Prosecution Insights
Last updated: July 17, 2026
Application No. 18/737,564

SYSTEM AND METHOD FOR UTILIZING LARGE LANGUAGE MODELS AS A LOGICAL COMPONENT TO ENHANCE REACTIVE AND PROACTIVE SECURITY WITHIN A CYBERSECURITY SYSTEM

Final Rejection §103
Filed
Jun 07, 2024
Priority
Jun 09, 2023 — provisional 63/472,227
Examiner
GYORFI, THOMAS A
Art Unit
2435
Tech Center
2400 — Computer Networks
Assignee
Darktrace Holdings Limited
OA Round
2 (Final)
76%
Grant Probability
Favorable
3-4
OA Rounds
1y 4m
Est. Remaining
92%
With Interview

Examiner Intelligence

Grants 76% — above average
76%
Career Allowance Rate
528 granted / 699 resolved
+17.5% vs TC avg
Strong +16% interview lift
Without
With
+16.3%
Interview Lift
resolved cases with interview
Typical timeline
3y 5m
Avg Prosecution
11 currently pending
Career history
715
Total Applications
across all art units

Statute-Specific Performance

§101
2.5%
-37.5% vs TC avg
§103
78.7%
+38.7% vs TC avg
§102
11.0%
-29.0% vs TC avg
§112
1.5%
-38.5% vs TC avg
Black line = Tech Center average estimate • Based on career data from 699 resolved cases

Office Action

§103
DETAILED ACTION Claims 1-19 remain for examination. The amendment filed 3/2/26 amended claims 1, 11, & 15. Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Response to Arguments Applicant’s arguments, see pages 8-21 of the amendment filed 3/2/26, with respect to 35 USC 112 and claim interpretation have been fully considered and are persuasive. The rejection of claims 11-14 under 35 USC 112(b) has been withdrawn. Applicant’s arguments, see page 22 of the amendment filed 3/2/26, with respect to 35 USC 101 have been fully considered and are persuasive. The rejection of claims 11-14 under 35 USC 101 has also been withdrawn. Applicant’s arguments, see pages 23-26 of the amendment filed 3/2/26, with respect to the rejection(s) of claims 1-19 under 35 USC 103 have been fully considered and are persuasive. Therefore, that rejection has been withdrawn. However, upon further consideration, a new ground(s) of rejection is made in view of the newly discovered reference to Ghare. Claim Rejections - 35 USC § 103 The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action. Claims 1-4, 6-7, 10-16, & 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Chesla (U.S. Patent Publication 2023/0319089) in view of Shachar (U.S. Patent Publication 2024/0372876) in view of Ghare (U.S. Patent Publication 2019/0081876). Regarding claim 1: Chesla discloses a non-transitory storage medium including software configured, when executed by one or more processors, to enhance cyber threat detection or a response to a cyber threat detected by a cybersecurity appliance, the software comprising: a threat landscape analysis module configured, when executed by the one or more processors, to operate with a first large language model to (i) analyze threat landscape data received from one or more external sources and (ii) identify threat technique data associated with one or more cyber threats included within the threat landscape data (paragraphs 0039-0043, including [¶0040] “In some embodiments, linguistic analysis module 110 may be configured to perform linguistic analysis on threat intelligence reports that may include information relevant to known stages of an attack”; [¶0041]“In step 142, linguistic analysis module 110 of server system 104 may perform a linguistic analysis on threat intelligence reports 134 of database 108 and other information received from the corpus of data for a possible threat detected on system under threat 122”; [¶0043] “Threat intelligence threat reports may be retrieved in step 142, manually or automatically. These reports may be retrieved from both open as well as commercial data sources such as Virus Total®, MS threat Center®, SANS Internet Storm Center®, FBI InfraGard®, MITRE ATT&CK®, emails, internal communications, previous cases in which the system was run and analysts interacted with the system, and others”; an embodiment wherein large language models used as the NLP processor at paragraph 0047; see also paragraph 0059 regarding the MITRE ATT&CK data comprising threat techniques); and a data store adapted to maintain the threat technique data identified by the threat landscape analysis module (paragraph 0041: “Probability model(s) 130 may be generated and updated in step 146 based on the transition matrix module 114 output”; and paragraph 0039: “Each of linguistic analysis module 110, predictive application 112, transition matrix module 114 and classification module 116 may be configured as one or more software modules which may be collections of code or instructions stored on a media (e.g., memory of server system 104) that represent a series of machine instructions (e.g., program code) that implements one or more algorithmic steps”; i.e. the output of the NLP module is saved to memory [“data store”] for subsequent use). Although the purpose of the Chesla disclosure is how to build the prediction model to detect likely future avenues of attack such that they can be prevented (Chesla, paragraph 0004), nevertheless Chesla does not explicitly disclose an action severity module communicatively coupled to the data store, the action severity module is configured to adjust a sensitivity of a cyber threat detection engine in monitoring for the one or more cyber threats represented by the threat technique data. However, Shachar discloses a related invention for using large language models to process threat data to detect potential threats and weaknesses in one’s network security posture (e.g. Abstract, and paragraphs 0004-0005) further comprising a remediation suggestion module that adjusts a sensitivity of a cyber threat detection engine in monitoring for the one or more cyber threats represented by the threat technique data (Shachar, paragraphs 0062-0063 & 0070, including [0063] “In other cases, if the current security posture of the enterprise provides insufficient security against potential threats identified in the patterns, the recommended security posture may indicate that more strict security measures are needed in order to proactively protect against threats identified in the patterns”). It would have been obvious prior to the effective filing date of the instant application for Chesla to implement one or more remediation actions to prevent attacks predicted by his model, thus increasing the security of the network, as doing so was clearly a known option within the grasp of a person of ordinary skill in the art to achieve the predictable result of protecting one’s enterprise network (Shachar, Ibid; Chesla, paragraph 0004). Neither Chesla nor Shachar explicitly disclose modifying a detect threshold required for the cyber threat detection engine to issue an alert. However, Ghare discloses a related invention for detecting anomalies in one’s network including fraud and other threats (e.g. Ghare at paragraph 0017) wherein this limitation is taught (Ghare, paragraph 0057). It would have been obvious prior to the effective filing date of the instant application for the invention(s) disclosed by Chesla and/or Shachar to dynamically update the thresholds for detecting anomalies and threats, so as to reflect changing definitions of “normal” behavior over time (Ghare, Ibid) which in turn can lead to a reduction of false negative and false positive results (Ghare, paragraph 0020). Regarding claims 11 & 15: The rejection of claim 1 applies mutatis mutandis to claims 11 & 15. Regarding claim 2: The combination further discloses wherein the threat technique data includes (i) information associated with a threat actor responsible for the one or more cyber threats, (ii) information associated with an industry targeted by the one or more cyber threats, or (iii) information associated with a geographic region targeted by the one or more cyber threats (Chesla: the MITRE ATT&CK data as per paragraphs 0034, 0043, 0059, 0105, etc. is known to include information regarding threat actors responsible for one or more cyber threats). Regarding claims 3 and 12: The combination further discloses a detection analysis module communicatively coupled to the cyber threat detection engine and the action severity module, the detection analysis module is configured to receive a message from the action severity module to adjust operability of the cyber threat detection engine by enhancing detection of events correlated with events associated with the one or more cyber threats included within the threat technique data (Shachar, paragraph 0065). Regarding claims 4 and 16: The combination further discloses wherein the action severity module is configured to retrieve information associated with events pertaining to one or more potential cyber threats detected by the cyber threat detection engine, determine a level of correlation between the retrieved information and the threat technique data that pertains to one or more cyber threats included in the threat landscape data, and based on the level of correlation exceeding a first prescribed value, generate a message to the detection analysis module to increase a sensitivity of the cyber threat detection engine in monitoring for the potential cyber threat associated with the threat technique data (Chesla, paragraph 0105, including: “In some embodiments, this may be performed by using a metric in the language space or by correlation with attacks and comments or annotations made by responders to an attack”; see also Shachar, paragraph 0065). Regarding claims 6 and 18: The combination further discloses wherein the action severity module is further configured to adjust a setting of a cyber threat response engine to increase severity of response actions conducted by an autonomous response engine towards detected cyber threats corresponding to the cyber threats identified by the threat landscape data (Shachar, paragraph 0063: “In other cases, if the current security posture of the enterprise provides insufficient security against potential threats identified in the patterns, the recommended security posture may indicate that more strict security measures are needed in order to proactively protect against threats identified in the patterns”). Regarding claim 7: The combination further discloses wherein the adjusting of the setting of the cyber threat response engine to increase the severity of response actions is intended to cause the cyber threat response engine to conduct a first set of actions to address the detected cyber threats corresponding to the cyber threats identified by the threat landscape data, the first set of actions is different from a second set of actions usually performed by the cyber threat response engine (Shachar, Ibid). Regarding claim 10: The combination further discloses: an action explainer module communicatively coupled to the action severity module, the action explainer module includes or has access to a large language model configured to generate an explanation message, wherein the explanation message includes content in an natural language processing (NLP) format that states why certain response actions are being conducted or why the severity of the response actions has been increased, decreased, or remains constant (Shachar, paragraphs 0065 & 0070). Regarding claim 13: The combination further discloses a current action analysis module communicatively coupled to a cyber threat response engine and the action severity module, the current action analysis module is configured to receive a message from the action severity module to adjust operability of a cyber threat response engine of the cybersecurity appliance by altering response actions undertaken by the cybersecurity appliance in response to the detected cyber threats correlated with the one or more cyber threats included within the threat landscape data (Shachar, paragraph 0050, including: “The raw CDR data sets (e.g., JSON files) from the threat detection module 106 can be provided as input to the LLM of the pre-processing module 108 such that the pre-processing module 108 identifies what subsets of data in the JSON files are considered as suspicious or potentially malicious in order to produce “focused data sets” that contain substantially only the suspicious or potentially malicious subsets of the CDR data, which can be provided as input to the summarization module 110”; see also paragraphs 0065 & 0070). Regarding claims 14 and 19: The rejection of claim 10 applies mutatis mutandis to claims 14 and 19. Claims 5, 8, 9, & 17 are rejected under 35 U.S.C. 103 as being unpatentable over Chesla in view of Shachar in view of Ghare as applied to claims 4, 6, 7, & 16 above, and further in view of Hutelmyer (U.S. Patent Publication 2023/0239312). Regarding claims 5 and 17: Although the combination teaches wherein the security posture can either be increased or remain at current levels (Shachar, paragraph 0063), neither Chesla nor Shachar explicitly discloses wherein the action severity module is further configured, based on the level of correlation falling below a second prescribed value being less than the first prescribed value, to generate a message to decrease the sensitivity of the cyber threat detection engine in monitoring for the one or more cyber threats associated with the threat technique data. However, Hutelmyer discloses a related invention for detecting and remediating cyberattacks wherein that invention is capable of both increasing and decreasing the sensitivity of the rules for detecting threats, as appropriate (Hutelmyer, paragraph 0110). It would have been obvious prior to the effective filing date of the instant application for the inventions of Chesla and Shachar to be capable of decreasing the sensitivity of their respective detection engines, as doing so was a known option within the grasp of a person of ordinary skill in the art for adjusting the security posture of one’s enterprise network (Hutelmyer, paragraph 0051). Regarding claim 8: Although remediation actions are clearly contemplated by the Chesla and Shachar disclosures (Chesla, paragraph 0004; Shachar, paragraphs 0062-0070), neither Chesla nor Shachar explicitly disclose wherein the first set of actions includes blocking communications, revoking permissions held by a user, or shutting down a computing device that is different from the second set of actions including quarantining data or logging events associated with the detected cyber threats. However, Hutelmyer discloses a related invention for detecting and remediating cyberattacks wherein when that invention detects a threat, it can take actions such as but not limited to blocking the network communications (paragraphs 0008-0011, including “…blocking, by the network security system, the network activity based on a determination that the network activity triggers the at least one security event rule…”) and revoking permissions held by a user (paragraphs 0048 and 0108: “(e.g., apprehend the employee, block the employee from performing certain activities, remove privileges/access rights of the employee, etc.)”). It would have been immediately obvious prior to the effective filing date of the instant application for Chesla and/or Shachar to take remediation actions such as blocking communications or revoking user permissions in response to a detected threat, as these were clearly known options within the grasp of a person of ordinary skill in the art. If doing so would lead to success, it would be the result not of innovation but of ordinary skill and common sense. Regarding claim 9: Although the combination teaches wherein the security posture can either be increased or remain at current levels (Shachar, paragraph 0063), neither Chesla nor Shachar explicitly disclose wherein the action severity module is further configured to adjust the setting of the cyber threat response engine to decrease severity of response actions conducted by an autonomous response engine towards detected cyber threats to halt or lessen response actions conducted by the cyber threat response engine on the detected cyber threats. However, Hutelmyer discloses a related invention for detecting and remediating cyberattacks wherein that invention is capable of both increasing and decreasing the sensitivity of the rules for detecting threats, as appropriate (Hutelmyer, paragraph 0110). It would have been obvious prior to the effective filing date of the instant application for the inventions of Chesla and Shachar to be capable of decreasing the sensitivity of their respective detection engines, as doing so was a known option within the grasp of a person of ordinary skill in the art for adjusting the security posture of one’s enterprise network (Hutelmyer, paragraph 0051). Conclusion The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: U.S. Patent Publication 2019/0182268 (Lancioni) [paragraph 0053] U.S. Patent Publication 2018/0365696 (Yan) [paragraphs 0037, 0044, 0047] U.S. Patent 10,341,374 (Sadaghiani) [col. 8, lines 32-42] Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to Thomas A Gyorfi whose telephone number is (571)272-3849. The examiner can normally be reached 10:00am - 6:30pm. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Amir Mehrmanesh can be reached at 571-270-3351. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. THOMAS A. GYORFI Examiner Art Unit 2435 /THOMAS A GYORFI/Examiner, Art Unit 2435 5/21/2026 /AMIR MEHRMANESH/Supervisory Patent Examiner, Art Unit 2435
Read full office action

Prosecution Timeline

Jun 07, 2024
Application Filed
Oct 02, 2025
Non-Final Rejection mailed — §103
Mar 02, 2026
Response Filed
Jun 03, 2026
Final Rejection mailed — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12676888
VIRTUAL FILE HONEY POTS FOR COMPUTING SYSTEMS PROTECTION AGAINST RANSOMWARE ATTACKS
2y 9m to grant Granted Jul 07, 2026
Patent 12671706
ADAPTIVE SYSTEM FOR NETWORK AND SECURITY MANAGEMENT
3y 1m to grant Granted Jun 30, 2026
Patent 12659337
DATA GENERATION AND ANALYSIS ENGINE FOR IDENTIFICATION AND MONITORING OF ENDPOINT ACTIVITY RESPONSE
2y 11m to grant Granted Jun 16, 2026
Patent 12652308
SYSTEMS AND METHODS OF SIMULATING CYBERATTACKS
2y 10m to grant Granted Jun 09, 2026
Patent 12652292
CYBER DEFENSE AUTOMATION ENGINE
2y 10m to grant Granted Jun 09, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

3-4
Expected OA Rounds
76%
Grant Probability
92%
With Interview (+16.3%)
3y 5m (~1y 4m remaining)
Median Time to Grant
Moderate
PTA Risk
Based on 699 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month