DCT
2:25-cv-00913
Qomplx LLC v. Palo Alto Networks Inc
I. Executive Summary and Procedural Information
- Parties & Counsel:
- Plaintiff: Qomplx LLC (New York)
- Defendant: Palo Alto Networks, Inc. (Delaware)
- Plaintiff’s Counsel: Irell & Manella LLP; Miller Fair Henry PLLC
- Case Identification: 2:25-cv-00913, E.D. Tex., 08/28/2025
- Venue Allegations: Plaintiff alleges venue is proper in the Eastern District of Texas because Defendant maintains a regular and established place of business in the district, employs over 800 people there, and has committed acts of infringement within the district.
- Core Dispute: Plaintiff alleges that Defendant’s cybersecurity and data processing products infringe four patents related to large-scale data analysis using distributed graphs, graph-based network security, and secure telemetry transport.
- Technical Context: The technologies at issue address the management, analysis, and security of massive data streams within large enterprise and cloud computing environments, a market central to modern cybersecurity and IT infrastructure.
- Key Procedural History: The complaint does not mention any prior litigation, Inter Partes Review (IPR) proceedings, or licensing history related to the Asserted Patents.
Case Timeline
| Date | Event |
|---|---|
| 2015-10-28 | Earliest Priority Date for ’424 and ’425 Patents |
| 2016-04-28 | Earliest Priority Date for ’663 Patent |
| 2021-04-22 | Priority Date for ’627 Patent |
| 2022-12-27 | ’663 Patent Issued |
| 2024-11-12 | ’424 Patent Issued |
| 2024-11-12 | ’425 Patent Issued |
| 2025-05-13 | ’627 Patent Issued |
| 2025-08-28 | Complaint Filed |
II. Technology and Patent(s)-in-Suit Analysis
U.S. Patent No. 12,143,424, "Rapid Predictive Analysis of Very Large Data Sets Using the Distributed Computational Graph," Issued November 12, 2024
The Invention Explained
- Problem Addressed: The patent’s background, as described in the complaint, identifies that prior art "data pipelines" were inefficient for analyzing very large data sets because they were "extremely limited" and "rigidly programmed," making them too labor-intensive and inflexible for complex tasks (Compl. ¶¶ 20, 22; ’424 Patent, col. 3:61-4:18).
- The Patented Solution: The invention proposes a system for analyzing very large data sets using a "distributed computational graph" (Compl. ¶23; ’424 Patent, col. 4:58-63). This architecture allows the system to dynamically introduce new "transformation pipelines" as needed, enabling it to scale resources up or down to match unpredictable data inputs and efficiently process data from disparate sources like sensors, databases, and the internet (’424 Patent, col. 9:35-44, col. 15:35-40; Compl. ¶¶ 25-26).
- Technical Importance: This approach is described as providing a tangible improvement to computer systems by enabling the timely analysis of substantially larger data sets and, in a cloud computing context, reducing costs by matching resource consumption to immediate needs (Compl. ¶¶ 24, 26).
Key Claims at a Glance
- The complaint asserts infringement of at least Claim 1 (Compl. ¶32).
- Independent Claim 1 describes a distributed computing cluster with a first plurality of computer systems, where:
- Each system stores data representing a portion of a "distributed computational graph" that describes a data flow between a first and second "transformation pipeline."
- A first computer system is configured to receive a stream of input data, process it in real time using the first pipeline, process the stored graph data to get information about the second pipeline, and transmit the output messages to a second computer system.
- The second computer system is configured to receive those messages and process them in real time using the second pipeline.
- A third computer system is configured to cause a fourth system to execute one of the pipelines (Compl. ¶33).
- The complaint does not explicitly reserve the right to assert dependent claims.
U.S. Patent No. 12,143,425, "Rapid Predictive Analysis of Very Large Data Sets Using the Distributed Computational Graph," Issued November 12, 2024
The Invention Explained
- Problem Addressed: The ’425 Patent addresses the same problems as the ’424 Patent regarding the limitations of rigid, prior-art data pipelines for large-scale data analysis (Compl. ¶¶ 54, 56, 58).
- The Patented Solution: The solution is also centered on a distributed computational graph architecture that enables smart scaling and dynamic resource allocation (Compl. ¶¶ 57, 60). The '425 Patent further describes a system with self-monitoring capabilities that can "enable[] steps to be taken and notifications to be passed if individual transformation nodes...become unresponsive" or to resolve stalled data processing (Compl. ¶¶ 61-62; ’425 Patent, col. 23:29-33).
- Technical Importance: The invention is alleged to provide discrete technological solutions for dynamic resource allocation and system self-monitoring to resolve unstable data processing in environments with disparate, high-volume data streams (Compl. ¶62).
Key Claims at a Glance
- The complaint asserts infringement of at least Claim 1 (Compl. ¶66).
- Independent Claim 1 describes a system with a distributed computing network comprising at least three pluralities of computer systems, where:
- First and second computer systems process data streams using first and second transformation pipelines, respectively.
- A third computer system stores data representing a portion of a "distributed computational graph" describing the data flow between the pipelines.
- The third computer system is configured to process the graph data, "monitor" the execution of the software instructions on the first and second systems, and "in response to the monitoring, cause a fourth computer system...to execute" instructions to process additional data (Compl. ¶67).
- The complaint does not explicitly reserve the right to assert dependent claims.
Multi-Patent Capsule: U.S. Patent No. 12,301,627
- Patent Identification: U.S. Patent No. 12,301,627, "Correlating Network Event Anomalies Using Active and Passive External Reconnaissance to Identify Attack Information," Issued May 13, 2025 (Compl. ¶84).
- Technology Synopsis: The patent addresses the problem that prior art cybersecurity rating methods fail to incorporate sufficient information to adequately profile an organization's security posture (Compl. ¶90). The patented solution provides a system that represents network entities and their relationships as a directed graph, analyzes streaming data to identify anomalies, and uses the graph to identify potential attack paths and their root causes (Compl. ¶¶ 91-92, 94).
- Asserted Claims: At least Claim 1 (Compl. ¶99).
- Accused Features: The "Accused Security Products," which include at least Infinity Graph, Prisma Cloud, and Cortex Cloud (Compl. ¶99).
Multi-Patent Capsule: U.S. Patent No. 11,539,663
- Patent Identification: U.S. Patent No. 11,539,663, "System and Method for Midserver Facilitation of Long-Haul Transport of Telemetry for Cloud-Based Services," Issued December 27, 2022 (Compl. ¶118).
- Technology Synopsis: The patent addresses problems with heterogeneous data transfer to cloud services, including a "lack of reliable data collection methods" and security risks from thousands of separate device connections (Compl. ¶¶ 123-124). The solution uses "midservers" integrated with the enterprise network to collect, aggregate, and securely transmit data from many devices as a single, secure data stream to a cloud-based service, thereby reducing the number of connections and attack vectors (Compl. ¶¶ 125-126, 129).
- Asserted Claims: At least Claim 1 (Compl. ¶133).
- Accused Features: The "Accused Broker Products," which utilize the Broker Virtual Machine ("Broker") (Compl. ¶¶ 132-133).
III. The Accused Instrumentality
Product Identification
The complaint groups the accused instrumentalities based on the technology they allegedly utilize:
- Accused SLS Products: Products that use the Strata Logging Service ("SLS"), formerly Cortex Data Lake, are accused of infringing the ’424 and ’425 Patents. These include AIOps for NGFW, Prisma Access, IoT Security, Panorama, Cortex XDR, and others (Compl. ¶¶ 31-32, 65-66).
- Accused Security Products: Products that use Infinity Graph are accused of infringing the ’627 Patent. These include Infinity Graph, Prisma Cloud, and Cortex Cloud (Compl. ¶99).
- Accused Broker Products: Products that use the Broker Virtual Machine ("Broker") are accused of infringing the ’663 Patent (Compl. ¶¶ 132-133).
Functionality and Market Context
- The complaint alleges the Accused SLS Products operate on a "large-scale data platform on Google Cloud" that uses Apache Beam to define and deploy data processing "pipelines" (Compl. ¶¶ 35, 69). An included screenshot from a Palo Alto Networks blog post describes this infrastructure as handling one trillion events daily (Compl. ¶35). These products allegedly use a "custom autoscaler" that monitors metrics, such as "Beam backlog metrics," to scale computing resources up or down as needed to manage throughput and reduce costs (Compl. ¶¶ 41, 76). The complaint includes a diagram from Apache Beam's documentation, allegedly used by the SLS products, that shows a pipeline as a directed acyclic graph of data transformations (Compl. ¶36, p. 10).
- The Accused Security Products allegedly use Infinity Graph, which is built on an Amazon Neptune Database, to maintain a directed graph of network assets, accounts, and resources (Compl. ¶¶ 103-104). This system is alleged to receive streaming data about network events, modify the graph in place, and execute pre-defined analyses to search for attack paths, such as identifying publicly exposed instances with high vulnerabilities (Compl. ¶¶ 106-107). The complaint provides a screenshot showing a visualization of an Infinity Graph that depicts network entities like EC2 instances and vulnerabilities as nodes connected by relationships (Compl. ¶104, p. 33).
- The Accused Broker Products are alleged to utilize the Broker Virtual Machine, which functions as a "midserver" for ingesting log data into a cloud-based service (Compl. ¶136). The complaint alleges the Broker VM is a virtual appliance that receives data from multiple endpoints over a local network, applies transformations, and retransmits the data over a secure SSL connection to the cloud as a single data stream (Compl. ¶¶ 137, 140-141).
IV. Analysis of Infringement Allegations
’424 Patent Infringement Allegations
| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| A distributed computing cluster comprising: a first plurality of computer systems... | The Accused SLS Products run on a "large-scale data platform on Google's massive distributed computing cluster." | ¶35 | col. 9:35-44 |
| wherein each respective computer system...comprises a memory that stores a respective first data, wherein the respective first data represents a respective portion of a distributed computational graph | The Accused SLS Products use Apache Beam, which defines a pipeline as a directed acyclic graph, to define the structure and execution of operations. | ¶36 | col. 4:58-63 |
| wherein a first computer system...is configured to: receive a first stream of input data...process the first stream of input data substantially in real time...to generate first pipeline output messages... | The Accused SLS Products use a custom, distributed Beam Runner that receives a stream of input data and processes it in real time by running complex Beam pipelines. | ¶38 | col. 9:64-67 |
| process the respective first data stored in the memory...to determine information about the second transformation pipeline, and transmit the first pipeline output messages to a second computer system... | The Apache Beam platform documentation allegedly shows the flow of pipeline input and output messages through transformation pipelines, which are run across massive computational clusters. | ¶39, ¶40 | col. 16:53-61 |
| wherein a third computer system...is configured to execute software instructions that cause a fourth computer system...to execute software instructions that apply at least one of the first transformation pipeline and the second transformation pipeline. | The Accused SLS Products use a custom autoscaler that watches metrics and scales resources up and down, causing computer systems to apply transformation pipelines as needed. | ¶41 | col. 9:40-41 |
- Identified Points of Contention:
- Scope Questions: A primary question may be whether the term "distributed computational graph" as claimed in the patent reads on the use of Apache Beam's standard "directed acyclic graph" functionality as alleged by the complaint. The analysis may explore whether the patent's description imparts a specific structure or capability to the "distributed computational graph" that is absent from a generic directed acyclic graph framework.
- Technical Questions: The complaint alleges a third computer system causes a fourth to apply a pipeline based on a "custom autoscaler." A point of contention may be whether this general scaling function meets the specific claim requirement, or if the claim implies a more direct instruction based on the graph's structure rather than system-level performance metrics.
’425 Patent Infringement Allegations
| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| A system comprising: a distributed computing network comprising a first plurality of computer systems, a second plurality of computer systems, and a third plurality of computer systems... | The Accused SLS Products run on a "large-scale data platform on Google's massive distributed computing cluster." | ¶69 | col. 9:35-44 |
| wherein a first computer system...is configured to execute first software instructions that: receive a first stream of input data, process first portions of the first stream of data by applying a first transformation pipeline... | The Accused SLS Products use Apache Beam to define and deploy pipelines, which run on a custom, distributed Beam Runner that receives and processes input data streams. | ¶70-71 | col. 4:31-34 |
| wherein a third computer system...comprises a memory that stores a first data, wherein the first data represents a portion of a distributed computational graph... | Beam uses a directed graph to define the structure and execution of operations, and portions of this graph are stored in the memory of orchestration computers comprising the custom Beam Runner. | ¶74 | col. 4:58-63 |
| wherein the third computer system is configured to execute third software instructions that...monitor at least a portion of the execution...and in response to the monitoring, cause a fourth computer system...to execute fourth software instructions that perform at least one of: processing second portions of the first stream of data...or processing second portions of the first pipeline output messages... | The Accused SLS Products use a "custom autoscaler that monitors various metrics about the execution of the transformation pipelines, including Beam backlog metrics," and in response scales resources up and down, causing additional computer systems to apply transformation pipelines. | ¶76 | col. 23:29-33 |
- Identified Points of Contention:
- Scope Questions: The central dispute may turn on the "monitor...and in response...cause" limitation. The question for the court will be whether monitoring general "backlog metrics" and scaling resources constitutes the specific type of monitoring and responsive causation described in the patent, which also discusses monitoring for "unresponsive" nodes or "stalled" processing (Compl. ¶62).
- Technical Questions: The complaint's allegations for the '425 Patent rely on the same accused architecture as for the '424 Patent. The factual question will be what specific metrics the "custom autoscaler" actually monitors and what precise actions it "causes" in response, and whether this operation maps to the claim language.
V. Key Claim Terms for Construction
For the ’424 and ’425 Patents:
- The Term: "distributed computational graph"
- Context and Importance: This term is the technological core of the asserted claims in both the ’424 and ’425 Patents. Its construction will be critical in determining whether Defendant's use of Apache Beam's directed acyclic graph architecture falls within the scope of the patents. Practitioners may focus on whether the term carries a specific meaning beyond a standard directed graph as used in open-source data processing tools.
- Intrinsic Evidence for Interpretation:
- Evidence for a Broader Interpretation: The plain language of the claims describes the graph by its function: "describes a flow of output data of a first transformation pipeline to an input of a second transformation pipeline" (’424 Patent, Claim 1; Compl. ¶33). This functional language may support a construction that covers any graphical representation of data flow between processing stages, such as that used in Apache Beam.
- Evidence for a Narrower Interpretation: The specifications, as cited in the complaint, describe the invention as enabling systems to "self-modify to maintain optimal operation" and "learn and react to intermediate determinations" (Compl. ¶¶ 25, 59). This language suggests the "distributed computational graph" may be more than a static data flow map and may require specific dynamic or intelligent properties not inherent in every directed acyclic graph.
For the ’425 Patent:
- The Term: "monitor at least a portion of the execution...and in response to the monitoring, cause a fourth computer system...to execute..."
- Context and Importance: This limitation is a key element of Claim 1 of the ’425 Patent and the central basis for the infringement allegation against the "custom autoscaler." The dispute will likely center on the nexus between the "monitoring" and the responsive "causing" of another system to act.
- Intrinsic Evidence for Interpretation:
- Evidence for a Broader Interpretation: The claim language itself is broad, not specifying what must be monitored (only "a portion of the execution") or how the fourth system is caused to act. This could support Plaintiff's theory that monitoring system-level "backlog metrics" and automatically adding computing resources meets the limitation.
- Evidence for a Narrower Interpretation: The specification explains that the invention enables monitoring for "unresponsive" transformation nodes or "stalled or unstable data processing" (Compl. ¶¶ 61-62). Defendant may argue this context narrows the scope of "monitoring" to detecting specific functional failures within the pipeline, rather than general system load.
VI. Other Allegations
- Indirect Infringement: For all four asserted patents, the complaint alleges induced infringement under 35 U.S.C. § 271(b). The allegations state that Defendant provides instructions, documentation, marketing materials, and technical support that encourage and teach customers how to use the accused products in an infringing manner (Compl. ¶¶ 43, 78, 112, 143). The complaint also alleges contributory infringement under § 271(c), asserting that the accused components are material to the inventions, are not staple articles of commerce, and are known by Defendant to be especially adapted for use in an infringing way (Compl. ¶¶ 44, 79, 113, 144).
- Willful Infringement: The complaint does not allege pre-suit knowledge of the patents. It asserts that Defendant will have explicit written notice upon service of the complaint and alleges that any continued infringement thereafter will be knowing, intentional, purposeful, and deliberate (Compl. ¶¶ 47, 82, 116, 146). This forms the basis for a claim of post-suit willful infringement.
VII. Analyst’s Conclusion: Key Questions for the Case
- Definitional Scope vs. Open Source: A central issue will be one of definitional scope: can the term "distributed computational graph," as claimed in the ’424 and ’425 Patents, be construed to cover the accused systems' implementation of widely-used open-source technologies like Apache Beam? The case may turn on whether the patent claims a specific, inventive application of graphical data processing or describes a more general architecture now common in the field.
- Functional Equivalence: A key evidentiary question will be one of functional equivalence: does the accused systems' "custom autoscaler," which allegedly monitors "Beam backlog metrics" for performance scaling, perform the specific monitoring and responsive causation recited in Claim 1 of the '425 Patent? The court will need to determine if there is a fundamental mismatch between general, load-based resource allocation and the patent’s described function of resolving stalled or unstable processing nodes.
- Technological Crowding in Cybersecurity: For the '627 and '663 Patents, the case will likely involve distinguishing the patented methods from a crowded field of existing cybersecurity technologies. The core questions will be whether the specific graph-based anomaly detection and "midserver" telemetry aggregation methods claimed offer a novel and non-obvious improvement over prior art, and whether the accused "Infinity Graph" and "Broker VM" products practice those precise claimed methods.