Meeting FDA Vulnerability Metrics with ELTON

As of 2025, regardless of Cyber Device classification, your FDA premarket submission included a Vulnerability Management Plan, and you likely also maintain a quality system SOP that implements it. That plan defines the metrics you must track and evidence for each software release of every product, during premarket development and throughout postmarket monitoring. At ELTON we have found these metrics unsustainable to collect by hand, because of the sheer volume of vulnerabilities continually disclosed against the components of an existing medical device. ELTON automates most of the metric categories and records defensible evidence when a fix is not performed, so you stay compliant without overwhelming your team.

The FDA’s 2025 premarket cybersecurity guidance makes one thing clear: compliance is no longer about checking a box, it is about demonstrating measurable performance. Manufacturers must quantify how they manage vulnerabilities over time using a defined set of metrics, which lets regulators assess whether a product’s cybersecurity risk is being monitored and mitigated not just once, but across the entire product lifecycle.

At ELTON, we built our solution to capture and report on each of these metrics automatically, so your team can focus on security, not spreadsheets. Below, we break down each FDA-defined metric and how ELTON delivers automated, audit-ready compliance.

1. Time-to-Remediation

What it means: How long it takes from the identification of a vulnerability to the time it is mitigated or patched.

How ELTON helps: ELTON tracks the full lifecycle of each vulnerability—including discovery date, triage decision, remediation plan, and closure. Our system calculates Time-to-Remediation automatically for each finding and provides trend reports across products and releases.

2. Time-to-Triage

What it means: The time it takes from discovering a new vulnerability (e.g., from SBOM monitoring or pen testing) to making a triage decision (e.g., fix, defer, accept risk).

How ELTON helps: As new CVEs emerge, ELTON continuously ingests, matches, and contextualizes them against your product SBOMs and digital twin models. It automatically logs when a vulnerability is first detected and when a triage decision is made—providing an accurate, traceable Time-to-Triage metric.

3. Vulnerability Density

What it means: The number of unresolved vulnerabilities per product, per version, or per codebase—an indicator of cybersecurity hygiene.

How ELTON helps: ELTON calculates vulnerability density across your product portfolio and highlights concentrations by product, release, or component. You get a portfolio-wide heatmap of risk exposure, with the ability to drill down to root causes.

4. Patch Adoption Rate

What it means: The percentage of released patches that have been deployed across affected devices in the field.

How ELTON helps: For connected or actively supported devices, ELTON tracks whether patches associated with CVEs have been implemented. It enables you to link CVE closure to specific patch releases, providing evidence of coverage and helping assess field update adoption rates over time.

5. Frequency of Periodic Testing

What it means: How often a product undergoes penetration testing or security assessment, as required by the FDA’s lifecycle approach.

How ELTON helps: ELTON automatically logs each penetration test, fuzzing engagement, or SAST/DAST session performed across the device lifecycle. Our dashboard shows when testing occurred, how frequently, and what was covered—allowing you to demonstrate periodicity compliance without manual tracking.

6. Coordinated Vulnerability Disclosure (CVD) Response Timelines

What it means: The speed and thoroughness with which the manufacturer responds to third-party or external vulnerability disclosures.

How ELTON helps: ELTON integrates with coordinated disclosure workflows to timestamp external submissions, log responses, and track mitigation progress. Whether you use a third-party CVD program or internal intake, ELTON ensures that every action is documented and reportable against FDA timelines.

7. Residual Risk Status

What it means: A snapshot of the cybersecurity risk that remains in the system after mitigations have been applied.

How ELTON helps: ELTON’s living vulnerability reports and CVSSv4 contextual scoring make it easy to quantify residual risk. You’ll see whether risks are still exploitable or reachable in the system architecture, and if not, ELTON captures the justification and evidence for “no-fix-needed” determinations—ideal for submission or audit review.
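The metrics above are only defensible if the arithmetic behind them is explicit: open findings must not shorten the remediation average, and a "no fix needed" decision only counts as resolved when it carries written justification. The following is an added illustration, not ELTON's code and not a formula published by the FDA, of computing Time-to-Triage, Time-to-Remediation, Vulnerability Density and Patch Adoption Rate from a vulnerability ledger. The Finding record, the decision labels, the product names and the sample findings and fleet are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Finding:
    """One vulnerability matched to one product version (a constructed record shape, not ELTON's schema)."""
    product: str
    version: str
    vuln_id: str
    discovered: date
    triaged: Optional[date] = None
    decision: Optional[str] = None        # assumed labels: "fix", "defer" or "no_fix"
    closed: Optional[date] = None         # fix shipped, or no-fix record signed off
    justification: Optional[str] = None   # mandatory for a defensible "no_fix"


def time_to_triage(f: Finding) -> Optional[int]:
    """Days from discovery to the triage decision; None while still untriaged."""
    return (f.triaged - f.discovered).days if f.triaged else None


def is_resolved(f: Finding) -> bool:
    """Resolved means fixed and closed, or no-fix with written justification and sign-off."""
    if f.decision == "no_fix":
        return bool(f.justification) and f.closed is not None
    return f.decision == "fix" and f.closed is not None


def time_to_remediation(f: Finding) -> Optional[int]:
    """Days from discovery to resolution; None for anything open, so open items never shrink the average."""
    return (f.closed - f.discovered).days if is_resolved(f) else None


def vulnerability_density(findings: List[Finding]) -> Dict[Tuple[str, str], int]:
    """Unresolved findings per (product, version); versions with zero open items are still reported."""
    density: Dict[Tuple[str, str], int] = {}
    for f in findings:
        key = (f.product, f.version)
        density.setdefault(key, 0)
        if not is_resolved(f):
            density[key] += 1
    return density


def patch_adoption_rate(fleet: Dict[str, Tuple[str, str]],
                        affected_versions: Set[str], patched_version: str) -> Optional[float]:
    """Share of fielded devices that were on an affected version and now report the patched one.
    fleet maps device id -> (version when the advisory went out, version reported now)."""
    affected = [d for d, (was, _) in fleet.items() if was in affected_versions]
    if not affected:
        return None
    adopted = sum(1 for d in affected if fleet[d][1] == patched_version)
    return adopted / len(affected)


def summarize(findings: List[Finding]) -> dict:
    """Portfolio roll-up of the time-based metrics plus open count and density."""
    ttt = [d for d in map(time_to_triage, findings) if d is not None]
    ttr = [d for d in map(time_to_remediation, findings) if d is not None]
    return {
        "median_time_to_triage_days": median(ttt) if ttt else None,
        "median_time_to_remediation_days": median(ttr) if ttr else None,
        "open": sum(1 for f in findings if not is_resolved(f)),
        "density": vulnerability_density(findings),
    }


# Constructed sample ledger: identifiers and dates are invented for the example.
SAMPLE_FINDINGS = [
    Finding("InfusionPump", "2.1", "FINDING-1", date(2025, 1, 5), date(2025, 1, 7), "fix", date(2025, 2, 4)),
    Finding("InfusionPump", "2.1", "FINDING-2", date(2025, 1, 10), date(2025, 1, 12), "no_fix", date(2025, 1, 12),
            "Vulnerable parser is not reachable: the component is linked but the affected API is never called."),
    # no_fix without justification: stays open until the rationale is recorded
    Finding("InfusionPump", "2.1", "FINDING-3", date(2025, 2, 1), date(2025, 2, 10), "no_fix", date(2025, 2, 10)),
    Finding("Monitor", "1.0", "FINDING-4", date(2025, 2, 15)),                          # not yet triaged
    Finding("Monitor", "1.0", "FINDING-5", date(2025, 2, 20), date(2025, 2, 21), "defer"),  # deferred, still open
]

# Constructed fleet: device id -> (version at advisory time, version reported now).
SAMPLE_FLEET = {"dev-A": ("2.1", "2.2"), "dev-B": ("2.1", "2.1"),
                "dev-C": ("2.0", "2.2"), "dev-D": ("2.1", "2.2")}

if __name__ == "__main__":
    print(summarize(SAMPLE_FINDINGS))
    print("patch adoption:", patch_adoption_rate(SAMPLE_FLEET, {"2.0", "2.1"}, "2.2"))
```

Note what the sample shows: FINDING-3 is marked no-fix but has no justification, so it stays in the open count and in the density figure until the rationale is recorded; that is exactly the evidence an auditor will ask for.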

Final Thoughts

The FDA’s new expectations require a level of visibility, automation, and traceability that goes beyond traditional tools and manual spreadsheets. ELTON is purpose-built for this challenge. By capturing all seven metrics across the entire product lifecycle and tying them to real security outcomes, ELTON helps manufacturers stay compliant, reduce risk, and build safer devices.
