Blue Goat CyberBlue Goat CyberSMMedical Device Cybersecurity
    K
    GoatWatch by Blue Goat CyberSBOM Risk Management for Medical Devices

    Build a submission-ready SBOM. Keep its risk current.Premarket through end of life.

    GoatWatch is Blue Goat's SBOM risk management platform for medical device software, used on both sides of clearance. Premarket, it produces the FDA-aligned SBOM and vulnerability baseline your submission needs. Postmarket, it keeps that SBOM current, watches every component for new vulnerabilities, and tells you which ones actually matter for your device, judged against your architecture and the patient-harm pathway, not a raw severity score.

    250+ FDA submissions supported · 0 cybersecurity rejections · Live and in use today.

    NVD + CISA KEV CorrelationDevice-Context TriageVEX-Ready Evidence
    • Senior engineer owns your account
    • Standalone or bundled with postmarket
    • Fixed-fee per device, no hourly billing
    • SDVOSB, US-based, MedTech-only
    Free Guide · No Email Required

    The MedTech SBOM Compliance Playbook

    What FDA actually expects for SBOMs, vulnerability monitoring, and postmarket cybersecurity, in plain English, with templates you can use this week.

    • Section 524B and the Feb 2026 FDA guidance, decoded
    • Five SBOM artifacts every submission needs
    • Continuous monitoring without the noise
    • A 90-day compliance roadmap

    Aligned to FDA Feb 2026 guidance · v1.1

    MedTech compliance standards we follow

    FDA Section 524BIEC 81001-5-1IEC 62304ISO 14971EU MDR / IVDRAAMI TIR57
    What it does

    What GoatWatch does for you

    Whether you need premarket SBOM creation or postmarket continuous monitoring, GoatWatch covers both - standalone or as part of our full postmarket service.

    SBOM Ingestion & Maintenance

    Import a CycloneDX or SPDX bill of materials, or have us build one. Components are normalized, version-resolved, and maintained against FDA's three-tier support taxonomy: actively maintained, no longer maintained, and abandoned.

    Continuous Vulnerability Correlation

    Every component is matched against the NIST NVD and upstream supplier advisories, so a new disclosure against your dependency tree surfaces without you going looking for it.

    CISA KEV Tracking

    Known Exploited Vulnerabilities are treated as a separate, higher-priority signal because FDA treats them that way. A KEV match on one of your components becomes an explicit action item.

    Device-Context Triage

    Not every vulnerability matters equally. GoatWatch prioritizes by exploitability in your specific architecture and the patient-harm pathway, cutting the noise raw CVE feeds produce.

    VEX & Exportable Evidence

    Vulnerabilities that do not apply are documented as not affected, with a justification. Findings, decisions, and SBOM change history are exportable as evidence for FDA postmarket and audits.

    End-of-Life (EOL) Tracking

    Every component is tracked against its published end-of-life date. Components approaching EOL are flagged early so you can plan a replacement before the vendor stops shipping the product entirely.

    End-of-Support (EOS) Tracking

    EOS dates are monitored per component, because a product that is still installed but no longer receiving security patches is a postmarket cyber risk regardless of whether a CVE exists today.

    Level-of-Support (LOS) Tracking

    Each component is classified against the FDA's three-tier taxonomy: actively maintained, limited support, or unsupported. Level-of-support changes trigger alerts so triage and lifecycle plans stay accurate.

    Why SBOM risk management, why now

    Three forces converging on your device

    SBOM rigor stopped being optional the moment regulators, buyers, and attackers started asking the same question at the same time: what is actually running inside this device?

    SBOM
    Force 1

    FDA enforcement

    Cybersecurity is a Refuse-to-Accept criterion, not a recommendation. The Feb 2026 guidance gave reviewers a sharper checklist and stricter cross-reference rules.

    No SBOM, no submission. Reviewers screen for it before the 180-day clock starts.

    Force 2

    Health-system procurement

    Hospitals increasingly require current SBOMs and MDS2 forms as a condition of purchase, often as RFP-gating items before contracts move forward.

    Buyers now ask for the SBOM alongside the price sheet.

    Force 3

    Threat reality

    Ripple20, Log4Shell, Curl CVE-2023-38545, and the XZ Utils backdoor each touched hundreds of device models. Manufacturers without SBOMs spent weeks just checking exposure.

    When the next CVE lands, an SBOM turns weeks of scrambling into hours of triage.

    What you get

    Everything the FDA expects, in one workspace

    The submission artifacts reviewers look for, a live checklist to score your readiness, and a component inventory view that mirrors what ships in every GoatWatch account.

    What reviewers look for

    Five artifacts every premarket submission needs

    The FDA's Feb 2026 guidance maps each artifact to an eSTAR v7.0 cybersecurity slot. Missing or contradictory ones are the most common cause of AI-letter delays.

    LegendSlot XRequired fieldsCommon gap
    01Slot 5

    Machine-readable SBOM

    CycloneDX 1.5+ / SPDX 2.3+

    Required fields

    Supplier, component, version, PURL/CPE, hash, dependency graph, author, timestamp

    Common gap

    Hand-edited JSON; missing hashes or transitive deps.

    02Slot 5

    Component support status

    Table or appendix

    Required fields

    Level of Support (LOS), End of Support (EOS), End of Life (EOL) per component

    Common gap

    No LOS / EOS / EOL dates for OSS or COTS dependencies.

    03Slot 5 / 6

    Known-vulnerability list + VEX

    VEX (CycloneDX VEX or CSAF)

    Required fields

    CVE ID, CVSS, affected component + version range, VEX status, justification

    Common gap

    Stale CVE lookup; no VEX status at submission.

    04Slot 6

    Safety & security rationale

    Narrative per finding

    Required fields

    Exploitability in device context, patient-harm pathway, residual risk, compensating controls

    Common gap

    Generic 'not exploitable' with no device or harm context.

    05Slot 4

    Update mechanism description

    SPDF + architecture view

    Required fields

    Delivery channel, cadence, authentication, rollback, evidence patches reach fielded devices

    Common gap

    No evidence patches actually reach fielded devices.

    How SBOM risk management works

    Premarket help, postmarket peace of mind.

    FDA expects SBOM rigor before clearance - and continuous vigilance after launch. GoatWatch covers both sides of the lifecycle.

    EOLEnd-of-Life

    Vendor stops selling or producing the component. Existing installs may keep running.

    EOSEnd-of-Support

    Vendor stops issuing security patches or fixes. This is where postmarket risk quietly accumulates.

    LOSLevel-of-Support

    FDA's Feb 2026 three-tier signal: actively maintained, limited, or unsupported. Regulators key on this.

    Premarket

    Submission-Ready SBOMs

    Build a complete, FDA-aligned SBOM before you submit. We help you validate component data, resolve unknowns, and produce a baseline cybersecurity risk assessment that holds up under review.

    • CycloneDX & SPDX validation
    • Known-vulnerability baseline
    • Submission documentation pack
    Postmarket

    Continuous CVE Monitoring

    After clearance, your SBOM keeps working. GoatWatch monitors every component daily, prioritizes exploitable risks, and gives you the evidence trail regulators expect.

    • Daily CVE & KEV matching
    • VEX-ready triage workflow
    • Audit logs for postmarket reporting
    How it works

    From SBOM to evidence in four steps

    Step 1

    Import Your SBOM

    Upload or generate your SBOM - we support CycloneDX, SPDX, and custom formats.

    Step 2

    Analyze & Map Risks

    GoatWatch maps every component to known CVEs, vendor advisories, and end-of-life status.

    Step 3

    Monitor Continuously

    Post-launch, receive prioritized alerts when new vulnerabilities affect your device.

    Step 4

    Export Evidence

    Generate audit-ready reports for FDA postmarket submissions and compliance reviews.

    90-day roadmap

    From zero to defensible compliance in 90 days

    The sequence we use with clients starting from a blank slate on a single device line.

    LegendDays X–YPhase iconDeliverable
    1. Days 0–15

      Phase 1 · Discover

      Inventory build systems, identify third-party components and firmware blobs, choose SBOM format (CycloneDX 1.5+ preferred).

      Deliverable · Signed inventory of build systems, chosen SBOM format decision memo.

      Days 0–15

      Phase 1 · Discover

      Inventory build systems, identify third-party components and firmware blobs, choose SBOM format (CycloneDX 1.5+ preferred).

      Deliverable · Signed inventory of build systems, chosen SBOM format decision memo.

    2. Days 15–35

      Phase 2 · Generate

      Integrate SBOM generation into CI/CD. Validate completeness against build artifacts. Produce the first VEX baseline.

      Deliverable · Reproducible SBOM emitted per build + first VEX baseline (CycloneDX VEX or CSAF).

      Days 15–35

      Phase 2 · Generate

      Integrate SBOM generation into CI/CD. Validate completeness against build artifacts. Produce the first VEX baseline.

      Deliverable · Reproducible SBOM emitted per build + first VEX baseline (CycloneDX VEX or CSAF).

    3. Days 35–60

      Phase 3 · Monitor

      Stand up daily CVE ingestion against the SBOM. Define triage criteria, severity thresholds, and named owners.

      Deliverable · Daily CVE feed wired to the SBOM, written triage SOP with named owners.

      Days 35–60

      Phase 3 · Monitor

      Stand up daily CVE ingestion against the SBOM. Define triage criteria, severity thresholds, and named owners.

      Deliverable · Daily CVE feed wired to the SBOM, written triage SOP with named owners.

    4. Days 60–80

      Phase 4 · Evidence

      Implement versioning and retention. Document the process in a Cybersecurity Management Plan (eSTAR v7.0 Slot 8).

      Deliverable · Versioned SBOM archive + Cybersecurity Management Plan document (eSTAR v7.0 Slot 8).

      Days 60–80

      Phase 4 · Evidence

      Implement versioning and retention. Document the process in a Cybersecurity Management Plan (eSTAR v7.0 Slot 8).

      Deliverable · Versioned SBOM archive + Cybersecurity Management Plan document (eSTAR v7.0 Slot 8).

    5. Days 80–90

      Phase 5 · Operate

      Run a tabletop exercise on a simulated CVE. Refine the playbook. You are now defensibly compliant.

      Deliverable · Completed tabletop exercise report + refined incident-response playbook.

      Days 80–90

      Phase 5 · Operate

      Run a tabletop exercise on a simulated CVE. Refine the playbook. You are now defensibly compliant.

      Deliverable · Completed tabletop exercise report + refined incident-response playbook.

    Why GoatWatch

    GoatWatch vs generic SBOM scanners & DIY tracking

    A side-by-side look at what you actually get with med-device-specific SBOM risk management.

    Capability
    GoatWatch★ Recommended
    Generic Scanner / DIY(industry average)
    1
    SBOM Coverage
    How completely your software supply chain is mapped.
    SPDX & CycloneDX Ingestion
    SBOM Generation if You Don't Have One
    Most scanners assume you already have a clean SBOM
    Component Normalization & Version Resolution
    Raw SBOMs are noisy. We clean them before monitoring.
    Firmware & Embedded Component Tracking
    DIY trackers and IT-focused scanners miss firmware components
    2
    Vulnerability Triage
    Turning raw CVE noise into decisions your team can act on.
    Continuous CVE & Advisory Monitoring
    Device-Context Impact Triage
    We factor in network exposure, exploitability, and clinical risk - not just CVSS
    Patient-Safety Linked (ISO 14971)
    Cyber risk tied to patient harm, not just data confidentiality
    End-of-Life (EOL) Tracking
    Per-component EOL dates surfaced before they become a postmarket risk
    End-of-Support (EOS) Tracking
    Alerts when vendors stop shipping security patches, even if EOL is years away
    Level-of-Support (LOS) Tracking
    FDA three-tier taxonomy: actively maintained, limited support, unsupported
    Vendor Advisory Ingestion
    Expert-Led Triage (Not Just a Dashboard)
    A senior med-device cyber expert reviews findings with you
    3
    Regulatory & Audit Readiness
    What FDA reviewers and notified bodies actually expect.
    FDA Postmarket Cyber Guidance Aligned
    Section 524B, RTA-ready evidence
    IEC 62304 / IEC 81001-5-1 Mapping
    EU MDR Postmarket Surveillance Support
    Audit-Ready Vulnerability Timelines
    Triage decisions, remediation actions, SBOM change history
    Exportable Evidence Packs
    4
    Service & Terms
    How we work - built for med-device teams, not enterprise IT.
    Senior MedTech Cyber Expert Leads
    Senior MedTech expert owns your account, not a generic SOC tier-1
    Fixed-Fee Pricing per Device
    No hourly billing, no scope creep
    Onboarding in 1-2 Weeks
    Enterprise SBOM platforms typically take months
    SDVOSB Certified Vendor
    Federally certified, advantageous for federal MedTech contracts
    Standalone or Bundled with Postmarket Service
    1
    SBOM Coverage
    How completely your software supply chain is mapped.
    SPDX & CycloneDX Ingestion
    GoatWatch
    Generic / DIY
    SBOM Generation if You Don't Have One
    Most scanners assume you already have a clean SBOM
    GoatWatch
    Generic / DIY
    Component Normalization & Version Resolution
    Raw SBOMs are noisy. We clean them before monitoring.
    GoatWatch
    Generic / DIY
    Firmware & Embedded Component Tracking
    DIY trackers and IT-focused scanners miss firmware components
    GoatWatch
    Generic / DIY
    2
    Vulnerability Triage
    Turning raw CVE noise into decisions your team can act on.
    Continuous CVE & Advisory Monitoring
    GoatWatch
    Generic / DIY
    Device-Context Impact Triage
    We factor in network exposure, exploitability, and clinical risk - not just CVSS
    GoatWatch
    Generic / DIY
    Patient-Safety Linked (ISO 14971)
    Cyber risk tied to patient harm, not just data confidentiality
    GoatWatch
    Generic / DIY
    End-of-Life (EOL) Tracking
    Per-component EOL dates surfaced before they become a postmarket risk
    GoatWatch
    Generic / DIY
    End-of-Support (EOS) Tracking
    Alerts when vendors stop shipping security patches, even if EOL is years away
    GoatWatch
    Generic / DIY
    Level-of-Support (LOS) Tracking
    FDA three-tier taxonomy: actively maintained, limited support, unsupported
    GoatWatch
    Generic / DIY
    Vendor Advisory Ingestion
    GoatWatch
    Generic / DIY
    Expert-Led Triage (Not Just a Dashboard)
    A senior med-device cyber expert reviews findings with you
    GoatWatch
    Generic / DIY
    3
    Regulatory & Audit Readiness
    What FDA reviewers and notified bodies actually expect.
    FDA Postmarket Cyber Guidance Aligned
    Section 524B, RTA-ready evidence
    GoatWatch
    Generic / DIY
    IEC 62304 / IEC 81001-5-1 Mapping
    GoatWatch
    Generic / DIY
    EU MDR Postmarket Surveillance Support
    GoatWatch
    Generic / DIY
    Audit-Ready Vulnerability Timelines
    Triage decisions, remediation actions, SBOM change history
    GoatWatch
    Generic / DIY
    Exportable Evidence Packs
    GoatWatch
    Generic / DIY
    4
    Service & Terms
    How we work - built for med-device teams, not enterprise IT.
    Senior MedTech Cyber Expert Leads
    Senior MedTech expert owns your account, not a generic SOC tier-1
    GoatWatch
    Generic / DIY
    Fixed-Fee Pricing per Device
    No hourly billing, no scope creep
    GoatWatch
    Generic / DIY
    Onboarding in 1-2 Weeks
    Enterprise SBOM platforms typically take months
    GoatWatch
    Generic / DIY
    SDVOSB Certified Vendor
    Federally certified, advantageous for federal MedTech contracts
    GoatWatch
    Generic / DIY
    Standalone or Bundled with Postmarket Service
    GoatWatch
    Generic / DIY
    Why teams switch to GoatWatch

    The postmarket workload, minus the postmarket panic.

    What SBOM ownership looks like when the monitoring, triage, and evidence layer is doing the work for you.

    Daily
    CVE + KEV re-triage

    Every component re-checked every day against NVD, CISA KEV, and vendor advisories. No quarterly gaps.

    Hours
    not weeks, to a VEX-ready log

    Triage that used to take a security engineer weeks of spreadsheet work is ready the same shift.

    One
    audit-ready evidence pack

    Postmarket reporting artifacts assembled continuously. Pull the pack when the FDA, an auditor, or a customer asks.

    Zero
    silent EOS surprises

    LOS, EOS, and EOL changes flag the day the vendor publishes them, not the day a reviewer spots them.

    Onboarding

    From first call to continuous monitoring in 2 weeks

    Most SBOM platforms put you in a multi-month onboarding queue. We start this week.

    01

    Discovery Call

    30 minutes

    Talk directly with a senior medical device cyber expert. We learn your device, SBOM status, and postmarket risk profile - no sales reps.

    02

    SBOM Onboarding

    Week 1

    We ingest your existing SBOM (SPDX/CycloneDX) or generate one. Components are normalized, version-resolved, and mapped to your device context.

    03

    Continuous Monitoring Live

    Week 2

    GoatWatch goes live, tracking CVEs, vendor advisories, and EOL/EOS/LOS notices. Triage rules tuned to your risk profile, alerts routed to your team.

    04

    Audit-Ready Evidence

    Ongoing

    Vulnerability timelines, triage decisions, remediation actions, and SBOM change history - exportable for FDA, notified bodies, and internal QMS.

    Customer voice

    Trusted by MedTech security teams

    "GoatWatch gave us visibility into our SBOM risks that we simply didn't have before. When the FDA asked about our postmarket surveillance process, we had audit-ready evidence on day one."

    VP of Regulatory Affairs

    Class III Medical Device Manufacturer

    "We used to track CVEs in spreadsheets, and it was a nightmare. GoatWatch's device-context triage means we focus on real threats, not noise. It has been a game-changer for our team."

    Director of Product Security

    Connected Health Platform

    "Blue Goat handled our premarket SBOM analysis and transitioned us seamlessly into GoatWatch for postmarket monitoring. The continuity from submission to surveillance is exactly what we needed."

    Head of Quality & Compliance

    Surgical Robotics Company

    FAQ

    GoatWatch questions

    More from Blue Goat Cyber

    Need more than monitoring?

    GoatWatch is one piece of our full medical device cybersecurity offering.

    Ready to monitor your SBOM

    Already have an SBOM? Let's monitor it.

    30 minutes with a senior medical device cybersecurity expert. We'll review your SBOM, scope ongoing monitoring, and send a fixed-fee quote in 24 hours.