You know your device. We handle the SBOM documentation.

FDA reviewers are pausing submissions with incomplete SBOMs and missing cybersecurity documentation. Threat Detective produces the evidence they expect, from the SBOM you already have.

“I was tired of stitching reports together from pricey SBOM tool exports and spreadsheets. They weren't built for medical devices.

So I built Threat Detective to give us regulator-ready outputs in minutes, not days.”

Alan Parkinson
Creator of Threat Detective

SBOM and Cybersecurity Documentation

Upload your SBOM. See what needs your attention.

You already have an SBOM from your development process. Threat Detective validates it, matches components to known vulnerabilities, and shows you what needs documenting. You spend your time on decisions, not data entry.

Import SBOMs.
Upload your SBOM in CycloneDX or SPDX format. We check it against regulatory expectations and flag what's missing so you can fix it before submission.
Find what matters.
We scan your components against three vulnerability databases and surface what needs your attention. New findings appear as a tidy “Needs Decision” queue, not a wall of alerts.
Prioritise and analyse findings.
Prioritise findings by risk and exploitability. Record your decisions, document compensating controls, and apply the same rationale across multiple software versions. Full audit trail included.
Export reports and enriched SBOMs.
Generate FDA eSTAR sections, EU Notified Body summaries, and QMS-ready reports. No spreadsheet surgery.

Post-Market Surveillance

Your device is cleared. Your obligations aren't.

New vulnerabilities are disclosed every week against the components in your SBOM. Threat Detective monitors them continuously and alerts you when something needs a decision. Only the findings that matter.

Monitor every deployed version.
Track vulnerabilities across every software version in the field, from your current release to a legacy build still in clinics. Each version gets continuous surveillance without manual spreadsheet gymnastics.
Smart notifications, not noise.
Receive daily alerts only for Critical and High severity findings, plus a weekly summary. No constant interruptions, just the insights that matter for regulatory compliance.
Automated annual review alerts.
Regulators expect you to review your vulnerability decisions annually. Threat Detective tracks when reviews are due and alerts you before they lapse.

One price per device. Unlimited SBOMs.

No seat fees. Pricing scales with your device portfolio, not your team size.

Pre-Market

Get cleared

$189 /month

per device · cancel any time

Upload your SBOM, identify vulnerabilities, and produce eSTAR-ready documentation for your FDA submission.

Most popular
Post-Market

Stay cleared

$249 /month

per device · cancel any time

Everything in Pre-Market, plus continuous vulnerability monitoring and post-market surveillance reporting.

Private Cloud

Full control

From $1,245 /year

12-month contract. 5 devices included.

Private deployment, SSO, and data residency. For growing manufacturers managing multiple devices.

Hosted in EU, US, or UK