2:25-cv-01222
Sulaco Enterprises LLC v. Sophos Ltd
I. Executive Summary and Procedural Information
- Parties & Counsel:
  - Plaintiff: Sulaco Enterprises LLC (Texas)
  - Defendant: Sophos Limited (United Kingdom)
  - Plaintiff’s Counsel: Fabricant LLP
- Case Identification: 2:25-cv-01222, E.D. Tex., 12/16/2025
- Venue Allegations: Plaintiff alleges venue is proper because the Defendant is not a resident of the United States and may therefore be sued in any judicial district.
- Core Dispute: Plaintiff alleges that Defendant’s firewall and cybersecurity products infringe a patent related to methods for detecting malicious activity by monitoring and analyzing Application Programming Interface (API) calls.
- Technical Context: The technology at issue operates in the cybersecurity domain, specifically focusing on protecting web services and applications by intercepting and inspecting API-level communications for potential threats before they reach the application server.
- Key Procedural History: The complaint does not reference any prior litigation, Inter Partes Review (IPR) proceedings, or licensing history related to the patent-in-suit.
Case Timeline
| Date | Event |
|---|---|
| 2013-02-18 | U.S. Patent No. 8,990,942 Priority Date |
| 2015-03-24 | U.S. Patent No. 8,990,942 Issues |
| 2024-11-18 | Date associated with accused Sophos Firewall 21.0 documentation |
| 2025-12-16 | Complaint Filed |
II. Technology and Patent(s)-in-Suit Analysis
U.S. Patent No. 8,990,942 - Methods and Systems for API-Level Intrusion Detection
The Invention Explained
- Problem Addressed: The patent’s background section notes that traditional intrusion detection systems (IDS) typically operate at the network-packet level (NIDS) or on a single host machine (HIDS). The patent identifies a need for a more flexible and scalable approach to application-level security, where an application developer’s unique knowledge of correct and incorrect application usage can be leveraged to create more effective security rules. (’942 Patent, col. 1:19-41).
- The Patented Solution: The invention describes an intermediary monitoring system, or "API sandbox," that is placed between user devices and an application server. (’942 Patent, col. 2:56-59). This sandbox intercepts incoming API calls, parses them to extract data like the API call name and its parameters, and then uses a "rules execution engine" to determine if the call violates any predefined security rules before deciding whether to allow the communication to proceed to the application server. (’942 Patent, Abstract; Fig. 2).
- Technical Importance: This architecture provides a scalable method for deploying customized, centralized security policies for web applications without requiring security logic to be hard-coded into each application, thereby increasing flexibility. (’942 Patent, col. 2:60-67).
Key Claims at a Glance
- The complaint asserts independent claim 22. (Compl. ¶15).
- The essential elements of independent claim 22 are:
  - Receiving an API call for a service at an API sandbox module.
  - Parsing the API call to extract an API call name and/or parameters.
  - Generating a copy of the extracted name and/or parameters.
  - Providing this copy to an intrusion detection rules execution engine that includes one or more hardware processors.
  - Determining, via the engine, if the API call violates security rules from a security rules object.
  - Providing an indication of whether the API call is in violation.
  - A further requirement that the API sandbox module is co-located at an enterprise software gateway and configured to receive and process API calls for user-selected developers and API name references for application-specific intrusion detection.
- The complaint alleges infringement of "one or more claims," suggesting the right to assert other claims is reserved. (Compl. ¶14).
III. The Accused Instrumentality
Product Identification
The complaint names several accused instrumentalities, including Sophos Firewall products (such as Sophos XGS Series Appliances), Sophos Sandboxing products, Sophos Web Application Firewalls, and other security solutions. (Compl. ¶14). The infringement analysis focuses primarily on the Sophos XGS Series Firewall. (Compl. ¶¶16-19).
Functionality and Market Context
The complaint alleges the accused Sophos XGS Series Firewall provides API-level intrusion detection by utilizing a Web-Application Firewall (WAF) and Sophos Sandbox features. (Compl. ¶16). Documentation referenced in the complaint describes the WAF as a "reverse proxy" that protects applications and websites from exploits and attacks. (Compl. p. 5, fig. 2). The accused functionality includes "Protection policies" that add intrusion prevention to WAF rules to protect web servers from "vulnerability exploits, such as cookie, URL, and form manipulation" and "cross-site scripting (XSS) attacks." (Compl. p. 8, fig. 4). A Sophos features webpage included in the complaint describes a "Cloud sandbox" for "dynamic file analysis" to protect against zero-day threats. (Compl. p. 5, fig. 1).
IV. Analysis of Infringement Allegations
Claim Chart Summary
’942 Patent Infringement Allegations
| Claim Element (from Independent Claim 22) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| an application programming interface (API)-level intrusion detection method, comprising: receiving an API call for a service at an API sandbox module | The Sophos XGS Series Firewall receives an API call for a service at an API sandbox module, which the complaint identifies as the combination of "a Web-Application Firewall and Sophos Sandbox." | ¶16 | col. 4:30-40 |
| parsing the API call to extract at least one of: an API call name; or one or more API call parameters | The Sophos XGS Series Firewall parses the API call to extract at least one of an API call name or one or more API call parameters. | ¶17 | col. 6:19-21 |
| generating a copy of at least one of: the API call name or the one or more API call parameters | The Sophos XGS Series Firewall generates a copy of at least one of the API call name or the API call parameters. | ¶17 | col. 6:14-19 |
| providing, to an intrusion detection rules execution engine including one or more hardware processors, the copy of the at least one of: the API call name or the one or more API call parameters | The Sophos XGS Series Firewall provides the copy of the API call name or parameters to an intrusion detection rules execution engine. | ¶18 | col. 2:50-53 |
| determining, via the intrusion detection rules execution engine, whether the API call is in violation of one or more security rules obtained from a security rules object | The Sophos XGS Series Firewall determines if the API call violates security rules. A screenshot describes how "Protection policies" allow adding "intrusion prevention and protection policies to the WAF rules." (Compl. p. 8, fig. 4). | ¶18 | col. 6:25-30 |
| providing an indication of whether the API call is in violation of the one or more security rules | The Sophos XGS Series Firewall provides an indication of whether the API call is in violation of one or more security rules. | ¶18 | col. 2:58-63 |
| wherein the API sandbox module is co-located at an enterprise software gateway...and processing the received API calls for application specific intrusion detection | The complaint alleges the Sophos XGS Series Firewall uses an API sandbox module co-located at an enterprise software gateway and processes received API calls for application-specific intrusion detection. | ¶19 | col. 2:1-3 |
Identified Points of Contention
- Scope Questions: A central question may be whether the accused combination of a "Web-Application Firewall and Sophos Sandbox" (Compl. ¶16) meets the definition of the claimed "API sandbox module". The defense may argue that its integrated firewall architecture is distinct from the modular system depicted in the patent (e.g., ’942 Patent, Fig. 2).
- Technical Questions: The complaint alleges a sequence of discrete steps ("parsing", "generating a copy", "providing" that copy to an engine). A point of contention will likely be whether the actual operation of the Sophos WAF and its "Protection policies" (Compl. p. 8, fig. 4) performs this specific sequence, or if it uses a different technical method to achieve a similar security outcome. The evidence provided consists of high-level product descriptions, raising the question of how closely the underlying process maps to the claim language.
V. Key Claim Terms for Construction
The Term: "API sandbox module"
- Context and Importance: This term defines the core component of the invention. Its construction will be critical for determining whether the accused Sophos WAF and Sandbox architecture falls within the scope of the claims. The infringement theory hinges on this component reading on the accused products.
- Intrinsic Evidence for Interpretation:
  - Evidence for a Broader Interpretation: The specification describes the system as an "intermediary between end user devices... and an application server" (’942 Patent, col. 2:56-59), which could support construing the term to cover any component performing this intermediary security function.
  - Evidence for a Narrower Interpretation: The patent’s Figure 2 depicts the "API Sandbox" (201) as a discrete architectural block that receives API calls and provides output to a separate "Rules Execution Engine" (204). This could support a narrower construction requiring a distinct, modular component rather than an integrated function within a firewall.
The Term: "co-located at an enterprise software gateway"
- Context and Importance: This limitation in claim 22 adds an architectural requirement that the "API sandbox module" must satisfy. The complaint explicitly alleges the accused firewall functions as such a gateway. (Compl. ¶19).
- Intrinsic Evidence for Interpretation:
  - Evidence for a Broader Interpretation: The specification states that in one embodiment, "the SDK may be co-located at an enterprise level software gateway tunneling all selected API calls." (’942 Patent, col. 2:1-3). This language may support a view that any device at the enterprise edge performing this function, such as the accused firewall appliance, qualifies.
  - Evidence for a Narrower Interpretation: The defense may argue that "enterprise software gateway" has a more specific meaning in the art that is not met by their product, or that "co-located" implies a specific software or hardware relationship that is absent in their integrated system.
VI. Other Allegations
Indirect Infringement
The complaint alleges inducement by providing the accused products to customers and end-users with "instructions on how to operate the infringing technology." (Compl. ¶23). It also alleges contributory infringement, asserting that the accused components are material to the invention, are not staple articles of commerce, and have no substantial non-infringing uses. (Compl. ¶24).
Willful Infringement
The complaint alleges willful infringement based on a theory of willful blindness, claiming Defendant "adopted a policy of not reviewing the patents of others." (Compl. ¶22). Knowledge is also alleged to exist at least as of the filing date of the complaint, which could support a claim for post-suit willfulness. (Compl. ¶22).
VII. Analyst’s Conclusion: Key Questions for the Case
- A core issue will be one of architectural scope: can the claimed "API sandbox module co-located at an enterprise software gateway" be construed to cover the integrated Web Application Firewall and Sandbox functionalities within the accused Sophos XGS Series firewall appliances? The outcome may depend heavily on claim construction.
- A key evidentiary question will be one of functional mapping: does the general application of "intrusion prevention and protection policies" by the accused products perform the specific, sequential method steps recited in Claim 22—particularly the explicit "generating a copy" of API elements and "providing" that copy to a rules engine—or is there a material difference in the underlying technical operation?