Blue Goat Cyber℠ · Medical Device Cybersecurity
    Original Research

    Data from 250+ FDA submissions, in the open.

    Four times a year we publish anonymized findings from inside our practice — what FDA reviewers flag, what penetration testers find, and how engagement timing changes outcomes. Cite us, link us, push back on us.

    Reports

    Q4 2026 — Vol. 4 · Forthcoming

    AI/ML SaMD Security: Year in Review

    Vulnerabilities, FDA expectations, and real-world findings on AI-enabled medical devices.

    A focused review of cybersecurity findings, FDA review patterns, and emerging risks for AI/ML-enabled Software as a Medical Device. Synthesizes Blue Goat Cyber's 2026 engagement data with public FDA AI/ML guidance updates and CVE disclosures relevant to AI inference stacks.

    Category: AI/ML Security · Publish: 2026-12-15
    Q3 2026 — Vol. 3 · Forthcoming

    The Cost of Late Cybersecurity Engagement in MedTech

    Quantifying submission delay, deficiency rate, and remediation cost for teams that engage cybersecurity early vs. late.

    An analysis of how the timing of cybersecurity engagement — relative to design freeze and submission filing — correlates with FDA deficiency rates, time-to-clearance, and remediation cost. Engagements are bucketed into four timing tiers based on when cybersecurity work was initiated.

    Category: Operations & Cost · Publish: 2026-09-15
    Q2 2026 — Vol. 2 · Forthcoming

    MedTech Vulnerability Landscape Report

    The most common vulnerabilities found in medical device penetration tests, broken out by device class.

    Aggregate findings from medical device penetration tests conducted by Blue Goat Cyber between 2022 and 2025. Vulnerabilities are categorized by CWE family and broken out across cardiac, surgical robotics, in-vitro diagnostic, infusion, imaging, wearable, and SaMD device classes.

    Category: Vulnerability Research · Publish: 2026-06-15
    Q1 2026 — Vol. 1 · Forthcoming

    The State of FDA Medical Device Cybersecurity Deficiencies

    What FDA reviewers flag most in cybersecurity submissions, by pathway, with average resolution time.

    An analysis of cybersecurity-related deficiencies issued by FDA across 510(k), De Novo, and PMA submissions handled by Blue Goat Cyber. The report quantifies the most frequent deficiency categories, average time to resolution by category, and how deficiency rates differ by submission pathway and device class.

    Category: FDA & Regulatory · Publish: 2026-03-15

    Underlying datasets

    Every published report draws from one of these internal datasets. Anonymized CSV slices are made available to academic researchers where defensible — see Data hub.

    FDA cybersecurity deficiency correspondence

    Anonymized FDA deficiency letter content across Blue Goat Cyber-supported submissions, categorized by content area and submission pathway.

    Scale: 250+ supported submissions, 2021–2025

    Aggregate penetration test findings

    CWE-categorized findings from medical device penetration tests, broken out by device class and severity.

    Scale: Engagements completed 2022–2025

    SBOM vulnerability dataset

    Aggregate counts of known-vulnerable components observed in MedTech SBOMs analyzed by Blue Goat Cyber.

    Scale: SBOMs analyzed 2023–2025

    Time-to-clearance dataset

    Per-engagement time-to-clearance keyed to when cybersecurity engagement began relative to design freeze.

    Scale: Engagements with FDA outcome 2022–2025

    Remediation time dataset

    Median days from finding disclosure to client-confirmed remediation, broken out by severity.

    Scale: Findings tracked through retest 2022–2025

    Threat model coverage gaps by segment

    Common gaps observed in incoming client threat models, bucketed by MedTech segment.

    Scale: Threat models reviewed 2022–2025

    Ready when you are

    Reporting on MedTech cybersecurity?

    Email [email protected] for early access, interviews, or quote requests.