HTMwire
Virta Labs logo

Virta Labs

Device Security Platforms

HTMwire assessment

Virta Labs makes OpenSecOps, an API-first, MIT-licensed open-core security platform for healthcare infrastructure. It combines BlueFlow asset management, Tapirx passive medical device discovery, and VulnFWRD AI risk orchestration, with FDA SBOM generation and NIST CSF alignment. Hospitals can self-host it. The company is ARPA-H and NSF SBIR funded and was founded by University of Michigan medical-device-security researchers, aiming at HTM, clinical engineering, and IT teams that want inspectable, deployable device security.

Key Features

  • OpenSecOps API-first security platform (MIT-licensed open core)
  • BlueFlow asset management for healthcare infrastructure
  • Tapirx passive medical device discovery (no agent on devices)
  • VulnFWRD AI risk orchestration for vulnerability prioritization
  • FDA SBOM generation and NIST CSF alignment, self-hosted option

What It Helps You Do

Inventory devices passively Generate device SBOMs Prioritize device risk with AI

What Sets Them Apart

An open-source, self-hostable, API-first device security platform (BlueFlow + Tapirx + VulnFWRD) you can inspect and deploy on your own terms, from a team with deep academic roots in medical device security.

How Virta Labs Uses AI

Uses AI/ML Machine Learning

HTMwire's independent read on the technology — not the vendor's marketing claim.

Virta Labs ships VulnFWRD, an AI risk-orchestration engine that prioritizes device vulnerabilities and risk; it builds on the founders' machine-learning research in medical device and power analysis.

  • AI risk orchestration. VulnFWRD prioritizes device vulnerabilities and cyber risk so HTM and security teams focus remediation where it matters most.

Key Numbers

  • ARPA-H funded
  • NSF SBIR funded
  • MIT-licensed open core

Tags

medical-device-security asset-inventory sbom passive-discovery open-source

Trust Signals

Founders
Co-founded by Prof. Kevin Fu and Denis Foo Kune (University of Michigan medical-device-security researchers)
Customers
Healthcare delivery organizations (HTM, clinical engineering, and IT teams)
Investors / Funding
ARPA-H and NSF SBIR funded; University of Michigan spinout

Frequently Asked Questions

What is Virta Labs OpenSecOps?

OpenSecOps is Virta Labs' API-first, MIT-licensed open-core security platform for healthcare infrastructure. It bundles BlueFlow asset management, Tapirx passive medical device discovery, and VulnFWRD AI risk orchestration, with FDA SBOM generation and NIST CSF alignment. Hospitals can self-host it and inspect the source.

Does Virta Labs require agents or hardware on medical devices?

No. Its Tapirx component does passive device discovery with no agent or hardware on the devices, which matters for fragile clinical equipment that cannot tolerate active probing. That makes it lower-risk for inventorying and assessing connected medical devices.

Is Virta Labs open source?

Yes. Virta Labs uses an MIT-licensed open-core model, so you can inspect, extend, and self-host the platform. The company is ARPA-H and NSF SBIR funded, which is unusual among device-security vendors and appeals to teams that want transparency and control over deployment.

Does Virta Labs generate SBOMs and use AI?

Yes to both. The platform is FDA SBOM ready and generates software bills of materials for connected devices, and its VulnFWRD engine applies AI to orchestrate and prioritize device vulnerability and risk. It is built by University of Michigan medical-device-security researchers Kevin Fu and Denis Foo Kune.

Sources

  1. Virta Labs - OpenSecOps platform
  2. University of Michigan CSE - Virta Labs / PowerGuard

We cite a primary or named source for every claim on this page. How we evaluate →

Last updated: June 8, 2026