What is a Letter of Attestation and why does FDA expect it?

A Letter of Attestation is a signed document from the penetration testing firm stating that testing was conducted in accordance with FDA's premarket cybersecurity guidance, that the full attack surface was covered (firmware, hardware interfaces, wireless, mobile, APIs, cloud), and that every finding has been remediated or formally risk-accepted. FDA reviewers look for it because it confirms the test meets their specific expectations rather than general IT-security best practice. The Letter is signed by the senior engineer who led the engagement, references the device, the test plan, and the report, and is included in every Blue Goat engagement at no additional cost.

Can the pen test be scoped to a specific attack surface - firmware only, for example?

Yes - but with an important tradeoff. A scoped engagement (firmware-only, BLE-only, cloud-only) is appropriate for targeted risk assessment, postmarket vulnerability validation, or filling a specific deficiency from a prior submission. It will not satisfy FDA's premarket requirement for full-attack-surface testing, which expects the report to demonstrate coverage across every interface a threat actor could reach. We will scope to whatever you need and clearly mark in the Letter of Attestation which interfaces were in scope, so you know exactly what the report supports for regulatory purposes.

How is medical device pen testing different from a standard IT penetration test?

Three core differences. First, availability constraints: a deployed medical device often cannot be taken offline mid-test, so testing is paced and coordinated to avoid clinical disruption. Second, patient safety: every exploit attempt is evaluated against ISO 14971 patient-harm impact, not just CIA triad confidentiality/integrity/availability. Third, deliverable format: FDA reviewers expect a structured report with a Letter of Attestation, traceability to the threat model, and evidence linked to Section 524B requirements - a generic IT pen test report rebadged for a device will be rejected. Healthcare and clinical-environment testing follows the same constraints.

What if critical findings come up during testing?

Findings are triaged in real time, not held until the end. High and critical severity items are flagged to your engineering lead within one business day with reproduction steps, suggested remediation, and a recommended fix timeline. We then agree the remediation plan with you before the report is finalised, retest the fix at no additional cost, and only issue the Letter of Attestation once every high or critical finding is either resolved or formally risk-accepted with a documented justification. This avoids the common scenario where a clean-looking report hides unresolved critical issues.

Why do you recommend white-box testing for medical devices?

FDA's premarket cybersecurity guidance explicitly states reviewers expect testers to leverage source code, threat models, and architecture documentation - that is white-box testing by definition. Black-box testing simulates an external attacker but consistently misses logic flaws in firmware update validation, key management, secure boot, and inter-component trust assumptions. White-box reaches the controls that actually matter for patient safety and produces evidence reviewers can trace back to specific design decisions. We default to white-box for premarket and reserve black-box for adversary-simulation scenarios after a device is already cleared.

How long does a typical medical device penetration test take?

Most engagements run 3 to 5 weeks end to end. The first week is scoping, threat-model review, and test environment setup. Weeks two and three are active testing across firmware, hardware interfaces, wireless (BLE/Wi-Fi/cellular), mobile companion app, APIs, and cloud backend. Week four is remediation coordination and retesting of fixes. Week five is final report production, Letter of Attestation, and debrief. Larger systems with cloud + mobile + multi-modality wireless can run 6 to 8 weeks. Fixed-fee scope and timeline are confirmed within 24 hours of the discovery call.

What does a pen test cost for a typical Class II connected device?

Pricing is fixed-fee and depends on the attack surface in scope. A device-only firmware and BLE engagement typically lands in the low-five-figures. A full-coverage engagement spanning firmware, hardware, BLE/Wi-Fi, mobile companion app, REST APIs, and cloud backend typically runs mid-five-figures. Larger ecosystems (multi-device platforms, AI/ML inference services, complex cloud architectures) move higher. The fixed fee includes the Letter of Attestation, retesting of high/critical fixes, and an FDA-formatted report - no separate retest invoices, no surprise add-ons.

What's included in the final pen test report?

An executive summary with risk-rated findings, a methodology section documenting the white-box approach and tools used, a complete attack surface inventory with coverage notes per interface, every finding written with severity (CVSS + clinical impact under ISO 14971), reproduction steps, evidence (screenshots, packet captures, code references), recommended remediation, and remediation status (fixed/risk-accepted). The report ends with the signed Letter of Attestation. The whole package is formatted for FDA reviewer consumption - no rewriting required when your regulatory team drops it into the eSTAR submission.

Do you re-test after we fix the findings, and is that included?

Yes - retesting of every high and critical finding is included in the fixed fee, with no per-retest invoices. Once your engineering team ships fixes, we retest each item against the original exploit, document the outcome (resolved, partially resolved, or risk-accepted), and update the finding's status in the report. The Letter of Attestation is only issued after every high or critical item is resolved or formally risk-accepted with a documented justification. Medium and low findings are also retested when fixes are delivered before report finalisation.

Can you test a device that's already deployed in clinical environments?

Yes, with a structured approach. Postmarket pen testing of deployed devices runs against a representative non-clinical unit (a lab or engineering sample) wherever possible to avoid any patient-safety risk. When clinical-environment testing is genuinely required - typically for cloud and network-facing components - we coordinate windows with your operations team, scope tests narrowly, and use only non-disruptive techniques. Healthcare penetration testing in clinical environments follows the same availability and patient-safety constraints as bench testing, just with tighter operational coordination.

How do you handle wireless protocol testing - BLE, Wi-Fi, cellular, NFC?

We test the actual radio interface, not just the protocol stack on paper. BLE testing covers pairing modes, GATT service enumeration, characteristic permission abuse, and known-vulnerability checks against the chipset firmware. Wi-Fi covers WPA2/WPA3 configuration, certificate handling, and rogue-AP scenarios. Cellular (LTE/NB-IoT) covers SIM provisioning, baseband attack surface, and carrier-network assumptions. NFC covers tag spoofing and relay attacks where the device uses NFC as a trust anchor. Each protocol gets a dedicated section in the report with reproduction evidence.

Will the pen test report satisfy EU MDR notified body expectations as well as FDA?

Yes. The report is structured for FDA premarket review (Section 524B alignment, Letter of Attestation, threat-model traceability) but the same evidence satisfies EU MDR Annex I cybersecurity requirements, IEC 81001-5-1 verification expectations, and IEC 62443-4-1 secure development lifecycle testing requirements. Notified bodies focus more on the secure development process evidence and lifecycle integration than FDA does, so we include a process-evidence appendix that covers their additional questions. One pen test, one report, multi-region acceptance.

FDA-Compliant Penetration Testing

Medical Device Penetration Testing - White-Box, FDA-Ready Reports & Letter of Attestation.

Struggling to meet the FDA's cybersecurity testing requirements? We identify vulnerabilities and deliver FDA-ready reports - fast, accurate, and aligned with current guidance. We recommend white-box testing for medical devices, and so does the FDA.

250+ Devices Secured. Zero FDA Rejections.

White-box recommended
Hardware + firmware
Companion app & cloud
FDA-ready reports
Re-test included

Book a free pen testing strategy call

Free 30-min call
No obligation
Expert-led from minute one
Fixed-fee quote in 24 hours
NDA available on request

Trusted by leading MedTech companies

Reviewed by Trevor Slattery · COO

Last reviewed May 2026

Why Most Pen Testing Fails Medical Devices

Generic penetration testing firms lack the understanding of unique device architecture, patient risks, and regulatory demands. Their reports may be thorough, but not FDA-compliant - and they almost always default to black-box only.

Black-box-only testing

The FDA expects testers to leverage source code, threat models, and architecture (white-box). Black-box-only engagements miss the deep flaws reviewers ask about - and lead to deficiencies.

Incomplete Testing

Generic vendors miss firmware, wireless, and embedded paths unique to medical devices.

Wrong Reporting Format

Reports without FDA-aligned structure, traceability, and evidence get rejected by reviewers.

Test depth

White-box vs gray-box vs black-box

For medical devices, both Blue Goat and the FDA recommend white-box testing. Reviewers expect testers to leverage source, firmware, and threat models - black-box alone routinely leads to deficiencies.

Capability	Black-box	Gray-box	White-box
Source code access
Firmware / binaries
Threat model & architecture
Authenticated test paths
Deep logic + business-flow flaws
Aligned with FDA expectations
Scope coverage per test-day

Yes Partial No

References

Why the FDA and AAMI point to white-box

Premarket guidance and consensus standards both expect testers to leverage source code, design artifacts, and threat models, not just an external view of the device.

FDA Premarket Cybersecurity Guidance (Feb 3, 2026 final)
Calls for security testing that demonstrates device resilience using design documentation, threat models, and source-level analysis, not black-box probing alone.
FD&C Act Section 524B (Cyber Devices)
Requires sponsors to provide reasonable assurance that the device and related systems are cybersecure - which reviewers read as evidence-backed, white-box-informed testing.
AAMI TIR57: Principles for Medical Device Security - Risk Management
Frames security testing as an output of threat modeling and architecture analysis. That is white-box by definition.
AAMI TIR97: Principles for Medical Device Security - Postmarket Risk Management
Postmarket monitoring and vulnerability handling assume testers have access to internals - the same access white-box pen testing uses premarket.

What's included

Reviewer-ready deliverables in one engagement

Every medical device penetration testing engagement ships with the artifacts FDA reviewers expect to see - traceable, complete, and aligned with current guidance.

Device, firmware, and embedded testing
Companion app and cloud API coverage
FDA-ready penetration test reports
Remediation guidance and re-test included

Why teams choose us

250+ FDA submissions, zero rejections
Fixed-fee pricing - no surprises
Clearance guarantee included
Aligned to FDA Feb 2026 guidance
Senior expert on every call
US-based team
Letter of Attestation included in every engagement - formatted for FDA premarket review, not a generic IT security report
Manual testing across hardware, firmware, BLE/RF, mobile, APIs, and cloud - every attack surface FDA expects to see tested

Get a fixed-fee quote

Free 30-min call · No obligation

Reference

Relevant standards

Standards this service maps to

Every medical device penetration testing engagement produces evidence aligned to the regulatory and consensus standards FDA reviewers and notified bodies expect to see - traceable, complete, and ready to drop into your ISO 13485 quality system.

Featured site-wide

FDA 2026 Guidance Featured

FDA Premarket Cybersecurity Guidance (Feb 3, 2026)

Defines the SPDF, Section 524B submission package, threat modeling, SBOM, security architecture views, and cybersecurity testing every cyber device submission must include.

ANSI/AAMI SW96 Featured

Medical Device Security Risk Management

The consensus standard for medical device security risk management - asset, threat, vulnerability, likelihood, severity, and residual risk acceptability.

ISO 14971 Featured

Medical Device Risk Management

Foundational risk management standard. Cybersecurity risk is tied directly to patient-safety risk in the 14971 file.

IEC 62443-4-1

Secure Product Development Lifecycle

Industrial-strength secure-development-lifecycle requirements applied to connected medical devices.

NIST SP 800-115

Technical Guide to Information Security Testing

Reference methodology for planning, executing, and reporting security testing.

Our recommended approach

Why we lead with white-box for FDA submissions

White-box is our default for premarket cyber devices - it's the only depth that gives FDA reviewers full coverage evidence. Gray-box adds credentialed ecosystem testing where it matters. Black-box is reserved for specific post-market or adversary-simulation scenarios.

Recommended

White-box pen testing

Full source, firmware, and architecture access. The only depth that gives FDA reviewers full coverage evidence for cyber devices.

Learn more

Gray-box pen testing

Partial credentials and architecture insight. A credentialed ecosystem add-on alongside white-box.

Learn more

Black-box pen testing

Zero prior knowledge. Reserved for adversary-simulation drills and specific post-market scenarios - not sufficient on its own for FDA.

Learn more

Our 7-phase methodology

Aligned to FDA Feb 2026 guidance, §524B, AAMI TIR57, ANSI/AAMI SW96, with CVSS v4.0 scoring.

Learn more

Devices Secured

FDA Rejections

Success Rate

0+ yrs

MedTech Cyber

Unique deliverable

The Letter of Attestation FDA reviewers expect

Most pen test firms ship a report. FDA reviewers are trained to look for something more specific - a signed Letter of Attestation in the format the premarket guidance describes. It's included in every Blue Goat engagement, no additional request required.

What it is

A signed regulatory artifact

A signed document from the pen testing firm attesting that testing was conducted in accordance with FDA's premarket cybersecurity guidance, that the full attack surface was covered (firmware, hardware interfaces, wireless, mobile, APIs, cloud), and that every finding has been remediated or formally risk-accepted.

Why FDA expects it

Reviewer-trained format

FDA's premarket cybersecurity guidance specifies that pen testing results should be documented in a format reviewers can audit. The Letter of Attestation is the standard format for that documentation - without it, the report often triggers a deficiency asking for one.

Why most reports don't include one

Generic IT firms ≠ MedTech

Generic IT security firms produce reports in their own format, not the format FDA reviewers are trained to evaluate. A Letter of Attestation in the correct format is included in every Blue Goat engagement - signed by the senior engineer who led the test, with no additional request required.

How we stack up

Blue Goat Cyber vs. typical pen test vendors

A transparent, side-by-side look at what you actually get - no vague promises.

Capability

Blue Goat Cyber

Typical Vendor

Technical Capabilities

12+ Years Exclusively Testing Medical Devices

Included

Not offered

Medical Protocol Testing (DICOM, HL7/FHIR, BLE Medical)

Included

Not offered

Hardware/Firmware Analysis & Protocol Fuzzing

Included

Not offered

Full Ecosystem (Device + Cloud + Mobile App)

Included

Partial

FDA Submission Support

FDA 2026 Premarket Cybersecurity Guidance Aligned

Included

Partial

eSTAR-Ready FDA Submission Documentation

Included

Partial

Dedicated FDA Deficiency Letter Response

Included

Not offered

Business Terms

Guaranteed FDA Cybersecurity Clearance

Included

Not offered

Fixed-Fee Pricing with Unlimited Retests

Included

Not offered

Senior Expert Assigned (No Junior Handoff)

Included

Partial

Schedule Discovery Session

How we cleared real submissions

Anonymized engagements, from kickoff to FDA clearance

Class II · 510(k)

Wearable Cardiac Monitor

The Problem

Pre-submission penetration test required, with a tight 6-week window before FDA filing. Prior vendor returned a generic scan report that wouldn't satisfy 2026 guidance.

Our Testing

Firmware extraction and binary analysis
BLE pairing and protocol fuzzing
Mobile companion app reverse engineering
Cloud telemetry API authentication review

FDA Outcome

11 findings surfaced, 2 critical pre-filing
FDA-ready report delivered in 4 weeks
510(k) cleared on first review, no cyber deficiencies

Class III · PMA

Implantable Neurostimulator Platform

The Problem

Complex multi-component system (implant, programmer, clinician portal) with PMA filing under FDA 2026 guidance. Needed full SBOM, threat model, and pen test evidence.

Our Testing

Hardware-level analysis of implant and programmer
Proprietary RF protocol security review
End-to-end threat modeling against eSTAR template
Cloud and clinician portal application testing

FDA Outcome

23 findings across 4 components, all remediated pre-filing
SBOM and cybersecurity documentation accepted as filed
PMA reviewed without a single cybersecurity deficiency letter

Real findings

Vulnerabilities we've caught - before the FDA did

A sample of the kinds of issues we surface during medical device penetration tests. Devices and identifiers are redacted.

CriticalWearable cardiac monitor

Hardcoded credentials in BLE pairing

Allowed any nearby attacker to pair and exfiltrate ECG telemetry without user consent.

CriticalClass II infusion pump

Unauthenticated firmware update endpoint

Remote attacker on hospital network could push unsigned firmware, altering dosing logic.

HighContinuous glucose monitor

Plaintext PHI in mobile companion app cache

Patient identifiers and readings recoverable from a lost or stolen phone with no jailbreak.

HighRemote patient monitoring platform

Predictable session tokens on cloud API

Session prediction allowed cross-tenant access to clinician dashboards.

MediumSurgical robotics controller

Debug interface enabled in production firmware

JTAG/UART left open allowed local code extraction and reverse engineering.

MediumConnected diagnostic imaging device

Outdated TLS configuration on telemetry channel

TLS 1.0 fallback exposed device-to-cloud channel to downgrade attacks.

Want the full playbook? Read 12 Critical Findings

Devices we've helped secure

Over 200 FDA and global premarket clearances - from startups to global leaders

Robotic Surgical SystemsIoT-Enabled DiagnosticsImplantable DevicesWearable Health TechComplex IVD SystemsAI-Enabled SaMD

Cost of an FDA cyber deficiency

What does a rejection actually cost?

Plug in your monthly burn, expected launch revenue, and delay window. Most manufacturers see $1M+ exposure on a single cyber hold. Most engagements are a small fraction of that.

3-9 mo

Typical hold

$1M+

Exposure

24h

Quote turnaround

Run the calculator

2-minute readiness quiz

Get a tailored testing recommendation

Answer a few quick questions about your device classification, connectivity, and FDA path. We'll suggest the right testing track and surface the fastest wins for your submission.

Class I, Class II (510(k)/De Novo), or Class III (PMA)
Mapped to FDA 2026 premarket guidance
Surfaces the 3 fastest wins for your submission

Take the 2-min quiz

Offensive security credentials

The certifications that actually break into devices

Our team holds the offensive security certifications real attackers respect, backed by hands-on U.S. government red team and military cyber operations experience.

CISSP

Certified Information Systems Security Professional

CSSLP

Certified Secure Software Lifecycle Professional

OSWE

Offensive Security Web Expert

CRTE

Certified Red Team Expert

CRTL

Certified Red Team Lead

CARTP

Certified Azure Red Team Professional

CBBH

Certified Bug Bounty Hunter

U.S. Government Red Team Experience Military Cyber Operations Manual Business Logic Testing

Industry recognition

Award-winning. Globally recognized.

Our work has been honored by the leading voices in medical device cybersecurity.

2026

Medical Device Cybersecurity Solution of the Year

Medical Tech Outlook

Cover story profiling Blue Goat Cyber as a top industry leader

2025

MedTech Service Provider Excellence Award of the Year

MedTech World Malta 2025

Sponsored by the Malta Medicines Authority

2025

Medical Device Cybersecurity Services Company of the Year

Healthcare Business Review

Recognized for 250+ cleared FDA submissions and end-to-end medical device cybersecurity from premarket through postmarket

MedTech segments

Medical Device Penetration Testing for these segments

See how this service applies to your specific MedTech segment.

Neurotechnology & Brain-Computer Interfaces Cardiovascular Devices Diabetes & Continuous Glucose Monitoring Surgical Robotics Wearables & Remote Patient Monitoring Ophthalmic Devices Hearing Devices Orthopedic & Implantable Devices

Medical Device Penetration Testing library

Resources on this topic

Curated reading for teams working on medical device penetration testing — grouped by format so you can jump to what you need.

Guides

Articles

Medical Device Penetration Testing Cost: Pricing Guide

FAQ

Medical device penetration testing FAQs

In their words

Backed by MedTech leaders.

"Blue Goat Cyber's depth of expertise was impressive. We had no in-house cybersecurity experience, and their team guided us through every step of the FDA process. The penetration testing and SBOM testing were thorough and gave us complete confidence."

Hank Tucker

CEO · MedTech Manufacturer

Ready to start Medical Device Penetration Testing?

Medical Device Penetration Testing - scoped, fixed-fee, FDA-ready.

Book a free pen testing strategy call See all services

Medical Device Penetration Testing - White-Box, FDA-Ready Reports & Letter of Attestation.

Why Most Pen Testing Fails Medical Devices

Black-box-only testing

Incomplete Testing

Wrong Reporting Format

White-box vs gray-box vs black-box

Why the FDA and AAMI point to white-box

Reviewer-ready deliverables in one engagement

Standards this service maps to

FDA Premarket Cybersecurity Guidance (Feb 3, 2026)

Medical Device Security Risk Management

Medical Device Risk Management

Secure Product Development Lifecycle

Technical Guide to Information Security Testing

Why we lead with white-box for FDA submissions

White-box pen testing

Gray-box pen testing

Black-box pen testing

Our 7-phase methodology

The Letter of Attestation FDA reviewers expect

A signed regulatory artifact

Reviewer-trained format

Generic IT firms ≠ MedTech

Blue Goat Cyber vs. typical pen test vendors

Anonymized engagements, from kickoff to FDA clearance

Wearable Cardiac Monitor

Implantable Neurostimulator Platform

Vulnerabilities we've caught - before the FDA did

Hardcoded credentials in BLE pairing

Unauthenticated firmware update endpoint

Plaintext PHI in mobile companion app cache

Predictable session tokens on cloud API

Debug interface enabled in production firmware

Outdated TLS configuration on telemetry channel

Over 200 FDA and global premarket clearances - from startups to global leaders

What does a rejection actually cost?

Get a tailored testing recommendation

The certifications that actually break into devices

Award-winning. Globally recognized.

Medical Device Cybersecurity Solution of the Year

MedTech Service Provider Excellence Award of the Year

Medical Device Cybersecurity Services Company of the Year

Related services mapped to the same standards

Pen Testing Methodology

Penetration Testing Services

White Box Penetration Testing

Medical Device Penetration Testing for these segments

Resources on this topic

Guides

Articles

Medical device penetration testing FAQs

What is a Letter of Attestation and why does FDA expect it?

Can the pen test be scoped to a specific attack surface - firmware only, for example?

How is medical device pen testing different from a standard IT penetration test?

What if critical findings come up during testing?

Why do you recommend white-box testing for medical devices?

How long does a typical medical device penetration test take?

What does a pen test cost for a typical Class II connected device?

What's included in the final pen test report?

Do you re-test after we fix the findings, and is that included?

Can you test a device that's already deployed in clinical environments?

How do you handle wireless protocol testing - BLE, Wi-Fi, cellular, NFC?

Will the pen test report satisfy EU MDR notified body expectations as well as FDA?

Backed by MedTech leaders.

Medical Device Penetration Testing - scoped, fixed-fee, FDA-ready.