Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Arguments
Applicant's arguments filed September 12, 2025 have been fully considered but they are not persuasive.
Applicant states in page 1 of the remarks that claims 1-19 were rejected under 35 U.S.C. 112(a) ("112(a)") for lacking sufficient written description, and for being indefinite under 35 U.S.C. 112(b) ("112(b)"). Without stating or commenting on the merits of the rejections, Applicant has amended the claims to advance prosecution; in particular, independent claims 1, 11, and 19 have been amended to remove the mention of 'degree of relatedness' in the now-removed step "(ii)", which was previously rejected for failing to comply with the written description requirement. Examiner notes that the independent claims have been amended to address the previous rejections under 112(a) and 112(b). However, in the amended claims, the term 'active attack' is not defined, and Applicant's Specification only describes identifying threats that are actively attacking enterprises involved in a first industry or providing certain types of products or services in paragraph [0079], and a matching of a threat actor group actively targeting enterprises in the energy/utility industry in paragraph [0080]. At no point does the Specification provide a definite statement of what an active attack is; it merely repeats the limitations of the independent claims. As a result, the amended independent claims are rejected under 112(b) as indefinite with respect to the term 'active attack'.
Next, in page 2 of the remarks, Applicant states that claims 11-12, 14, and 17 were rejected under 35 U.S.C. 102 ("102") for being anticipated by Alabdulhadi (US 11477226 B2). Claims 1-4, 7, and 13 were previously rejected under 35 U.S.C. 103 ("103") for allegedly being obvious over Alabdulhadi and Krishnakumar et al. (US 20210224080 A1), claims 15-16, and 18-19 were rejected under 103 for being obvious over Alabdulhadi and Hodgman et al. (US 20200053115), claims 5-6, and 8 were rejected under 103 for being obvious over Alabdulhadi, Krishnakumar, and Hodgman, and finally, claim 10 was rejected for being obvious over Alabdulhadi, Krishnakumar, and Agper et al. (WO 2022094341 A1). Applicant has amended claims 1, 4, 11, 14, and 19 to differentiate the application from the prior art listed.
Regarding independent claim 1, Applicant states in pages 2-3 of the remarks that the claim is not rendered unpatentable over any of the cited references taken alone or in combination, and that it has been amended to recite 'a global threat intelligence data store [...]' and a first data store to contain a threat catalog 'comprising a subset of threats selected from the global threat intelligence store [...]', to eliminate step "(ii)" from the recommendation engine limitation, to rename step "(iii)" as step "(ii)", and to further emphasize the step of generating a threat list based on analytic results 'by filtering the threat list based on a comparison of the one or more enterprise characteristics of the enterprise profile [...]'. Applicant states that, while Alabdulhadi describes "the OSINT domain can include a variety of OSINT data sources that can be employed [...] provid[ing] information such as [...] threat actor, mean, and motive factors" [Col. 9, lines 17-27], the reference fails to teach or fairly suggest the amended limitations of 'a first data store to contain a threat catalog' and 'a recommendation engine'. Applicant therefore requests withdrawal of the rejections under 103, particularly for independent claim 1 and its dependent claims.
Examiner disagrees with Applicant's argument that the amendments to independent claim 1 render the claim allowable. The limitation of 'a global threat intelligence data store comprising cybersecurity intelligence' is disclosed by Alabdulhadi [Col. 15, lines 59-64], where database 27 stores risks, risk profiles, and other security-related information to train and maintain a risk model. The limitation of a 'first data store to contain a threat catalog comprising a subset of threats selected from the global threat intelligence data store, wherein the subset of threats being selected based on a correspondence within one or more enterprise characteristics of an enterprise profile' is disclosed by Alabdulhadi [Col. 9, lines 17-24], where the OSINT data domain gathers risk-related information from database 27, which itself can store risks and other security-related information. The limitation '(ii) generate a threat list based on the analytic results by filtering the threat list based on a comparison of the one or more enterprise characteristics of the enterprise profile to one or more threat attributes associated with an active attack' is disclosed by Alabdulhadi [Col. 2, lines 18-22], Fig. 2, step 130, where risks are weighted based on the OSINT domain ranking, which in turn is based on the factors shown in Fig. 4, such as the impact of the OSINT domain, and by [Col. 11, lines 45-53], where Fig. 5 shows an example of a threat attribute of a plurality of threats from the OSINT domain, corresponding to the claimed one or more threat attributes. As the amended limitations of the independent claims are taught by Alabdulhadi, Examiner maintains the rejections of the previous Office Action.
In page 3 of the remarks, Applicant states that claims 11 and 19 are not obvious over the materials cited in the Office Action, and that both claims 11 and 19 share similar limitations to claim 1 above. Applicant requests withdrawal of the rejections under 35 U.S.C. 102 for claim 11 and 35 U.S.C. 103 for claim 19, respectively. Examiner states that, as both claims 11 and 19 share similar claim limitations to claim 1 above, both claims 11 and 19 are rejected for the same reasons as claim 1 above, and their rejections from the previous Office Action are maintained.
Lastly, on page 3 of the remarks, Applicant states that, with respect to the above independent claims, the dependent claims are not obvious over the materials cited in the Office Action, and notes that patentability of dependent claims does not hinge on patentability of independent claims, without presenting any other arguments. Examiner states that, as the independent claims remain rejected, the dependent claims remain rejected under their previous grounds of rejection from the previous Office Action.
Claim Rejections - 35 USC § 112(b)
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claims 1-19 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
The term “active attack” in claim 1 is a relative term which renders the claim indefinite. The term “active attack” is not defined by the claim, the specification does not provide a standard for ascertaining the requisite degree, and one of ordinary skill in the art would not be reasonably apprised of the scope of the invention. Applicant's Specification only describes identifying threats that are actively attacking enterprises involved in a first industry or providing certain types of products or services in paragraph [0079], and a matching of a threat actor group actively targeting enterprises in the energy/utility industry in paragraph [0080]. At no point does the Specification provide a definite statement of what an active attack is; it merely repeats the limitations of the independent claims. The term ‘active attack’ therefore renders the claims indefinite.
Dependent claims 2-10 are dependent on independent claim 1, and dependent claims also inherit the deficiencies of their respective independent claims. As a result, dependent claims 2-10 are also rejected for similar reasons as claim 1 above.
The independent claim 11 recites similar claim limitations as independent claim 1 above. Therefore, claim 11 is also rejected for similar reasons as independent claim 1 as recited above.
Dependent claims 12-18 are dependent on independent claim 11, and dependent claims also inherit the deficiencies of their respective independent claims. As a result, dependent claims 12-18 are also rejected for similar reasons as claim 11 above.
The independent claim 19 recites similar claim limitations as independent claim 1 above. Therefore, claim 19 is also rejected for similar reasons as independent claim 1 as recited above.
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.
Claims 11-12, 14, and 17 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Alabdulhadi (US 11477226 B2).
Regarding claim 11, Alabdulhadi teaches a computerized method for prioritizing threats and actions for addressing the threats, comprising ([Col. 6, lines 41-44] Fig. 2, process 100 shows the identifying and prioritizing of risks in a computer network.):
conducting analytics on content from a threat catalog comprising a subset of threats selected from a global threat intelligence data store comprising cybersecurity intelligence, wherein the subset of threats being selected based on a correspondence within one or more enterprise characteristics of an enterprise profile and content from an enterprise profile to generate analytic results that identify a plurality of threats directed to an enterprise by filtering a threat list based on a comparison of the one or more enterprise characteristics of the enterprise profile to one or more threat attributes associated with an active attack ([Col. 5, lines 62-67] Fig. 5, where the NS system 20 can analyze data from three domains to evaluate risks and risky computing resources in a computer network 10, where the network-internal domain corresponds to the enterprise profile of the applicant, and the OSINT domain corresponds to the threat catalog of the applicant. [Col. 6, lines 44-49] NS system 20 performs steps 105 and 110, where the analyzing of data in each of those steps is from a network-internal domain in step 105, and from identifying risks in step 110, which can include the OSINT domain. [Col. 9, lines 17-24] The OSINT data domain can be employed to gather risk-related information from databases such as database 27, which includes risks stored in the database. Risks are shown in risk ranking 200 in Fig. 5, which corresponds to a subset of threats being selected and being weighted based on enterprise characteristics utilized as weights, also appearing in Fig. 4. [Col. 2, lines 18-22] Fig. 2, step 130, risks are weighted based on the OSINT domain ranking, which is based on factors shown in Fig. 4, such as the impact of the OSINT domain. Weighting risks corresponds to filtering a threat list as claimed, and to the comparison of one or more enterprise characteristics of the plurality of enterprise characteristics to the risk being determined.
The risks correspond to active attacks on an enterprise system. [Col. 11, lines 45-53] Fig. 5 shows an example of a threat attribute of a plurality of threats from the OSINT domain, which correspond to one or more threat attributes.),
generating a threat list based on the analytic results, the threat list corresponding to a prioritized order of cybersecurity threats relevant to the enterprise ([Col. 7, lines 6-10] Step 115 states that a risk assessment is analyzed based on the risks involved, and in step 120, the most urgent risks are to be evaluated first, to which the prioritized risks correspond to the threat list of the applicant based on the analytic results in step 115. Furthermore, step 130 in Fig. 2 weighs the risks based on Fig. 5's risk ranking of threat attributes and ranking in different domains, including a network-internal domain, which corresponds to enterprise characteristics of the applicant, as stated in [Col. 7, lines 10-25].);
and generating a plurality of actions corresponding to each threat of the threat list, each action of the plurality of actions including information directed to operations to mitigate or neutralize a risk associated with a threat of the threat list ([Col. 16, lines 1-16] Where the CRR handler 295 corresponds to an action engine, and is coupled to a risk evaluator, which corresponds to a recommendation engine. The CRR handler can generate solutions for evaluated risks and remediate the risks. This corresponds to an action list including a plurality of actions. [Col. 5, lines 57-61] NS system 20 is capable of identifying and prioritizing risks for testing and remediation, which can correspond to creating a threat list that is then performed by the CRR handler. [Col. 6, lines 33-36] NS system 20 can remediate the risks that were identified earlier, and is also related to the creation of a threat list, and performs solutions with respect to the risks identified.).
Regarding claim 12, Alabdulhadi discloses the elements of claim 11 as recited above. Alabdulhadi also teaches the limitation of ‘wherein the threat catalog includes a plurality of threats and each threat of the plurality of threats includes the one or more threat attributes’ ([Col. 9, lines 2-5] Keywords are associated with each risk or risky computing resource and therefore, can correspond to the one or more threat attributes of an applicant. [Col. 9, lines 9-13] New keywords can be added into the OSINT domain data sources when searches are conducted for important risks that affect a network or computing system.).
Regarding claim 14, Alabdulhadi discloses the elements of claim 11 as recited above. Alabdulhadi also teaches the limitation of ‘wherein the conducting on the content comprises conducting analytics on the one or more threat attributes associated with a threat of the plurality of threats and an enterprise characteristic of the plurality of enterprise characteristics’ ([Col. 15, lines 19-22] Risk evaluator 294 can communicate with the NID risk assessor and the OSINT fusor 292. [Col. 8, line 66-Col. 9, line 5] Risks are identified, prioritized, and have keywords associated with each risk generated, which allows the NS system 20 to use the keywords for searching the OSINT domain for risks relating to the keywords from previous risks. [Col. 13, lines 37-40] Data for the network-internal domain and the OSINT domain are sent to the respective domains so as to organize the data and streamline analytics. [Col. 14, lines 59-67] Searching the OSINT domain data, which corresponds to the plurality of threats, is based on risks in the NID risk assessor, which assesses the network-internal domain, corresponding to the enterprise profile, and the NID risk assessor contains the enterprise characteristics.).
Regarding claim 17, Alabdulhadi discloses the elements of claim 11 as recited above. Alabdulhadi also teaches the limitation of ‘wherein each action of the plurality of actions includes commands to be transferred, in response to an input by a customer to one or more security analyzer devices or one or more security controls to perform the operations to mitigate or neutralize the risk associated with the threat of the threat list’ ([Col. 5, lines 44-48] NS system 20 can communicate with an analyst computing resource and provide the necessary data for the resource to perform remediation of the risks identified. The presence of “Alternatively, the NS system 20 can autonomously perform the analysis or remediation, without any user intervention or interaction” indicates that when the system does not perform the functions autonomously, user input is required for the steps of this limitation to occur. [Col. 10, lines 28-32] The NS system 20 can select solutions for each risk, which allows the user to select and have an analyst computing resource perform the necessary operations to mitigate or neutralize the risks identified, which correspond to a threat list.).
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-4, 7, 9, and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Alabdulhadi, in view of Krishnakumar et al. (US 20210224080 A1), hereinafter Krishnakumar.
Regarding claim 1, Alabdulhadi discloses a threat management system, comprising: a computing system comprising one or more processors ([Col. 5, lines 39-43] The NS system 20 can carry out one or more penetration testing solutions on targeted computing resources. The NS system 20 can prioritize the identified risks based on severity, urgency, or potential impact on the computing resource, the computer network 10, or the entity that owns or controls the computer network or computing resource. [Col. 12, lines 1-18] Fig. 3, the GPU 21 can act as a processor for the NS system 20.);
a global threat intelligence data store comprising cybersecurity intelligence ([Col. 15, lines 59-64] Database 27 can store risks, risk profiles, and other security-related information to train and maintain risk model, corresponding to cybersecurity intelligence as claimed.);
a first data store to contain a threat catalog comprising a subset of threats selected from the global threat intelligence data store, wherein the subset of threats being selected based on a correspondence within one or more enterprise characteristics of an enterprise profile ([Col. 9, lines 17-20] “OSINT domain can include a variety of OSINT data sources that can be employed individually or collectively to gather risk-related information from various resources, repositories, databases”, in which the OSINT domain corresponds to the first data store to contain a threat catalog. [Col. 9, lines 17-24] OSINT data domain can be employed to gather risk-related information from databases such as database 27, which includes risks stored in the database. Risks are shown in risk ranking 200 in Fig. 5, which corresponds to a subset of threats being selected and being weighted based on enterprise characteristics utilized as weights appearing in Fig. 4 as well.);
a recommendation engine communicatively coupled to the first data store and the second data store, the recommendation engine is configured to (i) conduct analytics on content from the threat catalog and content from the enterprise profile to generate results that identify a plurality of threats directed to the enterprise ([Col. 15, lines 44-49] Fig. 3, risk evaluator 294 corresponds to the recommendation engine of the applicant, and the risk evaluator communicates with the RIAM system 29 to model a computer network 10 including the risks and resources present in the NS system 20. [Col. 5, lines 62-67] Fig. 5, where the NS system 20 can analyze data from three domains to evaluate risks and risky computing resources in a computer network 10, where the network-internal domain corresponds to an enterprise profile of the applicant, and the OSINT domains corresponds to a threat catalog of the applicant. [Col. 6, lines 44-49] NS system 20 performs steps 105 and 110, where the analyzing of data in each of those steps is from a network-internal domain in step 105, and from identifying risks in step 110, which can include the OSINT domain.),
and (ii) generate a threat list based on the analytic results by filtering the threat list based on a comparison of the one or more enterprise characteristics of the enterprise profile to one or more threat attributes associated with an active attack ([Col. 7, lines 6-10] Step 115 states that a risk assessment is analyzed based on the risks involved, and in step 120, the most urgent risks are to be evaluated first, to which the prioritized risks correspond to the threat list of the applicant based on the analytic results. Furthermore, step 130 in Fig. 2 weighs the risks based on Fig. 5's risk ranking of threat attributes and ranking in different domains, including a network-internal domain, which corresponds to the mapping of one or more threat attributes to one or more enterprise characteristics of the applicant, as stated in [Col. 7, lines 10-25]. [Col. 2, lines 18-22] Fig. 2, step 130, risks are weighted based on OSINT domain ranking, which is based on factors shown in Fig. 4, such as the impact of OSINT domain. Weighting risks corresponds to filtering a threat list as claimed, and corresponding to the comparison of one or more enterprise characteristics of the plurality of enterprise characteristics to the risk being determined. The risks correspond to active attacks on an enterprise system. [Col. 11, lines 45-53] Fig. 5 shows an example of a threat attribute of a plurality of threats from the OSINT domain, which correspond to one or more threat attributes. [Col. 18, lines 47-50] The steps of the process in Fig. 2 can be performed in any order.);
and an action engine communicatively coupled to the recommendation engine, the action engine is configured to receive the threat list and generate a plurality of actions corresponding to each threat of the threat list, each action of the plurality of actions including information directed to operations to mitigate or neutralize a risk associated with a threat of the threat list ([Col. 16, lines 1-16] Where the CRR handler 295 corresponds to an action engine, and is coupled to a risk evaluator, which corresponds to a recommendation engine. The CRR handler can generate solutions for evaluated risks and remediate the risks. This corresponds to an action list including a plurality of actions. [Col. 5, lines 57-61] NS system 20 is capable of identifying and prioritizing risks for testing and remediation, which can correspond to creating a threat list that is then performed by the CRR handler. [Col. 6, lines 33-36] NS system 20 can remediate the risks that were identified earlier, and is also related to the creation of a threat list, and performs solutions with respect to the risks identified.).
Alabdulhadi does not appear to expressly teach the limitation of ‘a second data store to contain an enterprise profile’.
However, Krishnakumar teaches the limitation of a second data store to contain an enterprise profile ([0020] Fig. 1, enterprise profile 123 can represent the information associated with a particular enterprise. This can include an enterprise identifier 126, a configuration profile 129, and a staging user account 133. [0021] An enterprise identifier 126 could take the form of an alphanumeric character string (e.g., a company name), a universal unique identifier (UUID), a globally unique identifier (GUID), or similar unique identifier.);
Accordingly, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention, having the teachings of Alabdulhadi and Krishnakumar before them, to include Krishnakumar’s ‘a second data store to contain an enterprise profile’ in Alabdulhadi’s threat management system performing the prioritization and neutralization of risks of a system in a network. One would have been motivated to make such a combination to enhance security by letting an enterprise see which of its resources are at high risk, and by maintaining separate profiles that identify how threats are detected for each enterprise, such that 'the enterprise profile 123 could be used in a multi-tenant environment', as taught by Krishnakumar [0020].
Regarding claim 2, Alabdulhadi in view of Krishnakumar teaches the elements of claim 1 as recited above. Alabdulhadi also teaches the limitation of ‘wherein the threat catalog of the first data store includes a plurality of threats and each threat of the plurality of threats includes the one or more threat attributes’ ([Col. 9, lines 2-5] Keywords are associated with each risk or risky computing resource and therefore can correspond to the one or more threat attributes of the applicant. [Col. 9, lines 9-13] New keywords can be added into the OSINT domain data sources when searches are conducted for important risks that affect a network or computing system.).
Regarding claim 3, Alabdulhadi in view of Krishnakumar teaches the elements of claim 1 as recited above. Alabdulhadi does not teach, but Krishnakumar teaches the limitation of ‘wherein enterprise profile of the second data store includes the one or more enterprise characteristics representative of an enterprise’ ([0021] Fig. 1, enterprise identifier 126 can be used to uniquely identify an enterprise with respect to another enterprise and, therefore, uniquely identify respective enterprise profiles 123, including with a character string, universally unique identifier (UUID), or a similar unique identifier.).
Accordingly, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention, having the teachings of Alabdulhadi and Krishnakumar before them, to include Krishnakumar’s ‘wherein enterprise profile of the second data store includes a plurality of enterprise characteristics representative of an enterprise’ in Alabdulhadi’s threat management system performing the prioritization and neutralization of risks of a system in a network. One would have been motivated to make such a combination to increase efficiency, such that when identifiers are used to quickly reference parts of an enterprise or different enterprises altogether, configurations of how threats are detected are assigned to the respective enterprises or parts of an enterprise, and work in conjunction with threat catalogs, as taught by Krishnakumar [0020].
Regarding claim 4, Alabdulhadi in view of Krishnakumar teaches the elements of claim 1 as recited above. Alabdulhadi also teaches the limitation of ‘wherein the recommendation engine to conduct analytics on the one or more threat attributes associated with a threat of the plurality of threats and an enterprise characteristic of the plurality of enterprise characteristics’ ([Col. 15, lines 19-22] Risk evaluator 294 can communicate with the NID risk assessor and the OSINT fusor 292. [Col. 8, line 66-Col. 9, line 5] Risks are identified, prioritized, and have keywords associated with each risk generated, which allows the NS system 20 to use the keywords for searching the OSINT domain for risks relating to the keywords from previous risks. [Col. 13, lines 37-40] Data for the network-internal domain and the OSINT domain are sent to the respective domains so as to organize the data and streamline analytics. [Col. 14, lines 59-67] Searching the OSINT domain data, which corresponds to the plurality of threats, is based on risks in the NID risk assessor, which assesses the network-internal domain, corresponding to the enterprise profile, and the NID risk assessor contains the enterprise characteristics.).
Regarding claim 7, Alabdulhadi in view of Krishnakumar teaches the elements of claim 1 as recited above. Alabdulhadi also teaches the limitation of ‘wherein each action of the plurality of actions generated by the action engine includes commands to be transferred, in response to an input by a customer to one or more security analyzer devices or one or more security controls to perform the operations to mitigate or neutralize the risk associated with the threat of the threat list’ ([Col. 5, lines 44-48] NS system 20 can communicate with an analyst computing resource and provide the necessary data for the resource to perform remediation of the risks identified. The presence of “Alternatively, the NS system 20 can autonomously perform the analysis or remediation, without any user intervention or interaction” indicates that when the system does not perform the functions autonomously, user input is required for the steps of this limitation to occur. [Col. 10, lines 28-32] The NS system 20 can select solutions for each risk, which allows the user to select and have an analyst computing resource perform the necessary operations to mitigate or neutralize the risks identified, which correspond to a threat list.).
Regarding claim 9, Alabdulhadi in view of Krishnakumar teaches the elements of claim 1 as recited above. Alabdulhadi also teaches the limitation of ‘wherein the action engine further comprises (i) an action data store including a plurality of actions each corresponding to text or links to direct operability of a customer or one or more commands to cause an operational event to occur and (ii) action prioritization logic to prioritize arrangement of the text or links or ordering of the one or more commands’ ([Col. 4, lines 59-61] Network security solution identifies and prioritizes pen testing solutions to evaluate risks, and in this scenario, the network security system can correspond to an action engine. The solutions to evaluate risks correspond to a plurality of actions corresponding to one or more commands to cause an operational event to occur. [Col. 11, lines 56-62] NS system 20 includes database 27 and RIAM system 29, connected through backbone B, shown in Fig. 1. Database 27 can correspond to an action data store. [Col. 15, lines 28-32] Database 27 can store risks, risk profiles, and pen testing solutions that can be needed to maintain a risk model up to date. [Col. 5, lines 39-43] NS system 20 can prioritize the risks based on the urgency and the severity of the risk, and the prioritization of risks corresponds to the action prioritization logic of the ordering of the one or more commands.).
Regarding claim 13, Alabdulhadi discloses the elements of claim 11 as recited above. Alabdulhadi does not teach, but Krishnakumar teaches the limitation of ‘wherein enterprise profile is maintained within a non-transitory storage medium and includes the one or more enterprise characteristics representative of the enterprise’ ([0019] The enterprise profile is stored in a data store 119, accessible to computing environment 103. [0051] Provisioning service 113 can query a data store to search for an enterprise profile 123 associated with an enterprise identifier 126. [0061] Various software components stored in the memory, including the data store 119 containing an enterprise profile 123, can be in an executable program stored in a non-transitory medium, such as a hard drive, solid-state drive, USB flash drive, or other memory components.).
Accordingly, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention, having the teachings of Alabdulhadi and Krishnakumar before them, to include Krishnakumar’s ‘wherein enterprise profile is maintained within a non-transitory storage medium and includes the plurality of enterprise characteristics representative of the enterprise’ in Alabdulhadi’s method performing prioritization of threats and actions for addressing the threats. One would have been motivated to make such a combination to increase efficiency by having all the functionality of the system into a piece of software with all the functionality ready for an enterprise or a customer of the enterprise to use, as taught by Krishnakumar [0066].
Claims 15-16, and 18-19 are rejected under 35 U.S.C. 103 as being unpatentable over Alabdulhadi in view of Hodgman et al. (US 20200053115 A1), hereinafter Hodgman.
Regarding claim 15, Alabdulhadi discloses the elements of claim 11 as recited above. Alabdulhadi does not teach, but Hodgman teaches the limitation of ‘wherein each action of the plurality of actions includes text or web links directed to the operations to be conducted by a customer’ ([0025] and [0047] Fig. 1, threat analysis system 102 produces insights 106, where the insights can be used to generate a report that provides information on an organization’s operational and security concerns, and the report describes the issues and the actions that must be taken to overcome those issues. Paragraph [0048] further states that various insights can be exposed to clients 118, which correspond to customers of the applicant.).
Accordingly, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention, having the teachings of Alabdulhadi and Hodgman before them, to include Hodgman’s ‘wherein each action of the plurality of actions includes text or web links directed to the operations to be conducted by a customer’ in Alabdulhadi’s method performing prioritization of threats and actions for addressing the threats. One would have been motivated to make such a combination to enhance security by alerting the user of potential severities that the threat can bring if left unchecked for even a brief period of time, as it can possibly spread to other devices in an organization, as taught by Hodgman [0025].
Regarding claim 16, Alabdulhadi discloses the elements of claim 1 as recited above. Alabdulhadi does not teach, but Hodgman teaches the limitation of ‘wherein each action of the plurality of actions includes commands to be automatically transferred to one or more security analyzer devices or one or more security controls to perform the operations to mitigate or neutralize the risk associated with the threat of the threat list’ ([0053] One of the actions stated in this paragraph is the suspending of operations of at least an electronic asset, which corresponds to one or more security controls performing the operations to mitigate the risk associated with the threat of a threat list per the applicant.).
Accordingly, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention, having the teachings of Alabdulhadi and Hodgman before them, to include Hodgman’s ‘wherein each action of the plurality of actions includes commands to be automatically transferred to one or more security analyzer devices or one or more security controls to perform the operations to mitigate or neutralize the risk associated with the threat of the threat list’ in Alabdulhadi’s method performing prioritization of threats and actions for addressing the threats. One would have been motivated to make such a combination to enhance security by having an asset be inaccessible until the situation can be resolved, so that the asset or system cannot get infected any further than the state it was in before locking and suspending operations, as taught by Hodgman [0053].
Regarding claim 18, Alabdulhadi discloses the elements of claim 1 as recited above. Alabdulhadi does not teach, but Hodgman teaches the limitation of ‘wherein the generating of the plurality of actions includes generating a series of actions to be conducted in a prescribed order to mitigate or neutralize the risk associated with the threat of the threat list’ ([0014] and claim 9 of Hodgman show an order in which the threats are neutralized, namely locking an asset, contacting an authorized user, and ending with suspending operation of the asset.).
Accordingly, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention, having the teachings of Alabdulhadi and Hodgman before them, to include Hodgman’s ‘wherein the generating of the plurality of actions includes generating a series of actions to be conducted in a prescribed order to mitigate or neutralize the risk associated with the threat of the threat list’ in Alabdulhadi’s method performing prioritization of threats and actions for addressing the threats. One would have been motivated to make such a combination to improve efficiency by having an order of actions that is easy to follow, so that the system can ensure the security of the system and the organization using the fastest methods possible, as taught by Hodgman [0053].
Regarding claim 19, Alabdulhadi discloses a non-transitory storage medium including software that, upon execution, detects cybersecurity threats identified by a threat list conducted on an enterprise ([Col. 2, lines 48-54] Non-transitory storage medium is described for storing the program and its instructions for having a risk be identified and prioritized. [Col. 3, lines 3-9] This section states that penetration testing of a risky resource is prioritized, and evaluating the risk is also performed.):
a recommendation engine configured to (i) conduct analytics on content from a threat catalog comprising a subset of threats selected from a global threat intelligence data store comprising cybersecurity intelligence, wherein the subset of threats being selected based on a correspondence within one or more enterprise characteristics of an enterprise profile and content from an enterprise profile to generate results that identify a plurality of threats directed to the enterprise ([Col. 15, lines 44-49] Risk evaluator corresponds to a recommendation engine of the applicant. [Col. 5, lines 62-67] Fig. 5, where the NS system 20 can analyze data from three domains to evaluate risks and risky computing resources in a computer network 10, where the network-internal domain corresponds to an enterprise profile of the applicant, and the OSINT domain corresponds to a threat catalog of the applicant. [Col. 6, lines 44-49] NS system 20 performs steps 105 and 110, where the analyzing of data in each of those steps is from a network-internal domain in step 105, and from identifying risks in step 110, which can include the OSINT domain. [Col. 9, lines 17-24] OSINT data domain can be employed to gather risk-related information from databases such as database 27, which includes risks stored in the database. Risks are shown in risk ranking 200 in Fig. 5, which corresponds to a subset of threats being selected and being weighted based on enterprise characteristics utilized as weights, appearing in Fig. 4 as well.),
and (ii) generate a threat list based on the analytic results by filtering the threat list based on a comparison of the one or more characteristics of the enterprise profile to one or more threat attributes associated with an active attack ([Col. 7, lines 6-10] Step 115 states that a risk assessment is analyzed based on the risks involved, and in step 120, the most urgent risks are to be evaluated first, where the prioritized risks correspond to the threat list of the applicant based on the analytic results. Furthermore, step 130 in Fig. 2 weighs the risks based on Fig. 5's risk ranking of threat attributes and ranking in different domains, including a network-internal domain, which corresponds to enterprise characteristics of the applicant, as stated in [Col. 7, lines 10-22]. [Col. 2, lines 18-22] Fig. 2, step 130, risks are weighted based on OSINT domain ranking, which is based on factors shown in Fig. 4, such as the impact of the OSINT domain. Weighting risks corresponds to filtering a threat list as claimed, and corresponds to the comparison of one or more enterprise characteristics of the plurality of enterprise characteristics to the risk being determined. The risks correspond to active attacks on an enterprise system. [Col. 11, lines 45-53] Fig. 5 shows an example of a threat attribute of a plurality of threats from the OSINT domain, which corresponds to one or more threat attributes.);
and an action engine communicatively coupled to the recommendation engine, the action engine is configured to receive the threat list and generate a plurality of actions corresponding to each threat of the threat list, each action of the plurality of actions including information directed to operations to mitigate or neutralize a risk associated with a threat of the threat list ([Col. 16, lines 1-16] Where the CRR handler 295 corresponds to an action engine, and is coupled to a risk evaluator, which corresponds to a recommendation engine. The CRR handler can generate solutions for evaluated risks and remediate the risks. This corresponds to an action list including a plurality of actions. [Col. 5, lines 57-61] NS system 20 is capable of identifying and prioritizing risks for testing and remediation, which can correspond to creating a threat list that is then acted upon by the CRR handler. [Col. 6, lines 33-36] NS system 20 can remediate the risks that were identified earlier, which is also related to the creation of a threat list, and performs solutions with respect to the risks identified.).
Alabdulhadi does not appear to teach the limitation of ‘the non-transitory storage medium comprising: a recommendation engine… and an action engine’.
However, Hodgman teaches the limitation of ‘the non-transitory storage medium comprising: a recommendation engine… and an action engine’ ([0037] The apparatus can be a software program in a physical medium or in a driver, which includes the data stores and the recommendation and action engines included on the program.).
Accordingly, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention, having the teachings of Alabdulhadi and Hodgman before them, to include Hodgman’s ‘non-transitory storage medium comprising: a recommendation engine… and an action engine’ in Alabdulhadi’s non-transitory storage medium containing elements to detect cybersecurity threats identified by a threat list conducted on an enterprise. One would have been motivated to make such a combination to increase efficiency by having “particular elements might be implemented in hardware, software (including portable software, such as applets) or both” so as to ensure that the elements such as the recommendation engine could be integrated into software form, as taught by Hodgman [0071].
Claims 5-6, and 8 are rejected under 35 U.S.C. 103 as being unpatentable over Alabdulhadi in view of Krishnakumar, in further view of Hodgman.
Regarding claim 5, Alabdulhadi in view of Krishnakumar teaches the elements of claim 1 as recited above. Alabdulhadi does not teach, but Hodgman teaches the limitation of ‘wherein each action of the plurality of actions generated by the action engine includes text or web links directed to the operations to be conducted by a customer’ ([0025] and [0047] Fig. 1, threat analysis system 102 produces insights 106, where the insights can be used to generate a report that provides information on an organization’s operational and security concerns, and the report describes the issues and the actions that must be taken to overcome those issues. Paragraph [0048] further states that various insights can be exposed to clients 118, which correspond to customers of the applicant.).
Accordingly, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention, having the teachings of Alabdulhadi and Hodgman before them, to include Hodgman’s ‘wherein each action of the plurality of actions generated by the action engine includes text or web links directed to the operations to be conducted by a customer’ in Alabdulhadi’s threat management system performing the prioritization and neutralization of risks of a system in a network. One would have been motivated to make such a combination to enhance security by alerting the user of potential severities that the threat can bring if left unchecked for even a brief period of time, as it can possibly spread to other devices in an organization, as taught by Hodgman [0025].
Regarding claim 6, Alabdulhadi in view of Krishnakumar teaches the elements of claim 1 as recited above. Alabdulhadi does not teach, but Hodgman teaches the limitation of ‘wherein each action of the plurality of actions generated by the action engine includes commands to be automatically transferred to one or more security analyzer devices or one or more security controls to perform the operations to mitigate or neutralize the risk associated with the threat of the threat list’ ([0053] One of the actions stated in this paragraph is the suspending of operations of at least an electronic asset, which corresponds to one or more security controls performing the operations to mitigate the risk associated with the threat of a threat list per the applicant.).
Accordingly, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention, having the teachings of Alabdulhadi and Hodgman before them, to include Hodgman’s ‘wherein each action of the plurality of actions generated by the action engine includes commands to be automatically transferred to one or more security analyzer devices or one or more security controls to perform the operations to mitigate or neutralize the risk associated with the threat of the threat list’ in Alabdulhadi’s threat management system performing the prioritization and neutralization of risks of a system in a network. One would have been motivated to make such a combination to enhance security by having an asset be inaccessible until the situation can be resolved, so that the asset or system cannot get infected any further than the state it was in before locking and suspending operations, as taught by Hodgman [0053].
Regarding claim 8, Alabdulhadi in view of Krishnakumar teaches the elements of claim 1 as recited above. Alabdulhadi does not teach, but Hodgman teaches the limitation of ‘wherein the action engine comprises an action generator logic configured to generate the plurality of actions as a series of actions to be conducted in a prescribed order to mitigate or neutralize the risk associated with the threat of the threat list’ ([0014] and claim 9 of Hodgman show an order in which the threats are neutralized, namely locking an asset, contacting an authorized user, and ending with suspending operation of the asset.).
Accordingly, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention, having the teachings of Alabdulhadi and Hodgman before them, to include Hodgman’s ‘wherein the action engine comprises an action generator logic configured to generate the plurality of actions as a series of actions to be conducted in a prescribed order to mitigate or neutralize the risk associated with the threat of the threat list’ in Alabdulhadi’s threat management system performing the prioritization and neutralization of risks of a system in a network. One would have been motivated to make such a combination to improve efficiency by having an order of actions that is easy to follow, so that the system can ensure the security of the system and the organization using the fastest methods possible, as taught by Hodgman [0053].
Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Alabdulhadi in view of Krishnakumar, in further view of Agper et al. (WO 2022094341 A1), hereinafter Agper.
Regarding claim 10, Alabdulhadi in view of Krishnakumar teaches the elements of claim 1 as recited above. Alabdulhadi discloses the method of ‘wherein the action engine is configured to provide an action list including the plurality of actions’ ([Col. 16, lines 1-16] Where the CRR handler 295 corresponds to an action engine, and is coupled to a risk evaluator, which corresponds to a recommendation engine. The CRR handler can generate solutions for evaluated risks and remediate the risks. This corresponds to an action list including a plurality of actions.).
Alabdulhadi in view of Krishnakumar does not teach, but Agper teaches the limitation of ‘each action of the plurality of actions represented by a selectable, display element that uniquely corresponds to a display element associated with a threat of the threat list’ ([0260] and [0261] Fig. 11A shows a GUI screen that has ‘actions’ as a drop-down option on the right side of the GUI, while the main options concern the threats that must be dealt with.).
Accordingly, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention, having the teachings of Alabdulhadi and Agper before them, to include Agper’s ‘each action of the plurality of actions represented by a selectable, display element that uniquely corresponds to a display element associated with a threat of the threat list’ in Alabdulhadi’s threat management system performing the prioritization and neutralization of risks of a system in a network. One would have been motivated to make such a combin