PTAB
IPR2025-01086
Orca Security Ltd. v. Wiz, Inc.
1. Case Identification
- Case #: IPR2025-01086
- Patent #: 12,001,549
- Filed: June 4, 2025
- Petitioner(s): Orca Security Ltd.
- Patent Owner(s): Wiz, Inc.
- Challenged Claims: 1-5 and 11-16
2. Patent Overview
- Title: Cybersecurity Incident Response Using Large Language Models
- Brief Description: The ’549 patent discloses a method and system for providing cybersecurity incident response. The technology leverages a Large Language Model (LLM) to process a cybersecurity “incident input,” such as a natural language query or an alert. The system uses the LLM to map the input to a predefined scenario, generates a database query based on the mapped scenario, executes the query on a security database, and initiates a corresponding mitigation action.
3. Grounds for Unpatentability
- The petition asserts a single ground of unpatentability for all challenged claims.
Ground 1: Claims 1-5 and 11-16 are obvious over Peters in view of Lal.
- Prior Art Relied Upon: Peters (Patent 11,303,666) and Lal (Application # 2024/0403428, which claims priority to provisional Application # 63/472,227).
- Core Argument for this Ground:
  - Prior Art Mapping: Petitioner argued that Peters teaches a comprehensive cybersecurity threat detection and mitigation system that meets most limitations of independent claim 1. Peters’ system receives a "security alert" (the claimed "incident input"), uses an "ensemble of machine learning classifiers" to classify the alert into a distinct "cybersecurity threat type" (the claimed "scenario"), and based on this classification, initiates an "automated investigation workflow." This workflow generates "investigation queries" or API calls to gather more data and ultimately identifies a "threat mitigation route" (the claimed "mitigation action"). Petitioner asserted that Peters' disclosure of executing these API calls against sources like an Active Directory teaches the claimed "executing the query on a security database including a representation of a computing environment," as Active Directory inherently contains such a representation.
  - The petition contended that Lal, which was not considered during prosecution, renders the use of an LLM for these functions obvious. Lal explicitly teaches using a cybersecurity-focused LLM that is trained to understand API specifications and cybersecurity documentation. The combination would substitute Peters’ machine learning classifiers with Lal's more advanced LLM to perform the functions of classifying incident inputs (mapping to a scenario) and generating queries. Specifically, Lal teaches using template-style prompts that can be populated with incident-specific data to configure the LLM, directly mapping to the ’549 patent’s prompting and configuration steps. The dependent and system claims were argued to be obvious based on the same combination, as they recite system components (processor, memory) and minor variations (e.g., the nature of the input, further LLM training) that are also taught or made obvious by the combination of Peters and Lal.
  - Motivation to Combine: A person of ordinary skill in the art (POSITA) would combine Peters and Lal for several compelling reasons. First, Lal expressly teaches incorporating its LLM into broader mitigation systems to improve efficiency, augment threat analysis, and allow for handling investigations at "machine speed and scale." This directly addresses the goal of "intelligently scaling detection capabilities" stated in Peters. Second, a POSITA would recognize the significant efficiency gains from replacing Peters' ensemble of multiple, threat-specific machine learning classifiers with Lal’s single, versatile, and pre-trained LLM. This represents a simple substitution of one known AI element for an improved one to obtain predictable results. Third, a POSITA would combine the references to enhance the system's transparency and query generation capabilities, as Lal’s LLM can translate natural language into specific API queries and explain its reasoning.
  - Expectation of Success: The petition asserted a POSITA would have had a high and reasonable expectation of success. Both Peters and Lal operate in the well-understood field of cybersecurity, and the combination involves integrating known software components—a threat response framework and an LLM—to yield the predictable result of a more automated and efficient cybersecurity system. No undue experimentation would be required to implement Lal's LLM within the framework disclosed by Peters.
4. Key Claim Construction Positions
- The petition identified two key terms from related district court litigation for which the parties proposed differing constructions, but argued the claims are obvious under any proposed construction.
- "wherein each scenario is associated with an incidence response": Petitioner’s primary position was that this term is indefinite. For the purposes of the IPR, Petitioner acceded to the Patent Owner’s contention that "incidence" should be read as "incident."
- "based on": Petitioner proposed this term means "dependent on," implying a specific order of operations must be followed. The petition contended that the claims are obvious under this construction as well as under the Patent Owner's broader proposed construction of "influenced by."
5. Relief Requested
- Petitioner requests institution of an inter partes review and cancellation of claims 1-5 and 11-16 of Patent 12,001,549 as unpatentable under 35 U.S.C. §103.