Conexus LLC v. Vectra Ai Inc

I. Executive Summary and Procedural Information

• Parties & Counsel:
  • Plaintiff: Conexus LLC (NM)
  • Defendant: Vectra AI, Inc. (DE)
  • Plaintiff’s Counsel: Garibian Law Offices, P.C.; Rabicoff Law LLC
• Case Identification: 1:25-cv-00893, D. Del., 10/16/2025
• Venue Allegations: Plaintiff alleges venue is proper because Defendant maintains an established place of business in the District of Delaware and has committed acts of infringement within the district.
• Core Dispute: Plaintiff alleges that Defendant’s cybersecurity products infringe a patent related to methods for detecting malicious injection exploits by monitoring and analyzing application behavior at the point of execution.
• Technical Context: The technology operates in the field of application security, addressing the limitations of traditional network-based firewalls by analyzing application function calls to detect anomalies indicative of cyberattacks.
• Key Procedural History: The filing is a First Amended Complaint. The complaint does not mention any prior litigation, inter partes review proceedings, or licensing history related to the patent-in-suit.

Case Timeline

Date	Event
2019-04-09	U.S. Patent No. 11,736,499 Priority Date
2020-04-09	U.S. Patent No. 11,736,499 Application Filing Date
2023-08-22	U.S. Patent No. 11,736,499 Issue Date
2025-10-16	Complaint Filing Date

II. Technology and Patent(s)-in-Suit Analysis

U.S. Patent No. 11,736,499 - Systems and methods for detecting injection exploits

• Issued: August 22, 2023 (’499 Patent).

The Invention Explained

• Problem Addressed: The patent asserts that conventional cybersecurity systems, such as web application firewalls, were deficient because they primarily analyzed network traffic and relied on known attack signatures (Compl. ¶10, 12). This approach made them unable to detect novel "zero-day" attacks or exploits that only manifest during an application’s internal execution, allowing attackers to evade network-level defenses (Compl. ¶11, 12).
• The Patented Solution: The invention proposes a method that moves detection from the network layer to the application execution layer (Compl. ¶19). It involves monitoring an application for the invocation of an "execution function"—a function that accepts external data—and then generating a behavioral model of what constitutes legitimate activity for that function (’499 Patent, Abstract; Compl. ¶16). By comparing the application's actual, real-time behavior against this model, the system can detect deviations and validate whether they are caused by external input, thereby identifying malicious exploits at their precise point of occurrence within the application (’499 Patent, Abstract; Compl. ¶15, 18). The specification notes that this detection is "independent of the deployment of an application." ('499 Patent, col. 36:42-43).
• Technical Importance: This behavioral, application-level approach is described as a fundamental improvement that closes the gap between network-level detection and execution-level exploitation, enabling the detection of sophisticated attacks that traditional systems would miss (Compl. ¶20, 24).

Key Claims at a Glance

• The complaint’s infringement theory centers on independent Claim 1, which is cited repeatedly (Compl. ¶11, 15-19, 23).
• The essential elements of Claim 1 include:
  • Monitoring executing web applications to detect the invocation of an "execution function" that accepts "external free-form data values."
  • Generating a "model of legitimate behavior" after the execution function is invoked.
  • Comparing the "actual behavior" to the model of legitimate behavior.
  • Generating an alert upon deviation from the model and "validating whether the deviation...is due to one or more functions that accept external input."
• The complaint alleges infringement of one or more claims and refers to "Exemplary '499 Patent Claims," suggesting Plaintiff reserves the right to assert additional claims (Compl. ¶27).

III. The Accused Instrumentality

Product Identification

The complaint alleges infringement by "Exemplary Defendant Products" but does not name them in the body of the complaint (Compl. ¶27). It states they are identified in charts contained in an Exhibit 2, which was not provided with the complaint document (Compl. ¶30, 32).

Functionality and Market Context

The complaint does not provide sufficient detail for analysis of the accused products' specific functionality. The allegations are made by reference to claim chart exhibits that are not included in the filed document, with the complaint stating that these charts demonstrate how the products "practice the technology claimed by the '499 Patent" (Compl. ¶32).

IV. Analysis of Infringement Allegations

The complaint references claim charts in Exhibit 2, which are not provided in the submitted filings (Compl. ¶33). Therefore, a claim chart summary cannot be constructed. The narrative infringement theory alleges that Defendant’s products directly infringe the ’499 Patent by performing the inventive method of execution-level monitoring and behavioral analysis (Compl. ¶27, 32). The complaint asserts that the inventive concepts captured in Claim 1—monitoring execution functions, generating behavioral models, comparing actual to legitimate behavior, and validating deviations—are practiced by the accused products (Compl. ¶19, 32). No probative visual evidence provided in complaint.

Identified Points of Contention

• Scope Questions: A central issue may be whether the accused products' method of security analysis constitutes "generating a model of legitimate behavior subsequent to invocation of the execution function" as required by the claim. The definition of "model" and the specific timing of its generation relative to function invocation will be critical.
• Technical Questions: What evidence does the complaint provide that the accused products perform the specific step of "validating whether the deviation of the actual behavior is due to one or more functions that accept external input"? The complaint makes this allegation by reference to an unattached exhibit, raising the question of what technical proof exists that the accused products perform this distinct validation step, as opposed to generating a more general anomaly alert (Compl. ¶18, 32).

V. Key Claim Terms for Construction

• The Term: "execution function"

  • Context and Importance: This term defines the event that triggers the claimed detection method. Its construction will determine the breadth of application activities the patent covers. The dispute will likely focus on what types of software functions qualify under this definition.
  • Intrinsic Evidence for Interpretation:
    • Evidence for a Broader Interpretation: Claim 1 provides a functional definition: "a function that accepts external free-form data values" (’499 Patent, col. 39:3-5). Plaintiff may argue this plain language covers any function that processes external input.
    • Evidence for a Narrower Interpretation: The specification provides examples such as "program execution functions, e.g., eval()", functions that "execute SQL queries," and methods accepting user input like "GET, POST, etc." (’499 Patent, col. 4:32-35). Defendant may argue the term should be construed as limited to functions directly implicated in known injection vectors.

• The Term: "generating a model of legitimate behavior"

  • Context and Importance: This term is at the core of the patent's asserted departure from prior art signature-matching systems (Compl. ¶16). Its construction will be critical to distinguishing the claimed invention from conventional anomaly detection.
  • Intrinsic Evidence for Interpretation:
    • Evidence for a Broader Interpretation: The claim language itself does not specify the structure of the "model," which could support a construction covering any baseline of normal activity against which deviations are measured.
    • Evidence for a Narrower Interpretation: The specification describes a process where "a set of baseline signatures...is built from incoming activity records" during a "learning" phase (’499 Patent, col. 19:7-10). Defendant may argue that "generating a model" must be limited to this more specific process of creating and comparing detailed signatures.

VI. Other Allegations

• Indirect Infringement: The complaint alleges induced infringement, stating that Defendant distributes "product literature and website materials" that instruct end users on how to use the accused products in an infringing manner (Compl. ¶30, 31).
• Willful Infringement: The complaint does not explicitly allege willful infringement but pleads facts to support a claim for post-suit willfulness. It alleges that service of the complaint provides Defendant with "Actual Knowledge of Infringement" and that Defendant continues to infringe despite this knowledge (Compl. ¶29, 30). Plaintiff also requests that the case be declared "exceptional" under 35 U.S.C. § 285 (Compl. p. 11, Prayer for Relief ¶E.i).

VII. Analyst’s Conclusion: Key Questions for the Case

• A primary issue will be one of evidentiary proof: Given the complaint’s reliance on an unattached exhibit, the immediate focus of the case will be on discovery to establish the precise technical operations of the accused products. The viability of the infringement claim depends entirely on whether the defendant's products can be shown to perform the specific sequence of monitoring, modeling, comparing, and validating as claimed.
• The case will also turn on a question of claim scope: How will the court construe "generating a model of legitimate behavior"? The dispute will likely focus on whether this term requires the detailed "baseline signature" generation process described in the patent’s specification or if it can be read more broadly to cover other forms of behavioral anomaly detection, an interpretation that could significantly impact the patent's applicability to modern cybersecurity technologies.