Case 1:23-cv-00758-JLH-SRF Document 144 Filed 09/19/24 Page 1 of 26 PageID #: 3365
`
`IN THE UNITED STATES DISTRICT COURT
FOR THE DISTRICT OF DELAWARE
`
`ORCA SECURITY LTD.,
`
`Plaintiff,
`
`v.
`
`WIZ, INC.
`
`Defendants.
`
`C.A. No. 23-00758-JLH-SRF
`
`WIZ, INC.’S ANSWERING BRIEF IN OPPOSITION TO ORCA SECURITY LTD.’S
`MOTION TO DISMISS WIZ, INC.’S AMENDED COUNTERCLAIM COUNT IV
`UNDER FED. R. CIV. P. 12(b)(6)
`
`OF COUNSEL:
`
`Jordan R. Jaffe
`Catherine Lacey
`Callie Davidson
`Alex Miller
`WILSON SONSINI GOODRICH & ROSATI, P.C.
`One Market Plaza
`Spear Tower, Suite 3300
`San Francisco, CA 94105
`(415) 947-2000
`
`RICHARDS, LAYTON & FINGER, P.A.
`Frederick L. Cottrell, III (#2555)
`Kelly E. Farnan (#4395)
`Christine D. Haynes (#4697)
`One Rodney Square
`920 N. King Street
`Wilmington, DE 19801
`(302) 658-6541
`cottrell@rlf.com
`farnan@rlf.com
`haynes@rlf.com
`
`Dated: September 19, 2024
`
`Counsel for Defendant Wiz, Inc.
`
TABLE OF CONTENTS

I. NATURE AND STAGE OF PROCEEDINGS
II. SUMMARY OF ARGUMENT
III. STATEMENT OF FACTS
    A. The ’549 Patent Specification
    B. The Asserted ’549 Patent Claims
        1. The Independent Claims
        2. The Asserted Dependent Claims
IV. LEGAL STANDARD
    A. Motions to Dismiss Under Rule 12(b)(6)
    B. Patent Eligibility under 35 U.S.C. § 101
V. ARGUMENT
    A. Alice Step One: The Claims Are Not Directed to an Abstract Idea
        1. The Independent Claims Are Directed to A Specific Solution to a Computer Problem
        2. The Asserted Dependent Claims Are Directed to Even More Concrete Ideas
    B. Alice Step Two: Inventive Concepts Preclude Dismissal
        1. The Independent Claims Include Inventive Concepts
        2. The Dependent Claims Include Additional Inventive Concepts
    C. Dismissal Is Not Appropriate
VI. CONCLUSION
`
TABLE OF AUTHORITIES

CASES

Aatrix Software, Inc. v. Green Shades Software, Inc., 882 F.3d 1121 (Fed. Cir. 2018)

Aatrix Software, Inc. v. Green Shades Software, Inc., 890 F.3d 1354 (Fed. Cir. 2018)

Alice Corp Pty. v. CLS Bank Int’l, 573 U.S. 208 (2014)

Ancora Techs., Inc. v. HTC Am., Inc., 908 F.3d 1343 (Fed. Cir. 2018)

Bascom Glob. Internet Servs., Inc. v. AT&T Mobility LLC, 827 F.3d 1341 (Fed. Cir. 2016)

Berkheimer v. HP Inc., 881 F.3d 1360 (Fed. Cir. 2018)

Blackbird Tech v. Uber Techs., Inc., C.A. No. 19-561 (MN), 2020 WL 58535 (D. Del. Jan. 6, 2020)

BSG Tech LLC v. Buyseasons, Inc., 899 F.3d 1281 (Fed. Cir. 2018)

CardioNet, LLC v. InfoBionic, Inc., 955 F.3d 1358 (Fed. Cir. 2020)

Cellspin Soft, Inc. v. Fitbit, Inc., 927 F.3d 1306 (Fed. Cir. 2019)

Chewy, Inc. v. Int’l Bus. Machs. Corp., 94 F.4th 1354 (Fed. Cir. 2024)

CoolTVNetwork.com, Inc. v. Facebook, Inc., C.A. No. 19-292-LPS-JLH, 2019 WL 4415283 (D. Del. Sept. 16, 2019)

Core Wireless Licensing S.A.R.L. v. LG Elecs., Inc., 880 F.3d 1356 (Fed. Cir. 2018)

CosmoKey Sols. GmbH & Co. KG v. Duo Sec. LLC, 15 F.4th 1091 (Fed. Cir. 2021)

Data Engine Techs. LLC v. Google LLC, 906 F.3d 999 (Fed. Cir. 2018)

DDR Holdings, LLC v. Hotels.com, L.P., 773 F.3d 1245 (Fed. Cir. 2014)

Enfish, LLC v. Microsoft Corp., 822 F.3d 1327 (Fed. Cir. 2016)

FairWarning IP, LLC v. Iatric Systems, Inc., 839 F.3d 1089 (Fed. Cir. 2016)

Ficep Corp. v. Peddinghaus Corp., C.A. No. 19-1994-RGA, 2021 WL 254104 (D. Del. Jan. 26, 2021)

Finjan, Inc. v. Blue Coat Sys., Inc., 879 F.3d 1299 (Fed. Cir. 2018)

Hyper Search, LLC v. Facebook, Inc., C.A. No. 17-1387-CFC-SRF, 2018 WL 6617143 (D. Del. Dec. 17, 2018)

Int’l Bus. Machines Corp. v. Zillow Grp., Inc., 50 F.4th 1371 (Fed. Cir. 2022)

Intell. Ventures I LLC v. Cap. One Bank (USA), 792 F.3d 1363 (Fed. Cir. 2015)

Intell. Ventures I LLC v. Symantec Corp., 838 F.3d 1307 (Fed. Cir. 2016)

McRO, Inc. v. Bandai Namco Games Am., Inc., 837 F.3d 1299 (Fed. Cir. 2016)

Neochloris, Inc. v. Emerson Process Mgmt. LLLP, 140 F. Supp. 3d 763 (N.D. Ill. 2015)

Packet Intel. LLC v. NetScout Sys., Inc., 965 F.3d 1299 (Fed. Cir. 2020)

PersonalWeb Techs. LLC v. Google LLC, 8 F.4th 1310 (Fed. Cir. 2021)

Quad City Pat., LLC v. Zoosk, Inc., 498 F. Supp. 3d 1178 (N.D. Cal. 2020)

Recentive Analytics, Inc. v. Fox Corp., 692 F. Supp. 3d 438 (D. Del. 2023)

Simio, LLC v. FlexSim Software Products, 983 F.3d 1353 (Fed. Cir. 2020)

TecSec, Inc. v. Adobe Inc., 978 F.3d 1278 (Fed. Cir. 2020)

Trackthings LLC v. Netgear, Inc., C.A. No. 22-981-RGA, 2023 WL 4926184 (D. Del. Aug. 2, 2023)

Trading Techs. Int’l, Inc. v. IBG LLC, 921 F.3d 1084 (Fed. Cir. 2019)

Trinity Info Media, LLC v. Covalent, Inc., 72 F.4th 1355 (Fed. Cir. 2023)

Universal Secure Registry LLC v. Apple Inc., 10 F.4th 1342 (Fed. Cir. 2021)

Vehicle Intel. & Safety LLC v. Mercedes-Benz USA, LLC, 635 F. App’x 914 (Fed. Cir. 2015)

STATUTES

35 U.S.C. § 101
I. NATURE AND STAGE OF PROCEEDINGS
`
`Plaintiff and Counterclaim-Defendant Orca Security Ltd. (“Orca”) filed its original
`
`complaint initiating this suit on July 12, 2023. D.I. 1. Orca amended its complaint twice and
`
`currently alleges that Defendant and Counterclaim-Plaintiff Wiz, Inc. (“Wiz”) infringes six
`
`patents: U.S. Patent Nos. 11,663,031, 11,663,032, 11,693,685, 11,726,809, 11,740,926, and
`
`11,775,326. D.I. 15. On June 4, 2024, Wiz answered and filed counterclaims for Orca’s
`
`infringement of U.S. Patent Nos. 11,722,554, 11,929,896, 11,936,693, 12,001,549 (the “’549
`
`patent”), and 12,003,529 (collectively, the “Wiz Asserted Patents”). D.I. 70 at 37-147. On July
`
`25, 2024, Orca moved to dismiss Wiz’s Counterclaim IV for Orca’s infringement of the ’549
`
`patent under Rule 12(b)(6), arguing that the ’549 patent lacks patent-eligible subject matter under
`
`35 U.S.C. § 101. D.I. 111. On August 22, 2024, Wiz filed amended counterclaims including
`
`additional factual allegations regarding the ’549 Patent that addressed any issues raised in Orca’s
`
`motion to dismiss. See D.I. 124, ¶¶ 89-124. Nevertheless, on September 5, 2024 Orca filed the
`
`instant Motion to Dismiss, which is largely the same as its prior motion. D.I. 137, 138. Orca has
`
`not moved to dismiss Wiz’s counterclaims under the other four Wiz Asserted Patents.
`
II. SUMMARY OF ARGUMENT
`
1. The asserted claims of Wiz’s ’549 patent were filed on January 31, 2024, from a
`
`parent application originally filed August 28, 2023 and issued on June 4, 2024. These brand-new
`
`claims recently approved by the Patent Office provide an improved technological solution that
`
`uses cutting-edge generative artificial intelligence (“AI”) technology in the context of cloud
`
`cybersecurity. This is a quintessential technical problem with no brick-and-mortar analog.
`
`Orca’s motion to dismiss does not contend otherwise. The claims are directed to an improved
`
`system and method for improved cloud cybersecurity incident response, and thus are directed to
`
`improvements in the functioning of a computer, rather than an abstract idea. The claims further
`
`1
`
`

`

`Case 1:23-cv-00758-JLH-SRF Document 144 Filed 09/19/24 Page 7 of 26 PageID #: 3371
`
`
`
`require a specific form of generative AI—large language models (“LLMs”)—and a specific
`
`solution to improve cybersecurity incident response that was neither conventional nor known in
`
`the prior art. See, e.g., D.I. 124, ¶¶ 94-97. Indeed, Orca provides no arguments that novel cloud
`
`cybersecurity solutions using generative AI could be considered “routine” or “conventional” at
`
`all. Orca’s attempt to argue that a specific cloud cybersecurity solution using a specific form of
`
`generative AI technology should be considered abstract should be rejected.
`
2. The asserted claims of the ’549 patent claim subject matter that is eligible for
`
`patenting under 35 U.S.C. § 101. Under the two-step test set out by the Supreme Court in Alice
`
`Corp Pty. v. CLS Bank International, patent claims are eligible if they (i) are not directed to a
`
`patent-ineligible concept, or if (ii) their claims, either individually or as an ordered combination,
`
`add an inventive concept to the patent-ineligible concept. 573 U.S. 208, 217 (2014).
`
3. At Alice Step One, the claims are not directed to an abstract idea or any patent-
`
`ineligible concept. This ends the inquiry. The independent claims are directed to a specific,
`
`technical solution to a problem in the field of computing, including utilizing LLMs in a specific
`
`way to address the prior art systems’ deficiencies in leveraging inputs and queries in human-
`
`understandable natural language in systems also utilizing structured data solutions that are
`
`extremely useful for computer systems. The Federal Circuit has long held such claims
`
`“necessarily rooted in computer technology in order to overcome a problem specifically arising
`
`in the realm of computer networks” are not directed to abstract ideas. DDR Holdings, LLC v.
`
`Hotels.com, L.P., 773 F.3d 1245, 1257 (Fed. Cir. 2014); see also Enfish, LLC v. Microsoft Corp.,
`
`822 F.3d 1327, 1339 (Fed. Cir. 2016). The claims further improve cybersecurity responses,
`
`“improv[ing] the efficient functioning of computers,” and are not directed to a patent-ineligible
`
`idea. Data Engine Techs. LLC v. Google LLC, 906 F.3d 999, 1009 (Fed. Cir. 2018).
`
`2
`
`

`

`Case 1:23-cv-00758-JLH-SRF Document 144 Filed 09/19/24 Page 8 of 26 PageID #: 3372
`
`
`
4. The inquiry should end at Alice Step One, but if not, the elements of the claims, taken individually or as an ordered combination, add an inventive concept that renders the claims patent eligible. See, e.g., D.I. 124, ¶¶ 94-108. The specific application of LLMs to cloud cybersecurity incident response is not “well-understood, routine, [and] conventional” as specifically alleged by Wiz in response to Orca’s original motion to dismiss. Aatrix Software, Inc. v. Green Shades Software, Inc., 882 F.3d 1121, 1128 (Fed. Cir. 2018) (modification in original). Orca’s only argument to the contrary relies on contradicting the well-pled allegations in Wiz’s counterclaims, which is improper on a motion to dismiss. Id.
`
5. Wiz’s amended counterclaims were directly responsive to Orca’s original motion
`
`to dismiss. They include specific, plausible factual allegations that the claim elements of the
`
`’549 patent were not well-known, routine, or conventional, whether individually or as an
`
`ordered-combination. D.I. 124, ¶¶ 95, 103-106. This “precludes dismissal” under 35 U.S.C. §
`
`101 at the Rule 12(b)(6) stage because the Court is required “to resolve any plausibly alleged
`
`factual issues in favor of the patentee.” Blackbird Tech v. Uber Techs., Inc., C.A. No. 19-561
`
`(MN), 2020 WL 58535, at *6 (D. Del. Jan. 6, 2020).
`
III. STATEMENT OF FACTS

A. The ’549 Patent Specification
`
The ’549 patent specification describes specific techniques for addressing a problem unique to the field of computers and for responding to cybersecurity incidents, as Wiz has explained in its detailed, factual allegations in the amended counterclaims filed after Orca’s original motion to dismiss. See D.I. 124, ¶¶ 95-105.
`
`The ’549 patent explains that “[s]tructured data solutions are extremely useful for
`
`computer systems” because “a data structure, such as a SQL database, makes it easier for a
`
`machine to store data, retrieve data, manage data.” ’549 patent at 1:31-35. On the other hand, in
`
`3
`
`

`

`Case 1:23-cv-00758-JLH-SRF Document 144 Filed 09/19/24 Page 9 of 26 PageID #: 3373
`
`
`
`the context of cybersecurity solutions, queries and alerts when presented in natural language
`
`form can lack context and important information, even using prior art natural language
`
`processing techniques. Id. at 1:38-50; see also D.I. 124, ¶ 94.
`
`The ’549 patent, and in particular the asserted claims, provide a specific, technical
`
`solution to this deficiency in the prior art using cutting-edge artificial intelligence technology
`
`that leverages both natural language and structured data techniques in an unconventional manner.
`
`See, e.g., D.I. 124, ¶ 95. The claims are directed to a specific improvement in computer
`
`capabilities, using not just artificial intelligence (“AI”) in general, but a specific application of
`
`AI—large language models, or “LLMs”—to improve cybersecurity incident response, security
`
`databases and mitigation actions. Id.; see also ’549 patent at 10:27-28 (“In some embodiments,
`
`the [artificial neural network] is a large language model, such as GPT, BERT, and the like.”).
`
`This improved technique and solution for cybersecurity incident response includes generating a
`
`prompt for an LLM based on an incident input based on a cybersecurity event, where the LLM
`
`generates an output based on the generated prompt, mapping the received incident input into a
`
`scenario of a plurality of scenarios associated with an incident response based on the output of
`
`the LLM, generating a query based on both the received incident input and the mapped scenario,
`
`executing a query on a security database that includes representation of a computing
`
`environment, and initiating a mitigation action based on a result of the executed query. See ’549
`
`patent at 4:23-41; see also D.I. 124, ¶ 96.
`
`Contrary to Orca’s contention that the advance is merely “supplying additional context or
`
`‘structure’ for natural language queries,” the ’549 patent techniques involve generating a specific
`
`prompt for an LLM where the LLM maps an incident input into a scenario and generates a query
`
`for the database based on both the received incident input and the mapped scenario; running the
`
`query on the database allows initiation of a mitigation action based on the result of the executed
`
`4
`
`

`

`Case 1:23-cv-00758-JLH-SRF Document 144 Filed 09/19/24 Page 10 of 26 PageID #: 3374
`
`
`
`query. See, e.g., id., ¶ 97. This is an improved cloud cybersecurity system, rather than one
`
`merely supplying “additional context.” These techniques were not well-understood, routine, or
`
conventional. See D.I. 124, ¶¶ 98-101.
`
B. The Asserted ’549 Patent Claims

1. The Independent Claims
`
`Wiz asserts claims 1-5 and 11-16 of the ’549 patent against Orca. Claim 1 recites:
`
`1. A method for providing cybersecurity incident response, comprising:
`
`receiving an incident input based on a cybersecurity event;
`
`generating a prompt for a large language model (LLM) based on the received incident
`input;
`
`configuring the LLM to generate an output based on the generated prompt;
`
`mapping the received incident input into a scenario of a plurality of scenarios based on
`the output of the LLM, wherein each scenario is associated with an incidence
`response;
`
`generating a query based on the received incident input and the mapped scenario;
`
`executing the query on a security database, the security database including a
`representation of a computing environment; and
`
`initiating a mitigation action based on a result of the executed query.
`
`Claim 11 recites: “A non-transitory computer-readable medium storing a set of
`
`instructions for providing cybersecurity incident response, the set of instructions comprising: one
`
`or more instructions that, when executed by one or more processors of a device, cause the device
`
`to” perform essentially the same method steps as claim 1. Claim 12 recites: “A system for
`
`providing cybersecurity incident response comprising: a processing circuitry; a memory, the
`
`memory containing instructions that, when executed by the processing circuitry, configure the
`
`system to” similarly to perform the method of claim 1.
`
`5
`
`

`

`Case 1:23-cv-00758-JLH-SRF Document 144 Filed 09/19/24 Page 11 of 26 PageID #: 3375
`
`
`
2. The Asserted Dependent Claims
`
`As discussed below, the asserted dependent claims add meaningful limitations to the
`
`independent claims. Claims 3, 5, 14, and 16 include specific limitations as to how to train the
`
`LLM utilized in the solution of the independent claims. See claims 3 and 14 (“the LLM is
`
`trained on any one of: a data schema utilized in representing the computing environment,
`
`incident data classified to a scenario, the plurality of scenarios, and a combination thereof”);
`
`claims 5 and 16 (“training the LLM further on a plurality of database queries, each database
`
`query executable on the security database”). Claims 4 and 15 add the limitation of generating a
`
`second prompt based on specific elements: “generating a second prompt for the LLM which
`
`when executed by the LLM outputs the query, wherein the second prompt is generated based on
`
`any one of: the received incident input, the data schema, the plurality of scenarios, and a
`
`combination thereof.” Claims 2 and 13 further narrow the incident inputs.
`
IV. LEGAL STANDARD
`
`A. Motions to Dismiss Under Rule 12(b)(6)
`
`Patent eligibility can be resolved at the Rule 12(b)(6) stage “only when there are no
`
`factual allegations that, taken as true, prevent resolving the eligibility question as a matter of
`
`law.” Aatrix Software, 882 F.3d at 1125. The underlying question in the Section 101 analysis
`
`“of whether a claim element or combination of elements is well-understood, routine and
`
`conventional to a skilled artisan in the relevant field is a question of fact.” Berkheimer v. HP
`
`Inc., 881 F.3d 1360, 1368 (Fed. Cir. 2018). Thus, where “plausible factual allegations that the
`
`claimed invention improves upon the prior conventional systems” raise a dispute regarding
`
`“whether the claim elements and their ordered combination is simply well-known, routine and
`
`conventional,” such a dispute precludes dismissal. Blackbird Tech, 2020 WL 58535 at *6.
`
`6
`
`

`

`Case 1:23-cv-00758-JLH-SRF Document 144 Filed 09/19/24 Page 12 of 26 PageID #: 3376
`
`
`
B. Patent Eligibility under 35 U.S.C. § 101
`
`The Supreme Court has established a two-step test for determining whether patent claims
`
`are invalid under § 101. Alice Corp., 573 U.S. at 217 (2014). In Step One, the Court must
`
`“determine whether the claims at issue are directed to a patent-ineligible concept.” Id. If the
`
`answer is no, the inquiry ends, and the claims are patent eligible. See, e.g., Finjan, Inc. v. Blue
`
`Coat Sys., Inc., 879 F.3d 1299, 1305-06 (Fed. Cir. 2018). Otherwise, at Step Two, the Court
`
`“consider[s] the elements of each claim both individually and as an ordered combination” to
`
determine if there is an “inventive concept—i.e., an element or combination of elements that is
`
`sufficient to ensure that the patent in practice amounts to significantly more than a patent upon
`
`the [ineligible concept] itself.” Alice, 573 U.S. at 217-18 (internal quotations and citations
`
`omitted). “Claims pass muster at step two when they ‘involve more than performance of well-
`
`understood, routine, and conventional activities previously known to the industry.’” Trackthings
`
`LLC v. Netgear, Inc., C.A. No. 22-981-RGA, 2023 WL 4926184, at *10 (D. Del. Aug. 2, 2023),
`
`report and recommendation adopted, 2023 WL 5993186 (D. Del. Sept. 15, 2023). Issued claims
`
`are presumed patentable because “the Patent and Trademark Office has already examined
`
`whether the patent satisfies ‘the prerequisites for issuance of a patent,’ including § 101.”
`
`Cellspin Soft, Inc. v. Fitbit, Inc., 927 F.3d 1306, 1319 (Fed. Cir. 2019).
`
V. ARGUMENT
`
`The asserted claims of the ’549 patent are eligible under Section 101 and Alice because
`
`they are not directed to ineligible subject matter. They also contain an inventive concept, and in
`
`any event, fact issues preclude resolving this issue on summary judgment let alone the pleading
`
`stage.
`
`7
`
`

`

`Case 1:23-cv-00758-JLH-SRF Document 144 Filed 09/19/24 Page 13 of 26 PageID #: 3377
`
`
`
`A. Alice Step One: The Claims Are Not Directed to an Abstract Idea
`
1. The Independent Claims Are Directed to A Specific Solution to a Computer Problem
`
The asserted ’549 patent claims are not directed to an abstract idea, or any other patent-ineligible subject matter. The inquiry thus ends at Alice Step 1.
`
`First, the claims are not directed to an abstract idea because they are “necessarily rooted
`
`in computer technology in order to solve a specific problem in the realm of computer networks.”
`
`Packet Intel. LLC v. NetScout Sys., Inc., 965 F.3d 1299, 1309 (Fed. Cir. 2020); see also DDR
`
`Holdings, 773 F.3d at 1257. As explained in the ’549 patent specification and Wiz’s
`
`counterclaims, specifically in the context of cybersecurity solutions, queries and alerts when
`
`presented in natural language form can lack context and important information, such as the
`
`relevant workloads, root causes, or potential mitigation whereas computers typically
`
`communicate using structured data, such as SQL for databases. D.I. 124, ¶ 94; see also 1:22-43;
`
`7:30-34. Prior incident response cybersecurity systems failed to provide a solution that improved
`
`a cybersecurity incident response system while leveraging both natural language processing and
`
`structured data. D.I. 124, ¶ 94; see also ’549 patent at 1:44-56.
`
`The asserted claims address this problem arising in the realm of computer networks with
`
`a solution entirely rooted in computer technology. See D.I. 124, ¶¶ 94, 97. The asserted claims
`
`utilize one form of generative AI—LLMs—in a specific way to address this problem. For
`
`example, the claims require using generative AI to map what specific cloud cybersecurity
`
`response scenarios are applicable given the particular received incident input. See ’549 patent
`
`claim 1; D.I. 124, ¶¶ 95-97. The claims, therefore, “do not merely recite the performance of
`
`some business practice known from the pre-Internet world along with the requirement to perform
`
`8
`
`

`

`Case 1:23-cv-00758-JLH-SRF Document 144 Filed 09/19/24 Page 14 of 26 PageID #: 3378
`
`
`
`it on the Internet,” but instead are directed to an improved cloud cybersecurity system that
`
`utilizes generative AI to improve incident response. DDR Holdings, 773 F.3d at 1257.
`
`Moreover, the claims are “directed to a specific implementation of a solution to a
`
`problem in” cybersecurity systems and are therefore non-abstract. Enfish, 822 F.3d at 1339
`
`(emphasis added). The claims recite how the claimed method, system, and computer readable
`
`medium are implemented. The claims recite generating a prompt based on an incident input
`
`based on a cybersecurity event, mapping that received incident input into a scenario of a plurality
`
`of scenarios based on the output of the LLM, wherein each scenario is associated with an
`
`incident response, followed by specific further steps on how the improved system or method uses
`
`the output from the artificial intelligence model to generate a query for the security database
`
`based on the received incident input and the mapped scenario, to execute such a query, and then
`
`to initiate a mitigation action. See D.I. 124, ¶ 100; ’549 patent at 4:23-42, claim 1. The claims
`
`do not recite “using AI” with no details, but rather provide a specific use of a specific type of
`
`AI—an LLM—and how that LLM is used, including mapping the received incident input into a
`
`scenario of a plurality of scenarios based on the output of the LLM, wherein each scenario is
`
`associated with an incident response, followed by specific further steps on generating and
`
`executing a query for the security database, and then initiating a mitigation action. See D.I. 124,
`
`¶ 100; ’549 patent at 5:16-34, claim 1.
`
`The claims further require that the database be a “security database” that “includ[es] a
`
`representation of a computing environment” rather than any generic database. See D.I. 124, ¶
`
`101; claim 1. In the claimed solution, the scenarios are mapped to one of a plurality of scenarios
`
`based on an incident response, which can then be used directly to interface with the security
`
`database that contains the representation of the computing environment. The asserted claims are
`
`thus directed to a particular enhanced cybersecurity system that requires, for example, mapping
`
`9
`
`

`

`Case 1:23-cv-00758-JLH-SRF Document 144 Filed 09/19/24 Page 15 of 26 PageID #: 3379
`
`
`
`what cloud cybersecurity response scenarios are applicable given received incident input
`
`utilizing an LLM. See ’549 patent claim 1; D.I. 124, ¶¶ 95-97. Id. Claims directed to a specific
`
`implementation to achieve improvements in inter alia querying databases are not directed to an
`
`abstract idea. See Enfish, 822 F.3d at 1333 (claims directed to specific implementation for
`
`“faster searching of data” in databases was non-abstract).
`
The claims are also non-abstract because they are directed to “improv[ing] the efficient functioning of computers,” and are thus not directed to a patent-ineligible idea. Data Engine, 906 F.3d at 1009. The claims are directed to a solution that improves computer capabilities that allows improved responses to cybersecurity incidents. See D.I. 124, ¶¶ 95-101. The claims of the ’549 patent are directed to specific, technical improvements that “increase[] the usability of a cybersecurity monitoring solution, and improves the incident response time” and “utiliz[e] a large language model to map an incident input to a scenario [that] . . . decreases incidence response time, and therefore decreases time to mitigation in the event of a cybersecurity breach.” ’549 patent at 8:31-38; see also D.I. 124, ¶ 99. The ’549 patent’s “claimed advance is a concrete assignment of specified functions among a computer’s components to improve computer security, and this claimed improvement in computer functionality is eligible for patenting.” Ancora Techs., Inc. v. HTC Am., Inc., 908 F.3d 1343, 1344 (Fed. Cir. 2018), as amended (Nov. 20, 2018); Finjan, 879 F.3d at 1305 (“The asserted claims are therefore directed to a non-abstract improvement in computer functionality, rather than the abstract idea of computer security writ large.”).
`
`The claims of the ’549 patent are directed to specific, novel implementations of computer
`
`technology to solve a specific problem rooted in cybersecurity systems, and thus are non-
`
`abstract. Orca’s arguments to the contrary are not compelling, and broadly rely on improperly
`
`“overgeneralizing claims.” TecSec, Inc. v. Adobe Inc., 978 F.3d 1278, 1293 (Fed. Cir. 2020).
`
`10
`
`

`

`Case 1:23-cv-00758-JLH-SRF Document 144 Filed 09/19/24 Page 16 of 26 PageID #: 3380
`
`
`
`When Orca asserts the “claims focus on retrieving, contextualizing, querying, and responding to
`
`cybersecurity threat information” (D.I. 138 at 8), it “characteriz[es] the claims at ‘a high level of
`
`abstraction’ that is ‘untethered from the language of the claims’” in an attempt to ensure “the
`
`exceptions to § 101 swallow the rule.’” TecSec, 978 F.3d at 1293; see also CardioNet, LLC v.
`
`InfoBionic, Inc., 955 F.3d 1358, 1371 (Fed. Cir. 2020). This characterization ignores the specific
`
`requirements of the claims, including that they require generating a prompt for an LLM based on
`
`an incident input based on a cybersecurity event, mapping that incident input to a scenario based
`
`on the output of the LLM, generating a query for a security database based on the incident input
`
`and scenario, and that the cybersecurity database include a represe
