We built a better cybersecurity testing model. One that speaks to engineers and regulators, like the FDA.
Engineering-First, Regulatory-Aligned: Designed from the ground up to match FDA expectations by people who advised on and drafted the Premarket and Postmarket cybersecurity guidance.
Reduce Regulatory Friction: Reports formatted for submission and design-history files, in language that engineers and regulators can easily digest, to ease paperwork burdens.
Prioritized Toward What Matters: Findings relevant to patient safety and clinical effectiveness, rather than an abstract concept of cybersecurity, eliminating unnecessary engineering and documentation.
Standards-Aware: Cybersecurity testing methodologies that can fit within broader standards and frameworks, such as those from ISO, IEC, AAMI, UL, and NIST.
1. Scoping and Threat Modeling
Identify exposure surfaces aligned to device architecture, intended use, and risk controls. This key step ensures testing coverage matches what the FDA expects to see.
2. Cybersecurity Testing
Evaluate the device for potential threats to safety and effectiveness, including those identified in the prior phase, and capture evidence to contextualize findings appropriately. Our methodology includes the following types of testing, as called out in FDA premarket guidance.
- Automated Scanning: Run tools to examine device interfaces (such as network ports, Wi-Fi, and Bluetooth) for known vulnerabilities and to map exposure surfaces in greater detail.
- Static & Dynamic Analysis: Review the binaries and code of key components, including embedded, mobile, and web or API components, to identify weaknesses or entry points, including credentials, opcodes, cryptographic flaws, and authentication bypasses.
- Fuzz Testing & Protocol Analysis: Stress-test communication layers (BLE, Wi-Fi, proprietary RF, and TCP/IP) and other interfaces.
- Penetration Testing: Simulate and emulate adversarial techniques, which can include known patterns, emergent techniques, and custom pathways.
- Vulnerability Chaining: Document the pathways, techniques, and conditions required to reach each finding, so that its context is accurately described.
3. Reporting, Remediation, and Retest
Formal reports focus on empirical evidence, showing the effects testing was (and was not) able to achieve, without guesswork or assumptions. Each finding is contextualized, including detailed descriptions of the activity and conditions required to produce the finding, as well as traceability to the relevant harm, hazard, or threat.
As the FDA expects to see a remediation and retesting cycle for any findings, Stratigos keeps you apprised of progress and findings along the way and provides tailored guidance for addressing them. A retesting addendum report shows the FDA that your processes can effectively address identified cybersecurity issues.
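The reporting phase above asks for each finding to carry its preconditions, the activity performed, what was and was not achieved, and a traceability link to the hazard analysis, followed by a retest addendum. The following added example (not Stratigos's tooling, and not from the original page) sketches how a manufacturer might structure that evidence in code so the traceability matrix, untraced findings, and retest reconciliation can be generated for a design-history file rather than assembled by hand. The `Hazard` and `Finding` classes, the hypothetical infusion-style device, and all hazard and finding records are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Hazard:
    """One row of the device hazard analysis (constructed, ISO 14971 style)."""
    hid: str
    hazard: str
    harm: str
    severity: int  # constructed 1 (negligible) to 5 (catastrophic) scale


@dataclass
class Finding:
    """One contextualized test finding: what was done, what was (not) achieved, and why it matters."""
    fid: str
    title: str
    interface: str
    preconditions: list[str]       # conditions required to reproduce the finding
    activity: list[str]            # what the tester actually did, in order
    effect_achieved: str           # effect testing was able to demonstrate
    effect_not_achieved: str       # effect testing could not demonstrate (stated, not assumed)
    hazard_ids: list[str] = field(default_factory=list)  # traceability to hazard analysis rows


def traceability_matrix(findings: list[Finding], hazards: list[Hazard]) -> dict[str, list[str]]:
    """Map each hazard id to the finding ids that trace to it; hazards with no findings map to []."""
    matrix: dict[str, list[str]] = {h.hid: [] for h in hazards}
    for f in findings:
        for hid in f.hazard_ids:
            if hid in matrix:
                matrix[hid].append(f.fid)
    return matrix


def untraced_findings(findings: list[Finding], hazards: list[Hazard]) -> list[str]:
    """Findings citing no known hazard id: these still need a harm/hazard link before the report is final."""
    known = {h.hid for h in hazards}
    return [f.fid for f in findings if not any(h in known for h in f.hazard_ids)]


def worst_severity(finding: Finding, hazards: list[Hazard]) -> int:
    """Highest hazard severity a finding traces to (0 if untraced); drives remediation priority."""
    by_id = {h.hid: h for h in hazards}
    return max((by_id[h].severity for h in finding.hazard_ids if h in by_id), default=0)


def retest_status(initial_ids: list[str], retest_ids: list[str]) -> dict[str, list[str]]:
    """Reconcile the initial report with the retest addendum: remediated, still open, or newly found."""
    initial, retest = set(initial_ids), set(retest_ids)
    return {
        "remediated": sorted(initial - retest),
        "open": sorted(initial & retest),
        "new": sorted(retest - initial),
    }


# Constructed sample data for a hypothetical infusion-style device (not a real product).
HAZARDS = [
    Hazard("H-01", "Unintended change to therapy settings", "Over- or under-delivery of therapy", 5),
    Hazard("H-02", "Loss of device telemetry", "Delayed clinical response", 3),
    Hazard("H-03", "Disclosure of patient data", "Loss of privacy", 2),
]

FINDINGS = [
    Finding("F-01", "Settings characteristic writable without authenticated session", "BLE",
            preconditions=["Within BLE range", "Device in normal operating mode"],
            activity=["Connected from a test laptop", "Wrote to the settings characteristic"],
            effect_achieved="Setting value changed and persisted across reboot",
            effect_not_achieved="Hardware dose limit was not bypassed",
            hazard_ids=["H-01"]),
    Finding("F-02", "Telemetry service restarts on malformed frame", "Wi-Fi",
            preconditions=["On the same network segment as the device"],
            activity=["Fuzzed the telemetry frame header"],
            effect_achieved="Telemetry process restarted after roughly 10 s",
            effect_not_achieved="No effect on therapy delivery observed",
            hazard_ids=["H-02"]),
    Finding("F-03", "Debug log written to removable storage", "USB",
            preconditions=["Physical access to the service port"],
            activity=["Inspected log contents"],
            effect_achieved="Log contains device serial number only",
            effect_not_achieved="No patient data found in the log",
            hazard_ids=[]),  # untraced: the reviewer must decide whether H-03 applies
]

if __name__ == "__main__":
    print(traceability_matrix(FINDINGS, HAZARDS))
    print("untraced:", untraced_findings(FINDINGS, HAZARDS))
    print(retest_status(["F-01", "F-02", "F-03"], ["F-02", "F-04"]))
```

The point of `effect_not_achieved` being a required field is the one the reporting text makes: a finding records what testing could not demonstrate as explicitly as what it could, so a reviewer is not left to infer the boundary. `untraced_findings` is the check to run before the report leaves the building; a finding with no hazard link cannot be prioritized against patient safety, which is the page's stated criterion.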
4. Regulatory Support
Stratigos can help as you prepare documentation demonstrating how the cybersecurity testing aligns to FDA guidance, such as evaluating the effectiveness of threat scenario identification, design requirement implementation, boundary analysis, and cybersecurity risk control measures. In addition, this documentation can provide further context around any findings, remediation, and future cybersecurity plans, heading off questions from the FDA in advance.
Each step is designed to provide high assurance of a full end-to-end cybersecurity test, tailored to your hazard analysis and threat modeling. This reduces overall time and cost while ensuring your cybersecurity documentation matches the FDA guidance and expectations.
Built by FDA Advisors
Trusted by Innovators Like You
“We interviewed 27 different penetration-testing firms before finding Stratigos. They were the only one who knew what we needed to do and how to get it done.”
— Director of Software Engineering, MedTech Startup
Get to Know Us
Regulatory Fluency: Our experts include former FDA employees who informed and drafted their cybersecurity guidance, so we understand what reviewers look for.
Engineer-to-Engineer Testing: We speak your language — firmware, cloud, and clinical workflows — and can frame results in ways regulators understand.
Startup Speed: We deliver actionable reports and remediation paths in weeks, not months.
Proven Track Record: We have helped over a dozen manufacturers get clearance and approval without undue cybersecurity-related delays.
If you're building a life-saving device, we'll help you get it to the people who need it, quickly and without undue cost or risk.