DJI has released the findings of the most extensive independent security assessment ever conducted on its drone systems, and the headline result: It seems there are zero critical, high, or medium-risk security findings across five months of adversarial testing by a U.S. cybersecurity firm.
The findings are relevant to anyone following the FCC’s December 2025 foreign drone ban — and to anyone who has been flying DJI hardware and wondering whether the security concerns underpinning the ban have any technical basis.
The assessment was conducted by a security firm called OnDefend, which tested the following drones: the DJI Air 3S with RC 2 controller and the DJI Matrice 4E with RC Plus 2 Enterprise controller. Testing ran from October 2025 through March 2026. Consumer units were purchased directly from retail outlets without pre-notification to DJI; enterprise units came from existing dealer stock. These were standard U.S. market distribution products, not specially prepared samples. OnDefend also used the study to explicitly recommend ongoing continuous testing as firmware updates are released.
“This is the most comprehensive independent security assessment ever undertaken on our products,” said Adam Welsh, DJI’s Head of Global Policy.
Now to be clear, DJI itself commissioned and paid for this assessment, so it should be met with some degree of skepticism. OnDefend conducted its study independently — and the retail purchase methodology theoretically offers a safeguard against DJI preparing special clean units for testing.
Still, the fundamental dynamic of a company funding its own security audit is worth holding onto. After all, companies don’t commission audits they expect to fail.
Why the audit was necessary
The anti-DJI case has also never been particularly grounded in documented technical evidence, and that matters too.
The FCC added DJI to the Covered List in December 2025 without identifying a single specific security vulnerability. The designation was purely based on categorical concerns about Chinese-manufactured technology, rather than any documented exploit, backdoor, or data exfiltration incident. DJI has been asking for an evidence-based technical review since the ban was announced, yet the FCC hasn’t produced one.
As far as real-world impacts of the ban go, it’s been bleak for drone pilots (and taxpayers or customers who indirectly benefit from drones). More than 80% of the 1,800-plus state and local law enforcement agencies that use drones said they rely on DJI drones specifically for search and rescue, accident reconstruction, and tactical overwatch. A Pilot Institute survey found 43% of drone business users believe they would face extremely negative or business-ending consequences from DJI restrictions.
As far as where we are today, DJI’s lawsuit against the FCC is ongoing. The FCC reconsideration process — which received over 3,000 public comments — is still pending. The Drone Advocacy Alliance celebrated the recent software update waiver extension to 2029 as a partial win while acknowledging the core ban remains in place.
This security assessment commissioned by DJI lands at a moment when the FCC is actively reconsidering its position. And with this, a clean audit from credible testers — even a company-funded one — makes it harder for the FCC to maintain that its Covered List designation is grounded in documented technical risk.
The post DJI paid for a security audit of its own drones, and here’s what it found appeared first on The Drone Girl.
