Prosecution Insights
Last updated: July 17, 2026
Application No. 18/186,009

SYSTEM AND METHOD FOR ENTERPRISE CYBERSECURITY BASELINE CLASSIFICATION

Non-Final OA §103
Filed
Mar 17, 2023
Examiner
BROWN, CHRISTOPHER J
Art Unit
2439
Tech Center
2400 — Computer Networks
Assignee
Saudi Arabian Oil Company
OA Round
3 (Non-Final)
75%
Grant Probability
Favorable
3-4
OA Rounds
1m
Est. Remaining
88%
With Interview

Examiner Intelligence

Grants 75% — above average
75%
Career Allowance Rate
536 granted / 711 resolved
+17.4% vs TC avg
Moderate +13% lift
Without
With
+13.0%
Interview Lift
resolved cases with interview
Typical timeline
3y 5m
Avg Prosecution
34 currently pending
Career history
753
Total Applications
across all art units

Statute-Specific Performance

§101
0.5%
-39.5% vs TC avg
§103
92.8%
+52.8% vs TC avg
§102
3.5%
-36.5% vs TC avg
§112
1.3%
-38.7% vs TC avg
Black line = Tech Center average estimate • Based on career data from 711 resolved cases

Office Action

§103
Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Response to Arguments Applicant's arguments filed 6/4/26 have been fully considered but is not persuasive. Applicant argues that the amended limitations state a first score and a second score that are not related. Applicant argues that Mosbys scoring related to risk which are different from “predetermined baseline selection criteria that is used to determined whether a baseline is necessary for the application. Examiner respectfully disagrees. The claims do not state that the first and second score are not related. Examiner asserts that one of ordinary skill in the art would not require a first and second score based on different criteria to be “unrelated”. For example a first score may relate to vulnerability, and a second score may be related to criticality, and yet these 2 scores are related. The claim limitations may still be met on this bases. Examiner asserts that the “baseline selection criteria” as stated in the claim is not defined. Examiner asserts that “the baseline selection” in Mosby is the baseline security that an is required to meet to have access to enterprise resources. This is assessed on a risk score. Mosby then further teaches remediation or “a security baseline” that is required and applied in order to approve the application for access. Examiner asserts that this reference meets the first of Applicants arguments. Applicant argues that the prior art fails to teach a second score based on “predetermined requirement used to determined whether the application is critical or non-critical”. Applicant has failed to define what “predetermined requirement criteria” are. Examiner asserts that Jarvis teaches scoring system based on criticality to an enterprise. The “predetermined requirement criteria” is the requirement of what level of impact a particular application or system would have for an enterprise. If the score indicates a system is “critical” then fixing that system would be prioritized. Thus Jarvis meets classification of an application as critical or non critical based on a second score, which is based on a “requirement criteria” [0062]-[0065] [0067] [0069] (criticality score, and applying security control based on score and criticality) [0048] (prioritize protective security controls) Since a critical application is prioritized for remediation, and as shown in Mosby, the “security baseline” is a minimum level of risk after configuration/remediation, then Examiner asserts that Jarvis teaches the claim as stated. Examiner also cites: Spisak US 2020/0092319 which teaches criticality [0043][0044] and control or configuration based on criticality [0086][0087] (security baseline) among other teachings. Examiner notes that Applicant reads into the claim language elements from the specification that are not readily apparent from the claims as stated. Examiner must read the claims with a broad but reasonable interpretation, and may not incorporate details from the instant specification into the claims as stated. Examiner notes that “security baseline” is a claim term but not known to one of ordinary skill in the art. Applicant appears to be using it as a “security configuration” of an application. Examiner notes that the claims state determining whether an application is “critical or non-critical”. Examiner asserts that one of ordinary skill in the art would not understand if this means the application has a critical security issue, or if the application is critical to have for the system. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claim(s) 1, 2, 4-10, 12-16, 18-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Mosby US 20210279337 in view of Jarvis US 2023/0031994. As per claim 1. Mosby teaches A method, comprising: obtaining an application admission request to enter a cybersecurity infrastructure; generating, by a computer processor, an assessment of the application based on a predetermined baseline selection criteria; [0031]-[0037][0046][0057][0065][0087]-[0091] (Security baseline, risk scores, categorizing the application risk category) Mosby teaches wherein the predetermined baseline selection criteria is used to determine whether a security baseline is necessary for the application. Mosby teaches generating, by the computer processor, an assessment of the application based on a predetermined basline selection criteria; [0031]-[0037][0046][0057][0065][0087]-[0091] (Security baseline, risk scores, categorizing the application risk category) (Mosby teaches a “base score” which examiner equates to a “baseline”. Mosby teaches that the application is further scored by a “risk score” which rates severity of vulnerability. Mosby teaches that this “risk score” may be adjusted to a “required” level based on enterprise customized environmental criteria, or policy and adjustments/mitigation in order for the application to actually be an acceptable for use; configuration policy “baseline” is applied to the application) Jarvis teaches determining, by the computer processor, a classification of the application based on the assessments, wherein the application is classified as critical or non-critical; [0016][0044][0045] (criticality score of application) [0062]-[0065] [0067] [0069] (criticality score, and applying security control based on score and criticality) [0048] (prioritize protective security controls) Jarvis teaches developing, by the computer processor, a security baseline for the application classified as critical; and updating, by the computer processor, a cybersecurity management database with information on the classification application. Jarvis teaches the predetermined requirement criteria is used to determine whether the application is critical or not critical. [0062]-[0065] [0067] [0069] (criticality score, and applying security control based on score and criticality) [0048] (prioritize protective security controls/ baseline) Jarvis teaches determining, by the computer processor, a first score of the application based on the assessment of the application using the predetermined baseline selection criteria; and determining, by the computer processor, a second score of the application based on the assessment of the application using the predetermined requirement criteria. [0045][0063] Fig. 5 (teaches a plurality of scores and comparison to a threshold to determined risk) [0062]-[0065] [0067] [0069] (criticality score, and applying security control based on score and criticality) [0048] (prioritize protective security controls) It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the teaching of Jarvis with the prior art of record because it provides more accurate security control scheme for each category of data. As per claim 3. Jarvis teaches The method of claim 2, wherein the classification is determined based on comparing the first score and the second score to a predetermined threshold. [0045][0063] Fig. 5 (teaches a plurality of scores and comparison to a threshold to determined risk) As per claim 4. Jarvis teaches The method of claim 1, further comprising: generating, by the computer processor, a generic security control for the applications classified as non-critical; and updating, by the computer processor, the cybersecurity management database with an information on the classification of the application. [0063][0065][0066] (teaches classification of critical levels of classification and corresponding security controls) As per claim 5. Mosby teaches The method of claim 1, wherein the cybersecurity management database stores classification information of a plurality of applications. [0030][0062][0104]-[0117] (teaches databases for applications and data used to score applications) As per claim 6. Mosby teaches The method of claim 1, wherein the application admission request to enter the cybersecurity infrastructure is generated by a user or by a cybersecurity network. [0096] (users bring their own device including applications) As per claim 7. Jarvis teaches The method of claim 4, wherein the generic security controls are NIST, DOD or enterprise's cybersecurity controls. [0049][0065][0066] (teaches use of NIST guidelines) As per claim 8. Mosby teaches The method of claim 1, wherein the assessment of the application based on the predetermined baseline selection criteria includes application being an off-the-shelf product and not having a custom code, the application having an editable configuration, and the application being a standalone application and not being a part of an existing baseline. [0040][0050][0087] [0104]-[0117] (no custom applications, off the shelf) (any application can be changed/patched, and thus editable, etc) As per claim 9. Jarvis teaches The method of claim 1, wherein the assessment of the application based on the predetermined requirement criteria includes application's cybersecurity tier, application's admittance to an intranet or extranet zone, and a number of employees using the application. [0018][0019][[0061][0063] Figure 4, Figure 5 (teaches using as part of a risk evaluation, risk value, internal/external, and number of users) As per claim 10. Mosby teaches A system, comprising: a network comprising a plurality of network elements;a hardware probe coupled to the plurality of network elements; a network element coupled to the plurality of network elements, the network element comprising a software probe; and a computer processor, wherein the computer processor is coupled to the hardware probe, the software probe, and the plurality of network elements, and wherein the computer processor comprises functionality for: obtaining an application admission request to enter a cybersecurity infrastructure; generating an assessment of the application based on a predetermined baseline selection criteria; Mosby teaches wherein the predetermined baseline selection criteria is used to determine whether a security baseline is necessary for the application. [0017][0019][0031]-[0037][0046][0057][0065][0087]-[0091] (Security baseline, risk scores, categorizing the application risk category). (Mosby teaches a “base score” which examiner equates to a “baseline”. Mosby teaches that the application is further scored by a “risk score” which rates severity of vulnerability. Mosby teaches that this “risk score” may be adjusted to a “required” level based on enterprise customized environmental criteria, or policy and adjustments/mitigation in order for the application to actually be an acceptable for use) Jarvis teaches determining a classification of the application based on the predetermined baseline selection criteria; generating an assessment of the application based on a predetermined requirement criteria; developing a security baseline for the application classified for a baseline selection; and updating a cybersecurity management database with information on the classification of the application. [0016][0044][0045] (criticality score of application) [0038][0046][0049][0059][0063][0067] (security and control baselines, database, training to update thresholds/confidence risk rating) Jarvis teaches the predetermined requirement criteria is used to determine whether the application is critical or not critical.[0062]-[0065] [0067] [0069] (criticality score, and applying security control based on score and criticality) [0048] (prioritize protective security controls/ baseline) Jarvis teaches the computer processor further comprises functionality for: determining a first score of the application based on the assessment of the application based on the predetermined baseline selection criteria; and determining a second score of the application based on the assessment of the application based on the predetermined requirement criteria. [0045][0063] Fig. 5 (teaches a plurality of scores and comparison to a threshold to determined risk) As per claim 12. Jarvis teaches The system of claim 11, wherein the classification is determined based on comparing the first score and the second score to a predetermined threshold. [0045][0063] Fig. 5 (teaches a plurality of scores and comparison to a threshold to determined risk) As per claim 13. Jarvis teaches The system of claim 10, wherein the computer processor further comprises functionality for: generating a generic security control for the applications classified as non-critical; and updating the cybersecurity management database with an information on the classification of the application. [0063][0065][0066] (teaches classification of critical levels of classification and corresponding security controls) As per claim 14. Mosby teaches The system of claim 10, wherein the cybersecurity management database stores a classification information of a plurality of applications. [0030][0062][0104]-[0117] (teaches databases for applications and data used to score applications) As per claim 15. Mosby teaches The system of claim 10, wherein the application admission request to enter the cybersecurity infrastructure is generated by a user or by the cybersecurity network. [0096] (users bring their own device including applications) As per claim 16. Mosby teaches A non-transitory computer readable medium storing instructions executable by a computer processor, the instructions comprising functionality for: obtaining an application admission request to enter a cybersecurity infrastructure; generating an assessment of the application based on a predetermined baseline selection criteria; generating an assessment of the application based on a predetermined requirement criteria; Mosby teaches wherein the predetermined baseline selection criteria is used to determine whether a security baseline is necessary for the application. [0016][0044][0045] (criticality score of application) [0031]-[0037][0046][0057][0065][0087]-[0091] (Security baseline, risk scores, categorizing the application risk category) (Mosby teaches a “base score” which examiner equates to a “baseline”. Mosby teaches that the application is further scored by a “risk score” which rates severity of vulnerability. Mosby teaches that this “risk score” may be adjusted to a “required” level based on enterprise customized environmental criteria, or policy and adjustments/mitigation in order for the application to actually be an acceptable for use) Jarvis teaches determining a classification of the application based on the predetermined baseline selection criteria; developing a security baseline for the application classified for a baseline selection; and updating a cybersecurity management database with information on the classification of the application. [0038][0046][0049][0059][0063][0067] (security and control baselines, database, training to update thresholds/confidence risk rating) Jarvis teaches the predetermined requirement criteria is used to determine whether the application is critical or not critical.[0062]-[0065] [0067] [0069] (criticality score, and applying security control based on score and criticality) [0048] (prioritize protective security controls/ baseline) Jarvis teaches wherein the instructions further comprise functionality for: determining a first score of the application based on the assessment of the application based on the predetermined baseline selection criteria; and determining a second score of the application based on the assessment of the application based on the predetermined requirement criteria. [0045][0063] Fig. 5 (teaches a plurality of scores and comparison to a threshold to determined risk) As per claim 18. Jarvis teaches The non-transitory computer readable medium of claim 17, wherein the classification is determined based on comparing the first score and the second score to a predetermined threshold. [0045][0063] Fig. 5 (teaches a plurality of scores and comparison to a threshold to determined risk) As per claim 19. Jarvis teaches The non-transitory computer readable medium of claim 16, wherein the instructions further comprise functionality for: generating a generic security control for the applications classified as non-critical; and updating the cybersecurity management database with an information on the classification of the application. [0063][0065][0066] (teaches classification of critical levels of classification and corresponding security controls) As per claim 20. Mosby teaches The non-transitory computer readable medium of claim 16, wherein the cybersecurity management database stores a classification information of a plurality of applications. [0030][0062][0104]-[0117] (teaches databases for applications and data used to score applications) Conclusion Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER BROWN whose telephone number is (571)272-3833. The examiner can normally be reached M-F 8-5. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached at (571) 270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /CHRISTOPHER J BROWN/Primary Examiner, Art Unit 2439
Read full office action

Prosecution Timeline

Mar 17, 2023
Application Filed
Sep 03, 2025
Non-Final Rejection mailed — §103
Dec 02, 2025
Response Filed
Mar 09, 2026
Final Rejection mailed — §103
May 04, 2026
Response after Non-Final Action
Jun 04, 2026
Request for Continued Examination
Jun 14, 2026
Response after Non-Final Action
Jun 30, 2026
Non-Final Rejection mailed — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12652290
CYBER SECURITY FOR SOFTWARE-AS-A-SERVICE FACTORING RISK
5y 3m to grant Granted Jun 09, 2026
Patent 12652315
REMOTE MONITORING OF A SECURITY OPERATIONS CENTER (SOC)
3y 8m to grant Granted Jun 09, 2026
Patent 12641111
Automated Security Analysis of Software Libraries
2y 5m to grant Granted May 26, 2026
Patent 12621339
SYSTEM AND METHOD FOR PROVIDING SECURITY POSTURE MANAGEMENT FOR AI APPLICATIONS
2y 5m to grant Granted May 05, 2026
Patent 12615280
DETECTING POLYMORPHIC BOTNETS USING AN IMAGE RECOGNITION PLATFORM
2y 9m to grant Granted Apr 28, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

3-4
Expected OA Rounds
75%
Grant Probability
88%
With Interview (+13.0%)
3y 5m (~1m remaining)
Median Time to Grant
High
PTA Risk
Based on 711 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month