Is this aligned with current FDA cybersecurity expectations?

Yes. Postmarket SBOM Monitoring & VEX Automation is delivered against the FDA's 2026 premarket cybersecurity guidance, ANSI/AAMI SW96, ISO 14971, IEC 62304, and IEC 81001-5-1 - and structured to land cleanly in eSTAR.

How is the engagement priced and how long does it take?

Fixed-fee, scoped after a free 30-minute Discovery Session. Most premarket engagements (penetration testing, threat modeling, SBOM, deficiency response) complete in 4-8 weeks. We typically start within 1-2 weeks of contract signature.

What if the FDA still pushes back after we submit?

We back our work with a no failed-clearance guarantee. If your submission is delayed because of a cybersecurity deficiency in our deliverables, we resolve it at no additional cost until your device is cleared.

Postmarket & Legacy

Postmarket SBOM Monitoring & VEX Automation

Operational postmarket cybersecurity for cleared medical devices: continuous SBOM diffing against NVD/CISA-KEV/OSV, automated VEX triage, CVE-to-patient-harm risk scoring, and CAPA-ready evidence packs - aligned with FDA postmarket guidance, ANSI/AAMI SW96, and ISO 14971 risk management.

250+ FDA submissions. Zero rejections.

Senior team
Fixed-fee
Reviewer-ready
Re-test included

Book Strategy Session

Free 30-min call
No obligation
Senior expert, not a sales rep
Fixed-fee quote in 24 hours
NDA available on request

Trusted by leading MedTech companies

Reviewed by Christian Espinosa, MBA, CISSP · Founder & CEO

Last reviewed

Attack surface

What continuous SBOM + VEX monitoring covers

Postmarket SBOM monitoring is more than re-running a generator. The pipeline produces a fresh inventory per release, correlates it against current CVE feeds, produces VEX statements for each affected component, and feeds the postmarket plan SLAs.

01Build-time SBOM generator (CycloneDX 1.5 / SPDX 2.3)
02Release-to-release SBOM diff
03CVE feeds (NVD, OSV.dev, GHSA, vendor advisories)
04KEV + EPSS enrichment
05VEX statement authoring + publication (CSAF 2.0)
06Triage workflow + reviewer queue
07Customer notification path
08QMS evidence pack

Layers shown outermost (top) to innermost (bottom). Dashed rows are part of the surrounding system but out of scope for this view.

What's included

Reviewer-ready deliverables in one engagement

Every postmarket sbom monitoring & vex automation engagement ships with the artifacts FDA reviewers expect to see - traceable, complete, and aligned with current guidance.

Continuous SBOM ingestion (SPDX 2.3 / CycloneDX 1.5+) and diff-on-build
Automated VEX (Vulnerability Exploitability eXchange) statements per CVE
CVE-to-patient-harm risk scoring traced into ISO 14971 risk file
CISA-KEV, NVD, OSV, GitHub Advisory feed monitoring
CAPA-ready evidence packs with auditor-grade traceability
FDA postmarket cybersecurity report draft for material changes

Notable incidents

Public postmarket cybersecurity history

Recalls, CISA ICS-MA advisories, and disclosed research that shape what reviewers ask about - and what this engagement is built to cover.

curl maintainers + NVD·2023

curl CVE-2023-38545 SBOM stress test

A single library disclosure that touched essentially every connected device. Teams without continuous SBOM + VEX could not answer 'are we affected' inside the FDA's expected response window.

Advisory
GitHub + Sonatype·2022-2024

PyPI / npm typosquatting supply-chain incidents

Ongoing supply-chain incidents make package-provenance and version pinning a postmarket-monitoring concern, not just a build-time one. The pipeline must flag dependency drift between releases.