Blue Goat Cyber · Medical Device Cybersecurity
Company overview · 2026 · v1.9

    Secure by design. Cleared by the FDA.

    The cybersecurity partner medical device manufacturers trust from first 510(k) to postmarket maturity. Senior-led, MedTech-only, fixed-fee.

SDVOSB · FDA 524B · AAMI SW96 · AAMI TIR57/97 · IEC 81001-5-1 · ISO 14971 · ISO 27001
    01
    Track record

    At a glance

    250+

    FDA submissions supported across 510(k), De Novo, and PMA

    Zero

    Cybersecurity rejections to date across every submission

    48 hr

    Median first-pass FDA deficiency response

    Fixed

    Fee, scoped revisions, no surprise change orders

    80+

    Med Device Cyber Podcast episodes published

    2015

    MedTech security roots, narrowed to MedTech-only by 2017

    02
    Public, regulated MedTech

    Representative clients

    A sample of manufacturers we've supported through FDA cybersecurity submissions, pen testing, threat modeling, and postmarket programs.

Intuitive · bioMérieux · Nova Biomedical · Inogen · Natera · Medivis · VitalConnect · Spiro Robotics
    03
    2025 – 2026

    Recent recognition

    MedTech World North America 2026

    Cybersecurity Partner of the Year

    Medical Tech Outlook 2026

    Solution of the Year, cover story

    MedTech World Malta 2025

    Service Provider Excellence

    Healthcare Business Review 2025

    Cybersecurity Company of the Year

    04
    12 modalities

    Clinical indications we support

    Cardiovascular

    Pacemakers, ICDs, cardiac monitors, AEDs

    Surgical Robotics

    Robot-assisted surgery, navigation, energy devices

    Infusion & Drug Delivery

    Smart pumps, insulin systems, auto-injectors

    Diagnostic Imaging

    MRI, CT, ultrasound, X-ray, AI-assisted reads

    Wearables & RPM

    Patches, continuous monitors, remote patient programs

    In Vitro & Molecular Dx

    Lab analyzers, point-of-care, genomics, NGS

    Neuromodulation

    DBS, SCS, vagus and peripheral nerve stimulators

    SaMD & AI/ML

    Decision support, image analysis, PCCP-enabled devices

    Respiratory & Pulmonary

    Oxygen concentrators, ventilators, breath analysis

    Ophthalmic & Vision

    Surgical, diagnostic, and vision-care systems

    Orthopedics & Spine

    Navigation, implants, ortho and dental systems

    Digital Therapeutics

    Prescription DTx and connected therapy apps

    05
    Engagement shapes

    Delivery models

Four engagement shapes: pick the one that matches your milestone, not the one that fills a retainer. Every engagement is fixed-fee and scoped before kickoff, with a 24-hour proposal SLA.

Model | Best for | Typical timeline
FDA Premarket Package (flagship) | End-to-end 510(k)/De Novo/PMA cyber submission | 6 to 8 weeks
Single-deliverable | One artifact (pen test, threat model, SBOM) | 2 to 6 weeks
Deficiency surge | Active FDA cybersecurity AI (Additional Information) letter | 48 hr to 30 days
Postmarket retainer | Cleared device, ongoing obligations | Continuous
    06
    Lifecycle

    Where you fit in

    01

    Concept & Design

    02

    Premarket Submission

    03

    FDA Submission

    04

    FDA Response

    05

    Postmarket

    The cost of waiting

    Relative cost to remediate · by lifecycle stage

    The later a cybersecurity gap surfaces, the more it costs to fix, and the more it threatens your clearance timeline. Engaging at concept is the cheapest insurance you can buy.

Illustrative. Industry studies consistently show a 10–100× increase in remediation cost between the design and postmarket stages.

    Factors that compound the cost

    Schedule slip

    Each FDA deficiency round adds 30 to 90 days of review clock. In-field findings stop shipments.

    Rework cost

    Late-stage fixes touch firmware, architecture, and labeling. Engineering hours scale with how late they land.

    Patient-safety exposure

    A vulnerability that surfaces postmarket can trigger a Safety Communication, recall, or 522 order.

    Resubmission risk

    Deficiency letters that bounce a second time force a new 90-day review cycle and reset the clearance plan.

    Regulatory & legal

    Postmarket incidents pull in MDR reporting, FDA Form 483 observations, and potential plaintiff exposure.

    07
    FDA 524B aligned

    Methodology: 5-phase SPDF

    Mapped 1:1 to FDA Section 524B and the Feb 3, 2026 premarket cybersecurity guidance. Every phase produces evidence the FDA will ask for, in the format reviewers expect.

    01
    Phase 01

    Scope & Threat Model

    Design-input review, asset inventory, STRIDE + patient-safety threat model, and a defensible attack surface map. Output: threat model document and security risk registry.

    02
    Phase 02

    Architecture & Controls

    Security architecture views, control selection (IEC 81001-5-1), data-flow diagrams, and trust-boundary documentation aligned with the risk management file.

    03
    Phase 03

    Verify & Validate

    SBOM generation (CycloneDX/SPDX), VEX statements, static/dynamic analysis, and full penetration testing across hardware, firmware, wireless, mobile, cloud, and AI/ML surfaces.

    04
    Phase 04

    Submit & Defend

    Submission package drafting, eSTAR mapping, reviewer Q&A, and rapid response to any cybersecurity deficiency letter, typically within 48 hours.

    05
    Phase 05

    Sustain (Postmarket)

    CVD program, SBOM/VEX maintenance, KEV monitoring, incident playbooks, and annual reassessment aligned with the FDA's postmarket guidance.

    08
    Receipts

    Proof

    250+

    FDA submissions supported

    0

    Cyber-related submission failures

    48 hr

    Median deficiency response

    100%

    Senior-led, US-based delivery

    Representative case study

    Class II wearable, first 510(k), zero cyber deficiencies.

    A pre-revenue wearable startup engaged us 9 weeks before submission with no formal threat model, an incomplete SBOM, and zero pen test evidence. We delivered the full 524B package: STRIDE plus patient-safety threat model, CycloneDX SBOM with VEX, hardware, firmware, and mobile pen test, architecture views, and labeling. All eSTAR-ready in 7 weeks. The device cleared on first review with zero cybersecurity deficiencies.

    "Their report helped us achieve FDA clearance without any additional questions. It was a truly seamless experience."
Anna Norman, VP of Product, InfoBionic.Ai
    08b
    Stages, panels, podiums

    In the field

    We earn trust the same way we earn submissions, by showing up. Recent moments from MedTech World North America, EU, and partner stages.

MedTech World North America 2026 · Partner of the Year (Christian and Melissa Espinosa accepting the award)
Main stage panel · MedTech World 2026
BGC × CS Lifesciences panel (moderated by Christian Espinosa)
Audience Q&A · MedTech World
Fireside panel · MedTech World
MedTech World gala (Blue Goat Cyber leadership)
With CTO Myles Kellerman
Christian & Melissa Espinosa
    09
    Senior-led delivery

    Leadership

    Every engagement is led by someone on this page. The same people who scope your project are the ones writing your threat model, running your pen test, and defending your submission.

    Christian Espinosa

    Founder & CEO · MBA, CISSP

    U.S. Air Force Academy graduate and veteran, 30+ years in cybersecurity. Founded Alpine Security (acquired by CISO Global, 2020), then Blue Goat Cyber in 2022. Author of the forthcoming Medical Device Cybersecurity (2026). 250+ FDA submissions supported, zero cyber rejections.

    Myles Kellerman

    CTO · Head of Penetration Testing

    Heads Blue Goat's penetration testing practice across hardware, firmware, wireless, mobile, cloud, and AI/ML, plus red-team and physical assessments and product security consulting. 18+ years in IT, 13+ in cybersecurity. Previously Principal Consultant at Cerberus Sentinel; led pen testing at Alpine Security.

    Jordan John

    VP, Regulatory Affairs & Compliance

    Owns the regulatory and compliance lane across FDA premarket and postmarket submissions. Aligns cybersecurity evidence with Section 524B, eSTAR, and the broader regulatory file so every package holds together end-to-end.

    Melissa Espinosa

    VP, Strategic Partnerships

Builds and grows Blue Goat's channel and partner network. A former cardiac step-down nurse, she brings clinical insight to MedTech partnerships with consultants, regulatory experts, and technology vendors.

    Kristy Kennedy

    VP, Sales

    Global commercial leader with 25+ years across life sciences, medical device, and MedTech. Background spans sales, marketing, business development, and operations, including product launches and go-to-market strategy.

    Michelle Hughes

    Director of Project Management

    Drives complex MedTech cybersecurity engagements from kickoff through FDA clearance. Coordinates technical, QA, and regulatory workstreams to keep submissions moving and clients informed at every checkpoint.

    Sarah Beach

    Senior Project Manager

    Owns engagement timelines, deliverables, and FDA interactions end-to-end. Keeps threat models, pen tests, SBOMs, and submission packages on rails so engineering and regulatory teams stay aligned without surprises.

    10
    Five steps, no friction

    How to engage

    01
    30 min

    Discovery call

    Scope your device, indication, and target submission date.

    02
    24 hr

    Proposal

    Fixed-fee proposal with deliverables and timeline, signed before kickoff.

    03
    Week 1

    Kickoff

    Senior team mobilized, design inputs reviewed, threat model started.

    04
    6 to 8 wks

    Delivery

    Submission-ready artifacts produced in the format CDRH reviewers expect.

    05
    Ongoing

    Submit & beyond

    Deficiency response inside the FDA's clock, then postmarket sustain.

    v1.9 · June 2026

    Get the full company overview

    Download the designed PDF to share with stakeholders, procurement, and regulatory teams.

    Learn more

    About Blue Goat Cyber

    Full story, mission, and the team behind the work.

    Founder bio

    Christian Espinosa, USAFA, CISSP, MBA, 30+ years in cyber.

    Services

    Premarket, postmarket, pen testing, SBOM, and more.

    Case studies

    Anonymized outcomes from real FDA submissions.

    Why Blue Goat

    What sets our methodology apart from generalist firms.

    Contact

    Scope an engagement or request a fixed-fee proposal.

    Ready when you are

    Get FDA cleared without the cybersecurity headaches.

    30-minute strategy session. No cost, no commitment - just answers from people who've shipped 250+ FDA submissions.