Prosecution Insights
Last updated: July 17, 2026
Application No. 19/058,612

AUGMENTED ARTIFICIAL INTELLIGENCE-BASED INVESTIGATIONS OF POTENTIAL CYBER INCIDENTS, AND USE THEREOF

Non-Final OA §101§102§112
Filed
Feb 20, 2025
Priority
Feb 20, 2024 — provisional 63/555,823
Examiner
MCNALLY, MICHAEL S
Art Unit
2431
Tech Center
2400 — Computer Networks
Assignee
Darktrace Holdings Limited
OA Round
1 (Non-Final)
90%
Grant Probability
Favorable
1-2
OA Rounds
1y 2m
Est. Remaining
98%
With Interview

Examiner Intelligence

Grants 90% — above average
90%
Career Allowance Rate
962 granted / 1072 resolved
+31.7% vs TC avg
Moderate +9% lift
Without
With
+8.7%
Interview Lift
resolved cases with interview
Typical timeline
2y 6m
Avg Prosecution
16 currently pending
Career history
1093
Total Applications
across all art units

Statute-Specific Performance

§101
4.2%
-35.8% vs TC avg
§103
59.2%
+19.2% vs TC avg
§102
13.4%
-26.6% vs TC avg
§112
5.9%
-34.1% vs TC avg
Black line = Tech Center average estimate • Based on career data from 1072 resolved cases

Office Action

§101 §102 §112
DETAILED ACTION Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Priority Applicant’s claim for the benefit of a prior-filed application under 35 U.S.C. 119(e) or under 35 U.S.C. 120, 121, 365(c), or 386(c) is acknowledged. Information Disclosure Statement The information disclosure statement (IDS) submitted on 29 August 2025 has been considered by the examiner. Drawings The drawings are objected to under 37 CFR 1.83(a). The drawings must show every feature of the invention specified in the claims. Therefore, the user interaction module must be shown or the feature canceled from the claims. No new matter should be entered. Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. The figure or figure number of an amended drawing should not be labeled as “amended.” If a drawing figure is to be canceled, the appropriate figure must be removed from the replacement sheet, and where necessary, the remaining figures must be renumbered and appropriate changes made to the brief description of the several views of the drawings for consistency. Additional replacement sheets may be necessary to show the renumbering of the remaining figures. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance. Claim Interpretation The following is a quotation of 35 U.S.C. 112(f): (f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. The following is a quotation of pre-AIA 35 U.S.C. 112, sixth paragraph: An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art. The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is invoked. As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph: (A) the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; (B) the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and (C) the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. Such claim limitations are: a cyber threat analyst module configured to perform.. of Claims 1 and 11 (Corresponding structure: Modules are disclosed as software running on hardware. It is unclear if there is a corresponding instantiating algorithm sufficient to convert the described general purpose computer to a specific purpose computer) a user interaction module communicatively coupled to the cyber threat analyst module, wherein the user interaction module is configured to receive.. of Claims 1 and 11 (Corresponding structure: Modules are disclosed as software running on hardware. It is unclear if there is a corresponding instantiating algorithm sufficient to convert the described general purpose computer to a specific purpose computer) Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof. If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may: (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. Claim Rejections - 35 USC § 112 The following is a quotation of 35 U.S.C. 112(b): (b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention. The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph: The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention. Claims 1-18 and 20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention. The claim limitations listed above invoke 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. However, the written description fails to disclose the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function. Therefore, the claims is indefinite and is rejected under 35 U.S.C. 112(b) or pre-AIA 35 U.S.C. 112, second paragraph. Applicant may: (a) Amend the claim so that the claim limitation will no longer be interpreted as a limitation under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph; (b) Amend the written description of the specification such that it expressly recites what structure, material, or acts perform the entire claimed function, without introducing any new matter (35 U.S.C. 132(a)); or (c) Amend the written description of the specification such that it clearly links the structure, material, or acts disclosed therein to the function recited in the claim, without introducing any new matter (35 U.S.C. 132(a)). If applicant is of the opinion that the written description of the specification already implicitly or inherently discloses the corresponding structure, material, or acts and clearly links them to the function so that one of ordinary skill in the art would recognize what structure, material, or acts perform the claimed function, applicant should clarify the record by either: (a) Amending the written description of the specification such that it expressly recites the corresponding structure, material, or acts for performing the claimed function and clearly links or associates the structure, material, or acts to the claimed function, without introducing any new matter (35 U.S.C. 132(a)); or (b) Stating on the record what the corresponding structure, material, or acts, which are implicitly or inherently set forth in the written description of the specification, perform the claimed function. For more information, see 37 CFR 1.75(d) and MPEP §§ 608.01(o) and 2181. Claims 1 and 11 are rejected on this basis. Claims 2-10 and 12-18 are rejected as depending from a rejected claim and failing to correct the deficiencies thereof. Claim 11 recites the limitation “wherein the cyber threat analyst module is configured to generate data indicative of: one or more investigative steps taken as part of the investigation for each hypothesis of the one or more hypotheses; an outcome of the investigation for each hypothesis,” It is unclear if both pieces of generated data are required or if only one is, as the list is not terminated with either an “and” or an “or”. Claim 11 is rejected on this basis. Claims 12-17 are rejected as inheriting the deficiencies of claim 11 and failing to correct the same. Claim 20 recites the limitation “where the generated data is indicative of one or more investigative steps taken as part of the investigation for each hypothesis of the one or more hypotheses, an outcome of the investigation for each hypothesis.” It is unclear if both pieces of generated data are required or if only one is, as the list is not terminated with either an “and” or an “or”. Claim 20 is rejected on this basis. Claim Rejections - 35 USC § 101 35 U.S.C. 101 reads as follows: Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title. Claims 1-20 are rejected under 35 U.S.C. 101 because the claims are directed to an abstract idea without significantly more Claim 1 is directed to an abstract idea without significantly more. Step 2A, prong 1: Claim 1 is directed to an abstract idea because the following claim limitations recite an abstract idea: perform the investigation into the potential cyber incident; (mental activity); receive one or more user-selected hypotheses (mental activity); perform the investigation into the potential cyber incident based on the one or more user-selected hypotheses selected by a user responsive to one or more alerts generated by the cyber security system (mental activity); cause one or more actions to be performed based on an outcome of the investigation (mental activity) Claim 1 contains the additional elements of a cyber threat analyst module (software running on hardware), a user interaction module (software running on hardware) and wherein instructions implemented in software for the cyber threat analyst module and the user interaction module are configured to be stored in one or more non- transitory storage mediums to be executed by one or more processing units (software running on hardware). Step 2A, prong 2: The claim amounts to the mental activity of gathering information, processing it and making decisions based on the processing and, therefore, fails to provide any improvement to the functioning of a computer or technology. No technical solution is recited to a technical problem. Regarding claim 1, the additional elements fail to integrate the abstract idea into a practical application because all the additional elements, even when considered under 112f, are all recited at a level of generality and are merely using computers as a tool to implement the abstract idea. Thus, the additional elements amount to mere instructions to apply the exception (see MPEP 2106.05(f)). Step 2B: Likewise, the claim fails to recite, both when viewing the additional elements alone and in combination the abstract idea, significantly more than the abstract idea itself. Claim 1 fails to recite significantly more than the abstract idea because all the additional elements, even when considered under 112f, are all recited at a level of generality and are merely using computers as a tool to implement the abstract idea. Thus, the additional elements amount to mere instructions to apply the exception (see MPEP 2106.05(f)). Therefore, claim 1 is directed to an abstract idea without significantly more and are unpatentable under 35 USC 101. Claim 2 is directed to an abstract idea without significantly more. Step 2A, prong 1: Claim 2 is directed to an abstract idea because the following claim limitations recite an abstract idea: review an output of the investigation into the potential cyber incident; (mental activity); supply the one or more user-selected hypotheses for the cyber threat analyst module to further review by the cyber threat analyst module to conclude whether the potential cyber incident detected by the cyber security system is an actual cyber incident caused by a cyber threat (mental activity) Claim 2 contains the additional elements of a cyber threat analyst module (software running on hardware), a user interaction module (software running on hardware). Step 2A, prong 2: The claim amounts to the mental activity of gathering information, processing it and making decisions based on the processing and, therefore, fails to provide any improvement to the functioning of a computer or technology. No technical solution is recited to a technical problem. Regarding claim 2, the additional elements fail to integrate the abstract idea into a practical application because all the additional elements, even when considered under 112f, are all recited at a level of generality and are merely using computers as a tool to implement the abstract idea. Thus, the additional elements amount to mere instructions to apply the exception (see MPEP 2106.05(f)). Step 2B: Likewise, the claim fails to recite, both when viewing the additional elements alone and in combination the abstract idea, significantly more than the abstract idea itself. Claim 2 fails to recite significantly more than the abstract idea because all the additional elements, even when considered under 112f, are all recited at a level of generality and are merely using computers as a tool to implement the abstract idea. Thus, the additional elements amount to mere instructions to apply the exception (see MPEP 2106.05(f)). Therefore, claim 2 is directed to an abstract idea without significantly more and are unpatentable under 35 USC 101. Claim 3 is directed to an abstract idea without significantly more. Step 2A, prong 1: Claim 3 is directed to an abstract idea because the following claim limitations recite an abstract idea: receive input from the user indicative of the one or more user-selected hypotheses (mental activity); Claim 3 contains the additional elements of a user interaction module (software running on hardware), and a user interface. Step 2A, prong 2: The claim amounts to the mental activity of gathering information, processing it and making decisions based on the processing and, therefore, fails to provide any improvement to the functioning of a computer or technology. No technical solution is recited to a technical problem. Regarding claim 3, the additional elements fail to integrate the abstract idea into a practical application because all the additional elements, even when considered under 112f, are all recited at a level of generality and are merely using computers as a tool to implement the abstract idea. Thus, the additional elements amount to mere instructions to apply the exception (see MPEP 2106.05(f)). Step 2B: Likewise, the claim fails to recite, both when viewing the additional elements alone and in combination the abstract idea, significantly more than the abstract idea itself. Claim 3 fails to recite significantly more than the abstract idea because all the additional elements, even when considered under 112f, are all recited at a level of generality and are merely using computers as a tool to implement the abstract idea. Thus, the additional elements amount to mere instructions to apply the exception (see MPEP 2106.05(f)). Therefore, claim 3 is directed to an abstract idea without significantly more and are unpatentable under 35 USC 101. Claim 4 is directed to an abstract idea without significantly more. Step 2A, prong 1: Claim 4 is directed to an abstract idea because the following claim limitations recite an abstract idea: provide a representation of the one or more alerts detected by the cyber security system (mental activity); allow the user to select the one or more user-selected hypotheses for the cyber threat analyst module to investigate (mental or spoken activity) Claim 4 contains the additional elements of a user interaction module (software running on hardware), and a user interface. Step 2A, prong 2: The claim amounts to the mental activity of gathering information, processing it and making decisions based on the processing and, therefore, fails to provide any improvement to the functioning of a computer or technology. No technical solution is recited to a technical problem. Regarding claim 4, the additional elements fail to integrate the abstract idea into a practical application because all the additional elements, even when considered under 112f, are all recited at a level of generality and are merely using computers as a tool to implement the abstract idea. Thus, the additional elements amount to mere instructions to apply the exception (see MPEP 2106.05(f)). Step 2B: Likewise, the claim fails to recite, both when viewing the additional elements alone and in combination the abstract idea, significantly more than the abstract idea itself. Claim 4 fails to recite significantly more than the abstract idea because all the additional elements, even when considered under 112f, are all recited at a level of generality and are merely using computers as a tool to implement the abstract idea. Thus, the additional elements amount to mere instructions to apply the exception (see MPEP 2106.05(f)). Therefore, claim 3 is directed to an abstract idea without significantly more and are unpatentable under 35 USC 101. Claim 4 is directed to an abstract idea without significantly more. Step 2A, prong 1: Claim 4 is directed to an abstract idea because the following claim limitations recite an abstract idea: provide a representation of the one or more alerts detected by the cyber security system (mental activity); allow the user to select the one or more user-selected hypotheses for the cyber threat analyst module to investigate (mental or spoken activity) Claim 4 contains the additional elements of a user interaction module (software running on hardware), and a user interface. Step 2A, prong 2: The claim amounts to the mental activity of gathering information, processing it and making decisions based on the processing and, therefore, fails to provide any improvement to the functioning of a computer or technology. No technical solution is recited to a technical problem. Regarding claim 4, the additional elements fail to integrate the abstract idea into a practical application because all the additional elements, even when considered under 112f, are all recited at a level of generality and are merely using computers as a tool to implement the abstract idea. Thus, the additional elements amount to mere instructions to apply the exception (see MPEP 2106.05(f)). Step 2B: Likewise, the claim fails to recite, both when viewing the additional elements alone and in combination the abstract idea, significantly more than the abstract idea itself. Claim 4 fails to recite significantly more than the abstract idea because all the additional elements, even when considered under 112f, are all recited at a level of generality and are merely using computers as a tool to implement the abstract idea. Thus, the additional elements amount to mere instructions to apply the exception (see MPEP 2106.05(f)). Therefore, claim 4 is directed to an abstract idea without significantly more and are unpatentable under 35 USC 101. Claim 5 is directed to an abstract idea without significantly more. Step 2A, prong 1: Claim 5 is directed to an abstract idea because the following claim limitations recite an abstract idea: provide a representation of one or more suggested hypotheses identified by the cyber security system in response to the one or more alerts, wherein the one or more suggested hypotheses are identified based on one or more predefined rules (mental activity); cause a user interface to provide the user with an option to select the one or more hypotheses for investigation from a set of hypotheses other than the one or more suggested hypotheses (mental activity or can be performed with pencil and paper) Claim 5 contains the additional elements of a user interaction module (software running on hardware), and a user interface. Step 2A, prong 2: The claim amounts to the mental activity of gathering information, processing it and making decisions based on the processing and, therefore, fails to provide any improvement to the functioning of a computer or technology. No technical solution is recited to a technical problem. Regarding claim 5, the additional elements fail to integrate the abstract idea into a practical application because all the additional elements, even when considered under 112f, are all recited at a level of generality and are merely using computers as a tool to implement the abstract idea. Thus, the additional elements amount to mere instructions to apply the exception (see MPEP 2106.05(f)). Step 2B: Likewise, the claim fails to recite, both when viewing the additional elements alone and in combination the abstract idea, significantly more than the abstract idea itself. Claim 5 fails to recite significantly more than the abstract idea because all the additional elements, even when considered under 112f, are all recited at a level of generality and are merely using computers as a tool to implement the abstract idea. Thus, the additional elements amount to mere instructions to apply the exception (see MPEP 2106.05(f)). Therefore, claim 5 is directed to an abstract idea without significantly more and are unpatentable under 35 USC 101. Claim 6 is directed to an abstract idea without significantly more. Step 2A, prong 1: Claim 6 is directed to an abstract idea because the following claim limitations recite an abstract idea: receive one or more user specified criteria for the cyber security system, wherein the one or more user specified criteria are indicative of the one or more actions that are to be performed based on the outcome of the investigation to allow the user to augment recommended response actions to be taken by the cyber security system with the one or more actions selected by the user. (mental activity); Claim 6 contains the additional elements of a user interaction module (software running on hardware). Step 2A, prong 2: The claim amounts to the mental activity of gathering information, processing it and making decisions based on the processing and, therefore, fails to provide any improvement to the functioning of a computer or technology. No technical solution is recited to a technical problem. Regarding claim 6, the additional elements fail to integrate the abstract idea into a practical application because all the additional elements, even when considered under 112f, are all recited at a level of generality and are merely using computers as a tool to implement the abstract idea. Thus, the additional elements amount to mere instructions to apply the exception (see MPEP 2106.05(f)). Step 2B: Likewise, the claim fails to recite, both when viewing the additional elements alone and in combination the abstract idea, significantly more than the abstract idea itself. Claim 6 fails to recite significantly more than the abstract idea because all the additional elements, even when considered under 112f, are all recited at a level of generality and are merely using computers as a tool to implement the abstract idea. Thus, the additional elements amount to mere instructions to apply the exception (see MPEP 2106.05(f)). Therefore, claim 6 is directed to an abstract idea without significantly more and are unpatentable under 35 USC 101. Claim 7 is directed to an abstract idea without significantly more. Step 2A, prong 1: Claim 7 is directed to an abstract idea because the following claim limitations recite an abstract idea: allow the user to be able to review i) how the cyber threat analyst module performed the investigation into the potential cyber incident and concluded a cyber threat was present and ii) then what are one or more autonomous responses to be taken by the cyber security system. (mental activity or activity performed with pencil and paper); Claim 7 contains the additional elements of a user interaction module (software running on hardware). Step 2A, prong 2: The claim amounts to the mental activity of gathering information, processing it and making decisions based on the processing and, therefore, fails to provide any improvement to the functioning of a computer or technology. No technical solution is recited to a technical problem. Regarding claim 7, the additional elements fail to integrate the abstract idea into a practical application because all the additional elements, even when considered under 112f, are all recited at a level of generality and are merely using computers as a tool to implement the abstract idea. Thus, the additional elements amount to mere instructions to apply the exception (see MPEP 2106.05(f)). Step 2B: Likewise, the claim fails to recite, both when viewing the additional elements alone and in combination the abstract idea, significantly more than the abstract idea itself. Claim 7 fails to recite significantly more than the abstract idea because all the additional elements, even when considered under 112f, are all recited at a level of generality and are merely using computers as a tool to implement the abstract idea. Thus, the additional elements amount to mere instructions to apply the exception (see MPEP 2106.05(f)). Therefore, claim 7 is directed to an abstract idea without significantly more and are unpatentable under 35 USC 101. Claim 8 is directed to an abstract idea without significantly more. Step 2A, prong 1: Claim 8 is directed to an abstract idea because the following claim limitations recite an abstract idea: cooperate with an autonomous response module to allow the user to review one or more autonomous responses to be taken by the autonomous response module to mitigate against a cyber threat detected in the potential cyber incident and then to allow the user to insert their own better judgement on what autonomous responses will be taken by the autonomous response module (mental activity or activity performed with pencil and paper); Claim 8 contains the additional elements of a user interaction module (software running on hardware) and an autonomous response module (software running on hardware). Step 2A, prong 2: The claim amounts to the mental activity of gathering information, processing it and making decisions based on the processing and, therefore, fails to provide any improvement to the functioning of a computer or technology. No technical solution is recited to a technical problem. Regarding claim 8, the additional elements fail to integrate the abstract idea into a practical application because all the additional elements, even when considered under 112f, are all recited at a level of generality and are merely using computers as a tool to implement the abstract idea. Thus, the additional elements amount to mere instructions to apply the exception (see MPEP 2106.05(f)). Step 2B: Likewise, the claim fails to recite, both when viewing the additional elements alone and in combination the abstract idea, significantly more than the abstract idea itself. Claim 8 fails to recite significantly more than the abstract idea because all the additional elements, even when considered under 112f, are all recited at a level of generality and are merely using computers as a tool to implement the abstract idea. Thus, the additional elements amount to mere instructions to apply the exception (see MPEP 2106.05(f)). Therefore, claim 8 is directed to an abstract idea without significantly more and are unpatentable under 35 USC 101. Claim 9 is directed to an abstract idea without significantly more. Step 2A, prong 1: Claim 9 is directed to an abstract idea because the following claim limitations recite an abstract idea: represent at least some data generated as part of the investigation into the potential cyber incident, (mental activity or activity performed with pencil and paper); use data to generate a representation comprising: a status of the investigation; a description associated with at least one of the one or more hypotheses; one or more steps taken by the cyber threat analyst module as part of the investigation for at least one of the one or more user-selected hypotheses; the outcome of the investigation, wherein the outcome is indicative of whether the data supports at least one of the one or more user-selected hypotheses; or a combination thereof (mental activity or activity performed with pencil and paper). Claim 9 contains the additional elements of a user interface and the apparatus. Step 2A, prong 2: The claim amounts to the mental activity of gathering information, processing it and making decisions based on the processing and, therefore, fails to provide any improvement to the functioning of a computer or technology. No technical solution is recited to a technical problem. Regarding claim 9, the additional elements fail to integrate the abstract idea into a practical application because all the additional elements, even when considered under 112f, are all recited at a level of generality and are merely using computers as a tool to implement the abstract idea. Thus, the additional elements amount to mere instructions to apply the exception (see MPEP 2106.05(f)). Step 2B: Likewise, the claim fails to recite, both when viewing the additional elements alone and in combination the abstract idea, significantly more than the abstract idea itself. Claim 9 fails to recite significantly more than the abstract idea because all the additional elements, even when considered under 112f, are all recited at a level of generality and are merely using computers as a tool to implement the abstract idea. Thus, the additional elements amount to mere instructions to apply the exception (see MPEP 2106.05(f)). Therefore, claim 9 is directed to an abstract idea without significantly more and are unpatentable under 35 USC 101. Claim 10 is directed to an abstract idea without significantly more. Step 2A, prong 1: Claim 9 is directed to an abstract idea because the following claim limitations recite an abstract idea: provide a request for input from the user to trigger one or more responses to be taken by the cyber security system to address the potential cyber incident., (mental activity or activity performed with pencil and paper). Claim 10 contains the additional elements of a user interface. Step 2A, prong 2: The claim amounts to the mental activity of gathering information, processing it and making decisions based on the processing and, therefore, fails to provide any improvement to the functioning of a computer or technology. No technical solution is recited to a technical problem. Regarding claim 10, the additional elements fail to integrate the abstract idea into a practical application because all the additional elements, even when considered under 112f, are all recited at a level of generality and are merely using computers as a tool to implement the abstract idea. Thus, the additional elements amount to mere instructions to apply the exception (see MPEP 2106.05(f)). Step 2B: Likewise, the claim fails to recite, both when viewing the additional elements alone and in combination the abstract idea, significantly more than the abstract idea itself. Claim 10 fails to recite significantly more than the abstract idea because all the additional elements, even when considered under 112f, are all recited at a level of generality and are merely using computers as a tool to implement the abstract idea. Thus, the additional elements amount to mere instructions to apply the exception (see MPEP 2106.05(f)). Therefore, claim 10 is directed to an abstract idea without significantly more and are unpatentable under 35 USC 101. Claim 11 is directed to an abstract idea without significantly more. Step 2A, prong 1: Claim 11 is directed to an abstract idea because the following claim limitations recite an abstract idea: perform the investigation into the potential cyber incident based on one or more hypotheses, (mental activity); generate data indicative of: one or more investigative steps taken as part of the investigation for each hypothesis of the one or more hypotheses; an outcome of the investigation for each hypothesis, (mental activity); provide at least a portion of the data generated by the cyber threat analyst module for use by a user interface to represent the portion of the data (mental activity) Claim 11 contains the additional elements of a cyber threat analyst module (software running on hardware), a user interaction module (software running on hardware), a user interface and wherein instructions implemented in software for the cyber threat analyst module and the user interaction module are configured to be stored in one or more non- transitory storage mediums to be executed by one or more processing units (software running on hardware). Step 2A, prong 2: The claim amounts to the mental activity of gathering information, processing it and making decisions based on the processing and, therefore, fails to provide any improvement to the functioning of a computer or technology. No technical solution is recited to a technical problem. Regarding claim 11, the additional elements fail to integrate the abstract idea into a practical application because all the additional elements, even when considered under 112f, are all recited at a level of generality and are merely using computers as a tool to implement the abstract idea. Thus, the additional elements amount to mere instructions to apply the exception (see MPEP 2106.05(f)). Step 2B: Likewise, the claim fails to recite, both when viewing the additional elements alone and in combination the abstract idea, significantly more than the abstract idea itself. Claim 11 fails to recite significantly more than the abstract idea because all the additional elements, even when considered under 112f, are all recited at a level of generality and are merely using computers as a tool to implement the abstract idea. Thus, the additional elements amount to mere instructions to apply the exception (see MPEP 2106.05(f)). Therefore, claim 11 is directed to an abstract idea without significantly more and are unpatentable under 35 USC 101. Claim 12 is directed to an abstract idea without significantly more. Step 2A, prong 1: Claim 12 is directed to an abstract idea because the following claim limitations recite an abstract idea: receive one or more user-selected hypotheses selected by a user via the user interface, (mental activity); review an output of the investigation into the potential cyber incident, and then supply the one or more user-selected hypotheses for the cyber threat analyst module to further review by the cyber threat analyst module to conclude whether the potential cyber incident detected by the cyber security system is an actual cyber incident caused by a cyber threat (mental activity). Claim 12 contains the additional elements of a cyber threat analyst module (software running on hardware), a user interaction module (software running on hardware) and a user interface. Step 2A, prong 2: The claim amounts to the mental activity of gathering information, processing it and making decisions based on the processing and, therefore, fails to provide any improvement to the functioning of a computer or technology. No technical solution is recited to a technical problem. Regarding claim 12, the additional elements fail to integrate the abstract idea into a practical application because all the additional elements, even when considered under 112f, are all recited at a level of generality and are merely using computers as a tool to implement the abstract idea. Thus, the additional elements amount to mere instructions to apply the exception (see MPEP 2106.05(f)). Step 2B: Likewise, the claim fails to recite, both when viewing the additional elements alone and in combination the abstract idea, significantly more than the abstract idea itself. Claim 12 fails to recite significantly more than the abstract idea because all the additional elements, even when considered under 112f, are all recited at a level of generality and are merely using computers as a tool to implement the abstract idea. Thus, the additional elements amount to mere instructions to apply the exception (see MPEP 2106.05(f)). Therefore, claim 12 is directed to an abstract idea without significantly more and are unpatentable under 35 USC 101. Claim 13 is directed to an abstract idea without significantly more. Step 2A, prong 1: Claim 13 is directed to an abstract idea because the following claim limitations recite an abstract idea: send an indication of one or more user-selected hypotheses to the cyber threat analyst module (mental activity); use the one or more user-selected hypotheses as part of the investigation into the potential cyber incident (mental activity). Claim 13 contains the additional elements of a cyber threat analyst module (software running on hardware) and a user interaction module (software running on hardware). Step 2A, prong 2: The claim amounts to the mental activity of gathering information, processing it and making decisions based on the processing and, therefore, fails to provide any improvement to the functioning of a computer or technology. No technical solution is recited to a technical problem. Regarding claim 13, the additional elements fail to integrate the abstract idea into a practical application because all the additional elements, even when considered under 112f, are all recited at a level of generality and are merely using computers as a tool to implement the abstract idea. Thus, the additional elements amount to mere instructions to apply the exception (see MPEP 2106.05(f)). Step 2B: Likewise, the claim fails to recite, both when viewing the additional elements alone and in combination the abstract idea, significantly more than the abstract idea itself. Claim 13 fails to recite significantly more than the abstract idea because all the additional elements, even when considered under 112f, are all recited at a level of generality and are merely using computers as a tool to implement the abstract idea. Thus, the additional elements amount to mere instructions to apply the exception (see MPEP 2106.05(f)). Therefore, claim 13 is directed to an abstract idea without significantly more and are unpatentable under 35 USC 101. Claim 14 is directed to an abstract idea without significantly more. Step 2A, prong 1: Claim 14 is directed to an abstract idea because the following claim limitations recite an abstract idea: display a representation of one or more alerts generated by the cyber security system in connection with the potential cyber incident (mental activity or can be performed with a paper and pencil). Claim 14 contains the additional elements of a user interaction module (software running on hardware). Step 2A, prong 2: The claim amounts to the mental activity of gathering information, processing it and making decisions based on the processing and, therefore, fails to provide any improvement to the functioning of a computer or technology. No technical solution is recited to a technical problem. Regarding claim 14, the additional elements fail to integrate the abstract idea into a practical application because all the additional elements, even when considered under 112f, are all recited at a level of generality and are merely using computers as a tool to implement the abstract idea. Thus, the additional elements amount to mere instructions to apply the exception (see MPEP 2106.05(f)). Step 2B: Likewise, the claim fails to recite, both when viewing the additional elements alone and in combination the abstract idea, significantly more than the abstract idea itself. Claim 14 fails to recite significantly more than the abstract idea because all the additional elements, even when considered under 112f, are all recited at a level of generality and are merely using computers as a tool to implement the abstract idea. Thus, the additional elements amount to mere instructions to apply the exception (see MPEP 2106.05(f)). Therefore, claim 14 is directed to an abstract idea without significantly more and are unpatentable under 35 USC 101. Claim 15 is directed to an abstract idea without significantly more. Step 2A, prong 1: Claim 15 is directed to an abstract idea because the following claim limitations recite an abstract idea: handle a user request, input via the user interface, for the portion of the data generated by the cyber threat analyst module to be displayed by the user interface. (mental activity or can be performed with a paper and pencil). Claim 15 contains the additional elements of a cyber threat analyst module (software running on hardware), a user interaction module (software running on hardware) and a user interface. Step 2A, prong 2: The claim amounts to the mental activity of gathering information, processing it and making decisions based on the processing and, therefore, fails to provide any improvement to the functioning of a computer or technology. No technical solution is recited to a technical problem. Regarding claim 15, the additional elements fail to integrate the abstract idea into a practical application because all the additional elements, even when considered under 112f, are all recited at a level of generality and are merely using computers as a tool to implement the abstract idea. Thus, the additional elements amount to mere instructions to apply the exception (see MPEP 2106.05(f)). Step 2B: Likewise, the claim fails to recite, both when viewing the additional elements alone and in combination the abstract idea, significantly more than the abstract idea itself. Claim 15 fails to recite significantly more than the abstract idea because all the additional elements, even when considered under 112f, are all recited at a level of generality and are merely using computers as a tool to implement the abstract idea. Thus, the additional elements amount to mere instructions to apply the exception (see MPEP 2106.05(f)). Therefore, claim 15 is directed to an abstract idea without significantly more and are unpatentable under 35 USC 101. Claim 16 is directed to an abstract idea without significantly more. Step 2A, prong 1: Claim 16 is directed to an abstract idea because the following claim limitations recite an abstract idea: cooperate with an autonomous response module to allow a user to review one or more autonomous responses to be taken by the autonomous response module to mitigate against a cyber threat detected in the potential cyber incident and then to allow the user to insert their own better judgement on what autonomous responses will be taken by the autonomous response module (mental activity or can be performed with a paper and pencil). Claim 16 contains the additional elements of wherein the user interaction module is implemented via an application programming interface (API). Step 2A, prong 2: The claim amounts to the mental activity of gathering information, processing it and making decisions based on the processing and, therefore, fails to provide any improvement to the functioning of a computer or technology. No technical solution is recited to a technical problem. Regarding claim 16, the additional elements fail to integrate the abstract idea into a practical application because all the additional elements, even when considered under 112f, are all recited at a level of generality and are merely using computers as a tool to implement the abstract idea. Thus, the additional elements amount to mere instructions to apply the exception (see MPEP 2106.05(f)). Step 2B: Likewise, the claim fails to recite, both when viewing the additional elements alone and in combination the abstract idea, significantly more than the abstract idea itself. Claim 16 fails to recite significantly more than the abstract idea because all the additional elements, even when considered under 112f, are all recited at a level of generality and are merely using computers as a tool to implement the abstract idea. Thus, the additional elements amount to mere instructions to apply the exception (see MPEP 2106.05(f)). Therefore, claim 16 is directed to an abstract idea without significantly more and are unpatentable under 35 USC 101. Claim 17 is directed to an abstract idea without significantly more. Step 2A, prong 1: Claim 17 is directed to an abstract idea because the following claim limitations recite an abstract idea: wherein the outcome of the investigation for each hypothesis is indicative of whether the cyber threat analyst module determined that the hypothesis is supported based on the data generated by the cyber threat analyst module (mental activity or can be performed with a paper and pencil). Claim 17 contains the additional elements of the cyber threat analyst module. Step 2A, prong 2: The claim amounts to the mental activity of gathering information, processing it and making decisions based on the processing and, therefore, fails to provide any improvement to the functioning of a computer or technology. No technical solution is recited to a technical problem. Regarding claim 17, the additional elements fail to integrate the abstract idea into a practical application because all the additional elements, even when considered under 112f, are all recited at a level of generality and are merely using computers as a tool to implement the abstract idea. Thus, the additional elements amount to mere instructions to apply the exception (see MPEP 2106.05(f)). Step 2B: Likewise, the claim fails to recite, both when viewing the additional elements alone and in combination the abstract idea, significantly more than the abstract idea itself. Claim 17 fails to recite significantly more than the abstract idea because all the additional elements, even when considered under 112f, are all recited at a level of generality and are merely using computers as a tool to implement the abstract idea. Thus, the additional elements amount to mere instructions to apply the exception (see MPEP 2106.05(f)). Therefore, claim 17 is directed to an abstract idea without significantly more and are unpatentable under 35 USC 101. Claim 18 is directed to an abstract idea without significantly more. Step 2A, prong 1: Claim 18 is directed to an abstract idea because the following claim limitations recite an abstract idea: determines that at least one hypothesis of the one or more hypotheses is not supported based on the data generated (mental activity or can be performed with a paper and pencil); provide, for use by the user interface, at least a portion of the generated data associated with the at least one hypothesis (mental activity or can be performed with a paper and pencil). Claim 18 contains the additional elements of a cyber threat analyst module (software running on hardware), a user interaction module (software running on hardware) and a user interface. Step 2A, prong 2: The claim amounts to the mental activity of gathering information, processing it and making decisions based on the processing and, therefore, fails to provide any improvement to the functioning of a computer or technology. No technical solution is recited to a technical problem. Regarding claim 18, the additional elements fail to integrate the abstract idea into a practical application because all the additional elements, even when considered under 112f, are all recited at a level of generality and are merely using computers as a tool to implement the abstract idea. Thus, the additional elements amount to mere instructions to apply the exception (see MPEP 2106.05(f)). Step 2B: Likewise, the claim fails to recite, both when viewing the additional elements alone and in combination the abstract idea, significantly more than the abstract idea itself. Claim 18 fails to recite significantly more than the abstract idea because all the additional elements, even when considered under 112f, are all recited at a level of generality and are merely using computers as a tool to implement the abstract idea. Thus, the additional elements amount to mere instructions to apply the exception (see MPEP 2106.05(f)). Therefore, claim 18 is directed to an abstract idea without significantly more and are unpatentable under 35 USC 101. Claim 19 is directed to an abstract idea without significantly more. Step 2A, prong 1: Claim 19 is directed to an abstract idea because the following claim limitations recite an abstract idea: using analysis to perform an investigation into the potential cyber incident based on one or more user-selected hypotheses selected by a user responsive to one or more alerts generated by the cyber security system (mental activity or can be performed with a paper and pencil); causing one or more actions to be performed based on an outcome of the investigation (mental activity or can be performed with a paper and pencil). Claim 19 contains the additional elements of the method being computer implemented and using artificial intelligence (Al) based analysis. Step 2A, prong 2: The claim amounts to the mental activity of gathering information, processing it and making decisions based on the processing and, therefore, fails to provide any improvement to the functioning of a computer or technology. No technical solution is recited to a technical problem. Regarding claim 19, the additional elements fail to integrate the abstract idea into a practical application because all the additional elements, even when considered under 112f, are all recited at a level of generality and are merely using computers as a tool to implement the abstract idea. Thus, the additional elements amount to mere instructions to apply the exception (see MPEP 2106.05(f)). Step 2B: Likewise, the claim fails to recite, both when viewing the additional elements alone and in combination the abstract idea, significantly more than the abstract idea itself. Claim 19 fails to recite significantly more than the abstract idea because all the additional elements, even when considered under 112f, are all recited at a level of generality and are merely using computers as a tool to implement the abstract idea. Thus, the additional elements amount to mere instructions to apply the exception (see MPEP 2106.05(f)). Therefore, claim 19 is directed to an abstract idea without significantly more and are unpatentable under 35 USC 101. Claim 20 is directed to an abstract idea without significantly more. Step 2A, prong 1: Claim 20 is directed to an abstract idea because the following claim limitations recite an abstract idea: representing data generated as part of the investigation into the potential cyber incident detected by the cyber security system, where the generated data is indicative of one or more investigative steps taken as part of the investigation for each hypothesis of the one or more hypotheses ,an outcome of the investigation for each hypothesis (mental activity or can be performed with a paper and pencil); representing data generated as part of the investigation into the potential cyber incident detected by the cyber security system, where the generated data is indicative of one or more investigative steps taken as part of the investigation for each hypothesis of the one or more hypotheses, an outcome of the investigation for each hypothesis (mental activity or can be performed with a paper and pencil). Claim 20 contains the additional elements of a user interface. Step 2A, prong 2: The claim amounts to the mental activity of gathering information, processing it and making decisions based on the processing and, therefore, fails to provide any improvement to the functioning of a computer or technology. No technical solution is recited to a technical problem. Regarding claim 20, the additional elements fail to integrate the abstract idea into a practical application because all the additional elements, even when considered under 112f, are all recited at a level of generality and are merely using computers as a tool to implement the abstract idea. Thus, the additional elements amount to mere instructions to apply the exception (see MPEP 2106.05(f)). Step 2B: Likewise, the claim fails to recite, both when viewing the additional elements alone and in combination the abstract idea, significantly more than the abstract idea itself. Claim 20 fails to recite significantly more than the abstract idea because all the additional elements, even when considered under 112f, are all recited at a level of generality and are merely using computers as a tool to implement the abstract idea. Thus, the additional elements amount to mere instructions to apply the exception (see MPEP 2106.05(f)). Therefore, claim 20 is directed to an abstract idea without significantly more and are unpatentable under 35 USC 101. Claim Rejections - 35 USC § 102 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action: A person shall be entitled to a patent unless – (a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention. Claims 1-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by U.S. Patent Application Publication No. 2022/0225101 by Fellows. As to claim 1, Fellows discloses an apparatus for performing an investigation into a potential cyber incident detected by a cyber security system, the apparatus comprising: a cyber threat analyst module configured to perform the investigation into the potential cyber incident (Fellows: Page 11, Sec 119: “The cyber threat analyst module is configured to form and investigate hypotheses on what are a possible set of cyber threats and can cooperate with the analyser module with the one or more data analysis processes to confirm the results of the investigation on the possible set of cyber threats hypotheses that would include the at least one of i) the abnormal behavior, ii) the suspicious activity, and iii) any combination of both, identified through cooperation with the one or more AI models trained with machine learning on the normal pattern of life of entities in the domains under analysis.”), a user interaction module communicatively coupled to the cyber threat analyst module, wherein the user interaction module is configured to receive one or more user-selected hypotheses (Fellows: Pages 6-7, Sec 78; “The cyber threat analyst module cooperates with, for example, one or more AI models trained on how human analysts conduct cyber investigations to conduct initial investigations regarding any anomaly of interest raised in the alert, then collects additional information to form a chain of potentially related/linked information under analysis from either prior wireless transmissions and/or data from other domains that have a probability above a threshold, such as greater than 40% related, of a logical nexus to the anomaly of interest and/or wireless transmission itself. The cyber threat analyst module is configured to cooperate with the one or more AI models trained on how the human cyber security analysts conduct cyber investigations to form one or more hypotheses on potential cyber threats that could have this chain of potentially related information under analysis. The cyber threat analyst module will perform several additional rounds of gathering additional information in order to refute or to support each of the one or more hypotheses to re-check cyber threat indications for the chain of potentially related information under analysis until the one or more hypotheses on potential cyber threats are one of refuted, supported, or included in the report that includes details of activities assessed to be relevant activities to the anomaly of interest to the user, and that also conveys at least a first hypothesis is neither supported nor refuted; and thus, needs a human to further investigate the anomaly of interest. A report of all alerts and their details over a reporting period of time can be generated. In addition, incident reports can be generated for hypotheses that are supported and the reasons why appear in user interface as a selectable report, and the information regarding hypotheses that have been refuted and the reasons why can also be retrieved via the user interface.”), wherein the cyber threat analyst module is configured to perform the investigation into the potential cyber incident based on the one or more user-selected hypotheses selected by a user responsive to one or more alerts generated by the cyber security system, wherein the cyber threat analyst module is configured to cause one or more actions to be performed based on an outcome of the investigation (Fellows: Pages 6-7, Sec 78; “The cyber threat analyst module cooperates with, for example, one or more AI models trained on how human analysts conduct cyber investigations to conduct initial investigations regarding any anomaly of interest raised in the alert, then collects additional information to form a chain of potentially related/linked information under analysis from either prior wireless transmissions and/or data from other domains that have a probability above a threshold, such as greater than 40% related, of a logical nexus to the anomaly of interest and/or wireless transmission itself. The cyber threat analyst module is configured to cooperate with the one or more AI models trained on how the human cyber security analysts conduct cyber investigations to form one or more hypotheses on potential cyber threats that could have this chain of potentially related information under analysis. The cyber threat analyst module will perform several additional rounds of gathering additional information in order to refute or to support each of the one or more hypotheses to re-check cyber threat indications for the chain of potentially related information under analysis until the one or more hypotheses on potential cyber threats are one of refuted, supported, or included in the report that includes details of activities assessed to be relevant activities to the anomaly of interest to the user, and that also conveys at least a first hypothesis is neither supported nor refuted; and thus, needs a human to further investigate the anomaly of interest. A report of all alerts and their details over a reporting period of time can be generated. In addition, incident reports can be generated for hypotheses that are supported and the reasons why appear in user interface as a selectable report, and the information regarding hypotheses that have been refuted and the reasons why can also be retrieved via the user interface.”), and wherein instructions implemented in software for the cyber threat analyst module and the user interaction module are configured to be stored in one or more non- transitory storage mediums to be executed by one or more processing units (Fellows: Page 18, Sec 193; “The method and system are arranged to be performed by one or more processing components with any portions of software stored in an executable format on a computer readable medium. Thus, any portions of the method, apparatus and system implemented as software can be stored in one or more non-transitory memory storage devices in an executable format to be executed by one or more processors. The computer readable medium may be non-transitory and does not include radio or other carrier waves. The computer readable medium could be, for example, a physical computer readable medium such as semiconductor memory or solid state memory, magnetic tape, a removable computer diskette, a random access memory (RAM), a read-only memory (ROM), a rigid magnetic disc, and an optical disk, such as a CD-ROM, CD-RAN or DVD.”). As to claim 2, Fellows further discloses wherein the user interaction module is configured to review an output of the investigation into the potential cyber incident, and then supply the one or more user-selected hypotheses for the cyber threat analyst module to further review by the cyber threat analyst module to conclude whether the potential cyber incident detected by the cyber security system is an actual cyber incident caused by a cyber threat (Fellows: Pages 6-7, Sec 78; “The cyber threat analyst module cooperates with, for example, one or more AI models trained on how human analysts conduct cyber investigations to conduct initial investigations regarding any anomaly of interest raised in the alert, then collects additional information to form a chain of potentially related/linked information under analysis from either prior wireless transmissions and/or data from other domains that have a probability above a threshold, such as greater than 40% related, of a logical nexus to the anomaly of interest and/or wireless transmission itself. The cyber threat analyst module is configured to cooperate with the one or more AI models trained on how the human cyber security analysts conduct cyber investigations to form one or more hypotheses on potential cyber threats that could have this chain of potentially related information under analysis. The cyber threat analyst module will perform several additional rounds of gathering additional information in order to refute or to support each of the one or more hypotheses to re-check cyber threat indications for the chain of potentially related information under analysis until the one or more hypotheses on potential cyber threats are one of refuted, supported, or included in the report that includes details of activities assessed to be relevant activities to the anomaly of interest to the user, and that also conveys at least a first hypothesis is neither supported nor refuted; and thus, needs a human to further investigate the anomaly of interest. A report of all alerts and their details over a reporting period of time can be generated. In addition, incident reports can be generated for hypotheses that are supported and the reasons why appear in user interface as a selectable report, and the information regarding hypotheses that have been refuted and the reasons why can also be retrieved via the user interface.”). . As to claim 3, Fellows further discloses wherein the user interaction module is communicatively coupled to a user interface, wherein the user interface is configured to receive input from the user indicative of the one or more user-selected hypotheses (Fellows: Pages 6-7, Sec 78; “The cyber threat analyst module cooperates with, for example, one or more AI models trained on how human analysts conduct cyber investigations to conduct initial investigations regarding any anomaly of interest raised in the alert, then collects additional information to form a chain of potentially related/linked information under analysis from either prior wireless transmissions and/or data from other domains that have a probability above a threshold, such as greater than 40% related, of a logical nexus to the anomaly of interest and/or wireless transmission itself. The cyber threat analyst module is configured to cooperate with the one or more AI models trained on how the human cyber security analysts conduct cyber investigations to form one or more hypotheses on potential cyber threats that could have this chain of potentially related information under analysis. The cyber threat analyst module will perform several additional rounds of gathering additional information in order to refute or to support each of the one or more hypotheses to re-check cyber threat indications for the chain of potentially related information under analysis until the one or more hypotheses on potential cyber threats are one of refuted, supported, or included in the report that includes details of activities assessed to be relevant activities to the anomaly of interest to the user, and that also conveys at least a first hypothesis is neither supported nor refuted; and thus, needs a human to further investigate the anomaly of interest. A report of all alerts and their details over a reporting period of time can be generated. In addition, incident reports can be generated for hypotheses that are supported and the reasons why appear in user interface as a selectable report, and the information regarding hypotheses that have been refuted and the reasons why can also be retrieved via the user interface.”). As to claim 4, Fellows further discloses wherein the user interaction module is configured to cause the user interface to: provide a representation of the one or more alerts detected by the cyber security system; and allow the user to select the one or more user-selected hypotheses for the cyber threat analyst module to investigate (Fellows: Pages 6-7, Sec 78; “The cyber threat analyst module cooperates with, for example, one or more AI models trained on how human analysts conduct cyber investigations to conduct initial investigations regarding any anomaly of interest raised in the alert, then collects additional information to form a chain of potentially related/linked information under analysis from either prior wireless transmissions and/or data from other domains that have a probability above a threshold, such as greater than 40% related, of a logical nexus to the anomaly of interest and/or wireless transmission itself. The cyber threat analyst module is configured to cooperate with the one or more AI models trained on how the human cyber security analysts conduct cyber investigations to form one or more hypotheses on potential cyber threats that could have this chain of potentially related information under analysis. The cyber threat analyst module will perform several additional rounds of gathering additional information in order to refute or to support each of the one or more hypotheses to re-check cyber threat indications for the chain of potentially related information under analysis until the one or more hypotheses on potential cyber threats are one of refuted, supported, or included in the report that includes details of activities assessed to be relevant activities to the anomaly of interest to the user, and that also conveys at least a first hypothesis is neither supported nor refuted; and thus, needs a human to further investigate the anomaly of interest. A report of all alerts and their details over a reporting period of time can be generated. In addition, incident reports can be generated for hypotheses that are supported and the reasons why appear in user interface as a selectable report, and the information regarding hypotheses that have been refuted and the reasons why can also be retrieved via the user interface.”). As to claim 5, Fellows further discloses wherein the user interaction module is configured to provide a representation of one or more suggested hypotheses identified by the cyber security system in response to the one or more alerts, wherein the one or more suggested hypotheses are identified based on one or more predefined rules, and wherein the user interaction module is configured to cause a user interface to provide the user with an option to select the one or more hypotheses for investigation from a set of hypotheses other than the one or more suggested hypotheses (Fellows: Pages 6-7, Sec 78; “The cyber threat analyst module cooperates with, for example, one or more AI models trained on how human analysts conduct cyber investigations to conduct initial investigations regarding any anomaly of interest raised in the alert, then collects additional information to form a chain of potentially related/linked information under analysis from either prior wireless transmissions and/or data from other domains that have a probability above a threshold, such as greater than 40% related, of a logical nexus to the anomaly of interest and/or wireless transmission itself. The cyber threat analyst module is configured to cooperate with the one or more AI models trained on how the human cyber security analysts conduct cyber investigations to form one or more hypotheses on potential cyber threats that could have this chain of potentially related information under analysis. The cyber threat analyst module will perform several additional rounds of gathering additional information in order to refute or to support each of the one or more hypotheses to re-check cyber threat indications for the chain of potentially related information under analysis until the one or more hypotheses on potential cyber threats are one of refuted, supported, or included in the report that includes details of activities assessed to be relevant activities to the anomaly of interest to the user, and that also conveys at least a first hypothesis is neither supported nor refuted; and thus, needs a human to further investigate the anomaly of interest. A report of all alerts and their details over a reporting period of time can be generated. In addition, incident reports can be generated for hypotheses that are supported and the reasons why appear in user interface as a selectable report, and the information regarding hypotheses that have been refuted and the reasons why can also be retrieved via the user interface.”). As to claim 6, Fellows further discloses wherein the user interaction module is configured to receive one or more user specified criteria for the cyber security system, wherein the one or more user specified criteria are indicative of the one or more actions that are to be performed based on the outcome of the investigation to allow the user to augment recommended response actions to be taken by the cyber security system with the one or more actions selected by the user (Fellows: Page 15, Sec 159; “The cyber threat analyst module can put data and entities into 1) a directed graph and nodes in that graph that are overlapping or close in distance have a good possibility of being related in some manner, 2) a vector diagram, 3) relational database, and 4) other relational techniques that will at least be examined to assist in creating the chain of related activity connected by causal links, such as similar time, similar entity and/or type of entity involved, similar activity, etc., under analysis. If the pattern of behaviors under analysis is believed to be indicative of a malicious actor, then a score of how confident is the system in this assessment of identifying whether the unusual pattern was caused by a malicious actor is created. Next, also assigned is a threat level score or probability indicative of what level of threat does this malicious actor pose. Lastly, the cyber security appliance 100 is configurable in a user interface, by a user, enabling what type of automatic response actions, if any, the cyber security appliance 100 may take when different types of cyber threats, indicated by the pattern of behaviors under analysis, that are equal to or above a configurable level of threat posed by this malicious actor.”). As to claim 7, Fellows further discloses wherein the user interaction module is configured to allow the user to be able to review i) how the cyber threat analyst module performed the investigation into the potential cyber incident and concluded a cyber threat was present and ii) then what are one or more autonomous responses to be taken by the cyber security system (Fellows: Page 15, Sec 159; “The cyber threat analyst module can put data and entities into 1) a directed graph and nodes in that graph that are overlapping or close in distance have a good possibility of being related in some manner, 2) a vector diagram, 3) relational database, and 4) other relational techniques that will at least be examined to assist in creating the chain of related activity connected by causal links, such as similar time, similar entity and/or type of entity involved, similar activity, etc., under analysis. If the pattern of behaviors under analysis is believed to be indicative of a malicious actor, then a score of how confident is the system in this assessment of identifying whether the unusual pattern was caused by a malicious actor is created. Next, also assigned is a threat level score or probability indicative of what level of threat does this malicious actor pose. Lastly, the cyber security appliance 100 is configurable in a user interface, by a user, enabling what type of automatic response actions, if any, the cyber security appliance 100 may take when different types of cyber threats, indicated by the pattern of behaviors under analysis, that are equal to or above a configurable level of threat posed by this malicious actor.”). As to claim 8, Fellows further discloses wherein the user interaction module is configured to cooperate with an autonomous response module to allow the user to review one or more autonomous responses to be taken by the autonomous response module to mitigate against a cyber threat detected in the potential cyber incident and then to allow the user to insert their own better judgement on what autonomous responses will be taken by the autonomous response module (Fellows: Page 15, Sec 159; “The cyber threat analyst module can put data and entities into 1) a directed graph and nodes in that graph that are overlapping or close in distance have a good possibility of being related in some manner, 2) a vector diagram, 3) relational database, and 4) other relational techniques that will at least be examined to assist in creating the chain of related activity connected by causal links, such as similar time, similar entity and/or type of entity involved, similar activity, etc., under analysis. If the pattern of behaviors under analysis is believed to be indicative of a malicious actor, then a score of how confident is the system in this assessment of identifying whether the unusual pattern was caused by a malicious actor is created. Next, also assigned is a threat level score or probability indicative of what level of threat does this malicious actor pose. Lastly, the cyber security appliance 100 is configurable in a user interface, by a user, enabling what type of automatic response actions, if any, the cyber security appliance 100 may take when different types of cyber threats, indicated by the pattern of behaviors under analysis, that are equal to or above a configurable level of threat posed by this malicious actor.”). As to claim 9, Fellows further discloses wherein the one or more actions comprise causing a user interface to represent at least some data generated as part of the investigation into the potential cyber incident, and wherein the apparatus is configured to use data to generate a representation comprising: a status of the investigation; a description associated with at least one of the one or more hypotheses; one or more steps taken by the cyber threat analyst module as part of the investigation for at least one of the one or more user-selected hypotheses; the outcome of the investigation, wherein the outcome is indicative of whether the data supports at least one of the one or more user-selected hypotheses; or a combination thereof (Fellows: Page 11, Sec 116; “The cyber threat analyst module forms and investigates hypotheses on what are a possible set of cyber threats and can also cooperate with the analyser module with its one or more data analysis processes to conduct an investigation on a possible set of cyber threats hypotheses that would include an anomaly of at least one of i) the abnormal behavior, ii) the suspicious activity, and iii) any combination of both, identified through cooperation with, for example, the one or more AI models trained with machine learning on the normal pattern of life of entities in the system. (For example, see FIG. 10, the cyber threat analyst module will perform several additional rounds of gathering additional information over period of time, in this example, examining data over a 7 day period to determine causal links between the information.) The cyber threat analyst module will submit to check and recheck various combinations/a chain of potentially related information under analysis until each of the one or more hypotheses on potential cyber threats are one of 1) refuted, 2) supported, or 3) included in a report that includes details of activities assessed to be relevant activities to the anomaly of interest to the user and that also conveys at least this particular hypothesis was neither supported or refuted; and thus, needs a human to further investigate the anomaly of interest included in the chain of potentially related information. Note, a data analysis process can be algorithms/scripts written by humans to perform their function discussed herein; and, can in various cases use AI classifiers as part of their operation. Note, any portions of the AI based cyber security appliance 100 implemented as software can be stored in one or more non-transitory memory storage devices in an executable format to be executed by one or more processors.”). As to claim 10, Fellows further discloses wherein one or more actions comprise causing a user interface to provide a request for input from the user to trigger one or more responses to be taken by the cyber security system to address the potential cyber incident (Fellows: Page 15, Sec 159; “The cyber threat analyst module can put data and entities into 1) a directed graph and nodes in that graph that are overlapping or close in distance have a good possibility of being related in some manner, 2) a vector diagram, 3) relational database, and 4) other relational techniques that will at least be examined to assist in creating the chain of related activity connected by causal links, such as similar time, similar entity and/or type of entity involved, similar activity, etc., under analysis. If the pattern of behaviors under analysis is believed to be indicative of a malicious actor, then a score of how confident is the system in this assessment of identifying whether the unusual pattern was caused by a malicious actor is created. Next, also assigned is a threat level score or probability indicative of what level of threat does this malicious actor pose. Lastly, the cyber security appliance 100 is configurable in a user interface, by a user, enabling what type of automatic response actions, if any, the cyber security appliance 100 may take when different types of cyber threats, indicated by the pattern of behaviors under analysis, that are equal to or above a configurable level of threat posed by this malicious actor.”). As to claim 11, Fellows discloses an apparatus for representing data generated as part of an investigation into a potential cyber incident detected by a cyber security system, the apparatus comprising: an cyber threat analyst module configured to perform the investigation into the potential cyber incident based on one or more hypotheses (Fellows: Page 11, Sec 119: “The cyber threat analyst module is configured to form and investigate hypotheses on what are a possible set of cyber threats and can cooperate with the analyser module with the one or more data analysis processes to confirm the results of the investigation on the possible set of cyber threats hypotheses that would include the at least one of i) the abnormal behavior, ii) the suspicious activity, and iii) any combination of both, identified through cooperation with the one or more AI models trained with machine learning on the normal pattern of life of entities in the domains under analysis.”), wherein the cyber threat analyst module is configured to generate data indicative of: one or more investigative steps taken as part of the investigation for each hypothesis of the one or more hypotheses (Fellows: Page 11, Sec 119: “The cyber threat analyst module is configured to form and investigate hypotheses on what are a possible set of cyber threats and can cooperate with the analyser module with the one or more data analysis processes to confirm the results of the investigation on the possible set of cyber threats hypotheses that would include the at least one of i) the abnormal behavior, ii) the suspicious activity, and iii) any combination of both, identified through cooperation with the one or more AI models trained with machine learning on the normal pattern of life of entities in the domains under analysis.”),; an outcome of the investigation for each hypothesis (Fellows: Page 11, Sec 119: “The cyber threat analyst module is configured to form and investigate hypotheses on what are a possible set of cyber threats and can cooperate with the analyser module with the one or more data analysis processes to confirm the results of the investigation on the possible set of cyber threats hypotheses that would include the at least one of i) the abnormal behavior, ii) the suspicious activity, and iii) any combination of both, identified through cooperation with the one or more AI models trained with machine learning on the normal pattern of life of entities in the domains under analysis.”),, a user interaction module communicatively coupled to the cyber threat analyst module and a user interface, wherein the user interaction module is configured to provide at least a portion of the data generated by the cyber threat analyst module for use by a user interface to represent the portion of the data (Fellows: Pages 6-7, Sec 78; “The cyber threat analyst module cooperates with, for example, one or more AI models trained on how human analysts conduct cyber investigations to conduct initial investigations regarding any anomaly of interest raised in the alert, then collects additional information to form a chain of potentially related/linked information under analysis from either prior wireless transmissions and/or data from other domains that have a probability above a threshold, such as greater than 40% related, of a logical nexus to the anomaly of interest and/or wireless transmission itself. The cyber threat analyst module is configured to cooperate with the one or more AI models trained on how the human cyber security analysts conduct cyber investigations to form one or more hypotheses on potential cyber threats that could have this chain of potentially related information under analysis. The cyber threat analyst module will perform several additional rounds of gathering additional information in order to refute or to support each of the one or more hypotheses to re-check cyber threat indications for the chain of potentially related information under analysis until the one or more hypotheses on potential cyber threats are one of refuted, supported, or included in the report that includes details of activities assessed to be relevant activities to the anomaly of interest to the user, and that also conveys at least a first hypothesis is neither supported nor refuted; and thus, needs a human to further investigate the anomaly of interest. A report of all alerts and their details over a reporting period of time can be generated. In addition, incident reports can be generated for hypotheses that are supported and the reasons why appear in user interface as a selectable report, and the information regarding hypotheses that have been refuted and the reasons why can also be retrieved via the user interface.”), and wherein instructions implemented in software for the cyber threat analyst module and the user interaction module are configured to be stored in one or more non- transitory storage mediums to be executed by one or more processing units (Fellows: Page 18, Sec 193; “The method and system are arranged to be performed by one or more processing components with any portions of software stored in an executable format on a computer readable medium. Thus, any portions of the method, apparatus and system implemented as software can be stored in one or more non-transitory memory storage devices in an executable format to be executed by one or more processors. The computer readable medium may be non-transitory and does not include radio or other carrier waves. The computer readable medium could be, for example, a physical computer readable medium such as semiconductor memory or solid state memory, magnetic tape, a removable computer diskette, a random access memory (RAM), a read-only memory (ROM), a rigid magnetic disc, and an optical disk, such as a CD-ROM, CD-RAN or DVD.”). As to claim 12, Fellows further discloses wherein the user interaction module is configured to receive one or more user-selected hypotheses selected by a user via the user interface, and wherein the user interaction module is configured to review an output of the investigation into the potential cyber incident, and then supply the one or more user-selected hypotheses for the cyber threat analyst module to further review by the cyber threat analyst module to conclude whether the potential cyber incident detected by the cyber security system is an actual cyber incident caused by a cyber threat (Fellows: Page 15, Sec 159; “The cyber threat analyst module can put data and entities into 1) a directed graph and nodes in that graph that are overlapping or close in distance have a good possibility of being related in some manner, 2) a vector diagram, 3) relational database, and 4) other relational techniques that will at least be examined to assist in creating the chain of related activity connected by causal links, such as similar time, similar entity and/or type of entity involved, similar activity, etc., under analysis. If the pattern of behaviors under analysis is believed to be indicative of a malicious actor, then a score of how confident is the system in this assessment of identifying whether the unusual pattern was caused by a malicious actor is created. Next, also assigned is a threat level score or probability indicative of what level of threat does this malicious actor pose. Lastly, the cyber security appliance 100 is configurable in a user interface, by a user, enabling what type of automatic response actions, if any, the cyber security appliance 100 may take when different types of cyber threats, indicated by the pattern of behaviors under analysis, that are equal to or above a configurable level of threat posed by this malicious actor.”). As to claim 13, Fellows further discloses wherein the user interaction module is configured to send an indication of one or more user-selected hypotheses to the cyber threat analyst module, and wherein the cyber threat analyst module is configured to use the one or more user-selected hypotheses as part of the investigation into the potential cyber incident (Fellows: Pages 6-7, Sec 78; “The cyber threat analyst module cooperates with, for example, one or more AI models trained on how human analysts conduct cyber investigations to conduct initial investigations regarding any anomaly of interest raised in the alert, then collects additional information to form a chain of potentially related/linked information under analysis from either prior wireless transmissions and/or data from other domains that have a probability above a threshold, such as greater than 40% related, of a logical nexus to the anomaly of interest and/or wireless transmission itself. The cyber threat analyst module is configured to cooperate with the one or more AI models trained on how the human cyber security analysts conduct cyber investigations to form one or more hypotheses on potential cyber threats that could have this chain of potentially related information under analysis. The cyber threat analyst module will perform several additional rounds of gathering additional information in order to refute or to support each of the one or more hypotheses to re-check cyber threat indications for the chain of potentially related information under analysis until the one or more hypotheses on potential cyber threats are one of refuted, supported, or included in the report that includes details of activities assessed to be relevant activities to the anomaly of interest to the user, and that also conveys at least a first hypothesis is neither supported nor refuted; and thus, needs a human to further investigate the anomaly of interest. A report of all alerts and their details over a reporting period of time can be generated. In addition, incident reports can be generated for hypotheses that are supported and the reasons why appear in user interface as a selectable report, and the information regarding hypotheses that have been refuted and the reasons why can also be retrieved via the user interface.”). As to claim 14, Fellows further discloses wherein the user interaction module is configured to cause the user interface to display a representation of one or more alerts generated by the cyber security system in connection with the potential cyber incident (Fellows: Pages 6-7, Sec 78; “The cyber threat analyst module cooperates with, for example, one or more AI models trained on how human analysts conduct cyber investigations to conduct initial investigations regarding any anomaly of interest raised in the alert, then collects additional information to form a chain of potentially related/linked information under analysis from either prior wireless transmissions and/or data from other domains that have a probability above a threshold, such as greater than 40% related, of a logical nexus to the anomaly of interest and/or wireless transmission itself. The cyber threat analyst module is configured to cooperate with the one or more AI models trained on how the human cyber security analysts conduct cyber investigations to form one or more hypotheses on potential cyber threats that could have this chain of potentially related information under analysis. The cyber threat analyst module will perform several additional rounds of gathering additional information in order to refute or to support each of the one or more hypotheses to re-check cyber threat indications for the chain of potentially related information under analysis until the one or more hypotheses on potential cyber threats are one of refuted, supported, or included in the report that includes details of activities assessed to be relevant activities to the anomaly of interest to the user, and that also conveys at least a first hypothesis is neither supported nor refuted; and thus, needs a human to further investigate the anomaly of interest. A report of all alerts and their details over a reporting period of time can be generated. In addition, incident reports can be generated for hypotheses that are supported and the reasons why appear in user interface as a selectable report, and the information regarding hypotheses that have been refuted and the reasons why can also be retrieved via the user interface.”). As to claim 15, Fellows further discloses wherein the user interaction module is configured to handle a user request, input via the user interface, for the portion of the data generated by the cyber threat analyst module to be displayed by the user interface (Fellows: Page 15, Sec 159; “The cyber threat analyst module can put data and entities into 1) a directed graph and nodes in that graph that are overlapping or close in distance have a good possibility of being related in some manner, 2) a vector diagram, 3) relational database, and 4) other relational techniques that will at least be examined to assist in creating the chain of related activity connected by causal links, such as similar time, similar entity and/or type of entity involved, similar activity, etc., under analysis. If the pattern of behaviors under analysis is believed to be indicative of a malicious actor, then a score of how confident is the system in this assessment of identifying whether the unusual pattern was caused by a malicious actor is created. Next, also assigned is a threat level score or probability indicative of what level of threat does this malicious actor pose. Lastly, the cyber security appliance 100 is configurable in a user interface, by a user, enabling what type of automatic response actions, if any, the cyber security appliance 100 may take when different types of cyber threats, indicated by the pattern of behaviors under analysis, that are equal to or above a configurable level of threat posed by this malicious actor.”). As to claim 16, Fellows further discloses wherein the user interaction module is implemented via an application programming interface (API), and wherein the user interaction module is configured to cooperate with an autonomous response module to allow a user to review one or more autonomous responses to be taken by the autonomous response module to mitigate against a cyber threat detected in the potential cyber incident and then to allow the user to insert their own better judgement on what autonomous responses will be taken by the autonomous response module (Fellows: Pages 6-7, Sec 78; “The cyber threat analyst module cooperates with, for example, one or more AI models trained on how human analysts conduct cyber investigations to conduct initial investigations regarding any anomaly of interest raised in the alert, then collects additional information to form a chain of potentially related/linked information under analysis from either prior wireless transmissions and/or data from other domains that have a probability above a threshold, such as greater than 40% related, of a logical nexus to the anomaly of interest and/or wireless transmission itself. The cyber threat analyst module is configured to cooperate with the one or more AI models trained on how the human cyber security analysts conduct cyber investigations to form one or more hypotheses on potential cyber threats that could have this chain of potentially related information under analysis. The cyber threat analyst module will perform several additional rounds of gathering additional information in order to refute or to support each of the one or more hypotheses to re-check cyber threat indications for the chain of potentially related information under analysis until the one or more hypotheses on potential cyber threats are one of refuted, supported, or included in the report that includes details of activities assessed to be relevant activities to the anomaly of interest to the user, and that also conveys at least a first hypothesis is neither supported nor refuted; and thus, needs a human to further investigate the anomaly of interest. A report of all alerts and their details over a reporting period of time can be generated. In addition, incident reports can be generated for hypotheses that are supported and the reasons why appear in user interface as a selectable report, and the information regarding hypotheses that have been refuted and the reasons why can also be retrieved via the user interface.”). As to claim 17, Fellows further discloses wherein the outcome of the investigation for each hypothesis is indicative of whether the cyber threat analyst module determined that the hypothesis is supported based on the data generated by the cyber threat analyst module (Fellows: Pages 6-7, Sec 78; “The cyber threat analyst module cooperates with, for example, one or more AI models trained on how human analysts conduct cyber investigations to conduct initial investigations regarding any anomaly of interest raised in the alert, then collects additional information to form a chain of potentially related/linked information under analysis from either prior wireless transmissions and/or data from other domains that have a probability above a threshold, such as greater than 40% related, of a logical nexus to the anomaly of interest and/or wireless transmission itself. The cyber threat analyst module is configured to cooperate with the one or more AI models trained on how the human cyber security analysts conduct cyber investigations to form one or more hypotheses on potential cyber threats that could have this chain of potentially related information under analysis. The cyber threat analyst module will perform several additional rounds of gathering additional information in order to refute or to support each of the one or more hypotheses to re-check cyber threat indications for the chain of potentially related information under analysis until the one or more hypotheses on potential cyber threats are one of refuted, supported, or included in the report that includes details of activities assessed to be relevant activities to the anomaly of interest to the user, and that also conveys at least a first hypothesis is neither supported nor refuted; and thus, needs a human to further investigate the anomaly of interest. A report of all alerts and their details over a reporting period of time can be generated. In addition, incident reports can be generated for hypotheses that are supported and the reasons why appear in user interface as a selectable report, and the information regarding hypotheses that have been refuted and the reasons why can also be retrieved via the user interface.”). As to claim 18, Fellows further discloses wherein when the cyber threat analyst module determines that at least one hypothesis of the one or more hypotheses is not supported based on the data generated, and wherein the user interaction module is configured to provide, for use by the user interface, at least a portion of the generated data associated with the at least one hypothesis (Fellows: Pages 6-7, Sec 78; “The cyber threat analyst module cooperates with, for example, one or more AI models trained on how human analysts conduct cyber investigations to conduct initial investigations regarding any anomaly of interest raised in the alert, then collects additional information to form a chain of potentially related/linked information under analysis from either prior wireless transmissions and/or data from other domains that have a probability above a threshold, such as greater than 40% related, of a logical nexus to the anomaly of interest and/or wireless transmission itself. The cyber threat analyst module is configured to cooperate with the one or more AI models trained on how the human cyber security analysts conduct cyber investigations to form one or more hypotheses on potential cyber threats that could have this chain of potentially related information under analysis. The cyber threat analyst module will perform several additional rounds of gathering additional information in order to refute or to support each of the one or more hypotheses to re-check cyber threat indications for the chain of potentially related information under analysis until the one or more hypotheses on potential cyber threats are one of refuted, supported, or included in the report that includes details of activities assessed to be relevant activities to the anomaly of interest to the user, and that also conveys at least a first hypothesis is neither supported nor refuted; and thus, needs a human to further investigate the anomaly of interest. A report of all alerts and their details over a reporting period of time can be generated. In addition, incident reports can be generated for hypotheses that are supported and the reasons why appear in user interface as a selectable report, and the information regarding hypotheses that have been refuted and the reasons why can also be retrieved via the user interface.”). As to claim 19, Fellows discloses a computer-implemented method of investigating a potential cyber incident detected by a cyber security system, the method comprising: using artificial intelligence (Al) based analysis to perform an investigation into the potential cyber incident based on one or more user-selected hypotheses selected by a user responsive to one or more alerts generated by the cyber security system(Fellows: Page 11, Sec 119: “The cyber threat analyst module is configured to form and investigate hypotheses on what are a possible set of cyber threats and can cooperate with the analyser module with the one or more data analysis processes to confirm the results of the investigation on the possible set of cyber threats hypotheses that would include the at least one of i) the abnormal behavior, ii) the suspicious activity, and iii) any combination of both, identified through cooperation with the one or more AI models trained with machine learning on the normal pattern of life of entities in the domains under analysis.”); and causing one or more actions to be performed based on an outcome of the investigation (Fellows: Pages 6-7, Sec 78; “The cyber threat analyst module cooperates with, for example, one or more AI models trained on how human analysts conduct cyber investigations to conduct initial investigations regarding any anomaly of interest raised in the alert, then collects additional information to form a chain of potentially related/linked information under analysis from either prior wireless transmissions and/or data from other domains that have a probability above a threshold, such as greater than 40% related, of a logical nexus to the anomaly of interest and/or wireless transmission itself. The cyber threat analyst module is configured to cooperate with the one or more AI models trained on how the human cyber security analysts conduct cyber investigations to form one or more hypotheses on potential cyber threats that could have this chain of potentially related information under analysis. The cyber threat analyst module will perform several additional rounds of gathering additional information in order to refute or to support each of the one or more hypotheses to re-check cyber threat indications for the chain of potentially related information under analysis until the one or more hypotheses on potential cyber threats are one of refuted, supported, or included in the report that includes details of activities assessed to be relevant activities to the anomaly of interest to the user, and that also conveys at least a first hypothesis is neither supported nor refuted; and thus, needs a human to further investigate the anomaly of interest. A report of all alerts and their details over a reporting period of time can be generated. In addition, incident reports can be generated for hypotheses that are supported and the reasons why appear in user interface as a selectable report, and the information regarding hypotheses that have been refuted and the reasons why can also be retrieved via the user interface.”). As to claim 20, Fellows further discloses further comprising: representing data generated as part of the investigation into the potential cyber incident detected by the cyber security system, where the generated data is indicative of one or more investigative steps taken as part of the investigation for each hypothesis of the one or more hypotheses, an outcome of the investigation for each hypothesis; and providing at least a portion of the generated data for use by a user interface to represent the portion of the data (Fellows: Pages 6-7, Sec 78; “The cyber threat analyst module cooperates with, for example, one or more AI models trained on how human analysts conduct cyber investigations to conduct initial investigations regarding any anomaly of interest raised in the alert, then collects additional information to form a chain of potentially related/linked information under analysis from either prior wireless transmissions and/or data from other domains that have a probability above a threshold, such as greater than 40% related, of a logical nexus to the anomaly of interest and/or wireless transmission itself. The cyber threat analyst module is configured to cooperate with the one or more AI models trained on how the human cyber security analysts conduct cyber investigations to form one or more hypotheses on potential cyber threats that could have this chain of potentially related information under analysis. The cyber threat analyst module will perform several additional rounds of gathering additional information in order to refute or to support each of the one or more hypotheses to re-check cyber threat indications for the chain of potentially related information under analysis until the one or more hypotheses on potential cyber threats are one of refuted, supported, or included in the report that includes details of activities assessed to be relevant activities to the anomaly of interest to the user, and that also conveys at least a first hypothesis is neither supported nor refuted; and thus, needs a human to further investigate the anomaly of interest. A report of all alerts and their details over a reporting period of time can be generated. In addition, incident reports can be generated for hypotheses that are supported and the reasons why appear in user interface as a selectable report, and the information regarding hypotheses that have been refuted and the reasons why can also be retrieved via the user interface.”). Priority The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. U.S. Patent No. 11,763,006 to Rao et al. discloses graphical display of vulnerabilities U.S. Patent No. 11,829,486 by Lambotte discloses enhanced cybersecurity Conclusion Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL S MCNALLY whose telephone number is (571)270-1599. The examiner can normally be reached Monday-Friday, 8:30 AM - 5:00 PM. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey L Nickerson can be reached at (469)295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. MICHAEL S. MCNALLY Primary Examiner Art Unit 2432 /Michael S McNally/Primary Examiner, Art Unit 2432
Read full office action

Prosecution Timeline

Feb 20, 2025
Application Filed
Jun 04, 2026
Non-Final Rejection mailed — §101, §102, §112 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12675563
METHOD FOR UNLOCKING AN ELECTRONIC DEVICE
1y 10m to grant Granted Jul 07, 2026
Patent 12659300
CUSTOMER-MANAGED IDENTIFIER ROTATION AND ANONYMOUS PROCESSING
2y 3m to grant Granted Jun 16, 2026
Patent 12641079
BIOMETRIC DATA-BASED HOLOGRAPHIC AUTHENTICATION
2y 7m to grant Granted May 26, 2026
Patent 12640923
NUMBER-THEORETIC TRANSFORM ARCHITECTURE FOR LATTICE-BASED CRYPTOGRAPHIC ALGORITHMS
2y 1m to grant Granted May 26, 2026
Patent 12632547
INFORMATION PROCESSING APPARATUS AND VIRUS DETECTION DISPLAY METHOD
2y 6m to grant Granted May 19, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

1-2
Expected OA Rounds
90%
Grant Probability
98%
With Interview (+8.7%)
2y 6m (~1y 2m remaining)
Median Time to Grant
Low
PTA Risk
Based on 1072 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month