Prosecution Insights
Last updated: May 04, 2026
Application No. 18/778,125

CYBER SECURITY SCENARIOS WITH SIMULATED INCIDENTS

Non-Final OA §101§103§112
Filed
Jul 19, 2024
Priority
Jul 20, 2023 — provisional 63/528,009
Examiner
BROWN, CHRISTOPHER J
Art Unit
2439
Tech Center
2400 — Computer Networks
Assignee
Darktrace Holdings Limited
OA Round
1 (Non-Final)
75%
Grant Probability
Favorable
1-2
OA Rounds
1y 7m
Est. Remaining
88%
With Interview

Examiner Intelligence

Grants 75% — above average
75%
Career Allowance Rate
533 granted / 708 resolved
+17.3% vs TC avg
Moderate +13% lift
Without
With
+13.0%
Interview Lift
resolved cases with interview
Typical timeline
3y 5m
Avg Prosecution
38 currently pending
Career history
746
Total Applications
across all art units

Statute-Specific Performance

§101
12.7%
-27.3% vs TC avg
§103
54.8%
+14.8% vs TC avg
§102
10.3%
-29.7% vs TC avg
§112
11.0%
-29.0% vs TC avg
Black line = Tech Center average estimate • Based on career data from 708 resolved cases

Office Action

§101 §103 §112
Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Claim Interpretation - 35 USC § 112 The following is a quotation of 35 U.S.C. 112(f): (f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. The following is a quotation of pre-AIA 35 U.S.C. 112, sixth paragraph: An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art. The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is invoked. As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph: (A) the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; (B) the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as "configured to" or "so that"; and (C) the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. This application includes one or more claim limitations that do not use the word "means," but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. Such claim limitation(s) is/are: cyber security restoration engine configured to simulate/generate…,” recited in claim 1; “cyber security restoration engine configured to receive/determine/generate…,” recited in claim 9; “cyber security restoration engine configured to generate…,” recited in claim 12; “cyber security restoration engine configured to suggest…,” recited in claim 13; “cyber security restoration engine configured to progress…,” recited in claim 14; “cyber security restoration engine configured to simulate/receive/cause…,” recited in claim 19; and ““cyber security restoration engine configured to generate…,” recited in claim 20; Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof. If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may: (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. Claim Rejections - 35 USC § 112 The following is a quotation of 35 U.S.C. 112(b): (b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention. The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph: The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention. Claim 7 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention. Claim 7 states “the simulated cyber security scenario is generated one or more of” and then “prior to generating the data representative of the simulated cyber security scenario”. It is unclear if Applicant has accidentally left out limitations that would clarify this claim. Additionally, Examiner asserts as written, the claim states that a cyber security scenario is generated prior to generating “data representative of the…scenario” which is akin to asserting that a scenario is generated before itself. The limitations have been interpreted as generating simulated cyber security scenarios. Claim Rejections - 35 USC § 101 35 U.S.C. 101 reads as follows: Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title. Claims 1-9, 11-20 are rejected under 35 USC 101 as being directed to an abstract idea without being integrated into a practical application or being significantly more. Regarding claims 1-9, 11-20; Claim 1 recites the limitations “generate data representative of a simulated cyber security scenario;” Broadly interpreted, the aforementioned steps are directed to mental processes as said steps could be performed in the human mind. Therefore, the claims recite an abstract idea. Said abstract idea and/or judicial exception is not integrated into a practical application as the claim does not recite any other active steps that could be considered that the abstract idea is being integrated into a practical application. It’s noted that the claim recites the operations “cyber security restoration engine configured to simulate an asset;” However, said operations are not sufficient to consider that the abstract idea is being interpreted into a practical application. Said operations are recited at a high level of generality in gathering/processing/storing information, which are a form of insignificant extra-solution activity. It’s also noted that the claims recite additional limitation/elements (i.e., system, non-transitory medium, etc.,). However, said additional elements are recited at a high-level of generality (i.e., as a generic computing device performing a generic computer functions) such that it amounts no more than mere instructions to apply the exception or abstract idea using generic computer components. Accordingly, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. The claims do not include additional elements/limitations/embodiments that are sufficient to amount to significantly more than the judicial exception because the additional elements when considered both individually and as an ordered combination do not amount to significantly more than the abstract idea. As mentioned above, although the claims recite additional elements, said elements taken individually or as a combination, do not result in the claim amounting to significantly more than the abstract idea because as the additional elements perform generic computer content distributing functions routinely used in information technology field. As discussed above, the additional elements recited at a high-level of generality such that they amount no more than mere instructions to apply the exception using a generic computer component. Therefore, the claim is directed to non-statutory subject matter. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claim(s) 1-15, 17-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Crabtree US 2025/0007942 in view of Barai US 2021/0352100. As per claim 1, Crabtree teaches an apparatus, comprising: a cyber security restoration engine configured to simulate an asset of a computing network that is involved in a simulated cyberattack, which is further configured to: generate data representative of a simulated cyber security scenario involving the asset of the computing network, wherein the simulated cyber security scenario is derived from a real-world cyber security scenario mapped to the asset; and where instructions implemented in software for the cyber security restoration engine are configured to be stored in one or more non-transitory storage mediums to be executed by one or more processing units. [0006][0007][0008] [0013] (attack mission based on knowledge graph including entities, edges, relationships, generating a simulated cyber-attack based on the computer network) [0069][0070] (generating scenarios based in part on MITRE ATT&CK database which are based on real events) [0087][0089] (teaches monitoring progress of simulated attack scenario including health indicators and relationship events, and attack/defense progress indicators, including blue team incident response ) Crabtree teaches simulation of a network but does not *explicitly* teach simulation of a particular asset. Bari more explicitly teaches a cyber security restoration engine configure to simulate an asset of a computing network. [0005][0006][0017][0048][0049][0063] (teaches an attack simulation that is simulated against an emulation of a network including a virtual simulation network that is based on the actual physical network assets) It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to use the teaching of Bari with the prior art because it would produce more accurate results of a simulated cyber-attack. As per claim 2. The apparatus of claim 1, Crabtree teaches wherein the simulated cyber security scenario is based on a template derived from data representative of an event that occurred as part of a real-life cyber security scenario that occurred on another computing network. [0069][0070] (generating scenarios based in part on MITRE ATT&CK database which are based on real events) As per claim 3. The apparatus of claim 2, Crabtree teaches wherein the template is based on a synthetic cyber security scenario generated based on a historical real life cyber security scenario. [0069][0070] (generating scenarios based in part on MITRE ATT&CK database which are based on real events) As per claim 4. The apparatus of claim 2, Crabtree teaches wherein the template is represented by a graph comprising one or more edges between one or more connecting assets of the computing network. [0013] (attack mission based on knowledge graph including entities, edges, relationships) As per claim 5. The apparatus of claim 1, Crabtree teaches wherein the simulated cyber security scenario is artificial intelligence (AI) generated. [0013] (AI generated attack scenarios) As per claim 6. The apparatus of claim 5, Crabtree teaches wherein the simulated cyber security scenario is AI generated based on one or more of a graph of interactions between assets in the computing network; and knowledge of threat actor techniques and tactics. [0012][0013] (teaches generating a scenario using contextual information of the network via knowledge graph and TTP information) As per claim 7. The apparatus of claim 5, Crabtree teaches wherein the simulated cyber security scenario is generated one or more of prior to generating the data representative of the simulated cyber security scenario; and in response to a change to an environment associated with the computing network triggered by user input while the cyber security restoration engine is generating the data representative of the simulated cyber security scenario. [0006][0013] (teaches generation of cyber security scenario, which is based on network simulation of computing network) As per claim 8. The apparatus of claim 1, Crabtree teaches wherein the simulated cyber security scenario comprises an event, and wherein the generated data is representative of an effect that the event has on one or more of: the computing network and an organization associated with the computing network. [0087] (teaches monitoring progress of attack scenario including health indicators and relationship events) As per claim 9. The apparatus of claim 1, Crabtree teaches wherein the cyber security restoration engine is configured to: receive an indication of an action taken by a user in response to an event that occurs as part of the simulated cyber security scenario; determine that the action is to modify a progression of the simulated cyber security scenario; and generate data representative of a modified progression of the simulated cyber security scenario based on the action. [0006][0007] [0087][0089] (teaches monitoring progress of attack scenario including health indicators and relationship events, and attack/defense progress indicators, including blue team incident response ) As per claim 10. The apparatus of claim 9, Crabtree teaches wherein the action comprises one or more of the user instructing a simulated cyber security tool to perform a user-specified action to modify further progression of the simulated cyber security scenario; the user instructing a simulated cyber security tool to autonomously perform an action to modify further progression of the simulated cyber security scenario; and the user providing information about the simulated cyber security scenario to a specified individual in an organization, and the user indicating a response of the specified individual. [0003] [0007] [0061] (red team users, and blue team users perform simulated attack to further progress the scenario, including use of AI attack strategies) As per claim 11. The apparatus of claim 1, Crabtree teaches wherein the simulated cyber security scenario is based on a configuration used by a real-life cyber security tool for protecting the computing network. [0006][0007] (teaches use of real-life tools, EDR, etc) As per claim 12. The apparatus of claim 11, Crabtree teaches wherein the cyber security restoration engine is configured to generate a metric indicative of an effect that the configuration has on the simulated cyber security scenario. [0085] (teaches generating metrics based on the simulated attack) As per claim 13. The apparatus of claim 12, Crabtree teaches wherein the cyber security restoration engine is configured to suggest a change to be made to the configuration of the real-life cyber security tool based on the metric. [0007][0079][0080] (teaches suggestion of additional security measures) As per claim 14. The apparatus of claim 1, Crabtree teaches wherein the cyber security restoration engine is configured to progress the simulated cyber security scenario based an interaction of a user with a simulation based on the data representative of a simulated cyber security scenario. [0006][0007] [0087][0089] (teaches monitoring progress of attack scenario including health indicators and relationship events, and attack/defense progress indicators, including red team and blue team actions) As per claim 15. The apparatus of claim 14, Crabtree teaches wherein progression of the simulation is displayed on a user interface, and wherein the interaction is input via the user interface. [0006][0007] [0087][0089] (teaches monitoring progress of attack scenario including health indicators and relationship events, and attack/defense progress indicators, including red team and blue team actions) [0063](team portals for implementing security controls) As per claim 17. The apparatus of claim 1, Crabtree teaches wherein the cyber security restoration engine is configured to at least one of reference i) a database of restoration response scenarios stored in the database for the computing network and ii) a prediction engine configured to run Artificial Intelligence-based simulations and use an operational state of a node in a graph corresponding to the asset of the computing network during simulations of cyberattacks on the computing network to restore each node compromised by a cyber threat during the simulation of the cyberattack. [0013][0066][0078][0079] (teaches AI suggestions for actions for remediation, and defense improvement) As per claim 18. Crabtree teaches A computer-implemented method for a cyber security restoration engine configured to simulate an asset of a computing network that is involved in a simulated cyberattack, comprising: generating data representative of a simulated cyber security scenario involving the asset of the computing network, wherein the simulated cyber security scenario is derived from a real-world cyber security scenario mapped to the asset. . [0006][0007][0008] [0013] (attack mission based on knowledge graph including entities, edges, relationships, generating a simulated cyber-attack based on the computer network) [0069][0070] (generating scenarios based in part on MITRE ATT&CK database which are based on real events) [0087][0089] (teaches monitoring progress of simulated attack scenario including health indicators and relationship events, and attack/defense progress indicators, including blue team incident response ) Crabtree teaches simulation of a network but does not *explicitly* teach simulation of a particular asset. Bari more explicitly teaches a cyber security restoration engine configure to simulate an asset of a computing network. [0005][0006][0017][0048][0049][0063] (teaches an attack simulation that is simulated against an emulation of a network including a virtual simulation network that is based on the actual physical network assets) It would have been obvious to one of ordinary skill in the art before effective filing date of the claimed invention to use the teaching of Bari with the prior art because it would produce more accurate results of a simulated cyber-attack. As per claim 19. Crabtree teaches An apparatus, comprising: a cyber security restoration engine configured to simulate an asset of a computing network that is involved in a simulated cyberattack, which is further configured to: receive an indication of an action taken by a user in response to an event that takes place during a simulation of a cyber security scenario involving the asset of the computing network, wherein the cyber security scenario is derived from a real world cyber security scenario mapped to the asset, and cause the simulation to progress the cyber security scenario based on the action taken by the user; and where instructions implemented in software for the cyber security restoration engine are configured to be stored in one or more non-transitory storage mediums to be executed by one or more processing units. [0006][0007][0008] [0013] (attack mission based on knowledge graph including entities, edges, relationships, generating a simulated cyber-attack based on the computer network) [0069][0070] (generating scenarios based in part on MITRE ATT&CK database which are based on real events) [0087][0089] (teaches monitoring progress of simulated attack scenario including health indicators and relationship events, and attack/defense progress indicators, including blue team incident response ) Crabtree teaches simulation of a network but does not *explicitly* teach simulation of a particular asset. Bari more explicitly teaches a cyber security restoration engine configure to simulate an asset of a computing network. [0005][0006][0017][0048][0049][0063] (teaches an attack simulation that is simulated against an emulation of a network including a virtual simulation network that is based on the actual physical network assets) It would have been obvious to one of ordinary skill in the art effective filing date of the claimed invention to use the teaching of Bari with the prior art because it would produce more accurate results of a simulated cyber-attack. As per claim 20. The apparatus of claim 19, Crabtree teaches wherein the cyber security restoration engine is configured to generate a metric indicative of an effect that the action had on the simulation. [0085] (teaches generating metrics based on the simulated attack) Claim(s) 16 is/are rejected under 35 U.S.C. 103 as being unpatentable over Crabtree US 2025/0007942 in view of Barai US 2021/0352100 in view of Risoldi US 2020/0311630 As per claim 16. The apparatus of claim 15, Crabtree and Barai do not *explicitly* teach the following. Risoldi teaches wherein the user interface is configured to display a representation of a plurality of assets of the computing network, and wherein the user interface is configured to allow the user to select, from the plurality of assets, the asset to use in the simulated cyber security scenario. [0045][0068] (teaches a user interface to select assets on the network for risk evaluation) It would have been obvious to one of ordinary skill in the art effective filing date of the claimed invention to use the teaching of Risoldi with the prior art because it improves user accessibility and control. Conclusion Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER BROWN whose telephone number is (571)272-3833. The examiner can normally be reached M-F 8-5. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached at (571) 270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /CHRISTOPHER J BROWN/Primary Examiner, Art Unit 2439
Read full office action

Prosecution Timeline

Jul 19, 2024
Application Filed
Apr 17, 2026
Non-Final Rejection — §101, §103, §112 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12615280
DETECTING POLYMORPHIC BOTNETS USING AN IMAGE RECOGNITION PLATFORM
2y 9m to grant Granted Apr 28, 2026
Patent 12615289
ROGUE DEVICE DETECTION INCLUDING MAC ADDRESS SPOOFING DETECTION
1y 10m to grant Granted Apr 28, 2026
Patent 12609956
SECURITY INFORMATION CAPTURE AND DISTRIBUTION
2y 6m to grant Granted Apr 21, 2026
Patent 12603822
SOFTWARE AS A SERVICE (SaaS) USER INTERFACE (UI) FOR DISPLAYING USER ACTIVITIES IN AN ARTIFICIAL INTELLIGENCE (AI)-BASED CYBER THREAT DEFENSE SYSTEM
4y 11m to grant Granted Apr 14, 2026
Patent 12574725
METHODS, APPARATUSES, COMPUTER PROGRAMS AND CARRIERS FOR SECURITY MANAGEMENT BEFORE HANDOVER FROM 5G TO 4G SYSTEM
1y 10m to grant Granted Mar 10, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

1-2
Expected OA Rounds
75%
Grant Probability
88%
With Interview (+13.0%)
3y 5m (~1y 7m remaining)
Median Time to Grant
Low
PTA Risk
Based on 708 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month