
Last reviewed: May 1, 2026
A real penetration test for a connected medical device is not a $5,000 vulnerability scan. This guide explains what the work actually costs in 2026, the variables that move the number, and how to scope a test that satisfies the FDA's February 2026 final guidance and Section 524B.
Last updated: May 2026. Ranges reflect U.S. market pricing for FDA-targeted engagements.
1. The Honest Price Range
| Device profile | Typical scope | Price range |
|---|---|---|
| Simple connected device (single interface, no RF, no mobile) | Web/API + basic network | $15K–$25K |
| Class II connected monitor or therapy device | Web/API + BLE + USB + cloud config | $35K–$55K |
| Class II with mobile companion app | Above + iOS/Android + mobile API | $50K–$75K |
| Class III implantable with RF telemetry | RF/SDR + firmware + companion + cloud | $75K–$120K |
| SaMD (cloud-only, no hardware) | Web + API + cloud config + IAM review | $25K–$45K |
| Fleet / multi-device portfolio | Shared platform + per-device deltas | Custom |
These ranges are for submission-grade engagements: scoped to FDA expectations, executed by senior testers, documented for reviewer consumption.
2. What Drives the Number
Interface and protocol count
Every external interface is a separate test surface. A device with Wi-Fi, BLE, USB, NFC, and a cellular fallback has five attack surfaces, not one. Reviewers expect each to be tested.
Protocol complexity
Standard web and BLE testing is well-trodden. Proprietary RF, custom binary protocols, DICOM, HL7/FHIR, and medical-specific protocols add tester time and specialized tooling (Wireshark dissectors, SDR setups, fuzzing harnesses).
Firmware depth
Black-box firmware testing is fast but shallow. Reviewers increasingly expect grey-box testing, with the firmware extracted and analyzed (Ghidra, Binary Ninja, JTAG/UART access); that adds 20–40% to the test.
Mobile companion app
iOS + Android adds a mobile-platform skill set, MobSF + Frida + objection tooling, and platform-specific checks with their own deliverables (jailbreak/root detection, certificate pinning, secure storage).
Cloud and identity
Modern device platforms live in AWS, Azure, or GCP with an IdP. A cloud configuration review (CSPM-style) and IAM/OAuth flow testing are now standard expectations, not extras.
Remediation retest
A clean submission includes the remediation retest. Most vendors price it at 15–25% of the original engagement; some bundle one retest in the base price.
3. The Toolchain Reviewers Recognize
Submission-grade reports name the tooling. Expect to see:
- Nessus or OpenVAS — network and infrastructure vulnerability scanning
- Burp Suite Pro — web and API testing (the default expectation)
- OWASP ZAP — secondary web testing or automation
- Nmap — service enumeration
- Wireshark — protocol capture and analysis
- Frida / objection / MobSF — mobile runtime analysis
- Ghidra / Binary Ninja / IDA — firmware reverse engineering
- HackRF / Ubertooth / nRF Sniffer — RF / BLE capture
- Postman / mitmproxy — API flow analysis
A report that names only one tool reads as a vulnerability scan, not a pen test.
4. What a Real Engagement Looks Like
A typical 6-week submission-grade engagement:
- Week 1 — Scoping and threat modeling. Architecture review, interface inventory, abuse cases.
- Weeks 2–4 — Active testing. Network, web/API, BLE/RF, USB, firmware, mobile, cloud.
- Week 5 — Reporting. Findings, CVSS, exploitability narrative, remediation guidance, traceability to security requirements.
- Week 6 — Remediation support and retest. Validate fixes, update report for submission.
5. Common Scope Gaps That Cause Deficiencies
- Network-only testing on a device with BLE and a mobile app
- Web-only testing on a device with a cloud control plane
- No firmware analysis on a device that ships firmware
- Generic web app report with no reference to the device, intended use, or AAMI SW96 risk file
- No CVSS or exploitability narrative — reviewers cannot triage a finding list without it
6. Why "Cheap" Tests Cost More
A $7,500 "pen test" is usually a Nessus scan with a cover page. It will not survive substantive review, so you pay for a real test anyway and the submission timeline slips by a quarter. The cheap test is the expensive option.
7. How to Get an Accurate Quote
A defensible quote needs:
- Device architecture diagram (or at minimum, interface list)
- Intended use and risk classification
- Firmware availability (yes/no, JTAG accessible, signed)
- Cloud and mobile components (yes/no, platforms)
- Submission target (510(k) / De Novo / PMA) and target date
With those five inputs, an experienced firm can quote within 24–48 hours.
Frequently asked questions
Is penetration testing required by the FDA?
Yes, for every cyber device as defined in Section 524B. The depth scales with risk; see the premarket submission checklist.
Can I use the same test for FDA and EU MDR?
Usually yes. The same evidence satisfies MDCG 2019-16 with minor reformatting.
How long is a test valid?
Reviewers expect the test to reflect the as-submitted software version. A retest is required if the device changes materially between testing and submission.
Do I need a third-party tester?
The FDA does not literally mandate third-party testing, but in practice reviewers expect independence. Internal-only test reports draw deficiencies.
What about postmarket?
Re-test annually at a minimum, and after any material architectural change. Section 524B postmarket monitoring assumes the test is kept current.
How Blue Goat Cyber helps
Blue Goat Cyber runs medical device penetration testing as a 100% MedTech-focused practice — RF, firmware, BLE, mobile, and cloud, all under one roof, with reports written for FDA reviewers rather than IT auditors.
Sources & primary references
- FDA, Cybersecurity in Medical Devices (final guidance, February 2026)
- Section 524B, Federal Food, Drug, and Cosmetic Act
- AAMI SW96:2023; IEC 81001-5-1:2021
- OWASP Web Security Testing Guide; OWASP MASTG (mobile)
- NIST SP 800-115 — Technical Guide to Information Security Testing and Assessment