PTAB

IPR2025-01086

Orca Security Ltd v. Wiz Inc

Log In
Key Events
Petition
petition

1. Case Identification

2. Patent Overview

  • Title: Cybersecurity Incident Response Using Large Language Models
  • Brief Description: The ’549 patent discloses methods, systems, and apparatus for providing cybersecurity incident response. The technology uses a large language model (LLM) to process a received cybersecurity "incident input," map it to a predefined scenario, generate a query for a security database, and initiate a mitigation action based on the query results.

3. Grounds for Unpatentability

Ground 1: Claims 1-5 and 11-16 are obvious over Peters in view of Lal

  • Prior Art Relied Upon: Peters (Patent 11,303,666) and Lal (Provisional Application # 63/472,227).
  • Core Argument for this Ground:
    • Prior Art Mapping: Petitioner argued that Peters taught a comprehensive system for cybersecurity threat detection and mitigation that met most of the limitations of the challenged claims, but using an "ensemble of machine learning classifiers" instead of an LLM. Peters’ system received security alerts (the claimed "incident input"), classified them into threat types (the claimed "scenarios"), generated and executed investigative queries against data sources like Active Directory (the claimed "security database"), and initiated mitigation routes. Petitioner contended that Lal taught the missing element: a cybersecurity-specific LLM trained to understand security documentation, analyze threats, and translate natural language inputs or threat data into API queries. According to Petitioner, substituting Lal’s advanced LLM for Peters’ older machine learning classifiers would have been an obvious modification to achieve the claimed invention.
    • Motivation to Combine (for 35 U.S.C. §103 grounds): Petitioner asserted multiple motivations for a Person of Ordinary Skill in the Art (POSITA) to combine the references. A POSITA would combine Peters and Lal to:
      • Upgrade Peters’ system with the more powerful and flexible LLM technology taught by Lal, which was gaining widespread adoption at the time of the invention.
      • Consolidate Peters' ensemble of multiple, threat-specific machine learning classifiers into a single, more efficient, and broadly trained LLM as taught by Lal, thereby improving performance and scalability.
      • Leverage Lal’s LLM, which was trained on API specifications, to automate and streamline the generation of API queries, replacing Peters' more rigid method of using stored, source-specific configuration parameters.
      • Enhance the efficiency and accuracy of responding to security alerts, consistent with the stated goals of both Peters and Lal.
    • Expectation of Success (for §103 grounds): Petitioner argued a POSITA would have a reasonable expectation of success because both references operated in the well-understood field of cybersecurity. Combining a known AI tool (Lal's LLM) with a known cybersecurity framework (Peters' system) to achieve a more automated and efficient result was a predictable improvement, not requiring undue experimentation.

4. Key Claim Construction Positions

  • Petitioner asserted that two terms required construction based on positions taken in related district court litigation.
  • "wherein each scenario is associated with an incidence response": Petitioner argued this term was indefinite. Patent Owner had argued that "incidence" was a typographical error for "incident" and that no other construction was necessary. For the purposes of the petition, Petitioner adopted the Patent Owner's proposed correction.
  • "based on": Petitioner proposed a construction of "dependent on; the limitations of claims 1, 11 and 12 must be performed in order." Patent Owner had argued that no construction was necessary or, alternatively, that it meant "influenced by." Petitioner contended its obviousness arguments prevailed under any of the proposed constructions for this term.

5. Relief Requested

  • Petitioner requests institution of an inter partes review (IPR) and cancellation of claims 1-5 and 11-16 of the ’549 patent as unpatentable.