DETAILED ACTION
Notice of Pre-AIA or AIA Status
1. The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Amendment
2. The Amendment filed January 02, 2026 has been entered. Claims 1, 3, 14, 16 and 27 have been amended. Claims 1-27 are presented for examination. Applicant’s amendments to claim 1 have overcome the claim objections previously set forth in the Non-Final Office Action mailed October 02, 2025.
Response to Arguments
3. Applicant’s arguments, see pages 8-10, filed January 02, 2026, with respect to the rejection of claims 1-27 under 35 U.S.C. § 103 have been considered but are moot in view of the new grounds of rejection. The claims (as amended) do not overcome the new grounds of rejection, which are made in view of newly found prior art references.
Claim Rejections - 35 USC § 103
4. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
5. The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
6. Claim(s) 1, 2, 4, 6, 8, 12-15, 17, 19, 20, and 25-27 are rejected under 35 U.S.C. 103 as being unpatentable over Khalid et al. (US 10,587,647 B1), hereafter Khalid, in view of Orazio et al. (US 2023/0035918 A1), hereafter Orazio, and further in view of Eidissen (US 2022/0150269 A1), hereafter Eidissen.
Note: where a limitation is stated below as not taught by a reference, that statement indicates what the cited art does not teach.
Regarding claim 1, Khalid teaches a vulnerability and compromise detection (“VCD”) system for testing and analyzing computer networks for potential vulnerabilities to cyber-attacks, {Khalid [Col. 6, line 1-9] “A testing network 310 of the testing environment 300 may include a test console 320, a switch 330, and one or more network security devices whose efficacy of detecting the malware is to be assessed, i.e., the security devices are tested to determine whether they can accurately detect the malware and/or malicious behavior.”} A vulnerability allows threats, such as malware, to exploit a system. Cyber-attacks use malware to achieve a harmful objective. Khalid’s system tests security devices to determine whether they can accurately detect malware, and therefore is a VCD system.
the VCD system comprising at least one computer device comprising at least one processor, and at least one memory device in communication therewith, the at least one processor programmed to: {Khalid [Col. 4, line 31-40] “The end node 200 may be illustratively embodied as a test console, a unit-under-test (UUT) including a malware detection system (MDS), and/or a remote server. The end node 200 may include one or more CPUs 212, a memory 220, one or more network interfaces 214, one or more devices 216, and (optionally) a user interface 215 connected by a system interconnect 218.”}
filter a plurality of indicators of compromise associated with active threat actors using the received selection criteria; {Khalid [Col. 10, line 6-27] “The network interface 362 may receive and parse the request 400, which specifies…the URL 452 of the requested test sample or samples… URL 452 (identifier) is provided to the content engine 366 and used as an index to obtain the requested sample or predetermined mixture of samples from the sample database 368. The content engine 366 provides the requested test sample or samples to the network interface 362 of the remote server, which generates (creates) a message for “serving” the sample or samples to the virtualized endpoint as a response to the request.” [Col. 10, line 28-36] “The content engine 366 may also retrieve from the sample database indicators of compromise (IOC's) (e.g., behavioral features) associated with the test sample or samples, e.g., in response to selection of the URL by the test administrator. The IOC's may be sent to the test application 322 in a message separate from the sample or samples, whether proximate in time to the message containing the sample or samples or at a later time, such as during testing of the samples by the UUTs.”} A test administrator selects test sample identifiers (e.g., of malicious samples) from a sample database and submits a request (see col. 7, line 29-60). When the content engine 366 receives this request, it uses the test sample identifiers to retrieve the relevant test samples and their associated IOCs from sample database 368.
generate a plurality of validation tests to test for the filtered plurality of indicators of compromise; {Khalid [Col. 14, line 29-49] “The procedure 600 starts at step 602 and proceeds to step 604 where the virtualized endpoint running on the test console (test computer) generates one or more requests to acquire the plurality of test samples, wherein each request includes an indicator of an alias domain (e.g., URL) that may or may not be associated with a source of malware.”} Also see col. 7, line 29-54.
execute the plurality of validation tests in a simulation environment to generate a plurality of results; {Khalid [Col. 14, line 29-49] “At step 606, the virtualized endpoint sends the request to acquire the test sample or samples from a database of samples.” [Col. 14, line 50-67] “At step 612, a response to the request is generated at the remote server, wherein the response includes the test sample or samples, each having at least one malware or benign object. At step 614, the response is returned to the virtualized endpoint via the switch where, at step 616, a copy of the response to the request is provided to each UUT. At step 618, each object included in the response is processed at the virtualized endpoint and, at step 620, in this embodiment, each UUT also processes (e.g., runs static and/or behavioral analysis) the object (e.g., a copy thereof) to detect whether the object is malware or benign.” [Col. 7, line 61 - col. 8, line 10] “The test application 322 may instantiate the virtualized endpoint 324 as a virtual machine running on the test console 320 to simulate one or more actual endpoints on the enterprise network that may be vulnerable to the malware.”}
analyze the plurality of results to detect one or more failed validation tests of the plurality of validation tests; {Khalid [Col. 11, line 22-64] “In those cases in which IOC’s associated with a sample/object are received from the content engine 366, upon completion of processing by the virtualized endpoint 324, the test application 322 may inspect (e.g., scan) the virtualized endpoint using observed IOC's of the objects to determine whether the virtualized endpoint was compromised or not. Any failure on the part of one or another of the UUT's to so detect those behaviors (i.e., failure to detect the received IOC's or observed IOC's at the endpoint) can be reported by the test application 322 as reflecting on efficacy in detection. When the test application 322 reports on the efficacy of the UUT's, it may report on those IOC’s not detected by the UUT's (if any), which may present a compelling differential in performance of the UUT's in detecting malware.”} Also see col. 12, line 1-9.
However, Khalid does not teach receiving selection criteria associated with a threat assessment of a computer network; scanning a plurality of system logs of a computer network for indicators of compromise associated with the one or more failed validation tests; or determining whether the computer network is compromised based on the scan of the plurality of system logs.
However, Orazio teaches scanning a plurality of system logs of a computer network for indicators of compromise associated with the one or more failed validation tests; {Orazio [Para. 0037] “System 60 may detect and assess evidence of malware intrusion by system scanner 62 performing one or more scans of a system, wherein the one or more scans detect evidence of malware intrusion.” [Para. 0045] “The operating system of system 100 can also utilize connectors to scan logs for suspicious events, for example, unexpected execution of privileged tasks, deletion of logged events, or wholesale deletion of log files.” [Para. 0046] “Indicators of compromise may be detected by system scanner 62 (shown in FIG. 2), which also identifies malware intrusion techniques.”} Also see para. 0041 in Orazio. Orazio’s system scans system logs to detect IOCs.
and determining whether the computer network is compromised based on the scan of the plurality of system logs. {Orazio [Para. 0038] “Responsive to the assessment score computed or calculated by assessment score calculator 66 exceeding a pre-determined threshold, 2.5 in one example, forensic report generator 68 generates a forensic report for scanned system 100, wherein the forensic report comprises each respective result of the one or more scans by system scanner 62, the severity score assigned by severity score assignor 64 to each respective result, and the assessment score computed or calculated by assessment score calculator 66, and sends forensic report 300 (shown in FIG. 3) to system administrator 90.”} Also see para. 0039 in Orazio.
Orazio is analogous art because each of Khalid and Orazio pertains to detecting indicators of compromise. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Khalid to include Orazio’s teaching of the limitations of claim 1, listed above. Doing so would “provide for assessing system integrity of a system after a potential malware attack may have occurred” (Orazio, para. 0034).
However, neither Khalid nor Orazio teaches receiving selection criteria associated with a threat assessment of a computer network.
However, Eidissen teaches receiving selection criteria associated with a threat assessment of a computer network. {Eidissen [Para. 0014] “A user device may be configured to indirectly test at least a particular portion of one or more networks. For example, such network(s) may interface the user device with one or more remotely located computing devices (e.g., servers), which may communicate, to the user device, data describing one or more security tests. Based at least in part on such data, the user device may execute one or more aspects of the security test(s), which may include communicating with the remotely located computing device(s) via the at least a particular portion of the network(s).” [Para. 0025] “The data describing such security test(s) may include data indicating one or more predetermined threat indicators associated with a particular predetermined threat. Such threat indicator(s) may include an IP address associated with the particular predetermined threat, a domain name associated with the particular predetermined threat, a web-address reference associated with the particular predetermined threat,…”} A user device receives security test data containing specific threat indicators and subsequently runs these tests on a computer network. See paras. 0023-0026 for further details on the security tests.
Eidissen is analogous art because each of Khalid, Orazio and Eidissen pertains to analyzing a network for potential security risks. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Khalid and Orazio to include Eidissen’s teaching of the limitations of receiving selection criteria associated with a threat assessment of a computer network. Doing so would “enable a user to efficiently perform multiple useful security tests with respect to one or more networks without the need for specialized knowledge” (Eidissen, para. 0015).
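The following is an added illustration of the claim 1 processing flow as mapped above (receive selection criteria, filter IOCs, generate and execute validation tests against a simulated control, detect failed tests, scan host logs for the missed indicators, and decide compromise from the scan). It is example code written for this page; it is not code from the application, from Khalid, Orazio or Eidissen, or from any product. The IOC feed, the selection criteria shape, the severity weights, the 2.5 threshold and the log lines are all constructed assumptions.

```python
"""Hypothetical VCD pipeline illustrating the claim 1 flow (example code):
filter IOCs by selection criteria, validate a control against them in a
simulated environment, then scan host logs for the IOCs the control missed."""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class IOC:
    value: str       # domain, IP address or file hash
    kind: str        # "domain", "ip" or "sha256"
    actor: str       # threat actor the indicator is attributed to
    severity: float  # analyst-assigned weight used by assess() (assumed scale)


# Constructed feed; actors, values and weights are invented for the example.
IOC_FEED = [
    IOC("updates.example-c2.test", "domain", "ACTOR-A", 2.0),
    IOC("203.0.113.42", "ip", "ACTOR-A", 1.0),
    IOC("198.51.100.9", "ip", "ACTOR-B", 0.5),
    IOC("a" * 64, "sha256", "ACTOR-C", 1.5),
]

# Selection criteria from a threat assessment: which actors and indicator
# kinds matter for this network (the shape of the criteria is an assumption).
CRITERIA = {"actors": {"ACTOR-A", "ACTOR-B"}, "kinds": {"domain", "ip"}}

# The simulated Internet security control blocks exactly these values.
SIMULATED_BLOCKLIST = {"198.51.100.9"}

# Constructed host logs in the form "<timestamp> <host> <message>".
LOG_LINES = [
    "2026-01-05T10:00:01Z ws-17 proxy: CONNECT updates.example-c2.test:443 allowed",
    "2026-01-05T10:00:04Z ws-17 fw: outbound 203.0.113.42:8443 allowed",
    "2026-01-05T10:02:11Z ws-03 fw: outbound 203.0.113.42:8443 allowed",
    "2026-01-05T10:03:30Z ws-03 fw: outbound 198.51.100.9:80 blocked",
]

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<msg>.*)$")


def filter_iocs(feed, criteria):
    """Keep only IOCs whose actor and kind match the selection criteria."""
    actors, kinds = criteria.get("actors", set()), criteria.get("kinds", set())
    return [i for i in feed
            if (not actors or i.actor in actors) and (not kinds or i.kind in kinds)]


def generate_validation_tests(iocs):
    """One test per IOC; the control under test is expected to block it."""
    return [{"ioc": i, "expect": "blocked"} for i in iocs]


def execute_validation_tests(tests, blocklist):
    """Run each test against the simulated control and record what it did."""
    return [{**t, "observed": "blocked" if t["ioc"].value in blocklist else "allowed"}
            for t in tests]


def failed_tests(results):
    """A test succeeds only if the control blocked the indicator; anything else fails."""
    return [r for r in results if r["observed"] != r["expect"]]


def scan_logs(log_lines, iocs):
    """Return (host, ioc) pairs for every log line mentioning one of the IOCs."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        hits.extend((m["host"], i) for i in iocs if i.value in m["msg"])
    return hits


def assess(hits, threshold=2.5):
    """Sum IOC severities per host; a host at or above the threshold is
    treated as compromised (the threshold value is an assumption)."""
    scores = {}
    for host, ioc in hits:
        scores[host] = scores.get(host, 0.0) + ioc.severity
    return scores, sorted(h for h, s in scores.items() if s >= threshold)


def run_vcd(criteria, blocklist, log_lines, feed=IOC_FEED):
    """End-to-end: criteria -> filtered IOCs -> tests -> failures -> log scan."""
    selected = filter_iocs(feed, criteria)
    results = execute_validation_tests(generate_validation_tests(selected), blocklist)
    missed = [r["ioc"] for r in failed_tests(results)]
    scores, compromised = assess(scan_logs(log_lines, missed))
    return {"selected": selected, "results": results, "failed_iocs": missed,
            "scores": scores, "compromised": compromised}


if __name__ == "__main__":
    report = run_vcd(CRITERIA, SIMULATED_BLOCKLIST, LOG_LINES)
    for r in report["results"]:
        print(f"{r['ioc'].value:28} expected {r['expect']}, observed {r['observed']}")
    print("hosts to isolate:", report["compromised"])
```

Only the indicators the simulated control failed to block are searched for in the logs, which is the point of tying the log scan to the failed validation tests: an indicator the control already blocks cannot have reached a host through that control, so scanning for it adds noise without evidence. The per-host score is the hook for the isolation step of claim 12; a host listed in the compromised result is the one a network would be instructed to quarantine.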
Claim 2:
Regarding claim 2, the combination of Khalid, Orazio and Eidissen teaches wherein the at least one processor is further programmed to report threat posture information about the computer network and related systems as a form of threat intelligence. {Khalid [Col. 14, line 6-28] “The test application 322 may assess the reported results, and determine the efficacy of each UUT 340 in correctly determining whether the received objects of the samples 542 are malicious or benign. The test application 322 may also present the results of the UUT's analysis in more detail, including the characteristics and behaviors observed for each sample, on which the malware determination is based. The test application 322 may generate a report on the efficacy and comparison of detection results of the UUTs (including, for example, where applicable, behaviors of the samples observed during their execution by the UUTs).”}
Claim 4:
Regarding claim 4, the combination of Khalid, Orazio and Eidissen teaches wherein each validation test of the plurality of validation tests is configured to test if the corresponding indicator of compromise will be blocked by one or more Internet security controls, {Khalid [Col. 13, line 8-28] “An alternative, “in-band” deployment, can locate one or another of the UUT's in series with the switch, and between the firewall 350 and the test console. Upon detecting (rightly or wrongly) a malicious attack (including communications containing or associated with suspected malware), the in-line UUT 340 may be configured to block the communication (e.g., request-response message traffic). For example, the in-line UUT 340 may determine that a request message is directed to a blacklisted domain (the alias domain) and therefore block the request, or determine that the response message containing the sample is being sent from a blacklisted domain (the alias domain), and otherwise allow the traffic to proceed.” [Col. 6, line 21-26] “The security devices are illustratively “units under test” (UUT's 340), e.g., network traffic capture devices coupled locally and communicating with one or more local or remote malware detection systems (MDS's).”}
wherein each validation test of the plurality of validation tests is performed in a simulated environment in communication with the one or more internet security controls. {Khalid [Col. 7, line 61 - col. 8, line 10] “The test application 322 may instantiate the virtualized endpoint 324 as a virtual machine running on the test console 320 to simulate one or more actual endpoints on the enterprise network that may be vulnerable to the malware.” [Col. 14, line 50-67] “At step 614, the response is returned to the virtualized endpoint via the switch where, at step 616, a copy of the response to the request is provided to each UUT. At step 618, each object included in the response is processed at the virtualized endpoint and, at step 620, in this embodiment, each UUT also processes the object (e.g., a copy thereof) to detect whether the object is malware or benign.”}
Claim 6:
Regarding claim 6, the combination of Khalid, Orazio and Eidissen teaches wherein the simulation environment simulates a computer system on the computer network. {Khalid [Col. 7, line 61 - col. 8, line 10] “The test application 322 may instantiate the virtualized endpoint 324 as a virtual machine running on the test console 320 to simulate one or more actual endpoints on the enterprise network that may be vulnerable to the malware.”}
Claim 8:
Regarding claim 8, the combination of Khalid, Orazio and Eidissen teaches wherein a validation test succeeds if one or more Internet security controls blocks access during the validation test. {Khalid [Col. 13, line 8-28] “For example, the in-line UUT 340 may determine that a request message is directed to a blacklisted domain (the alias domain) and therefore block the request, or determine that the response message containing the sample is being sent from a blacklisted domain (the alias domain), and otherwise allow the traffic to proceed.” [Col. 14, line 6-28] “The test application 322 may assess the reported results, and determine the efficacy (e.g., a malware detection score) of each UUT 340 in correctly determining whether the received objects of the samples 542 are malicious or benign.”}
Claim 12:
Regarding claim 12, the combination of Khalid, Orazio and Eidissen teaches wherein the at least one processor is further programmed to: detect at least one compromised computer system based on the scan of the plurality of system logs; and instruct the computer network to isolate the at least one compromised computer system. {Orazio [Para. 0045] “The operating system of system 100 can also utilize connectors to scan logs for suspicious events, for example, unexpected execution of privileged tasks, deletion of logged events, or wholesale deletion of log files.” [Para. 0046] “Indicators of compromise may be detected by system scanner 62.” [Para. 0039] “Responsive to the assessment score computed or calculated by assessment score calculator 66 exceeding a pre-determined threshold, 2.5 in one example, system isolator 70 isolates and quarantines scanned system 100,… and removes scanned system 100 from at least one network using, in one example, via network adapter 20 (shown in FIG. 1).”}
Orazio is analogous art because each of Khalid, Orazio and Eidissen pertains to analyzing a network for potential security risks. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Khalid and Eidissen to include Orazio’s teaching of the limitations of claim 12, listed above. Doing so would “provide for assessing system integrity of a system after a potential malware attack may have occurred” (Orazio, para. 0034).
Claim 13:
Regarding claim 13, Khalid, Orazio and Eidissen teach the elements of claim 1 as stated.
Khalid further teaches wherein the at least one processor is further programmed to report the plurality of results of the plurality of validation tests. {Khalid [Col. 15, line 13-36] “At step 622, each UUT generates a report of detection of the object as malware or benign. At step 624, the test application can report on the efficacy of the UUT's by comparing and contrasting the detections of the UUT's as reported in step 622. Moreover, in some embodiments, the report of the test application may include information regarding the ability of the UUT's to detect the IOC's as provided by the content engine and/or as experienced by (and monitored in) the virtualized endpoint during processing of the object.”}
However, Khalid and Eidissen do not teach wherein the at least one processor is further programmed to report results of the scan of the plurality of system logs.
However, Orazio teaches wherein the at least one processor is further programmed to report results of the scan of the plurality of system logs. {Orazio [Para. 0038] “Responsive to the assessment score computed or calculated by assessment score calculator 66 exceeding a pre-determined threshold, 2.5 in one example, forensic report generator 68 generates a forensic report for scanned system 100, wherein the forensic report comprises each respective result of the one or more scans by system scanner 62, the severity score assigned by severity score assignor 64 to each respective result, and the assessment score computed or calculated by assessment score calculator 66, and sends forensic report 300 to system administrator 90.”}
Orazio is analogous art because each of Khalid, Orazio and Eidissen pertains to analyzing a network for potential security risks. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Khalid and Eidissen to include Orazio’s teaching of reporting results of a scan of system logs. Doing so would “provide for assessing system integrity of a system after a potential malware attack may have occurred” (Orazio, para. 0034).
Claim 14, 15, 17, 19, 20, and 25-27:
Regarding claims 14, 15, 19, 20, 25 and 26, the claims are directed to a method for testing and analyzing computer networks for potential vulnerabilities to cyber-attacks, and the method comprises the steps recited by claims 1, 2, 6, 8, 12 and 13. Therefore, the rejection applied to claims 1, 2, 6, 8, 12 and 13 also applies to claims 14, 15, 19, 20, 25 and 26, which are rejected under the same rationale.
Claim 14 further recites a computer-based method for testing and analyzing computer networks for potential vulnerabilities to cyber-attacks, the method implemented on a vulnerability and compromise detection (“VCD”) computer device including at least one processor in communication with at least one memory device, the method comprising: the operations recited by claim 1. {Khalid [Col. 5, line 27-31] “A testing technique to test and compare malware detection capabilities of network security devices and other cyber-attack security devices.” [Col. 4, line 31-40] “The end node 200 may be illustratively embodied as a test console, a unit-under-test (UUT) including a malware detection system (MDS), and/or a remote server as described further herein. The end node 200 may include one or more CPUs 212, a memory 220, one or more network interfaces 214, one or more devices 216,…connected by a system interconnect 218.”}
Claim 17:
Regarding claim 17, the combination of Khalid, Orazio and Eidissen teaches wherein each validation test of the plurality of validation tests is configured to test if the corresponding indicator of compromise will be blocked by one or more Internet security controls. {Khalid [Col. 13, line 8-28] “In-band” deployment, can locate one or another of the UUT's in series with the switch, and between the firewall 350 and the test console. Upon detecting a malicious attack, the in-line UUT 340 may be configured to block the communication (e.g., request-response message traffic). For example, the in-line UUT 340 may determine that a request message is directed to a blacklisted domain (the alias domain) and therefore block the request, or determine that the response message containing the sample is being sent from a blacklisted domain (the alias domain), and otherwise allow the traffic to proceed.” [Col. 6, line 21-26 ] “The security devices are illustratively “units under test” (UUT's 340), e.g., network traffic capture devices coupled locally and communicating with one or more local or remote malware detection systems (MDS's).”}
Claim 27:
Regarding claim 27, the claim is directed to a computer-readable storage media containing instructions that will cause the processor to implement the operations recited by claim 1. Therefore, the rejection applied to claim 1 also applies to claim 27.
Claim 27 further recites at least one non-transitory computer-readable storage media having computer-executable instructions embodied thereon, wherein when executed by at least one processor, the computer-executable instructions cause the processor to: implement the steps recited by claim 1. {Khalid [Col. 5, line 17-26] “Other types of processing elements and memory, including various computer-readable media, may be used to store and execute program instructions...” [Col. 4 line 59-67 - col.5 line 1-4] “The CPU 212 may be embodied as a hardware processor including processing elements or logic adapted to execute the software program code and application programs, and manipulate the data structures.”}
7. Claims 3, 5, 16 and 18 are rejected under 35 U.S.C. § 103 as being unpatentable over Khalid, Orazio and Eidissen as applied to claims 1 and 14, and further in view of McClintock et al. (US 10,135,862 B1), hereafter McClintock.
Regarding claim 3, Khalid, Orazio and Eidissen teach the elements of claim 1 as stated.
However, Khalid, Orazio and Eidissen do not teach receiving the plurality of indicators of compromise on a periodic basis.
However, McClintock teaches wherein the at least one processor is further programmed to receive the plurality of indicators of compromise on a periodic basis. {McClintock [Col. 3, line 54-61 ] “The indicators of compromise ingestion service 218 is executed to receive data describing known indicators of compromise from internal and/or external sources. The indicators of compromise ingestion service 218 may receive periodic data feeds from other organizations using STIX).”}
McClintock is analogous art because each of Khalid, Orazio, Eidissen and McClintock pertains to analyzing a network for potential security risks. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Khalid, Orazio and Eidissen to include McClintock’s teaching of receiving a plurality of IOCs on a periodic basis. Doing so “can assess the effect of any automated defenses” (McClintock, col. 2, line 21-22).
Claim 5:
Regarding claim 5, the combination of Khalid, Orazio, Eidissen and McClintock teaches wherein the at least one processor is further programmed to instruct the one or more Internet security controls to block the indicators of compromise associated with the one or more failed validation tests. {McClintock [Col. 4, line 30-39] “The intrusion detection system 112 may cause one or more automated actions to be performed in response to detecting a known indicator of compromise. Such actions may include configuring a router or firewall to remove access to the network 212 for one or more network hosts 206, quarantining suspicious files on a network host 206 (e.g., so that the files cannot easily be executed), configuring a router or firewall to block inbound or outbound network access for one or more network addresses or ports, or other actions.”}
McClintock is analogous art because each of Khalid, Orazio, Eidissen and McClintock pertains to analyzing a network for potential security risks. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Khalid, Orazio and Eidissen to include McClintock’s teaching of instructing an Internet security control to block the IOCs associated with the failed validation tests. Doing so “can assess the effect of any automated defenses” (McClintock, col. 2, line 21-22).
Claims 16 and 18:
Regarding claims 16 and 18, the claims are directed to a method for testing and analyzing computer networks for potential vulnerabilities to cyber-attacks, and the method comprises the operations recited by claims 3 and 5. Therefore, the rejection applied to claims 3 and 5 also applies to claims 16 and 18, which are rejected under the same rationale.
8. Claims 7, 9, 21 and 22 are rejected under 35 U.S.C. § 103 as being unpatentable over Khalid, Orazio and Eidissen as applied to claims 1 and 14, and further in view of Telang et al. (US 2018/0357422 A1), hereafter Telang.
Regarding claim 7, Khalid, Orazio and Eidissen teach the elements of claim 1 as stated.
However, Khalid, Orazio and Eidissen do not teach wherein the plurality of results includes message logs generated during the corresponding validation tests.
However, Telang teaches wherein the plurality of results includes message logs generated during the corresponding validation tests. {Telang [Para. 0074] “The first part of the syslog message is associated with a priority value that represents a facility and a severity. Various operating system daemons and processes have been assigned numeric facility codes though those that are unassigned may use any of the “local use” or “user-level” facilities. Illustrative operating system daemons and processes include kernel messages, user-level messages, mail system messages, security/authorization messages, syslogd messages, system daemons, clock daemon, file transfer protocol (FTP) daemon, log alert, etc. Illustrative severity codes may be associated with “Emergency: system is unusable”, “Alert: action must be taken immediately”, “Critical: critical conditions”, “Error: error conditions”, “Warning: warning conditions”, etc.”} Also see para. 0073 in Telang.
Telang is analogous art because each of Khalid, Orazio, Eidissen and Telang pertains to implementing malware detection. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Khalid, Orazio and Eidissen to include Telang’s teaching of the limitations of claim 7, listed above. Doing so would “ensure that cybersecurity system correctly responds to different types of attacks” (Telang, para. 0705).
Claim 9:
Regarding claim 9, the combination of Khalid, Orazio, Eidissen and Telang teaches wherein the plurality of system logs includes activity and message logs of a plurality of computers in the computer network. {Telang [Para. 0073] “Network activity data capture device(s) 104 may include one or more computing devices that are syslog servers that collect any syslog data from any of the plurality of monitored devices 102. Syslog data may be generated by communication networking devices, DHCP servers, proxy servers, web servers, workstations, etc. For a typical entity, a single syslog data feed may contain dozens of different event record types (firewall, authentication, web proxy, end point, Internet provider security, intrusion detection system, etc.)”} Also see para. 0074 in Telang.
Telang is analogous art because each of Khalid, Orazio, Eidissen and Telang pertains to implementing malware detection. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Khalid, Orazio and Eidissen to include Telang’s teaching of the limitations of claim 9, listed above. Doing so would “ensure that cybersecurity system correctly responds to different types of attacks” (Telang, para. 0705).
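The Telang passages quoted for claims 7 and 9 describe syslog message logs whose leading priority value encodes a facility and a severity, collected from many hosts by a syslog server. As an added example, not code from the application, from Telang or from any syslog implementation, the block below decodes that priority value (PRI = facility * 8 + severity, the RFC 3164/5424 convention) and parses BSD-style syslog lines so that messages from several computers can be triaged by severity. The sample lines, host names and the severity cut-off are constructed assumptions.

```python
"""Parse BSD-style syslog lines, decode the <PRI> into facility and severity,
and triage messages from several hosts by severity (example code)."""
import re

# Facility and severity code tables as used by syslog (PRI = facility * 8 + severity).
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
              12: "ntp", 13: "audit", 14: "alert", 15: "clock",
              **{16 + i: f"local{i}" for i in range(8)}}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# "<PRI>Mmm dd hh:mm:ss host tag[pid]: message" (BSD/RFC 3164 style).
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$")


def decode_pri(pri):
    """Split a PRI value into (facility, severity); a valid PRI is 0..191."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return divmod(pri, 8)


def parse_syslog(line):
    """Return a record dict for a well-formed line, or None for anything else."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    facility, severity = decode_pri(int(m["pri"]))
    return {"host": m["host"], "timestamp": m["ts"], "tag": m["tag"],
            "pid": int(m["pid"]) if m["pid"] else None,
            "facility": FACILITIES[facility], "severity": SEVERITIES[severity],
            "severity_code": severity, "msg": m["msg"]}


def triage(lines, max_severity=3):
    """Group messages at or above max_severity (default 3 = err) by host.
    Unparseable lines are skipped rather than aborting the whole scan."""
    by_host = {}
    for line in lines:
        rec = parse_syslog(line)
        if rec is None or rec["severity_code"] > max_severity:
            continue
        by_host.setdefault(rec["host"], []).append(rec)
    return by_host


# Constructed sample messages from two hosts (addresses are documentation ranges).
SAMPLE_LINES = [
    "<34>Jan  5 10:00:01 ws-17 sshd[842]: Failed password for root from 203.0.113.42 port 51022 ssh2",
    "<86>Jan  5 10:00:05 ws-17 sshd[842]: Accepted password for root from 203.0.113.42 port 51022 ssh2",
    "<13>Jan  5 10:01:00 ws-03 backup: nightly job completed",
    "<35>Jan  5 10:02:30 ws-03 auditd[100]: audit log /var/log/audit/audit.log removed",
    "this line is not syslog at all",
]

if __name__ == "__main__":
    for host, recs in triage(SAMPLE_LINES).items():
        for r in recs:
            print(f"{host} {r['facility']}.{r['severity']} {r['tag']}: {r['msg']}")
```

Severity alone is a coarse filter: the second sample line (a successful root login from the same address that just failed) is only "info" and would be dropped by the default cut-off, which is why a log scan for indicators should match on message content, not only on the priority field.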
Claims 21 and 22:
Regarding claims 21 and 22, the claims are directed to a method for testing and analyzing computer networks for potential vulnerabilities to cyber-attacks, and the method comprises the operations recited by claims 7 and 9. Therefore, the rejection applied to claims 7 and 9 also applies to claims 21 and 22, which are rejected under the same rationale.
9. Claims 10 and 23 are rejected under 35 U.S.C. § 103 as being unpatentable over Khalid, Orazio and Eidissen as applied to claims 1 and 14, and further in view of Zettel II et al. (US 2018/0324197 A1), hereafter Zettel II.
Regarding claim 10, Khalid, Orazio and Eidissen teach the elements of claim 1 as stated.
Khalid further teaches wherein the at least one processor is further programmed to: retrieve a plurality of compromise information for each of the indicators of compromise associated with the one or more failed validation tests; {Khalid [Col. 11, line 22-64] “In those cases in which IOC’s associated with a sample/object are received from the content engine 366, upon completion of processing by the virtualized endpoint 324, the test application 322 may inspect (e.g., scan) the virtualized endpoint using observed IOC's of the objects to determine whether the virtualized endpoint was compromised or not. Any failure on the part of one or another of the UUT's to so detect those behaviors (i.e., failure to detect the received IOC's or observed IOC's at the endpoint) can be reported by the test application 322 as reflecting on efficacy in detection. When the test application 322 reports on the efficacy of the UUT's, it may report on those IOC’s not detected by the UUT's (if any)...”}
However, Khalid, Orazio and Eidissen do not teach scanning the plurality of system logs of the computer network based on the plurality of compromise information.
However, Zettel II teaches scanning the plurality of system logs of the computer network based on the plurality of compromise information. {Zettel II [Para. 0058] “The platform instance 330 sends a message 360 to the agent device 320. The message includes an observable (e.g., an observable associated with a security incident and/or an observable included in a trusted circle alert or query). Responsive to the message, the search module 322 invokes searches of data in the customer infrastructure for occurrences of the observable. The search module 322 also invokes a search of data in the security log system 328 (e.g., a Splunk or Elasticsearch log store) using one or more query messages 366 supported by an API of the security log system 328) to obtain one or more query responses 368 and to find occurrences of the observable.” [Para. 0017] “For example, an observable may be a component of an indicator of compromise (IoC).”}
Zettel II is analogous art because each of Khalid, Orazio, Eidissen and Zettel II pertains to detecting indicators of compromise. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Khalid, Orazio and Eidissen to include Zettel II’s teaching of scanning system logs of a computer network based on a plurality of compromise information. Doing so would prevent exfiltration of sensitive data (see Zettel II, para. 0016).
Claim 23:
Regarding claim 23, the claim is directed to a method for testing and analyzing computer networks for potential vulnerabilities to cyber-attacks, and the method comprises the operations recited by claim 10. Therefore, the rejection applied to claim 10 also applies to claim 23. Claim 10 is rejected under the same rationale as claim 23.
10. Claims 11 and 24 are rejected under 35 U.S.C. § 103 as being unpatentable over Khalid and Orazio as applied to claims 1 and 14, and further in view of DiValentin et al. (US 2018/0041538 A1), hereafter DiValentin.
Regarding claim 11, Khalid, Orazio and Eidissen teach the elements of claim 1 as stated.
Khalid further teaches wherein the indicator of compromise is a website; {Khalid [Col. 2, line 26-53] “A virtualized endpoint running on a test console, e.g., a computer, connected to the testing network of a testing environment generates and sends one or more request messages (requests) to acquire a plurality (e.g., mixture) of test samples from a database of samples stored in a secure data store of the testing environment. Each request includes an indicator, e.g., a uniform resource locator (URL), of a domain that may or may not be known to be associated with a source of malware. In other embodiments, the URL's may correspond to a mixture of such whitelisted domains and “dirty” or “blacklisted” domains known to be associated with a malicious server.”}
However, Khalid, Orazio and Eidissen do not teach wherein the at least one processor is further programmed to determine if any computer system in the computer network accessed the website based on the scan of the plurality of system logs of the computer network.
However, DiValentin teaches wherein the at least one processor is further programmed to determine if any computer system in the computer network accessed the website based on the scan of the plurality of system logs of the computer network. {DiValentin [Para. 0061] “During stage 520, the computing system 504 can perform the incident response, and can provide a further notification 522 that pertains to the security incident, which can include results of the performed actions (e.g., the response scripts), a status of the affected computing device, and a list of possible actions that may be performed based on the device's current status. In the present example, the further notification 522 indicates that a script for removing the malicious process was executed, but additional suspicious files were detected on the affected device. The further notification 522 in the present example may also indicate that an action of isolating the suspicious files, and an action of blocking outgoing network traffic from the affected device may be performed.”}
DiValentin is analogous art because each of Khalid, Orazio, Eidissen and DiValentin pertains to analyzing a network for potential security risks. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Khalid, Orazio and Eidissen to include DiValentin’s teaching of the limitations of claim 13, listed above. Doing so “can defend against evolving cyber-attacks” (DiValentin, para. 0008).
Claim 24:
Regarding claim 24, the claim is directed to a method for testing and analyzing computer networks for potential vulnerabilities to cyber-attacks, and the method comprises the operations recited by claim 11. Therefore, the rejection applied to claim 11 also applies to claim 24. Claim 11 is rejected under the same rationale as claim 24.
Conclusion
11. The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Godard et al. (US 2018/0239902 A1) discloses a method for performing simulated cyber-attack scenarios and actions against a target (e.g., a server in a cloud).
Martin et al. (US2018/0004942 A1) discloses a system for detecting a cyber-attack. The system scans network accounting logs to identify elements in the logs that match IOC values contained in new threat intelligence.
12. Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.
13. Any inquiry concerning this communication or earlier communications from the examiner should be directed to BIN QING ZHENG whose telephone number is (703) 756-1535. The examiner can normally be reached on M-F 9:30 am - 5:30 pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Philip J. Chea can be reached on 571-272-3951. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/BIN QING ZHENG/
Examiner, Art Unit 2499
/PHILIP J CHEA/Supervisory Patent Examiner, Art Unit 2499