Prosecution Insights
Last updated: July 17, 2026
Application No. 19/089,841

FRAMEWORK FOR AUTOMATED PENETRATION TESTING

Non-Final OA §102
Filed
Mar 25, 2025
Priority
May 15, 2020 — provisional 63/025,437 +1 more
Examiner
DAVIS, ZACHARY A
Art Unit
Tech Center
Assignee
Twilio Inc.
OA Round
1 (Non-Final)
54%
Grant Probability
Moderate
1-2
OA Rounds
3y 2m
Est. Remaining
76%
With Interview

Examiner Intelligence

Grants 54% of resolved cases
54%
Career Allowance Rate
273 granted / 506 resolved
-6.0% vs TC avg
Strong +22% interview lift
Without
With
+22.0%
Interview Lift
resolved cases with interview
Typical timeline
4y 5m
Avg Prosecution
33 currently pending
Career history
568
Total Applications
across all art units

Statute-Specific Performance

§101
1.8%
-38.2% vs TC avg
§103
65.2%
+25.2% vs TC avg
§102
24.8%
-15.2% vs TC avg
§112
7.8%
-32.2% vs TC avg
Black line = Tech Center average estimate • Based on career data from 506 resolved cases

Office Action

§102
DETAILED ACTION The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Priority The present application is a continuation of Application Serial No. 17/302,828, filed 13 May 2021 and issued as US Patent 12287882 on 29 April 2025. Specification The disclosure is objected to because of the following informalities: The specification does not include a brief summary of the invention as per 37 CFR 1.73. If a summary was intentionally omitted, Applicant is requested to make a statement confirming this on the record. Appropriate correction is required. Applicant’s cooperation is requested in correcting any other errors of which applicant may become aware in the specification. Claim Objections Claims 1, 8, and 15 are objected to because of the following informalities: In Claim 1, line 4; Claim 8, line 6; and Claim 15, line 5, it is recommended to insert “that” before “has a tree structure” to make more explicit that this phrase is also referring to the attack tree. Appropriate correction is required. Double Patenting The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969). A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). The filing of a terminal disclaimer by itself is not a complete reply to a nonstatutory double patenting (NSDP) rejection. A complete reply requires that the terminal disclaimer be accompanied by a reply requesting reconsideration of the prior Office action. Even where the NSDP rejection is provisional the reply must be complete. See MPEP § 804, subsection I.B.1. For a reply to a non-final Office action, see 37 CFR 1.111(a). For a reply to final Office action, see 37 CFR 1.113(c). A request for reconsideration while not provided for in 37 CFR 1.113(c) may be filed after final for consideration. See MPEP §§ 706.07(e) and 714.13. The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The actual filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/apply/applying-online/eterminal-disclaimer. Claims 1-4, 6-11, 13-18, and 20 are rejected on the ground of nonstatutory double patenting as being unpatentable over Claims 1, 4, 9, 11, 14, and 16 of U.S. Patent No. 12287882. Although the claims at issue are not identical, they are not patentably distinct from each other because the pending claims are broader than the issued claims and are therefore anticipated by the issued claims. Anticipation is the epitome of obviousness. More specifically, pending Claim 1 recites steps of accessing a request that corresponds to and is broader than the step of receiving in issued Claim 1. The step of performing attacks in pending Claim 1 also corresponds to and is broader than the step of performing attacks in issued Claim 1, and the step of determining that the penetration test penetrated the device based on a result of the final attack in pending Claim 1 corresponds to and is broader than the step of determining that the penetration test is successful based on successfully executing the final attack in issued Claim 1. The performance of the steps by processors in pending Claim 1 is broader than the performance by a penetration manager in issued Claim 1. Therefore, pending Claim 1 is anticipated by issued Claim 1. Pending Claim 3 recites receiving the request as in issued Claim 1, and pending Claim 4 recites an outcome of a first attack being a basis upon which to perform a second attack which corresponds to passing the results of a first attack to a next-level attack as in issued Claim 1. Pending Claim 2 is an obvious variation based on the disclosures of the issued patent (see column 2, lines 49-53, where the request includes a configuration file). Pending Claim 6 corresponds to issued Claim 9, and pending Claim 7 corresponds to portions of issued Claim 4. Similarly, pending Claims 8-11 are anticipated by and obvious based on issued Claim 11, and pending Claims 15-18 are anticipated by an obvious based on issued Claim 16. Pending Claim 13 corresponds to issued Claim 9, and pending Claim 14 corresponds to portions of issued Claim 14. Pending Claim 20 corresponds to issued Claim 9. Claim Rejections - 35 USC § 102 The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action: A person shall be entitled to a patent unless – (a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention. Claims 1-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Hebert et al, US Patent Application Publication 2017/0019421. In reference to Claim 1, Hebert discloses a method comprising: accessing, by one or more processors, a request that a penetration test be performed against a device based on an attack tree that is defined by the request and has a tree structure with nodes that each represent a corresponding attack (paragraph 0019, penetration test with attack tree); performing, by the one or more processors, one or more attacks against the device based on at least a portion of the attack tree defined by the request, the one or more attacks including a final attack represented by a final node of the attack tree (see paragraphs 0020-0040 for examples of performing attacks along trees); and determining, by the one or more processors, that the penetration test penetrated the device based on a result of the final attack that corresponds to the final node of the attack tree defined by the request (see paragraph 0041, describing a successful penetration test). In reference to Claim 2, Hebert further discloses that the request that the penetration test be performed against the device includes a configuration file that defines the nodes of the attack tree for performing the penetration test against the device (paragraph 0019, attacks and targets defined). In reference to Claim 3, Hebert further discloses that the accessing of the request that defines the attack tree on which basis the penetration test is to be performed includes receiving the request that defines the attack tree on which basis the penetration test is to be performed (paragraph 0019, receiving provided attack tree). In reference to Claim 4, Hebert further discloses that the performing of the one or more attacks includes performing a first attack that corresponds to a first node of the attack tree defined by the request, an outcome of the first attack being a basis upon which to perform a second attack that corresponds to a second node of the attack tree defined by the request (see paragraphs 0020-0041 for examples of performing attacks along trees). In reference to Claim 5, Hebert further discloses that the second attack that corresponds to the second node of the attack tree defined by the request is the final attack that corresponds to the final node of the attack tree defined by the request (see paragraphs 0020-0041 for examples of performing attacks along trees). In reference to Claim 6, Hebert further discloses that the first attack that corresponds to the first node of the attack tree defined by the request includes scanning ports of the device to find a vulnerability of the device (see paragraph 0085, network mapping and paragraph 0094, ports; see also paragraphs 0020-0041). In reference to Claim 7, Hebert further discloses that the device is a target device and the method further comprises: providing an application programming interface (API) that enables a requestor device to generate the request that the penetration test be performed (paragraph 0086, interface). Claims 8-14 are directed to systems having functionality corresponding to the methods of Claims 1-7, and are rejected by a similar rationale, mutatis mutandis. Claims 15-20 are directed to software implementations of the methods of Claims 1-6, and are rejected by a similar rationale. Conclusion The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See the parent application for description of the cited prior art references. Any inquiry concerning this communication or earlier communications from the examiner should be directed to Zachary A Davis whose telephone number is (571)272-3870. The examiner can normally be reached Monday-Friday, 9:00am-5:30pm, Eastern Time. Examiner interviews are available via telephone and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Rupal D Dharia can be reached at (571) 272-3880. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /Zachary A. Davis/Primary Examiner, Art Unit 2492
Read full office action

Prosecution Timeline

Mar 25, 2025
Application Filed
Jun 30, 2026
Non-Final Rejection mailed — §102 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12676750
Methods, Systems, and Devices for Server Control of Client Authorization Proof of Possession
4y 5m to grant Granted Jul 07, 2026
Patent 12676751
Methods, Systems, and Devices for Server Control of Client Authorization Proof of Possession
4y 5m to grant Granted Jul 07, 2026
Patent 12659750
ULTRA-WIDEBAND UNLOCK DEVICE
3y 8m to grant Granted Jun 16, 2026
Patent 12592929
TECHNIQUE FOR COMPUTING A BLOCK IN A BLOCKCHAIN NETWORK
4y 9m to grant Granted Mar 31, 2026
Patent 12566840
Systems And Methods For Creating Trustworthy Orchestration Instructions Within A Containerized Computing Environment For Validation Within An Alternate Computing Environment
3y 7m to grant Granted Mar 03, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

1-2
Expected OA Rounds
54%
Grant Probability
76%
With Interview (+22.0%)
4y 5m (~3y 2m remaining)
Median Time to Grant
Low
PTA Risk
Based on 506 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month