HTMwire assessment
Virta Labs makes OpenSecOps, an API-first, MIT-licensed open-core security platform for healthcare infrastructure. It combines BlueFlow asset management, Tapirx passive medical device discovery, and VulnFWRD AI risk orchestration, with FDA SBOM generation and NIST CSF alignment. Hospitals can self-host it. The company is ARPA-H and NSF SBIR funded and was founded by University of Michigan medical-device-security researchers, aiming at HTM, clinical engineering, and IT teams that want inspectable, deployable device security.
An open-source, self-hostable, API-first device security platform (BlueFlow + Tapirx + VulnFWRD) you can inspect and deploy on your own terms, from a team with deep academic roots in medical device security.
HTMwire's independent read on the technology — not the vendor's marketing claim.
Virta Labs ships VulnFWRD, an AI risk-orchestration engine that prioritizes device vulnerabilities and risk; it builds on the founders' machine-learning research in medical device and power analysis.
OpenSecOps is Virta Labs' API-first, MIT-licensed open-core security platform for healthcare infrastructure. It bundles BlueFlow asset management, Tapirx passive medical device discovery, and VulnFWRD AI risk orchestration, with FDA SBOM generation and NIST CSF alignment. Hospitals can self-host it and inspect the source.
No. Its Tapirx component does passive device discovery with no agent or hardware on the devices, which matters for fragile clinical equipment that cannot tolerate active probing. That makes it lower-risk for inventorying and assessing connected medical devices.
Yes. Virta Labs uses an MIT-licensed open-core model, so you can inspect, extend, and self-host the platform. The company is ARPA-H and NSF SBIR funded, which is unusual among device-security vendors and appeals to teams that want transparency and control over deployment.
Yes to both. The platform is FDA SBOM ready and generates software bills of materials for connected devices, and its VulnFWRD engine applies AI to orchestrate and prioritize device vulnerability and risk. It is built by University of Michigan medical-device-security researchers Kevin Fu and Denis Foo Kune.
We cite a primary or named source for every claim on this page. How we evaluate →