Prosecution Insights
Last updated: July 17, 2026
Application No. 18/606,669

SYSTEMS AND METHOD FOR GENERATING RISK SCORES

Final Rejection §103
Filed
Mar 15, 2024
Examiner
SHINGLES, KRISTIE D
Art Unit
2453
Tech Center
2400 — Computer Networks
Assignee
KnowBe4 Inc.
OA Round
3 (Final)
82%
Grant Probability
Favorable
4-5
OA Rounds
6m
Est. Remaining
96%
With Interview

Examiner Intelligence

Grants 82% — above average
82%
Career Allowance Rate
656 granted / 797 resolved
+24.3% vs TC avg
Moderate +13% lift
Without
With
+13.4%
Interview Lift
resolved cases with interview
Typical timeline
2y 10m
Avg Prosecution
27 currently pending
Career history
829
Total Applications
across all art units

Statute-Specific Performance

§101
1.5%
-38.5% vs TC avg
§103
51.6%
+11.6% vs TC avg
§102
42.2%
+2.2% vs TC avg
§112
0.2%
-39.8% vs TC avg
Black line = Tech Center average estimate • Based on career data from 797 resolved cases

Office Action

§103
Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . DETAILED ACTION Response to Amendment Claims have not been amended, canceled or added. Claims 1-20 are pending. Response to Arguments Applicant's arguments filed 4/20/2026 have been fully considered but they are not persuasive. With respect Independent Claims 1 and 11—Applicant argues that cited prior art SARIPALLI et al and SUNKAVALLY et al fail to explicitly teach “assigning each event to a bucket based on type associated with the event”. Examiner respectfully disagrees. SARIPALLI et al assigns bucket weights and dense rank weight-descending order of risk associated with each activity (paras 0088, 0195, 0346). SUNKAVALLY et al assigned events to buckets based on scores covering a range of values for each bucket, wherein all events that fall into specific bucket have a particular confidence score (paras 0005, 0027-40, 0053-58). The assignment of scores and weights are types “associated” and related to the event as described in the claim limitation, which fulfills the functionality of the claim language. Applicant’s arguments are therefore unpersuasive and the rejection under the cited prior arts are maintained. Claim Rejections - 35 USC § 103 II. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. III. CLAIMS 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over HEINEMEYER et al (US 2021/0194924) in view of SARIPALLI et al (US 2025/0088538) and SUNKAVALLY et al (US 2020/0349255). Per claim 1, HEINEMEYER et al teach a method for generating a risk score of a user based at least on groups of events related to security, the method comprising: receiving, by one or more servers, data associated with a plurality of events over time, the plurality of events representing one or more security risks associated with one or more users to an organization (paras 0026, 0028, 0066, 0069, 0082, 0091—receiving security threats and identifying potential risks); computing, by the one or more servers, a risk score for a user of the one or more users based at least on a function of the weight assigned to each bucket and a quantity of events in each bucket (paras 0033, 0112, 0116, 0118, 0125—threat level score and weighting); and providing, by the one or more servers, a graphical user interface configured to display the risk score and information identifying reasons computation of the risk score changes over time for the user (paras 0033, 0089, 0092, 0103, 0106, 0124-125, 0174—graphical user interface to display metrics, alerts and events for visual context of the data, making a suggested response to counter the displayed threat). HEINEMEYER et al teach employing system event logging tools the (paras 0057, 0073-74) limitations as applied above, yet fail to explicitly teach “identifying, by the one or more servers, a plurality of buckets for which to assign the plurality of events, each bucket identifying a collection of events that are assigned a level of risk from a plurality of levels of risk, each level of risk assigned a weight; assigning, by the one or more servers, each event of the plurality of events to a bucket of the plurality of buckets based at least on a type associated with each event”. However, SARIPALLI et al teach sensitivity buckets assigned to the event data, risk scores, anomaly scores, assigning bucket weights and security anomaly type and category associated event (page 9 Table, paras 0101-102, 0133, 0195, 0288-289, 0302-311, 0322, 0346, 0429-436). SUNKAVALLY et al teach assigning a weight to a bucket, wherein the weight reflects how much a change in a bucket contributes to the overall risk score relative to other buckets, and whether the bucket negatively or positively impacts the risk score (paras 0005, 0026-40, 0042, 0053-58). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed the invention to combine the teachings of HEINEMEYER et al with SARIPALLI et al and SUNKAVALLY et al for the purpose of provisioning buckets of assigned weights for anomaly types with risk scores and, which is well-known in the art for assigning weights to determine threat severity levels and categorizing risk events in buckets. Claim 11 contains limitations that are substantially equivalent to the limitations of claim 1 and are therefore rejected under the same basis. Per claim 2, HEINEMEYER et al with SARIPALLI et al and SUNKAVALLY et al teach the method of claim 1, HEINEMEYER et al further teach wherein the graphical user interface is further configured to display one or more recommendations for mitigations based on risk factors identified while generating the risk score (paras 0092, 0103, 0106—graphical user interface to display metrics, alerts, events and suggestions to counter the threat; SARIPALLI et al: paras 0004, 0029-31, 0036, 0290—security policy recommendation and graphical user interface). Claim 12 contains limitations that are substantially equivalent to the limitations of claim 2 and are therefore rejected under the same basis. Per claim 3, HEINEMEYER et al with SARIPALLI et al and SUNKAVALLY et al teach the method of claim 1, HEINEMEYER et al further teach the method further comprising determining, by the one or more servers, an action to take based at least on the risk score (paras 0028, 0033, 0037, 0065, 0125—security postures to mitigate, assigning threat level score and selecting actions when anomaly score/levels are met; SARIPALLI et al: paras 0027, 0068, 0076, 0079, 0082, 0101-102, 0175-178, 0195, 0197—calculating risk, anomaly and sensitivity scores, generating and implementing a security policy based on the risks/anomalies and security policy recommendations with mitigation actions; SUNKAVALLY et al: paras 0006, 0017-18, 0022-26—triggers for an alert based on risk score across a set of security events). Claim 13 contains limitations that are substantially equivalent to the limitations of claim 3 and are therefore rejected under the same basis. Per claim 4, HEINEMEYER et al with SARIPALLI et al and SUNKAVALLY et al teach the method of claim 3, HEINEMEYER et al further teach the method further comprising taking, by the one or more servers, the action of providing electronic training to the user corresponding to the risk score of the user or the action of initiating a simulated phishing campaign targeted to the user based at least on the risk score (Abstract, paras 0008-0012, 0019, 0024-25, 0027-30—training AI models with machine learning using a phishing email generator; SARIPALLI et al: paras 0058, 0083, 0090-98—trainable classifiers based on machine learning to identify anomalies). Claim 14 contains limitations that are substantially equivalent to the limitations of claim 4 and are therefore rejected under the same basis. Per claim 5, HEINEMEYER et al with SARIPALLI et al and SUNKAVALLY et al teach the method of claim 1, HEINEMEYER et al further teach wherein each event comprises a type of a risky event, a secure event or a mitigation event (paras 0028, 0032, 0065-66, 0097-98, 0103, 0123-125, 0130—event alerts, security vulnerabilities or security policy and mitigate; SARIPALLI et al: Abstract, paras 0004, 0027, 0031-33, 0068, 0079, 0316-322, 0367-368—risk events and mitigating security risks; SUNKAVALLY et al: paras 0022, 0051, 0072—distribution of risk scores across multiple security events). Claim 15 contains limitations that are substantially equivalent to the limitations of claim 5 and are therefore rejected under the same basis. Per claim 6, HEINEMEYER et al with SARIPALLI et al and SUNKAVALLY et al teach the method of claim 1, SARIPALLI et al further teach the method further comprising assigning, by the one or more servers, each of the plurality of buckets to an aggregator bucket of a plurality of aggregator buckets; each aggregator bucket of the plurality of aggregator buckets comprising a collection of one or more buckets representing related elements of security risk (page 9 Table, paras 0022, 0195—buckets and assigning bucket weights of aggregated records; SUNKAVALLY et al: Abstract, paras 0004-6, 0017-19, 0021-24, 0040, 0042, 0068-70—aggregate risk score associated with assigned buckets). Claim 16 contains limitations that are substantially equivalent to the limitations of claim 6 and are therefore rejected under the same basis. Per claim 7, HEINEMEYER et al with SARIPALLI et al and SUNKAVALLY et al teach the method of claim 6, SARIPALLI et al further teach wherein each aggregator bucket of the plurality of aggregator buckets is assigned second weight according to a second level of risk assigned to each aggregator bucket (page 9 Table, paras 0022, 0195—buckets and assigning bucket weights and rank weight of aggregated records; SUNKAVALLY et al: Abstract, paras 0005, 0038-44, 0056, 0070—corresponding weights indicating how much a change in a given bucket contributes to an overall score). Claim 17 contains limitations that are substantially equivalent to the limitations of claim 7 and are therefore rejected under the same basis. Per claim 8, HEINEMEYER et al with SARIPALLI et al and SUNKAVALLY et al teach the method of claim 6, SARIPALLI et al further teach the method further comprising generating, by the one or more servers, the risk score for the user based on the function of the second weight assigned to each aggregator bucket (para 0195—assigning dense rank weight-descending order of risk associated with activity and anomaly scores with aggregated records in the buckets; SUNKAVALLY et al: Abstract, paras 0004-6, 0017-19, 0021-24, 0040, 0042, 0068-70—aggregate risk score associated with assigned buckets). Claim 18 contains limitations that are substantially equivalent to the limitations of claim 8 and are therefore rejected under the same basis. Per claim 9, HEINEMEYER et al with SARIPALLI et al and SUNKAVALLY et al teach the method of claim 1, SARIPALLI et al further teach the method further comprising removing, by the one or more servers, an event of the plurality events from a bucket based on meeting a threshold of a number of look back days (paras 0101, 0176-178, 0193, 0195—buckets created at a document level with aggregate records at activity level, blind spot detection has 28-day window; HEINEMEYER et al: paras 0033, 0058-59, 0113, 0118—configurable threshold level of threat, bands of time in number of days; SUNKAVALLY et al: Abstract, paras 0006, 0025, 0063—triggers an alert based on one or more predefined threshold criteria). Claim 19 contains limitations that are substantially equivalent to the limitations of claim 9 and are therefore rejected under the same basis. Per claim 10, HEINEMEYER et al with SARIPALLI et al and SUNKAVALLY et al teach the method of claim 1, HEINEMEYER et al further teach further comprising modifying, by the one or more servers, the risk score based at least on one of a booster factor or an offset of the user or the organization (paras 0028, 0180-181—organization, factors fed into prioritization logic as parameters; SUNKAVALLY et al: paras 0050—scaling factor). Claim 20 contains limitations that are substantially equivalent to the limitations of claim 10 and are therefore rejected under the same basis. Conclusion IV. THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. V. Any inquiry concerning this communication or earlier communications from the examiner should be directed to KRISTIE D SHINGLES whose telephone number is (571)272-3888. The examiner can normally be reached on Monday-Thursday 10am-7pm. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kamal Divecha can be reached on 571-272-5863. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /KRISTIE D SHINGLES/ Primary Examiner, Art Unit 2453
Read full office action

Prosecution Timeline

Mar 15, 2024
Application Filed
Jul 22, 2025
Non-Final Rejection mailed — §103
Oct 20, 2025
Response Filed
Jan 20, 2026
Non-Final Rejection mailed — §103
Apr 20, 2026
Response Filed
Jul 01, 2026
Final Rejection mailed — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12683939
DEVICE AND A METHOD FOR THE DEVICE
2y 2m to grant Granted Jul 14, 2026
Patent 12683980
STREAMING AND FILTERING EVENT OBJECTS INTO A DATA LAKE
1y 10m to grant Granted Jul 14, 2026
Patent 12665927
SYSTEMS AND METHODS FOR INTERCEPTING CONVERGENT DATA STREAMS
2y 6m to grant Granted Jun 23, 2026
Patent 12652321
TECHNIQUES FOR DYNAMIC RESOLUTIONS
4y 10m to grant Granted Jun 09, 2026
Patent 12645821
EVENT INTEGRATED ACCESS GRAPH DATA MANAGEMENT
2y 3m to grant Granted Jun 02, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

4-5
Expected OA Rounds
82%
Grant Probability
96%
With Interview (+13.4%)
2y 10m (~6m remaining)
Median Time to Grant
High
PTA Risk
Based on 797 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month