How the Goat Feed is built
The Goat Feed is the MedTech cybersecurity feed of record. Every item links to a primary source. Every Notable or Critical item carries a short analyst note from Blue Goat Cyber Research. When we get something wrong, we log the correction publicly. This page documents exactly how that works.
Sources → category mapping
Every row in the feed traces back to one of these primary sources. Each card shows the ingest cadence, the scope we keep, which feed categories the source can populate, and how severity is decided.
-
CISA KEV (Known Exploited Vulnerabilities)Daily JSON pull
Scope - Entries whose vendor/product/CVE text matches our MedTech vendor list or device-relevant software stack (operating systems, runtimes, comms libraries, common OT components).
Severity - Always Critical - active in-the-wild exploitation by definition.
-
CISA ICS Medical Advisories (ICS-MA)RSS, ingested on publish
Scope - Every ICS-MA advisory; no filtering. These are inherently device-relevant.
Severity - Notable by default. Upgraded to Critical when paired with a KEV add or active exploitation.
-
FDA Medical Device Safety CommunicationsFirecrawl scrape, multiple times per day
Scope - All safety communications; cyber-flagged items elevated.
Feeds intoFDASeverity - Critical when the communication is cyber-flagged. Notable for material device safety issues with a cyber angle. Info otherwise.
-
openFDA Device RecallsDaily JSON pull, last 30 days by event_date_posted
Scope - All device recall events; classification used to derive severity.
Severity - Class I → Critical. Class II → Notable. Class III → Info. Recalls referencing firmware/software defects are tagged Software Quality.
-
openFDA 510(k) ClearancesDaily JSON pull
Scope - Filtered to connected, software, AI/ML, or device categories with a known cyber surface (no purely mechanical clearances).
Severity - Info by default. Tagged 524B when the clearance falls under Section 524B cyber device scope (signal for future postmarket monitoring).
-
openFDA MAUDE (adverse events)Daily JSON pull
Scope - Adverse event reports with cyber-related keywords (unauthorized access, malware, ransomware, network outage, integrity failure, etc.) in narrative text.
Severity - Notable when the report describes a confirmed cyber signal. Info for ambiguous software-quality reports flagged for review.
-
MHRA Drug & Device Alerts (UK)RSS, ingested on publish
Scope - Field Safety Notices and National Patient Safety Alerts for medical devices.
Severity - Notable for cyber-relevant FSNs. Info for general device alerts referenced for context.
-
NVD (MedTech-vendor filter)Daily JSON pull
Scope - Newly published CVEs whose CPE strings match our MedTech vendor list.
Severity - Notable when CVSS ≥ 7.0 or EPSS percentile ≥ 90. Info otherwise. Upgraded to Critical on subsequent KEV add.
-
AAMI standards updatesManual review on publication
Scope - New or revised TIR57, TIR97, SW68, SW96, and related MedTech security standards.
Feeds intoGuidanceSeverity - Notable for new or revised standards with binding-by-reference impact. Info for drafts and committee notes.
-
IMDRF documentsManual review on publication
Scope - International Medical Device Regulators Forum publications, including the IMDRF cybersecurity working group.
Feeds intoGuidanceSeverity - Notable for final documents. Info for consultation drafts.
Coverage roadmap: BfArM / ANSM / Swissmedic ingest, FDA 483 inspection findings, and deeper EPSS-driven CVE triage are scheduled additions. The legacy short-form sources list is preserved below for citation.
Citation reference
Direct links to the primary upstream feeds and endpoints we pull from, for citation and independent verification.
- CISA KEV (Known Exploited Vulnerabilities) - daily json pull
- CISA ICS Medical Advisories (ICS-MA) - rss, ingested on publish
- FDA Medical Device Safety Communications - firecrawl scrape, multiple times per day
- openFDA Device Recalls - daily json pull, last 30 days by event_date_posted
- openFDA 510(k) Clearances - daily json pull
- openFDA MAUDE (adverse events) - daily json pull
- MHRA Drug & Device Alerts (UK) - rss, ingested on publish
- NVD (MedTech-vendor filter) - daily json pull
- AAMI standards updates - manual review on publication
- IMDRF documents - manual review on publication
Severity rubric
Every item gets one of three severities at ingest. Severity is recomputed if the underlying signal changes (e.g. a CVE moves to KEV, a recall is upgraded).
- Active in-the-wild exploitation (CISA KEV add, public PoC + attack telemetry).
- Class I recall (reasonable probability of serious adverse health consequences or death).
- FDA Safety Communication flagged as cybersecurity-related.
- Regulatory deadline shift inside 90 days (e.g. 524B enforcement change).
- CISA ICS Medical Advisory affecting a named device or platform.
- Class II recall.
- FDA Warning Letter on device, QSR (21 CFR 820), or cybersecurity grounds.
- Newly disclosed CVE in a MedTech-relevant component (no in-the-wild evidence yet).
- 510(k) clearance for a connected device (signal for future scope).
- Class III recall.
- General FDA medical device news without a cyber angle.
The Blue Goat take
The Blue Goat take is the analyst note that appears under Notable and Critical items. It is the editorial value-add that distinguishes this feed from a raw aggregator.
- Only added to items at severity Notable or Critical. Routine recalls stay clean.
- Drafted by an AI agent on ingest, then reviewed and edited by a Blue Goat Cyber analyst when material.
- Marked Analyst edited when a human has overridden the AI draft.
- Never invents CVE numbers, dates, FDA guidance versions, or vendor names. The model is grounded against the source excerpt and is rejected if it includes banned marketing language or em-dashes.
Corrections policy
Every material edit to a published item is logged with the field changed, the before and after, and the reason. Items with a logged correction show a Corrected badge. If you spot something wrong, tell us and we will correct it and credit you on request.
Contact
Source suggestions, corrections, and tips: research@bluegoatcyber.com.
One short email each week
Notable and critical items from the past seven days, with the Blue Goat take included.