The Human Element in Embedded Device Security: Insights from a Red Teamer

Embedded device security demands more than scans. Discover how red teaming uncovers real-world vulnerabilities through human ingenuity and adversarial analysis.

Finite State Team

November 19, 2025

When it comes to securing embedded and connected devices, no amount of automation can replace human ingenuity. At Finite State, we believe that the key to meaningful product security lies not just in tools and data, but in people who know how to think like an adversary.

That’s where experts like Larry Pesce come in.

As VP of Services and a seasoned red teamer, Larry brings decades of hands-on offensive security experience, particularly in complex, resource-constrained environments such as medical devices, automotive systems, and industrial controls. Through Finite State’s penetration testing and validation services, Larry and his team work with product security leaders to uncover vulnerabilities, stress test assumptions, and improve resilience—before attackers do.

Here’s what we’ve learned from his approach.

What Red Teaming Looks Like in Embedded Environments

Red teaming in embedded systems isn’t your average network pen test. It’s hands-on, hardware-aware, and often constrained by legacy architectures, vendor tooling, and black-box components. As Larry puts it:

“Embedded device testing is less about ‘point-and-click’ exploits and more about understanding the ecosystem—firmware, cloud services, APIs, physical interfaces—and finding where assumptions break down.”

It’s this holistic mindset that separates real product security testing from checkbox compliance.

Finite State’s red teamers operate at every layer:

  • Hardware interfaces: JTAG, UART, SWD, and side-channel access
  • Firmware analysis: Binary diffing, configuration review, static analysis
  • Cloud and mobile: Auth mechanisms, API endpoints, session management
  • Radio and physical attack surfaces: BLE, Zigbee, Wi-Fi, cellular connectivity

The goal? Simulate real-world adversary behavior with the same constraints they face and uncover weaknesses across the full attack surface.

Why the Human Element Matters

Even with advanced automated tools and rich SBOM data, embedded device security still suffers from one major gap: context.

That’s where the human element comes in. Larry’s team doesn’t just scan; they explore. They ask:

  • Does this vulnerability pose a real exploit path?
  • What assumptions did the developer make?
  • Can this issue cascade across components or devices?
  • Would an attacker have motive, access, or opportunity?

This kind of reasoning is what makes red teaming so impactful. And it’s why Finite State Services doesn’t just deliver a list of findings—we provide insights that prioritize fixes, validate impact, and often uncover systemic issues product teams weren’t even aware of.

Why It Matters

Build secure products, not just secure features
By simulating adversaries early in the development process, teams can design with security in mind, rather than bolt it on later.

Accelerate regulatory readiness
Embedded red teaming maps closely to regulatory expectations for independent testing and validation under frameworks like the Cyber Resilience Act (CRA), FDA 524B, and the Cyber Trust Mark.

Strengthen your security culture
Red team exercises help engineering and product teams understand real-world threats and think defensively from the start.

Avoid costly surprises
Catching a critical issue before launch is far cheaper than patching it in the field or recovering from a breach.

Partner With Finite State’s Red Team Experts

Whether you’re launching a next-gen medical device, securing vehicle telematics, or bringing transparency to your firmware supply chain, our Services team is here to help.

We combine deep technical knowledge, an adversarial mindset, and a collaborative approach to help you uncover what matters and fix it fast.

Learn more about Finite State Penetration Testing or book a compliance consultation to get started.

Tags: Embedded Security, Penetration Testing
Finite State Team

The Finite State team brings together experts in cybersecurity, embedded systems, and software supply chain risk to help connected device manufacturers secure their products and comply with evolving global regulations.
