Comparison
Threat Detective vs Dependabot.
Dependabot keeps your dependencies updated. Threat Detective turns your SBOM into the FDA cybersecurity evidence regulators need.
A free alert service vs a regulatory documentation platform
GitHub Dependabot
Dependency update and alert service
Dependabot is a free GitHub service that monitors your repository dependencies for known vulnerabilities and creates pull requests to update them. It works within the GitHub ecosystem and covers common package managers.
- Automated pull requests for dependency updates
- Vulnerability alerts for supported package ecosystems
- Free on all GitHub plans (public and private repos)
- Integrated into the GitHub development workflow
- Limited to GitHub-reviewed advisories only
Threat Detective
Medical device cybersecurity platform
Threat Detective is purpose-built for medical device manufacturers who need to produce cybersecurity documentation for FDA, EU MDR, and UKCA regulatory submissions. It takes your existing SBOM and generates the evidence regulators expect.
- SBOM validation against NTIA minimum elements
- Vulnerability scanning across NVD, GitHub Advisories, and OSV
- Submission-ready documentation in FDA eSTAR format
- Post-market surveillance monitoring and reporting
- Per-project pricing from £149/month with unlimited team members
Why Dependabot alone is not enough for medical devices
The FDA cybersecurity guidance (updated ) requires medical device manufacturers to submit an SBOM, document known vulnerabilities with evidence of risk assessment, and provide evidence of ongoing monitoring as part of premarket submissions.
Dependabot is a useful development tool that many teams already have enabled on their GitHub repositories. It catches known vulnerabilities in supported package ecosystems and automates dependency updates. For day-to-day development hygiene, it is genuinely valuable.
However, Dependabot has significant coverage gaps for medical devices. It does not support C or C++ (common in firmware and embedded software), cannot scan Docker container images for OS-level vulnerabilities, and does not cover operating system packages. It only alerts on GitHub-reviewed advisories, meaning some NVD entries never trigger a notification.
There is also a fundamental architecture limitation. Dependabot security alerts only run against the default branch of a repository. Medical devices are not cloud services with a single deployed version. A manufacturer may have v1.2, v1.3, and v2.0 all actively deployed in hospitals simultaneously. When a new vulnerability is disclosed, teams need to know which versions are affected. Dependabot cannot provide this visibility across release branches.
When a vulnerability is found, Dependabot lets you dismiss it with a short predefined reason. FDA reviewers expect far more: risk scoring using the MITRE CVSS rubric, documented rationale for each accepted vulnerability, mitigations in place, and the assessed residual risk. Dependabot was not designed to produce this evidence.
Threat Detective fills these gaps. It accepts SBOMs from any source (including third-party vendors), scans against NVD, GitHub Advisories, and OSV, covers all component types, and produces the submission-ready documentation FDA reviewers expect.
Dependabot ecosystem coverage gaps for medical devices
Medical devices often combine web application code, embedded firmware, container images, and third-party vendor components. Dependabot covers common package managers but leaves gaps in the ecosystems medical device teams rely on.
npm / Node.js: Threat Detective Yes, Dependabot Yes
Python (pip, poetry): Threat Detective Yes, Dependabot Yes
Go modules: Threat Detective Yes, Dependabot Yes
Rust (Cargo): Threat Detective Yes, Dependabot Yes
Ruby (Bundler): Threat Detective Yes, Dependabot Yes
Java (Maven, Gradle): Threat Detective Yes, Dependabot Yes
.NET (NuGet): Threat Detective Yes, Dependabot Yes
PHP (Composer): Threat Detective Yes, Dependabot Yes
C / C++: Threat Detective Yes, Dependabot No
Docker container images: Threat Detective Yes, Dependabot Tag updates only
OS packages (apt, yum, apk): Threat Detective Yes, Dependabot No
Vendor / third-party SBOMs: Threat Detective Yes, Dependabot No
Medical device SBOM tools: feature-by-feature comparison
Dependabot is a free dependency management tool built into GitHub. Threat Detective is purpose-built for medical device teams who need SBOM management, CVSS risk scoring, and cybersecurity documentation for regulatory submissions.
SBOM management
Upload and validate existing SBOMs: Threat Detective Yes, Dependabot No.
GitHub can export an SBOM from the dependency graph but does not accept externally produced SBOMs for analysis or validation.
SBOM export (CycloneDX and SPDX): Threat Detective Yes, Dependabot SPDX only.
GitHub SBOM export is free on all plans and produces SPDX format only. Threat Detective supports both CycloneDX and SPDX.
NTIA minimum element validation: Threat Detective Yes, Dependabot No.
GitHub exports an NTIA-compliant SBOM but does not validate whether an imported SBOM meets the NTIA minimum elements.
PURL and CPE identification for component matching: Threat Detective Yes, Dependabot No.
Dependabot uses package ecosystem identifiers. It does not generate the CPE identifiers needed for matching against the NVD.
Support for third-party and vendor SBOMs: Threat Detective Yes, Dependabot No.
Medical devices often include third-party components with supplier-provided SBOMs. Dependabot only analyses code in your own GitHub repositories.
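The NTIA minimum-element and identifier checks listed above, as an added example that is not Threat Detective's or GitHub's code: a small checker over a CycloneDX JSON SBOM (constructed inline) that reports, per component, which of the seven NTIA minimum elements are missing, including whether the component carries a purl, CPE or SWID tag that a vulnerability-database match would need. Field names follow the CycloneDX JSON schema; treating metadata.tools as an acceptable "author of SBOM data" is an assumption of this example, as are the component names and versions.

```python
"""Check a CycloneDX JSON SBOM against the NTIA minimum elements.

Added example, not Threat Detective's or GitHub's code. The SBOM below is
constructed for the example; field names follow the CycloneDX JSON schema.
"""
import json

# Constructed SBOM: the second component has no supplier, no identifier,
# and no entry in the dependency graph, so it should produce three findings.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "timestamp": "2024-05-01T10:00:00Z",
        "authors": [{"name": "Example Device Co"}],  # constructed author
        "component": {"type": "device", "bom-ref": "root",
                      "name": "infusion-pump-fw", "version": "1.3.0"},
    },
    "components": [
        {"type": "library", "bom-ref": "zlib", "name": "zlib", "version": "1.2.13",
         "supplier": {"name": "zlib contributors"},
         "purl": "pkg:generic/zlib@1.2.13",
         "cpe": "cpe:2.3:a:zlib:zlib:1.2.13:*:*:*:*:*:*:*"},
        {"type": "library", "bom-ref": "lwip", "name": "lwip", "version": "2.1.3"},
    ],
    "dependencies": [
        {"ref": "root", "dependsOn": ["zlib"]},
    ],
})


def validate_ntia(sbom_json: str) -> list[str]:
    """Return a list of findings; an empty list means every NTIA minimum element is present.

    NTIA minimum elements: supplier name, component name, component version,
    other unique identifiers, dependency relationship, author of SBOM data, timestamp.
    """
    bom = json.loads(sbom_json)
    findings: list[str] = []
    meta = bom.get("metadata", {})

    # SBOM-level elements: timestamp and author of the SBOM data.
    if not meta.get("timestamp"):
        findings.append("metadata.timestamp missing")
    # Assumption: a tools entry is accepted as the author of the SBOM data.
    if not meta.get("authors") and not meta.get("tools"):
        findings.append("metadata.authors missing (author of SBOM data)")

    # Dependency relationship: collect every bom-ref that appears in the graph.
    referenced = set()
    for dep in bom.get("dependencies", []):
        referenced.add(dep.get("ref"))
        referenced.update(dep.get("dependsOn", []))

    # Component-level elements.
    for comp in bom.get("components", []):
        ref = comp.get("bom-ref") or comp.get("name", "<unnamed>")
        if not comp.get("name"):
            findings.append(f"{ref}: component name missing")
        if not comp.get("version"):
            findings.append(f"{ref}: version missing")
        if not (comp.get("supplier") or {}).get("name"):
            findings.append(f"{ref}: supplier name missing")
        # A purl or CPE is what lets a scanner match the component against OSV or the NVD.
        if not (comp.get("purl") or comp.get("cpe") or comp.get("swid")):
            findings.append(f"{ref}: no unique identifier (purl/cpe/swid)")
        if ref not in referenced:
            findings.append(f"{ref}: not present in dependency graph")
    return findings


if __name__ == "__main__":
    for finding in validate_ntia(SAMPLE_SBOM):
        print(finding)
```

Run against the constructed SBOM, the checker flags only the lwip component (missing supplier, missing identifier, absent from the dependency graph); a component without a purl or CPE is exactly the one a database-driven scan silently skips, which is why the identifier check matters as much as the presence of a version.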
Vulnerability scanning
GitHub Advisory Database (reviewed advisories): Threat Detective Yes, Dependabot Yes.
NVD vulnerability database (full coverage): Threat Detective Yes, Dependabot No.
Dependabot only alerts on GitHub-reviewed advisories. Unreviewed NVD entries are imported into the database but do not trigger Dependabot alerts, leaving potential gaps in coverage.
OSV (Open Source Vulnerabilities): Threat Detective Yes, Dependabot No (alerts come from the GitHub Advisory Database only).
C and C++ dependency scanning: Threat Detective Yes, Dependabot No.
Dependabot does not support C or C++ ecosystems. This is a significant gap for medical device firmware and embedded software.
Docker container image vulnerability scanning: Threat Detective Yes, Dependabot No (base image tag updates only).
Dependabot can update Docker base image tags but does not scan container images for OS-level vulnerabilities. Medical devices with containerised components need separate tooling.
OS-level package vulnerabilities (apt, yum): Threat Detective Yes, Dependabot No.
Dependabot does not scan operating system packages. Devices running Linux-based firmware have dependencies that fall outside its scope.
Regulatory documentation
FDA eSTAR-format cybersecurity documentation: Threat Detective Yes, Dependabot No.
Dependabot does not generate documentation in any regulatory format.
MITRE CVSS rubric for cybersecurity risk scoring: Threat Detective Yes, Dependabot No.
Threat Detective implements the MITRE CVSS rubric used by FDA reviewers to evaluate cybersecurity risks, and documents the scoring process as evidence for your submission.
Vulnerability triage with eSTAR-grade evidence: Threat Detective Yes, Dependabot No.
Dependabot alerts can be dismissed with a reason (fix started, tolerable risk, inaccurate, no bandwidth), but this does not produce the structured risk-acceptance evidence that FDA expects in an eSTAR. There is no documentation of mitigations, residual risk, or clinical context.
Submission-ready PDF reports: Threat Detective Yes, Dependabot No.
Post-market surveillance reports: Threat Detective Yes, Dependabot No.
Audit trail for compliance evidence: Threat Detective Yes, Dependabot No (alert history only).
Dependabot alert history is available in GitHub but is not designed for regulatory audit trails. Alert dismissals lack the structured rationale regulators expect.
Post-market monitoring
Monitor multiple software versions simultaneously: Threat Detective Yes, Dependabot No.
Dependabot security alerts only run against the default branch. Medical devices typically have multiple software versions deployed in hospitals at the same time (e.g. v1.2, v1.3, v2.0). Dependabot cannot monitor older release branches for new vulnerabilities, creating blind spots in post-market surveillance. Threat Detective monitors each SBOM version independently.
Continuous CVE monitoring after device clearance: Threat Detective Yes, Dependabot Default branch and supported ecosystems only.
Dependabot monitors for new vulnerabilities only on the default branch, and only in supported ecosystems. It does not monitor third-party SBOMs, unsupported ecosystems, or older release branches.
Alerting for newly disclosed vulnerabilities: Threat Detective Yes, Dependabot Yes (GitHub-reviewed advisories, supported ecosystems, default branch only).
Both platforms alert on new disclosures, though Dependabot is limited to GitHub-reviewed advisories in supported ecosystems on the default branch only.
Periodic post-market reports for regulators: Threat Detective Yes, Dependabot No.
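The multi-version blind spot described above (and in the architecture paragraph earlier on this page), as an added example that is not Threat Detective's or GitHub's code: given one component list per deployed device release and a newly disclosed advisory in OSV-style introduced/fixed form, report which releases ship an affected build, and compare that with what a scanner that only looks at the default branch would see. The release numbers, component purls and the advisory are all constructed; version comparison is numeric-dotted only, which is an assumption that would not hold for ecosystems with richer version schemes.

```python
"""Match a newly disclosed advisory against every deployed SBOM version.

Added example, not Threat Detective's or GitHub's code. The per-release
component lists and the advisory are constructed; in practice each list would
come from that release's CycloneDX/SPDX file and the advisory from OSV or NVD.
"""

# Constructed: components of each device software release still deployed in the field.
DEPLOYED_SBOMS = {
    "1.2": ["pkg:generic/zlib@1.2.11", "pkg:generic/lwip@2.1.2"],
    "1.3": ["pkg:generic/zlib@1.2.13", "pkg:generic/lwip@2.1.3"],
    "2.0": ["pkg:generic/zlib@1.3.1", "pkg:generic/lwip@2.1.3"],
}

# Constructed advisory (not a real CVE) in OSV-style introduced/fixed form.
ADVISORY = {
    "id": "EXAMPLE-2024-0001",
    "package": "pkg:generic/zlib",
    "introduced": "1.2.0",
    "fixed": "1.3.0",
}


def split_purl(purl: str) -> tuple[str, str]:
    """Split 'pkg:type/name@version' into (package part, version).

    Qualifiers and subpaths are not handled; that is a simplification for the example.
    """
    base, _, version = purl.rpartition("@")
    return base, version


def version_key(version: str) -> tuple[int, ...]:
    """Assumption: dotted numeric versions only. Other schemes need a scheme-aware comparator."""
    return tuple(int(part) for part in version.split("."))


def is_affected(purl: str, advisory: dict) -> bool:
    """True if the component is the advisory's package and lies in [introduced, fixed)."""
    base, version = split_purl(purl)
    if base != advisory["package"]:
        return False
    v = version_key(version)
    return version_key(advisory["introduced"]) <= v < version_key(advisory["fixed"])


def affected_releases(sboms: dict, advisory: dict) -> dict[str, list[str]]:
    """Return {release: [affected component purls]} across every deployed SBOM version."""
    hits: dict[str, list[str]] = {}
    for release, components in sboms.items():
        matched = [c for c in components if is_affected(c, advisory)]
        if matched:
            hits[release] = matched
    return hits


def default_branch_view(sboms: dict, advisory: dict, default_release: str) -> dict[str, list[str]]:
    """What a scanner that only inspects the default branch sees: one release, nothing older."""
    return affected_releases({default_release: sboms[default_release]}, advisory)


if __name__ == "__main__":
    print("all releases:", affected_releases(DEPLOYED_SBOMS, ADVISORY))
    print("default branch (2.0) only:", default_branch_view(DEPLOYED_SBOMS, ADVISORY, "2.0"))
```

With the constructed data, releases 1.2 and 1.3 ship an affected zlib while 2.0 does not, so the default-branch-only view reports nothing at all: the two releases still running in hospitals would never raise an alert. Keeping one SBOM per shipped release, rather than one per repository, is what makes the first query possible.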
Pricing and access
Vulnerability alerts included free: Threat Detective 14-day free trial, Dependabot Yes.
Dependabot alerts and security updates are free for all public and private repositories on GitHub. Threat Detective offers a 14-day free trial with full platform access.
SBOM export included free: Threat Detective Yes, Dependabot Yes.
Both platforms include SBOM export. GitHub exports from the dependency graph in SPDX format. Threat Detective supports both CycloneDX and SPDX.
Regulatory documentation included: Threat Detective Yes, Dependabot No.
FDA-ready documentation, CVSS rubric scoring, and submission-ready reports are included in all Threat Detective plans. Dependabot does not offer regulatory documentation.
Unlimited team members: Threat Detective Yes, Dependabot Depends on GitHub plan.
Threat Detective allows unlimited team members on all plans. GitHub team member limits depend on your GitHub plan.
Dependabot vs Threat Detective: pricing comparison
Dependabot is free. But free vulnerability alerts without regulatory documentation still leave a gap that medical device teams need to fill manually.
GitHub Dependabot
Included with GitHub
- Dependabot alerts: free (all plans)
- Security updates (auto PRs): free (all plans)
- SBOM export: free (all plans)
- FDA documentation: not available
Dependabot is free but produces no regulatory documentation. Medical device teams must manually create eSTAR submissions, CVSS risk assessments, and post-market reports from Dependabot output.
Threat Detective pricing
Per medical device project
- Self-Guided: £149/month
- Accelerated Programme: £1,750 first month, then £149/month
- Private Cloud: from £14,400/year
All plans include full SBOM management, vulnerability scanning across all ecosystems, regulatory documentation, and unlimited team members. See full pricing details.
When Dependabot is the right tool
This is not an either-or decision. Most medical device teams using GitHub should keep Dependabot enabled alongside Threat Detective.
Keep Dependabot enabled for day-to-day development. It automatically creates pull requests when dependencies have known vulnerabilities, keeping your codebase current. It is free, low-friction, and already integrated into your GitHub workflow. For development hygiene, it is a sensible default.
Add Threat Detective when you need to produce cybersecurity documentation for a regulatory submission. Dependabot alerts tell your developers what to fix. Threat Detective tells your regulators what you found, how you assessed the risk using the MITRE CVSS rubric, what you decided to accept or mitigate, and provides the formatted evidence for your eSTAR submission. It also covers the ecosystems Dependabot misses: C/C++, container images, OS packages, and third-party vendor SBOMs.
Use both together for a complete workflow: Dependabot catches issues during development, and Threat Detective documents everything for your submission and ongoing post-market surveillance. If you need help setting up this workflow, our consulting team can advise.
Considering other tools? See how Threat Detective compares to Snyk, a commercial developer security platform.
Ready to get your SBOM submission-ready?
Start a 14-day free trial. Upload your SBOM, run vulnerability analysis, and generate your first regulatory report. No credit card required.