powered invoicing system. When you create an engagement through the Thrombus portal, a 50% deposit invoice is sent to your designated accounting contact. The remaining 50% is invoiced upon completion of the engagement. For custom engagements, payment terms are agreed upon during the scoping process. All invoicing is handled through our secure portal with full audit trails. We use Stripe, a PCI-compliant third-party payment provider, and do not process or store card details or bank account information on our platform.