Prosecution Insights
Last updated: July 17, 2026
Application No. 18/968,633

DETECTING SECURITY EXCEPTIONS ACROSS MULTIPLE COMPUTE ENVIRONMENTS

Non-Final OA §102§DP
Filed
Dec 04, 2024
Priority
May 23, 2022 — CIP of 12/505,200 +1 more
Examiner
RAHIM, MONJUR
Art Unit
2436
Tech Center
2400 — Computer Networks
Assignee
Wiz Inc.
OA Round
1 (Non-Final)
84%
Grant Probability
Favorable
1-2
OA Rounds
1y 3m
Est. Remaining
99%
With Interview

Examiner Intelligence

Grants 84% — above average
84%
Career Allowance Rate
753 granted / 892 resolved
+26.4% vs TC avg
Strong +16% interview lift
Without
With
+16.4%
Interview Lift
resolved cases with interview
Typical timeline
2y 11m
Avg Prosecution
32 currently pending
Career history
924
Total Applications
across all art units

Statute-Specific Performance

§101
8.2%
-31.8% vs TC avg
§103
62.6%
+22.6% vs TC avg
§102
7.5%
-32.5% vs TC avg
§112
3.7%
-36.3% vs TC avg
Black line = Tech Center average estimate • Based on career data from 892 resolved cases

Office Action

§102 §DP
Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . DETAILED ACTION 1. This action is responsive to: an original application filed on 4 December 2024. 2. Claims 1-15 are currently pending and claims 1, 8 and 9 are independent claims. Priority 3. Priority date claimed has been considered by the examiner. Drawings 4. The drawings filed on 4 December 2024 are accepted by the examiner. Double Patenting 5. The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the claims at issue are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969). A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the reference application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). The USPTO internet Web site contains terminal disclaimer forms which may be used. Please visit http://www.uspto.gov/forms/. The filing date of the application will determine what form should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to http://www.uspto.gov/patents /process/ file/efs/guidance /eTD-info-I.jsp. Claims 1-15 are rejected under the grounds of non-statutory obviousness-type double patenting, as they are deemed unpatentable over claims 1-15 of US Patent application No. 18/400,705. Although the conflicting claims are not identical, they are considered not patentably distinct from one another, as they convey the same inventive concept. Specifically, both sets of claims disclose a method for generating, detecting, applying, traversing. Furthermore, it would have been obvious to one of ordinary skill in the art, at the time of the invention’s filing, to employ this approach to prevent and protect data from cyberattack, thereby rendering the claims unpatentable. Claim Rejections - 35 USC § 102 6. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action: A person shall be entitled to a patent unless – In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. (a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention. Claims 1-15 are rejected 35 U.S.C §102 (a)(2) as being anticipated by applicant admitted IDS, Avi Shua (US Publication No. 20220345481), hereinafter Shua. Regarding claim 1: generating a policy exception for a first workload deployed in a first computing environment (Shua, ¶217, ¶307), wherein An organization policy may include a policy applied to all users by the controlling organization of a workload. An access policy may determine the authorized users of an associated system. generating a representation of the first workload in a security database, wherein the security database includes a graph representation of the first computing environment and a graph representation of a second computing environment (Shua, ¶417), wherein system wherein the common interface is configured to display one or more workload metrics associated with the each listed asset. Workload metrics may be a statistical representation of the current performance of the workload, the capacity for additional processing of the workload, and the historical performance of the workload based on statistical trend. traversing a graph in the security database to detect a first node representing the first workload (Shua, ¶231), herein, ¶66), wherein, cybersecurity system is configured to traverse the graph to identify at least one source originating via the Internet and reaching the workload. Traversing the graph, as used herein, may refer to a device, such as scanning system 101, accessing the systems represented by the nodes in the graph, to determine which systems are accessible and how. For example, scanning system 101 may analyze the graph to detect sources coming from the internet and reaching the workload, by accessing a first system, and traversing between systems in a depth-first, breadth-first, or other manner, until a path to an external network (e.g., the Internet) is reached. traversing the graph in the security database to detect a second node representing a second workload (Shua, ¶231, ¶505), wherein traversing the graph to identify at least one source originating via the internet and reaching the workload; and [0506] outputting a risk notification associated with the workload. detecting in the representation of the second computing environment a representation of the second workload associated with the representation of the first workload (Shua, ¶130), wherein insights may include at least one of a vulnerability associated with the workload or a composition of installed applications associated with the workload. A vulnerability, as used herein, may refer to any weakness within an organization's information systems, internal controls, or system processes that can be exploited. A composition of installed applications associated with the workload, and applying the policy exception to the second workload in response to detecting that the second workload is associated with the first workload (Shua, ¶159), wherein, implement remedial actions via one or more processors. Remedial actions may include, among other things, notification to an end user of an identified threat, compensation through a revised security code to mitigate the potential threat, publication of the identified threat and vulnerability in a log or record of detected vulnerabilities, and communication of the sensed vulnerability and threat to a server operator or maintainer to fortify the protections of workloads existing on similar environments. Regarding claim 2: 2. The method of claim 1, further comprising: generating an inspectable disk from a disk of the first workload; detecting a cybersecurity object on the inspectable disk; and generating the policy exception based on the cybersecurity object (Shua, ¶521, ¶95). Regarding claim 3: wherein generating the inspectable disk further comprises: cloning the disk of the workload into a cloned disk (Shua, ¶100). Regarding claim 4: further comprising: releasing the inspectable disk in response to determining that inspection is complete (Shua, ¶353). Regarding claim 5: further comprising: detecting a second cybersecurity object in the inspectable disk, the second cybersecurity object failing a policy of the first computing environment; and failing the first workload, in response to detecting the second cybersecurity object (Shua, ¶¶249). Regarding claim 6: further comprising: detecting a first code object in a configuration code file, the configuration code file including a plurality of code objects; determining that the first workload is deployed based on the first code object; and applying the generated policy exception to the first code object (Shua, ¶65). Regarding claim 7: further comprising: detecting in the representation a representation of a first object, the first object deployed in the first computing environment; detecting in the representation a representation of a second object, the second object deployed in the second computing environment; detecting in the representation a connection between the representation of the first object and the representation of the second object; and applying a policy of the first computing environment to the first object and the second object in response to detecting the connection (Shua, ¶106, ¶109). Regarding claim 8: one or more instructions that, when executed by one or more processors of a device, cause the device to (Shua, ¶37): generate a policy exception for a first workload deployed in a first computing environment (Shua, ¶217, ¶307), wherein An organization policy may include a policy applied to all users by the controlling organization of a workload. An access policy may determine the authorized users of an associated system. generate a representation of the first workload in a security database, wherein the security database includes a graph representation of the first computing environment and a graph representation of a second computing environment (Shua, ¶417), wherein system wherein the common interface is configured to display one or more workload metrics associated with the each listed asset. Workload metrics may be a statistical representation of the current performance of the workload, the capacity for additional processing of the workload, and the historical performance of the workload based on statistical trend. traverse a graph in the security database to detect a first node representing the first workload (Shua, ¶231), herein, ¶66), wherein, cybersecurity system is configured to traverse the graph to identify at least one source originating via the Internet and reaching the workload. Traversing the graph, as used herein, may refer to a device, such as scanning system 101, accessing the systems represented by the nodes in the graph, to determine which systems are accessible and how. For example, scanning system 101 may analyze the graph to detect sources coming from the internet and reaching the workload, by accessing a first system, and traversing between systems in a depth-first, breadth-first, or other manner, until a path to an external network (e.g., the Internet) is reached. traverse the graph in the security database to detect a second node representing a second workload (Shua, ¶231, ¶505), wherein traversing the graph to identify at least one source originating via the internet and reaching the workload; and [0506] outputting a risk notification associated with the workload. detect in the representation of the second computing environment a representation of the second workload associated with the representation of the first workload (Shua, ¶130), wherein insights may include at least one of a vulnerability associated with the workload or a composition of installed applications associated with the workload. A vulnerability, as used herein, may refer to any weakness within an organization's information systems, internal controls, or system processes that can be exploited. A composition of installed applications associated with the workload, and apply the policy exception to the second workload in response to detecting that the second workload is associated with the first workload (Shua, ¶159), wherein, implement remedial actions via one or more processors. Remedial actions may include, among other things, notification to an end user of an identified threat, compensation through a revised security code to mitigate the potential threat, publication of the identified threat and vulnerability in a log or record of detected vulnerabilities, and communication of the sensed vulnerability and threat to a server operator or maintainer to fortify the protections of workloads existing on similar environments. Regarding claim 9: one or more processors configured to (Shua, ¶37): generate a policy exception for a first workload deployed in a first computing environment (Shua, ¶217, ¶307), wherein An organization policy may include a policy applied to all users by the controlling organization of a workload. An access policy may determine the authorized users of an associated system. generate a representation of the first workload in a security database, wherein the security database includes a graph representation of the first computing environment and a graph representation of a second computing environment (Shua, ¶417), wherein system wherein the common interface is configured to display one or more workload metrics associated with the each listed asset. Workload metrics may be a statistical representation of the current performance of the workload, the capacity for additional processing of the workload, and the historical performance of the workload based on statistical trend. traverse a graph in the security database to detect a first node representing the first workload (Shua, ¶231), herein, ¶66), wherein, cybersecurity system is configured to traverse the graph to identify at least one source originating via the Internet and reaching the workload. Traversing the graph, as used herein, may refer to a device, such as scanning system 101, accessing the systems represented by the nodes in the graph, to determine which systems are accessible and how. For example, scanning system 101 may analyze the graph to detect sources coming from the internet and reaching the workload, by accessing a first system, and traversing between systems in a depth-first, breadth-first, or other manner, until a path to an external network (e.g., the Internet) is reached. traverse the graph in the security database to detect a second node representing a second workload (Shua, ¶231, ¶505), wherein traversing the graph to identify at least one source originating via the internet and reaching the workload; and [0506] outputting a risk notification associated with the workload. detect in the representation of the second computing environment a representation of the second workload associated with the representation of the first workload (Shua, ¶130), wherein insights may include at least one of a vulnerability associated with the workload or a composition of installed applications associated with the workload. A vulnerability, as used herein, may refer to any weakness within an organization's information systems, internal controls, or system processes that can be exploited. A composition of installed applications associated with the workload, and apply the policy exception to the second workload in response to detecting that the second workload is associated with the first workload (Shua, ¶159), wherein, implement remedial actions via one or more processors. Remedial actions may include, among other things, notification to an end user of an identified threat, compensation through a revised security code to mitigate the potential threat, publication of the identified threat and vulnerability in a log or record of detected vulnerabilities, and communication of the sensed vulnerability and threat to a server operator or maintainer to fortify the protections of workloads existing on similar environments. Regarding claim 10: wherein the one or more processors are further configured to: generate an inspectable disk from a disk of the first workload; detect a cybersecurity object on the inspectable disk; and generate the policy exception based on the cybersecurity object (Shua, ¶95, ¶521). Regarding claim 11: wherein the one or more processors, when generating the inspectable disk, are configured to: clone the disk of the workload into a cloned disk (Shua, ¶100). Regarding claim 12: wherein the one or more processors are further configured to: release the inspectable disk in response to determining that inspection is complete (Shua, ¶353). Regarding claim 13: wherein the one or more processors are further configured to: detect a second cybersecurity object in the inspectable disk, the second cybersecurity object failing a policy of the first computing environment; and fail the first workload, in response to detecting the second cybersecurity object (Shua, ¶249). Regarding claim 14: wherein the one or more processors are further configured to: detect a first code object in a configuration code file, the configuration code file including a plurality of code objects; determine that the first workload is deployed based on the first code object; and apply the generated policy exception to the first code object (Shua, ¶65). Regarding claim 15: wherein the one or more processors are further configured to: detect in the representation a representation of a first object, the first object deployed in the first computing environment; detect in the representation a representation of a second object, the second object deployed in the second computing environment; detect in the representation a connection between the representation of the first object and the representation of the second object; and apply a policy of the first computing environment to the first object and the second object in response to detecting the connection (Shua, ¶106, ¶109). Conclusion 7. The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure. Any inquiry concerning this communication or earlier communications from the examiner should be directed to Monjour Rahim whose telephone number is (571)270-3890. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on 571-272-4219. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (in USA or CANANDA) or 571-272-1000. /Monjur Rahim/ Patent Examiner United States Patent and Trademark Office Art Unit: 2436; Phone: 571.270.3890 E-mail: monjur.rahim@uspto.gov Fax: 571.270.4890
Read full office action

Prosecution Timeline

Dec 04, 2024
Application Filed
Jun 03, 2026
Non-Final Rejection mailed — §102, §DP (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12676845
METHOD AND SYSTEM FOR AUTHENTICATING A USER TO ACCESS A WEB APPLICATION HOSTED ON AN APPLICATION SERVER
1y 10m to grant Granted Jul 07, 2026
Patent 12657337
SYSTEMS AND METHODS FOR RUNTIME CONTENT MASKING
2y 2m to grant Granted Jun 16, 2026
Patent 12659140
ENCRYPTED INFORMATION RETRIEVAL
1y 11m to grant Granted Jun 16, 2026
Patent 12652300
PROBABILISTIC EVIDENCE BASED INSIDER THREAT DETECTION AND REASONING
3y 6m to grant Granted Jun 09, 2026
Patent 12619554
NON-INTRUSIVE REKEYING FOR MEMORY ENCRYPTION
2y 0m to grant Granted May 05, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

1-2
Expected OA Rounds
84%
Grant Probability
99%
With Interview (+16.4%)
2y 11m (~1y 3m remaining)
Median Time to Grant
Low
PTA Risk
Based on 892 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month