DJI Cybersecurity Assessment: What the OnDefend Audit Means for Public Safety and Enterprise Drone Programs
Introduction
DJI recently released the results of an independent cybersecurity assessment of the DJI Air 3S and DJI Matrice 4E, conducted by OnDefend, a U.S.-based cybersecurity firm whose team includes cybersecurity professionals with military, intelligence, and government security backgrounds.
The timing matters.
Agencies, infrastructure operators, and enterprise UAV teams are under increasing pressure to account for cybersecurity risk, procurement restrictions, and long-term fleet planning as FCC scrutiny and NDAA-related concerns continue shaping the drone industry in the U.S.
Many departments still rely heavily on DJI systems because the platforms are already embedded into day-to-day operations. Search and rescue workflows, thermal response deployments, mapping missions, pilot training, battery inventories, reporting software. Replacing that ecosystem is rarely simple.
Most organizations are not asking whether DJI aircraft are widely used. They already know the answer.
The harder question is what these findings actually change operationally.
The OnDefend assessment adds meaningful technical analysis to a discussion that has often been driven more by procurement policy and public speculation than publicly released forensic testing. It does not automatically settle agency policy debates or future regulatory direction in the U.S.
DJI Cybersecurity Assessment At a Glance
| Topic | Key Takeaway |
|---|---|
| Assessment Scope | DJI Air 3S and Matrice 4E evaluated by OnDefend |
| Main Finding | No critical, high, or medium-risk vulnerabilities reported |
| What Was Tested | Firmware, network traffic, RF communications, hardware, and applications |
| What It May Help Support | Internal cybersecurity reviews and fleet risk assessments |
| What the Assessment Does Not Change | NDAA restrictions, Blue UAS requirements, or procurement policies |
Quick Answer
The OnDefend cybersecurity assessment did not identify critical, high, or medium-risk vulnerabilities in the DJI Air 3S or DJI Matrice 4E during testing.
According to DJI’s published findings, the assessment did not uncover:
- Evidence of data transmission outside the United States
- Backdoors or unauthorized remote access mechanisms
- Unexplained RF emissions or covert RF channels
- Supply chain tampering or unauthorized hardware modifications
For agencies and enterprise drone teams already operating DJI systems, the findings may help support internal cybersecurity reviews and fleet risk assessments. The assessment does not change existing procurement restrictions or agency-specific policies in the U.S.
What OnDefend Tested Across DJI Hardware, Software, and Communications
According to DJI and OnDefend, the review covered both consumer and enterprise systems, specifically the DJI Air 3S with the RC 2 controller and the DJI Matrice 4E with the RC Plus 2 Enterprise controller.

Testing reportedly ran from October 2025 through March 2026 and focused on how the aircraft, controllers, applications, firmware, and communications systems behaved under different security conditions.
That distinction matters.
A lot of public discussion around drone cybersecurity stays vague. General claims. Broad assumptions. This review looked directly at how the systems handled communications, software behavior, and simulated attack attempts during operation.
Areas Evaluated During Testing
| Test Area | What It Evaluates |
|---|---|
| Firmware analysis | Malicious code or unexpected behavior |
| Network traffic monitoring | Unauthorized outbound communications |
| Application security testing | Software vulnerabilities and exploit risks |
| Hardware teardown inspections | Suspicious or unauthorized components |
| RF spectrum analysis | Hidden or unexpected wireless transmissions |
| Simulated replay/injection attacks | System response to spoofing or tampering attempts |
| Jailbreak and tampering tests | Resistance to unauthorized modification |
OnDefend also performed both static and dynamic analysis.
Static analysis reviews software code and system components without running the application live. Dynamic analysis looks at how the software behaves during actual operation. Together, those methods help identify suspicious activity, unexpected communications behavior, or abnormal outbound traffic.
The review also included RF spectrum testing from 1 MHz to 6 GHz to check whether the systems transmitted signals outside expected communications channels.
Investigators also performed hardware teardown inspections to examine internal components and look for unauthorized hardware modifications or suspicious embedded systems.
In practical terms, the testing was designed to determine whether the DJI systems showed signs of hidden data transmission, malicious firmware behavior, unauthorized communications activity, or exploitable security weaknesses during operation.
None of this means the platforms are immune from future cybersecurity risk. No connected system is.
Still, the scope of testing was broader and more technically detailed than most public discussions around drone security usually acknowledge.
Key Findings From the OnDefend Assessment
What Did the OnDefend Assessment Actually Find?
Based on DJI’s published findings, OnDefend did not uncover:
- Evidence of data transmission outside the United States
- Hidden RF communications
- Malicious firmware behavior
- Suspicious hardware components
- Critical, high, or medium-risk vulnerabilities
DJI stated that the DJI Air 3S and DJI Matrice 4E showed no critical, high, or medium-risk vulnerabilities during the assessment period.
The review also identified 10 low-risk findings and 13 observations. DJI stated the issues were consistent with industry norms for complex mobile and embedded systems and did not pose a realistic threat to safe drone operation or broad exposure of confidential information.
The report also stated that testing did not uncover evidence of unauthorized outbound communications, hidden RF activity, malicious firmware behavior, or suspicious hardware components within the evaluated systems.
Commercial UAV News, which independently reviewed the assessment findings, reported that the evaluation included firmware analysis, network traffic monitoring, hardware teardown inspections, RF spectrum testing, and adversarial attack simulations conducted over a five-month period. The publication noted that the testing focused on three areas often raised in national security discussions: data sovereignty, hardware vulnerabilities, and drone manipulation risks.
OnDefend also stated it identified no viable pathways for hijacking or weaponization during the testing window.
Key Findings At a Glance
| Test Area | Reported Finding |
|---|---|
| Network traffic analysis | No unauthorized outbound transmissions detected |
| Firmware inspection | No malicious code identified |
| RF spectrum testing | No hidden RF communications detected |
| Hardware teardown analysis | No suspicious hardware components identified |
| Application security testing | No critical, high, or medium-risk vulnerabilities reported |
These findings matter because much of the public discussion around DJI security has relied on speculation, procurement concerns, or political debate rather than publicly released forensic testing.
That does not mean DJI systems are risk-free. No connected platform is.
But based on the published findings, OnDefend did not uncover technical evidence supporting many of the commonly repeated claims surrounding hidden data transmission or malicious behavior within the tested DJI systems.
What the Findings Actually Mean for Existing DJI Fleet Operators
For organizations already operating DJI aircraft, the OnDefend assessment is less about approving a future purchase and more about managing current operational risk.
Many agencies and enterprise UAV teams already depend on DJI systems for:
- Search and rescue
- Infrastructure inspections
- Utility operations
- Mapping and surveying
- Emergency response
- Daily flight missions
In many cases, those aircraft are tied directly into pilot training, payload setups, reporting software, response procedures, and day-to-day workflows.
That changes the conversation.
For some departments and enterprise operators, the findings may help support:
- Internal cybersecurity reviews
- IT and legal discussions
- Risk management planning
- Fleet continuity discussions
- Executive oversight conversations
Operational Reality for Existing DJI Fleets
| Operational Concern | What the Assessment May Help Address |
|---|---|
| Internal IT/security reviews | Adds independent technical findings |
| Existing fleet risk assessments | Provides third-party testing data |
| Leadership concerns | Helps separate technical findings from speculation |
| Operational continuity planning | May reduce pressure for immediate fleet disruption |
Many organizations are not deciding whether to buy their first drone.
They are trying to manage fleets already built into operational workflows.
And replacing those fleets affects far more than the aircraft itself.
A platform transition can affect:
- Pilot certifications and retraining
- Thermal payload compatibility
- Mapping and inspection workflows
- Evidence management procedures
- Software ecosystems
- Battery inventories
- Maintenance operations
- Emergency response timelines
For agencies running DFR programs or operators managing inspection deliverables, even small workflow disruptions can create immediate operational problems.
Most departments are not looking at cybersecurity in isolation anymore. They are trying to balance security requirements with operational readiness, procurement rules, and the reality of keeping existing drone programs running.
Why DJI Security Concerns Still Affect Public Safety and Enterprise Procurement
Even with the OnDefend findings, DJI security concerns are not going away anytime soon in public safety and enterprise procurement discussions.
The reason is simple. Many of the restrictions affecting DJI were never based only on cybersecurity testing.
They are also tied to:
- Federal procurement policy
- Supply chain concerns
- Data sovereignty discussions
- NDAA restrictions
- FCC scrutiny
- Agency risk tolerance
This is where a lot of drone discussions start falling apart.
People often treat cybersecurity findings and procurement policy like they are the same thing. They are not.
Cybersecurity Review vs Procurement Restriction
| Cybersecurity Review | Procurement Restriction |
|---|---|
| Technical evaluation of system security | Policy-based purchasing limitation |
| Focuses on vulnerabilities and data handling | Focuses on compliance and supply chain concerns |
| Can support internal IT assessments | Does not guarantee purchasing approval |
A cybersecurity assessment looks for evidence of vulnerabilities, malicious behavior, hidden communications activity, or unauthorized data transmission during testing.
Procurement decisions are broader. They often involve manufacturer origin, federal guidance, supply chain exposure, funding rules, and long-term policy considerations.
Why Procurement Concerns Still Remain
| Concern Area | Why It Still Matters |
|---|---|
| FCC scrutiny | Regulatory discussions are still ongoing |
| NDAA restrictions | Some agencies still face procurement limitations |
| Blue UAS requirements | Certain government programs require approved platforms |
| Agency policy | Internal procurement rules vary widely |
| Fleet planning | Departments still need to account for future restrictions |
DJI systems remain operationally attractive for many agencies because of their mature payload ecosystem, flight performance, software tools, and deployment history.
But operational capability is no longer the only factor driving procurement decisions.
Departments now have to account for procurement rules, long-term platform support concerns, internal cybersecurity policies, and the reality that regulations can shift faster than operational workflows.
What the OnDefend Audit Does Not Resolve
The OnDefend review adds independent technical analysis to the DJI security discussion. It does not resolve every issue affecting drone programs in the U.S.
Most importantly, the findings do not override existing procurement policies, federal restrictions, or agency-specific requirements already in place.
What the Assessment Does Not Change
| Area | Current Reality |
|---|---|
| NDAA restrictions | Still apply where required |
| Blue UAS requirements | Remain unchanged |
| FCC scrutiny | Regulatory discussions are still ongoing |
| Agency procurement policy | Still varies by organization |
| Future legislation | Regulatory direction may continue shifting |
The review also does not guarantee that future vulnerabilities will never be discovered.
Like any connected technology platform, drone systems still require:
- Firmware management
- Cybersecurity oversight
- Operational controls
- Ongoing risk monitoring
Cybersecurity is not a one-time certification. It is part of long-term operational management.
For agencies and enterprise UAV operators, the report is best viewed as another technical data point. Not a final answer that settles every procurement debate or future regulatory concern surrounding DJI systems in the U.S.
What Public Safety and Enterprise Teams Should Evaluate Before Expanding or Replacing Drone Fleets
Cybersecurity is now part of the drone procurement conversation whether agencies want it there or not.
But decisions driven mostly by headlines or political pressure can create operational problems later.
Before expanding, replacing, or restricting fleets, departments need to account for cybersecurity concerns alongside real operational requirements.
Key Areas to Evaluate
| Evaluation Area | Why It Matters |
|---|---|
| Data handling policies | Determines how flight data, imagery, and logs are stored or transmitted |
| Offline flight capability | Important for sensitive or restricted operations |
| Cloud syncing controls | Helps manage internal cybersecurity requirements |
| Fleet management tools | Affects operational oversight and maintenance |
| Payload compatibility | Impacts existing workflows and mission capability |
| Pilot retraining requirements | Replacing platforms affects training time and operational readiness |
| Software ecosystem changes | Mapping, inspection, reporting, and evidentiary workflows may need rebuilding |
| Long-term procurement risk | Future restrictions could affect fleet continuity |
For many agencies, the biggest challenge is not buying a new aircraft.
It is replacing an operational ecosystem that already works.
A fleet transition can affect everything from pilot training and payload compatibility to software workflows, maintenance procedures, and operational readiness.
For departments operating DFR programs or enterprise teams managing inspection deliverables, even small workflow disruptions can create immediate operational consequences.
Operational Continuity Matters
In some cases, replacing aircraft too quickly can create more operational risk instead of reducing it.
An alternative platform may satisfy procurement requirements while still introducing:
- Reduced payload capability
- Workflow disruption
- Longer deployment timelines
- Additional pilot training burdens
- Software compatibility gaps
- DFR continuity issues
Cybersecurity still matters. Procurement compliance still matters.
But fleet decisions also have to account for mission readiness, workflow stability, staffing limitations, and the reality of keeping operations running without disruption.
Drone Fleet Replacement Checklist
Before replacing operational drone systems, evaluate:
- Pilot retraining requirements
- Payload interoperability
- Mapping workflow compatibility
- Evidence management systems
- Software licensing impacts
- Battery and charging ecosystem changes
- Cybersecurity controls
- Procurement compliance requirements
- Operational downtime risk
When DJI Still Makes Sense and When Agencies May Need Alternatives
The OnDefend findings may ease cybersecurity concerns for some departments already operating DJI fleets. That does not automatically make DJI the right fit for every organization moving forward.
A lot depends on procurement rules, mission requirements, funding sources, and how the aircraft are being used operationally.

DJI Fit by Operational Environment
| Operational Scenario | DJI Enterprise Fit | Alternative Consideration |
|---|---|---|
| Public safety agency without procurement restrictions | Strong fit | Optional |
| Federal procurement environment | Limited | Blue UAS or NDAA-compliant platforms may be required |
| Private infrastructure inspection | Strong fit | Depends on client requirements |
| Utility and energy operations | Case-by-case | Depends on internal cybersecurity policy |
| Mapping and surveying programs | Strong fit | Depends on contract or government requirements |
For organizations without federal procurement restrictions, DJI systems remain attractive because of their payload ecosystem, mapping tools, thermal imaging options, flight reliability, and deployment history.
Other agencies may still need alternatives regardless of the assessment findings.
That can happen when:
- Procurement policies require Blue UAS-approved platforms
- Federal funding restrictions apply
- Client contracts limit equipment selection
- Internal cybersecurity rules prohibit certain manufacturers
- Fleet diversification becomes part of long-term planning
For many departments, the conversation is no longer just about aircraft capability.
Teams also have to account for:
- Workflow compatibility
- Procurement compliance
- Payload interoperability
- Software ecosystem impacts
- Long-term vendor stability
Most agencies are no longer assuming one platform will fit every mission profile. DJI may still make operational sense in some environments. Others may need alternative systems simply because procurement realities leave little room for flexibility.

What the Findings Mean Across Different Industries
The impact of the OnDefend assessment will depend heavily on how drone systems are being used operationally.
For some sectors, the findings may help during internal cybersecurity reviews. In others, procurement restrictions, client requirements, or operational demands may still outweigh the audit itself.
Public Safety
Law enforcement, fire, and search and rescue teams usually prioritize deployment speed, thermal imaging capability, mapping workflows, and response reliability when selecting drone platforms.
For agencies already operating DJI systems, the findings may help during internal cybersecurity and fleet risk discussions. But grant requirements, procurement policies, and long-term platform planning remain major factors.
Surveying and Mapping
Surveying and mapping operations tend to focus on workflow efficiency, payload compatibility, accuracy, and software integration.
Teams already using DJI systems for photogrammetry, LiDAR, or infrastructure mapping may view the assessment as additional technical validation. Still, government contracts and client procurement standards can heavily influence platform selection regardless of operational preference.
Critical Infrastructure and Industrial Operations
Utility providers, energy operators, construction firms, and industrial inspection teams rely on drones for asset inspections, maintenance planning, and site monitoring where downtime carries real operational cost.
For these infrastructure operators, the conversation is often less political and more practical. Cybersecurity controls, vendor reliability, software stability, and operational uptime usually matter more than broader public debate.
Media and Content Production
Media and production teams may look at the findings differently because procurement restrictions are often less rigid outside government environments.
For many production workflows, camera performance, deployment flexibility, and reliability still drive purchasing decisions. Larger enterprise media organizations, however, may still factor cybersecurity and internal IT policy into equipment planning.
What Happens Next for DJI in the U.S.?
The OnDefend findings will likely become part of future procurement and cybersecurity discussions surrounding DJI in the U.S. But the bigger shift may be what buyers now expect from drone manufacturers overall.
Public safety agencies, utilities, infrastructure operators, and enterprise UAV teams are asking harder questions about:
- Independent cybersecurity testing
- Data handling policies
- Security documentation
- Offline operational controls
- System communications visibility
That pressure is not going away.
What Organizations Will Likely Continue Evaluating
| Ongoing Concern | Why It Still Matters |
|---|---|
| Future procurement restrictions | Could affect long-term fleet planning |
| Cybersecurity oversight | Departments still require internal controls and risk management |
| Operational continuity | Fleet transitions remain costly and disruptive |
| Alternative platform maturity | Some replacement ecosystems are still developing |
| Vendor transparency | Buyers increasingly expect independent validation and documentation |
The broader drone market is also starting to shift toward:
- Hybrid fleet strategies
- Procurement diversification
- Stronger cybersecurity documentation
- More vendor transparency
- Independent third-party assessments
DJI has also positioned the assessment as part of its ongoing appeal regarding its FCC Covered List designation, arguing that future policy decisions should rely on transparent technical evidence and independent testing.
DJI remains deeply embedded across large parts of the commercial drone industry because of its mature ecosystem, payload options, software tools, and operational track record.
For many operators, the discussion is no longer about whether cybersecurity matters. It is about how agencies and enterprise teams keep operational drone programs running while procurement requirements, cybersecurity expectations, and regulatory pressure continue evolving around them.
What Public Safety and Enterprise Leaders Should Take Away From the OnDefend Audit
The OnDefend assessment adds meaningful independent technical analysis to the DJI security discussion. That matters because public debate around drone cybersecurity has often moved faster than publicly released forensic testing.
The findings also do not settle every concern surrounding DJI systems in the U.S.
Agencies and enterprise UAV teams still need to account for:
- Internal cybersecurity requirements
- Procurement policies
- Operational risk
- Fleet continuity
- Long-term deployment planning
That is where most departments are now stuck.
The report adds third-party technical findings to the discussion, but operational decisions still involve far more than cybersecurity testing alone.
For teams already operating DJI systems, the challenge is no longer deciding whether drones are simply “safe” or “unsafe.”
The harder problem is keeping operational drone programs running while procurement rules, cybersecurity expectations, and regulatory pressure continue shifting around them.
Need Help Evaluating Drone Fleet Options?
Fleet decisions now involve more than aircraft performance alone. Agencies and enterprise teams also have to account for cybersecurity requirements, procurement rules, software compatibility, payload integration, and the reality of keeping operations running without disruption.
Reviewing existing DJI deployments or transitioning to alternative platforms is rarely a simple aircraft swap. In many cases, entire workflows are tied into the ecosystem already in place.
At DSLRPros, we work with public safety agencies, utilities, infrastructure operators, and enterprise UAV teams across the U.S. to help assess drone platforms based on mission requirements, operational needs, and deployment realities.
If your team needs help reviewing fleet options or mission-specific drone solutions, speak with a DSLRPros specialist to discuss the right fit for your operation.
Frequently Asked Questions
Did the DJI cybersecurity assessment find spyware or hidden data transmission?
According to DJI’s published findings, OnDefend did not identify evidence of data transmission outside the United States, hidden RF communications, backdoors or unauthorized remote access mechanisms, or suspicious hardware modifications in the tested systems.
What is the OnDefend DJI assessment?
The OnDefend review was an independent cybersecurity evaluation of the DJI Air 3S and DJI Matrice 4E. Testing reportedly included firmware analysis, network monitoring, RF scanning, application security testing, hardware teardown inspections, and simulated attack attempts.
Does the assessment mean DJI drones are completely secure?
No connected platform is completely risk-free. The findings mean OnDefend did not identify critical, high, or medium-risk vulnerabilities during testing. Drone programs still require cybersecurity controls, firmware management, and operational oversight.
Does the audit remove NDAA restrictions or Blue UAS requirements?
No. The findings do not change existing NDAA restrictions, Blue UAS requirements, FCC scrutiny, or agency-specific procurement policies in the U.S.
Are DJI drones banned in the United States?
DJI drones are not broadly banned for all commercial or public safety operations in the U.S. However, some federal agencies, state governments, and organizations operate under procurement restrictions or internal policies limiting certain platforms.
Why are public safety agencies still using DJI drones?
Many agencies continue using DJI systems because of flight reliability, thermal imaging capability, mapping workflows, payload ecosystems, and operational maturity. Replacing fleets can also disrupt training, software compatibility, and emergency response procedures.
What should enterprise drone teams evaluate before replacing fleets?
Teams should account for cybersecurity requirements, procurement rules, software compatibility, payload interoperability, retraining costs, workflow disruption, and long-term fleet stability before replacing operational drone systems.
Does the OnDefend assessment change future regulatory uncertainty around DJI?
No. Regulatory discussions surrounding DJI and Chinese-made drone systems are still ongoing. The findings add technical analysis to the discussion, but future procurement and regulatory decisions may still change over time.












