Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
DETAILED ACTION
This is in response to the amendments filed 10/14//2025.Claims 1-9 have been amended. Claim 19 has been cancelled. Claim 11 has been added. Claims 1-9 and 11 are pending and are below.
Priority
18270362 filed 06/29/2023 is a National Stage entry of PCT/IB2021/062463 , International Filing Date: 12/30/2021, claims foreign priority to 102020000032882, filed 12/30/2020, claims foreign priority to 102021000032468, filed 12/23/2021.
Drawings
The drawings filed on 06/29/2023 are accepted.
Specification
The specification filed on 06/29/2023 is accepted.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 12/02/2026 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.
Response to Arguments
Applicant’s arguments, see remarks page 9 filed 10/14/2025, with respect to “objection to the claims “ have been fully considered and are persuasive. The objection to the claims has been withdrawn in light to the amendments to the claims.
Applicant’s arguments, see remarks pages 8-9 filed 10/14/2025, with respect to “Claim Rejections - 35 USC § 101“ have been fully considered and are persuasive. The rejection to the claims has been withdrawn in light to the cancellation of the claim.
Applicant’s arguments, see remarks page 9 filed 10/14/2025, with respect to “Claim Rejections - 35 USC § 112“ have been fully considered and are persuasive. The rejection to the claims has been withdrawn in light to the cancellation of the claim.
Applicant's arguments remarks pages 10-13” Futoransky neither teaches nor suggests a system for allowing a penetration/validation tester to execute penetration tests on, and validate the cybersecurity of” have been fully considered but they are not persuasive because: Furoransky et al teaches see par. 50 The present system and method is divided into 3 main components and a central database (113): front end (104), penetration testers (106), and report generators (108, 109). Par.55 the invention restricts to penetration-testing assets in Amazon Web Services, the user can provide with Identity and Access Management (IAM, for short; check http://aws.amazon.com/iam/) credentials that alone allow a user to interact with the Cloud Infrastructure to list his assets and verify that the user owns these assets (i.e., EC2 credentials with "Describe Instances" permissions set to "Allow" for all of the assets).Par.75-76 The command and control component will include a load monitor (403) which monitors the resources (penetration tester components, report generator components) available, the size of the existing queues (if any). A pentest ticket task builder (402) within the command and control component is responsible for defining pentest task tickets that are assigned to penetration tester components. Gwilliams teaches further teaches par37-38, Fig. 1B depicts the pentesting device 100 operating in the remote mode, the pentesting device 100 is coupled to the target application 102 via the connection 106. However, in this example, the pentesting device 100 establishes a secure connection 108 with a computing device 110 that is operated by a skilled user. Doing so allows the skilled user to remotely control the pentesting device 100 to perform the pentest. Par. 66 The remote mode allows skilled users to perform pentesting in locations and par.67 further teaches stablishing a secure connection between the pentesting device and a remote computing device. In this step, once the pentesting device is coupled to a target application, the pentesting device may seek to establish a secure connection with a remote computing device that is operated by a skilled technician to allow the technician to remotely control the pentesting device., which the meet the limation of claimed invention.
Examiner Notes
The IDS filed on 12/02/2025 with respect to the third party observation for application number EP20210848037, the third party observation refers to reference such E1, E3-E8, on pages 16-17, and further on page 28, however it is unclear to the examiner what references the applicant is referring to, the applicant is kindly require to summit the third party observation with clarifying details and corresponding references in or order for the examiner to consider.
Claim Objections
Claim 1 is objected to because of the following informalities: claims 1-9 and 11 recites the limitation of in the preamble of claim “A system (1) for allowing a penetration/validation tester (6, 7) to execute penetration tests on, and validate the cybersecurity of,:” which should be “A system . Appropriate correction is required.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-2, 4-8 and 11 are rejected under 35 U.S.C. 103 as being unpatentable over Futoransky et al U.S. 2014/0237606 A1 in view Gwilliams U.S. 2020/0265144 A1.
Claims 1 and 11: Futoransky et al teaches a system (1) for allowing a penetration/validation tester (6, 7) to execute penetration tests on, and validate the cybersecurity of, computer resources (4) of one or more local embedded systems the system (1) comprising:
one or more local electronic connectivity and processing units (3) each designed to be connectable to the one or more local embedded systems and to provide Internet connectivity to the one or more local embedded systems to which it is connected wherein each of the one or more local embedded system is without Internet connectivity (par.52-54, a computer having a memory, a processor, and one or more input and/or output (I/O) devices (or peripherals) that are communicatively coupled via a local interface. The local interface can be, for example but not limited to, one or more buses or other wired or wireless connections, as is known in the art); and
Futoransky et al fails to teach, however Gwilliams in the same field of endeavor teaches
a remote computing platform (2) designed to communicate with the one or more local electronic connectivity and processing units (3) and to allow access to the penetration/validation tester (6, 7) authorized to access the one or more local embedded systems to allow the penetration/validation tester (6, 7) to execute penetration tests on, and validate the cybersecurity of, the computer resources (4) of the one or more local embedded systems (par37-38, Fig. 1B depicts the pentesting device 100 operating in the remote mode, the pentesting device 100 is coupled to the target application 102 via the connection 106. However, in this example, the pentesting device 100 establishes a secure connection 108 with a computing device 110 that is operated by a skilled user. Doing so allows the skilled user to remotely control the pentesting device 100 to perform the pentest. Par. 66 The remote mode allows skilled users to perform pentesting in locations and par.67 further teaches stablishing a secure connection between the pentesting device and a remote computing device. In this step, once the pentesting device is coupled to a target application, the pentesting device may seek to establish a secure connection with a remote computing device that is operated by a skilled technician to allow the technician to remotely control the pentesting device);
wherein each of the one or more local electronic connectivity and processing unit (3) is designed to (par.31 The pentesting device 100 may be configured to perform a pentest on the target application 102 by executing a pentesting script customized for the target application):
store and execute one or more embedded computer tools designed to execute automatic penetration tests on, and validate the cybersecurity of, the computer resources (4) of the one or more local embedded systems connected to the one or more local electronic connectivity and processing units (3)(par.48, the pentesting script may be a preconfigured script that is stored in a memory of the pentesting device. The preconfigured script may be prepared by a skilled worker that customizes the script for the target application); and
communicate with the remote computing platform (2) to allow penetration/validation tester (6, 7) authorized to access the one or more local embedded systems connected to the local electronic connectivity and processing unit (3) to execute penetration tests on, and remotely validate the cybersecurity of, the computer resources (4) of the local embedded systems (par.26, 37, the pentesting device facilitates for a skilled technician to remotely perform the pentest, perhaps by establishing a secure connection between the pentesting device and a computing device operated by the skilled technician. Par.67 establishing a secure connection between the pentesting device and a remote computing device. In this step, once the pentesting device is coupled to a target application, the pentesting device may seek to establish a secure connection with a remote computing device that is operated by a skilled technician to allow the technician to remotely control the pentesting device. ); and
wherein the remote computing platform (2) is also designed to:
establish and manage secure connections between the local electronic connectivity and processing units (3) and the penetration/validation tester (6, 7) authorized to access the one or more local embedded systems connected to the local electronic connectivity and processing units (3) to allow penetration/validation tester(6, 7) to perform penetration tests on, and remotely validate the cybersecurity of the computer resources (4) of the the one or more local embedded systems to be tested, both through the embedded computing tools stored in the local connectivity and processing electronic units (3) and through computing tools of the penetration tester (6, 7)(par.67 establishing a secure connection between the pentesting device and a remote computing device. In this step, once the pentesting device is coupled to a target application, the pentesting device may seek to establish a secure connection with a remote computing device that is operated by a skilled technician to allow the technician to remotely control the pentesting device. par. receiving from the remote computing device instructions for performing a remote pentest on the target application. The instructions may cause the pentesting device to scan the target application, perform a series of tests to identify and evaluate potential vulnerabilities, and validate false positives, among other operations.).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the disclosure of Futoransky et al with the additional features of Gwilliams in order to provide systems that improve security assessments of IT infrastructure by providing the ability to perform a penetration test, executing the script to perform the test on the application; based on results of the test, and compiling data indicative of security vulnerabilities in the application, as suggested by Gwilliams abstract and par.1.
Claim 2: the combination teaches The system (1) according to claim 1 the remote computer platform (2) is further designed to:
allow the penetration/validation tester (6, 7) to request the assignment of time intervals for executing penetration tests on, and validating the cybersecurity of, local computer resources (4) of the one or more local embedded systems to which the penetration/validation tester (6, 7) is authorized to have access (Futoransky et al, par. 56, 70, 76, 83, 87);
assign to the penetration/validation tester (6, 7) one or more time intervals in which to execute penetration tests on, and validate the cybersecurity of, local computer resources (4) of the one or more local embedded systems (10) (Futoransky et al, par. 56, 70, 76, 83, 87); and
establish secure connections between the remote computing platform (2) and the one or more local electronic connectivity and processing units (3) in the time intervals assigned to the penetration/validation tester (6, 7) to allow the penetration/validation testers (6, 7) to perform penetration tests on, and remotely validate the cybersecurity of the computer resources (4), of the one or more local embedded systems connected to the local electronic connectivity and processing units (3) connected to the remote computing platform (2) (Futoransky et al, par. 56, 70, 75-76, 83, 87).
The same motivation to modify Futoransky et al in view of Gwilliams applied to claim 1 above applies here.
Claim 4: the combination teaches the system (1) according to claim 1
where the remote computing platform (2) is designed to manage the multiplexing between the penetration/validation tester (6, 7) and the one or more local electronic connectivity and processing units (3), to address security and conflict management of timing ensuring equal access to all penetration/validation tests (6, 7)( Futoransky et al, par.56, 70, Gwilliams, par.67).
The same motivation to modify Futoransky et al in view of Gwilliams applied to claim 1 above applies here.
Claim 5: the combination teaches
wherein the remote computing platform (2) is also designed to virtualize the one or more local embedded systems in order to make the related computer resources (4) on which to execute the penetration or cybersecurity validation tests available to the penetration/validation tester (6, 7)(Gwilliams, par 37-38, 67).
The same motivation to modify Futoransky et al in view of Gwilliams applied to claim 1 above applies here.
Claim 6: the combination teaches the cybersecurity testing and validation system (1) according to claim 1, in which the remote computing platform (2) is also designed to allow the implementation of one or more of the following features:
monitoring the activity of the local electronic connectivity and processing units (3) and of the remote computer platform (2)( Gwilliams, par. 47, 61-64);
recording penetration and cybersecurity validation test sessions (Gwilliams, par. 47, 61-64); and
generating reports of the activity of the one or more local electronic connectivity and processing units (3) and of the remote computer platform (2)( Gwilliams, par 35-36, 67).
The same motivation to modify Futoransky et al in view of Gwilliams applied to claim 1 above applies here.
Claim 7: the combination teaches
wherein the penetration/validation tester (6, 7) is a single user (6) or a bug bounty platform (7) to which single users are connected (6)(Futoransky et al, Fig.1, items 106-107).
Claim 8: the combination teaches the system (1) according to claim 1, wherein the one or more local electronic connectivity and processing units (3) are also designed to allow the implementation of one or more of the following functions: updating the embedded computing tools if a new type of vulnerability or attack methodology is found; and provide specifications, requirements and information on the types of vulnerabilities (Futoransky et al, par.39-42, 87).
Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over Futoransky et al U.S. 2014/0237606 A1 in view Gwilliams U.S. 2020/0265144 A1 in further view of Gorodissky et al U.S. 2019/0149572 A1.
Claim 3: the combination fails to teach, however Gorodissky et al in the same field of endeavor teaches the system (1) according to claim 2, wherein the one or more local electronic connectivity and processing units (3) are also designed to:
receive from the remote computing platform (2) and store the time intervals in which to connect to the remote computing platform (2)( par.106-110, 117, 141, 150); and
autonomously connect to the remote computing platform (2) in the stored time intervals(par.106-110, 117, 141, 150).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the disclosure of Futoransky et al with the additional features of Gorodissky et al in order to provide the ability to provide a first penetration testing campaign uses only active validation and a second penetration campaign uses only passive validation, where both campaigns are performed by a single penetration testing system in a single networked system. Node-by-node determination of whether to use active or passive validation can be based on expected extent and/or likelihood of damage from actually compromising a network node using active validation, as suggested by Gorodissky et al abstract.
Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Futoransky et al U.S. 2014/0237606 A1 in view Gwilliams U.S. 2020/0265144 A1 in further view of Chen et al CN 111901349 A (applicant provided IDS)
Claim 9: the combination fails to teach, however Wang et al in the same field of endeavor teaches the system (1) according to claim 1
wherein the local embedded systems (10) to be tested comprise an on-board motor vehicle system or a network of on-board motor vehicle systems connected to an on-board motor vehicle communication network (page 2, claim 1).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the disclosure of Futoransky et al with the additional features of Chen et al in order to provide a penetration testing system based on CAN bus in vehicle to simply and quickly test the in-vehicle CAN bus, without the need of other permeation test device, simple test step, high test efficiency and high accuracy, as suggested by Chen et al abstract
The following prior art are cited to further show the state of the art at the time of applicant’s invention.
Russ et al U.S. 20080256638 A1 System and method for providing network penetration testing.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to FATOUMATA TRAORE whose telephone number is (571)270-1685. The examiner can normally be reached 6:30-3:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, SHEWAYE GELAGAY can be reached at 5712724219. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
Saturday, January 10, 2026
/FATOUMATA TRAORE/Primary Examiner, Art Unit 2436