Wiz Inc v. Orca Security Ltd

1. Case Identification

• Case #: IPR2025-00095
• Patent #: 11,637,855
• Filed: November 1, 2024
• Petitioner(s): Wiz, Inc.
• Patent Owner(s): Orca Security Ltd.
• Challenged Claims: 1-18

2. Patent Overview

• Title: Cyber Security System for a Cloud Environment
• Brief Description: The ’855 patent describes a cybersecurity system for cloud environments. The system uses a cloud provider API to access a workload's block storage, identify installed software and its version, and then look up known vulnerabilities for that version in a data structure to determine the workload's susceptibility to outside attack.

3. Grounds for Unpatentability

Ground 1: Claims 1-6, 8-9, and 11-18 are obvious over Elder in view of Kim.

• Prior Art Relied Upon: Elder (Application # 2014/0189873) and Kim (Application # 2016/0092679).
• Core Argument for this Ground:
  • Prior Art Mapping: Petitioner argued that Elder disclosed most limitations of the independent claims. Elder taught an automated risk analysis system for network environments that identifies installed software applications and their versions on a host, accesses a vulnerability database, performs a lookup to identify known vulnerabilities, and uses network accessibility information (from CVSS score metrics) to assess susceptibility to attack. Petitioner asserted that Kim supplied the remaining key limitations by teaching the use of a cloud provider API for agentless access to workload data (e.g., virtual disk) and the use of network port status information as part of a security assessment.
  • Motivation to Combine: Petitioner presented several motivations for a Person of Ordinary Skill in the Art (POSA) to combine the references. First, Kim expressly identified Elder as "related preceding technology," creating an explicit suggestion to combine. Second, a POSA would have been motivated to replace Elder's agent-based data collection with Kim's more efficient and secure agentless, API-based method, a well-known improvement in the art. Third, a POSA would incorporate Kim's teaching on using network port status to make Elder's risk assessment more accurate, as open ports were a known and critical factor in determining attack susceptibility. The combination was argued to be a predictable application of known techniques to achieve improved results.
  • Expectation of Success: Petitioner contended that a POSA would have a reasonable expectation of success in combining the references. The individual techniques—software-matching vulnerability analysis, API-based data access, and port status checks—were all well-known and routinely implemented, and their combination would not have posed significant technical challenges or produced unexpected results.

Ground 2: Claims 1-18 are obvious over Elder, Kim, and Hufsmith.

• Prior Art Relied Upon: Elder (Application # 2014/0189873), Kim (Application # 2016/0092679), and Hufsmith (Application # 2020/0097662).
• Core Argument for this Ground:
  • Prior Art Mapping: This ground built upon the combination of Elder and Kim from Ground 1. Petitioner argued that Hufsmith provided additional teachings for limitations in the independent and dependent claims, particularly regarding the types of network accessibility information used. Hufsmith taught refining a vulnerability risk assessment by considering context-specific network properties of the workload, such as its execution environment (e.g., whether it is behind a firewall or externally exposed). Petitioner asserted this constituted using "cloud provider information" to assess risk. Hufsmith also taught using data collected by a scanner (static or dynamic) and storing historical scan data to analyze trends, which mapped to limitations in dependent claims 7 and 10.
  • Motivation to Combine: A POSA would have been motivated to apply Hufsmith's teachings to the Elder/Kim combination to further improve the accuracy and relevance of the vulnerability risk assessment. Hufsmith explained that supplementing generic CVSS metrics with environment-specific information provides a more accurate assessment of risk. A POSA would therefore seek to incorporate Hufsmith's contextual analysis (e.g., workload location in the network) into the system of Elder and Kim to better prioritize threats. The use of scanner-collected data and historical trend analysis, as taught by Hufsmith, were also known methods to enhance security monitoring.
  • Expectation of Success: Petitioner argued success would be expected, as using environment-specific network properties and scanner data to refine risk analysis were familiar and predictable techniques in the field of cybersecurity. Combining these routine enhancements with the system of Elder and Kim would be a straightforward application of known principles.

4. Arguments Regarding Discretionary Denial

• Petitioner argued that discretionary denial under 35 U.S.C. §325(d) would be inappropriate. The primary references, Elder and Kim, were never presented to or considered by the Patent Office during prosecution. While Hufsmith was disclosed in an Information Disclosure Statement (IDS), it was never discussed or applied by the Examiner. Therefore, the Office did not previously consider the grounds presented in the petition, which also included a new expert declaration. Petitioner further argued that the Examiner committed a material error by allowing the claims based on a distinction from prior art that Elder, in fact, teaches.

5. Relief Requested

• Petitioner requests the institution of an inter partes review and the cancellation of claims 1-18 of Patent 11,637,855 as unpatentable.