Prosecution Insights
Last updated: July 17, 2026
Application No. 19/007,308

SYSTEMS AND METHODS FOR PROVIDING CYBERSECURITY ANALYSIS BASED ON OPERATIONAL TECHNOLOGIES AND INFORMATION TECHNOLOGIES

Non-Final OA §102§112
Filed
Dec 31, 2024
Priority
Jun 02, 2015 — continuation of 9923915 +2 more
Examiner
DAVIS, ZACHARY A
Art Unit
2492
Tech Center
2400 — Computer Networks
Assignee
C3.ai Inc.
OA Round
1 (Non-Final)
54%
Grant Probability
Moderate
1-2
OA Rounds
2y 11m
Est. Remaining
76%
With Interview

Examiner Intelligence

Grants 54% of resolved cases
54%
Career Allowance Rate
273 granted / 506 resolved
-4.0% vs TC avg
Strong +22% interview lift
Without
With
+22.0%
Interview Lift
resolved cases with interview
Typical timeline
4y 5m
Avg Prosecution
33 currently pending
Career history
568
Total Applications
across all art units

Statute-Specific Performance

§101
1.8%
-38.2% vs TC avg
§103
65.2%
+25.2% vs TC avg
§102
24.8%
-15.2% vs TC avg
§112
7.8%
-32.2% vs TC avg
Black line = Tech Center average estimate • Based on career data from 506 resolved cases

Office Action

§102 §112
DETAILED ACTION The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Response to Amendment A preliminary amendment was filed on 22 January 2025. By this amendment, Claim 1 has been canceled and new Claims 2-21 have been added. Claims 2-21 are currently pending in the present application. Priority The present application is a continuation of Application Serial No. 17/810,757, filed 05 July 2022 and issued 04 February 2025 as US Patent 12218966, which is a continuation of Application Serial No. 15/891,630, filed 08 February 2018 and issued 09 August 2022 as US Patent 11411977, which is a continuation of Application Serial No. 14/728,932, filed 02 June 2015 and issued 20 March 2018 as US Patent 9923915. Applicant’s claim for the benefit of a prior-filed application under 35 U.S.C. 119(e) or under 35 U.S.C. 120, 121, 365(c), or 386(c) is acknowledged. Applicant has not complied with one or more conditions for receiving the benefit of an earlier filing date under 35 U.S.C. 120 as follows: The later-filed application must be an application for a patent for an invention which is also disclosed in the prior application (the parent or original nonprovisional application or provisional application). The disclosure of the invention in the parent application and in the later-filed application must be sufficient to comply with the requirements of 35 U.S.C. 112(a) or the first paragraph of pre-AIA 35 U.S.C. 112, except for the best mode requirement. See Transco Products, Inc. v. Performance Contracting, Inc., 38 F.3d 551, 32 USPQ2d 1077 (Fed. Cir. 1994). The disclosures of the prior-filed applications, Application Nos. 17/810,757, 15/891,630, and 14/728,932, fail to provide adequate support or enablement in the manner provided by 35 U.S.C. 112(a) or pre-AIA 35 U.S.C. 112, first paragraph for one or more claims of this application. In particular, the prior-filed applications do not provide adequate support for the limitations of Claims 2, 16, and 21 of “security event data” or “correlating the operational data with the security event data” or that generating risk metrics is “based on the correlated data”; the limitations of Claim 3 and 17 of “data-centric functions” or “aggregates logs and events from various sources”; the limitation of Claim 4 of “identifying overlapping anomalies in the operational data and the security event data that align with one or more known threat patterns”; the limitation of Claim 5 of “predefined attack signatures”; the limitations of Claims 6 and 18 of “machine learning models” and “normal operational parameters”; the limitation of Claim 7 of “updating the one or more machine learning models based on new data and detected incidents”; the limitation of Claim 8 of “mapping security events to specific operational components using network topology information”; the limitations of Claims 9 and 19 of “an importance of one or more associated operational technology components”; the limitations of Claims 10 and 20 of “applying weighted values to different threat indicators identified during correlation” and “changing threat landscapes or organizational priorities”; the limitation of Claim 11 of “updating the risk metrics continuously in real-time based on new operational data, new security event data”; the limitations of Claim 13 of “intrusion detection systems, antivirus software, user authentication systems”; the limitations of Claim 14 of “configuration settings, sensor readings, and real-time status indicators”; and the limitations of Claim 15 of “manufacturer details, firmware versions, and known vulnerabilities” and “factoring in known vulnerabilities associated with specific firmware versions or hardware models”. Specification The disclosure is objected to because of the following informalities: The specification includes minor typographical and other errors. For example, in paragraph 0001 (see page 2 of the preliminary amendment), it appears that the reference to Application 17/810,757 should be updated to include the issue date and patent number for consistency with the other parent applications. In paragraph 0046, line 3, it appears that “MOM” should read “MDM” as an abbreviation of “meter data management”. Appropriate correction is required. Applicant’s cooperation is requested in correcting any other errors of which applicant may become aware in the specification. The specification is objected to as failing to provide proper antecedent basis for the claimed subject matter. See 37 CFR 1.75(d)(1) and MPEP § 608.01(o). Correction of the following is required: New Claims 2, 16, and 21 each recite “security event data” or “correlating the operational data with the security event data” or that generating risk metrics is “based on the correlated data”. New Claims 3 and 17 each recite “data-centric functions” or “aggregates logs and events from various sources”. New Claim 4 recites “identifying overlapping anomalies in the operational data and the security event data that align with one or more known threat patterns”. New Claim 5 recites “predefined attack signatures”. New Claims 6 and 18 each recite “machine learning models” and “normal operational parameters”. New Claim 7 recites “updating the one or more machine learning models based on new data and detected incidents”. New Claim 8 recites “mapping security events to specific operational components using network topology information”. New Claims 9 and 19 each recite “an importance of one or more associated operational technology components”. New Claims 10 and 20 each recite “applying weighted values to different threat indicators identified during correlation” and “changing threat landscapes or organizational priorities”. New Claim 11 recites “updating the risk metrics continuously in real-time based on new operational data, new security event data”. New Claim 13 recites “intrusion detection systems, antivirus software, user authentication systems”. New Claim 14 recites “configuration settings, sensor readings, and real-time status indicators”. New Claim 15 recites “manufacturer details, firmware versions, and known vulnerabilities” and “factoring in known vulnerabilities associated with specific firmware versions or hardware models. There appears to be no mention in the specification of any of these new limitations, and therefore, there is not clearly proper antecedent basis for the claimed subject matter in the specification. For further detail, see below with respect to the rejection under 35 U.S.C. 112(a) for failure to comply with the written description requirement. Claim Rejections - 35 USC § 112 The following is a quotation of 35 U.S.C. 112(a): (a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention. The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112: The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention. Claims 2-21 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claims contain subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention. New independent Claims 2, 16, and 21 each recite “security event data” or “correlating the operational data with the security event data” or that generating risk metrics is “based on the correlated data”. Although Applicant has cited paragraphs 0042-0052, 0056, and 0064-0070 of the specification for support of the new claims (see page 8 of the present response), none of these paragraphs mention any “security event data”. Although paragraph 0064 mentions failing to correlate a login with physical presence, this is not clearly a correlation of operational data with security event data. Further, there is no mention in these paragraphs of generating risk metrics based on any correlated data. Additionally, there appears to be no mention elsewhere in the specification of any security event data or any correlation. Therefore, there is not clear written description of the claimed subject matter. New Claims 3 and 17 each recite “data-centric functions” or “aggregates logs and events from various sources”. Although Applicant has cited paragraphs 0042-0052, 0056, and 0064-0070 of the specification for support of the new claims (see page 8 of the present response), none of these paragraphs mention data-centric functions or aggregation. Further, there appears to be no mention elsewhere in the specification of any data-centric functions or aggregation. Therefore, there is not clear written description of the claimed subject matter. New Claim 4 recites “identifying overlapping anomalies in the operational data and the security event data that align with one or more known threat patterns”. Although Applicant has cited paragraphs 0042-0052, 0056, and 0064-0070 of the specification for support of the new claims (see page 8 of the present response), and although paragraph 0064 generally mentions protocol anomalies, none of these paragraphs mention identifying overlapping anomalies or any known threat patterns. Further, there appears to be no mention elsewhere in the specification of any overlapping anomalies or known threat patterns. Therefore, there is not clear written description of the claimed subject matter. New Claim 5 recites “predefined attack signatures”. Although Applicant has cited paragraphs 0042-0052, 0056, and 0064-0070 of the specification for support of the new claims (see page 8 of the present response), none of these paragraphs mention attack signatures. Further, there appears to be no mention elsewhere in the specification of any attack signatures. Therefore, there is not clear written description of the claimed subject matter. New Claims 6 and 18 each recite “machine learning models” and “normal operational parameters”. Although Applicant has cited paragraphs 0042-0052, 0056, and 0064-0070 of the specification for support of the new claims (see page 8 of the present response), and although paragraph 0056 discusses machine learning processes, none of these paragraphs explicitly mentions machine learning models. Further, none of these paragraphs mention normal operational parameters or operational parameters more generally. Further, there appears to be no mention elsewhere in the specification of any machine learning models or normal operational parameters. Therefore, there is not clear written description of the claimed subject matter. New Claim 7 recites “updating the one or more machine learning models based on new data and detected incidents”. Although Applicant has cited paragraphs 0042-0052, 0056, and 0064-0070 of the specification for support of the new claims (see page 8 of the present response), none of these paragraphs mention machine learning models as noted above, and further, none of these paragraphs mention updating any machine learning models, nor do they mention new data or detected incidents. Further, there appears to be no mention elsewhere in the specification of any updating, new data, or detected incidents. Therefore, there is not clear written description of the claimed subject matter. New Claim 8 recites “mapping security events to specific operational components using network topology information”. Although Applicant has cited paragraphs 0042-0052, 0056, and 0064-0070 of the specification for support of the new claims (see page 8 of the present response), none of these paragraphs mention any mapping or network topology information. Further, there appears to be no mention elsewhere in the specification of any mapping or topology information. Therefore, there is not clear written description of the claimed subject matter. New Claims 9 and 19 each recite “an importance of one or more associated operational technology components”. Although Applicant has cited paragraphs 0042-0052, 0056, and 0064-0070 of the specification for support of the new claims (see page 8 of the present response), none of these paragraphs mention the importance of any components. Further, there appears to be no mention elsewhere in the specification of any importance. Therefore, there is not clear written description of the claimed subject matter. New Claims 10 and 20 each recite “applying weighted values to different threat indicators identified during correlation” and “changing threat landscapes or organizational priorities”. Although Applicant has cited paragraphs 0042-0052, 0056, and 0064-0070 of the specification for support of the new claims (see page 8 of the present response), and although paragraph 0056 generally discloses applying weight values to metrics, none of these paragraphs mentions applying weight values to threat indicators, and because there is no mention of correlation as discussed above, there is also no discussion of any indicators identified during correlation. Further, although paragraph 0070 mentions priority for repairing components, there is not clear mention of organizational priorities, nor does there appear to be any mention of any threat landscapes. Additionally, there appears to be no mention elsewhere in the specification of any application of weighted values to threat indicators, threat landscapes, or organizational priorities. Therefore, there is not clear written description of the claimed subject matter. New Claim 11 recites “updating the risk metrics continuously in real-time based on new operational data, new security event data”. Although Applicant has cited paragraphs 0042-0052, 0056, and 0064-0070 of the specification for support of the new claims (see page 8 of the present response), and although paragraph 0056 generally describes updating an analysis module and paragraph 0048 discusses acquiring data in real time, none of these paragraphs describe updating risk metrics continuously in real time. Further, as noted above, there is not any mention of security event data, and therefore, there cannot be updating based on new security event data. Additionally, there appears to be no mention elsewhere in the specification of any continuous updating of the risk metrics based on new operational data or new security event data. Therefore, there is not clear written description of the claimed subject matter. New Claim 13 recites “intrusion detection systems, antivirus software, user authentication systems”. Although Applicant has cited paragraphs 0042-0052, 0056, and 0064-0070 of the specification for support of the new claims (see page 8 of the present response), none of these paragraphs mention intrusion detection systems, antivirus software, or user authentication systems. Although other paragraphs generally mention intrusion prevention systems, these are not the same as intrusion detection systems. Further, there appears to be no mention elsewhere in the specification of any intrusion detection systems, antivirus software, or user authentication systems. Therefore, there is not clear written description of the claimed subject matter. New Claim 14 recites “configuration settings, sensor readings, and real-time status indicators”. Although Applicant has cited paragraphs 0042-0052, 0056, and 0064-0070 of the specification for support of the new claims (see page 8 of the present response), none of these paragraphs mention configuration settings, sensor readings, or real-time status indicators. Further, there appears to be no mention elsewhere in the specification of any configuration settings (or configuration more generally), sensor readings (or sensors more generally), or real-time status indicators (or status indicators more generally). Therefore, there is not clear written description of the claimed subject matter. New Claim 15 recites “manufacturer details, firmware versions, and known vulnerabilities” and “factoring in known vulnerabilities associated with specific firmware versions or hardware models. Although Applicant has cited paragraphs 0042-0052, 0056, and 0064-0070 of the specification for support of the new claims (see page 8 of the present response), none of these paragraphs mention manufacturer details, firmware versions, or that any vulnerabilities are “known”. Further, there appears to be no mention elsewhere in the specification of any manufacturer details (or manufacturers more generally), firmware versions, or known vulnerabilities. Therefore, there is not clear written description of the claimed subject matter. Claims not explicitly referred to above are rejected due to their dependence on a rejected base claim. The following is a quotation of 35 U.S.C. 112(b): (b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention. The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph: The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention. Claims 2-21 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention. Claim 2 recites “one or more operational technology components” in line 11. It is not clear whether these components are in the plurality of operational technology components recited in line 2 or not. If they are intended to be elements of the plurality, then the claim could be amended to recite “one or more of the operational technology components” or similar. Claim 6 recites “normal operational patterns” in line 3. The term “normal” is a relative term which has not clearly been defined in the claim or specification. There is no mention of the term “normal” in the specification, and therefore, the specification provides no definition of the term and no standard of comparison to allow one to determine whether operational patterns are normal or not. See MPEP § 2173.05(b). Claim 16 recites “one or more operational technology components” in line 14. It is not clear whether these components are in the plurality of operational technology components recited in line 5 or not. If they are intended to be elements of the plurality, then the claim could be amended to recite “one or more of the operational technology components” or similar. Claim 18 recites “normal operational patterns” in line 3. The term “normal” is a relative term which has not clearly been defined in the claim or specification. There is no mention of the term “normal” in the specification, and therefore, the specification provides no definition of the term and no standard of comparison to allow one to determine whether operational patterns are normal or not. See MPEP § 2173.05(b). Claim 21 recites “one or more operational technology components” in line 12. It is not clear whether these components are in the plurality of operational technology components recited in line 3 or not. If they are intended to be elements of the plurality, then the claim could be amended to recite “one or more of the operational technology components” or similar. Claims not explicitly referred to above are rejected due to their dependence on a rejected base claim. Claim Rejections - 35 USC § 102 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action: A person shall be entitled to a patent unless – (a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention. Claims 2-21 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Martinez et al, US Patent Application Publication 2014/0137257 (cited by Applicant). In reference to Claim 2, Martinez discloses a method comprising: acquiring operational data from a plurality of operational technology (OT) components and security event data from a plurality of information technology (IT) services within a networked system (see paragraphs 0063, 0090, and 0156, and Figure 3, step 302, gathering data); correlating the operational data with the security event data to identify one or more cyber threats potentially affecting the operational technology components (paragraph 0090; see also Figure 6, steps 602-614, identifying threats); generating a plurality of risk metrics comprising a respective risk metric for each of at least a subset of the operational technology components based on the correlated data, wherein each respective risk metric indicates a predicted severity of potential cybersecurity threats for a corresponding operational technology component (Figure 7, step 722, determine vulnerability score; Figure 10, step 1006, calculate risk); and prioritizing examination or repair of one or more operational technology components based on the plurality of risk metrics (see paragraph 0192, determining priority). In reference to Claim 3, Martinez further discloses that the OT components include physical devices that control operational processes, and the IT services include applications that manage data-centric functions (see paragraph 0162), and wherein acquiring security event data comprises acquiring data from a security information and event management (SIEM) system, wherein the SIEM system aggregates logs and events from various sources within the networked system (paragraph 0193, SIEM; paragraph 0151, aggregating). In reference to Claim 4, Martinez further discloses that correlating the operational data with the security event data comprises identifying overlapping anomalies in the operational data and the security event data that align with one or more known threat patterns (paragraph 0151, identifying patterns). In reference to Claim 5, Martinez further discloses detecting sequences of events that match one or more predefined attack signatures or behavioral patterns (paragraph 0151). In reference to Claim 6, Martinez further discloses applying one or more machine learning models trained to recognize normal operational patterns and flag anomalies to the operational data, the security event data, or a combination thereof (see paragraph 0065, modeling; see also paragraph 0151, recognizing patterns). In reference to Claim 7, Martinez further discloses updating the one or more machine learning models based on new data and detected incidents (paragraph 0123). In reference to Claim 8, Martinez further discloses mapping security events to specific operational technology components using network topology information (paragraph 0103, mapping assets to threats). In reference to Claim 9, Martinez further discloses calculating a score for each operational technology component based on a severity of the detected one or more cyber threats, an importance of one or more associated operational technology components, or a combination thereof (paragraphs 0088, 0192, severity; paragraphs 0243-0250, importance). In reference to Claim 10, Martinez further discloses applying weighted values to different threat indicators identified during correlation, and wherein the weighted values are adjusted dynamically in response to changing threat landscapes or organizational priorities (paragraph 0050, weighted variables). In reference to Claim 11, Martinez further discloses updating the risk metrics continuously in real-time based on new operational data, new security event data, or a combination thereof (paragraph 0123). In reference to Claim 12, Martinez further discloses generating a ranked list of operational technology components based on their respective risk metrics, and allocating resources or scheduling maintenance based on the ranked list (paragraph 0192, determining priority). In reference to Claim 13, Martinez further discloses that the security event data includes logs and events from firewalls, intrusion detection systems, antivirus software, user authentication systems, and network devices (paragraph 0194, network logs; paragraph 0141, firewall, intrusion detection system; paragraph 0122, anti-virus). In reference to Claim 14, Martinez further discloses that operational data includes performance metrics, configuration settings, sensor readings, and real-time status indicators of the operational technology components (paragraph 0091, metrics and readings; paragraph 0122, configuration settings; paragraph 0156, status indicators). In reference to Claim 15, Martinez further discloses collecting asset information related to the operational technology components, such as manufacturer details, firmware versions, and known vulnerabilities, wherein generating each respective risk metric includes factoring in known vulnerabilities associated with specific firmware versions or hardware models (paragraphs 0113-0115). Claims 16-20 are directed to systems having functionality corresponding to the methods of Claims 2, 3, 6, 9, and 10, respectively, and are rejected by a similar rationale, mutatis mutandis. Claim 21 is directed to a software implementation of the method of Claim 1, and is rejected by a similar rationale. Conclusion The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The cited art was generally made of record in the parent applications. See the prosecution histories of the parent applications for additional description of the cited art. Any inquiry concerning this communication or earlier communications from the examiner should be directed to Zachary A Davis whose telephone number is (571)272-3870. The examiner can normally be reached Monday-Friday, 9:00am-5:30pm, Eastern Time. Examiner interviews are available via telephone and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Rupal D Dharia can be reached at (571) 272-3880. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /Zachary A. Davis/Primary Examiner, Art Unit 2492
Read full office action

Prosecution Timeline

Dec 31, 2024
Application Filed
Jun 17, 2026
Non-Final Rejection mailed — §102, §112 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12676750
Methods, Systems, and Devices for Server Control of Client Authorization Proof of Possession
4y 5m to grant Granted Jul 07, 2026
Patent 12676751
Methods, Systems, and Devices for Server Control of Client Authorization Proof of Possession
4y 5m to grant Granted Jul 07, 2026
Patent 12659750
ULTRA-WIDEBAND UNLOCK DEVICE
3y 8m to grant Granted Jun 16, 2026
Patent 12592929
TECHNIQUE FOR COMPUTING A BLOCK IN A BLOCKCHAIN NETWORK
4y 9m to grant Granted Mar 31, 2026
Patent 12566840
Systems And Methods For Creating Trustworthy Orchestration Instructions Within A Containerized Computing Environment For Validation Within An Alternate Computing Environment
3y 7m to grant Granted Mar 03, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

1-2
Expected OA Rounds
54%
Grant Probability
76%
With Interview (+22.0%)
4y 5m (~2y 11m remaining)
Median Time to Grant
Low
PTA Risk
Based on 506 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month