Blue Goat Cyber | Medical Device Cybersecurity

    Press kit: MedTech Vulnerability Landscape Report

    The most common vulnerabilities found in medical device penetration tests, broken out by device class.

    Media contact

    Email [email protected] for interviews, custom data cuts, or fact-check requests. We respond same-day for active stories. Lead author for this report: Trevor Slattery, COO.

    Quote-ready findings

    • "Pending legal review."

    Charts (embed-friendly)

    Free to re-use with attribution. Drop the iframe snippet into any CMS that allows HTML — the chart will render at the correct aspect ratio with our methodology footer baked in.

    Top 10 CWE categories across all engagements

    internal extract pending

    Share of total findings by CWE family.

    Pending data extract — chart will render once the analyst team and legal review approve the underlying numbers.

    Source: Blue Goat Cyber penetration test dataset, 2022–2025. · Unit: % of findings

    <iframe src="https://bluegoatcyber.com/research/medtech-vulnerability-landscape-2026/embed/top-cwe-overall" width="100%" height="420" style="border:0" loading="lazy" title="Top 10 CWE categories across all engagements"></iframe>

    Direct chart URL: https://bluegoatcyber.com/research/medtech-vulnerability-landscape-2026/embed/top-cwe-overall

    Findings per engagement by device class

    internal extract pending

    Average findings per engagement, broken out by device class and severity.

    Pending data extract — chart will render once the analyst team and legal review approve the underlying numbers.

    Source: Blue Goat Cyber penetration test dataset, 2022–2025. · Unit: findings per engagement

    <iframe src="https://bluegoatcyber.com/research/medtech-vulnerability-landscape-2026/embed/findings-by-device-class" width="100%" height="420" style="border:0" loading="lazy" title="Findings per engagement by device class"></iframe>

    Direct chart URL: https://bluegoatcyber.com/research/medtech-vulnerability-landscape-2026/embed/findings-by-device-class

    Severity distribution of findings

    internal extract pending

    Share of findings rated Critical, High, Medium, or Low.

    Pending data extract — chart will render once the analyst team and legal review approve the underlying numbers.

    Source: Blue Goat Cyber penetration test dataset, 2022–2025. · Unit: % of findings

    <iframe src="https://bluegoatcyber.com/research/medtech-vulnerability-landscape-2026/embed/severity-distribution" width="100%" height="420" style="border:0" loading="lazy" title="Severity distribution of findings"></iframe>

    Direct chart URL: https://bluegoatcyber.com/research/medtech-vulnerability-landscape-2026/embed/severity-distribution

    BLE/RF findings by device class

    internal extract pending

    Average BLE or radio findings per engagement, by device class.

    Pending data extract — chart will render once the analyst team and legal review approve the underlying numbers.

    Source: Blue Goat Cyber BLE/RF testing subset, 2022–2025. · Unit: findings per engagement

    <iframe src="https://bluegoatcyber.com/research/medtech-vulnerability-landscape-2026/embed/ble-rf-by-class" width="100%" height="420" style="border:0" loading="lazy" title="BLE/RF findings by device class"></iframe>

    Direct chart URL: https://bluegoatcyber.com/research/medtech-vulnerability-landscape-2026/embed/ble-rf-by-class

    Most common vulnerable components observed in SBOMs

    internal extract pending

    Share of analyzed SBOMs containing a known-vulnerable version of the listed component.

    Pending data extract — chart will render once the analyst team and legal review approve the underlying numbers.

    Source: Blue Goat Cyber SBOM analysis dataset, 2023–2025. · Unit: % of SBOMs

    <iframe src="https://bluegoatcyber.com/research/medtech-vulnerability-landscape-2026/embed/sbom-vulnerable-components" width="100%" height="420" style="border:0" loading="lazy" title="Most common vulnerable components observed in SBOMs"></iframe>

    Direct chart URL: https://bluegoatcyber.com/research/medtech-vulnerability-landscape-2026/embed/sbom-vulnerable-components

    Average remediation time by severity

    internal extract pending

    Median days from finding disclosure to client-confirmed remediation.

    Pending data extract — chart will render once the analyst team and legal review approve the underlying numbers.

    Source: Blue Goat Cyber retest dataset, 2022–2025. · Unit: days (median)

    <iframe src="https://bluegoatcyber.com/research/medtech-vulnerability-landscape-2026/embed/remediation-time" width="100%" height="420" style="border:0" loading="lazy" title="Average remediation time by severity"></iframe>

    Direct chart URL: https://bluegoatcyber.com/research/medtech-vulnerability-landscape-2026/embed/remediation-time

    Citation

    Blue Goat Cyber. (2026). MedTech Vulnerability Landscape Report. https://bluegoatcyber.com/research/medtech-vulnerability-landscape-2026

    Canonical report URL: https://bluegoatcyber.com/research/medtech-vulnerability-landscape-2026
