AI Security CoWorker Completes Vulnerability Assessment for BiPSEE's "VR Depression Treatment System (tentative)"
CoWorker Inc., an AI security solution provider, announced the completion of a black-box penetration test (vulnerability assessment) for BiPSEE Inc.'s "VR Depression Treatment System (tentative)," confirming no critical vulnerabilities.
📋 Article Processing Timeline
- 📰 Published: May 7, 2026 at 19:00
- 🔍 Collected: May 7, 2026 at 10:31
- 🤖 AI Analyzed: May 7, 2026 at 11:49 (1h 17m after Collected)
CoWorker Inc. (Headquarters: Shinjuku-ku, Tokyo; Representative Director: Kazuki Yamasato; hereinafter "the Company" or "CoWorker"), which develops and provides AI security solutions, announced that it has completed a third-party black-box penetration test (vulnerability assessment) for the "VR Depression Treatment System (tentative name) (hereinafter VR Depression Treatment System)" currently under development by BiPSEE Inc. (Shibuya-ku, Tokyo; Representative Director: Masayo Matsumura; hereinafter "BiPSEE").
This system is a VR depression treatment system (VR DTx) designated by the Ministry of Health, Labour and Welfare as a "priority review item for program medical devices." The Company supported the security assurance of this software medical device, which handles medical data, using its AI-powered autonomous vulnerability assessment platform "Red Agent."
*Reference
AI Security CoWorker Achieves Success Rate Exceeding "Skilled Pen Tester Level" in Black-Box Penetration Testing
https://prtimes.jp/main/html/rd/p/000000017.000156001.html
## Key Points
- Penetration Testing for a System Aiming to Become a Program Medical Device
BiPSEE's VR depression treatment system has been designated as a priority review item by the Ministry of Health, Labour and Welfare and aims for approval as a Class II medical device. To meet the high safety standards required for medical devices, the Company conducted a black-box vulnerability assessment targeting the system's external interfaces and communication processing.
- AI-Powered Autonomous Assessment Achieves Skilled Pen Tester Level Inspection in a Short Period
Utilizing CoWorker's "Red Agent," vulnerabilities were explored without referring to source code or internal structures. The assessment was completed in a few days, significantly reducing man-hours compared to traditional manual assessments while mitigating the risk of undetected vulnerabilities.
- Contribution to Data Protection and Patient Safety
The assessment found no critical vulnerabilities, confirming that the system meets security requirements. Minor improvements identified were shared with BiPSEE, and early action will contribute to protecting medical data and enhancing patient safety.
- Expanding Security Support for the Digital Therapy Sector
Against the backdrop of limited remission rates for standard antidepressant-centric treatments and a low domestic implementation rate of cognitive behavioral therapy (approximately 6%), BiPSEE's VR system is being developed as a solution using cognitive behavioral therapy methods, aiming for digitalization and personalization.
Through this verification, the Company emphasizes the importance of ensuring security in the rapidly growing digital therapy sector and will continue to strengthen its support for medical device development companies.
## Background: About the VR Depression Treatment System
Since 2020, BiPSEE has been conducting research and development of VR digital therapy for the treatment of depression. Approximately 5 million people in Japan and 300 million worldwide suffer from depression, with numbers increasing due to factors such as the COVID-19 pandemic. In many cases, traditional antidepressant treatments alone are not sufficiently effective, with only one in three patients achieving remission with the initial antidepressant. Furthermore, the domestic implementation rate of cognitive behavioral therapy remains low at 6%.
BiPSEE's VR depression treatment system aims to achieve personalized medicine for each patient using a digitalized cognitive behavioral therapy approach in a VR environment. Such program medical devices are Software as a Medical Device (SaMD), where the software itself is a medical device. The Ministry of Health, Labour and Welfare has been piloting a system for priority consultation and review since fiscal year 2022, based on requirements tailored to their characteristics. A Class II medical device manufacturing and sales business is responsible for the shipment and distribution of Class II medical devices (controlled medical devices), which are products with relatively low risk to the human body.
## Overview of Penetration Testing
CoWorker believes it is crucial to evaluate medical device security under the same conditions as real attackers. This test was conducted under the following conditions:
- Black-Box Assessment Conditions
The assessment explored attack paths based solely on public interfaces and operational logs, without any reference to the target system's source code or design information.
- Automated Assessment by Red Agent
The AI agent autonomously generated and executed multiple attack patterns to verify the presence of vulnerabilities. By applying flag-capture benchmark methods, a mechanism was introduced to automatically detect successful attacks.
- Test Period and Scope
The test was conducted in February 2026, covering web applications, API endpoints, user authentication, and more.
This system is a VR depression treatment system (VR DTx) designated by the Ministry of Health, Labour and Welfare as a "priority review item for program medical devices." The Company supported the security assurance of this software medical device, which handles medical data, using its AI-powered autonomous vulnerability assessment platform "Red Agent."
*Reference
AI Security CoWorker Achieves Success Rate Exceeding "Skilled Pen Tester Level" in Black-Box Penetration Testing
https://prtimes.jp/main/html/rd/p/000000017.000156001.html
## Key Points
- Penetration Testing for a System Aiming to Become a Program Medical Device
BiPSEE's VR depression treatment system has been designated as a priority review item by the Ministry of Health, Labour and Welfare and aims for approval as a Class II medical device. To meet the high safety standards required for medical devices, the Company conducted a black-box vulnerability assessment targeting the system's external interfaces and communication processing.
- AI-Powered Autonomous Assessment Achieves Skilled Pen Tester Level Inspection in a Short Period
Utilizing CoWorker's "Red Agent," vulnerabilities were explored without referring to source code or internal structures. The assessment was completed in a few days, significantly reducing man-hours compared to traditional manual assessments while mitigating the risk of undetected vulnerabilities.
- Contribution to Data Protection and Patient Safety
The assessment found no critical vulnerabilities, confirming that the system meets security requirements. Minor improvements identified were shared with BiPSEE, and early action will contribute to protecting medical data and enhancing patient safety.
- Expanding Security Support for the Digital Therapy Sector
Against the backdrop of limited remission rates for standard antidepressant-centric treatments and a low domestic implementation rate of cognitive behavioral therapy (approximately 6%), BiPSEE's VR system is being developed as a solution using cognitive behavioral therapy methods, aiming for digitalization and personalization.
Through this verification, the Company emphasizes the importance of ensuring security in the rapidly growing digital therapy sector and will continue to strengthen its support for medical device development companies.
## Background: About the VR Depression Treatment System
Since 2020, BiPSEE has been conducting research and development of VR digital therapy for the treatment of depression. Approximately 5 million people in Japan and 300 million worldwide suffer from depression, with numbers increasing due to factors such as the COVID-19 pandemic. In many cases, traditional antidepressant treatments alone are not sufficiently effective, with only one in three patients achieving remission with the initial antidepressant. Furthermore, the domestic implementation rate of cognitive behavioral therapy remains low at 6%.
BiPSEE's VR depression treatment system aims to achieve personalized medicine for each patient using a digitalized cognitive behavioral therapy approach in a VR environment. Such program medical devices are Software as a Medical Device (SaMD), where the software itself is a medical device. The Ministry of Health, Labour and Welfare has been piloting a system for priority consultation and review since fiscal year 2022, based on requirements tailored to their characteristics. A Class II medical device manufacturing and sales business is responsible for the shipment and distribution of Class II medical devices (controlled medical devices), which are products with relatively low risk to the human body.
## Overview of Penetration Testing
CoWorker believes it is crucial to evaluate medical device security under the same conditions as real attackers. This test was conducted under the following conditions:
- Black-Box Assessment Conditions
The assessment explored attack paths based solely on public interfaces and operational logs, without any reference to the target system's source code or design information.
- Automated Assessment by Red Agent
The AI agent autonomously generated and executed multiple attack patterns to verify the presence of vulnerabilities. By applying flag-capture benchmark methods, a mechanism was introduced to automatically detect successful attacks.
- Test Period and Scope
The test was conducted in February 2026, covering web applications, API endpoints, user authentication, and more.