Frequently Asked Questions
Find answers to common questions about medical device cybersecurity, Product Security Hub, compliance, and how we help reduce manual product security work.
What is SBOM and why do medical device companies need one?
An SBOM (Software Bill of Materials) is a machine-readable inventory of every software component in your product: the code you wrote, the libraries you link, and their transitive dependencies, each identified by name and version (SPDX and CycloneDX are the two common formats). Medical device companies need SBOMs because FDA's 2023 premarket cybersecurity guidance and section 524B of the FD&C Act require one for cyber devices, and because EU MDR cybersecurity expectations and AAMI SW96 security risk management assume you know exactly what is in the product. A current SBOM lets you match components against vulnerability databases, manage supply chain risk, and provide evidence of due diligence during audits and post-market surveillance. One caveat: an SBOM is only as useful as it is current, so generate it from the build for every released version rather than maintaining it by hand. Learn more about SBOM best practices →
What is threat modeling and how does it help with compliance?
Threat modeling is the structured process of describing your product architecture (assets, trust boundaries, data flows), identifying the threats against it, analyzing their impact, and designing mitigations. For regulated medical devices, FDA's premarket cybersecurity guidance asks for a threat model in the submission, and the same analysis supplies the security risk management evidence that EU MDR and the AAMI SW96 and IEC 62304 lifecycle processes expect to see documented. The result is auditable evidence that you have systematically considered and addressed security risks, and a living artifact that must be revisited as the design and the threat landscape change after market launch. See our threat modeling guide →
What is CVSS scoring and why should I use it?
CVSS (Common Vulnerability Scoring System) is a standardized method for rating the technical severity of a vulnerability on a scale of 0 to 10 from a short vector string that records attack vector, attack complexity, privileges required, user interaction, scope, and the confidentiality, integrity and availability impact. Using CVSS helps you prioritize remediation, communicate risk consistently across your organization, and demonstrate due diligence to regulators; it is the industry standard for vulnerability severity in medical device cybersecurity. Two caveats a practitioner should keep in mind: the base score rates the vulnerability in isolation, not the clinical risk in your device's deployment, so apply the environmental metrics (MITRE has published a rubric for applying CVSS to medical devices) and record the rationale; and when you quote a score, quote the vector and the CVSS version with it, because the same weakness scores differently under v3.1 and v4.0. Explore our CVSS scoring guide →
How does Product Security Hub help reduce manual work?
Product Security Hub eliminates fragmented tools and spreadsheets by centralizing threat modeling, SBOM management, vulnerability tracking, and compliance evidence in one system. Teams get up to 50% efficiency gains by: avoiding duplicate documentation, automating traceability between components and threats, using AI to draft compliance evidence, and having a single source of truth for audits instead of piecing together data across multiple tools. Learn more about AI automation →
What regulatory frameworks does Product Security Hub support?
Product Security Hub is designed for teams managing medical device cybersecurity under FDA Cybersecurity Guidance (premarket and postmarket), EU MDR (design and post-market obligations), AAMI TIR57 and AAMI SW96 (security risk management and secure-by-design principles), and IEC 62304 and IEC 62443-4-1 (software lifecycle and secure product development requirements). Every plan includes built-in compliance evidence features mapped to these frameworks. See audit preparation guide →
How does complete traceability help with audits and post-market surveillance?
Complete traceability means every vulnerability traces back to an SBOM component, which links to an element of the system architecture, which connects to the threats and security requirements that cover it. During audits, you can show regulators, without reassembling data from several tools: which components are in your product, which vulnerabilities affect them, which threats those vulnerabilities would realize, and how you have mitigated the risk. For post-market issues, you can immediately identify the affected product versions and produce regulator-ready documentation. Explore vulnerability management →
What's the difference between threat modeling and vulnerability management?
Threat modeling is proactive: you design your architecture, identify the threats it could face, and build in mitigations before you code. Vulnerability management is reactive: you discover actual vulnerabilities (from SBOM matching, security testing, or external reports), prioritize them by CVSS and by exploitability in the device's deployment, and track remediation. Product Security Hub connects both: threats from your model tell you which vulnerabilities matter most, and real vulnerabilities feed back into threat model updates. Learn vulnerability triage →
How do I get started with Product Security Hub?
Start with our free tier to scan your SBOM and match its components against Google's OSV (Open Source Vulnerabilities) database. When you're ready to manage vulnerabilities over time and connect them to threat models, upgrade to Starter or Growth. Our team can help you build your initial architecture diagram and threat model. For Enterprise deployments, we provide dedicated onboarding to ensure your compliance program is properly configured from day one. See our getting started guide →
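As an added example that is not Product Security Hub code, here is the offline core of the SBOM scan described above and in the SBOM and traceability answers: parse a CycloneDX SBOM, build a request body in the shape of OSV's /v1/querybatch API, and match each component against advisory records in OSV's affected-range format, keeping the bom-ref so every finding traces back to the component it came from. The SBOM, the advisory identifiers, ranges and scores are constructed placeholders (not real vulnerability records), and the version comparison is a deliberate simplification of the per-ecosystem rules a production scanner must use.

```python
"""Match a CycloneDX SBOM against OSV-style advisories, tracing hits to bom-refs.

Added example for this FAQ, not Product Security Hub code. The SBOM and the
advisory records below are constructed placeholders: the advisory IDs, ranges
and scores are invented for illustration and are not real vulnerability data.
"""
import itertools
import json

# Constructed CycloneDX 1.5 SBOM fragment (sample input).
SBOM_JSON = r'''{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"component": {"name": "example-pump-controller", "version": "3.2.0"}},
  "components": [
    {"bom-ref": "c1", "type": "library", "name": "requests", "version": "2.25.1",
     "purl": "pkg:pypi/requests@2.25.1"},
    {"bom-ref": "c2", "type": "library", "name": "lodash", "version": "4.17.21",
     "purl": "pkg:npm/lodash@4.17.21"},
    {"bom-ref": "c3", "type": "library", "name": "openssl", "version": "0.10.55",
     "purl": "pkg:cargo/openssl@0.10.55"}
  ]
}'''
SBOM = json.loads(SBOM_JSON)


def _adv(adv_id, severity, ecosystem, name, events):
    """One record in OSV's affected/ranges/events shape (constructed data)."""
    return {"id": adv_id, "severity": severity,
            "affected": [{"package": {"ecosystem": ecosystem, "name": name},
                          "ranges": [{"type": "ECOSYSTEM", "events": events}]}]}


ADVISORIES = [  # placeholder advisories, not real CVEs
    _adv("ADV-EXAMPLE-0001", 6.1, "PyPI", "requests", [{"introduced": "2.3.0"}, {"fixed": "2.31.0"}]),
    _adv("ADV-EXAMPLE-0002", 7.4, "npm", "lodash", [{"introduced": "0"}, {"fixed": "4.17.21"}]),
    _adv("ADV-EXAMPLE-0003", 7.5, "crates.io", "openssl", [{"introduced": "0"}, {"fixed": "0.10.56"}]),
]

# purl type -> OSV ecosystem name (subset of the real mapping).
ECOSYSTEMS = {"pypi": "PyPI", "npm": "npm", "cargo": "crates.io", "golang": "Go"}


def parse_purl(purl: str):
    """Split pkg:type/namespace/name@version?qualifiers#subpath into
    (type, namespace/name, version); qualifiers and subpath are dropped."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a package URL: {purl!r}")
    body = purl[4:].split("?", 1)[0].split("#", 1)[0]
    ptype, _, rest = body.partition("/")
    name, sep, version = rest.rpartition("@")
    if not sep:  # no version: rpartition put the whole name into 'version'
        name, version = version, ""
    return ptype, name, version


def version_key(version: str) -> tuple:
    """Leading integer of each dotted segment, trailing zeros dropped, so
    'v1.2.0' == '1.2'. Simplification: semver pre-releases and PEP 440
    epochs are not modelled; use the ecosystem's own comparison in production."""
    parts = []
    for seg in version.lstrip("v").split("."):
        digits = "".join(itertools.takewhile(str.isdigit, seg))
        parts.append(int(digits) if digits else 0)
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_affected(version: str, events: list) -> bool:
    """Walk a range's events in ascending version order (sort first if unsure).
    'fixed' is exclusive, 'last_affected' is inclusive."""
    v = version_key(version)
    affected = False
    for ev in events:
        if "introduced" in ev and version_key(ev["introduced"]) <= v:
            affected = True
        elif "fixed" in ev and version_key(ev["fixed"]) <= v:
            affected = False
        elif "last_affected" in ev and version_key(ev["last_affected"]) < v:
            affected = False
    return affected


def components(sbom: dict) -> list:
    """Flatten components to what a lookup needs, keeping bom-ref for traceability."""
    out = []
    for c in sbom.get("components", []):
        ptype, name, version = parse_purl(c["purl"])
        out.append({"bom_ref": c["bom-ref"], "purl": c["purl"], "name": name,
                    "version": version, "ecosystem": ECOSYSTEMS.get(ptype, ptype)})
    return out


def osv_batch_queries(sbom: dict) -> dict:
    """Request body for POST https://api.osv.dev/v1/querybatch (built, not sent)."""
    return {"queries": [{"version": c["version"],
                         "package": {"name": c["name"], "ecosystem": c["ecosystem"]}}
                        for c in components(sbom)]}


def match_sbom(sbom: dict, advisories: list) -> list:
    """Offline equivalent of the OSV lookup: one finding per (component, advisory)
    whose range covers the installed version, highest severity first."""
    findings = []
    for c in components(sbom):
        for adv in advisories:
            for aff in adv["affected"]:
                pkg = aff["package"]
                if (pkg["ecosystem"], pkg["name"]) != (c["ecosystem"], c["name"]):
                    continue
                for rng in aff["ranges"]:
                    if is_affected(c["version"], rng["events"]):
                        fixed = [e["fixed"] for e in rng["events"] if "fixed" in e]
                        findings.append({"bom_ref": c["bom_ref"], "purl": c["purl"],
                                         "advisory": adv["id"], "severity": adv["severity"],
                                         "fixed_in": fixed[0] if fixed else None})
                        break
    return sorted(findings, key=lambda f: f["severity"], reverse=True)


if __name__ == "__main__":
    for f in match_sbom(SBOM, ADVISORIES):
        print(f"{f['severity']:4.1f} {f['advisory']} {f['purl']} fix={f['fixed_in']} -> {f['bom_ref']}")
```

Note the lodash case: the installed version equals the advisory's "fixed" version, so it is correctly not reported. Off-by-one handling of the exclusive "fixed" boundary is where home-grown scanners most often produce false positives, and the bom-ref carried in each finding is what lets the result be linked back to the architecture element and threat in the traceability chain described above.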
Can Product Security Hub integrate with my existing tools and QMS?
Yes. Product Security Hub feeds accurate, auditable compliance evidence into your Quality Management System (QMS) and existing workflows. You can export traceability reports, vulnerability summaries, and threat assessments in formats your team needs. Contact us to discuss specific integrations with your current security and compliance tools. Get in touch with our team →
What happens if I find a vulnerability in post-market?
Product Security Hub makes post-market response faster and more complete. You log the vulnerability, it automatically links to affected SBOM versions and components, your threat model shows you which architecture elements are impacted, and your compliance evidence repository updates with mitigation details. You instantly have the documentation needed for regulatory notification, customer communication, and ongoing surveillance. Learn about residual risk management →
Still have questions?
Get in touch with our team to discuss your product security needs.