When should we conduct penetration testing?

Ideally, penetration testing should be performed during development (shift-left approach) and before regulatory submission. Regular testing is also recommended for post-market surveillance.

What's the difference between vulnerability scanning and penetration testing?

Vulnerability scanning uses automated tools to identify known vulnerabilities. Penetration testing involves manual testing by security experts who attempt to exploit vulnerabilities and chain attacks, providing deeper insights into real-world risks.

How do you ensure patient safety during testing?

We always conduct tests in isolated environments using test devices. We never test on production systems or devices actively used for patient care. Our methodology prioritizes safety and follows medical device testing best practices.

What deliverables do we receive?

You receive a detailed technical report with vulnerability descriptions, proof-of-concept code, risk ratings, and specific remediation guidance. We also provide an executive summary and support for regulatory submissions.

Can you help with regulatory submissions?

Yes, our reports are designed to support regulatory submissions. We provide detailed test evidence and technical findings that demonstrate compliance with cybersecurity requirements for MDR and other EU regulations.

HEALTHCARE CYBERSECURITY EXPERTS

Secure in use.
Secure in your audit.

We give MDR manufacturers the audit-ready cybersecurity evidence their Notified Body demands under IEC 81001-5-1 — from pentests and secure code reviews to the compliance documentation that makes them count. Hospitals turn to us for §17 MPBetreibV assessments; healthcare cloud operators for C5 readiness.

Book an intro call

01100101 01111000 01110000 01100101 01110010 01110100 01110011 01100101 01100011 01110101 01110010 01101001 01110100 01111001 01110011 01100101 01110010 01110110 01101001 01100011 01100101 01110011 01100100 01100001

Trusted by MedTech Innovators

WHO WE SERVE

Three audiences. One specialty.

You build a medical device

Your Notified Body demands cybersecurity evidence under IEC 81001-5-1. We deliver it — pentests, secure code reviews, and the compliance documentation that makes them count.

MDR cybersecurity

You run IT in a hospital or clinic

§17 MPBetreibV requires independent security assessments for medical device software in clinical operation. We handle them and deliver reports for your device logbook.

§17 MPBetreibV testing

You process patient data in the cloud

§393 SGB V makes a C5 Type 2 attestation mandatory. We prepare you end-to-end — from control mapping to audit-ready evidence.

C5 readiness

Our Team

Meet our qualified experts who combine academic research with years of practical cybersecurity experience, specializing in medical device security and compliance.

Dr. rer. nat. Simon Weber

Senior Penetration Tester & Security Researcher

PhD security researcher who found critical vulnerabilities in hospital systems and contributed to the B3S hospital security standard (BAK MV). Simon turns academic rigor into audit-ready results that protect real patients.

Education:PhD in Network Security, Heinrich Heine University Düsseldorf. M.Sc. Computer Science

Experience:IT Security Advisor at HHU Rectorate, CERT team member, Alumni of the THB MedSec research group, responsible disclosure of vulnerabilities in open-source healthcare software, gematik Security Heroes

Specialization:Medical device security, hospital IT security, MDR compliance

Dipl.-Inf. Volker Schönefeld

Senior Penetration Tester & Application Security Expert

20+ years as CTO. 50+ million app downloads. Teams up to 35 experts. IoT fleets with thousands of devices. Volker brings deep security expertise and makes complex compliance simple.

Education:Diploma in Computer Science (equiv. Master's), RWTH Aachen University. Research at UC San Diego (UCSD) during diploma thesis.

Professional Development:Certified Web Exploitation Specialist (CWES) with continuous security research and practical skills development through various platforms and methodologies, gematik Security Heroes

Specialization:Medical device security (penetration testing, DiGA assessments), enterprise security (IoT, secure architecture, SDLC consulting), application security (mobile, web, AI)

PROOF, NOT PROMISES

Critical vulnerabilities in healthcare,
responsibly disclosed.

We don't just test: we find critical vulnerabilities in healthcare systems and coordinate their disclosure with vendors and authorities. Our public track record across gematik, Orthanc, DCMTK, and the Robert Koch Institute is how our clients know our pentests find what matters.

Published advisories

Critical severity

High severity

Vendors coordinated

Recognition

gematik Security Heroes

Named Security Heroes by gematik for coordinated disclosure of critical vulnerabilities in Germany's healthcare authentication infrastructure.

See all advisories

What Our Clients Say

Hear from teams we've worked with

“We have been working with Machine Spirits for several years and value their technical expertise and straightforward collaboration. Their actionable recommendations have been instrumental in sustainably strengthening the protection of the patient data entrusted to us.”

Lucas Habrich

CTO, dermanostic GmbH

“As a security partner for our DiGA, Machine Spirits impressed us with their in-depth pentests. Their competent TR-03161 consulting and clear recommendations were crucial in meeting the demanding BSI requirements quickly and securely.”

Leon Hillebrandt

CTO, Elona Health GmbH

“Machine Spirits helped uncover vulnerabilities in our platform early with a structured and in-depth pentest before we went through MDR certification. The clear reports and pragmatic communication helped us quickly close security gaps and efficiently update our documentation.”

Marcus Hott

CTO, Noah Labs GmbH

View All Testimonials

Our Expertise

We specialize in cybersecurity for healthcare: medical devices, hospital infrastructure, and cloud compliance.

Contact Us

Get in touch to discuss your security requirements.

Phone

+49 221 65031192

Email

[email protected]

Response Time

We typically respond to all inquiries within 24 hours during business days.

Average response time: 6-12 hours

Call Us Email Us

Secure in use.
Secure in your audit.

Three audiences. One specialty.

You build a medical device

You run IT in a hospital or clinic

You process patient data in the cloud

Our Team

Dr. rer. nat. Simon Weber

Dipl.-Inf. Volker Schönefeld

Critical vulnerabilities in healthcare,
responsibly disclosed.

What Our Clients Say

Our Expertise

MDR Penetration Testing

DICOM & PACS Security

Secure Code Review

Hospital IT Security

C5 Cloud Compliance

AI & LLM Security

Contact Us

Phone

Email

Response Time

Send Us a Message

Secure in use.Secure in your audit.

Three audiences. One specialty.

You build a medical device

You run IT in a hospital or clinic

You process patient data in the cloud

Our Team

Dr. rer. nat. Simon Weber

Dipl.-Inf. Volker Schönefeld

Critical vulnerabilities in healthcare,responsibly disclosed.

What Our Clients Say

Our Expertise

MDR Penetration Testing

DICOM & PACS Security

Secure Code Review

Hospital IT Security

C5 Cloud Compliance

AI & LLM Security

Contact Us

Phone

Email

Response Time

Send Us a Message

Secure in use.
Secure in your audit.

Critical vulnerabilities in healthcare,
responsibly disclosed.