DCT
3:25-cv-04833
Netskope Inc v. Kmizra LLC
I. Executive Summary and Procedural Information
- Parties & Counsel:
- Plaintiff: Netskope, Inc. (Delaware)
- Defendant: K.Mizra LLC (Delaware)
- Plaintiff’s Counsel: Perkins Coie LLP
- Case Identification: 5:25-cv-04833, N.D. Cal., 06/06/2025
- Venue Allegations: Plaintiff Netskope alleges venue is proper in the Northern District of California because Defendant K.Mizra is subject to personal jurisdiction in the district, a substantial part of the events giving rise to the claim (including sending a threat letter to Netskope's California headquarters) occurred there, and K.Mizra has purposefully directed enforcement activities at companies in the district.
- Core Dispute: Plaintiff Netskope seeks a declaratory judgment that its Zero Trust Network Access products do not infringe Defendant K.Mizra's patent related to network security and quarantining potentially infected computers.
- Technical Context: The patent addresses methods for identifying potentially non-compliant or infected computers attempting to join a network and isolating them until they can be remediated, a foundational concept in modern "Zero Trust" cybersecurity architectures.
- Key Procedural History: This is a declaratory judgment action filed by Netskope following receipt of a letter from K.Mizra on March 25, 2025, which accused Netskope's products of infringement and included a claim chart. The complaint notes that K.Mizra is a non-practicing entity that has previously sued at least seven other major technology companies over the same patent.
Case Timeline
| Date | Event |
|---|---|
| 2004-09-27 | ’705 Patent Priority Date |
| 2012-01-01 | Netskope, Inc. founded (inception in 2012) |
| 2012-07-31 | ’705 Patent Issued |
| 2013-01-01 | Netskope releases its first product |
| 2019-01-01 | K.Mizra LLC founded |
| 2020-11-06 | K.Mizra sues Cisco Systems, Inc. over the ’705 Patent |
| 2021-06-22 | K.Mizra sues HP Inc. over the ’705 Patent |
| 2021-07-08 | K.Mizra sues Fortinet, Inc., Forescout Techs., and Broadcom Inc. over the ’705 Patent |
| 2021-08-09 | K.Mizra sues Hewlett Packard Enterprise Co. over the ’705 Patent |
| 2025-01-10 | K.Mizra sues SonicWall Inc. over the ’705 Patent |
| 2025-02-18 | K.Mizra sues Google LLC over the ’705 Patent |
| 2025-03-25 | K.Mizra sends letter to Netskope alleging infringement of the ’705 Patent |
| 2025-04-24 | K.Mizra sues Citrix Systems, Inc. over the ’705 Patent |
| 2025-06-06 | Complaint for Declaratory Judgment Filed |
II. Technology and Patent(s)-in-Suit Analysis
U.S. Patent No. 8,234,705 - "Contagion Isolation and Inoculation"
- Patent Identification: U.S. Patent No. 8,234,705, "Contagion Isolation and Inoculation", issued July 31, 2012.
The Invention Explained
- Problem Addressed: The patent addresses the security threat posed by mobile or stationary computers that may become infected with malware (e.g., viruses, worms) when connected to untrusted networks. When these compromised systems later connect to a protected enterprise or service provider network, they risk harming network resources before the infection can be detected and contained (’705 Patent, col. 1:13-41).
- The Patented Solution: The invention proposes a system for "contagion isolation and inoculation" where a host attempting to connect to a protected network is first assessed for security compliance (’705 Patent, col. 3:7-10). If the host is deemed insecure (e.g., infected or not fully patched), it is quarantined, given only limited network access sufficient to remedy the problem (e.g., to download a software patch from a remediation server), and prevented from communicating with other hosts on the protected network (’705 Patent, col. 3:10-23; Fig. 10B). A core part of this assessment involves the host providing a "valid digitally signed attestation of cleanliness" generated by a trusted component within the host itself (’705 Patent, col. 19:62-20:4).
- Technical Importance: This approach of pre-connection verification and conditional access is a key principle of "network access control" (NAC) and "zero trust" security, which assumes no device is inherently trustworthy and must prove its compliance before being granted access.
Key Claims at a Glance
- The complaint seeks a declaratory judgment of non-infringement as to all claims of the patent, with a specific focus on claim 19, which was charted in K.Mizra's letter (Compl. ¶¶ 21, 39). Independent claims 1, 12, and 19 are explicitly mentioned (Compl. ¶ 35).
- Independent Claim 1 (Method):
- Detecting an insecure condition on a first host attempting to connect to a protected network, which includes contacting a "trusted computing base" within the host and receiving a response.
- Determining if the response includes a "valid digitally signed attestation of cleanliness", which itself includes an attestation that the host is not infested and/or has a certain patch level.
- When the attestation is not valid, "quarantining" the first host by preventing it from sending data to other hosts.
- The quarantining step includes serving a "quarantine notification page" for web requests and, for DNS queries, providing the IP of a quarantine server unless the query is for a "remediation host".
- Permitting the first host to communicate with the "remediation host".
- The complaint does not explicitly reserve the right to address dependent claims but seeks a declaration of non-infringement for "any claim of the '705 Patent" (Compl. ¶ 39).
III. The Accused Instrumentality
Product Identification
- Netskope's "NetskopeOne Zero Trust Access ('ZTNA')" product and platform (Compl. ¶¶ 18, 20).
Functionality and Market Context
- The complaint describes Netskope as an innovator in cloud security services since 2012, developing a homegrown security platform to help businesses secure applications and services as they migrate to the cloud (Compl. ¶¶ 10, 12).
- The accused ZTNA product is part of this platform and is used during "device identification and enrollment" (Compl. ¶ 35).
- Netskope alleges its products are highly regarded, citing recognition from industry analysts like IDC and Forrester and a large customer base including over 25 of the Fortune 100 companies (Compl. ¶¶ 14, 16).
IV. Analysis of Infringement Allegations
Netskope's complaint seeks a declaratory judgment of non-infringement. The following table summarizes Netskope's argument that its ZTNA product does not meet the limitations of the asserted claims, focusing on the elements of independent claim 1.
No probative visual evidence provided in complaint.
’705 Patent Infringement Allegations
| Claim Element (from Independent Claim 1) | Alleged Non-Infringing Functionality (per Netskope) | Complaint Citation | Patent Citation |
|---|---|---|---|
| ...determining whether the response includes a valid digitally signed attestation of cleanliness... | Netskope alleges its ZTNA product is used for device identification and enrollment and "does not provide a 'digitally signed attestation of cleanliness.'" | ¶35 | col. 20:5-7 |
| ...wherein the valid digitally signed attestation of cleanliness includes at least one of an attestation that the trusted computing base has ascertained that the first host is not infested, and an attestation that the trusted computing base has ascertained the presence of a patch or a patch level associated with a software component on the first host... | As its ZTNA product allegedly does not provide the required attestation, Netskope consequently argues that it does not provide an attestation with the specific content required by the claim regarding infestation or patch level. | ¶35 | col. 20:7-14 |
| ...quarantining the first host, including by preventing the first host from sending data to one or more other hosts... | The complaint does not provide specific details on Netskope's quarantining functionality but makes a general denial of infringement of any claim. | ¶35 | col. 20:15-18 |
- Identified Points of Contention:
- Scope Questions: The central dispute appears to be whether the functionality of Netskope's ZTNA product falls within the scope of a "valid digitally signed attestation of cleanliness" as claimed in the patent. The case will question what technical features meet this definition.
- Technical Questions: What is the precise mechanism by which the Netskope ZTNA product performs "device identification and enrollment"? What specific data, if any, does it collect from a device to assess its security posture, and is any of that data "digitally signed" by a "trusted computing base" in a manner that could be argued to meet the claim limitation? The complaint asserts it does not, but provides minimal technical detail on what it does instead (Compl. ¶ 35).
V. Key Claim Terms for Construction
- The Term: "valid digitally signed attestation of cleanliness"
- Context and Importance: This term is the lynchpin of the dispute. Netskope's primary non-infringement argument is that its ZTNA product does not provide this feature (Compl. ¶ 35). The definition of this multi-part term—what constitutes an "attestation," what makes it "digitally signed" in the context of the patent, and what is meant by "cleanliness"—will be dispositive for infringement.
- Intrinsic Evidence for Interpretation:
- Evidence for a Narrower Interpretation: The patent specification repeatedly links the concept to specific, hardware-based security technologies. It gives examples of a "trusted computing base" as the "Paladium security initiative under development by Microsoft" or technologies compliant with "TCG specifications" (’705 Patent, col. 13:58-14:5). This suggests the "attestation" must originate from a specific type of secure hardware module (a Trusted Platform Module or TPM) that can cryptographically sign assertions about the system's state, such as its patch level or the absence of known malware (’705 Patent, col. 14:6-9, 20:7-14).
- Evidence for a Broader Interpretation: A party could argue that the term should not be limited to the specific examples in the specification. The claim language itself does not explicitly name "Palladium" or "TCG." An argument could be made that any cryptographically signed message from a client device that vouches for its security status (e.g., a software agent signing a report of installed patches) constitutes a "valid digitally signed attestation of cleanliness," even if it does not use a hardware-based trusted platform module as described in the preferred embodiments.
VI. Other Allegations
- Indirect Infringement: Netskope seeks a declaration that it does not "directly or indirectly infringe" (Compl. ¶ 39). The complaint specifically denies that any third party infringes by using the ZTNA product and asserts that Netskope has not "caused, directed, requested, or facilitated any such infringement, much less with specific intent to do so" (Compl. ¶ 36). It further states the ZTNA product has substantial non-infringing uses, a direct rebuttal to potential claims of induced or contributory infringement (Compl. ¶ 36).
- Willful Infringement: As a declaratory judgment plaintiff, Netskope does not allege willfulness. However, it preemptively requests that the court declare the case "exceptional under 35 U.S.C. § 285" and award attorneys' fees, framing K.Mizra's litigation conduct as aggressive and its claims as "baseless" (Compl. ¶¶ 6, 10-11 at p.8).
VII. Analyst’s Conclusion: Key Questions for the Case
- A core issue will be one of claim construction: Can the term "valid digitally signed attestation of cleanliness", which the patent specification links to specific hardware-based trusted computing modules, be construed more broadly to encompass software-based device posture assessments common in modern Zero Trust Network Access systems?
- A key evidentiary question will follow: Assuming a claim construction is adopted, does the accused Netskope ZTNA product, during its "device identification and enrollment" process, in fact generate and transmit a message that meets all elements of the construed "attestation" claim limitation? Netskope's complaint creates a clear factual dispute on this point that will require discovery into the product's technical operation.