1:25-cv-02088

GoSecure Inc v. CrowdStrike Inc


I. Executive Summary and Procedural Information

  • Parties & Counsel:
  • Case Identification: 1:25-cv-02088, W.D. Tex., 12/19/2025
  • Venue Allegations: Plaintiff alleges venue is proper in the Western District of Texas because Defendant CrowdStrike Holdings, Inc. has its principal executive office in the district, Defendant CrowdStrike, Inc. maintains its largest office in the district, and both Defendants are alleged to have committed acts of infringement there.
  • Core Dispute: Plaintiff alleges that Defendant’s Falcon Platform for endpoint cybersecurity infringes a patent related to a system for dynamically monitoring computer systems.
  • Technical Context: The technology relates to Endpoint Detection and Response (EDR), a cybersecurity field focused on detecting and investigating threats on endpoint devices like laptops and servers, particularly novel or "zero-day" attacks that evade traditional signature-based antivirus software.
  • Key Procedural History: The complaint alleges that a CrowdStrike co-founder, Dmitri Alperovitch, served on GoSecure’s Board of Directors from November 2011 to May 2012, during which time he allegedly received detailed, confidential information about GoSecure’s technology and product roadmap. The complaint also references active litigation between the parties for nearly two years prior to this filing, including instances where CrowdStrike filed for inter partes review of other GoSecure patents. These allegations may be central to Plaintiff’s claims of willful infringement.

Case Timeline

| Date | Event |
|---|---|
| 2011-01-01 | CrowdStrike co-founded (approximate date) |
| 2011-11-01 | CrowdStrike co-founder joins GoSecure's Board (start) |
| 2012-05-31 | CrowdStrike co-founder leaves GoSecure's Board (end) |
| 2013-04-01 | Earliest date of GoSecure product sales mentioned |
| 2015-01-07 | ’099 Patent Priority Date |
| 2018-10-16 | ’099 Patent Issue Date |
| 2023-04-01 | CrowdStrike sued by OpenText, subsequently subpoenas GoSecure |
| 2025-12-19 | Complaint Filing Date |

II. Technology and Patent(s)-in-Suit Analysis

U.S. Patent No. 10,104,099 - "System and method for monitoring a computer system using machine interpretable code"

The Invention Explained

  • Problem Addressed: The patent addresses the challenge of detecting novel "zero-day" cyberattacks for which no predefined "fingerprint" exists (’099 Patent, col. 1:57-67). It also addresses the difficulty of distributing and updating low-level detection tools on computer systems, as such updates often require a system reboot or risk causing a system failure or crash, which is unsuitable for systems requiring continuous operation (Compl. ¶24; ’099 Patent, col. 2:1-10).
  • The Patented Solution: The invention proposes a two-part monitoring architecture. A stable set of pre-installed, low-level "compiled instructions" serves as the core monitoring engine on an endpoint device (the "collector computer system"). Separately, "machine interpretable code" (e.g., a script or configuration file) is sent to the device. This code, which is not directly executable by the computer's processor, contains the specific parameters for a monitoring task: what to monitor, the method for monitoring it, and the criteria for reporting events. An "interpreter" on the endpoint reads this interpretable code and uses it to direct the actions of the compiled instructions (’099 Patent, Abstract; col. 2:28-54). This separation allows for flexible and dynamic updates to security monitoring rules without altering the core compiled code, thereby avoiding system reboots and reducing the risk of crashes (Compl. ¶27).
  • Technical Importance: This approach allows security systems to be reconfigured rapidly and safely to respond to emerging threats, a critical capability in the context of sophisticated cyberattacks.
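
A minimal sketch of the two-part architecture summarized above, added here as an illustration: fixed built-in routines stand in for the "compiled instructions", and a rule document supplies the targets, the monitoring method, and the reporting criteria. It is not code from the patent, the complaint, or either party's product; the JSON rule format, function names, and sample events are constructed assumptions.

```python
import json
import re

# Stand-ins for the pre-installed "compiled instructions": fixed routines that
# ship with the agent and are not modified when a new rule arrives.
def watch_process_start(events, targets):
    return [e for e in events
            if e["type"] == "process_start" and e["image"] in targets]

def watch_file_write(events, targets):
    return [e for e in events
            if e["type"] == "file_write" and e["path"].startswith(tuple(targets))]

COMPILED = {"process_start": watch_process_start, "file_write": watch_file_write}

def interpret(rule_text):
    """Parse a rule document into (targets, method, reporting criteria)."""
    rule = json.loads(rule_text)
    if rule["method"] not in COMPILED:
        raise ValueError(f"unknown monitoring method: {rule['method']!r}")
    criteria = (rule["report_if"]["field"], re.compile(rule["report_if"]["matches"]))
    return rule["targets"], rule["method"], criteria

def run_rule(rule_text, events):
    """Interpret the rule, run the built-in routine it names, return reportable events."""
    targets, method, (field, pattern) = interpret(rule_text)
    candidates = COMPILED[method](events, targets)
    return [e for e in candidates if pattern.search(str(e.get(field, "")))]

# Constructed rules (hypothetical JSON format) and constructed sample events.
RULE_SSH = ('{"targets": ["/usr/bin/ssh"], "method": "process_start", '
            '"report_if": {"field": "user", "matches": "^root$"}}')
RULE_ETC = ('{"targets": ["/etc/"], "method": "file_write", '
            '"report_if": {"field": "path", "matches": "(passwd|shadow)$"}}')
EVENTS = [
    {"type": "process_start", "image": "/usr/bin/ssh", "user": "root"},
    {"type": "process_start", "image": "/usr/bin/ssh", "user": "alice"},
    {"type": "file_write", "path": "/etc/shadow", "user": "root"},
    {"type": "file_write", "path": "/etc/motd", "user": "root"},
    {"type": "file_write", "path": "/home/alice/notes", "user": "alice"},
]

if __name__ == "__main__":
    # Swapping the rule changes what is monitored and reported; COMPILED is untouched.
    for rule in (RULE_SSH, RULE_ETC):
        print(run_rule(rule, EVENTS))
```
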

Key Claims at a Glance

  • The complaint asserts infringement of at least Claim 1 of the ’099 Patent (Compl. ¶34). It also references claims 3, 4, and 8 as containing other inventive concepts (Compl. ¶28).
  • Independent Claim 1 requires a method with the following essential elements:
    • On a "collector computer system" storing an interpreter and compiled instructions:
    • Receiving "machine interpretable code" that is not directly executable but is configured for the interpreter and includes information identifying monitoring targets, a monitoring method, and reporting criteria.
    • Interpreting that code with the interpreter to obtain the targets, method, and criteria.
    • Monitoring targets for candidate activity by executing the "compiled instructions".
    • Obtaining candidate event information.
    • Reporting that information to a distinct computer system.
    • The method also requires that the "compiled instructions" were generated by a compiler on a second, distinct computer system and received from that system.

III. The Accused Instrumentality

Product Identification

  • The "Falcon Platform," which includes product tiers such as Falcon Go, Falcon Pro, and Falcon Enterprise (collectively, the "Accused Products") (Compl. ¶29).

Functionality and Market Context

  • The Falcon Platform is an endpoint security product that operates via software called the "Falcon sensor" or "Falcon agent" installed on endpoint devices (e.g., workstations, servers) (Compl. ¶30). The complaint alleges that this sensor functions as the claimed "collector computer system" (Compl. ¶37). It is alleged to contain both "built-in sensor content" (the "compiled instructions") and a "detection engine" with an "interpreter." This sensor receives "Rapid Response Content" (the alleged "machine interpretable code") from the CrowdStrike cloud. This content is used to "gather telemetry, identify indicators of adversary behavior, and augment novel detections and preventions on the sensor without requiring sensor code changes" (Compl. ¶38). The sensor then reports gathered information back to the CrowdStrike cloud infrastructure, which is alleged to be the "distinct computer system" (Compl. ¶42).

IV. Analysis of Infringement Allegations

’099 Patent Infringement Allegations

| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| A computer implemented method of monitoring a collector computer system, the collector computer system comprising one or more processors and memory storing an interpreter and compiled instructions... | The CrowdStrike Falcon sensor is deployed on an endpoint device ("collector computer system") and allegedly contains an interpreter and compiled instructions ("built-in sensor content"). | ¶37 | col. 2:28-32 |
| receiving, by the collector computer system, machine interpretable code that is configured for interpretation by the interpreter, wherein the machine interpretable code is not directly executable...and includes...monitoring targets...a method for monitoring...and predefined reporting criteria | The Falcon sensor receives "Rapid Response Content" from the cloud, which is alleged to be the machine interpretable code. This content is not directly executable and is used to define monitoring tasks. | ¶38 | col. 2:32-40 |
| interpreting, by the collector computer system, the machine interpretable code with the interpreter to obtain the...monitoring targets, the method for monitoring...and the predefined reporting criteria | The Falcon sensor's "content interpreter," allegedly using a "regular-expression based engine," interprets the Rapid Response Content to obtain the monitoring parameters. | ¶39 | col. 2:40-45 |
| monitoring, by the collector computer system...for candidate activity that satisfies the predefined reporting criteria by executing compiled instructions that correspond to the method for monitoring... | The Falcon sensor executes its built-in content ("compiled instructions") to monitor for activity that matches criteria derived from the interpreted Rapid Response Content. | ¶40 | col. 2:45-50 |
| obtaining, by the collector computer system, candidate event information that is associated with the candidate activity | The Falcon sensor correlates data from its local graph store with live system activity to generate event information, such as indicators of attack (IOAs). | ¶41 | col. 2:50-52 |
| reporting, by the collector computer system, the candidate event information to a computer system that is distinct from the collector computer system | Information gathered by the Falcon sensor from endpoints is stored in the CrowdStrike cloud, which is a distinct computer system. | ¶42 | col. 2:52-54 |
| wherein the compiled instructions are generated by a compiler in a second computer system that is distinct from the collector computer system, and the method includes receiving the compiled instructions from the second computer system for storing...in the memory | The "built-in sensor content" is allegedly compiled in a second computer system (e.g., at CrowdStrike) before being stored in the memory of the endpoint device where the Falcon sensor runs. | ¶43 | col. 21:58-col. 22:2 |

Identified Points of Contention

  • Scope Questions: A central dispute may concern whether CrowdStrike's "Rapid Response Content" constitutes "machine interpretable code" as claimed. The defense could argue it is merely a set of data patterns or signatures, rather than code that defines a "method for monitoring." Similarly, the function of the "regular-expression based engine" (Compl. ¶39) will be scrutinized to determine if it acts as the claimed "interpreter" or performs a simpler pattern-matching function that falls outside the claim's scope.
  • Technical Questions: The complaint includes a screenshot of the Falcon Sensor's status on an endpoint device, confirming its presence as a "collector computer system" and its connection to the cloud (Compl. p. 13). However, a key technical question will be what evidence demonstrates that the "Rapid Response Content" actually directs the method of monitoring performed by the compiled instructions, as opposed to simply providing data (like signatures) for those instructions to use in a predefined, static method.

V. Key Claim Terms for Construction

The Term: "machine interpretable code"

  • Context and Importance: This term is foundational to the patent's asserted novelty. The infringement case depends on whether CrowdStrike's "Rapid Response Content" falls within the scope of this term. Practitioners may focus on this term because the distinction between declarative data (like a configuration file with signatures) and procedural instructions (like a script) is often a critical line in software patent disputes.
  • Intrinsic Evidence for Interpretation:
    • Evidence for a Broader Interpretation: The specification suggests the term is not limited to a single format, stating it can be in a "script language (e.g., Python, XML, etc.)" or an "intermediary representation of instructions (e.g., Protocol Buffers, etc.)" (’099 Patent, col. 15:35-40). This language could support an argument that any non-executable data structure that directs the sensor's behavior qualifies.
    • Evidence for a Narrower Interpretation: The claim requires the code to include "a method for monitoring." This language, combined with the specification's reference to Python, could support a narrower construction requiring the code to contain procedural logic or function calls, not just declarative patterns or values that a pre-compiled function would match against.

The Term: "interpreter"

  • Context and Importance: The meaning of "interpreter" is directly linked to "machine interpretable code." The functionality of the accused "content interpreter" and "regular-expression based engine" (Compl. ¶39) will be compared against the construed definition of this term.
  • Intrinsic Evidence for Interpretation:
    • Evidence for a Broader Interpretation: The patent describes the interpreter's function as to "obtain the first set of one or more monitoring targets, the method for monitoring... and the predefined reporting criteria" from the interpretable code (’099 Patent, col. 2:41-45). This functional definition could be argued to cover any component that parses a configuration file to set up monitoring parameters.
    • Evidence for a Narrower Interpretation: The specification states the interpreter "converts one or more non-executable instructions in machine interpretable code into machine executable instructions" or "performs operations specified in the one or more non-executable instructions" (’099 Patent, col. 9:50-57). This could support a narrower definition requiring a component that executes procedural logic, akin to a traditional programming language interpreter, rather than one that simply reads configuration values.

VI. Other Allegations

  • Indirect Infringement: The complaint alleges inducement of infringement under 35 U.S.C. § 271(b), asserting that CrowdStrike instructs its customers on how to install and operate the Accused Products through user guides and customer support (Compl. ¶44). It also alleges contributory infringement (Compl. ¶46).
  • Willful Infringement: The complaint alleges both pre-suit and post-suit knowledge as a basis for willfulness. Pre-suit knowledge is alleged based on a CrowdStrike co-founder's prior role on GoSecure's board, a subpoena CrowdStrike served on GoSecure in an unrelated 2023 litigation, and CrowdStrike's involvement in prior litigation and IPR proceedings concerning other GoSecure patents (Compl. ¶45, 48). Post-suit knowledge is based on receipt of the complaint itself (Compl. ¶45).

VII. Analyst’s Conclusion: Key Questions for the Case

  • A core issue will be one of definitional scope: Can the term "machine interpretable code," which the patent specifies must include a "method for monitoring," be construed to cover the "Rapid Response Content" used by the accused Falcon Platform? The case may turn on whether this content is found to be merely a set of data patterns for matching or a set of procedural instructions that are "interpreted" in the manner claimed.
  • A second central question will be evidentiary and related to willfulness: What evidence will discovery yield regarding CrowdStrike’s alleged pre-suit knowledge of GoSecure’s technology and the ’099 patent? The complaint's specific allegations concerning a co-founder's access to confidential information and interactions between the parties in prior legal matters suggest that the history between the companies will be a significant focus of the litigation, with direct implications for potential enhanced damages.