Invalidity dossier

US 12001549

Cybersecurity incident response techniques utilizing artificial intelligence

Current assignee: Orca Security Ltd.

Added 5/14/2026, 6:01:44 AM

Active provider: Google · gemini-2.5-flash

Patent summary

Title, assignee, inventors, filing/issue dates, abstract, and a plain-language overview of the claims.

US patent 12001549, titled "Cybersecurity incident response techniques utilizing artificial intelligence," was assigned to Wiz Inc. The inventors are Alon SCHINDEL, Barak Sharoni, Amitai Cohen, Ami Luttwak, Roy Reznik, and Yinon COSTICA. The patent was filed on January 31, 2024, and issued on June 4, 2024.

Abstract:
The patent describes a system and method for cybersecurity incident response using a large language model. The method involves mapping a received incident input to a scenario from a plurality of scenarios (each having sub-scenarios), generating a query based on the incident input and a selected sub-scenario, executing this query on a security database that represents a computing environment, and then initiating a mitigation action based on the results of the executed query.

Plain-Language Overview of Independent Claims:
The patent describes two main independent methods, along with corresponding computer-readable media and systems.

Independent Claims (General Aspect 1):

  • Method: A method is claimed for cybersecurity incident response. It involves:
    1. Taking an "incident input" (e.g., a query or statement) and mapping it to a specific "scenario" from a collection of possible scenarios. Each scenario contains multiple "sub-scenarios."
    2. Creating a database query using the incident input and a chosen sub-scenario.
    3. Running this query on a "security database" which holds information about a computing environment.
    4. Based on the results of the query, starting a "mitigation action" to address the cybersecurity incident.
  • Non-transitory Computer-Readable Medium: A computer-readable medium contains instructions that, when executed by a processor, perform the steps of the method described above.
  • System: A system includes processing circuitry and memory configured to execute instructions that perform the steps of the method described above.

Independent Claims (General Aspect 2, explicitly detailing LLM usage for mapping):

  • Method: A method for cybersecurity incident response based on a cybersecurity event. It involves:
    1. Receiving an incident input related to a cybersecurity event.
    2. Generating a prompt for a Large Language Model (LLM) based on this incident input.
    3. Using the generated prompt to configure the LLM to produce an output.
    4. Mapping the original incident input to a specific "scenario" from a collection of scenarios (each linked to an incident response), with this mapping being based on the LLM's output.
    5. Generating a database query based on the incident input and the mapped scenario.
    6. Executing this query on a security database representing a computing environment.
    7. Initiating a mitigation action based on the result of the executed query.
  • Non-transitory Computer-Readable Medium: A computer-readable medium contains instructions that, when executed by a processor, cause a device to perform the steps of this second method described above.
  • System: A system includes processing circuitry and memory configured to execute instructions that perform the steps of this second method described above.

Litigation and Legal Status:
The patent is currently Active.
As of April 26, 2026, the patent family for US12001549 has ongoing litigation.
A PTAB (Patent Trial and Appeal Board) case, IPR2025-01086, was filed against this patent but was "Not Instituted - Merits".
A search of CAFC 2026 dockets specifically for patent number 12001549 did not yield any direct results indicating current appellate court litigation for this patent. It is possible that the "Family has litigation" status refers to broader litigation involving related patents or earlier stages of the current litigation not yet at the CAFC level for this specific patent.

The patent US12001549B1, titled "Cybersecurity incident response techniques utilizing artificial intelligence," was granted to Wiz Inc. The inventors listed are Alon SCHINDEL, Barak Sharoni, Amitai Cohen, Ami Luttwak, Roy Reznik, and Yinon COSTICA. The filing date for this patent was January 31, 2024, and it was issued on June 4, 2024.

Abstract:
The abstract describes a system and method for cybersecurity incident response that leverages a large language model (LLM). It details a process that includes mapping a received incident input into a relevant scenario (from a predefined set of scenarios, each with sub-scenarios), generating a query based on the incident input and a selected sub-scenario, executing this query on a security database representing the computing environment, and then initiating a mitigation action based on the results of the executed query.

Plain-Language Overview of Independent Claims:

The patent outlines two main independent sets of claims for its cybersecurity incident response techniques.

First Set of Independent Claims:

  • Method Claim: This claim describes a process where an incoming cybersecurity incident (an "incident input") is mapped to a high-level "scenario," which further breaks down into "sub-scenarios." Based on this input and a chosen sub-scenario, a database query is generated. This query is then executed on a security database that contains a model of the computing environment. Finally, a mitigation action is initiated based on what the query reveals.
  • Non-transitory Computer-Readable Medium Claim: This claim covers a storage device (like a hard drive or flash memory) containing computer instructions. When these instructions are run by a processor, they cause a device to perform all the steps of the method described above.
  • System Claim: This claim pertains to a physical system comprising processing circuitry and memory. The memory stores instructions that enable the system to carry out the steps of the method described above.

Second Set of Independent Claims (explicitly incorporating a Large Language Model):

  • Method Claim: This method begins by receiving an "incident input" that stems from a cybersecurity event. A prompt is then generated specifically for a Large Language Model (LLM) using this incident input. The LLM processes this prompt to produce an output, which is then used to map the initial incident input to a specific "scenario" (each scenario being linked to an incident response). Subsequently, a database query is generated using the incident input and the identified scenario. This query is executed on a security database representing the computing environment, and a mitigation action is initiated based on the query's outcome.
  • Non-transitory Computer-Readable Medium Claim: This claim also covers a computer-readable medium holding instructions. When executed by one or more processors, these instructions enable a device to perform the steps of this second, LLM-centric method.
  • System Claim: This describes a system with processing circuitry and memory. The memory contains instructions that, when executed, configure the system to perform all the steps of this second method, including the LLM-based mapping.

Litigation and Legal Status:
US patent 12001549B1 is currently Active.
The patent family related to US12001549 has been involved in litigation.
A PTAB (Patent Trial and Appeal Board) case, IPR2025-01086, was filed against the patent but was "Not Instituted - Merits."

As of April 26, 2026, a search of CAFC (Court of Appeals for the Federal Circuit) dockets for the specific patent number 12001549 did not return any direct results indicating ongoing appellate court litigation. The general mentions of "Patent Case Summaries" from law firms for weeks ending in March and April 2026 and information about the Supreme Court patent docket in January 2026 indicate active patent litigation at various levels, but no specific mention of US12001549 was found in the provided search results for CAFC. Therefore, there is no authoritative information to confirm specific CAFC dockets for this patent number in 2026 at this time.

Generated 5/16/2026, 12:48:07 PM