510(k), De Novo, PMA, HDE, Breakthrough, Pre-Sub - each pathway has a different timeline, a different bar, and a different cybersecurity package. This is the working guide we use with our clients.
Click through the seven stages every connected medical device walks - from scoping to postmarket. See what's due, where cyber lifts the bar, and the traps we see most often.
1. Define & Scope
Goal: Lock the device description, intended use, and patient/clinical risk profile so every downstream decision has a stable anchor.
You'll produce
Each row is a cybersecurity artifact reviewers expect to see. Each column is a stage of the pathway. The current stage is highlighted - markers show where an artifact starts, gets iterated, or is finalized.
| Artifact | |||||||
|---|---|---|---|---|---|---|---|
| Start | Iterate | Iterate | Iterate | - | Submit | Iterate | |
| Start | - | - | Iterate | - | Submit | - | |
| - | Start | Iterate | Iterate | Iterate | Submit | Iterate | |
| - | - | Start | Iterate | Iterate | Submit | Iterate | |
| - | - | - | Start | Iterate | Submit | Iterate | |
| - | - | - | Start | Iterate | Submit | Iterate | |
| - | - | - | Start | - | Submit | - | |
| - | - | - | - | Start | Submit | - | |
| - | - | - | - | Start | Submit | - | |
| - | - | - | Start | - | Submit | Iterate | |
| - | - | Start | Iterate | - | Submit | Iterate | |
| - | - | Start | Iterate | - | Submit | Iterate |
At Scope · 2 artifacts active
Start drafting(2)
Iterate / expand(0)
Finalize / submit(0)
Answer 2–4 quick questions. We'll recommend a pathway and the exact cybersecurity artifacts FDA will expect - no email required.
This is the FDA's threshold question for whether something is a medical device.
The pathway you pick drives your timeline, your user fee, and the depth of your cybersecurity package. All connected medical devices fall under Section 524B regardless of pathway, but reviewer expectations scale with risk.
Best for: Most Class II devices that are substantially equivalent to a legally marketed predicate.
Cybersecurity lift: Section 524B applies in full. Reviewers expect SPDF evidence, machine-readable SBOM, threat model, and a postmarket plan in the eSTAR.
Examples: Patient monitors, infusion pumps, connected wearables, imaging software (CADx).
Fee: Standard / small business user fees apply.
Best for: Novel low-to-moderate risk devices (Class I/II) with no valid predicate. Establishes a new classification.
Cybersecurity lift: Cybersecurity expectations equal to 510(k); novelty often draws additional reviewer attention to threat model rigor and ML/AI threats.
Examples: First-of-kind digital therapeutics, novel SaMD diagnostics, AI-enabled triage tools.
Fee: Higher than 510(k); special small-business waivers available.
Best for: Class III devices - those supporting/sustaining human life or presenting potential unreasonable risk.
Cybersecurity lift: Highest cybersecurity bar. Manual penetration testing, deep traceability (threat → requirement → design control → V&V), and an active CVD program are effectively required.
Examples: Implantable cardiac devices, neurostimulators, life-supporting infusion systems, certain AI/ML diagnostics.
Fee: Highest user fee tier.
Best for: Devices for rare conditions affecting fewer than 8,000 patients/year in the US. Requires HUD designation first.
Cybersecurity lift: Cybersecurity requirements still apply. Connectivity profile and patient-safety impact drive the depth of evidence expected.
Examples: Pediatric implants for rare disorders, niche neuromodulation devices.
Fee: Reduced.
Best for: Devices providing more effective treatment/diagnosis of life-threatening or irreversibly debilitating conditions.
Cybersecurity lift: Speed does not relax cyber expectations. Build the SPDF + threat model + SBOM in parallel - late additions cause schedule slips.
Examples: Novel cancer dx, first-line stroke detection AI, BCI devices for paralysis.
Fee: Same as underlying pathway; benefits include sprint discussions and priority review.
Best for: Getting written FDA feedback on your strategy before you file. Free and underused.
Cybersecurity lift: Best place to align on cybersecurity evidence depth, AI/ML threat scope, and acceptable VEX justifications before you commit to a build plan.
Examples: Used at concept, before pivotal study, before submission of any pathway above.
Fee: Free.
Classification is risk-based. The higher the class, the higher the controls and the deeper the cybersecurity evidence reviewers expect.
Low risk
Moderate risk
High risk / life-supporting
The single biggest mistake we see: cybersecurity treated as a final-mile add-on. The pathways above all reward teams that build evidence in parallel with engineering.
Use the FDA product classification database and the MDCC crosswalk (linked below) to confirm your product code, regulation number, and class. Class drives pathway, evidence depth, and timeline.
510(k) if a defensible predicate exists. De Novo if novel and low-to-moderate risk. PMA if Class III. Consider Breakthrough designation if eligible - file Q-Sub feedback before committing.
Every pathway above triggers Section 524B cyber-device requirements. Build the SPDF, SBOM, threat model, and postmarket plan in parallel with engineering - not at the end.
A Q-Sub is the cheapest reviewer feedback you'll ever get. Use it to validate the cybersecurity scope, AI/ML threat coverage, and acceptable VEX justifications before you build evidence at scale.
Cybersecurity risk assessment, threat model, SBOM (CycloneDX 1.5), pen test report, postmarket plan, labeling. Each artifact has a specific eSTAR slot - see our FDA 2026 Decoder.
When you're working a multi-jurisdiction submission (FDA + CE + IEC 62304 + AAMI TIR57 + ISO 14971), the MDCC Crosswalk is the cleanest way to see where standards align and where they don't. We use it on real client engagements alongside our own evidence-mapping templates.
30 minutes with a senior medical device security engineer. We'll review your device profile, recommend the pathway, and identify the cybersecurity evidence you need.
