Which services should we start with for an FDA submission?

Most premarket programs combine threat modeling, an SBOM, and penetration testing - all packaged against the FDA's 2026 premarket guidance and ANSI/AAMI SW96. We map the right starting point in the Discovery Session.

Can we engage you for just one piece, like pen testing or SBOM?

Yes. Every service is scoped and priced as a standalone engagement with a fixed fee, so you can pull in only the piece you need - or layer them into a full SPDF program.

Do you only work on premarket, or also postmarket?

Both. Premarket: pen testing, threat modeling, SBOM, deficiency response, secure-by-design. Postmarket: GoatWatch monitoring, patch and vulnerability management, legacy device cybersecurity, and CVD program support.

How do you keep services consistent across a multi-device portfolio?

We standardize the SPDF artifacts (threat model, SBOM, test plan, traceability) so they reuse cleanly across families of devices - only the device-specific risks and surfaces change.

How is the engagement priced and how long does it take?

Fixed-fee, scoped after a free 30-minute Discovery Session. Most premarket engagements (penetration testing, threat modeling, SBOM, deficiency response) complete in 4-8 weeks. We typically start within 1-2 weeks of contract signature.

What if the FDA still pushes back after we submit?

We back our work with a 100% success guarantee. If your submission is delayed because of a cybersecurity deficiency in our deliverables, we resolve it at no additional cost until your device is cleared.

Services

Cybersecurity for every stage of your device lifecycle.

Premarket through postmarket - one team, one accountable partner for medical device cybersecurity. Fixed-fee pricing, FDA-ready deliverables.

Premarket

34 services

FDA Submissions

Full-Service FDA Premarket Cybersecurity

Full-service: we own 100% of SPDF, SBOMs, threat modeling, pen testing, and eSTAR documentation.

Explore Full-Service FDA Premarket Cybersecurity

FDA Deficiency Response

Got an FDA hold or AI letter? We close cybersecurity deficiencies fast.

Explore FDA Deficiency Response

FDA-Compliant SBOM Services

Create, validate, and maintain SBOMs for premarket and postmarket.

Explore FDA-Compliant SBOM Services

Secure Design & Documentation

Secure MedTech Product Design

Bake cybersecurity into your device from day one.

Explore Secure MedTech Product Design

Medical Device Threat Modeling

FDA-aligned threat models that identify risks early and speed approvals.

Explore Medical Device Threat Modeling

AI/ML Medical Device Security

Defend AI/ML SaMD against adversarial attacks - and meet FDA's PCCP, GMLP, and 2025 AI-enabled device guidance.

Explore AI/ML Medical Device Security

SaMD Cybersecurity

End-to-end FDA premarket cybersecurity package for Software as a Medical Device - cloud, mobile, and web SaMD.

Explore SaMD Cybersecurity

Penetration Testing

Penetration Testing Services

Black, gray, and white box testing for compliance and real-world defense.

Explore Penetration Testing Services

Medical Device Penetration Testing

FDA-compliant device, firmware, app, and cloud testing.

Explore Medical Device Penetration Testing

Device Vulnerability & Pen Testing

10+ years testing medical devices for 510(k) and PMA clearance.

Explore Device Vulnerability & Pen Testing

BLE & RF Penetration Testing

Wireless interface testing for BLE, Wi-Fi, Zigbee, NFC, and proprietary RF.

Explore BLE & RF Penetration Testing

Firmware Penetration Testing

Embedded firmware extraction, reverse engineering, and exploitation.

Explore Firmware Penetration Testing

PHI Cloud Backend Penetration Testing

Cloud backend testing for connected devices that store or transmit PHI.

Explore PHI Cloud Backend Penetration Testing

Black Box Penetration Testing

External, unauthenticated testing of internet-facing systems.

Explore Black Box Penetration Testing

Gray Box Penetration Testing

Authenticated testing for insider threat and application scenarios.

Explore Gray Box Penetration Testing

White Box Penetration Testing

Full-knowledge testing with administrator access and source code.

Explore White Box Penetration Testing

Application Security

Application Penetration Testing

Thick client, thin client, mobile, and web app coverage.

Explore Application Penetration Testing

Web Application Penetration Testing

Front-end, back-end, API, and mobile coverage in one engagement.

Explore Web Application Penetration Testing

API Penetration Testing

REST and GraphQL API testing with fuzzing and auth analysis.

Explore API Penetration Testing

Mobile Application Penetration Testing

iOS and Android testing covering storage, network, and platform.

Explore Mobile Application Penetration Testing

Static Application Security Testing (SAST)

Code-level vulnerability discovery to support FDA expectations.

Explore Static Application Security Testing (SAST)

Dynamic Application Security Testing (DAST)

Runtime testing combined with manual penetration testing.

Explore Dynamic Application Security Testing (DAST)

Network & Infrastructure Testing

Network Penetration Testing

External and internal testing of your network systems.

Explore Network Penetration Testing

Internal Penetration Testing

Insider-threat simulation against your enterprise environment.

Explore Internal Penetration Testing

Wireless Penetration Testing

Secure your Wi-Fi and wireless attack surface.

Explore Wireless Penetration Testing

HIPAA Penetration Testing

Penetration testing scoped to HIPAA Security Rule expectations.

Explore HIPAA Penetration Testing

SOC 2 Penetration Testing

AICPA-aligned penetration testing scoped to your SOC 2 system boundary - auditor-ready report, free retest.

Explore SOC 2 Penetration Testing

Go-To-Market Compliance

MedTech Compliance Bundle

One program covering FDA Clearance, SOC 2, HIPAA, HITRUST, and GDPR - run in parallel for hospital-ready and EU-ready launch.

Explore MedTech Compliance Bundle

SOC 2 Type II for MedTech

SOC 2 Type II readiness, control build, and audit support so HDO procurement stops blocking your contracts.

Explore SOC 2 Type II for MedTech

HITRUST Readiness (e1 / i1 / r2)

HITRUST CSF readiness and certification support for MedTech selling into IDNs, AMCs, and large health systems.

Explore HITRUST Readiness (e1 / i1 / r2)

GDPR for Connected Medical Devices

GDPR readiness aligned to MDR/IVDR: RoPA, Article 32 controls, DPIAs, breach response, SCCs, and DPAs.

Explore GDPR for Connected Medical Devices

HIPAA Compliance Program for MedTech

End-to-end HIPAA Security Rule program for MedTech, SaMD, and digital health Business Associates.

Explore HIPAA Compliance Program for MedTech

EU Cyber Resilience Act (CRA) for Medical Devices

CRA readiness for connected medical devices: essential cybersecurity requirements, vulnerability handling, and CE-mark conformity before December 11, 2027.

Explore EU Cyber Resilience Act (CRA) for Medical Devices

MDS2 & HSCC Procurement Disclosure Service

We complete your MDS2 (Manufacturer Disclosure Statement for Medical Device Security) and HSCC procurement responses so hospital security reviews stop blocking deals.

Explore MDS2 & HSCC Procurement Disclosure Service

Postmarket

3 services

Postmarket & Legacy

FDA Postmarket Cybersecurity

Continuous compliance, monitoring, and vulnerability response.

Explore FDA Postmarket Cybersecurity

Legacy Device Protection

Reduce risk on fielded devices - no redesign, no new submission, no downtime.

Explore Legacy Device Protection

Postmarket SBOM Monitoring & VEX Automation

Continuous SBOM monitoring, automated VEX triage, and CAPA-ready evidence for cleared devices - so postmarket cybersecurity stops being a quarterly fire drill.

Explore Postmarket SBOM Monitoring & VEX Automation

GoatWatchby Blue Goat Cyber

Stay ahead of CVEs. Audit-ready always.

Continuous SBOM monitoring for medical devices. Daily CVE matching, device-context triage, and VEX-ready evidence aligned to FDA Section 524B - without the noise.

Daily CVE MatchingDevice-Context TriageVEX-Ready Evidence

Explore GoatWatch bluegoatcyber.com/products/goatwatch

Live MonitoringACTIVE

FDA Submissions: Zero rejections
Section 524B: Postmarket ready
Setup: Fixed-fee

FAQ

Common questions about our services

How engagements are scoped, sequenced, and priced - straight answers from a senior team.

In their words

Backed by MedTech leaders.

"Blue Goat Cyber's depth of expertise was impressive. We had no in-house cybersecurity experience, and their team guided us through every step of the FDA process. The penetration testing and SBOM testing were thorough and gave us complete confidence."

Hank Tucker

CEO · MedTech Manufacturer

Pick the right starting point

Not sure which service you need?

A 30-minute scoping call gets you a recommended package and a fixed-fee SOW - no hourly meters, no surprises.

Scope my engagement See methodology