What to Expect from a Medical Device Penetration Test

If you've never put a medical device through a penetration test before, the process can feel opaque. This article walks through exactly what happens during a typical engagement so you know what to expect.

What We're Testing

A medical device pentest covers the full attack surface of your device:
- Network protocols: Wi-Fi, Bluetooth/BLE, Zigbee, cellular, and any wired network interfaces
- Firmware: We extract and reverse-engineer the firmware to look for hardcoded credentials, insecure update mechanisms, and exploitable vulnerabilities
- Physical hardware: JTAG ports, debug interfaces, USB attack vectors, and tamper resistance
- Cloud/backend: If your device communicates with a cloud service, we test the APIs, authentication, and data handling
Not every device needs every test type. During scoping, we'll work with you to determine which attack surfaces are relevant based on your device's architecture.

The Process

1. Scoping
Create an engagement on Thrombus, upload your documentation and source code, and select your test type — all self-service, on your schedule. No back-and-forth calls to get started.

2. Device Shipping
Ship the device to our hardware lab. We need a fully functional unit, any companion apps, and documentation about the device's architecture and intended use environment.

3. Testing (~4 Weeks)
Our researchers work through the test plan methodically. You can track progress in real time on Thrombus. If we find critical issues early, we'll flag them immediately rather than waiting for the final report.

4. Report Delivery
You receive an FDA-compliant pentest report that includes:
- Executive summary with key findings
- Detailed methodology — exactly what we tested and how
- Findings with proof-of-concept — reproducible evidence for each vulnerability
- Risk assessment — findings prioritized by clinical impact, not just CVSS score
- Remediation guidance — specific, actionable fix recommendations including code-level suggestions where applicable

5. Remediation
Your engineering team addresses the findings using the remediation guidance in the report.

6. Re-Testing (~1 Week)
We re-test for free within 60 days to verify the fixes are effective.

7. Letter of Remediation
You receive a formal letter of remediation confirming that identified vulnerabilities have been resolved — ready to include alongside your pentest report in your FDA submission.

What Makes Medical Device Pentesting Different

Generic penetration testing firms test web apps and corporate networks. Medical device testing is fundamentally different:
- Physical hardware — we need a lab, specialized equipment, and hands-on access to the device
- Clinical context — a buffer overflow in a web app is a data breach; in an infusion pump, it's a patient safety issue
- Regulatory requirements — the report needs to map to FDA premarket cybersecurity guidance, not just list CVEs
- Embedded systems — most medical devices run on embedded platforms with custom firmware, not standard operating systems
This is why we focus exclusively on medical devices rather than trying to be a general-purpose pentest shop.

How Long Does It Take?

- Scoping: Self-service on Thrombus — instant
- Testing: ~4 weeks from device receipt
- Report delivery: Included at the end of testing
- Re-testing: ~1 week

Once we receive your device, plan for ~4 weeks to your initial report, plus remediation time on your end before re-testing.

Ready to secure your device?

Our penetration tests are designed specifically for FDA premarket and post-market requirements.