Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
Response to Amendment
Claims have not been amended, canceled or added.
Claims 1-20 are pending.
Response to Arguments
Applicant’s arguments, see Remarks filed 10/20/2025, with respect to the rejection of the pending claims under 35 U.S.C. 103 have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground(s) of rejection is made in view of SUNKAVALLY et al (US 2020/0349255).
Claim Rejections - 35 USC § 103
II. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
III. CLAIMS 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over HEINEMEYER et al (US 2021/0194924) in view of SARIPALLI et al (US 2025/0088538) and SUNKAVALLY et al (US 2020/0349255).
Per claim 1, HEINEMEYER et al teach a method for generating a risk score of a user based at least on groups of events related to security, the method comprising:
receiving, by one or more servers, data associated with a plurality of events over time, the plurality of events representing one or more security risks associated with one or more users to an organization (paras 0026, 0028, 0066, 0069, 0082, 0091—receiving security threats and identifying potential risks);
computing, by the one or more servers, a risk score for a user of the one or more users based at least on a function of the weight assigned to each bucket and a quantity of events in each bucket (paras 0033, 0112, 0116, 0118, 0125—threat level score and weighting); and
providing, by the one or more servers, a graphical user interface configured to display the risk score and information identifying reasons computation of the risk score changes over time for the user (paras 0033, 0089, 0092, 0103, 0106, 0124-125, 0174—graphical user interface to display metrics, alerts and events for visual context of the data, making a suggested response to counter the displayed threat).
HEINEMEYER et al teach employing system event logging tools (paras 0057, 0073-74) and the limitations as applied above, yet fail to explicitly teach “identifying, by the one or more servers, a plurality of buckets for which to assign the plurality of events, each bucket identifying a collection of events that are assigned a level of risk from a plurality of levels of risk, each level of risk assigned a weight; assigning, by the one or more servers, each event of the plurality of events to a bucket of the plurality of buckets based at least on a type associated with each event”.
However, SARIPALLI et al teach sensitivity buckets assigned to the event data, risk scores, anomaly scores, assigning bucket weights and security anomaly type and category associated event (page 9 Table, paras 0101-102, 0133, 0195, 0288-289, 0302-311, 0322, 0346, 0429-436). SUNKAVALLY et al teach assigning a weight to a bucket, wherein the weight reflects how much a change in a bucket contributes to the overall risk score relative to other buckets, and whether the bucket negatively or positively impacts the risk score (paras 0005, 0026-40, 0042, 0053-58).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of HEINEMEYER et al with SARIPALLI et al and SUNKAVALLY et al for the purpose of provisioning buckets with assigned weights for anomaly types and risk scores, which is well-known in the art for assigning weights to determine threat severity levels and categorizing risk events in buckets.
Claim 11 contains limitations that are substantially equivalent to the limitations of claim 1 and are therefore rejected under the same basis.
Per claim 2, HEINEMEYER et al with SARIPALLI et al and SUNKAVALLY et al teach the method of claim 1, HEINEMEYER et al further teach wherein the graphical user interface is further configured to display one or more recommendations for mitigations based on risk factors identified while generating the risk score (paras 0092, 0103, 0106—graphical user interface to display metrics, alerts, events and suggestions to counter the threat; SARIPALLI et al: paras 0004, 0029-31, 0036, 0290—security policy recommendation and graphical user interface).
Claim 12 contains limitations that are substantially equivalent to the limitations of claim 2 and are therefore rejected under the same basis.
Per claim 3, HEINEMEYER et al with SARIPALLI et al and SUNKAVALLY et al teach the method of claim 1, HEINEMEYER et al further teach the method further comprising determining, by the one or more servers, an action to take based at least on the risk score (paras 0028, 0033, 0037, 0065, 0125—security postures to mitigate, assigning threat level score and selecting actions when anomaly score/levels are met; SARIPALLI et al: paras 0027, 0068, 0076, 0079, 0082, 0101-102, 0175-178, 0195, 0197—calculating risk, anomaly and sensitivity scores, generating and implementing a security policy based on the risks/anomalies and security policy recommendations with mitigation actions; SUNKAVALLY et al: paras 0006, 0017-18, 0022-26—triggers for an alert based on risk score across a set of security events).
Claim 13 contains limitations that are substantially equivalent to the limitations of claim 3 and are therefore rejected under the same basis.
Per claim 4, HEINEMEYER et al with SARIPALLI et al and SUNKAVALLY et al teach the method of claim 3, HEINEMEYER et al further teach the method further comprising taking, by the one or more servers, the action of providing electronic training to the user corresponding to the risk score of the user or the action of initiating a simulated phishing campaign targeted to the user based at least on the risk score (Abstract, paras 0008-0012, 0019, 0024-25, 0027-30—training AI models with machine learning using a phishing email generator; SARIPALLI et al: paras 0058, 0083, 0090-98—trainable classifiers based on machine learning to identify anomalies).
Claim 14 contains limitations that are substantially equivalent to the limitations of claim 4 and are therefore rejected under the same basis.
Per claim 5, HEINEMEYER et al with SARIPALLI et al and SUNKAVALLY et al teach the method of claim 1, HEINEMEYER et al further teach wherein each event comprises a type of a risky event, a secure event or a mitigation event (paras 0028, 0032, 0065-66, 0097-98, 0103, 0123-125, 0130—event alerts, security vulnerabilities or security policy and mitigate; SARIPALLI et al: Abstract, paras 0004, 0027, 0031-33, 0068, 0079, 0316-322, 0367-368—risk events and mitigating security risks; SUNKAVALLY et al: paras 0022, 0051, 0072—distribution of risk scores across multiple security events).
Claim 15 contains limitations that are substantially equivalent to the limitations of claim 5 and are therefore rejected under the same basis.
Per claim 6, HEINEMEYER et al with SARIPALLI et al and SUNKAVALLY et al teach the method of claim 1, SARIPALLI et al further teach the method further comprising assigning, by the one or more servers, each of the plurality of buckets to an aggregator bucket of a plurality of aggregator buckets; each aggregator bucket of the plurality of aggregator buckets comprising a collection of one or more buckets representing related elements of security risk (page 9 Table, paras 0022, 0195—buckets and assigning bucket weights of aggregated records; SUNKAVALLY et al: Abstract, paras 0004-6, 0017-19, 0021-24, 0040, 0042, 0068-70—aggregate risk score associated with assigned buckets).
Claim 16 contains limitations that are substantially equivalent to the limitations of claim 6 and are therefore rejected under the same basis.
Per claim 7, HEINEMEYER et al with SARIPALLI et al and SUNKAVALLY et al teach the method of claim 6, SARIPALLI et al further teach wherein each aggregator bucket of the plurality of aggregator buckets is assigned a second weight according to a second level of risk assigned to each aggregator bucket (page 9 Table, paras 0022, 0195—buckets and assigning bucket weights and rank weight of aggregated records; SUNKAVALLY et al: Abstract, paras 0005, 0038-44, 0056, 0070—corresponding weights indicating how much a change in a given bucket contributes to an overall score).
Claim 17 contains limitations that are substantially equivalent to the limitations of claim 7 and are therefore rejected under the same basis.
Per claim 8, HEINEMEYER et al with SARIPALLI et al and SUNKAVALLY et al teach the method of claim 6, SARIPALLI et al further teach the method further comprising generating, by the one or more servers, the risk score for the user based on the function of the second weight assigned to each aggregator bucket (para 0195—assigning dense rank weight-descending order of risk associated with activity and anomaly scores with aggregated records in the buckets; SUNKAVALLY et al: Abstract, paras 0004-6, 0017-19, 0021-24, 0040, 0042, 0068-70—aggregate risk score associated with assigned buckets).
Claim 18 contains limitations that are substantially equivalent to the limitations of claim 8 and are therefore rejected under the same basis.
Per claim 9, HEINEMEYER et al with SARIPALLI et al and SUNKAVALLY et al teach the method of claim 1, SARIPALLI et al further teach the method further comprising removing, by the one or more servers, an event of the plurality of events from a bucket based on meeting a threshold of a number of look back days (paras 0101, 0176-178, 0193, 0195—buckets created at a document level with aggregate records at activity level, blind spot detection has 28-day window; HEINEMEYER et al: paras 0033, 0058-59, 0113, 0118—configurable threshold level of threat, bands of time in number of days; SUNKAVALLY et al: Abstract, paras 0006, 0025, 0063—triggers an alert based on one or more predefined threshold criteria).
Claim 19 contains limitations that are substantially equivalent to the limitations of claim 9 and are therefore rejected under the same basis.
Per claim 10, HEINEMEYER et al with SARIPALLI et al and SUNKAVALLY et al teach the method of claim 1, HEINEMEYER et al further teach the method further comprising modifying, by the one or more servers, the risk score based at least on one of a booster factor or an offset of the user or the organization (paras 0028, 0180-181—organization, factors fed into prioritization logic as parameters; SUNKAVALLY et al: para 0050—scaling factor).
Claim 20 contains limitations that are substantially equivalent to the limitations of claim 10 and are therefore rejected under the same basis.
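As an added illustration (not code from the application, the examiner, or any of the cited references), the following Python sketch implements the scoring pipeline that claims 1 and 6 through 10 recite: events assigned to buckets by type, a weight per risk level, aggregator buckets carrying a second weight, a look-back window that drops stale events, a booster factor and offset applied to the score, and a per-bucket explanation of why the score moved between two dates. All bucket names, event types, weights, the sample events and the exact score formula are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical configuration (constructed for this example, not taken from any reference):
# event type -> bucket, bucket -> risk level, risk level -> weight,
# bucket -> aggregator bucket, aggregator bucket -> second weight.
EVENT_TYPE_TO_BUCKET = {
    "phishing_click": "clicked_links",
    "phishing_report": "reported_phish",
    "credential_submit": "credentials",
    "training_complete": "training",
    "mfa_enrolled": "mfa",
}
BUCKET_RISK_LEVEL = {
    "clicked_links": "high",
    "credentials": "critical",
    "reported_phish": "mitigation",
    "training": "mitigation",
    "mfa": "secure",
}
# Negative weights let secure and mitigation buckets pull the score down, so a bucket can
# impact the score either positively or negatively.
LEVEL_WEIGHT = {"critical": 10.0, "high": 5.0, "medium": 2.0, "secure": -2.0, "mitigation": -3.0}
BUCKET_TO_AGGREGATOR = {
    "clicked_links": "email_behavior",
    "credentials": "email_behavior",
    "reported_phish": "email_behavior",
    "training": "awareness",
    "mfa": "account_hygiene",
}
AGGREGATOR_WEIGHT = {"email_behavior": 1.5, "awareness": 1.0, "account_hygiene": 1.0}


@dataclass(frozen=True)
class Event:
    user: str
    event_type: str
    timestamp: datetime


def in_window(events, user, as_of, lookback_days):
    """Keep only this user's events inside the look-back window; older events are dropped."""
    cutoff = as_of - timedelta(days=lookback_days)
    return [e for e in events if e.user == user and cutoff < e.timestamp <= as_of]


def bucket_counts(events):
    """Assign each event to a bucket by its type and count events per bucket."""
    counts = {}
    for e in events:
        bucket = EVENT_TYPE_TO_BUCKET.get(e.event_type)
        if bucket is None:
            continue  # unmapped types are not scored; a real system would log them
        counts[bucket] = counts.get(bucket, 0) + 1
    return counts


def bucket_contributions(counts):
    """Per-bucket contribution = level weight * event count * aggregator (second) weight."""
    contrib = {}
    for bucket, n in counts.items():
        w = LEVEL_WEIGHT[BUCKET_RISK_LEVEL[bucket]]
        w2 = AGGREGATOR_WEIGHT[BUCKET_TO_AGGREGATOR[bucket]]
        contrib[bucket] = w * n * w2
    return contrib


def risk_score(events, user, as_of, lookback_days=30, booster=1.0, offset=0.0):
    """Score = booster * sum(bucket contributions) + offset, floored at zero."""
    contrib = bucket_contributions(bucket_counts(in_window(events, user, as_of, lookback_days)))
    return max(0.0, booster * sum(contrib.values()) + offset)


def explain_change(events, user, earlier, later, lookback_days=30):
    """Reasons the score moved between two dates: non-zero per-bucket deltas, largest first."""
    before = bucket_contributions(bucket_counts(in_window(events, user, earlier, lookback_days)))
    after = bucket_contributions(bucket_counts(in_window(events, user, later, lookback_days)))
    deltas = {b: after.get(b, 0.0) - before.get(b, 0.0) for b in set(before) | set(after)}
    return sorted(((b, d) for b, d in deltas.items() if d != 0.0), key=lambda x: -abs(x[1]))


# Constructed sample events for two users
T0 = datetime(2025, 1, 1)
SAMPLE_EVENTS = [
    Event("alice", "phishing_click", T0 - timedelta(days=45)),   # outside a 30-day window at T0
    Event("alice", "phishing_click", T0 - timedelta(days=10)),
    Event("alice", "credential_submit", T0 - timedelta(days=10)),
    Event("alice", "training_complete", T0 - timedelta(days=2)),
    Event("alice", "mfa_enrolled", T0 + timedelta(days=5)),      # after T0: counts only later
    Event("bob", "phishing_click", T0 - timedelta(days=1)),
]

if __name__ == "__main__":
    print("alice @T0:", risk_score(SAMPLE_EVENTS, "alice", T0))
    print("alice @T0+7d:", risk_score(SAMPLE_EVENTS, "alice", T0 + timedelta(days=7)))
    print("why it changed:", explain_change(SAMPLE_EVENTS, "alice", T0, T0 + timedelta(days=7)))
```

Running the script shows the 45-day-old click excluded by the 30-day window, the score dropping when the MFA enrollment enters the window, and the explanation naming the single bucket responsible for that drop.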
Conclusion
IV. The prior art made of record and not relied upon is considered pertinent to Applicant's disclosure: USPN 12242892, USPN 11687438, USPN 12107879, US 2021/01117868, US 2023/0328084.
V. Any inquiry concerning this communication or earlier communications from the examiner should be directed to KRISTIE D SHINGLES whose telephone number is (571)272-3888. The examiner can normally be reached on Monday-Thursday 10am-7pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kamal Divecha can be reached on 571-272-5863. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/KRISTIE D SHINGLES/
Primary Examiner, Art Unit 2453