What We Do

Security Testing for Medical Devices

We test medical devices in our hardware lab — network, firmware, physical, and cloud — and deliver FDA-compliant reports. We also help manufacturers respond to FDA ANIN cybersecurity letters and perform testing for equivalency validation.

Medical Device Penetration Testing

Comprehensive validation of life-critical medical devices across the entire hardware and software stack.

Network & Protocols
Firmware & Hardware
Cloud Ecosystem
Physical Access Vectors

Deliverables

  • FDA-Mapped Findings
  • Remediation Roadmap
  • Code-Level Fix Suggestions

Threat Modeling & Risk Assessment

Structured risk analysis of your device's architecture and attack surfaces before testing begins.

Methodology

  • STRIDE-based Analysis
  • Attack Tree Mapping

FDA ANIN Response

Received an Additional Information (ANIN) cybersecurity letter from the FDA? We help manufacturers address the specific deficiencies identified in your review, conduct the required testing, and prepare documentation for resubmission.

Gap analysis of FDA feedback
Targeted testing to address deficiencies
Updated documentation for resubmission

Equivalency Validation

Cybersecurity testing for substantial equivalence claims. We validate that your device meets the same security posture as the predicate device referenced in your 510(k) submission, providing the comparative evidence the FDA expects.

Predicate device security comparison
Equivalency-focused test methodology
FDA-ready comparative report

FDA-Ready Reports

Every engagement includes a report mapped to FDA premarket cybersecurity guidance. Suitable for inclusion in 510(k) and PMA submissions.

Included with every engagement

What We Test

Infusion pumps, patient monitors, imaging systems, implantables, wearables, connected diagnostics, and more.

Hardware Lab: Dedicated Facility
Experience: 100+ Device Types

Custom Engagements

Have a unique device or testing scope? We'll work with you to define a custom engagement with tailored pricing.


Your device isn't generic. Neither is our testing.

Every medical device has a unique threat profile based on its intended use, connectivity, and patient interaction. We build a custom testing methodology for each engagement so you get findings that matter to your device, not a recycled checklist.

An insulin pump, a cardiac monitor, and a diagnostic imaging system all face different risks. Our methodology adapts to yours, giving you results, not noise.

Device-Specific Scoping

Attack surface analysis based on your device's architecture, communication protocols, and clinical context.

Targeted Test Cases

Test cases derived from your device's threat model and intended use environment, not a one-size-fits-all script.

Patient Impact Analysis

Every finding is assessed for clinical impact, so your team can prioritize what matters most to patient safety.

Signal, Not Noise

No padded reports with irrelevant findings. Every vulnerability in your report is relevant to your device and its regulatory context.

Code-Level Remediation

Every finding includes suggested code fixes and patches your engineering team can apply directly. Not generic advice, actionable changes you can merge. Spend less time interpreting results and more time shipping secure code.

ble_auth.c
uint8_t validate_pairing(conn_t *conn) {
- if (conn→pin == DEFAULT_PIN) {-   return AUTH_OK;+ if (!validate_oob_token(conn)) {+   return AUTH_REJECTED;}
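
Review bot: after the new `if (!validate_oob_token(conn))` branch the visible lines contain no return for the success case, although `validate_pairing` is declared to return `uint8_t`; add an explicit `return AUTH_OK;` after the check so that a valid OOB token produces a defined result. It would also help to confirm that `conn` is non-NULL before it is passed to `validate_oob_token`, and to add a comment stating what that function verifies now that the `DEFAULT_PIN` comparison is gone.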

How It Works

1. Define: Create an engagement on Thrombus and tell us about your device
2. Logistics: Ship your device to our lab
3. Testing: We test it over ~4 weeks
4. Reporting: Review findings and download your FDA-compliant report
5. Verification: Re-test for free within 60 days after you remediate