DCT

1:23-cv-00758

Orca Security Ltd v. Wiz Inc

I. Executive Summary and Procedural Information

  • Parties & Counsel:
  • Case Identification: 1:23-cv-00758, D. Del., 10/10/2023
  • Venue Allegations: Venue is alleged to be proper in the District of Delaware because Defendant Wiz, Inc. is a Delaware corporation and is therefore subject to personal jurisdiction in the state.
  • Core Dispute: Plaintiff alleges that Defendant’s cloud security platform infringes six patents related to agentless, snapshot-based methods for analyzing virtual cloud assets to detect and prioritize cybersecurity vulnerabilities.
  • Technical Context: The technology resides in the cloud cybersecurity sector, focusing on agentless security assessments that provide visibility into dynamic cloud environments without the performance degradation or deployment complexity of traditional security agents.
  • Key Procedural History: The complaint alleges a history of direct interaction and copying, asserting that Defendant’s founders received a presentation on Plaintiff’s technology in May 2019 before founding Defendant in January 2020. It further alleges that Defendant hired the same patent attorney who prosecuted Plaintiff's patents and copied patent figures, marketing materials, and technical concepts. Plaintiff also states it sent cease-and-desist letters regarding certain patents prior to filing the operative complaint, which may be relevant to allegations of willful infringement.

Case Timeline

| Date | Event |
|---|---|
| 2019-01-28 | Earliest Priority Date for all Asserted Patents |
| 2019-05-01 | Plaintiff allegedly presents its technology to Defendant’s future founders |
| 2019-06-12 | Plaintiff announces its platform with "patent-pending SideScanning™ technology" |
| 2020-01-01 | Defendant Wiz, Inc. is founded |
| 2023-05-30 | U.S. Patent No. 11,663,031 Issues |
| 2023-05-30 | U.S. Patent No. 11,663,032 Issues |
| 2023-07-04 | U.S. Patent No. 11,693,685 Issues |
| 2023-07-12 | Plaintiff files Original Complaint |
| 2023-08-15 | U.S. Patent No. 11,726,809 Issues |
| 2023-08-29 | U.S. Patent No. 11,740,926 Issues |
| 2023-09-12 | Plaintiff sends cease-and-desist letter regarding the ’685, ’809, and ’926 Patents |
| 2023-10-03 | U.S. Patent No. 11,775,326 Issues |
| 2023-10-10 | Plaintiff files Second Amended Complaint |

II. Technology and Patent(s)-in-Suit Analysis

U.S. Patent No. 11,663,031 - "Techniques for Securing Virtual Cloud Assets at Rest Against Cyber Threats"

  • Patent Identification: U.S. Patent No. 11,663,031, "Techniques for Securing Virtual Cloud Assets at Rest Against Cyber Threats," issued May 30, 2023 (’031 Patent).

The Invention Explained

  • Problem Addressed: The patent’s background section describes the inadequacy of traditional cybersecurity solutions for cloud environments, noting that traffic monitoring fails to detect vulnerabilities in inactive data ("data at rest") and that agent-based solutions are cumbersome and resource-intensive, often taking months to deploy in large data centers ('031 Patent, col. 1:44-2:41).
  • The Patented Solution: The invention proposes an agentless method for securing virtual assets while they are inactive or "at rest." The system determines the location of a virtual disk for a protected asset, accesses a "view" or snapshot of that disk, and analyzes the snapshot for vulnerabilities without requiring any interaction from the live asset, thereby avoiding performance impact ('031 Patent, Abstract; col. 2:56-68).
  • Technical Importance: This out-of-band, snapshot-based approach enables comprehensive security scanning of entire cloud estates without the performance overhead and operational complexity associated with installing and maintaining agents on every virtual asset (Compl. ¶40).

Key Claims at a Glance

  • The complaint asserts independent claim 9 (Compl. ¶42).
  • The essential elements of claim 9, a method, include:
    • establishing an interface between a client environment and security components;
    • using the interface and cloud platform APIs to identify and query the location of virtual disks;
    • receiving an identification of the location of the virtual disks;
    • emulating the virtual disks;
    • performing at least one of (i) taking or (ii) requesting the taking of a snapshot of the virtual machine while it is "at rest";
    • analyzing the snapshot to detect vulnerabilities while the virtual machine is "inactive"; and
    • reporting the detected vulnerabilities as alerts.
  • The complaint reserves the right to assert additional claims upon discovery (Compl. ¶55).

U.S. Patent No. 11,663,032 - "Techniques for Securing Virtual Machines by Application Use Analysis"

  • Patent Identification: U.S. Patent No. 11,663,032, "Techniques for Securing Virtual Machines by Application Use Analysis," issued May 30, 2023 (’032 Patent).

The Invention Explained

  • Problem Addressed: Beyond mere detection, a key challenge in cybersecurity is prioritizing the vast number of identified vulnerabilities to avoid "alert fatigue" for security teams. Traditional methods lack the context to distinguish critical threats from theoretical ones (Compl. ¶78; '032 Patent, col. 8:51-56).
  • The Patented Solution: The invention refines snapshot analysis by adding a contextual prioritization layer. After identifying a vulnerable application on a virtual disk snapshot, the method determines if that specific application is actually "used" by the asset. It then prioritizes the vulnerability based on this "use determination" before reporting it, ensuring that security teams focus on applications that pose a tangible risk ('032 Patent, Abstract; col. 2:15-37).
  • Technical Importance: This method improves the actionability of security alerts by filtering out noise from vulnerabilities in unused software, allowing security teams to focus resources more effectively (Compl. ¶78).

Key Claims at a Glance

  • The complaint asserts independent claim 1 (Compl. ¶80).
  • The essential elements of claim 1, a method, include:
    • determining the location of a snapshot of a virtual disk using a cloud environment API;
    • accessing the snapshot;
    • analyzing the snapshot by matching installed applications against a known list of vulnerable applications;
    • determining the existence of potential vulnerabilities based on the matching;
    • determining whether the matching installed applications are "used" by the asset;
    • prioritizing the vulnerabilities based on these "use determinations"; and
    • reporting the vulnerabilities as prioritized alerts according to the use determinations.
  • The complaint reserves the right to assert additional claims upon discovery (Compl. ¶91).

U.S. Patent No. 11,693,685 - "Virtual Machine Vulnerabilities and Sensitive Data Analysis and Detection"

  • Patent Identification: U.S. Patent No. 11,693,685, "Virtual Machine Vulnerabilities and Sensitive Data Analysis and Detection," issued July 4, 2023 (’685 Patent) (Compl. ¶110).
  • Technology Synopsis: This patent describes a system for agentless security assessment that analyzes snapshots of virtual disks. The analysis detects not only software vulnerabilities but also the presence of "sensitive data," requires no interaction with the live virtual machine, determines a risk level, and reports the findings as filtered and prioritized alerts (Compl. ¶113).
  • Asserted Claims: Independent claim 1 is asserted (Compl. ¶115).
  • Accused Features: The complaint accuses Wiz’s platform, which allegedly performs an "agentless scan of cloud metadata and workloads," including "[s]ecrets scanning in data assets" and detecting "sensitive data and secrets exposure" (Compl. ¶117, ¶123).

U.S. Patent No. 11,726,809 - "Techniques for Securing Virtual Machines by Application Existence Analysis"

  • Patent Identification: U.S. Patent No. 11,726,809, "Techniques for Securing Virtual Machines by Application Existence Analysis," issued August 15, 2023 (’809 Patent) (Compl. ¶145).
  • Technology Synopsis: This patent details an agentless method that enhances vulnerability analysis by adding network context. After finding vulnerabilities on a snapshot, the method correlates them with the "network location of the protected virtual cloud asset" to determine the overall risk to the environment before prioritizing and reporting alerts (Compl. ¶148, ¶150).
  • Asserted Claims: Independent claim 1 is asserted (Compl. ¶150).
  • Accused Features: The complaint points to Wiz’s functionality that allegedly "correlates vulnerabilities to other risk factors such as public exposure" and uses a "Wiz Security Graph" to visualize risk and attack paths corresponding to network locations (Compl. ¶157; Compl. Ex. 5 at 14).

U.S. Patent No. 11,740,926 - "Techniques for Securing Virtual Machines by Analyzing Data for Cyber Threats"

  • Patent Identification: U.S. Patent No. 11,740,926, "Techniques for Securing Virtual Machines by Analyzing Data for Cyber Threats," issued August 29, 2023 (’926 Patent) (Compl. ¶180).
  • Technology Synopsis: The patent describes a method for snapshot-based analysis focused on finding threats based on data stored on the virtual disk itself. It claims analysis for a plurality of threats including "unencrypted sensitive data, unencrypted system credentials, weak passwords," and personally identifiable information, followed by risk determination and prioritized reporting (Compl. ¶183, ¶185).
  • Asserted Claims: Independent claim 1 is asserted (Compl. ¶185).
  • Accused Features: The complaint alleges Wiz's platform infringes by identifying risks associated with "exposed secrets, access keys, credentials, or weak passwords" and using a "Data Security" dashboard to prioritize these data-centric issues (Compl. ¶191, ¶193).

U.S. Patent No. 11,775,326 - "Techniques for Securing a Plurality of Virtual Machines in a Cloud Computing Environment"

  • Patent Identification: U.S. Patent No. 11,775,326, "Techniques for Securing a Plurality of Virtual Machines in a Cloud Computing Environment," issued October 3, 2023 (’326 Patent) (Compl. ¶214).
  • Technology Synopsis: This patent claims a method for securing a "plurality" of virtual assets. It involves receiving a request to scan multiple assets, and for each one, determining a snapshot location, analyzing the snapshot for vulnerabilities, determining a risk level for the asset, and reporting the findings in a prioritized manner across the plurality of assets (Compl. ¶217, ¶220).
  • Asserted Claims: Independent claim 1 is asserted (Compl. ¶220).
  • Accused Features: The complaint accuses Wiz’s platform of infringing by performing an "agentless scan" of a customer's entire cloud environment, which inherently involves a plurality of assets, and then prioritizing and reporting risks across that environment (Compl. ¶223, ¶229).

III. The Accused Instrumentality

Product Identification

The accused instrumentality is Defendant Wiz’s cloud security platform, referred to as its Cloud Security Platform (CSP), Cloud Native Application Protection Platform (CNAPP), and associated services (Compl. ¶41, ¶79).

Functionality and Market Context

The complaint alleges that the Wiz platform connects to a customer’s cloud environment (e.g., AWS, Azure, GCP) via APIs to perform "agentless scanning" of metadata and workloads (Compl. ¶45). This process involves taking snapshots of virtual machine disks and analyzing them "out of band" to identify vulnerabilities, misconfigurations, and other security risks (Compl. ¶50, ¶52). The complaint provides a diagram from Wiz's materials illustrating this "agentless scan of cloud metadata and workloads" (Compl. p. 18). A core feature is the ability to scan assets even when they are offline (Compl. ¶52). The results are then compiled into a "graph" that provides context and prioritizes risks for security teams (Compl. ¶46). The complaint alleges the product has achieved rapid market success, becoming the "fastest-growing software company ever" (Compl. ¶15).

IV. Analysis of Infringement Allegations

’031 Patent Infringement Allegations

| Claim Element (from Independent Claim 9) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| establishing an interface between a client environment and security components | Wiz's platform connects to a customer's cloud environment via cloud service provider APIs. | ¶45 | col. 8:50-56 |
| using the interface to utilize cloud computing platform APIs to identify virtual disks of a virtual machine in the client environment | Wiz uses APIs to create a graph of a client environment that includes identifying virtual disks of virtual machines. | ¶46 | col. 8:50-56 |
| performing at least one of: (i) taking at least one snapshot, and (ii) requesting taking at least one snapshot of the virtual machine at rest... | Wiz takes snapshots of virtual disks to analyze the operating system and application layers of virtual machines. | ¶50 | col. 10:18-24 |
| analyzing the at least one snapshot to detect vulnerabilities, wherein during the detection of the vulnerabilities by analyzing the at least one snapshot, the virtual machine is inactive | Wiz analyzes snapshots of machines that are not online and/or before they are deployed to the runtime environment. | ¶52 | col. 10:41-44 |
| reporting the detected vulnerabilities as alerts | Wiz reports detected vulnerabilities as alerts in its platform's dashboard, such as the "CISA Known Exploited Vulnerability Catalog CVEs dashboard." | ¶53 | col. 10:45-47 |

  • Identified Points of Contention:
    • Scope Questions: Claim 9 requires "emulating the virtual disks for the virtual machine." The complaint alleges this step "on information and belief," stating that an offline resource's disks "will need to be emulated before scanning" (Compl. ¶49). A potential dispute may arise over whether Wiz's process of mounting and analyzing a data snapshot meets the technical and legal definition of "emulating" as used in the patent.
    • Technical Questions: What evidence does the complaint provide that Wiz's analysis occurs specifically when the virtual machine is "inactive" as required by the claim? The complaint cites Wiz marketing material stating it analyzes workloads "even if a resource isn’t online," which may support this element but could be subject to factual dispute (Compl. ¶52).

’032 Patent Infringement Allegations

| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| determining, using an API or service provided by the cloud computing environment, a location of a snapshot of at least one virtual disk of a protected virtual cloud asset... | Wiz uses cloud provider APIs to perform "snapshot scanning" of instantiated virtual cloud assets. | ¶83 | col. 8:10-18 |
| analyzing the snapshot of the at least one virtual disk by matching installed applications with applications on a known list of vulnerable applications | Wiz analyzes snapshots by matching installed applications against its "vulnerability catalog consist[ing] of more than 70,000 supported vulnerabilities," including the CISA KEV catalog. | ¶85 | col. 8:33-40 |
| determining whether the matching installed applications are used by the protected virtual cloud asset | Wiz determines what vulnerabilities "pose the highest risk" by assessing the context of applications within the cloud environment. | ¶87 | col. 8:51-56 |
| prioritizing the potential cyber vulnerabilities based on the use determinations | Wiz prioritizes vulnerabilities based on "Severity," "Score," and "exploitability" ratings to mitigate critical risks. | ¶88 | col. 8:57-61 |
| reporting the determined potential cyber vulnerabilities, as prioritized alerts according to the use determinations | Wiz reports prioritized vulnerabilities in its "CISA Known Exploited Vulnerability Catalog CVEs dashboard." | ¶89 | col. 8:62-65 |

  • Identified Points of Contention:
    • Scope Questions: A central dispute may be the construction of "determining whether the matching installed applications are used." The complaint alleges Wiz prioritizes based on factors like "Severity" and "exploitability" (Compl. ¶88). The question for the court will be whether these general risk factors satisfy the more specific claim requirement of determining if an application is "used."
    • Technical Questions: What technical evidence links Wiz's prioritization scheme to a specific determination of "use"? The complaint points to a Wiz dashboard showing prioritized CVEs, but the underlying logic connecting that prioritization to application "use" as claimed may require further evidence (Compl. p. 41).

V. Key Claim Terms for Construction

  • The Term: "emulating the virtual disks" (from ’031 Patent, claim 9)

  • Context and Importance: This term describes an active process. The infringement analysis for the ’031 Patent may depend on whether merely accessing and analyzing data from a snapshot file is sufficient to constitute "emulating" the disk. Practitioners may focus on this term because the complaint supports its satisfaction only "on information and belief" (Compl. ¶49), suggesting it could be a point of non-infringement.

  • Intrinsic Evidence for Interpretation:

    • Evidence for a Broader Interpretation: The patent does not appear to provide an explicit definition of "emulating," which could support an argument that the term should be given its plain and ordinary meaning in the context of making a disk's contents available for analysis.
    • Evidence for a Narrower Interpretation: The specification distinguishes between a "snapshot" (a copy of a disk at a point in time) and a "view" (a stored query), but uses both concepts ('031 Patent, col. 9:35-51). A defendant might argue that "emulating" requires more than simply reading a static snapshot file and implies creating a functional or interactive representation of the disk, a step not explicitly detailed in the complaint's allegations.
  • The Term: "determining whether the matching installed applications are used" (from ’032 Patent, claim 1)

  • Context and Importance: This limitation is the core of the ’032 Patent's claimed point of novelty—prioritization based on actual use. The outcome of the case regarding this patent may hinge on whether Wiz's risk-based prioritization (e.g., based on "Severity" or "exploitability") is legally equivalent to a determination of "use."

  • Intrinsic Evidence for Interpretation:

    • Evidence for a Broader Interpretation: The patent's specification explains that the purpose of this step is to reduce the priority for a "vulnerable version or module not in use" ('032 Patent, col. 8:51-56). Plaintiff may argue that any contextual analysis that down-prioritizes a vulnerability—for example, because it is not publicly exposed—falls within this purpose and thus constitutes a "use determination."
    • Evidence for a Narrower Interpretation: The specification provides concrete examples of how to determine use, such as checking "configuration files of the applications," verifying "access times to files," and analyzing "system logs" ('032 Patent, col. 8:60-65). A defendant may argue that the term requires these specific types of checks for activity, rather than a more general risk assessment based on exploitability or severity scores as alleged in the complaint (Compl. ¶88).

VI. Other Allegations

  • Indirect Infringement: The complaint alleges inducement for all asserted patents, stating that Defendant provides "user guides, instructions, sales-related material, and/or other supporting documentation" that instruct its customers on how to operate the accused platform in an infringing manner (Compl. ¶¶58, 94, 130, 165, 199, 234). The complaint also points to demonstration videos and website articles as evidence of intent to induce (Compl. ¶¶60-61, 96-97).
  • Willful Infringement: The complaint alleges willful infringement based on both pre- and post-suit knowledge. Pre-suit knowledge is alleged to stem from a May 2019 meeting where Plaintiff presented its technology to Defendant’s future founders, Defendant’s subsequent hiring of Plaintiff’s patent counsel, and alleged copying of patent figures (Compl. ¶¶14, 23, 66). The complaint includes a side-by-side comparison of patent figures from both companies to support the copying allegation (Compl. p. 12). Post-suit knowledge is based on the filing of the original complaint and cease-and-desist letters sent regarding several of the patents (Compl. ¶¶67, 129, 164).

VII. Analyst’s Conclusion: Key Questions for the Case

  • A central theme of the litigation will be one of evidentiary proof versus narrative. The complaint presents a compelling narrative of wholesale copying, supported by allegations of hiring former counsel and duplicating patent drawings. The key question for the court will be how this narrative, if substantiated, influences the technically rigorous infringement analysis, particularly on issues of claim construction, the doctrine of equivalents, and willfulness.
  • A core issue will be one of definitional scope: can claim terms describing specific, discrete actions, such as "emulating the virtual disks" (’031 Patent) and "determining whether... applications are used" (’032 Patent), be construed to read on the accused product’s more generalized, graph-based system of contextual risk analysis and prioritization? The case may turn on whether there is a fundamental mismatch between the specific steps claimed in the patents and the holistic analysis allegedly performed by the accused platform.
  • A key question will be one of timing and knowledge for willfulness. The complaint alleges knowledge dating back to before the defendant company was even formed. The dispute will likely involve intense discovery into the 2019 meeting, the hiring of Plaintiff's former counsel, and Defendant's product development timeline to establish what Defendant knew and when it knew it.