What does a pen test for your device actually look like?
Six questions mapped to the SPDF and FDA premarket guidance. Get a planning-grade scope, depth, and timeline - then a tailored proposal.
White-box vs grey-box vs black-box
For medical devices, both Blue Goat and the FDA recommend white-box testing. Reviewers expect testers to leverage source, firmware, and threat models - black-box alone routinely leads to deficiencies.
| Capability | Black-box | Grey-box | White-box |
|---|---|---|---|
| Source code access | |||
| Firmware / binaries | |||
| Threat model & architecture | |||
| Authenticated test paths | |||
| Deep logic + business-flow flaws | |||
| Aligned with FDA expectations | |||
| Scope coverage per test-day | | | |
Why FDA and AAMI point to white-box
Premarket guidance and consensus standards both expect testers to leverage source code, design artifacts, and threat models, not just an external view of the device.
- FDA Premarket Cybersecurity Guidance (Feb 3, 2026 final)
Calls for security testing that demonstrates device resilience using design documentation, threat models, and source-level analysis, not black-box probing alone.
- FD&C Act Section 524B (Cyber Devices)
Requires sponsors of cyber devices to design, develop, and maintain processes that provide reasonable assurance the device and related systems are cybersecure - which reviewers read as a call for evidence-backed, white-box-informed testing rather than external probing alone.
- AAMI TIR57: Principles for Medical Device Security - Risk Management
Frames security testing as an output of threat modeling and architecture analysis. That is white-box by definition.
- AAMI TIR97: Principles for Medical Device Security - Postmarket Risk Management
Postmarket monitoring and vulnerability handling assume testers have access to internals - the same access white-box pen testing uses premarket.
Make sure you're testing the right things.
The estimator gives you a planning number. These resources help you sharpen scope before kickoff.
- FDA cybersecurity readiness quiz
2-minute self-assessment to score your submission against current FDA guidance.
- Medical device penetration testing
Our SPDF-aligned methodology, deliverables, and reviewer-ready report format.
- Threat modeling services
STRIDE-based modeling - the input that lets a pen test test the right things.
- FDA premarket cybersecurity
Full SPDF + eSTAR-ready submission package aligned to FDA guidance.
- Cost-of-delay calculator
Quantify what every week of submission slip costs in revenue and runway.
- White-box penetration testing
Our recommended depth for medical devices - and the FDA's preference. Full source, firmware, and threat-model access for deeper findings.
- Pen testing methodology
How we plan, execute, and report - designed for FDA reviewer scrutiny.