Wiz Inc v. Orca Security Ltd

1. Case Identification

• Case #: IPR2024-01191
• Patent #: 11,775,326
• Filed: August 7, 2024
• Petitioner(s): Wiz, Inc.
• Patent Owner(s): Orca Security Ltd.
• Challenged Claims: 1-28

2. Patent Overview

• Title: Securing Virtual Cloud Assets Against Cyber Vulnerabilities
• Brief Description: The ’326 patent describes methods and systems for securing virtual assets within a cloud computing environment. The claimed technology involves receiving a request to scan cloud assets, and for each asset, using a cloud provider's API to determine the location of a virtual disk snapshot, accessing the snapshot, and analyzing it to identify potential cyber vulnerabilities. The method further includes determining a risk for each vulnerability, calculating an overall risk level for the asset, and reporting the vulnerabilities in a manner prioritized by the associated risk levels.

3. Grounds for Unpatentability

Ground 1: Obviousness over Veselov and Basavapatna - Claims 1-21 and 28 are obvious over Veselov in view of Basavapatna.

• Prior Art Relied Upon: Veselov (Patent 11,216,563) and Basavapatna (Application # 2013/0191919).
• Core Argument for this Ground:
  • Prior Art Mapping: Petitioner argued that Veselov teaches the core functionality of the independent claims, including a scanning service in a cloud environment that receives a request, uses an API to obtain a snapshot of a virtual disk, analyzes the snapshot to identify security vulnerabilities (like CVEs), and reports the results. Petitioner asserted that Basavapatna supplies the remaining limitations by teaching methods to determine a risk associated with each detected vulnerability (a "vulnerability-centric risk metric"), aggregate those risks to determine an overall asset-level risk, and report the results in a prioritized manner based on those risk levels to help users identify the most critical security issues.
  • Motivation to Combine: A Person of Ordinary Skill in the Art (POSITA) would combine these references to enhance the snapshot-based vulnerability assessment of Veselov with the more comprehensive risk analysis and prioritization framework of Basavapatna. This combination would yield a more effective security tool by not only identifying vulnerabilities but also contextualizing their severity, allowing administrators to predictably focus remediation efforts on the highest-priority threats.
  • Expectation of Success: Success was expected because snapshot-based analysis, vulnerability detection, and risk-based prioritization were all well-known and routinely implemented techniques in the cybersecurity field. Combining them would not present unexpected technical challenges.

Ground 2: Obviousness over Veselov, Basavapatna, and Czarny - Claims 4-5 and 17 are obvious over Veselov, Basavapatna, and Czarny.

• Prior Art Relied Upon: Veselov (Patent 11,216,563), Basavapatna (Application # 2013/0191919), and Czarny (Patent 9,749,349).
• Core Argument for this Ground:
  • Prior Art Mapping: Building on Ground 1, Petitioner argued that Czarny provides specific, well-known techniques for performing the "analyzing" step recited in the dependent claims. Where claims 4 and 17 require matching application files against a known list of vulnerable applications, Czarny was alleged to explicitly teach performing this analysis by matching the complete binary files. For claim 5, which requires computing and matching a cryptographic hash, Czarny was alleged to teach this precise technique for identifying vulnerabilities.
  • Motivation to Combine: A POSITA would incorporate Czarny’s matching techniques into the Veselov/Basavapatna system to achieve more robust and accurate vulnerability detection. Czarny’s binary and hash-based comparisons were known to be more thorough and reliable than merely matching software names or version numbers, thus providing a predictable improvement to the overall security assessment process.
  • Expectation of Success: A POSITA would have had a reasonable expectation of success, as binary and hash-based matching were common and effective methods for vulnerability scanning that could be straightforwardly integrated into the combined system.

Ground 3: Obviousness over Veselov, Basavapatna, and Giakouminakis - Claims 22-27 are obvious over Veselov, Basavapatna, and Giakouminakis.

• Prior Art Relied Upon: Veselov (Patent 11,216,563), Basavapatna (Application # 2013/0191919), and Giakouminakis (Patent 9,141,805).
• Core Argument for this Ground:
  • Prior Art Mapping: This ground also builds on Ground 1, with Petitioner arguing that Giakouminakis and Basavapatna together teach the specific risk-assessment factors for determining a "takeover risk" as recited in claims 22-27. Petitioner asserted that Basavapatna and Giakouminakis teach weighting risk based on an asset’s criticality, which could be determined from factors such as the contents stored on the asset (claim 24), its network location (claim 23), and other assets accessible from it (claim 25).
  • Motivation to Combine: A POSITA would be motivated to incorporate the multi-factorial risk assessment teachings of Giakouminakis and Basavapatna to make the risk analysis more accurate and comprehensive. This would improve the system's ability to prioritize threats by considering not just the vulnerability itself, but also the business importance and connectivity of the affected asset.
  • Expectation of Success: Success was expected because applying these well-known risk factors was a routine, straightforward practice in cybersecurity. Integrating these factors to refine the risk scoring of the Veselov/Basavapatna system would be a predictable enhancement.

4. Key Claim Construction Positions

• "location of a snapshot": Petitioner argued this term should be construed to encompass both virtual (e.g., a virtual address) and non-virtual locations. This position was based on the specification's explicit example of a "virtual address" and the common industry practice of storing snapshots in non-virtual storage arrays accessed via non-virtual locations.
• "analyzing the snapshot": Petitioner argued this term covers both direct analysis of the snapshot data as a file and the analysis of a virtual machine instantiated from that snapshot. For the purposes of the inter partes review (IPR), Petitioner adopted this broader construction, which it alleges the Patent Owner uses in related district court litigation.

5. Arguments Regarding Discretionary Denial

• Petitioner argued against discretionary denial under Fintiv factors, stating that the parallel district court case was in its early stages. The trial was not scheduled until March 2026, well after the projected Final Written Decision (FWD) in this IPR would be due, minimizing concerns of duplicative efforts or inefficiency.
• Petitioner also argued that denial under 35 U.S.C. §325(d) was inappropriate because the asserted grounds and prior art combinations were never considered by the U.S. Patent and Trademark Office. While Veselov was cited in an Information Disclosure Statement, it was never applied in a rejection, and the key secondary references (Basavapatna, Czarny, and Giakouminakis) were never before the Examiner.

6. Relief Requested

• Petitioner requests institution of an IPR and cancellation of claims 1-28 of Patent 11,775,326 as unpatentable under 35 U.S.C. §103.