5 VEX Mistakes That Trigger FDA Cybersecurity Deficiencies
The 5 VEX document mistakes we see the FDA flag in cybersecurity deficiency letters — and exactly how to fix each one before you submit.
Deep dives on FDA expectations, threat modeling, penetration testing, SDLC, and the standards your team is being asked to meet.
SBOM vs VEX explained for medical device submissions. What each document does, how they pair, and what the FDA actually expects in your 510(k) package.
FDA Deficiency Letter, RTA, and Hold Letter explained side-by-side. What each one means, the clock impact, and how to respond without losing months.
Learn the actual timelines for FDA cybersecurity review. Understand 510(k) and De Novo clock stops, RTA hold periods, and how to avoid costly delays.
What FDA reviewers expect in eSTAR Section Q: SBOM, threat model, SPDF evidence, pen test reports, and a traceability matrix that survives RTA screening.
Brainjacking is the unauthorized control of an implanted neurostimulator. We unpack the attack vectors, clinical consequences, and what manufacturers must build into DBS, SCS, and BCI products.
FDA clearance is the beginning of your cybersecurity obligations, not the finish line. Postmarket cybersecurity for medical devices is an active, continuous requirement that most manufacturers underestimate until a problem forces their hand. Most invest significant resources building premarket docum
When penetration test reports are vague, incomplete, or written to enterprise IT standards rather than medical device requirements, FDA reviewers issue deficiencies that can delay clearance, sometimes requiring a full re-test before you can respond. If you're selecting a provider for medical device
Receiving an FDA cybersecurity Additional Information Request (AIR) doesn't mean your submission is dead. It means the clock is ticking, and the next move has to be precise. FDA issues these requests when reviewers find specific, documented gaps in your cybersecurity package, and they expect every g
Here's a pattern Blue Goat Cyber sees regularly: a medical device manufacturer arrives at premarket submission with an ISO 27001 certificate in hand, convinced their cybersecurity story is complete. Weeks later, a deficiency letter arrives. The FDA isn't questioning their information security postur
If you're asking how to conduct a cybersecurity threat model for a connected or implantable medical device, the first thing to understand is that this is not the same exercise as modeling a web application or enterprise network. The stakes are categorically different. A missed attack vector on a hos
Understanding what causes the FDA to issue a cybersecurity deficiency for medical devices starts with one uncomfortable truth: most deficiencies have nothing to do with a bad device. The device might be perfectly secure. The submission just didn't prove it. FDA reviewers work from documentation, not