Fast Track · FDA deficiency letters & submissions

On the clock with your FDA SBOM?
Get it submission-ready, fast.

Fast Track pairs an expert with your team to get your medical device SBOM and vulnerability evidence submission-ready in two to four weeks, and leaves your team ready to keep it current long after clearance.

Free 30-minute scoping call · Fixed fee, quoted up front · You keep every artifact

Who this suits

When the SBOM is what’s holding you up.

You’ve had an FDA letter

An Additional Information or deficiency letter cites cybersecurity gaps in your SBOM, and your clearance is on hold until you answer.

You’re weeks from submitting

The date is set, and the SBOM and its vulnerability evidence are the last piece between you and filing.

What Fast Track is

Done with you, not for you.

Fast Track is short, focused, expert help for one job: getting your SBOM and its vulnerability evidence submission-ready. We work on it with you inside Threat Detective, validating the SBOM against the FDA’s expectations, triaging the vulnerabilities that matter, and producing the audit-ready evidence a reviewer looks for. Then we hand you the keys. This isn’t a consultant on retainer. It’s time-boxed, fixed-scope, and built to leave your team self-sufficient. You don’t need a security hire. If you can describe your device’s software, you can do the work; the judgment calls are what the workshops are for.

How we work

Live sessions with your team, Slack in between.

The engagement runs to your deadline, usually two to four weeks, in a steady rhythm: a live session with your team, homework in the platform, a review in Slack, then the next session. Expect to put in more hours than we do. That’s by design. It’s how your team learns to run it without us.

Between sessions

A dedicated channel.

Slack or Teams, whichever your team uses. Post your homework as you go, ask questions, get a quick review. You keep momentum between sessions, and nothing waits a week for an answer.

Who you’ll work with

Alan Parkinson.

Founder of Threat Detective, with over 25 years in regulated software engineering. He runs every Fast Track engagement personally.

  1. Before we start

    Scoping call

    Free, 30 minutes

    Where your SBOM stands, what the FDA asked, and a fixed-fee quote. No obligation.

  2. Week one

    Validate the SBOM

    Workshop

    We align on your device and the finish line, bring your SBOM into the platform, and run it against the FDA’s expectations.

    Your homework

    Chase the supplier and version data and close the gaps the validation found, with us reviewing in Slack.

  3. Week two

    Triage together

    Workshop

    We make the first exploitability calls and write the first rationale together, so your team learns the method.

    Over to you

    Work the remaining queue and draft the rationale for each decision, posting it as you go for review.

  4. Final week

    Review and harden

    Workshop

    We go through your calls together, tighten the judgment where it needs it, and generate your submission documentation.

    Handover

    We walk through the maintenance loop, so your team runs it from here.

  5. Submission-ready.

    Your evidence is ready, monitoring is on, and your team owns it.

A bigger SBOM or a longer letter adds workshop weeks in the middle. The shape stays the same.

What we do

The work, and what each part is for.

Understand your device
A working session on your software, components, and regulatory pathway, and any FDA letter you have had.

Bring your SBOM into the platform
Load your CycloneDX or SPDX, or generate one if you do not have it yet.

Check it against FDA expectations
Validate to the NTIA minimum elements, and find the gaps reviewers send back.

Close the gaps reviewers reject
Missing versions, unidentified components, absent suppliers.

Find the vulnerabilities
Match every component against NVD, GitHub Advisory, and CISA KEV.

Triage what matters, together
Decide what is genuinely exploitable in your device, and cut the noise to the decisions that count.

Document every decision
Captured with its rationale, audit-ready, with a full trail.

Produce your submission documentation
SBOM and vulnerability assessment ready for your eSTAR submission, with VEX or VDR where relevant.

Check against common deficiencies
Review against the SBOM and vulnerability issues the FDA most often cites.

Cover every cited item
If you have had a letter, we check that each SBOM and vulnerability item it cites is answered by your evidence.

Hand it over
Walk your team through it, and switch on continuous monitoring.

What you’ll receive

Named deliverables, all yours.

Threat Detective generates the documentation from the work we do together, and everything stays yours after the engagement ends.

  • A validated, submission-ready SBOM (CycloneDX or SPDX).
  • A documented vulnerability assessment: triage decisions, exploitability rationale, and a full audit trail.
  • Your SBOM and vulnerability documentation, ready for your eSTAR submission, with VEX or VDR where relevant.
  • Continuous monitoring configured in Threat Detective.
  • A six-month Pre-Market subscription to Threat Detective, included in the price.
  • A team that can maintain it, because they did it with us.

Expert help, without the dependency

You keep the evidence and the tool.

A consultant leaves a point-in-time report that is stale the next time a CVE drops. Fast Track leaves the evidence and the tool that keeps it current, because the whole thing is built on a platform you keep using. You get the same depth you would from a consultant, without the dependency.

Scope

What this covers, and what it doesn’t.

Fast Track is the SBOM and its vulnerability evidence, end to end. Being clear about where we stop is how you can rely on what we deliver.

What Fast Track covers

  • Your SBOM, validated against the NTIA minimum elements.
  • The vulnerability evidence: triage, exploitability rationale, audit trail.
  • Submission documentation ready for eSTAR, VEX or VDR where relevant.
  • A check against the deficiencies the FDA most often cites.

What it doesn’t

  • The wider cybersecurity file: threat model, security risk management, architecture views, cybersecurity management plan.
  • Penetration testing.
  • Drafting your formal response letter to the FDA, though the evidence will answer each cited item.
  • Non-cybersecurity parts of your submission.

If you need that, we’ll say so on the call, and point you in the right direction.

The engagement

$3,995.

Fixed fee · two-week engagement

  • Three workshops and a handover session, live with your team.
  • A dedicated channel between sessions, Slack or Teams.
  • Six months of the Pre-Market plan (a $1,134 value).
  • Everything generated stays yours.

Need longer? A larger SBOM or a longer letter adds workshop weeks at a fixed fee, agreed up front.

Why this price

A consultant charges up to $6,000 to produce SBOM documentation once, as a static report. Fast Track is $3,995 and leaves your team able to maintain it. The included plan becomes paid only if you choose to continue.

Alan takes two engagements a month, so dates are settled on the scoping call.

Questions

Straight answers.

Do I need an SBOM already?
No. If you have one in CycloneDX or SPDX, we validate it. If you do not, we help you generate one as part of the engagement.

How much of my team’s time does it take?
Plan on the live session each week, plus a few focused hours per person between sessions: chasing supplier and version data, preparing triage decisions, drafting rationale. Your team does most of the hours, with our guidance. That is what makes them able to maintain it afterward.

How fast can we start?
We take two engagements a month, and when a slot is open we can usually start within a week of the scoping call. If you are working to an FDA response deadline, say so on the call and we plan the schedule around it.

What do you need from us before week one?
Your SBOM, or the ability to generate one. Someone who knows your device’s software. Your FDA letter, if you have one. That is it.

Does this cover the whole cybersecurity file?
No. Fast Track is the SBOM and its vulnerability evidence. If you need the wider file, we will tell you on the call and point you in the right direction.

Do you guarantee FDA clearance?
No one honestly can. We stand behind the process, the deliverables, and the speed: your SBOM and vulnerability evidence will be submission-ready.

What if I have time to do it myself?
Then use the product. It is built for exactly that, and it costs a fraction of an engagement. Fast Track is for when you don’t have that time.

What if we need more time?
Most teams will not. The workshops take on the hard problems first, so what remains at the end is the simple tail, and you will be equipped to finish it. If you want us longer, you can add a week for a fixed fee.

On the clock?
Let’s talk today.

A free 30-minute scoping call with Alan Parkinson, who delivers every engagement himself and takes two a month. You’ll leave knowing what’s involved, what it costs, and how soon we can start.

Not ready to talk? Start with the free SBOM checklist.