THREAT MODELING AT SCALE

§101 §103 §112

DETAILED ACTION A response was received on 07 December 2025. By this response, Claims 1, 2, 6, 7, 11, 12, and 17 have been amended. Claims 3, 4, 13, and 14 have been canceled. No new claims have been added. Claims 1, 2, 5-12, and 15-20 are currently pending in the present application. Response to Arguments Applicant's arguments filed 07 December 2025 have been fully considered but they are not persuasive. Regarding the objections to the drawings for informalities, Applicant asserts that Figure 4 is clear when considered in combination with the specification (page 10 of the present response). However, even when considering paragraphs 0083, 0085, and 0087 as cited, the flow out of step 304, whether the logging of step 309 should then lead to step 310, and what the actual yes or no decision that is made in decision block 318 are still unclear. Applicant has not provided any further explanation. Regarding the rejection of Claims 1-20 under 35 U.S.C. 112(a) for failure to comply with the enablement requirement, Applicant argues that the training of the AI enables prediction of probability and refinement/enhancement of the decision-making algorithms (pages 11-12 of the present response, citing paragraphs 0039, 0042-0044, 0064, 0065, 0067 of the specification) and that one skilled in the art of software security vulnerability assessment would understand how to implement AI algorithms for probability prediction and have knowledge of AI/ML techniques for probabilistic analysis (pages 12-13 of the present response). However, as described in the cited paragraphs of the specification, the AI model largely functions as a black box because there is no actual algorithm described. Although Applicant asserts that the algorithms are continuously refined and enhanced, there is still not a clear description of the initial starting point for these algorithms. Although Applicant asserts that one skilled in the art of vulnerability assessment would understand how to implement AI algorithms in this situation, Applicant provides no evidence for this assertion. It is noted that the fields of vulnerability assessment and artificial intelligence are defined in two different portions of the classification scheme (e.g. CPC G06F 21/577 for vulnerability assessment and G06N 20/00 for machine learning) and there has not been clear evidence provided to indicate that the level of ordinary skill in vulnerability assessment would necessarily include the use of machine learning. Applicant further argues that the specification describes synthesizing information from various sources such as historical data and false positive analysis where this synthesis is enhanced by AI/ML algorithms (pages 13-14 of the present response, citing paragraphs 0046, 0047, 0051-0055, and 0079) and asserts that the inventor has therefore provided a detailed functional description of a process for synthesizing these insights (page 14 of the present response). However, again, it is noted that there is no explanation of how to modify a workload or update a protocol based on any decision and what combinations of the decisions and probabilities would actually lead to a decision to modify the disposition action or what action to apply. Again, the specification appears to have no specific algorithm or other working example of how the determination of whether to apply the action is to be made. The lack of details or examples in any detail suggests that there is little direction provided by the inventor. Combined with the broad scope of the claims, this suggests that the enablement of the description is not commensurate in scope with the claims (MPEP § 2164.08) and that undue experimentation would be required to make or use the invention based on the disclosure (MPEP § 2164.06). Regarding the rejection of Claims 1-20 under 35 U.S.C. 112(b) as indefinite, Applicant argues that “the security vulnerability” has proper antecedent basis in Claim 1, line 5 (page 15 of the present response). However, although this does recite “a security vulnerability”, the claim further recites “one or more security vulnerabilities” in line 8. Therefore, subsequent references to “the security vulnerability” are unclear as to which of these plural vulnerabilities these limitations are intended to refer. See MPEP § 2173.05(e). Therefore, for the reasons detailed above, the Examiner maintains the rejections as set forth below. Information Disclosure Statement Although Applicant states that a copy of a previously-cited document was filed concurrently with the present response (page 9 of the present response), Applicant has not filed an required information disclosure statement as required for consideration of this reference. Drawings The objection to Figure 1 as requiring a prior art label is withdrawn in light of Applicant’s remarks (pages 9-10 of the present response). The objection to the drawings for failure to comply with 37 CFR 1.84(p)(5) is withdrawn in light of the amendments to the specification. The objection to the drawings for informalities is NOT withdrawn for the reasons detailed above with respect to Figure 4. The drawings are objected to because they include informalities. In particular, the flow of Figure 4 is generally unclear. It is not clear what is done after step 304 or if it proceeds to step 306. It is also not clear whether the logging in step 309 is then fed to step 310. Additionally, the decision in step 318 is unclear as to what leads to a yes or no result. Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. The figure or figure number of an amended drawing should not be labeled as “amended.” If a drawing figure is to be canceled, the appropriate figure must be removed from the replacement sheet, and where necessary, the remaining figures must be renumbered and appropriate changes made to the brief description of the several views of the drawings for consistency. Additional replacement sheets may be necessary to show the renumbering of the remaining figures. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance. Specification The objection to the disclosure for informalities is withdrawn in light of the amendments to the specification. Applicant’s cooperation is again requested in correcting any other errors of which applicant may become aware in the specification. The specification is objected to as failing to provide proper antecedent basis for the claimed subject matter. See 37 CFR 1.75(d)(1) and MPEP § 608.01(o). Correction of the following is required: Independent Claims 1 and 11 have been amended to recite “automatically modifying, upon determining to apply the automated disposition action, the application workload to mitigate the security vulnerability” or similar language. However, there appears to be no mention in the specification of automatically modifying the workload. Therefore, there is not clearly proper antecedent basis for the claimed subject matter in the specification. For further detail, see below with respect to the rejection under 35 U.S.C. 112(a) for failure to comply with the written description requirement. Claim Rejections - 35 USC § 101 The rejection of Claims 1-20 under 35 U.S.C. 101 is withdrawn (or moot) in light of the amendments to the independent claims reciting modifying the workload to mitigate a vulnerability, which integrates the recited abstract ideas into a practical application (or in light of the cancellation of the claims). Claim Rejections - 35 USC § 112 The rejection of Claims 1, 2, 5-12, and 15-20 under 35 U.S.C. 112(a) for failure to comply with the enablement requirement is NOT withdrawn for the reasons detailed above. The rejection of Claims 1, 2, 5-12, and 15-20 under 35 U.S.C. 112(b) as indefinite is NOT withdrawn because not all issues have been addressed and/or because the amendments have raised new issues, as detailed below. The rejections of Claims 3, 4, 13, and 14 are moot in light of the cancellation of the claims. The following is a quotation of 35 U.S.C. 112(a): (a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention. The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112: The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention. Claims 1, 2, 5-12, and 15-20 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claims contain subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention. Independent Claims 1 and 11 have been amended to recite “automatically modifying, upon determining to apply the automated disposition action, the application workload to mitigate the security vulnerability” or similar language. However, there appears to be no mention in the specification of automatically modifying the workload, and Applicant has not clearly pointed out where the claims as amended are supported in the specification. See also MPEP § 2163.04. Therefore, there is not clearly sufficient written description of the claimed subject matter in the specification. Claims not explicitly referred to above are rejected due to their dependence on a rejected base claim. Claims 1, 2, 5-12, and 15-20 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the enablement requirement. The claims contain subject matter which was not described in the specification in such a way as to enable one skilled in the art to which it pertains, or with which it is most nearly connected, to make and/or use the invention. A determination of a failure to comply with the enablement requirement is made considering the undue experimentation factors set forth in MPEP § 2164.01(a). In the present application, the factors which appear to weigh most heavily are the breadth of the claims (MPEP § 2164.08), the amount of direction provided by the inventor (MPEP § 2164.03), and the existence of working examples (MPEP § 2164.02). Independent Claims 1 and 11 broadly recite “predicting a probability that the security vulnerability is a false positive based on an analysis of one or more characteristics of the security vulnerability and historical data pertaining to one or more similar security vulnerabilities”. The phrase “predicting a probability” is a broad recitation, and the claims do not recite any details of the algorithms or equations used to predict such a probability. Although the specification generally discusses using artificial intelligence to predict a likelihood of a false positive (see paragraphs 0039-0044), and the claims now recite that predicting the probability “includes using artificial intelligence trained using the historical data”, there appears to be no detail provided in the specification of how such an artificial intelligence would need to be trained to make such predictions. The specification appears to have no specific algorithm, equation, or other working example of how the probability is to be predicted. The independent claims also broadly recite “determining whether to apply an automated disposition action for the security vulnerability based on the one or more precedent decisions and the probability of the security vulnerability being a false positive”. The phrase “based on the one or more precedent decisions and the probability” is a broad recitation, and the claims do not recite any details of algorithms used to make such a determination. Although the specification generally describes a “synthesis of the insights” (see paragraph 0079), there is not clear description of how to combine the decisions and probability and what combinations would lead to applying the automated action or not. Although paragraph 0079 describes various disposition actions (such as modifying a workload or updating protocols) contingent upon the evaluated risk and precedents, there is no explanation of how it would be determined whether to modify a workload or update a protocol, or how such modification or update would occur. The specification appears to have no specific algorithm or other working example of how the determination of whether to apply the action is to be made. The lack of details or examples in any detail suggests that there is little direction provided by the inventor. Combined with the broad scope of the claims, this suggests that the enablement of the description is not commensurate in scope with the claims (MPEP § 2164.08) and that undue experimentation would be required to make or use the invention based on the disclosure (MPEP § 2164.06). Claims not explicitly referred to above are rejected due to their dependence on a rejected base claim. The following is a quotation of 35 U.S.C. 112(b): (b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention. The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph: The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention. Claims 1, 2, 5-12, and 15-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention. Claim 1 recites “the security vulnerability” in lines 8-9, 15-17, and 19. However, the claim previously recited plural vulnerabilities, and it is not clear to which of the plural vulnerabilities these limitations are intended to refer. The claim additionally recites “automatically modifying, upon determining to apply the automated disposition action, the application workload to mitigate the security vulnerability” in lines 18-19. However, it is not clear what is done if it is determined not to apply the automated disposition action, which constitutes a gap in the claim. The above ambiguities render the claim indefinite. Claim 2 recites “comparing aspects” in line 1. It is not clear when this step occurs relative to the other claimed steps. The claim further recites “the security vulnerability” in line 2. It is not clear to which of the plural vulnerabilities this limitation is intended to refer. Claim 5 recites “the security vulnerability” in line 2. It is not clear to which of the plural vulnerabilities this limitation is intended to refer. Claim 8 recites “providing feedback” in line 1. It is not clear to whom or to what the feedback is provided. The claim further recites “the security vulnerability” in lines 1-2 and 3. It is not clear to which of the plural vulnerabilities this limitation is intended to refer. Claim 10 recites “the security vulnerability” in line 2. It is not clear to which of the plural vulnerabilities this limitation is intended to refer. The claim also recites that the disposition action includes modifying the application workload in line 3; it is not clear if this is an additional action supplementing the modification of the application workload in Claim 1. Claim 11 recites “the security vulnerability” in lines 13, 20-22, and 24. However, the claim previously recited plural vulnerabilities, and it is not clear to which of the plural vulnerabilities these limitations are intended to refer. The claim additionally recites that the system is caused to “automatically modify, upon determining to apply the automated disposition action, the application workload to mitigate the security vulnerability” in lines 23-24. However, it is not clear what is done if it is determined not to apply the automated disposition action, which constitutes a gap in the claim. The above ambiguities render the claim indefinite. Claim 12 recites that the system is caused to “compare aspects” in line 2. It is not clear when this step occurs relative to the other claimed steps. The claim further recites “the security vulnerability” in line 2. It is not clear to which of the plural vulnerabilities this limitation is intended to refer. Claim 15 recites that the instructions “cause the computer system to manually review” in lines 1-2. However, it is not clear how the computer system would perform a manual review when it appears that this would require a user to perform such a manual review. The claim further recites “the security vulnerability” in line 2. It is not clear to which of the plural vulnerabilities this limitation is intended to refer. Claim 16 recites “manually reviewing contributes to updating a disposition repository” in lines 1-2. It is not clear whether this contributing is intended to be a positive function of the system. Claim 18 recites that the system is caused to “provide feedback” in line 2. It is not clear to whom or to what the feedback is provided. The claim further recites “the security vulnerability” in lines 2 and 3. It is not clear to which of the plural vulnerabilities this limitation is intended to refer. Claim 20 recites “the security vulnerability” in line 2. It is not clear to which of the plural vulnerabilities this limitation is intended to refer. The claim also recites that the disposition action includes modifying the application workload in line 3; it is not clear if this is an additional action supplementing the modification of the application workload in Claim 11. Claims not explicitly referred to above are rejected due to their dependence on a rejected base claim. Examiner’s Note Because the claims are rendered indefinite and non-enabled and are not supported by the specification based on the numerous issues as detailed above in reference to the rejections under 35 U.S.C. 112(a) and (b), it has not been possible to fully construe pending Claims 1-20 for novelty under 35 U.S.C. 102 and non-obviousness under 35 U.S.C. 103. As per MPEP § 2173.06 II, if there is uncertainty as to the proper interpretation of the limitations of a claim, it would not be proper to reject such a claim on the basis of prior art. See also In re Steele, 305 F.2d 859, 134 USPQ 292 (CCPA 1962). A search has been performed to the extent possible, and references that appear to be relevant are cited below. Conclusion Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to Zachary A Davis whose telephone number is (571)272-3870. The examiner can normally be reached Monday-Friday, 9:00am-5:30pm, Eastern Time. Examiner interviews are available via telephone and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Rupal D Dharia can be reached at (571) 272-3880. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /Zachary A. Davis/Primary Examiner, Art Unit 2492