Components are the building blocks of your security analysis. When you add a component with a specific Component Type, Product Security Hub automatically generates the threat model and recommended security requirements. This is where your architecture becomes a living security document.
Before you start, you should have a basic understanding of your product's components (hardware, software, and external interfaces).
🔑 Key Concept: Component Types Drive Everything
Each Component Type in Product Security Hub is mapped to a curated library of threats and security requirements based on FDA guidance, industry standards, and real-world attack patterns. When you select a Component Type, you get expert-level security analysis without being a security expert.
Component Type Reference
Use the exact terminology below when adding components to draw.io diagrams in the app. Click on a category to expand and see all component types.
DataAccountsCredentialsandPasswords
An object or data that binds an identity to at least one authenticator (e.g., password) possessed and controlled by a subscriber (e.g., person, application, system service)
DataCryptographickeys
A secret used in conjunction with a cryptographic algorithm that determines the specific operation of that algorithm in such a way that an entity with knowledge of the key can reproduce or reverse the operation while an entity without knowledge of the key cannot
DataDICOM
Digital Imaging and Communications in Medicine (DICOM) is a standard and protocol for the communication and management of medical imaging information and related data, most commonly used for storing and transmitting medical images
DataPIIPHI
Any information that permits the identity of an individual or health attributes of an individual to be directly or indirectly inferred - including Personally Identifiable Information (PII), Personal Health Information (PHI), Individually Identifiable Health Information (IIHI), or Personal Data (as defined in GDPR)
DataQRCode
A Quick Response (QR) code is a printed pattern which often contains data for a locator, identifier, or tracker that points to a website or application
DataFlowComponenttoComponent
The device communications and interfaces between unique physical components within a system or device
The device communications and interfaces between external systems and other external entities
DataFlowUsertoWebApplication
The network based communication and transmission of data from a user interacting with a web application, typically through an internet browser
DataflowWireless
Wireless data flow refers to the communication and transfer of information among two or more devices without a wire. The most common wireless data flows use various forms of radio communications
DataStorageDatabase
An organized collection of structured information, or data, stored electronically in a computer system
DataStorageEEPROMFlashnonvolatilememory
Non-volatile memory (retains data without power) typically embedded on a circuit board
DataStorageHardDrive
Also called a Hard Disk - a magnetic disk within a drive unit used for storing data
DataStorageInternalFlashSD
Removable Flash memory (e.g., SD card) internal or external to the device
DataStorageNetwork
Storing data using a method that is made available to clients on a network, including Network Attached Storage (NAS) devices or general purpose computing devices and servers
Firmware
Computer programs and data stored in hardware - typically in read-only memory (ROM) or programmable read-only memory (PROM) - such that the programs and data (within firmware) cannot be dynamically written or modified during execution of the programs
HardwareBattery
A battery is a component that stores electrical energy, generally in the form of a chemical material that can be converted to electrical energy, enabling a device to be portable or otherwise operate without a wired electrical connection
HardwareeFuses
eFuses, also called electronic fuses, are integrated circuits used as one-time programmable ROM
HardwareEmbeddedSingleBoardComputer
A complete computer built on a single circuit board, with microprocessor(s), memory, input/output and other features required of a functional computer
HardwareInterfaces
The interfaces used to connect two devices or components together, specifically with SoC (system on chip) peripherals and how they interact with a CPU or other device components
HardwareJTAGSWD
JTAG (Joint Test Action Group) is an industry standard that specifies the use of a dedicated debug port implementing a serial communications interface for low-overhead access without requiring direct external access to the system address and data buses. SWD is a low pin-count physical interface for JTAG debugging on ARM-processors
HardwareMicrocontroller
A microcontroller unit/MCU is a small computer on a single integrated circuit (IC) chip and contains one or more CPUs (processor cores) along with memory and programmable input/output peripherals
HardwarePINS
Printed Circuit Board (PCB) pins, also called general-purpose input/output (GPIO) pins, are uncommitted digital signal pins on an integrated circuit or electronic circuit board which may be used as input, output, or both
HardwarePortableStorageDevice
Portable device that can be connected to a computer, device, or network to provide data storage
HardwarePrintedCircuitBoardAssembly
A printed circuit board (PCB) or PCBA is hardware that affixes electronic components and connections to a board to provide reliable electrical connections and circuits between the circuit board components
HardwareSingleUseCartridge
A disposable component used for a single application of medication or other therapy
HardwareSpecializedServiceDeviceorPC
Devices used by staff employed by or managed by a device manufacturer to conduct service to device and components installed at a customer site
HardwareSystemonModule
A System-on-a-Chip (SOC) or System on Module (SOM) brings components of a computer into a single chip or integrated circuit, including CPU, RAM, ROM, and other peripherals
HardwareVirtualCOMport
Also called a virtual serial port, a virtual or emulated port for wired communications used due to a lack of a dedicated, physical communication interface
LabelingDocumentationandIFU
Documentation related to security such as the Instructions for Use (IFU), Manufacturer's Disclosure Statement for Medical Device Security (MDS2), and Software Bill of Materials (SBOM)
MobileAppBinary
The file format used to package and distribute mobile apps
MobileAppStore
A storefront provided by operating system providers (typically mobile devices such as Apple App Store and Google Play Store) to allow access to and purchase of software applications
OperatingSystemLinux
An open source Unix-like operating system based on the Linux kernel
OperatingSystemRTOS
A real-time operating system (RTOS) is an operating system (OS) for real-time applications that processes data and events that have critically defined time constraints
OperatingSystemSystemAccounts
User accounts and service/application accounts used within the Operating System
OperatingSystemWindows
Proprietary graphical operating system developed and marketed by Microsoft
PeripheralsLocalPrinter
A peripheral device attached via a physical wire or USB which prints information (makes a persistent representation of graphics or text on paper or other medium)
PeripheralsUserInterface
The physical means (buttons and switches without a display) by which users interact with a system or device
A physical device or feature (touchscreen, display, keyboard, mouse, barcode reader) by which users interact with a system or device
PortsEthernetPort
A wired computer networking technology commonly used in local area networks (LAN) and wide area networks (WAN) that implement IEEE 802.3
PortsUSBPort
A physical port to implement the Universal Serial Bus (USB) specification - for cables, connectors and protocols for connection, communication and power supply between computers, peripherals and other computers
PortsVideoPort
Also called a graphics port, a video port is used to connect a display to a device
ServicesActiveDirectory
A directory service developed by Microsoft for Windows domain networks that is primarily used to perform authentication and authorization for users, computers, permissions, file servers, and software applications
ServicesCodeSigningInfrastructure
Infrastructure (systems, tools, and processes) that supports signing distributable files with public key cryptography, so that consumers can verify the software is in the state the publisher intended and has not been corrupted or tampered with after the publisher signed it
ServicesContainerRegistry
A repository to build, store, and manage container images and artifacts as well as provide connectivity and support for container orchestration platforms
ServicesMultifactorAuthenticationservice
An internal or external service provider for Multi-factor authentication - an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism
ServicesNetworkService
Network-based application service that enables access to a specific set of functionality and data. Network services are enabled on network ports and are often set by the operating system and some network facing applications
SoftwareAIModel
A program that has been trained on a set of data to recognize certain patterns or make certain decisions without human intervention
SoftwareAPI
An Application Programming Interface (API) allows services and products to communicate with each other and leverage each other's data and functionality through a shared software interface generally over a network
SoftwareBIOS
Basic Input/Output System (BIOS) is firmware used to provide runtime services for operating systems and programs and to perform hardware initialization during the booting process
SoftwareBootLoader
Also called a boot manager, the bootloader is a small program that places the operating system (OS) into memory after a device is powered on and initialized by a BIOS
SoftwareContainer
A lightweight package of software that operates within an operating system and includes the system libraries, system tools, and other platform settings required by the software
SoftwareDesktop
Also called a program or application, a set of code and instructions stored in and executed by a computing device assigned to an individual (e.g., a user's computer or workstation)
SoftwareFieldService
Software used by staff employed by or managed by a device manufacturer to conduct service to device and components installed at a customer site
SoftwareFirewall
An inter-network connection device that restricts data communication traffic between two connected networks. A firewall may be either an application installed on a general-purpose computer or a dedicated platform (appliance), which forwards or rejects/drops packets on a network
SoftwareFirmwareControl
Software that is purpose built for controlling hardware through defined interfaces with firmware
SoftwareGateway
An intermediate system (interface, relay) that attaches to two (or more) computer networks that have similar functions but dissimilar implementations and that enables either one-way or two-way communication between the networks
SoftwareGatewayWebClient
Software acting on behalf of a human user to access and make use of a published service (API) or web application provided by a Gateway
SoftwareLoginform
A software-based input form, generally included as part of an application or operating system, for entering authentication credentials to access a restricted area of software, application, or operating system
SoftwareMobileApp
A computer program or software application designed to run on a mobile device such as a phone, tablet, or watch
SoftwareMQTTClient
MQTT Clients can publish data to a topic to send messages to any subscribers through a MQTT Server/Broker and can subscribe to a topic to be notified when a message is published on a MQTT Server/Broker
SoftwareMQTTServerBroker
MQTT Servers, also called Brokers, are central software entities in the MQTT architecture. An MQTT broker is an intermediary entity that enables MQTT clients to communicate. MQTT brokers accept connection requests from clients, perform client authentication, and store, queue, and cache messages for clients. MQTT is a standard messaging protocol designed as an extremely lightweight publish/subscribe messaging transport
SoftwareOnProduct
Also called a program or application, a set of code and instructions stored in and executed by the host computing device
SoftwareOPCUA
OPC Unified Architecture is a cross-platform, open-source, IEC62541 standard for data exchange from sensors to cloud applications
SoftwarePACSDICOMServer
Picture archiving and communication system (PACS) - a medical imaging technology which provides storage and network-based access to images from multiple source devices, generally in DICOM format
SoftwareRemoteAccess
Software that facilitates access to a device by a user through a non-organization-controlled network
SoftwareSFTPClient
File Transfer Protocol (FTP) is a communication protocol used for the transfer of computer files from a server to a client on a computer network. The FTP Server hosts the information for FTP clients to access, and is secured with SSL/TLS (FTPS) or SSH File Transfer Protocol (SFTP)
SoftwareSFTPServer
File Transfer Protocol (FTP) is a communication protocol used for the transfer of computer files from a server to a client on a computer network. The FTP Server hosts the information for clients to access, and is secured with SSL/TLS (FTPS) or SSH File Transfer Protocol (SFTP)
SoftwareSSHServer
Software that provides access over a network to a SSH client - for securely exchanging data between two computers
SoftwareUpdatePackages
The package or files constituting a software update, which is a new, improved, or fixed software, which replaces older versions of the same software. May also be called a patch or service pack
SoftwareUserManagement
Software that provides the ability for administrators to create and manage users or staff identities, roles, permissions, and access management within a system, device, or software
SoftwareVPNClient
Client-side software for securing and encrypting IP communications to a VPN Server
SoftwareVPNServer
Server-side software for securing and encrypting IP communications with VPN Clients
SoftwareWebApplication
A set of code and instructions stored on a separate device and hosted by a Web Server so that users can access it through a web browser or custom software client
SoftwareWebServer
Software that provides internet or intranet services, typically to provide access over the network for a Web Application or API
SupplyChainDevelopmentSystems
Systems, resources, and people involved in the development of components, including software, firmware, and hardware development
SupplyChainManufacturingSystems
Systems, resources, and people involved in the manufacturing of components, including software, firmware, and hardware development
SupplyChainServiceandOperationsSystems
Systems, resources, and people involved in the servicing or operations of components, including software, firmware, and hardware development
SupplyChainSuppliers
Suppliers of software, firmware, hardware, systems, resources, and people involved in the development, manufacturing, or operation of components
SupplyChainCodeRepository
A Cloud Code repository (e.g., GitHub) is a file repository hosted in the cloud where all the files/folders/packages related to your project are stored
SystemFilesBackups
The package or files constituting a backup, which is a copy of data and/or code taken and stored so that it may be used to restore the original after a data loss event
SystemFilesConfigurationFiles
The conditions, parameters, and specifications maintained in unique files (stored outside the core application's code) that apply to an information system or system component
SystemFilesDigitalCertificate
A set of data that uniquely identifies an asymmetric (public-private) cryptographic key pair owner that is authorized to use the key pair, contains the owner's public key and possibly other information, and is digitally signed by a Certification Authority (i.e., a trusted party), thereby binding the public key to the owner
SystemFilesLogFiles
Often stored in a file or database, the logs are records of events which happen while an operating system or software runs, and/or records of the communications between different components or users within a system
Tokens, essentially a data set, that are used to represent the previous authorization and expiration timeframe for access from a Multi-factor Authentication service provider
UsersCustomersStaff
Individual authorized to access a device or information system
UsersFieldServiceTechnician
Staff employed by or managed by a device manufacturer to conduct service to device and components installed at a customer site
WirelessBluetoothBLE
A wireless protocol that allows two Bluetooth or Bluetooth Low Energy (BLE) enabled devices to communicate with each other within a short distance
WirelessNFC
Near-field communication (NFC) is a wireless protocol that enables communication between two devices over a short distance (4 cm or less)
WirelessWirelessWiFi
A wireless network protocol based on IEEE 802.11 commonly used for local area networking of devices and Internet access, allowing nearby digital devices to exchange data by radio waves
CloudAWSAPIGateway
Amazon API Gateway is an AWS service for creating, publishing, maintaining, monitoring, and securing REST, HTTP, and WebSocket APIs at any scale
CloudAWSAthena
Amazon Athena is an interactive query service that analyzes data directly in Amazon Simple Storage Service (Amazon S3) using standard SQL
CloudAWSCloudFront
Amazon CloudFront is a web service that speeds up distribution of static and dynamic web content, such as .html, .css, .js, and image files
CloudAWSDocumentDb
Amazon DocumentDB (with MongoDB compatibility) is a fast, reliable, and fully managed database service
CloudAWSEC2
Amazon Elastic Compute Cloud (Amazon EC2) provides scalable computing capacity in the Amazon Web Services (AWS) Cloud
CloudAWSECR
Amazon Elastic Container Registry (Amazon ECR) is an AWS managed container image registry service
CloudAWSEFS
Amazon Elastic File System (Amazon EFS) provides a serverless, set-and-forget elastic file system for use with AWS Cloud services and on-premises resources
CloudAWSEKS
Amazon Elastic Kubernetes Service (Amazon EKS) is a managed service that can run Kubernetes on AWS without needing to install, operate, and maintain Kubernetes control plane or nodes
CloudAWSElastiCache
Amazon ElastiCache is a web service that makes it easier to set up, operate, and scale a distributed cache in the cloud
CloudAWSELB
Elastic Load Balancing (ELB) automatically distributes incoming application traffic across multiple targets and virtual appliances in one or more Availability Zones (AZs)
CloudAWSFirehose
Amazon Kinesis Data Firehose is a fully managed service for delivering real-time streaming data to destinations such as Amazon Simple Storage Service (Amazon S3), Amazon Redshift, Amazon OpenSearch Service, Splunk, and any custom HTTP endpoint or HTTP endpoints owned by supported third-party service providers, including Datadog, Dynatrace, LogicMonitor, MongoDB, New Relic, and Sumo Logic
CloudAWSGlue
AWS Glue is a serverless data integration service that allows for analytics to discover, prepare, move, and integrate data from multiple sources
CloudAWSKinesis
Amazon Kinesis Data Streams collect and process large streams of data records in real time
CloudAWSLambda
AWS Lambda is a serverless, event-driven compute service that lets you run code for many application types or backend services without provisioning or managing servers
CloudAWSNeptune
Amazon Neptune is a fully managed graph database service that lets you build and run applications that work with highly connected datasets
CloudAWSRDS
Amazon Relational Database Service (Amazon RDS) is a web service that sets up, operates, and scales a relational database in the AWS Cloud
CloudAWSS3
Amazon Simple Storage Service (Amazon S3) is an object storage service that offers scalability, data availability, security, and performance
CloudAWSSNS
Amazon Simple Notification Service (Amazon SNS) is a managed service that provides message delivery from publishers to subscribers (also known as producers and consumers)
CloudAWSSQS
Amazon Simple Queue Service (Amazon SQS) offers a secure, durable, and available hosted queue that integrates and decouples distributed software systems and components
CloudAppService
Cloud App Services are a wide range of specific application services for applications deployed in cloud-based resources
CloudB2C
Azure Active Directory B2C provides business-to-customer identity as a service
CloudCloudPlatform
A Cloud Platform is a set of technologies for a wide range of tasks including developing and running applications, and storing and processing huge data assets, often provided by a 3rd party and available in public or private configurations
CloudContentDeliveryNetwork
A cloud content delivery network (CDN) is a distributed group of servers which work together to provide fast delivery of Internet content
CloudDatabaseBlobStorage
Blob storage is an object storage solution for the cloud. Blob storage is optimized for storing massive amounts of unstructured data
CloudDatabaseCosmosDB
Cosmos DB is a fully managed, serverless NoSQL database for high-performance applications of any size or scale
CloudDatabaseSQLDB
Cloud SQL DBs are cloud based relational databases
CloudEventGrid
Event Grid is a highly scalable, serverless event broker that can be used to integrate applications using events
CloudFunctions
Cloud Functions (e.g., Azure Functions, Event Hubs, AWS Lambda) are event-driven serverless platforms for a lightweight solution to support individual services
CloudGoogleCloudPlatform
Google Cloud Platform (GCP) is a cloud computing platform developed by Google
CloudKeyVault
A cloud service for securely storing and accessing secrets
CloudManagementConsole
Cloud management consoles are how administrators control and orchestrate all products and services that operate in a cloud: the users and access control, data, applications, and services
CloudMonitor
Cloud Monitor (also known as Azure Monitor, Application Insights, Azure Log Analytics, AWS Cloudwatch, AWS Application Insights) provides Application Performance Monitoring (also known as "APM") features
Other
Use this generic component to build a unique component specific to your system
1. Navigate to the Components Tab
From your product page, click on the Components tab in the navigation bar. This takes you to the Components dashboard where you can add, view, and manage all components in your product.
You'll see the user instruction banner: "Add components based on your design". The dashboard displays a table with columns for ID, Component Name, Component Type, Hardware/Software, and Description.
2. Add a New Component Manually
Click the + Add a New Component button. A modal will appear with options to define your component.
In the Add Component modal:
Select a Component Type from the dropdown list. This is the critical field that determines what threats and requirements will be generated.
Enter a Component Name (optional). If left blank, the component type name will be used. Use a custom name to identify specific instances (e.g., "Main MCU" vs "Sensor MCU").
Click Add to create the component.
Once added, the component appears in the table with an auto-generated ID (e.g., A.286), the Component Type, Hardware/Software classification, and a default Description. You can click "Add addendum" to add additional notes.
3. Import Components from Diagram
If you've already built an architecture diagram with Component Types assigned (see Build Your Architecture), you can import those components directly.
To import from a diagram:
Click the + Add Components from Diagram button
Product Security Hub scans your diagram for shapes with Component Types
A review screen appears showing all discovered components
Review the list and click Save to import
💡 Smart Duplicate Detection
Product Security Hub automatically checks for existing components. If a component already exists in your product, it won't be added again—no duplicates to clean up!
🔄 Two-Way Sync
If you update a component's name on the Components page, that change will be reflected in the data type field on your diagrams. Your architecture stays in sync.
4. Bulk Import via Excel
Need to add many components at once? Use our Excel template for bulk import.
Bulk import process:
Download the Excel template from the Components page
Fill in your components with their types and names
Import the completed spreadsheet back into Product Security Hub
All components are created at once with their associated threats and requirements
💡 Tip: Great for migrations
If you have existing component lists in spreadsheets or other systems, the Excel import makes it easy to bring everything into Product Security Hub quickly.
5. What Happens When You Add a Component
This is where Product Security Hub saves you weeks of work. When you add a component:
Generates Threats
Relevant threats from our catalog are automatically associated with your component based on its type.
Suggests Requirements
Security requirements that address those threats are automatically suggested for your review.
Navigate to the Threats and Requirements tabs to review what Product Security Hub has generated. You can accept, modify, or dismiss these suggestions based on your product's specific context.
🚀 The Power of Component Types
Each Component Type is mapped to a curated library of threats and security requirements based on FDA guidance, industry standards, and real-world attack patterns. You get expert-level security analysis without being a security expert.
6. Deleting Components
To delete a component, click the trash icon (🗑️) in the component's row on the dashboard.
⚠️ Important: Cascade Delete Warning
When you delete a component, Product Security Hub will warn you that all associated data will also be deleted:
• Threats linked to this component
• Requirements addressing those threats
• Residual Risks associated with the component
• SBOM entries for the component
• Vulnerabilities identified for the component
• Patches tracked for the component
💡 Tip: Review before deleting
Before deleting a component, check the Threats and Requirements tabs to understand what will be removed. If you're unsure, consider marking items as "Not Applicable" instead of deleting.
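As an added illustration of the data model the steps above describe, the following Python sketch (written for this page, not Product Security Hub's own code) models a component registry in which the Component Type alone determines the generated threats and requirements, repeated imports are detected as duplicates, a requirement can be marked not applicable instead of deleted, and deleting a component cascades to everything generated from it. The catalog entries, the registry API and the T./R. ID scheme are constructed assumptions; only the Component Type strings are taken from the reference above, and the "A.<n>" IDs merely mimic the format shown in step 2.

```python
"""Toy component registry: Component Types drive threat and requirement
generation, with duplicate detection on import and cascade delete.

Added example for this page; not Product Security Hub's code or data.
Component Type names are the exact strings from the reference above; the
catalog entries are constructed samples; the ID schemes are assumptions.
"""
from dataclasses import dataclass, field

# Exact Component Type names from the reference list on this page (subset).
COMPONENT_TYPES = {
    "HardwareJTAGSWD", "HardwareMicrocontroller", "DataStorageDatabase",
    "SoftwareWebApplication", "DataCryptographickeys", "DataPIIPHI",
}

# Constructed sample catalog (NOT the product's real library):
# component type -> list of (threat, [requirements that address it]).
CATALOG = {
    "HardwareJTAGSWD": [
        ("Exposed debug port permits firmware extraction or modification",
         ["Disable or lock JTAG/SWD on production units",
          "Require authenticated unlock for field debugging"]),
    ],
    "DataStorageDatabase": [
        ("Unauthorized read of stored patient data",
         ["Encrypt PHI at rest", "Enforce role-based access to the database"]),
        ("Tampering with stored records",
         ["Log and audit all write operations"]),
    ],
    "HardwareMicrocontroller": [
        ("Unsigned firmware loaded onto the MCU",
         ["Enforce secure boot with signature verification"]),
    ],
}


def is_known_type(ctype):
    """True when the string is one of the exact Component Type names."""
    return ctype in COMPONENT_TYPES


@dataclass
class Component:
    id: str
    name: str
    ctype: str
    threats: list = field(default_factory=list)       # threat IDs
    requirements: list = field(default_factory=list)  # requirement IDs


class Registry:
    def __init__(self):
        self.components = {}    # component ID -> Component
        self.threats = {}       # threat ID -> {"component": id, "text": str}
        self.requirements = {}  # requirement ID -> {"threat": id, "text", "status"}
        # Separate counters so IDs never get reused after a delete.
        self._next_cid, self._next_tid, self._next_rid = 1, 1, 1

    def find(self, ctype, name):
        """Duplicate detection: same type and same name is the same component."""
        for c in self.components.values():
            if c.ctype == ctype and c.name == name:
                return c
        return None

    def add(self, ctype, name=None):
        """Add a component; returns (component, created). Rejects unknown types."""
        if not is_known_type(ctype):
            raise ValueError(f"unknown Component Type: {ctype!r}")
        name = name or ctype              # blank name falls back to the type name
        existing = self.find(ctype, name)
        if existing is not None:
            return existing, False        # already present: nothing to clean up
        comp = Component(f"A.{self._next_cid}", name, ctype)
        self._next_cid += 1
        # The type alone decides which threats and requirements are generated.
        for threat_text, req_texts in CATALOG.get(ctype, []):
            tid = f"T.{self._next_tid}"
            self._next_tid += 1
            self.threats[tid] = {"component": comp.id, "text": threat_text}
            comp.threats.append(tid)
            for req_text in req_texts:
                rid = f"R.{self._next_rid}"
                self._next_rid += 1
                self.requirements[rid] = {"threat": tid, "text": req_text,
                                          "status": "suggested"}
                comp.requirements.append(rid)
        self.components[comp.id] = comp
        return comp, True

    def import_from_diagram(self, shapes):
        """Bulk import of (type, name) pairs; existing components are skipped."""
        added, skipped = [], []
        for ctype, name in shapes:
            comp, created = self.add(ctype, name)
            (added if created else skipped).append(comp.id)
        return added, skipped

    def mark_not_applicable(self, rid):
        """Alternative to deleting: keep the record but flag it as not applicable."""
        self.requirements[rid]["status"] = "not_applicable"

    def delete(self, cid):
        """Cascade delete: the component and everything generated from it go."""
        comp = self.components.pop(cid)
        for tid in comp.threats:
            del self.threats[tid]
        for rid in comp.requirements:
            del self.requirements[rid]
        return {"threats": len(comp.threats), "requirements": len(comp.requirements)}
```

The separate ID counters matter: deriving the next threat ID from the current count would silently reuse an ID after a cascade delete, so any later reference (a residual risk, a patch record) could point at the wrong threat.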
Best Practices
Be specific with Component Types
Choose the most specific Component Type available. "Hardware - Microcontroller (MCU)" will generate more relevant threats than a generic "Hardware" type.
Use meaningful names
Name components based on their role: "Patient Data Database", "Wireless Communication Module", "Firmware Update Service".
Start with your diagram
Build your architecture diagram first with Component Types, then import. This keeps your visual architecture and component list in sync.
Include external systems
Don't forget to add external systems your product communicates with—cloud services, mobile apps, hospital networks. These interfaces are often attack vectors.
What's Next?
Now that you've added components, explore what Product Security Hub has generated:
Accept or modify auto-generated security requirements
Firmware
Firmware
Computer programs and data stored in hardware - typically in read-only memory (ROM) or programmable read-only memory (PROM) - such that the programs and data (within firmware) cannot be dynamically written or modified during execution of the programs
Hardware
HardwareBattery
A battery is a component that stores electrical energy, generally in the form of a chemical material that can be converted to electrical energy, enabling a device to be portable or otherwise operate without a wired electrical connection
HardwareeFuses
Also called electronic fuses - are integrated circuits used as a one-time programmable ROM
HardwareEmbeddedSingleBoardComputer
A complete computer built on a single circuit board, with microprocessor(s), memory, input/output and other features required of a functional computer
HardwareInterfaces
The interfaces used to connect two devices or components together, specifically with SoC (system on chip) peripherals and how they interact with a CPU or other device components
HardwareJTAGSWD
JTAG (Joint Test Action Group) is an industry standard that specifies the use of a dedicated debug port implementing a serial communications interface for low-overhead access without requiring direct external access to the system address and data buses. SWD is a low pin-count physical interface for JTAG debugging on ARM-processors
HardwareMicrocontroller
A microcontroller unit/MCU is a small computer on a single integrated circuit (IC) chip and contains one or more CPUs (processor cores) along with memory and programmable input/output peripherals
HardwarePINS
Printed Circuit Board (PCB) pins, also called general-purpose input/output (GPIO) pins, are an uncommitted digital signal pin on an integrated circuit or electronic circuit board which may be used as an input or output, or both
HardwarePortableStorageDevice
Portable device that can be connected to a computer, device, or network to provide data storage
HardwarePrintedCircuitBoardAssembly
A printed circuit board (PCB) or PCBA is hardware that affixes electronic components and connections to a board to provide reliable electrical connections and circuits between the circuit board components
HardwareSingleUseCartridge
A disposable component used for a single application of medication or other therapy
HardwareSpecializedServiceDeviceorPC
Devices used by staff employed by or managed by a device manufacturer to conduct service to device and components installed at a customer site
HardwareSystemonModule
A System-on-a-Chip (SOC) or System on Module (SOM) brings components of a computer into a single chip or integrated circuit, including CPU, RAM, ROM, and other peripherals
HardwareVirtualCOMport
Also called a virtual serial port, a virtual or emulated port for wired communications used due to a lack of a dedicated, physical communication interface
Labeling
LabelingDocumentationandIFU
Documentation related to security such as the Instructions for Use (IFU), Manufacturer's Disclosure Statement for Medical Device Security (MDS2), and Software Bill of Materials (SBOM)
Mobile App
MobileAppBinary
The file format used to package and distribute mobile apps
MobileAppStore
A storefront provided by operating system providers (typically mobile devices such as Apple App Store and Google Play Store) to allow access to and purchase of software applications
Operating System
OperatingSystemLinux
An open source Unix-like operating system based on the Linux kernel
OperatingSystemRTOS
A real-time operating system (RTOS) is an operating system (OS) for real-time applications that processes data and events that have critically defined time constraints
OperatingSystemSystemAccounts
User accounts and service/application accounts used within the Operating System
OperatingSystemWindows
Proprietary graphical operating system developed and marketed by Microsoft
Peripherals
PeripheralsLocalPrinter
A peripheral device attached via a physical wire or USB which prints information (makes a persistent representation of graphics or text on paper or other medium)
PeripheralsUserInterface
The physical means (buttons and switches without a display) by which users interact with a system or device
A physical device or feature (touchscreen, display, keyboard, mouse, barcode reader) by which users interact with a system or device
Ports
PortsEthernetPort
A wired computer networking technology commonly used in local area networks (LAN) and wide area networks (WAN) that implements IEEE 802.3
PortsUSBPort
A physical port to implement the Universal Serial Bus (USB) specification - for cables, connectors and protocols for connection, communication and power supply between computers, peripherals and other computers
PortsVideoPort
Also called a graphics port, a video port is used to connect a display to a device
Services
ServicesActiveDirectory
A directory service developed by Microsoft for Windows domain networks that is primarily used to perform authentication and authorization for users, computers, permissions, file servers, and software applications
ServicesCodeSigningInfrastructure
Infrastructure (systems, tools, and processes) that supports applying digital signatures to distributable files using public-key cryptography, so that consumers can verify that the software is in the state the publisher intended and has not been corrupted or tampered with since the publisher signed it
ServicesContainerRegistry
A repository to build, store, and manage container images and artifacts as well as provide connectivity and support for container orchestration platforms
ServicesMultifactorAuthenticationservice
An internal or external service provider for Multi-factor authentication - an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism
ServicesNetworkService
Network-based application service that enables access to a specific set of functionality and data. Network services listen on network ports and are typically provided by the operating system or by network-facing applications
Software
SoftwareAIModel
A program that has been trained on a set of data to recognize certain patterns or make certain decisions without human intervention
SoftwareAPI
An Application Programming Interface (API) allows services and products to communicate with each other and leverage each other's data and functionality through a shared software interface generally over a network
SoftwareBIOS
Basic Input/Output System (BIOS) is firmware used to provide runtime services for operating systems and programs and to perform hardware initialization during the booting process
SoftwareBootLoader
Also called a boot manager, the bootloader is a small program that places the operating system (OS) into memory after a device is powered on and initialized by a BIOS
SoftwareContainer
A lightweight package of software that operates within an operating system and includes the system libraries, system tools, and other platform settings required by the software
SoftwareDesktop
Also called a program or application: a set of code and instructions stored in and executed by a computing device assigned to an individual (e.g., a user's computer or workstation)
SoftwareFieldService
Software used by staff employed by or managed by a device manufacturer to service devices and components installed at a customer site
SoftwareFirewall
An inter-network connection device that restricts data communication traffic between two connected networks. A firewall may be either an application installed on a general-purpose computer or a dedicated platform (appliance), which forwards or rejects/drops packets on a network
SoftwareFirmwareControl
Software that is purpose built for controlling hardware through defined interfaces with firmware
SoftwareGateway
An intermediate system (interface, relay) that attaches to two (or more) computer networks that have similar functions but dissimilar implementations and that enables either one-way or two-way communication between the networks
SoftwareGatewayWebClient
Software acting on behalf of a human user to access and make use of a published service (API) or web application provided by a Gateway
SoftwareLoginform
A software-based input form, generally included as part of an application or operating system, for entering authentication credentials to access a restricted area of software, application, or operating system
SoftwareMobileApp
A computer program or software application designed to run on a mobile device such as a phone, tablet, or watch
SoftwareMQTTClient
MQTT Clients can publish data to a topic to send messages to any subscribers through an MQTT Server/Broker, and can subscribe to a topic to be notified when a message is published on an MQTT Server/Broker
SoftwareMQTTServerBroker
MQTT Servers, also called Brokers, are the central software entities in the MQTT architecture. An MQTT broker is an intermediary that enables MQTT clients to communicate: it accepts connection requests, authenticates clients, and stores, queues, and caches messages for clients. MQTT is a standard messaging protocol designed as an extremely lightweight publish/subscribe messaging transport
SoftwareOnProduct
Also called a program or application: a set of code and instructions stored in and executed by the host computing device
SoftwareOPCUA
OPC Unified Architecture is a cross-platform, open-source, IEC62541 standard for data exchange from sensors to cloud applications
SoftwarePACSDICOMServer
Picture archiving and communication system (PACS) - a medical imaging technology which provides storage and network-based access to images from multiple source devices, generally in DICOM format
SoftwareRemoteAccess
Software that facilitates access to a device by a user through a non-organization-controlled network
SoftwareSFTPClient
File Transfer Protocol (FTP) is a communication protocol used for the transfer of computer files from a server to a client on a computer network. The client connects to an FTP server to access the files it hosts; the connection is secured with SSL/TLS (FTPS) or SSH File Transfer Protocol (SFTP)
SoftwareSFTPServer
File Transfer Protocol (FTP) is a communication protocol used for the transfer of computer files from a server to a client on a computer network. The FTP Server hosts the files that clients access, and is secured with SSL/TLS (FTPS) or SSH File Transfer Protocol (SFTP)
SoftwareSSHServer
Software that provides access over a network to an SSH client for securely exchanging data between two computers
SoftwareUpdatePackages
The package or files constituting a software update: new, improved, or fixed software that replaces older versions of the same software. May also be called a patch or service pack
SoftwareUserManagement
Software that provides the ability for administrators to create and manage users or staff identities, roles, permissions, and access management within a system, device, or software
SoftwareVPNClient
Client-side software for securing and encrypting IP communications to a VPN Server
SoftwareVPNServer
Server-side software for securing and encrypting IP communications with VPN Clients
SoftwareWebApplication
A set of code and instructions stored on a separate device and hosted by a Web Server so that users can access it through a web-browser or custom software client
SoftwareWebServer
Software that provides internet or intranet services, typically to provide access over the network for a Web Application or API
Supply Chain
SupplyChainDevelopmentSystems
Systems, resources, and people involved in the development of components, including software, firmware, and hardware development
SupplyChainManufacturingSystems
Systems, resources, and people involved in the manufacturing of components, including software, firmware, and hardware
SupplyChainServiceandOperationsSystems
Systems, resources, and people involved in the servicing or operation of components, including software, firmware, and hardware
SupplyChainSuppliers
Suppliers of software, firmware, hardware, systems, resources, and people involved in the development, manufacturing, or operation of components
SupplyChainCodeRepository
A Cloud Code repository (e.g., GitHub) is a file repository hosted in the cloud where all the files, folders, and packages related to your project are stored
System Files
SystemFilesBackups
The package or files constituting a backup, which is a copy of data and/or code taken and stored so that it may be used to restore the original after a data loss event
SystemFilesConfigurationFiles
The conditions, parameters, and specifications maintained in unique files (stored outside the core application's code) that apply to an information system or system component
SystemFilesDigitalCertificate
A set of data that uniquely identifies an asymmetric (public-private) cryptographic key pair owner that is authorized to use the key pair, contains the owner's public key and possibly other information, and is digitally signed by a Certification Authority (i.e., a trusted party), thereby binding the public key to the owner
SystemFilesLogFiles
Often stored in a file or database, the logs are records of events which happen while an operating system or software runs, and/or records of the communications between different components or users within a system
Tokens (essentially a data set) that represent a prior authorization, and its expiration timeframe, for access granted by a Multi-factor Authentication service provider
Users
UsersCustomersStaff
Individual authorized to access a device or information system
UsersFieldServiceTechnician
Staff employed by or managed by a device manufacturer to service devices and components installed at a customer site
Wireless
WirelessBluetoothBLE
A wireless protocol that allows two Bluetooth or Bluetooth Low Energy (BLE) enabled devices to communicate with each other within a short distance
WirelessNFC
Near-field communication (NFC) is a wireless protocol that enables communication between two devices over a short distance (4 cm or less)
WirelessWirelessWiFi
A wireless network protocol based on IEEE 802.11 commonly used for local area networking of devices and Internet access, allowing nearby digital devices to exchange data by radio waves
Cloud
CloudAWSAPIGateway
Amazon API Gateway is an AWS service for creating, publishing, maintaining, monitoring, and securing REST, HTTP, and WebSocket APIs at any scale
CloudAWSAthena
Amazon Athena is an interactive query service that analyzes data directly in Amazon Simple Storage Service (Amazon S3) using standard SQL
CloudAWSCloudFront
Amazon CloudFront is a web service that speeds up distribution of static and dynamic web content, such as .html, .css, .js, and image files
CloudAWSDocumentDb
Amazon DocumentDB (with MongoDB compatibility) is a fast, reliable, and fully managed database service
CloudAWSEC2
Amazon Elastic Compute Cloud (Amazon EC2) provides scalable computing capacity in the Amazon Web Services (AWS) Cloud
CloudAWSECR
Amazon Elastic Container Registry (Amazon ECR) is an AWS managed container image registry service
CloudAWSEFS
Amazon Elastic File System (Amazon EFS) provides a serverless, set-and-forget elastic file system for use with AWS Cloud services and on-premises resources
CloudAWSEKS
Amazon Elastic Kubernetes Service (Amazon EKS) is a managed service that can run Kubernetes on AWS without needing to install, operate, and maintain Kubernetes control plane or nodes
CloudAWSElastiCache
Amazon ElastiCache is a web service that makes it easier to set up, operate, and scale a distributed cache in the cloud
CloudAWSELB
Elastic Load Balancing (ELB) automatically distributes incoming application traffic across multiple targets and virtual appliances in one or more Availability Zones (AZs)
CloudAWSFirehose
Amazon Kinesis Data Firehose is a fully managed service for delivering real-time streaming data to destinations such as Amazon Simple Storage Service (Amazon S3), Amazon Redshift, Amazon OpenSearch Service, Splunk, and any custom HTTP endpoint or HTTP endpoints owned by supported third-party service providers, including Datadog, Dynatrace, LogicMonitor, MongoDB, New Relic, and Sumo Logic
CloudAWSGlue
AWS Glue is a serverless data integration service that lets analytics users discover, prepare, move, and integrate data from multiple sources
CloudAWSKinesis
Amazon Kinesis Data Streams collects and processes large streams of data records in real time
CloudAWSLambda
AWS Lambda is a serverless, event-driven compute service that lets you run code for many application types or backend services without provisioning or managing servers
CloudAWSNeptune
Amazon Neptune is a fully managed graph database service that lets you build and run applications that work with highly connected datasets
CloudAWSRDS
Amazon Relational Database Service (Amazon RDS) is a web service that sets up, operates, and scales a relational database in the AWS Cloud
CloudAWSS3
Amazon Simple Storage Service (Amazon S3) is an object storage service that offers scalability, data availability, security, and performance
CloudAWSSNS
Amazon Simple Notification Service (Amazon SNS) is a managed service that provides message delivery from publishers to subscribers (also known as producers and consumers)
CloudAWSSQS
Amazon Simple Queue Service (Amazon SQS) offers a secure, durable, and available hosted queue that integrates and decouples distributed software systems and components
CloudAppService
Cloud App Services are a wide range of specific application services for applications deployed in cloud-based resources
CloudB2C
Azure Active Directory B2C provides business-to-customer identity as a service
CloudCloudPlatform
A Cloud Platform is a set of technologies for a wide range of tasks including developing and running applications, and storing and processing huge data assets, often provided by a 3rd party and available in public or private configurations
CloudContentDeliveryNetwork
A cloud content delivery network (CDN) is a distributed group of servers which work together to provide fast delivery of Internet content
CloudDatabaseBlobStorage
Blob storage is an object storage solution for the cloud. Blob storage is optimized for storing massive amounts of unstructured data
CloudDatabaseCosmosDB
Cosmos DB is a fully managed, serverless NoSQL database for high-performance applications of any size or scale
CloudDatabaseSQLDB
Cloud SQL DBs are cloud based relational databases
CloudEventGrid
Event Grid is a highly scalable, serverless event broker that can be used to integrate applications using events
CloudFunctions
Cloud Functions (e.g., Azure Functions, Event Hubs, AWS Lambda) are event-driven serverless platforms that provide a lightweight way to run individual services
CloudGoogleCloudPlatform
Google Cloud Platform (GCP) is a cloud computing platform developed by Google
CloudKeyVault
A cloud service for securely storing and accessing secrets
CloudManagementConsole
Cloud management consoles are how administrators control and orchestrate all products and services that operate in a cloud: the users and access control, data, applications, and services
CloudMonitor
Cloud Monitor (also known as Azure Monitor, Application Insights, Azure Log Analytics, AWS CloudWatch, AWS Application Insights) provides Application Performance Monitoring (also known as "APM") features
Other
Other
Use this generic component to build a unique component specific to your system
1
Navigate to the Components Tab
From your product page, click on the Components tab in the navigation bar. This takes you to the Components dashboard where you can add, view, and manage all components in your product.
You'll see the user instruction banner: "Add components based on your design". The dashboard displays a table with columns for ID, Component Name, Component Type, Hardware/Software, and Description.
2
Add a New Component Manually
Click the + Add a New Component button. A modal will appear with options to define your component.
In the Add Component modal:
Select a Component Type from the dropdown list. This is the critical field that determines what threats and requirements will be generated.
Enter a Component Name (optional). If left blank, the component type name will be used. Use a custom name to identify specific instances (e.g., "Main MCU" vs "Sensor MCU").
Click Add to create the component.
Hardware
• Microcontroller (MCU)
• Printed Circuit Board (PCBA)
• Embedded Single Board Computer
• System on Module (SOM/SOC)
• Battery
• eFuses
• PINS
• Interfaces (UART, SPI, I2C, etc.)
• JTAG/SWD
• Single-Use Cartridge
• Specialized Service Device/PC
• Virtual COM Port
Data Storage
• Database
• EEPROM/Flash/Non-volatile
• Hard Drive
• Internal Flash/SD
• Network Storage
• Portable Storage (USB, DVD, Flash)
Software
• API
• AI Model
• BIOS / Boot Loader
• Container
• Desktop Application
• Firewall
• Firmware Control
• Mobile App
• Web Application / Server
• MQTT Client/Server
• OPC UA
• VPN Client/Server
• SSH/SFTP Client/Server
• Update Packages
• User Management
Operating Systems
• Linux
• Windows
• RTOS
• System Accounts
Data Types
• Accounts, Credentials & Passwords
• Cryptographic Keys
• DICOM
• PII/PHI
• QR Code
Data Flows
• Component to Component
• Component to External Entity
• User to Web Application
• Wireless (WiFi, Bluetooth, NFC)
Ports & Interfaces
• Ethernet Port
• USB Port
• Video Port
Wireless
• Bluetooth/BLE
• NFC
• Wi-Fi
Peripherals
• Local Printer
• User Interface (Buttons)
• User Interface (Display/Touch)
Cloud Platforms
• AWS (20+ service types)
• Azure (10+ service types)
• Google Cloud Platform (GCP)
• Generic Cloud Platform
• CDN
• Key Vault
• Monitoring Services
Services
• Active Directory
• Code Signing Infrastructure
• Container Registry
• Multi-factor Authentication
• Network Service
• PACS/DICOM Server
System Files
• Backups
• Configuration Files
• Digital Certificates
• Log Files
• MFA Access Tokens
Supply Chain
• Development Systems
• Manufacturing Systems
• Service & Operations
• Suppliers
Users & Actors
• Customer/Staff
• Field Service Technician
Other
• Certifications (ISO 27001, SOC2)
• Firmware
• Labeling & Documentation (IFU)
• Mobile App Binary/Store
• Custom Components
Once added, the component appears in the table with an auto-generated ID (e.g., A.286), the Component Type, Hardware/Software classification, and a default Description. You can click "Add addendum" to add additional notes.
3
Import Components from Diagram
If you've already built an architecture diagram with Component Types assigned (see Build Your Architecture), you can import those components directly.
To import from a diagram:
Click the + Add Components from Diagram button
Product Security Hub scans your diagram for shapes with Component Types
A review screen appears showing all discovered components
Review the list and click Save to import
💡 Smart Duplicate Detection
Product Security Hub automatically checks for existing components. If a component already exists in your product, it won't be added again—no duplicates to clean up!
🔄 Two-Way Sync
If you update a component's name on the Components page, that change will be reflected in the data type field on your diagrams. Your architecture stays in sync.
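The diagram scan, exact-terminology check, and duplicate detection described above, as an added example that is not Product Security Hub's own code. It assumes an uncompressed draw.io file in which the Component Type is stored as a custom shape property named `ComponentType` (the property name is an assumption; the known-type set is a constructed subset of the reference above).

```python
"""Added example (not Product Security Hub code): scan a draw.io diagram for shapes
carrying a Component Type, check each type against the exact reference terminology,
and skip components that already exist in the product."""
import re
import xml.etree.ElementTree as ET

# Constructed subset of the Component Type reference on this page.
KNOWN_TYPES = {
    "SoftwareWebApplication", "SoftwareWebServer", "SoftwareMQTTClient",
    "SoftwareMQTTServerBroker", "DataPIIPHI", "CloudAWSS3", "WirelessBluetoothBLE",
}

# Constructed, uncompressed draw.io XML. draw.io keeps custom shape properties on an
# <object> element wrapping the <mxCell>; the property name 'ComponentType' is assumed.
SAMPLE_DIAGRAM = """<mxfile><diagram><mxGraphModel><root>
  <mxCell id="0"/><mxCell id="1" parent="0"/>
  <object label="Patient Portal" ComponentType="SoftwareWebApplication" id="2">
    <mxCell vertex="1" parent="1"/></object>
  <object label="Telemetry Broker" ComponentType="SoftwareMQTTServerBroker" id="3">
    <mxCell vertex="1" parent="1"/></object>
  <object label="Image Store" ComponentType="Cloud AWS S3" id="4">
    <mxCell vertex="1" parent="1"/></object>
  <object label="Plain shape without a type" id="5">
    <mxCell vertex="1" parent="1"/></object>
</root></mxGraphModel></diagram></mxfile>"""


def _canon(text):
    """Collapse a type name to lowercase alphanumerics so near-misses can be matched."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def scan_diagram(xml_text):
    """Return (label, ComponentType) for every shape that carries the assumed property."""
    root = ET.fromstring(xml_text)
    found = []
    for obj in root.iter("object"):
        ctype = obj.get("ComponentType")
        if ctype:  # shapes without the property are plain drawing elements
            found.append((obj.get("label", ctype), ctype))
    return found


def plan_import(discovered, existing, known_types=KNOWN_TYPES):
    """Split discovered components into new, duplicate, and unknown-type buckets.

    A duplicate is a component whose (name, type) already exists in the product or
    appeared earlier in the same diagram; an unknown type is one that does not use the
    exact reference terminology, reported with the closest canonical name if any."""
    existing_keys = {(name.strip().lower(), ctype) for name, ctype in existing}
    canon_map = {_canon(t): t for t in known_types}
    plan = {"new": [], "duplicates": [], "unknown_type": []}
    seen = set()
    for name, ctype in discovered:
        key = (name.strip().lower(), ctype)
        if ctype not in known_types:
            plan["unknown_type"].append((name, ctype, canon_map.get(_canon(ctype))))
        elif key in existing_keys or key in seen:
            plan["duplicates"].append((name, ctype))
        else:
            plan["new"].append((name, ctype))
        seen.add(key)
    return plan


if __name__ == "__main__":
    already_in_product = [("Patient Portal", "SoftwareWebApplication")]
    for bucket, items in plan_import(scan_diagram(SAMPLE_DIAGRAM), already_in_product).items():
        print(bucket, items)
```

Shapes whose type is flagged as unknown should be renamed in the diagram to the suggested exact name before importing, since a misspelled type yields no threats or requirements.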
4
Bulk Import via Excel
Need to add many components at once? Use our Excel template for bulk import.
Bulk import process:
Download the Excel template from the Components page
Fill in your components with their types and names
Import the completed spreadsheet back into Product Security Hub
All components are created at once with their associated threats and requirements
💡 Tip: Great for migrations
If you have existing component lists in spreadsheets or other systems, the Excel import makes it easy to bring everything into Product Security Hub quickly.
5
What Happens When You Add a Component
This is where Product Security Hub saves you weeks of work. When you add a component:
Generates Threats
Relevant threats from our catalog are automatically associated with your component based on its type.
Suggests Requirements
Security requirements that address those threats are automatically suggested for your review.
Navigate to the Threats and Requirements tabs to review what Product Security Hub has generated. You can accept, modify, or dismiss these suggestions based on your product's specific context.
🚀 The Power of Component Types
Each Component Type is mapped to a curated library of threats and security requirements based on FDA guidance, industry standards, and real-world attack patterns. You get expert-level security analysis without being a security expert.
6
Deleting Components
To delete a component, click the trash icon (🗑️) in the component's row on the dashboard.
⚠️ Important: Cascade Delete Warning
When you delete a component, Product Security Hub will warn you that all associated data will also be deleted:
• Threats linked to this component
• Requirements addressing those threats
• Residual Risks associated with the component
• SBOM entries for the component
• Vulnerabilities identified for the component
• Patches tracked for the component
💡 Tip: Review before deleting
Before deleting a component, check the Threats and Requirements tabs to understand what will be removed. If you're unsure, consider marking items as "Not Applicable" instead of deleting.
Best Practices
Be specific with Component Types
Choose the most specific Component Type available. "Hardware - Microcontroller (MCU)" will generate more relevant threats than a generic "Hardware" type.
Use meaningful names
Name components based on their role: "Patient Data Database", "Wireless Communication Module", "Firmware Update Service".
Start with your diagram
Build your architecture diagram first with Component Types, then import. This keeps your visual architecture and component list in sync.
Include external systems
Don't forget to add external systems your product communicates with—cloud services, mobile apps, hospital networks. These interfaces are often attack vectors.
What's Next?
Now that you've added components, explore what Product Security Hub has generated: