
FDA-Aligned Penetration Testing for Software-based Medical Devices

Cybersecurity is no longer just a technical concern — it’s a prerequisite for market access. The U.S. Food and Drug Administration (FDA) now expects manufacturers of connected and software-based medical technologies to deliver products that are secure by design, resilient to cyber threats, and supported by ongoing vulnerability management.

In today’s threat landscape, cyber incidents can halt hospital operations and compromise patient safety. FDA recognizes this reality — and requires that manufacturers back their claims with real-world, verifiable evidence. Without tangible evidence of cybersecurity controls, FDA submissions can face delays, additional information requests (AI letters), or post-market enforcement risks.


100+ Projects completed 

We don’t stop at compliance — we test for confidence


At Sekurno, we help you meet and exceed these expectations. Our FDA-aligned penetration testing is built to demonstrate real security through practical, risk-based evidence — empowering you to show that your device is resilient, your systems are trustworthy, and your submission is ready.

FDA cybersecurity expectations.
What needs to be proven?

Software validation and risk management are key elements of cybersecurity analysis and of demonstrating that a device provides reasonable assurance of safety and effectiveness. That demonstration rests on three things:

Identification of security risks

Design requirements for how the risks will be controlled

Evidence that the controls function as designed and are effective in their environment of use for ensuring adequate security


Guidance outlines

The FDA’s premarket cybersecurity guidance outlines several core expectations that align with secure-by-design principles:

Cybersecurity Risk Management & Threat Modeling

Manufacturers must conduct cybersecurity risk assessments and threat modeling to identify potential exploit paths and implement mitigations.

Implementation of Security Controls

Devices must incorporate and validate controls like authentication, encryption, logging, and update mechanisms — not just in theory, but in practice.

Third-Party Software Risk Management

Submissions must include a description of how vulnerabilities in third-party components are managed.

Cybersecurity Testing

Manufacturers are expected to provide objective evidence that cybersecurity controls have been verified and validated through appropriate testing.

Cybersecurity Management Plans

Manufacturers should provide a documented plan outlining how cybersecurity will be maintained across the product lifecycle — including responsibilities, sources, methods, and frequency for monitoring and identifying vulnerabilities.


Cybersecurity testing.
Verifying security assurance.

Verification and Validation (V&V) methods are used to ensure that cybersecurity controls in medical devices meet requirements and specifications and that they fulfill their intended security purpose. V&V are critical components of a quality management system and are particularly essential for demonstrating "reasonable assurance of cybersecurity" as emphasized in FDA's 2025 guidance.

Secure by Design 

Security is embedded in architecture, not added as an afterthought

Risk-Aware

Testing depth is proportional to device risk levels

Threat-Driven

Aligned with the device’s threat model and attack surface

Clinically Grounded

Effective in real-world healthcare environments

FDA-recommended cybersecurity testing

[Figures: FDA-recommended security requirements; FDA-recommended threat mitigation]

What should be verified?

The FDA recommends testing and documenting the functionality of key security mechanisms. This includes:

Authentication

Verifying credentials and access flows

Authorization

Confirming that user roles and privileges are enforced

Encryption

Ensuring correct and effective use of cryptographic protocols

Secure Communications

Validating TLS, VPNs, and channel integrity

Security Logging

Capturing access, updates, and critical security events

Input Validation

Blocking malformed or malicious input

Update Integrity

Testing secure software or firmware update delivery

Error Handling

Ensuring exceptions don’t leak sensitive data

Monitoring & Alerts

Confirming runtime visibility into security-relevant events
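Two of the items above, Error Handling and Security Logging, are easy to state and easy to get wrong in the same place: the exception path. The snippet below is an added example, not code from the page or from any vendor or device. It contrasts a leaky handler that echoes the exception text to the caller with a hardened one that returns a generic message plus a correlation id and keeps the detail in the server-side log. The backend function, the database URI, the file path and the marker strings are constructed stand-ins; `leaks_internals` is the kind of automated verification check a V&V suite would run against each error response.

```python
"""Error-handling verification: does a failure leak internals to the caller?

Added example with constructed values; the backend call is a stand-in and the
URI/path below are not from any real device.
"""
from __future__ import annotations

import logging
import uuid

log = logging.getLogger("device.api")

# Constructed internal values that must never appear in a client response.
DB_URI = "postgres://svc_user:Example-Pass-123@db.internal:5432/ehr"  # constructed
CONFIG_PATH = "/opt/device/config/secrets.yaml"  # constructed


def lookup_patient(record_id: str) -> dict:
    """Stand-in for a backend call that fails with a verbose internal error."""
    raise ConnectionError(f"could not connect to {DB_URI} (config at {CONFIG_PATH})")


def handler_leaky(record_id: str) -> tuple[int, dict]:
    """Weak pattern: the exception text is echoed straight back to the caller."""
    try:
        return 200, lookup_patient(record_id)
    except Exception as exc:
        return 500, {"error": str(exc)}


def handler_hardened(record_id: str) -> tuple[int, dict]:
    """Hardened pattern: generic message to the caller, full detail only in the
    log, the two joined by a correlation id so an incident stays investigable."""
    try:
        return 200, lookup_patient(record_id)
    except Exception:
        correlation_id = uuid.uuid4().hex
        # log.exception records the traceback server-side at ERROR level.
        log.exception("request failed", extra={"correlation_id": correlation_id})
        return 500, {"error": "internal error", "correlation_id": correlation_id}


# Strings whose presence in a response means internals leaked (constructed).
INTERNAL_MARKERS = ("postgres://", "Example-Pass", "/opt/device", "Traceback")


def leaks_internals(response: dict) -> bool:
    """Verification check: does any response field contain an internal marker?"""
    text = " ".join(str(v) for v in response.values())
    return any(marker in text for marker in INTERNAL_MARKERS)


if __name__ == "__main__":
    for name, handler in (("leaky", handler_leaky), ("hardened", handler_hardened)):
        status, body = handler("record-1")
        print(name, status, body, "LEAK" if leaks_internals(body) else "clean")
```

The marker list is deliberately specific to the constructed secrets; in a real test suite it would be populated from the deployment's own connection strings, paths and credential fragments, and the assertion would be run against every error path the API exposes.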

At Sekurno, we bring that independence and deep technical expertise — helping you turn cybersecurity testing into submission-ready evidence that builds regulator confidence and elevates patient safety.

To meet FDA expectations for reasonable assurance of cybersecurity, testing must go beyond internal verification. The FDA strongly encourages independent assessments that provide objective, expert-driven validation of security effectiveness. This means engaging qualified third parties to identify and characterize vulnerabilities through structured exploitation — not just theoretical checks.

Post-market vulnerability management

FDA’s cybersecurity expectations don’t stop at submission — they extend across the entire product lifecycle. Manufacturers must have documented processes for identifying, assessing, and remediating vulnerabilities after the device reaches the market.

Ongoing monitoring of vulnerability sources (e.g. NVD, CISA, vendor advisories)

Regular analysis of device-specific exposure to newly discovered threats

Periodic cybersecurity testing to revalidate controls and confirm resilience over time

Timely implementation of mitigations or software updates

Transparent communication with users and healthcare providers

At Sekurno, we support post-market resilience by uncovering vulnerabilities before attackers do — and helping you integrate testing insights into your broader cybersecurity risk management and PMS (post-market surveillance) programs. Our goal is not just to secure the premarket submission — but to future-proof your device in a dynamic threat environment.

Sekurno’s FDA-Aligned Penetration Testing Service

Tailored for software-based medical devices

We assess the full digital ecosystem where your software-based medical device lives, identifying exploitable vulnerabilities that could compromise safety, effectiveness, or data integrity.

K8S Configurations

Container isolation, configuration checks, network policies, role-based access control, etc.

Mobile Applications

Insecure local storage, root/jailbreak vulnerabilities, misuse of biometric APIs, session replay, or over-permissive access to device resources

Web Applications

Broken access controls (e.g., IDOR), insecure authentication flows, session hijacking, XSS/CSRF flaws, or unencrypted personal health data in transmission

Leaked or Weak Credentials

Credential reuse, hardcoded secrets in codebases or CI/CD, exposed secrets in containers, or credentials found in public repositories

Network Pentesting

Unfiltered ports, legacy or insecure protocols (e.g., FTP, Telnet), improper firewall zoning, or unsafe pathways from external interfaces to patient-impacting systems

Cloud Infrastructure

Public cloud storage with patient data, insecure backups, over-permissive IAM roles, missing encryption at rest, or logging gaps that hinder incident response

API Testing

Missing access validation, broken object-level authorization, insecure rate limits, weak cryptography, or exposure of health data through unprotected endpoints

FDA-focused, threat-driven testing methodology

Our penetration testing process is purpose-built to support FDA cybersecurity expectations. We combine real-world threat simulation with structured verification techniques to help you demonstrate that your security controls aren’t just present — they actually work. Every layer of testing is mapped to critical risk areas the FDA wants you to validate in your premarket submission.

Threat Modeling

We analyze your architecture and threat model to ensure all credible abuse cases are addressed — aligning test efforts with identified risk vectors and clinical use environments

Manual Penetration Testing

Our hands-on testing simulates real-world exploitation attempts — targeting critical areas like authentication, authorization, firmware integrity, and secure update mechanisms to uncover gaps automation misses

Secure Code & Logic Review Testing

We inspect business logic, sensitive data handling, and session management for flaws that could compromise data confidentiality, system integrity, or patient safety — strengthening your design validation package

Automated Vulnerability Scanning

We perform static (SAST) and dynamic (DAST) analysis to identify known CVEs, OWASP Top 10 issues, and implementation bugs — supporting baseline hardening across the device stack

Third-Party & Component Risk Analysis

We assess embedded libraries and third-party modules for unpatched vulnerabilities and missing integrity checks — helping you build a trustworthy SBOM and meet FDA’s expectations for supply chain security
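The post-market expectations above (ongoing monitoring of NVD, CISA and vendor advisories, and regular analysis of device-specific exposure) and the component risk analysis in this step both reduce to one recurring check: matching the device's SBOM against an advisory feed and deciding which entries actually apply to the shipped versions. The script below is an added example, not Sekurno's tooling or anything from FDA guidance. The SBOM is a minimal CycloneDX-shaped document and the advisory entries are constructed sample data with placeholder identifiers (not real CVEs); the version comparison is a simple tokenised ordering that handles OpenSSL-style letter suffixes, and components without a version are flagged for manual review rather than silently passed.

```python
"""Match a CycloneDX-style SBOM against an advisory feed.

Added example with constructed sample data: advisory ids are placeholders,
not real CVEs, and the components and versions describe no real device.
"""
from __future__ import annotations

import json
import re
from typing import Optional

# Constructed SBOM in a minimal CycloneDX-like shape.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "openssl", "version": "1.1.1k"},
        {"type": "library", "name": "zlib", "version": "1.2.13"},
        {"type": "library", "name": "lwip", "version": "2.1.3"},
        {"type": "library", "name": "freertos"},  # version missing on purpose
    ],
})

# Constructed advisory feed. Each entry covers versions in [introduced, fixed);
# fixed=None means no patched release exists yet.
SAMPLE_ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "component": "openssl", "introduced": "1.1.1", "fixed": "1.1.1l"},
    {"id": "ADV-EXAMPLE-0002", "component": "zlib", "introduced": "1.2.0", "fixed": "1.2.12"},
    {"id": "ADV-EXAMPLE-0003", "component": "lwip", "introduced": "2.0.0", "fixed": "2.1.3"},
    {"id": "ADV-EXAMPLE-0004", "component": "lwip", "introduced": "2.2.0", "fixed": None},
]


def version_key(version: str) -> tuple:
    """Tokenise a version string so tuples compare in release order.

    Digit runs become integers and letter runs stay strings (so 1.1.1k < 1.1.1l);
    the (0, ...) / (1, ...) tag keeps int-vs-str comparisons from raising.
    """
    tokens = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(t)) if t.isdigit() else (1, t.lower()) for t in tokens)


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """True when introduced <= version < fixed (or >= introduced with no fix)."""
    key = version_key(version)
    if key < version_key(introduced):
        return False
    return fixed is None or key < version_key(fixed)


def match_sbom(sbom_json: str, advisories: list) -> dict:
    """Return the components hit by an advisory and those that cannot be assessed."""
    bom = json.loads(sbom_json)
    by_component: dict = {}
    for adv in advisories:
        by_component.setdefault(adv["component"].lower(), []).append(adv)

    affected, needs_review = [], []
    for comp in bom.get("components", []):
        name = comp.get("name", "").lower()
        version = comp.get("version")
        if not version:
            # An entry without a version cannot be matched; surface it instead
            # of letting an unknown component pass as "no findings".
            needs_review.append({"component": name, "reason": "version missing"})
            continue
        for adv in by_component.get(name, []):
            if is_affected(version, adv["introduced"], adv["fixed"]):
                affected.append({"component": name, "version": version,
                                 "advisory": adv["id"], "fixed": adv["fixed"]})
    return {"affected": affected, "needs_review": needs_review}


if __name__ == "__main__":
    print(json.dumps(match_sbom(SAMPLE_SBOM, SAMPLE_ADVISORIES), indent=2))
```

Run against the sample data, only openssl 1.1.1k is reported (zlib is past its fix and lwip 2.1.3 sits exactly at a fix boundary), and freertos lands in the review list. For a real programme the SBOM and feed would be read from files and the match re-run on every feed update, with the review list treated as a finding in its own right.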

Methodology

True to our commitment, we don't merely reference methodologies like OWASP and PTES — we embody them. After thorough testing, we conclude with a detailed checklist, ensuring transparent and genuine adherence to these recognized standards

PTES
OWASP Mobile Security Testing Guide
OWASP Web Security Testing Guide
OWASP Application Security Verification Standard

Submission-ready reporting that builds FDA Confidence

Our deliverables are purpose-built to support FDA’s reasonable assurance of cybersecurity — helping you clearly demonstrate that security risks have been addressed, tested, and controlled across your SaMD or connected medical device

FDA-Aligned Penetration Testing Report

Detailed, audit-friendly documentation outlining test scope, methods, timelines, and findings, vulnerability descriptions and remediation recommendations prioritized by clinical impact and exploitability

Threat Model Document

Clear, visual mapping of how real-world threats could exploit weaknesses across your system — highlighting high-risk components

Testing Checklist

A structured breakdown of all tested layers to show how your security testing aligns with FDA’s expectations for thoroughness and transparency

Letter of Attestation

A formal statement confirming all critical and high-risk issues have been remediated and verified, providing independent validation of your system’s security posture

Case studies

An invaluable resource for staying up-to-date on the latest cybersecurity news, product updates, and industry trends

Continuous Pentesting Strengthens AdTech Security
Enterprise-Grade Security in Finance & AI
MDR-Aligned Security Testing for Patient-Centric Health Apps

Compliance testing solutions beyond FDA

Our penetration testing services are designed to make your systems truly secure — not just technically compliant. By focusing on real-world threats and infrastructure risks, we help you meet and exceed the expectations of critical frameworks like GDPR, HIPAA, EU MDR/IVDR, ISO/IEC 27001, and SOC 2. Whether you're preparing for regulatory submissions, client due diligence, or certification audits, we ensure your cybersecurity posture delivers lasting protection and regulatory confidence

SOC 2
FDA
EU MDR/IVDR
ISO 27001

What our clients are saying

90% of our clients return

Sekurno exceeded our expectations, identifying critical vulnerabilities that neither we nor other vendors had detected, and providing actionable recommendations. Their team was responsive, flexible, and consistently provided valuable insights.

Sep 18, 2024

Markus T.

Chief Technology Architect


If you are going to invest in penetration testing, make sure it is more than just a formality. Work with a partner who helps you learn something from the process and improves your actual security. With Sekurno, we received useful feedback and our team became more security aware as a result.

April 11, 2025

Mads

CTO


Our collaboration with Sekurno has consistently been seamless.

Jun 12, 2023

Roy

DG VP


We were genuinely impressed; Sekurno identified vulnerabilities that even major cybersecurity companies within the Google group missed.

April 11, 2025

Chan S.

CEO


Their expertise was evident in every aspect of the engagement.

Sep 18, 2024

Max, R.

Deputy CTO


Talk to us

Chat with a cybersecurity expert. Schedule a call with us and we'll work with you to understand your specific needs and create a tailored solution for you
