DETAILED ACTION
This office action is in response to the application filed on 01/20/2026. Claims 1-20 are pending and have been examined.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Arguments
Applicant’s amendments regarding the 112(f) interpretation for claim 10 add sufficient structure, overcoming the interpretation.
Applicant's arguments filed on 1/20/2026 have been fully considered but they are not persuasive for the following reasons:
Applicant’s Argument:
The art of record does not teach or reasonably suggest every limitation of amended claim 1. In particular, the cited art does not disclose making API calls using modified addresses for the APIs and the additional APIs to discover the hidden APIs as recited by amended claim 1.
Preventing external tracking of a host web page as generally discussed by Sanchez is different than discovering hidden APIs. Intercepting API calls that include unauthorized code to read/write to storage accessible via a web page and then removing or otherwise obfuscating a portion of the corresponding API response generated using the code is different than making API calls using modified addresses to discover hidden or otherwise undocumented APIs. While Sanchez discusses modifying an API response, Sanchez does not discuss modifying the address of the API response but instead discusses returning the API response to the entity that sent the API call. Since Sanchez discusses transferring the modified API response to the external domain that sent the API call, the modified API response would not result in the discovery of a hidden API. Moreover, modifying an API response is different than transferring an API call with a modified address. Kravtsov does not alleviate the deficiencies of Sanchez. As such, the cited combination does not teach or reasonably suggest making API calls using modified addresses for the APIs and the additional APIs to discover the hidden APIs as recited by claim 1.
(Applicant’s response filed on 1/20/2026, page 7-9).
Examiner’s Response:
The Examiner respectfully disagrees. The cited portion of Sanchez, Col. 4 Ln. 25-41, teaches “creating an altered API response by obfuscating the response to the portion of frame code that contains instructions to read from or write to the storage that is accessible to the web browser; and transmitting the altered API response to the hidden external domain,” which clearly teaches the concept of altering the API response. Sanchez applies the same concept to requests at Col. 11 Ln. 42-46: “Once the obfuscator has created the altered web request by obfuscating header values that include identifiers, the privacy application may transmit the altered web request to the web browser.” Altering web requests and the header values of an API can change the address of said API. Further, transmitting the API response back to the identified hidden API, taken together with Krav ¶ 10 and 32 (“The operations include generating a catalog of a plurality of API definitions, generating a plurality of runtime APIs, mapping the plurality of runtime APIs to the API definition, and/or creating a tab for the API definition in the catalog of API definitions, wherein the tab visually represents the plurality of runtime APIs. Runtime APIs 180 may be subject to specification reconstruction, which may highlight shadow APIs, zombie APIs, and the like.”), shows that the system is performing discovery, since information can only be sent to a destination once that destination is known. As such, the combination of Krav and Sanchez teaches the claimed limitation.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1, 10, and 18-19 are rejected under 35 U.S.C. 103 as being unpatentable over Kravtsov (US 2024/0134979 A1), hereinafter Krav, in view of Sanchez Rola (US 11,528,257 B1), hereinafter Sanchez.
Regarding Claim(s) 1, 10, and 19 Krav teaches:
A method to discover hidden Application Programming Interfaces (APIs) and detect security vulnerabilities in the hidden APIs, the method comprising: (Krav ¶ 7 teaches, an application security tool includes one or more processors and one or more computer-readable non-transitory storage media coupled to the one or more processors and including instructions that, when executed by the one or more processors, cause the application security tool to perform operations. The operations include generating an application programming interface (API) definition by observing traffic. The API definition may be associated with an API definition name and an API specification. ¶ 9 teaches, in response to performing the runtime analysis, whether the API definition is a shadow API, (i.e., hidden API) and/or determining, in response to performing the runtime analysis, whether the API definition is a zombie API.)
accessing Cloud Security Posture Management (CSPM) logs; (Krav ¶ 36 teaches, this concept may be extended to any issue found in the code in that same sequence. For example, this concept may be extended to a cloud security posture management (CSPM) tool. Krav ¶ 10 teaches, the operations include generating a catalog of a plurality of API definitions, generating a plurality of runtime APIs, mapping the plurality of runtime APIs to the API definition, and/or creating a tab for the API definition in the catalog of API definitions, wherein the tab visually represents the plurality of runtime APIs. (i.e., getting the information from the CSPM))
discovering APIs based on the CSPM logs; (Krav ¶ 10 teaches, the operations include generating a catalog of a plurality of API definitions, generating a plurality of runtime APIs, mapping the plurality of runtime APIs to the API definition, and/or creating a tab for the API definition in the catalog of API definitions, wherein the tab visually represents the plurality of runtime APIs.)
identifying additional APIs that are not present in the CSPM logs; (Krav ¶ 32 teaches, Runtime APIs 180 may be subject to specification reconstruction, which may highlight shadow APIs, zombie APIs, and the like. (i.e., APIs that are not present))
testing discovered APIs to determine attack surfaces, wherein the discovered APIs comprise the APIs, the additional APIs, and the hidden APIs. (Krav ¶ 13 teaches, as vulnerabilities are discovered, (i.e., APIs) either in infrastructural components or in the software for the server application, the artifact trees are attributed with those discovered issues. The artifact trees with the discovered vulnerabilities can be used for pen-testers and fuzzers. For example, specific tests may be developed that try to exploit those vulnerabilities. (i.e., attack surfaces))
Krav does not appear to explicitly teach but in related art:
making API calls using modified addresses for the APIs and the additional APIs to discover the hidden APIs; and (Sanchez Col. 4 Ln. 25-41 teaches, creating an altered API response by obfuscating the response to the portion of frame code that contains instructions to read from or write to the storage that is accessible to the web browser; (i.e., modified addresses) and transmitting the altered API response to the hidden external domain. (i.e., discover the hidden API))
It would have been obvious to one of ordinary skill in the art, prior to the applicant's earliest effective filing date, to combine the teachings of Krav with Sanchez, modifying the system for API security integration of Krav with the testing of APIs of Sanchez. The motivation to do so is given in Sanchez Col. 19 Ln. 30-32: the tracking activities of these domains may be avoided, and a user's online privacy may be protected.
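The claim 1 limitations above (discovering APIs from CSPM/gateway access logs, identifying additional APIs not present in those logs, and the shadow/zombie classification of Krav ¶ 32) and the claim 3 limitation on inferring additional APIs from their association with logged APIs describe an inventory-reconciliation step. The following is an added illustration written for this page; it is not code from the application, from Krav, or from Sanchez. The log lines, the OpenAPI-style path table, and the `{id}` normalisation rule are constructed assumptions, and the script performs no network access: it only compares what the logs show was called against what the specification documents.

```python
import re

# Constructed sample of API gateway / CSPM access log lines (assumed format, not from any reference).
SAMPLE_LOG = """\
2026-01-20T10:00:01Z method=GET path=/v1/users/123 status=200 src=10.0.0.5
2026-01-20T10:00:02Z method=POST path=/v1/orders status=201 src=10.0.0.7
2026-01-20T10:00:03Z method=GET path=/v1/users/456/export status=200 src=10.0.0.9
2026-01-20T10:00:04Z method=GET path=/internal/debug/config status=200 src=10.0.0.9
2026-01-20T10:00:05Z method=DELETE path=/v1/users/123 status=403 src=10.0.0.5
"""

# Constructed OpenAPI-style inventory: (method, path template) pairs the spec documents.
SAMPLE_SPEC = {
    ("GET", "/v1/users/{id}"),
    ("DELETE", "/v1/users/{id}"),
    ("POST", "/v1/orders"),
    ("GET", "/v1/orders/{id}"),  # documented but never called in the sample log
}

LOG_RE = re.compile(r"method=(?P<method>[A-Z]+) path=(?P<path>\S+) status=(?P<status>\d+)")


def normalise(path):
    """Collapse numeric or UUID-like path segments to {id} so concrete calls
    line up with the spec's templated paths (assumed convention)."""
    parts = []
    for seg in path.strip("/").split("/"):
        parts.append("{id}" if re.fullmatch(r"\d+|[0-9a-f-]{32,36}", seg) else seg)
    return "/" + "/".join(parts)


def discover_from_logs(log_text):
    """Claim 1 / claim 5: build the set of APIs actually called, with historic call counts."""
    observed = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        key = (m["method"], normalise(m["path"]))
        observed[key] = observed.get(key, 0) + 1
    return observed


def reconcile(observed, spec):
    """Krav-style shadow/zombie classification of the observed inventory against the spec."""
    obs = set(observed)
    return {
        "shadow": sorted(obs - spec),             # called, but undocumented
        "zombie": sorted(spec - obs),             # documented, but never called
        "documented_active": sorted(obs & spec),  # documented and in use
    }


def associate_shadow(shadow, spec):
    """Claim 3: relate each undocumented endpoint to the longest documented
    path it extends, so it can be attributed to an owning API (None if unrelated)."""
    doc_paths = {p for _, p in spec}
    result = {}
    for method, path in shadow:
        parents = [p for p in doc_paths if path.startswith(p + "/")]
        result[(method, path)] = max(parents, key=len) if parents else None
    return result


if __name__ == "__main__":
    observed = discover_from_logs(SAMPLE_LOG)
    summary = reconcile(observed, SAMPLE_SPEC)
    for bucket, items in summary.items():
        print(bucket)
        for method, path in items:
            print(f"  {method:6} {path}  calls={observed.get((method, path), 0)}")
    print("shadow -> nearest documented parent:", associate_shadow(summary["shadow"], SAMPLE_SPEC))
```

In the sample, `/v1/users/{id}/export` is flagged as a shadow endpoint associated with the documented `/v1/users/{id}` resource, `/internal/debug/config` is flagged with no documented parent at all (the case most worth a manual review), and `GET /v1/orders/{id}` is a zombie candidate that is documented but never exercised. The counts carried in `observed` are the historic-call data of claim 5; the reconciliation itself needs no request to be sent.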
Regarding Claim 18 Krav in view of Sanchez teaches:
The system of claim 10 further comprising computing circuitry configured to execute the CSPM discover agent, the API log analyzer, and the attack surface discovery module. (Krav ¶ 7 teaches, an application security tool includes one or more processors and one or more computer-readable non-transitory storage media coupled to the one or more processors and including instructions that, when executed by the one or more processors, cause the application security tool to perform operations.)
Claims 2 and 11 are rejected under 35 U.S.C. 103 as being unpatentable over Krav in view of Sanchez as applied to claim 1 above, and further in view of Petefish (US 2023/0396643 A1), hereinafter Petefish.
Regarding Claim(s) 2 and 11 Krav in view of Sanchez teaches:
The method of claim 1 further comprising, (Krav in view of Sanchez teaches the parent claim above.)
Krav in view of Sanchez does not appear to explicitly teach but in related art:
generating a report that identifies the discovered APIs and that indicates the attack surfaces. (Petefish ¶ 16 teaches, including a server for identifying and reporting vulnerabilities of the networked system (i.e., discovered APIs). the client portal 410 allows the server 110 to provide results (e.g., the first vulnerability report 432 and the second vulnerability report 434) of penetration testing of the networked system 100 in real-time. (i.e. attack surfaces))
It would have been obvious to one of ordinary skill in the art, prior to the applicant's earliest effective filing date, to combine the teachings of Krav in view of Sanchez with Petefish, modifying the system for API security integration of Krav and the testing of APIs of Sanchez with the vulnerability report of Petefish. The motivation to do so is given in Petefish ¶ 3: to help identify susceptibility to application, network, cloud and operating system breaches.
Claims 3 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Krav in view of Sanchez as applied to claim 1 above, and further in view of Cooney (US 2024/0275842 A1), hereinafter Cooney.
Regarding Claim(s) 3 and 12 Krav in view of Sanchez teaches:
The method of claim 1, (Krav in view of Sanchez teaches the parent claim above.)
Krav in view of Sanchez does not appear to explicitly teach but in related art:
wherein identifying the additional APIs that are not present in the CSPM logs comprises inferring that the additional APIs exist based on an association with the APIs identified in the CSPM logs. (Cooney ¶ 72-74 teaches, the log correlation engine 290 may analyze and correlate the events contained in the logs, the information describing the observed network traffic, and/or the information describing the snapshot of the network 200 to automatically detect statistical anomalies, correlate intrusion events or other events with the vulnerabilities and assets in the network 200, search the correlated event data for information meeting certain criteria, or otherwise manage vulnerabilities and assets in the network 200. (i.e., inferring security information from log data))
It would have been obvious to one of ordinary skill in the art, prior to the applicant's earliest effective filing date, to combine the teachings of Krav in view of Sanchez with Cooney, modifying the system for API security integration and CSPM of Krav and the testing of APIs of Sanchez with the log correlation of Cooney. The motivation to do so is given in Cooney ¶ 68: to generate or update a comprehensive model associated with the network.
Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over Krav in view of Sanchez as applied to claims 1 and 19 above, and further in view of Petefish and Cooney.
Regarding Claim(s) 20 Krav in view of Sanchez teaches:
The computer-readable storage media of claim 18 (Examiner believes the claim is meant to be dependent on claim 19 and is interpreted as such.) wherein the operations further comprise: (Krav in view of Sanchez teaches the parent claim above.)
Krav in view of Sanchez does not appear to explicitly teach but in related art:
generating a report that identifies the discovered APIs and that indicates the attack surfaces; and wherein: (Petefish ¶ 16 teaches, including a server for identifying and reporting vulnerabilities of the networked system (i.e., discovered APIs). the client portal 410 allows the server 110 to provide results (e.g., the first vulnerability report 432 and the second vulnerability report 434) of penetration testing of the networked system 100 in real-time. (i.e. attack surfaces))
It would have been obvious to one of ordinary skill in the art, prior to the applicant's earliest effective filing date, to combine the teachings of Krav in view of Sanchez with Petefish, modifying the system for API security integration of Krav and the testing of APIs of Sanchez with the vulnerability report of Petefish. The motivation to do so is given in Petefish ¶ 3: to help identify susceptibility to application, network, cloud and operating system breaches.
Krav-Sanchez-Petefish does not appear to explicitly teach but in related art:
identifying the additional APIs that are not present in the CSPM logs comprises inferring that the additional APIs exist based on an association with the APIs identified in the
(Cooney ¶ 72-74 teaches, the log correlation engine 290 may analyze and correlate the events contained in the logs, the information describing the observed network traffic, and/or the information describing the snapshot of the network 200 to automatically detect statistical anomalies, correlate intrusion events or other events with the vulnerabilities and assets in the network 200, search the correlated event data for information meeting certain criteria, or otherwise manage vulnerabilities and assets in the network 200. (i.e., inferring security information from log data))
It would have been obvious to one of ordinary skill in the art, prior to the applicant's earliest effective filing date, to combine the teachings of Krav in view of Sanchez with Cooney, modifying the system for API security integration and CSPM of Krav and the testing of APIs of Sanchez with the log correlation of Cooney. The motivation to do so is given in Cooney ¶ 68: to generate or update a comprehensive model associated with the network.
Claims 4 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Krav in view of Sanchez as applied to claim 1 above, and further in view of Morgan (US 2024/0031664 A1), hereinafter Morgan.
Regarding Claim(s) 4 and 13 Krav in view of Sanchez teaches:
The method of claim 1 wherein accessing the CSPM logs comprises: (Krav in view of Sanchez teaches the parent claim above.)
Krav in view of Sanchez does not appear to explicitly teach but in related art:
obtaining CSPM log credentials; (Morgan ¶ 65 teaches, The security gateway 102 then exchanges tokens for database credentials with the identity pool 232. The security gateway 102 is then granted access to the cloud-based database 202 based upon the credentials.)
utilizing the CSPM log credentials to transfer CSPM log requests to one or more of an API gateway, load balancer, or API access log to retrieve the CSPM logs; (Morgan ¶ 65 teaches, The security gateway 102 then exchanges tokens for database credentials with the identity pool 232. The security gateway 102 is then granted access to the cloud-based database 202 based upon the credentials. ¶ 69 teaches, The security gateway 102 may access the cloud-based database 202 through an Application Program Interface (API) Gateway. The API Gateway validates the tokens from a successful user pool 230 authentication and uses those tokens to grant users access to the resources within the security gateway 102 and the cloud-based database 202.) and
receiving the CSPM logs from the one or more of the API gateway, load balancer, or API access log. (Morgan ¶ 65 teaches, the security gateway 102 then exchanges tokens for database credentials with the identity pool 232. The security gateway 102 is then granted access to the cloud-based database 202 based upon the credentials. ¶ 69 teaches, the security gateway 102 may access the cloud-based database 202 through an Application Program Interface (API) Gateway. The API Gateway validates the tokens from a successful user pool 230 authentication and uses those tokens to grant users access to the resources within the security gateway 102 and the cloud-based database 202. (i.e., logs))
It would have been obvious to one of ordinary skill in the art, prior to the applicant's earliest effective filing date, to combine the teachings of Krav in view of Sanchez with Morgan, modifying the system for API security integration and CSPM of Krav and the testing of APIs of Sanchez with the credentials used to access information via an API gateway of Morgan. The motivation to do so is given in Morgan ¶ 69: to grant users access to the resources within the security gateway and the cloud-based database.
Claims 5 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Krav in view of Sanchez as applied to claim 1 above, and further in view of Horowitz (US 10,331,677 B1), hereinafter Horowitz.
Regarding Claim(s) 5 and 14 Krav in view of Sanchez teaches:
The method of claim 1 wherein: (Krav in view of Sanchez teaches the parent claim above.)
Krav in view of Sanchez does not appear to explicitly teach but in related art:
the CSPM logs indicate historic calls to the APIs; and (Horowitz Col. 22 Ln. 10-18 teaches, The API data 366 can include log files from the contextual connection system's API. These log files can include a history of calls made to the API by registered applications and/or a master application.)
discovering the APIs based on the CSPM logs comprises discovering the APIs based on the historic calls to the APIs. (Horowitz Col. 1 Ln. 15-25 teaches, the contextual connection system can further use the data in the database to perform contextually relevant searches on behalf of a node. In various implementations, the data considered by the search can include data generated through use of multiple different, unrelated applications.)
It would have been obvious to one of ordinary skill in the art, prior to the applicant's earliest effective filing date, to combine the teachings of Krav in view of Sanchez with Horowitz, modifying the system for API security integration and CSPM of Krav and the testing of APIs of Sanchez with the historic API calls and contextual connection system of Horowitz. The motivation to do so constitutes applying a known technique (analyzing historical information) to known devices and/or methods for API integrity that are ready for improvement, yielding the predictable result of a system better able to predict threats.
Claims 6-7 and 15-16 are rejected under 35 U.S.C. 103 as being unpatentable over Krav in view of Sanchez as applied to claim 1 above, and further in view of Shishir (US 2022/0060398 A1), hereinafter Shishir.
Regarding Claim(s) 6 and 15 Krav in view of Sanchez teaches:
The method of claim 1 wherein identifying the additional APIs that are not present in the CSPM logs comprises: (Krav in view of Sanchez teaches the parent claim above.)
Krav in view of Sanchez does not appear to explicitly teach but in related art:
identifying ancillary API endpoints based on an open API specification associated with the APIs;
pinging the ancillary API endpoints; and (Shishir ¶ 15 teaches, the functionality set of checks may include checking if a service API endpoint is functioning by performing a ping test. Additionally, the functionality set of checks may include checking if all dependent service endpoints, e.g., endpoints within a chain of services that are executed as a chain of services, are operating by performing a ping test. The dependent endpoints may be determined by reading policies of containers which contain a list of dependencies. (i.e., specification associated with))
discovering the additional APIs based on ones of the ancillary API endpoints that responded to the pinging. (Shishir ¶ 15 teaches, the functionality set of checks may include checking if a service API endpoint is functioning by performing a ping test. (i.e., if the endpoint is active it will respond to the ping))
It would have been obvious to one of ordinary skill in the art, prior to the applicant's earliest effective filing date, to combine the teachings of Krav in view of Sanchez with Shishir, modifying the system for API security integration and CSPM of Krav and the testing of APIs of Sanchez with the pinging of API endpoints of Shishir. The motivation to do so is given in Shishir ¶ 15: to check if an endpoint is functioning.
Regarding Claim(s) 7 and 16 Krav-Sanchez-Shishir teaches:
The method of claim 1 wherein transferring the API calls using modified addresses for the APIs and the additional APIs comprises: (Krav in view of Sanchez teaches the parent claim above.)
addressing the API calls for API endpoints not referenced in the CSPM logs or an open API specification associated with the APIs; (Shishir ¶ 15 teaches, the functionality set of checks may include checking if a service API endpoint is functioning by performing a ping test. Additionally, the functionality set of checks may include checking if all dependent service endpoints, e.g., endpoints within a chain of services that are executed as a chain of services, are operating by performing a ping test)
transferring the API calls to the API endpoints; and (Shishir ¶ 15 teaches, the functionality set of checks may include checking if a service API endpoint is functioning by performing a ping test. Additionally, the functionality set of checks may include checking if all dependent service endpoints, e.g., endpoints within a chain of services that are executed as a chain of services, are operating by performing a ping test. (i.e., transferring to endpoints))
discovering the hidden APIs based on ones of the API endpoints that responded to the API calls. (Shishir ¶ 15 teaches, the functionality set of checks may include checking if a service API endpoint is functioning by performing a ping test. Additionally, the functionality set of checks may include checking if all dependent service endpoints, e.g., endpoints within a chain of services that are executed as a chain of services, are operating by performing a ping test. (i.e., if the endpoint pings it is found/functioning))
The motivation given for claim 6 is equally applicable to the above claims.
Claims 8 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Krav in view of Sanchez as applied to claim 1 above, and further in view of Duplys (US 2023/0161651 A1), hereinafter Duplys.
Regarding Claim(s) 8 and 17 Krav in view of Sanchez teaches:
The method of claim 1 wherein testing the discovered APIs to determine the attack surfaces comprises: (Krav in view of Sanchez teaches the parent claim above.)
generating improper API calls that comprise attributes that are not present in expected API calls for the discovered APIs; (Sanchez Col. 4 Ln. 25-41 teaches, creating an altered API response by obfuscating the response to the portion of frame code that contains instructions to read from or write to the storage that is accessible to the web browser; (i.e., improper modified addresses) and transmitting the altered API response to the hidden external domain. (i.e., discover the hidden API))
transferring the improper API calls to the discovered APIs to attempt to (Sanchez Col. 4 Ln. 25-41 teaches, creating an altered API response by obfuscating the response to the portion of frame code that contains instructions to read from or write to the storage that is accessible to the web browser; (i.e., improper modified addresses) and transmitting the altered API response to the hidden external domain. (i.e., discover the hidden API. An improper call would perform a non))
determining the attack surfaces based on ones of the discovered APIs that implemented the improper API calls. (Krav ¶ 13 teaches, as vulnerabilities are discovered, (i.e., APIs) either in infrastructural components or in the software for the server application, the artifact trees are attributed with those discovered issues. The artifact trees with the discovered vulnerabilities can be used for pen-testers and fuzzers. For example, specific tests may be developed that try to exploit those vulnerabilities. (i.e., attack surfaces))
Krav in view of Sanchez does not appear to explicitly teach but in related art:
drive the discovered APIs to perform unauthorized actions; and (Duplys ¶ 5 teaches, APIs are subject to security vulnerabilities caused by bad actors attempting to force access to the API by making unauthorized function calls to an API from outside, or inside, the computer system hosting the API.)
It would have been obvious to one of ordinary skill in the art, prior to the applicant's earliest effective filing date, to combine the teachings of Krav in view of Sanchez with Duplys, modifying the system for API security integration and CSPM of Krav and the testing of APIs of Sanchez with the APIs being used for unauthorized function calls of Duplys. The motivation to do so is given in Duplys ¶ 5: to improve computer systems using APIs.
Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Krav-Sanchez-Duplys as applied to claim 8 above, and further in view of Plotnik (US 2020/0379879 A1), hereinafter Plotnik.
Regarding Claim(s) 9 Krav-Sanchez-Duplys teaches:
The method of claim 8 wherein the improper API calls comprise one or more of (Krav-Sanchez-Duplys teaches the parent limitation above.)
Krav-Sanchez-Duplys does not appear to explicitly teach but in related art:
additional fields, request types not aligned with API types, or invalid security credentials. (Plotnik ¶ 93 teaches the concept, A software developer changes a Data Model Java class called UserDetails (which is exposed to the internet by the API GetUserDetails without authorization), adding a SocialSecurityNumber field to it.)
It would have been obvious to one of ordinary skill in the art, prior to the applicant's earliest effective filing date, to combine the teachings of Krav-Sanchez-Duplys with Plotnik, modifying the system for API security integration and CSPM of Krav, the testing of APIs of Sanchez, and the APIs being used for unauthorized function calls of Duplys with the adding of a field of Plotnik. The motivation to do so constitutes applying a known technique (adding an additional field to an API call) to known devices and/or methods for API integrity that are ready for improvement, yielding the predictable result of testing different variables on an API call.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 20230259612 A1 – Systems and Methods for Exploit Detection In A Cloud-based Sandbox: receiving unknown content in a cloud-based sandbox; performing analysis of the unknown content in the cloud-based sandbox.
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JACOB BENEDICT KNACKSTEDT whose telephone number is (703)756-5608. The examiner can normally be reached Monday-Friday 8:00 am - 5:00 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Linglan Edwards can be reached on (571) 270-5440. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/J.B.K./Examiner, Art Unit 2408
/LINGLAN EDWARDS/Supervisory Patent Examiner, Art Unit 2408