Blue Goat CyberBlue Goat CyberSMMedical Device Cybersecurity
    K
    Guide · Penetration Testing

    Penetration Testing Scope for FDA Submissions: A 510(k) / De Novo / PMA Guide

    How to scope penetration testing for an FDA submission so the report holds up under reviewer scrutiny. Required attack surfaces, evidence depth, and how scope differs by pathway.

    Hero illustration for the article: Penetration Testing Scope for FDA Submissions: A 510(k) / De Novo / PMA Guide
    On this page
    Christian Espinosa, Founder & CEO at Blue Goat Cyber

    By Christian Espinosa, MBA, CISSP

    Founder & CEO · Blue Goat Cyber

    Key Takeaways

    • Reviewers expect **full-attack-surface** coverage: firmware, hardware interfaces, wireless, mobile companion app, APIs, and cloud backend.
    • White-box is the default - reviewers explicitly expect testers to leverage source code, threat models, and architecture documentation.
    • A reviewer-ready engagement always produces a **Letter of Attestation** signed by the engagement lead.
    • Scope depth differs by pathway: 510(k) maps to the predicate; De Novo and PMA require deeper architectural justification; IDE focuses on study-subject safety.

    Pillar Guide · Updated 2026 · 18 min read

    Talk to a MedTech cybersecurity expert

    What "full attack surface" means

    FDA's 2026 final premarket cybersecurity guidance expects the test report to demonstrate coverage of every interface a threat actor could reach. In practice, that means six distinct test domains:

    • Firmware - secure boot, debug interfaces (JTAG/SWD/UART), update integrity, key storage, runtime integrity.
    • Hardware - chip-level attack surface, side channels, fault injection where relevant to threat model.
    • Wireless - BLE, Wi-Fi, cellular, NFC, proprietary RF. Pairing, encryption, GATT permissions, rogue-AP scenarios.
    • Mobile companion app - iOS and Android: storage, transport, IPC, biometric handling, jailbreak/root checks.
    • APIs - REST/GraphQL endpoints: authn, authz, IDOR, mass assignment, rate limiting, BAA-relevant logging.
    • Cloud backend - tenancy isolation, IAM configuration, key management, logging integrity, data export paths.

    White-box vs black-box: why white-box wins for FDA

    The 2026 guidance says reviewers expect testers to leverage source code, threat models, and architecture documentation. That is white-box testing by definition. Black-box testing simulates an external attacker but consistently misses logic flaws in firmware update validation, key management, secure boot, and inter-component trust assumptions - exactly the controls that matter for patient safety. Default to white-box for premarket, reserve black-box for adversary-simulation scenarios after clearance.

    Scope by submission pathway

    510(k)

    Full attack surface, white-box. Test plan should explicitly compare the cybersecurity attack surface to the predicate device, especially where you have added connectivity, mobile, or cloud beyond the predicate's footprint. Reviewers cite 'predicate divergence not addressed' often.

    De Novo

    Full attack surface, white-box, plus an architectural-justification section because there is no predicate. The pen test report should map findings against the security architecture you proposed in the De Novo classification request.

    PMA

    Deepest documentation requirement. Pen test evidence flows into the design history file with full traceability. PMA reviewers frequently coordinate with non-cyber reviewers (risk management, human factors) so the pen test report should be cross-referenced from the security risk assessment and the ISO 14971 risk file.

    IDE

    Scope focuses on whether unresolved cybersecurity risks could expose study subjects to unreasonable risk under 21 CFR §812.42. Pen testing must validate that compensating controls in the clinical environment are sufficient before enrollment.

    The Letter of Attestation

    A signed document from the testing firm stating that testing was conducted in accordance with the FDA premarket cybersecurity guidance, that the full attack surface was covered, and that every finding has been remediated or formally risk-accepted. Reviewers look for it because it confirms the test meets FDA-specific expectations rather than general IT-security best practice. Without one, expect a deficiency.

    What a reviewer-ready report contains

    1. Executive summary with risk-rated findings and Letter of Attestation reference.
    2. Methodology section documenting white-box approach, tools, and standards (NIST SP 800-115, OWASP MASVS, OWASP ASVS, OWASP API Top 10).
    3. Attack surface inventory with coverage notes per interface.
    4. Findings written with severity (CVSS + clinical impact under ISO 14971), reproduction steps, evidence (screenshots, packet captures, code references), remediation, status.
    5. Traceability appendix linking findings back to threat-model entries.
    6. Signed Letter of Attestation.

    Scope mistakes that get cited

    • Mobile app tested but not in source-leveraged white-box mode (jailbreak detection bypassed in 30 minutes during reviewer follow-up).
    • Cloud testing limited to OWASP API Top 10 scan - no tenancy or IAM validation.
    • Wireless tested in protocol stack only, not at the radio layer.
    • Firmware tested via released binary - secure boot and key storage not exercised.
    • No Letter of Attestation - or a Letter that does not enumerate scope.

    Frequently asked questions

    Where to go next

    Suggested reading

    Related guides

    Guide
    FDA Pathway Cybersecurity Differences: 510(k), De Novo, PMA, HDE, IDE, Q-Sub, PDP
    Guide
    eSTAR Cybersecurity Readiness Checklist (510(k) & De Novo)
    Guide
    Full-Service Cybersecurity for PMA Submissions
    Guide
    Penetration Test Refresh Guide
    Related 524B & eSTAR resources

    Keep going: the 524B and eSTAR working set

    Start with the walkthrough hub, then drill into the statute, the eSTAR field map, SBOM monitoring, postmarket planning, and deficiency response. Use these as the playbook behind every cyber device submission.

    Hub
    FDA Section 524B & eSTAR Cybersecurity Walkthrough

    Start here: the hub that ties the statute, the February 2026 guidance, and the eSTAR fields together in the order a submission team works through them.

    Ready when you are

    Get FDA cleared without the cybersecurity headaches.

    30-minute strategy session. No cost, no commitment - just answers from people who've shipped 250+ FDA submissions.