Frequently Asked Questions

Common questions about medical device penetration testing, FDA cybersecurity requirements, and how we work.

How much does medical device penetration testing cost?

We do flat-rate pricing on every engagement — no hourly billing, no surprise invoices, no scope creep fees. We believe in simple, no-bullshit pricing so you know exactly what you're paying before testing begins. Threat modeling is $15,000. Penetration testing is $45,000. A combined threat model and pentest is $55,000. Custom engagements are priced based on scope — contact us for a quote. All engagements include an FDA-compliant report and one free re-test within 60 days.

How long does a penetration test take?

Testing takes approximately 4 weeks from the time we receive your device. Scoping is self-service on Thrombus and completes instantly. After testing, you receive your report immediately. Re-testing after remediation takes about 1 week. The total timeline from device receipt to letter of remediation depends on how quickly your team addresses the findings.

What types of medical devices do you test?

We test all FDA-regulated connected medical devices including infusion pumps, patient monitors, imaging systems, implantable devices, wearables, connected diagnostics, and drug delivery systems. If your device has software, connects to a network, or could be vulnerable to cybersecurity threats, we can test it.

What's included in the penetration test report?

Every report includes an executive summary, detailed testing methodology, findings with proof-of-concept evidence, risk assessment prioritized by clinical impact, a remediation roadmap with code-level fix suggestions, and patient impact analysis. Reports are structured around FDA premarket cybersecurity guidance and are ready to include in your 510(k) or PMA submission.

What's the difference between a threat model and a penetration test?

A threat model is a structured analysis of your device's architecture, attack surfaces, and risk profile — it identifies what could go wrong before any hands-on testing begins. A penetration test is active, hands-on security testing in our hardware lab where we attempt to exploit vulnerabilities across network protocols, firmware, physical interfaces, and cloud components. Many manufacturers do both: threat modeling first to guide the scope, then a pentest to validate.

Do you test the cloud backend and mobile companion apps?

Yes. If your device communicates with a cloud service or has a companion mobile app, we test the full ecosystem — APIs, authentication flows, data handling, and the communication channel between the device and backend. Most modern medical devices have a cloud component, and the FDA expects it to be included in your cybersecurity testing.

What happens if the FDA sends us an ANIN cybersecurity letter?

An Additional Information (ANIN) letter means the FDA found deficiencies in your cybersecurity documentation. We help you understand exactly what the FDA is asking for, conduct targeted testing to address the specific gaps, and prepare updated documentation for resubmission. We've helped manufacturers respond to ANIN letters and get their submissions back on track.

Can I use your testing for a substantial equivalence claim?

Yes. We offer equivalency validation — cybersecurity testing specifically designed to support 510(k) substantial equivalence claims. We validate that your device meets the same security posture as the predicate device referenced in your submission and provide a comparative report the FDA expects to see.

What do I need to provide to get started?

Create an engagement on our Thrombus platform, upload your device documentation (architecture diagrams, user manuals), and provide your source code. Then ship the physical device to our lab. The more documentation and source code you provide upfront, the more thorough our testing will be.

Do you provide source code review as part of the pentest?

If you provide source code, we incorporate it into our testing methodology. Source code access allows us to identify vulnerabilities more efficiently and provide more specific remediation guidance with code-level fix suggestions. We handle all source code under strict confidentiality.

What standards and methodologies do you follow?

Our testing methodology draws from IEC 62443 (industrial/medical device cybersecurity), NIST Cybersecurity Framework, STRIDE and TARA for threat modeling, CVSS for vulnerability scoring, and FDA premarket cybersecurity guidance. We map all findings to clinical impact, not just technical severity.

What is the re-testing process?

After your engineering team remediates the findings in our report, we re-test the specific vulnerabilities within approximately 1 week. For software-only fixes, we can often complete re-testing with just source code updates — no need to ship the device again. If a hardware component was changed to mitigate an issue, we'll need the updated device back in our lab. One re-test is included free within 60 days of the initial report. Once everything passes, we issue a letter of remediation confirming the fixes — ready to include with your FDA submission.

How is your testing different from a generic penetration testing firm?

Generic pentest firms test web apps and corporate networks. Medical device testing requires a dedicated hardware lab, specialized equipment for firmware extraction and protocol analysis, understanding of clinical context (a buffer overflow in an infusion pump is a patient safety issue, not just a data breach), and reports that map to FDA premarket cybersecurity guidance. We focus exclusively on medical devices — it's all we do.

Do you handle post-market cybersecurity requirements?

We do both premarket and post-market testing. For post-market, we support differential testing — focused only on the parts of the device and software that have changed since the last test, so you're not paying for a full assessment every time you push an update. Or if you prefer, we can do a full reassessment. This is ideal for manufacturers with regular firmware or software release cycles. We also offer discounts for bundled tests when you commit to ongoing testing.

What is Thrombus?

Thrombus is our online pentest management platform at thrombus.io. It's where you create engagements, upload documentation and source code, track testing progress in real time, review findings, download your FDA-compliant report, and pay. It replaces the back-and-forth emails and opaque timelines of traditional consulting engagements.

Are my data and source code kept confidential?

Yes. All documentation, source code, firmware images, and test results are treated as strictly confidential. Files uploaded to Thrombus are encrypted at rest. We do not share your information with third parties without your written consent, and all engagement terms are governed by the Statement of Work you sign before testing begins.

Still have questions?

We're happy to walk through your specific situation.