DCT
7:25-cv-00040
Skysong Innovations LLC v. CrowdStrike Inc
I. Executive Summary and Procedural Information
- Parties & Counsel:
  - Plaintiff: Skysong Innovations, LLC (Arizona)
  - Defendants: CrowdStrike, Inc. and CrowdStrike Holdings, Inc. (Delaware)
  - Plaintiff’s Counsel: Key Kesan Dallmann PLLC
- Case Identification: 7:25-cv-00040, W.D. Tex., 05/16/2025
- Venue Allegations: Plaintiff alleges venue is proper in the Western District of Texas because Defendants maintain their headquarters and principal place of business in Austin, employ hundreds of individuals in the district, are registered to do business in Texas, and have committed the alleged acts of infringement within the district.
- Core Dispute: Plaintiff, the technology transfer organization for Arizona State University, alleges that Defendant’s Falcon Platform for cybersecurity infringes five patents related to threat mitigation using darknet data, secure browser instantiation, automated labeling of dark web content, efficient neural network computation, and predictive vulnerability analysis.
- Technical Context: The technology resides in the endpoint cybersecurity sector, a critical market focused on protecting enterprise and government computer networks from malware, ransomware, and other sophisticated cyberattacks through threat intelligence and vulnerability management.
- Key Procedural History: The complaint alleges that in March 2019, one of the named inventors, Professor Paulo Shakarian, met with senior CrowdStrike representatives, including its Co-Founder and CTO, and disclosed confidential and patent-pending subject matter related to the asserted technology. This meeting is presented as a basis for Defendants' alleged pre-suit knowledge.
Case Timeline
| Date | Event |
|---|---|
| 2013-12-06 | ’721 Patent Priority Date |
| 2015-11-30 | ’385 Patent Priority Date |
| 2016-09-26 | ’831 Patent Priority Date |
| 2017-11-03 | ’897 Patent Priority Date |
| 2018-05-09 | ’900 Patent Priority Date |
| 2019-03-04 | Meeting alleged between inventor Prof. Shakarian and CrowdStrike |
| 2019-06-04 | ’385 Patent Issue Date |
| 2020-02-25 | ’721 Patent Issue Date |
| 2022-03-15 | ’900 Patent Issue Date |
| 2023-10-03 | ’831 Patent Issue Date |
| 2024-02-06 | ’897 Patent Issue Date |
| 2025-05-16 | Complaint Filing Date |
II. Technology and Patent(s)-in-Suit Analysis
U.S. Patent No. 10,313,385 - “Systems and methods for data driven game theoretic cyber threat mitigation” (Issued Jun. 4, 2019)
The Invention Explained
- Problem Addressed: The patent’s background section identifies a lack of host-based cyber defense approaches that use game theory informed by "un-conventional" sources, specifically data from darknet markets where new and previously unknown "zero-day" exploits are sold (Compl. ¶24; ’385 Patent, col. 2:26-38).
- The Patented Solution: The invention proposes a data-driven security framework that models an attacker based on real-world exploit market data mined from the darknet ('385 Patent, col. 1:15-20). The system uses this external threat intelligence to analyze a defender's IT infrastructure, identify key vulnerabilities ("constraint sets"), and develop optimal defense strategies to mitigate cyberattacks ('385 Patent, col. 3:4-15).
- Technical Importance: The technology enables a proactive, game-theoretic approach to cybersecurity, allowing defenders to model and anticipate attacker behavior based on the actual tools and exploits available in underground markets (Compl. ¶24).
Key Claims at a Glance
- The complaint asserts independent method claim 8 (Compl. ¶65).
- The essential elements of claim 8 include:
  - Accessing data comprising dark net information.
  - Obtaining a set of exploits from that information.
  - Applying an "exploit function" that takes exploits as input and returns a set of vulnerabilities.
  - Creating a "constraint set of vulnerabilities" for a computer system comprising a minimum set of operational dependencies.
  - Applying the exploits to the constraint set to determine their effect.
  - Analyzing an application to detect a particular vulnerability within the constraint set.
  - Altering the computer system's configuration in response to the analysis to reduce potential damage.
U.S. Patent No. 10,574,721 - “Systems and methods for an automatic fresh browser instance for accessing Internet content” (Issued Feb. 25, 2020)
The Invention Explained
- Problem Addressed: The patent addresses security vulnerabilities that arise from accessing both sensitive (e.g., banking) and non-sensitive content within the same browser session, which can lead to information leakage, cross-site request forgery, and other attacks ('721 Patent, col. 1:25-35, col. 3:1-6).
- The Patented Solution: The invention provides a system that automatically compartmentalizes browsing sessions. When a user in a standard browser instance attempts to access a URL classified as sensitive, the system intercepts the request and launches a "fresh browser instance" (FBI) to handle the sensitive content, thereby isolating it from the original session ('721 Patent, Abstract). This process is managed by a combination of a browser extension and an external daemon that tracks active browser instances ('721 Patent, col. 2:45-50).
- Technical Importance: The system automates browser isolation to enhance security against common web-based attacks without requiring manual user action, thus protecting sensitive data like login credentials from being compromised by malicious code running in other tabs (Compl. ¶29).
Key Claims at a Glance
- The complaint asserts independent system claim 1 (Compl. ¶106).
- The essential elements of claim 1 include:
  - Receiving data defining first and second web content classes, where the second is for sensitive information.
  - Generating a first browser instance for the first class.
  - Intercepting a request from the first browser instance for a URL belonging to the second class.
  - Confirming the URL is not already being accessed in a separate instance by using a daemon outside the first browser.
  - The daemon tracks active browsers and manages the launch of new ones.
  - The process involves receiving the request via a browser extension, forwarding it to the daemon via a native application, confirming the content class mismatch and availability, and launching a new browser for the sensitive content.
U.S. Patent No. 11,275,900 - “Systems and methods for automatically assigning one or more labels to discussion topics shown in online forums on the dark web” (Issued March 15, 2022)
- Technology Synopsis: The patent addresses the challenge of classifying large volumes of data from deep and dark web forums, which is often a manual and unscalable process (Compl. ¶34; '900 Patent, col. 2:10-15). The invention provides a computer-implemented system that automatically assigns one or more labels or tags to discussion topics in a hierarchical structure, using machine learning to overcome issues of data scarcity and imbalanced classes ('900 Patent, col. 3:10-14).
- Asserted Claims: Independent method claim 12 (Compl. ¶135).
- Accused Features: The complaint alleges that CrowdStrike’s Falcon Adversary Intelligence and Falcon Intelligence Recon services, which monitor and analyze deep and dark web forums to provide threat intelligence, infringe the ’900 Patent by using machine learning models to classify and tag collected data (Compl. ¶137-145).
U.S. Patent No. 11,775,831 - “Cascaded computing for convolutional neural networks” (Issued October 3, 2023)
- Technology Synopsis: The technology targets the high computational and memory intensity of Convolutional Neural Networks (CNNs), which makes real-time classification difficult on low-power devices (Compl. ¶39; '831 Patent, col. 1:22-29). The patented solution is a "cascaded computing" method where an initial, low-precision computation is performed using only the most significant bits (MSBs) of the data; if a maximum value can be determined from this initial pass, a full-precision computation is then performed only for that specific data set, thereby reducing the total computation required ('831 Patent, Abstract).
- Asserted Claims: Independent claim 1 (Compl. ¶160).
- Accused Features: The complaint alleges that the Falcon Platform’s use of CNN models like "Kestrel" for malware detection in PowerShell scripts infringes the ’831 Patent by employing a similar cascaded approach to efficiently extract predictive features from script content (Compl. ¶164, ¶166).
U.S. Patent No. 11,892,897 - “Systems and methods for predicting which software vulnerabilities will be exploited by malicious hackers to prioritize for patching” (Issued February 6, 2024)
- Technology Synopsis: The patent addresses the problem that existing methods for prioritizing software vulnerability patching are often ineffective, flagging too many vulnerabilities as severe without accurately predicting which ones will actually be exploited ('897 Patent, col. 1:48-2:7). The invention uses machine learning models that analyze a variety of data sources—including social network features of users participating in dark web forums—to predict "exploits in the wild" before they are widely known (Compl. ¶44).
- Asserted Claims: Independent method claim 1 (Compl. ¶185).
- Accused Features: The complaint accuses the Falcon Exposure Management module and its underlying "ExPRT.AI" model, which is trained on CrowdStrike's exploit intelligence and real-world threat data to predict the likelihood of vulnerability exploitation and help customers prioritize patching (Compl. ¶186, ¶191).
III. The Accused Instrumentality
Product Identification
- The Accused Products are collectively identified as the CrowdStrike Falcon Platform and its associated modules, features, and functionalities, including Falcon Adversary Intelligence and Falcon Exposure Management (Compl. ¶7, ¶47).
Functionality and Market Context
- The Falcon Platform is a cloud-native Software-as-a-Service (SaaS) offering for endpoint security, providing next-generation antivirus (NGAV) and endpoint detection and response (EDR) (Compl. ¶47). It functions through a lightweight "Falcon sensor" installed on endpoint devices, which collects telemetry data and communicates with the "CrowdStrike Security Cloud" for analysis and threat detection (Compl. ¶52, ¶55). The complaint alleges that specific premium modules perform the infringing functions: Falcon Adversary Intelligence conducts dark web monitoring to provide threat intelligence (Compl. ¶51), while Falcon Exposure Management uses an AI model trained on exploit data to assess and prioritize system vulnerabilities (Compl. ¶50, ¶79). A marketing table in the complaint shows the various bundles offered to customers (Compl. p. 13). A diagram illustrates the platform's architecture as a "single platform, console, and agent" system (Compl. p. 14).
IV. Analysis of Infringement Allegations
’385 Patent Infringement Allegations
| Claim Element (from Independent Claim 8) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| accessing data comprising dark net information associated with a computer system; | The Falcon Adversary Intelligence module performs 24/7 monitoring of the "open, deep and dark web." | ¶70 | col. 1:15-20 |
| obtaining a set of exploits from the dark net information... | The platform monitors criminal forums and provides "Vulnerability Exploit Intelligence" to identify exploits that can penetrate a computer system. | ¶75, ¶76 | col. 3:4-7 |
| applying an exploit function which takes the set of exploits as input and returns a set of vulnerabilities; | The platform's intelligence services connect threat actors and their techniques (exploits) with associated vulnerabilities, as shown in a dashboard displaying "326 Vulnerabilities attributed to 78 actors." | ¶77 | col. 3:8-15 |
| creating a constraint set of vulnerabilities of the computer system from the set of vulnerabilities comprising a minimum set of dependencies to operate the computer system... | Falcon Adversary Intelligence operates based on a customer's computer "environment," which constitutes the set of assets and dependencies, and identifies vulnerabilities within that environment. | ¶80, ¶81 | col. 3:20-40 |
| ...determining the effect of the set of exploits on the constraint set of vulnerabilities of the computer system; | The platform determines and displays the effect of exploits by showing "Vulnerability IDs" linked to "prevalent actors" within the customer's environment. | ¶82, ¶83 | col. 3:8-15 |
| analyzing an application associated with the set of exploits on the computer system to detect a particular vulnerability... | A user can analyze a specific threat actor (e.g., "CARBON SPIDER") to see the specific vulnerabilities and endpoint detections associated with that actor's exploits on the protected system. | ¶84 | col. 3:20-40 |
| altering a configuration of the computer system in response to the analysis...to reduce potential damage of a cyberattack. | The platform's "Kill chain" intelligence identifies exploitable CVEs and provides information that "can be sent to the vulnerability management team to prioritize patching," which alters the system configuration. A screenshot demonstrates a "Kill chain" tab used for prioritizing patching (Compl. p. 41). | ¶89 | col. 1:18-20 |
- Identified Points of Contention:
  - Scope Questions: A central question may be whether the Falcon Platform's AI-driven correlation of threat intelligence data constitutes the specific, sequential method steps of the claim. For instance, does identifying "prevalent actors" and their associated vulnerabilities meet the limitation of "applying an exploit function which takes the set of exploits as input and returns a set of vulnerabilities"?
  - Technical Questions: The complaint alleges a customer's "environment" is the claimed "constraint set." A point of contention could be whether this environment represents a "minimum set of dependencies to operate the computer system," as the patent requires, or merely an inventory of all existing software and hardware.
’721 Patent Infringement Allegations
No probative visual evidence provided in complaint.
| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| ...receive data defining a first web content class and a second web content class...the second web content class further being associated with sensitive information presenting a security risk; | The platform employs a "Zero Trust model" that classifies URLs into different classes, such as "Isolate" or "Do not Isolate," based on security risk, thereby defining at least two content classes. | ¶108, ¶109 | col. 2:50-55 |
| generate a first browser instance, the first browser instance defining a browser instance type predetermined to be associated with the first web content class; | A user's initial browsing session, such as one for "Normal browsing," constitutes the first browser instance associated with the first web content class. | ¶111 | col. 3:55-60 |
| intercept a request to access web content from the first browser instance, the request defining a URL of the second plurality of URLs... | The platform intercepts access requests to verify identity and policy adherence before granting access to a URL associated with a different security class. | ¶112, ¶113 | col. 2:45-50 |
| confirm that the URL is not being accessed by another separate already-running browser instance...by implementing a daemon outside the first browser instance that tracks active browser instances and launches a new browser... | The platform's Zero Trust Network Access ("ZTNA") allegedly functions in the background as a daemon to autonomously check and enforce security policies on browsing activity. | ¶114, ¶115 | col. 2:45-50 |
| receiving the request via a browser extension associated with the first browser instance, | The platform is alleged to employ "Browser Isolation policies" that use a browser extension corresponding to a web page request. | ¶117 | col. 2:45-50 |
| forwarding the request from the browser extension to the daemon using a native application, | The platform allegedly uses a "WARP" client as a native application to act as an intermediary between the browser extension and the ZTNA (daemon). | ¶118 | col. 2:48-50 |
| confirming, via the daemon that the web content is not associated with the first web content class and that another browser instance is not already launched... | The ZTNA daemon confirms the policy mismatch and isolates the restricted content, preventing it from being associated with the original, non-restricted session. | ¶119, ¶120 | col. 2:45-50 |
| launch a new browser for accessing the web content associated with the second web content class... | When a page is classified for isolation (e.g., as "Do not Isolate," per the complaint's allegation), it is presented in a new browser. | ¶121 | col. 2:45-50 |
- Identified Points of Contention:
  - Scope Questions: A likely dispute will be over the term "launch a new browser." Defendant may argue that its "isolation" technology relies on remote browser isolation (where the session runs in the cloud) rather than launching a distinct new browser process on the user's local machine as contemplated by the patent.
  - Technical Questions: The infringement theory depends on the specific interaction between CrowdStrike's platform and its partner Cloudflare's technology. The actual data flow and technical roles of the "browser extension," "WARP client" (native application), and "ZTNA" (daemon) will be a key factual question for the court.
V. Key Claim Terms for Construction
’385 Patent
- The Term: "exploit function"
- Context and Importance: This term is the core mechanism linking darknet intelligence to actionable defense. The infringement case turns on whether CrowdStrike's AI-driven correlation of actor tactics with known vulnerabilities performs this claimed "function."
- Intrinsic Evidence for Interpretation:
  - Evidence for a Broader Interpretation: The patent describes a conceptual "framework" designed to "model an attacker" ('385 Patent, col. 3:8-10). This language may support an argument that any automated process mapping darknet-derived threat data to a system's vulnerabilities falls within the term's scope.
  - Evidence for a Narrower Interpretation: The claim requires a function that "takes the set of exploits as input and returns a set of vulnerabilities." This may support a more structured, mathematical interpretation, suggesting a specific algorithm rather than a probabilistic correlation, a view potentially bolstered by the specification’s references to "game theoretic" analysis and algorithms ('385 Patent, col. 3:11-13).
’721 Patent
- The Term: "launch a new browser"
- Context and Importance: This is the ultimate security action claimed by the patent. Infringement depends on whether CrowdStrike's "isolation" of a web session constitutes launching a "new browser."
- Intrinsic Evidence for Interpretation:
  - Evidence for a Broader Interpretation: The patent's goal is compartmentalization, so Plaintiff may argue that any mechanism creating a new, functionally separate browsing session (whether local, virtual, or remote) meets the claim's objective and falls within the term's scope.
  - Evidence for a Narrower Interpretation: The specification describes launching a "fresh instance of the browser ... without menus, tabs, or address bar" ('721 Patent, col. 6:9-12), which suggests the creation of a new, distinct browser process on the user's machine. This could be used to argue that remote browser isolation, where the browser runs on a server and is streamed to the user, does not meet this limitation.
VI. Other Allegations
- Indirect Infringement: The complaint alleges Defendants induce infringement of all asserted patents by providing the Falcon Platform to customers and partners, along with instructions, user manuals, and technical support that allegedly encourage and direct users to operate the platform in an infringing manner (e.g., Compl. ¶94-96).
- Willful Infringement: Willfulness is alleged for all five patents. The allegations are based on Defendants' alleged knowledge since at least the filing of the complaint (e.g., Compl. ¶102). For patents co-invented by Professor Shakarian ('385, '900, '897), the complaint further bases its willfulness claim on alleged pre-suit knowledge stemming from a March 2019 meeting where the inventor allegedly disclosed patent-pending subject matter to CrowdStrike's senior leadership (Compl. ¶58-61).
VII. Analyst’s Conclusion: Key Questions for the Case
- A central issue will be one of functional operation: does CrowdStrike's AI-powered cybersecurity platform, which correlates vast datasets of threat intelligence, perform the specific, discrete functional steps recited in the method claims of the '385, '897, and '900 patents, or is there a fundamental mismatch between the platform's probabilistic analysis and the patents' more deterministic, step-by-step processes?
- Another core issue will be one of definitional scope: can the term "launch a new browser" in the '721 patent, which the specification suggests is a new process on a user's machine, be construed to cover modern "browser isolation" technologies that may execute the browsing session remotely in the cloud and stream the output to the user?
- A key factual question will concern pre-suit knowledge: what technical information was disclosed during the alleged March 2019 meeting between the inventor and CrowdStrike executives, and did that disclosure provide legally sufficient notice of the patent-pending technologies to support the claim of willful infringement?