On this page
Published: July 7, 2026
Key Takeaways
- MedCrypt is a product-security SDK and CVE monitoring platform, not a [threat modeling](/services/threat-modeling-services "medical device threat modeling") or penetration testing vendor.
- Finite State is a binary SBOM and supply-chain visibility platform, it does not deliver FDA-defensible manual pen testing.
- Blue Goat Cyber is a services firm delivering the manual deliverables (threat models, manual pen tests, deficiency response) that both platforms explicitly do not produce.
- Automated tools alone do not clear FDA cybersecurity review, reviewers require manual, methodology-mapped evidence.
- The mature stack is complementary: platform tooling for continuous monitoring plus a services partner for submission-ready deliverables.
MedCrypt, Finite State, and Blue Goat Cyber are not competitors, they solve different parts of the medical device cybersecurity problem. MedCrypt is a product-security SDK and monitoring platform for cryptography, key management, and CVE tracking. Finite State is a binary analysis and SBOM management platform focused on software supply chain visibility. Blue Goat Cyber is a services firm that delivers FDA-required deliverables, threat models, manual penetration testing, and deficiency response, that neither tool produces. Most mature medical device programs use a combination.
Sponsors comparing these three vendors are usually asking the wrong question. It is rarely "which one do we pick?" It is "which capability gap are we solving, and which vendor category fills it?"
MedCrypt and Finite State are software products with recurring subscription revenue. Blue Goat Cyber is a professional services firm that ships the human-generated evidence, threat models, manual penetration testing, deficiency responses, that FDA reviewers require and that no software tool produces on its own.
This post lays out what each actually delivers, where the boundaries are, and how the three fit together in a defensible FDA submission and postmarket program.
Table of Contents
- What Each Vendor Actually Delivers
- Side-by-Side Capability Matrix
- MedCrypt: When It Is the Right Fit
- Finite State: When It Is the Right Fit
- Blue Goat Cyber: When It Is the Right Fit
- How the Three Fit Together
Why This Matters
The February 3, 2026 FDA final premarket cybersecurity guidance is explicit about what a cyber device submission requires: a threat model built from the device's actual architecture (not a template), an SBOM with vulnerability triage, a penetration test with a defined methodology traced back to the threat model, a vulnerability management plan, and security architecture views including the new global, multi-patient harm, and updateability views.
Section 524B of the FD&C Act gives FDA the statutory authority to refuse submissions that do not include these artifacts. Reviewers routinely cite AAMI SW96:2023, AAMI TIR57, IEC 81001-5-1, and ISO 14971 in deficiency letters.
Understanding which vendor category actually produces which artifact is the difference between a clean submission and a 6-month deficiency loop. Automated binary scanners produce inventory data. Cryptography SDKs produce runtime security controls. Neither produces a threat model or a manual pen test, and reviewers can tell the difference.
What Each Vendor Actually Delivers
MedCrypt is a product-security software company focused on cryptographic controls and CVE monitoring for medical devices. Its core offerings include the Cryptography SDK (Guardian) for embedded devices, Helm for key lifecycle management, and Vigilant for CVE monitoring against a device SBOM. MedCrypt sells to device manufacturers as an OEM component, not as a services firm.
Finite State is a software supply chain security platform focused on binary analysis and SBOM management. Its platform ingests firmware images, extracts a component-level SBOM, and cross-references components against known vulnerabilities. Finite State is used both by manufacturers (to generate SBOMs from binaries when source is unavailable) and by hospitals and integrators (to assess third-party devices).
Blue Goat Cyber is a professional services firm exclusive to medical device cybersecurity. The team ships FDA-defensible deliverables: threat models mapped to AAMI TIR57, manual penetration testing mapped to NIST SP 800-115 and PTES, SBOM/VEX packages, security architecture views, deficiency responses, and postmarket monitoring programs. Blue Goat Cyber does not sell software licenses.
Side-by-Side Capability Matrix
| Capability | MedCrypt | Finite State | Blue Goat Cyber |
|---|---|---|---|
| Cryptography SDK / runtime controls | ✅ Core product | ❌ Not offered | ❌ Not offered |
| Automated SBOM generation | ⚠️ From provided data | ✅ From firmware binaries | ⚠️ Delivered as artifact |
| CVE / vulnerability monitoring | ✅ Vigilant platform | ✅ Platform-based | ✅ Service-delivered |
| Threat modeling (AAMI TIR57) | ❌ Not a deliverable | ❌ Not a deliverable | ✅ Core deliverable |
| Manual penetration testing | ❌ Not offered | ❌ Not offered | ✅ Core deliverable |
| Hardware / firmware / radio testing | ❌ Not offered | ⚠️ Static analysis only | ✅ Full lab testing |
| Security architecture views (2026 guidance) | ❌ Not a deliverable | ❌ Not a deliverable | ✅ Core deliverable |
| FDA deficiency letter response | ❌ Not offered | ❌ Not offered | ✅ Core service |
| Postmarket monitoring program | ✅ Vigilant | ✅ Platform | ✅ Service-delivered |
| Commercial model | Software license | Software license | Fixed-fee services |
Building the mature stack for your device?
Blue Goat Cyber is a medical-device-only cybersecurity firm. We deliver the manual FDA-required artifacts, threat models, pen testing, deficiency responses, that complement whatever SBOM or monitoring platform you use. → Medical Device Penetration Testing
MedCrypt: When It Is the Right Fit
MedCrypt is the right fit when the problem is cryptographic implementation on the device itself, key generation, secure boot, mutual TLS, code signing, or when you want a productized platform for continuous CVE monitoring against a maintained SBOM.
Manufacturers who ship connected devices without in-house embedded cryptography expertise use Guardian to avoid rolling their own crypto. Vigilant is used as a postmarket monitoring platform, often alongside a services partner that produces the underlying SBOM and threat model.
MedCrypt does not produce threat models, penetration tests, or FDA deficiency responses. The company partners with services firms (including Blue Goat Cyber in some engagements) for those deliverables.
Finite State: When It Is the Right Fit
Finite State is the right fit when the problem is software supply chain visibility at scale, particularly when you need to generate SBOMs from binaries because source or component data is unavailable, or when you are a hospital or integrator assessing third-party devices.
Its binary analysis is genuinely differentiated: it can extract component-level inventory from firmware without a source SBOM. That capability is valuable in acquisitions, in legacy platform assessments, and in postmarket monitoring at fleet scale.
See also: When to Start Medical Device Cybersecurity, CVSS 3.1 vs 4.0 for Medical Devices, and Hire Cybersecurity Consultant vs. In-House.
Finite State does not produce a threat model, does not perform manual penetration testing (dynamic testing against hardware, radios, and mobile apps), and does not draft deficiency responses. Its output is inventory data and CVE mapping, which is one input to a submission but not the submission itself.
Blue Goat Cyber: When It Is the Right Fit
Blue Goat Cyber is the right fit when the deliverable in question is a document a FDA reviewer will read, a threat model, a manual penetration test report, a deficiency response package, a security architecture view. It is also the right fit when a submission is already in a deficiency loop and needs a 48-hour gap analysis and rebuild.
The team is medical-device-only, has shipped 250+ FDA cybersecurity submissions across 510(k), De Novo, PMA, and EU MDR, and delivers on fixed-fee scope. Every artifact is mapped to the February 2026 FDA guidance, AAMI SW96, TIR57/TIR97, IEC 81001-5-1, and ISO 14971 with citations embedded.
Blue Goat Cyber does not sell a software platform. Sponsors who need continuous monitoring tooling are typically pointed at MedCrypt Vigilant or Finite State depending on the use case.
How the Three Fit Together
The mature stack for a Class II or above connected medical device typically looks like this:
- Development-phase cryptography and secure boot → MedCrypt Guardian (or in-house implementation)
- Firmware SBOM generation when source data is incomplete → Finite State binary analysis
- Threat model, security risk assessment, security architecture views → Blue Goat Cyber
- Manual penetration testing (hardware, radios, firmware, mobile, cloud) → Blue Goat Cyber
- FDA submission package assembly and deficiency response → Blue Goat Cyber
- Postmarket CVE monitoring and VEX maintenance → MedCrypt Vigilant or Finite State, coordinated with the services partner
The vendors are complementary, not substitutable. Sponsors who try to use a platform tool as a substitute for a services deliverable end up in the deficiency queue. Sponsors who try to use a services firm as a substitute for continuous monitoring tooling end up with stale SBOMs six months after launch.
How Blue Goat Cyber Approaches This
Every engagement is led by a senior medical-device security engineer with direct FDA submission experience. Deliverables are scoped fixed-fee, mapped to current standards, and produced inside your QMS with traceability from requirement → test → residual risk.
For sponsors comparing us against a platform vendor, the honest answer is that we are usually complementary. Our FDA Premarket Cybersecurity Services covers the full Appendix 1 artifact set; Medical Device Penetration Testing is a standalone entry point; and FDA Cybersecurity Deficiency Response is where sponsors already in a deficiency loop start. If the FDA raises cybersecurity deficiencies after our submission, we resolve them at no additional cost.
Frequently Asked Questions
Is MedCrypt a competitor to Blue Goat Cyber?
No. MedCrypt is a product-security software company (Cryptography SDK, key management, CVE monitoring). Blue Goat Cyber is a professional services firm delivering threat models, manual pen testing, and FDA deficiency responses. The two are frequently used together on the same device program.
Can Finite State replace a manual penetration test?
No. Finite State performs static binary analysis and generates SBOMs from firmware images. It does not perform dynamic testing against hardware interfaces, radios, mobile companions, or cloud APIs, which is what FDA reviewers require in a penetration test mapped to NIST SP 800-115 or PTES.
Which vendor produces the threat model FDA requires?
Neither MedCrypt nor Finite State produces an FDA-defensible threat model as a deliverable. Threat modeling is a manual engineering exercise mapped to AAMI TIR57 and STRIDE, tied to the device's actual architecture. This is a services deliverable, Blue Goat Cyber's core offering.
How much does each cost?
Platform tools (MedCrypt, Finite State) are typically subscription-based, ranging from tens of thousands to low six figures per year depending on scope and device count. Blue Goat Cyber services are fixed-fee per engagement, a manual penetration test runs $25K–$150K depending on device class, and a full premarket cybersecurity package $60K–$180K.
Can I clear an FDA submission using only automated tools?
Not since Section 524B took effect. FDA reviewers explicitly cite the need for manual, methodology-mapped evidence, particularly for threat modeling and penetration testing. Automated tool output is one input, but a submission built exclusively on tool output routinely draws Major deficiencies.
Who owns the SBOM in a combined stack?
The manufacturer always owns the SBOM as a regulated artifact. Finite State can generate it from binaries, MedCrypt Vigilant can monitor it, and Blue Goat Cyber can package and defend it in the submission, but the SBOM lives in your QMS and moves with the device through its lifecycle.
CTA
If you are scoping the vendor stack for your device program and want an honest read on which deliverables are services versus tooling, we do free 30-minute scoping calls. Bring your device profile and target submission pathway. Request a scoping call.
About the author
Christian Espinosa, CISSP, Founder, Blue Goat Cyber. Christian leads a team focused exclusively on medical device cybersecurity for FDA premarket submissions and postmarket compliance, with 250+ device submissions across 510(k), De Novo, PMA, and EU MDR pathways. Read more about Christian.


