Section 524B(b)(2) coverage
The pen test must demonstrate the device is 'cyber secure' - meaning every attack surface in the threat model has been exercised by an independent tester, not just a vendor self-attestation.
Scope tied to the threat model
Reviewers expect a one-to-one mapping: every STRIDE threat → at least one test case → a documented result. A pen test that ignores threats in your own model is a near-automatic deficiency.
All connected interfaces in scope
Device firmware, cloud backend + APIs, mobile companion apps, BLE/Wi-Fi/RF, and OTA update channels. Web-app-only testing on a connected medical device will be rejected.
Methodology documented
Reviewers want to see the methodology (e.g. OWASP, PTES, NIST 800-115), tools used, test cases run, and the rationale for what was in/out of scope - not just a list of findings.
Reviewer-format report + evidence
Executive summary, scope, methodology, findings with CVSS, remediation, retest results, and tester credentials - formatted to be dropped straight into the eSTAR cybersecurity attachments.
Independent tester
FDA expects testing performed by qualified personnel independent of the development team. Self-tests by the dev team rarely satisfy reviewers and frequently trigger deficiency letters.