Conexus LLC v. Rapid7 Inc

I. Executive Summary and Procedural Information

• Parties & Counsel:
  • Plaintiff: Conexus LLC (NM)
  • Defendant: Rapid7, Inc. (DE)
  • Plaintiff’s Counsel: Garibian Law Offices, P.C.; Rabicoff Law LLC
• Case Identification: 1:25-cv-00891, D. Del., 07/17/2025
• Venue Allegations: Plaintiff alleges venue is proper in the District of Delaware because Defendant has an established place of business in the district.
• Core Dispute: Plaintiff alleges that Defendant’s unnamed cybersecurity products infringe a patent related to detecting network security threats by tracing application execution and network connection lineage.
• Technical Context: The technology operates in the field of enterprise cybersecurity, addressing the detection of threats that have already penetrated a network’s perimeter by monitoring internal activity for anomalous behavior.
• Key Procedural History: The complaint does not mention any prior litigation, Inter Partes Review (IPR) proceedings, or licensing history related to the patent-in-suit.

Case Timeline

Date	Event
2015-12-07	'497 Patent Priority Date (U.S. Provisional 62/264,192)
2016-12-07	'497 Patent Application Filing Date
2020-10-20	'497 Patent Issue Date
2025-07-17	Complaint Filing Date

II. Technology and Patent(s)-in-Suit Analysis

U.S. Patent No. 10,812,497 - "Systems and methods for detecting and responding to security threats using application execution and connection lineage tracing"

• Patent Identification: U.S. Patent No. 10,812,497, "Systems and methods for detecting and responding to security threats using application execution and connection lineage tracing," issued October 20, 2020.

The Invention Explained

• Problem Addressed: The patent addresses the problem of detecting security threats that are already inside an enterprise network environment. Such threats often must perform a series of actions—communicating, propagating, and gaining privileges—before they can exfiltrate data, a process that can take a significant amount of time and generates activity that may be detectable (Compl. ¶9; ’497 Patent, col. 4:8-25).
• The Patented Solution: The invention proposes a system where sensors on servers or devices collect "activity data," such as network connection information and application execution details. This raw data is sent to a "collector server," which combines it with "context information" (e.g., user identity from a directory service) to create an "activity record." The system compares these activity records against a set of "baseline signatures" representing normal, previously observed behavior. An alert is generated when a new activity record deviates from all known baseline signatures, indicating a potential threat (’497 Patent, Abstract; col. 1:30-59).
• Technical Importance: This approach of creating behavioral baselines and tracing activity lineage is designed to detect sophisticated, "low-and-slow" attacks that might evade traditional perimeter security by appearing as legitimate, albeit unusual, internal network traffic (’497 Patent, col. 4:8-18).

Key Claims at a Glance

• The complaint does not specify which claims are asserted, instead referring to "Exemplary ’497 Patent Claims" identified in an external chart (Compl. ¶11). Independent claim 1 is a representative method claim.
• The essential elements of independent claim 1 include:
  • Receiving, at a collector server from a first sensor, a first piece of activity data.
  • Combining context information with the activity data to generate a first activity record.
  • Comparing the activity record to a set of baseline signatures.
  • Incrementing a count for a matching baseline signature.
  • Receiving, from a second sensor, a second piece of activity data.
  • Combining context information with the second activity data to generate a second activity record.
  • Generating an alert when the second activity record differs from all baseline signatures by a predetermined threshold.
• The complaint states Plaintiff will identify other infringed claims and reserves the right to assert them (Compl. ¶11).

III. The Accused Instrumentality

Product Identification

The complaint does not name any specific accused products in its main body. It refers to "Exemplary Defendant Products" that are identified in charts within Exhibit 2, which is incorporated by reference but was not filed with the complaint (Compl. ¶11, ¶16).

Functionality and Market Context

The complaint does not provide sufficient detail for analysis of the accused products' specific functionality or market context, other than alleging they "practice the technology claimed by the '497 Patent" (Compl. ¶16).

IV. Analysis of Infringement Allegations

The complaint’s infringement allegations are contained in claim charts in an unprovided Exhibit 2 (Compl. ¶16-17). The narrative theory asserts that Defendant's "Exemplary Defendant Products" practice the claimed technology and satisfy all elements of the asserted claims (Compl. ¶16). The complaint further alleges that direct infringement occurs through Defendant’s making, using, selling, and importing of these products, as well as through internal testing by its employees (Compl. ¶11-12). No probative visual evidence provided in complaint.

Identified Points of Contention

• Evidentiary Questions: A primary question will be whether discovery shows that the unnamed "Exemplary Defendant Products" actually perform the specific, multi-step process recited in claims like claim 1. The complaint’s generalized allegations will need to be substantiated with technical evidence.
• Technical Questions: What evidence does the complaint provide that the accused system receives data from a "first connection and application execution sensor" and a "second connection and application execution sensor" as required by claim 1? The claim's recitation of two distinct sensors and two separate record-generation steps may be a focal point of the dispute.
• Scope Questions: Does the accused system's method for establishing "normal" behavior fall within the scope of a "baseline signature" as that term is used in the patent? The mechanism by which the accused products "combine" raw activity data with "context information" will also be a critical point of comparison against the claim language.

V. Key Claim Terms for Construction

• The Term: "baseline signature"

  • Context and Importance: This term is the foundation of the patented invention's detection method; all new activity is judged against these signatures. The scope of this term will be central to determining whether the accused system’s method of establishing a behavioral norm constitutes infringement.
  • Intrinsic Evidence for Interpretation:
    • Evidence for a Broader Interpretation: The claims define a baseline signature functionally as comprising "a second set of attributes, each attribute having a particular value and each baseline signature being unique in the combination of values of its attributes" (’497 Patent, col. 21:39-44). This suggests any unique combination of attributes representing a known state could qualify.
    • Evidence for a Narrower Interpretation: The specification provides detailed examples of specific signature types, such as "session signatures" with enumerated attributes (e.g., user name, source machine, receiver machine) and "process spawning signatures" with others (e.g., executable image path name, command line) (’497 Patent, col. 12:10-24; col. 14:28-40). A defendant may argue the term is limited to structures that include these specific, disclosed attribute types.

• The Term: "context information"

  • Context and Importance: The claim requires "combining" activity data with "context information" to create a record. Infringement hinges on whether the accused system performs an equivalent data enrichment step.
  • Intrinsic Evidence for Interpretation:
    • Evidence for a Broader Interpretation: The specification describes this broadly, for example, as information used "to more specifically identify the user, application, geographic location of the user, and/or device involved" (’497 Patent, col. 8:5-8).
    • Evidence for a Narrower Interpretation: The patent discloses specific methods for obtaining context, such as "looking up an IP address... with an identity manager service" or using information from "Dynamic Host Configuration Protocol (DHCP), Domain Name System (DNS), Active Directory Domain Controller (AD-DC) and/or Virtual Private Network (VPN)" (’497 Patent, col. 22:3-8; col. 10:65-col. 11:2). A party may argue the term should be construed to require these or similar specific sources of identity information.

VI. Other Allegations

• Indirect Infringement: The complaint alleges induced infringement, stating that Defendant distributes "product literature and website materials" that instruct end users on how to use the accused products in a manner that infringes the ’497 Patent (Compl. ¶14-15).
• Willful Infringement: The complaint does not contain an explicit allegation of willful infringement. However, it alleges "Actual Knowledge of Infringement" arises from the service of the complaint itself (Compl. ¶13), which may form the basis for a claim of post-filing willfulness and supports the prayer for enhanced damages under 35 U.S.C. § 284 and a finding of an exceptional case under § 285 (Prayer for Relief ¶D, E.i).

VII. Analyst’s Conclusion: Key Questions for the Case

• A primary issue is one of evidentiary sufficiency: Given the complaint’s reliance on an unprovided exhibit, the case will immediately focus on whether discovery can substantiate the bare allegations. The central factual question is whether the accused products, once identified, actually perform the specific data collection, enrichment, and comparison steps recited in the asserted claims.
• The case will likely turn on a question of definitional scope: The construction of the term "baseline signature" will be critical. The court will need to decide whether the term can be broadly applied to any system that establishes a profile of normal activity, or if it is limited by the specific examples and enumerated attributes detailed in the ’497 Patent’s specification.
• A key technical question will be one of functional specificity: Does the accused system perform the precise two-sensor, two-record generation process required by claim 1? The resolution of this issue will depend on a detailed comparison of the accused system’s architecture and data processing flow against the specific sequence of operations mandated by the claim language.