PTAB

IPR2025-00093

Wiz Inc v. Orca Security Ltd

1. Case Identification

2. Patent Overview

  • Title: Cloud-Based Cybersecurity System for Assessing Internet Exposure
  • Brief Description: The ’257 patent discloses techniques for assessing the internet exposure of a cloud-based workload. The system accesses a cloud provider API to identify network entities and their configurations, builds a graph of their connections, integrates data about publicly accessible proxy services, traverses the graph to find paths originating from the internet to the workload, and outputs an associated risk notification.

3. Grounds for Unpatentability

Ground 1: Obviousness over Keren - Claims 1-20 are obvious over Keren.

  • Prior Art Relied Upon: Keren (Patent 11,374,982).
  • Core Argument for this Ground:
    • Prior Art Mapping: Petitioner argued that Keren, which was not before the Examiner during prosecution, teaches or suggests all limitations of claims 1-20. Keren allegedly discloses a nearly identical system for generating "network analysis insights" in a cloud environment. Petitioner asserted that Keren teaches accessing a cloud provider API to identify "security objects" (the claimed "entities"), including proxies, firewalls, and load balancers capable of routing traffic. The system then collects data on their networking configurations to construct a "security graph," which corresponds to the claimed graph.
    • Petitioner placed significant emphasis on Keren allegedly teaching the specific limitations the Examiner found novel during prosecution. Specifically, Petitioner argued Keren teaches accessing a data structure (its "storage 630" or "graph database") that stores collected security object data, which identifies services publicly accessible via the internet and capable of serving as an internet proxy (e.g., public proxies, web-access firewalls, Nginx web servers). Keren then allegedly integrates this information into the security graph by, for example, "tagging" security objects with their properties.
    • Further, Petitioner contended that Keren’s process of calculating a "reachability property" by traversing the security graph to see if a workload can be reached from an external network (the internet) meets the claimed traversing step. The resulting "security insights" that notify a user of risky configurations, such as a database being exposed to external networks, were argued to be the claimed "risk notification." Petitioner also mapped Keren's disclosure of virtual entities, specific configurations (firewall, proxy), node-and-link graphs, and the inclusion of port numbers to the various dependent claims.
    • Key Aspects: Petitioner argued that the allowance of the ’257 patent was based on a material error, as the Examiner stated that no prior art of record taught accessing a data structure for internet proxy services and integrating them into a graph—the very features Petitioner alleges are disclosed in Keren.

Ground 2: Obviousness over Keren and Engelberg - Claims 1-20 are obvious over Keren in view of Engelberg.

  • Prior Art Relied Upon: Keren (Patent 11,374,982) and Engelberg (Application # 2022/0263855).
  • Core Argument for this Ground:
    • Prior Art Mapping: This ground asserted that the combination of Keren and Engelberg renders all challenged claims obvious. Keren was relied upon for the same teachings as in Ground 1, providing the foundational cybersecurity system. Engelberg was introduced primarily to teach the limitation of dependent claim 10, which requires the risk notification to include "one or more resolution recommendations." Petitioner argued that Engelberg addresses cyber risk mitigation by teaching systems that not only identify risks but also recommend "remedial actions" or "courses of action" to security personnel. Engelberg’s disclosure of providing actionable recommendations to remediate identified risks was argued to meet the "resolution recommendations" limitation.
    • Motivation to Combine: Petitioner argued a person of ordinary skill in the art (POSITA) would combine the references to improve the functionality of Keren’s system. Keren’s stated purpose is to provide administrators with useful insights into network vulnerabilities. Engelberg teaches the benefit of providing explicit remediation steps along with risk notifications to enable personnel to react and remediate events more effectively. A POSITA would have recognized that augmenting Keren’s "security insights" with Engelberg’s explicit "resolution recommendations" would be a logical and predictable improvement, making the entire system more valuable to a network administrator. The references are in the same field and address analogous problems.
    • Expectation of Success: Petitioner asserted a POSITA would have a reasonable expectation of success in making this combination. The integration of resolution recommendations into risk alerts was a well-understood and conventional practice in the cybersecurity field. Combining Keren's risk identification with Engelberg's recommendation feature would involve applying a known technique to a known system to yield predictable results, without presenting any meaningful technical challenges.

4. Arguments Regarding Discretionary Denial

  • Petitioner argued that discretionary denial under 35 U.S.C. §325(d) would be inappropriate. The petition is based on Keren, a reference that was never presented to, or considered by, the USPTO during the original prosecution. Petitioner contended that Keren is not cumulative of the art considered by the Examiner and that its absence resulted in a material error in allowance. The Examiner allowed the claims precisely because the prior art of record was found to lack the teachings that Petitioner now asserts are present in Keren. The petition also presents a new expert declaration not previously before the Office.

5. Relief Requested

  • Petitioner requests institution of an inter partes review and cancellation of claims 1-20 of Patent 11,582,257 as unpatentable.