IN THE UNITED STATES DISTRICT COURT
FOR THE DISTRICT OF DELAWARE

ORCA SECURITY LTD.,
Plaintiff,
v.
WIZ, INC.,
Defendant.

C.A. No. ______________

DEMAND FOR JURY TRIAL

COMPLAINT FOR PATENT INFRINGEMENT

INTRODUCTION AND SUMMARY OF THE ACTION

1. Plaintiff Orca Security Ltd. (“Orca”) brings this action against Wiz, Inc. (“Wiz”) to put an end to Wiz’s flagrant, ongoing, and unauthorized use of Orca’s patented technologies.

2. Wiz has built its business on a simple business plan: copy Orca. This copying is replete throughout Wiz’s business and has manifest in myriad ways. In its marketing, Wiz copies Orca’s imagery, its message, and even the coffee it uses at trade shows. In prosecuting patents, Wiz recruited away Orca’s former patent attorney to copy Orca’s intellectual property and even the figures from Orca’s patents. And, most importantly for this action, in its products and services, Wiz has embedded a number of revolutionary inventions developed and patented by Orca, passed those inventions off falsely as Wiz innovations, and forced Orca to compete against its own technological breakthroughs in the marketplace. Wiz’s conduct in this regard is illegal, unjust, and in violation of the United States patent laws. Orca thus brings this complaint to redress Wiz’s willful and deliberate infringement of Orca’s patents.

* * *

Case 1:23-cv-00758-GBW Document 1 Filed 07/12/23 Page 2 of 42 PageID #: 2

3. Modern cloud computing launched in 2006, and quickly evolved from an emerging fad to the predominant technology employed across the globe. By 2018, nearly half of all companies claimed that 31% to 60% of their IT systems were cloud-based.1

4. With this widespread and rapid adoption came inevitable security threats that, if left unchecked, could threaten the industry. What made the cloud so attractive—the ability to quickly spin-up or tear-down assets on demand and expand at an unprecedented pace—also made cloud computing environments exceptionally challenging to protect.

5. Before Orca, stale security approaches and conventional wisdom from legacy technologies were employed. Those entrenched in the field adapted traditional security tools designed for on-premise physical computers to the cloud environment, either checking all traffic going in or going out (network security) or attempting to install agents within each virtual asset within the system (endpoint security). Those tools—effective for discrete numbers of physical machines or services—were woefully inadequate to protect cloud-computing environments with enormous and dynamically changing numbers of virtual assets. This led to multiplying vulnerabilities and tremendous uncertainty in that large organizations had little insight into which services operate in their environment, who owns those services, who is obligated to maintain them, and what risks attend them.

1 https://www.comptia.org/content/research/2018-trends-in-cloud-computing

6. Enter Avi Shua, an Israeli-born cybersecurity technologist with a life-long fascination with ways to protect—or break into—computer systems. Even as a teen, Mr. Shua led corporate IT security for his high school. Mr. Shua then spent 10 years in the Israel Defense Forces as part of Unit 8200, an elite division of the Israel Intelligence Corps responsible for collecting signal intelligence and code decryption, counterintelligence, cyberwarfare, military intelligence, and surveillance. Following his military service, Mr. Shua joined Check Point Software, an early pioneer in the computer security industry. Mr. Shua quickly rose through the ranks during his decade at Check Point, ultimately serving as its Chief Technologist for four years.

7. After leaving Check Point, Mr. Shua turned his sights toward addressing the many shortcomings he had observed in cloud computing security. Among other things, Mr. Shua realized that the transient nature of workloads in a virtual environment made it effectively impossible for traditional endpoint and network security to continuously map onto those workloads. The result was a whack-a-mole approach that looked to secure workloads by adjusting endpoint security dynamically as vulnerabilities arose. This approach resulted in long periods with no security visibility, gaping holes in protection, and prohibitive costs to implement.

8. Dissatisfied, Mr. Shua looked to develop a new platform that could provide frictionless and comprehensive security coverage to a constantly evolving cloud environment. He realized that there was a better way—a more effective choke point—for analyzing cloud security within a virtual environment: the virtualization itself held the answer. In general terms, Mr. Shua conceived of a revolutionary approach that analyzed virtual cloud assets using read-only access with no impact on performance, and without deploying agents or network scanners. The result was vastly improved visibility into a cloud environment, deeper and better results, and improved speed. Mr. Shua’s innovations also enabled the integration of data into unified data models, to view cloud security threats in a context that was not possible before, and so to prioritize risks that endanger the organization’s most critical assets.

9. Mr. Shua and his co-founders founded Orca in 2019 to create a cloud security tool that brought Mr. Shua’s inventions to market. The company took off like a rocket ship: the year after it was founded, Orca Security achieved more than 1,000% year-over-year growth. As noted by customers, this success was due to the genius of Orca’s Platform. As one customer noted, “Orca Security is unique in that it locates vulnerabilities with precision and delivers tangible, actionable results—without having to sift through all of the noise.”2 And another customer echoed the sentiment, stating: “Orca is unique in that it doesn’t require the installation of cumbersome agents. This reduces integration costs, and eliminates the question we had always asked ourselves, ‘are agents installed on all resources?’”3

10. In the four years since its founding, Orca has raised substantial investment funds and grown from fewer than a dozen to more than 400 employees today. Orca has been recognized as one of the most innovative companies in cloud security and, in 2022, was the recipient of Amazon Web Services Global Security Partner of the Year Award.4 The U.S. Patent Office has awarded Orca several patents for Mr. Shua’s inventions, including U.S. Patent Nos. 11,663,031 (the “’031 patent”), and 11,663,032 (the “’032 patent”), among others.

11. Now, Orca is threatened because the Defendant, Wiz, Inc., has taken Orca’s revolutionary inventions and created a copycat cloud security platform, improperly trading off of Orca’s inventions, including those claimed in the ’031 and ’032 patents, without authorization.

2 https://web.archive.org/web/20200930194127/https://orca.security/ (Aaron Brown, Senior Cloud Security Engineer, Sisense).
3 https://web.archive.org/web/20200930194127/https://orca.security/ (Jonathan Jaffe, Head of Information Security, Legal Counsel, people.ai).
4 https://finance.yahoo.com/news/orca-security-awarded-2022-regional-010000110.html

WIZ AND ITS WIDESPREAD COPYING OF ORCA

12. Wiz was founded in January 2020 by Assaf Rappaport, Ami Luttwak, Yinon Costica, and Roy Reznik, a team that previously led the Cloud Security Group at Microsoft, one of the top providers of cloud computing environments in the world.5 According to those founders, it was their time at Microsoft that provided them the “insight” that current cloud security tools were too complicated, fragmented, and generate too many alerts.6 Wiz was thus founded to “build a platform that lets teams scan their environments across compute types and cloud services for vulnerabilities and configuration, network, and identity issues without agents”; i.e., to do exactly what Orca had already been doing for over a year.7

13. This was not a coincidence or a simultaneous stroke of genius. On the contrary, Wiz was birthed from the very beginning as a counterfeit copy of Orca’s ideas—Mr. Shua had presented Orca’s Platform to Wiz’s founders at Microsoft in May 2019, and the so-called “insight” of which Wiz boasts was nothing more than the misappropriation of Mr. Shua’s ideas and Orca’s technology as presented to Wiz’s founders before they formed Wiz and sought to launch a copycat competitor to Orca. It was at this 2019 meeting that Mr. Shua explained how cloud security would forever be changed by his novel agentless cloud security platform as implemented in Orca’s cloud-native security platform. Within months, the Wiz founders left their lucrative careers at Microsoft to start Wiz, build a clone of Orca’s technology, and compete directly with Orca.

5 https://www.darkreading.com/cloud/former-microsoft-cloud-security-leads-unveil-new-startup; https://www.forbes.com/sites/davidjeans/2020/12/09/wiz-sequoia-index-cybersecurity-100-million-former-microsoft-executives/?sh=4414df63254c (“At Microsoft, Rappaport says he became increasingly aware of a growing problem for large companies: managing cloud security threats was a fragmented process, with security teams becoming overwhelmed by alerts.”).
6 https://www.darkreading.com/cloud/former-microsoft-cloud-security-leads-unveil-new-startup
7 Id.

14. Because of the massive head start it received from Orca and Mr. Shua, it took Wiz just months from the time the company was founded before it had a fully functioning “cloud visibility solution for enterprises that provides a complete view of security risks across clouds, workloads and containers” that was “already used by Fortune 100 companies.”8 In August 2022, Wiz announced it had become the “fastest-growing software company ever” reaching “$100M ARR [annual recurring revenue] in 18 months.”9 And just eight months later in February 2023, Wiz raised $300 million and achieved a company valuation of $10 billion.10

8 https://www.securityweek.com/cloud-security-firm-wiz-emerges-stealth-100m-funding/
9 https://www.wiz.io/blog/100m-arr-in-18-months-wiz-becomes-the-fastest-growing-software-company-ever
10 https://techcrunch.com/2023/02/27/cloud-security-startup-wiz-now-valued-at-10b-raises-300m/

15. Wiz’s wholesale copying of Orca’s technology has been observed by third party industry analysts. For example, SOURCEFORGE’s comparison of Orca and Wiz lists identical “Cloud Security Features” for each platform:

https://sourceforge.net/software/compare/Orca-Security-vs-Wiz/.

16. SOURCEFORGE also notes that Wiz has the same “Cybersecurity Features” as Orca:

Id.

17. SOURCEFORGE further shows that Wiz has the same “Vulnerability Management Features” as Orca:

Id.

18. Through all of its copying, Wiz has attributed none of its technology to Orca. In fact, Wiz has done the opposite. Wiz has claimed it was the “first cloud visibility solution”11 and the “first full stack multi-cloud security platform.”12 But even its “full stack” descriptor was copied from Orca. It was Orca that first announced its “Unprecedented Full Stack Cloud Visibility” platform in June 2019, months before Wiz was even founded.13 As another more recent example, Wiz announced in June 2022 that it had a “new vision for cloud security” with the “introduction of attack path analysis.”14 But Wiz’s “attack path analysis” was not new, and it wasn’t Wiz’s vision. It was Mr. Shua’s from just two months earlier. On March 31, 2022, Mr. Shua blogged about Orca’s new “Cloud Attack Path Analysis” dashboard, which Wiz copied.15

11 https://web.archive.org/web/20210128014251/https://wiz.io/
12 https://web.archive.org/web/20210422201202/https://www.wiz.io/product
13 https://orca.security/resources/blog/orca-security-lands-6-5m-seed-round-to-deliver-it-security-teams-unprecedented-full-stack-cloud-visibility-securing-high-velocity-cloud-growth/

14 https://www.wiz.io/blog/uniting-builders-and-defenders-a-new-vision-for-cloud-security
15 https://orca.security/resources/blog/cloud-attack-path-analysis/

19. Wiz’s copying of Orca did not stop with the technology, but pervades Wiz’s business as a whole. For example, Orca realized early on that its cloud-native approach could be analogized to a medical MRI, providing a full model of the cloud environment without affecting it in any way. Early Orca marketing materials noted: “An apt analogy is to think of a medical MRI. Instead of probing inside the body with needles and scalpels, such imaging is an out-of-band method of obtaining a detailed picture of the organs and tissue within. The person is never physically touched.” Exhibit 3 (Orca SideScanning Technical Brief (2020)) at 15. Wiz copied this message: “Instead of using an intrusive agent, Wiz leverages cloud-native tools to perform scans without interrupting or impacting production workloads. Just like an MRI performs a 3D scan of the body without affecting the body itself, snapshot scanning achieves deep analysis of the workload without any impact or interruption to the live workload.” Exhibit 4 (Wiz “Agentless Scanning” (Jan. 19, 2022)).

20. As another example, Orca promoted its technology as assuming the “heavy lifting” of contextualizing detected security threats and prioritizing those that matter most. Exhibit 3 at 15 (“Context is critical; it’s the difference between effective security and dreaded analyst alert fatigue. Orca assumes responsibility for the heavy lifting associated with this additional context and assesses the real and effective risk. Orca’s mission is to provide the best contextualized security intelligence possible.”). Wiz copied this too beginning with its very first website in 2020: “We do the heavy lifting, you get total visibility.”16

21. Wiz even copied the more mundane aspects of Orca’s marketing. For example, at a multi-day security conference in London, Orca decided that it would break away from typical technology booths and instead sponsor a coffee booth. Wiz attended the same conference. On the first day, Wiz sponsored a typical technology booth. The following day, Wiz showed up with its own coffee machine. Just like Orca.

16 https://web.archive.org/web/20201209145922/http://www.wiz.io/.

22. Wiz also has knowingly copied Orca’s patents, its prosecution strategy, and even its prosecuting attorney. Orca’s first patent applications were filed and prosecuted by a lawyer at a small boutique firm with less than 10 attorneys, with whom Mr. Shua worked directly and confidentially. That engagement was terminated in 2021 when Orca learned that Wiz had engaged the same lawyer to file patents for Wiz on overlapping technology. Wiz’s patent applications now include figures and descriptions that are nearly identical to those found in Orca’s ’031 and ’032 patents:

Orca: ’032 patent at Fig 3, 8:7-23; ’031 patent at Fig. 3, 9:15-31.
Wiz: Wiz’s U.S. Patent No. 11,374,982 at Fig. 6, 20:61-21:12.

23. Again, this was no coincidence. On information and belief, Wiz knew that the lawyer it hired had prosecuted Orca’s patent applications and hired him to assist Wiz in its attempts to pass off Orca’s technology and intellectual property.

24. In furtherance of its scheme to copy Orca, Wiz also recruited Orca’s outside corporate counsel to work for Wiz. That lawyer attended Orca’s Board of Director meetings and, as a result, was exposed to Orca’s highly confidential technology and business plans. Orca replaced its outside corporate counsel in November 2020 after it learned that Wiz had engaged the very same lawyer as its own corporate counsel. On information and belief, Wiz knew that the lawyer it hired was Orca’s outside corporate counsel and Wiz hired him to assist Wiz in its attempts to copy Orca.

25. Beyond the foregoing examples, on information and belief, Wiz has hired former Orca employees and worked with third parties to acquire Orca’s confidential information relating to current and future product plans, marketing, sales, prospective customers, and prospective employees, and has used that confidential information in furtherance of its efforts to copy and to compete unfairly with Orca.

26. This action seeks to put an end to, and obtain relief for, this pattern of copying and Wiz’s willful infringement of the ’031 patent and the ’032 patent (collectively, the “Asserted Patents”).

THE PARTIES

27. Plaintiff Orca Security Ltd. is an Israeli company with a principal place of business at 3 Tushia St., Tel Aviv, Israel 6721803.

28. On information and belief, Defendant Wiz, Inc. is a Delaware company with a principal place of business at One Manhattan West, 57th Floor, New York, New York.17

17 https://www.wiz.io/contact (Locations)

JURISDICTION AND VENUE

29. This action arises under the patent laws of the United States, 35 U.S.C. § 1 et seq. This Court has subject matter jurisdiction pursuant to 28 U.S.C. §§ 1331 and 1338(a).

30. This Court has personal jurisdiction over Wiz because Wiz is subject to general and specific jurisdiction in the state of Delaware. Wiz is subject to personal jurisdiction at least because Wiz is a Delaware corporation and resides in this District. Wiz has made certain minimum contacts with Delaware such that the maintenance of this suit does not offend traditional notions of fair play and substantial justice.

31. The exercise of personal jurisdiction comports with Wiz’s right to due process because, as described above, Wiz has purposefully availed itself of the privilege of Delaware corporate laws such that it should reasonably anticipate being haled into court here.

32. Venue is proper in this district pursuant to 28 U.S.C. §§ 1391 and 1400(b) at least because Wiz is incorporated in the State of Delaware and is subject to personal jurisdiction in this District.

COUNT I
(Infringement of the ’031 Patent)

33. Orca incorporates all other allegations in this Complaint.

34. The ’031 patent is entitled “Techniques for Securing Virtual Cloud Assets at Rest Against Cyber Threats” and was duly and legally issued on May 30, 2023. A true and correct copy of the ’031 patent is attached hereto as Exhibit 1.

35. Orca is the owner of all rights, title, and interest in the ’031 patent.

36. The ’031 patent is valid and enforceable.

37. The inventions claimed in the ’031 patent improved on prior art cloud security systems and methods by, inter alia, taking at least one snapshot or requesting taking of at least one snapshot of a virtual machine at rest, and analyzing the at least one snapshot to detect vulnerabilities. See, e.g., ’031 patent at cls. 1-16. This snapshot-based analysis for inactive assets was not well understood, routine, or conventional. It is an inventive concept that allows virtual assets in a cloud computing platform to be analyzed and scanned for embedded vulnerabilities, at a time when the machine is inactive, because, among other things, the analysis does not require any interaction and/or information from a running virtual asset like agent-based solutions. By analyzing virtual cloud assets at rest, the ’031 patent provides greater context for detected vulnerabilities and more comprehensive security for a cloud computing platform, including protecting against assets that may have become unsafe after they were turned off due to newly disclosed vulnerabilities or infrastructure changes.

(a) Direct Infringement of the ’031 Patent

38. Wiz, without authorization, directly infringes one or more claims of the ’031 patent, literally and/or under the doctrine of equivalents. Wiz infringes under 35 U.S.C. § 271 including, without limitation, 35 U.S.C. § 271(a), by making, using, selling, offering to sell, and/or importing within the United States without authority, Wiz’s CSP and/or other similar products or services, which include (or are otherwise referred to) but are not limited to Wiz’s Cloud Native Application Protection Platform (“CNAPP”), Cloud Security Posture Management (“CSPM”), Cloud Infrastructure Entitlement Management (“CIEM”), Data Security Posture Management (“DSPM”), Infrastructure-as-code (“IaC”) scanning (https://www.wiz.io/solutions/iac), and Cloud Detection and Response (“CDR”) platforms and/or features. See https://www.wiz.io/ (listing CNAPP, CSPM, CIEM, DSPM, IaC scanning, and CDR as “Product[s]”); see also https://www.wiz.io/product (same). Wiz’s infringement includes infringement of, for example, claim 9 of the ’031 patent.

39. Claim 9 of the ’031 patent recites:

1. A computer-implemented method for inspecting data, the method comprising:

establishing an interface between a client environment and security components;

using the interface to utilize cloud computing platform APIs to identify virtual disks of a virtual machine in the client environment;

using the computing platform APIs to query a location of at least one of the identified virtual disks;

receiving an identification of the location of the virtual disks of the virtual machine;

emulating the virtual disks for the virtual machine;

performing at least one of: (i) taking at least one snapshot, and (ii) requesting taking at least one snapshot of the virtual machine at rest, wherein the at least one snapshot represents a copy of the virtual disks of the virtual machine at a point in time;

analyzing the at least one snapshot to detect vulnerabilities, wherein during the detection of the vulnerabilities by analyzing the at least one snapshot, the virtual machine is inactive; and

reporting the detected vulnerabilities as alerts.

40. On information and belief, Wiz practices each and every limitation of claim 9 of the ’031 patent by and through the use of Wiz’s CSP and/or other similar products or services for Wiz’s clients or customers.

41. The preamble of claim 9 recites “[a] computer-implemented method for inspecting data, the method comprising. . . .” To the extent the preamble is limiting, Wiz practices this step by, for example, using its computer-implemented CSP to inspect data in clients’ cloud computing environments, including inactive assets. See, e.g., https://www.wiz.io/solutions/cnapp (“Wiz leverages unique technology to scan PaaS resources, Virtual Machines, Containers, Serverless Functions, . . . to identify the risks in each layer”); https://www.wiz.io/blog/detect-and-prioritize-cisa-known-exploited-vulnerabilities-kev-with-wiz (“Detect and prioritize CISA Known Exploited Vulnerabilities in the cloud with Wiz”).

42. Claim 9 further recites “establishing an interface between a client environment and security components . . . .” Wiz’s public presentations and technical documentation confirm that Wiz practices this step by, for example, using Wiz’s CSP to perform “[a]gentless scanning via API” provided by AWS, GCP, and Azure, among other cloud computing environments.

See Exhibit 5 (AWS re:Invent - Context is Everything: Join the CNAPP Revolution to Secure Your AWS Deployments) at 13; Exhibit 6 (Wiz Cloud Security Platform Datasheet) (supported cloud computing platforms include AWS, Azure, and Google Cloud Platform (GCP)); https://support.wiz.io/hc/en-us/articles/5641497256860-Azure-Connector-Basics (“Wiz connects to your cloud environment via your cloud service provider’s APIs in order to extract metadata and perform snapshot scans.”); https://support.wiz.io/hc/en-us/articles/5449816387100-AWS-Connector-Basics (same); https://support.wiz.io/hc/en-us/articles/5642208092572-GCP-Connector-Basics (same); https://www.wiz.io/solutions/vulnerability-management (“Using a one-time cloud native API deployment, continuously assess workloads without deploying agents”).

43. Claim 9 further recites “using the interface to utilize cloud computing platform APIs to identify virtual disks of a virtual machine in the client environment . . . .” Wiz practices this step by, for example, using Wiz’s CSP to provide “[f]ull visibility” of virtual cloud assets in a client environment using an API provided by AWS, GCP, and Azure, among other cloud computing environments.

See Exhibit 5 at 13; Exhibit 6 (supported cloud computing platforms include AWS, Azure, and Google Cloud Platform (GCP)). Through the API, Wiz creates a graph of a client environment “with full context on the resource[s],” which includes identifying virtual disks of virtual machines. See https://www.wiz.io/blog/uniting-builders-and-defenders-a-new-vision-for-cloud-security; Exhibit 6 at 3 (“Wiz uses the full context of your cloud and combines this information into a single graph in order to correlate related issues”), 4 (Wiz “takes a snapshot of each VM system volume and analyzes its operating system, application layer, and data layer statically with no performance impact.”).

44. Claim 9 further recites “using the computing platform APIs to query a location of at least one of the identified virtual disks . . . .” Wiz performs this step by, for example, using computing platform APIs to perform a query to locate virtual disks and other resources. See Exhibit 5 at 13 (“Agentless scanning via API”); https://www.wiz.io/blog/detect-and-prioritize-cisa-known-exploited-vulnerabilities-kev-with-wiz (“You can query and locate all the VMs, containers, and serverless functions in your cloud environment that are vulnerable to a specific CVE in the catalog with a simple query shortcut.”); https://www.wiz.io/solutions/cnapp (“Scan buckets, data volumes, and databases and quickly classify the data to track wh[ere] data is located.”); https://support.wiz.io/hc/en-us/articles/5643759466396-Security-Graph-Basics (“[C]heck out our guide for optimizing your Security Graph queries.”).

45. Claim 9 further recites “receiving an identification of the location of the virtual disks of the virtual machine . . . .” Wiz practices this step by, for example, identifying virtual disks and other resources it locates when it performs a query. See https://www.wiz.io/blog/detect-and-prioritize-cisa-known-exploited-vulnerabilities-kev-with-wiz (“You can query and locate all the VMs, containers, and serverless functions in your cloud environment that are vulnerable to a specific CVE in the catalog with a simple query shortcut.”). As another example, Wiz uses Wiz’s CSP to create a graph showing the locations of virtual cloud assets, including virtual machines and virtual disks, within a client environment. See Exhibit 6 at 3 (Wiz “uses the full context of your cloud and combines this information into a single graph in order to correlate related issues”); see also Exhibit 5 at 13 (“Full visibility in minutes . . . without agents”).

46. Claim 9 further recites “emulating the virtual disks for the virtual machine . . . .” On information and belief, Wiz practices this step by, for example, using Wiz’s CSP to scan “all of [a customer’s] workloads even if a resource isn’t online” because an offline resource’s virtual disks will need to be emulated before scanning.

https://legacy.wiz.io/partners/google. Wiz’s website also promotes its platform as using agentless “snapshot” scanning. See https://www.wiz.io/solutions/cnapp (“Wiz deployment leverages a single cloud role to scan your entire cloud environment: PaaS, Virtual Machines, Containers, Serverless functions, Buckets, Data volumes and Databases.”); https://www.wiz.io/solutions/vulnerability-management. As Wiz’s blog posts explain, “volume snapshot approach” where snapshots are scanned “out of band, do not rely on the cloud environment’s compute resources to run.” https://www.wiz.io/blog/agents-are-not-enough-why-cloud-security-needs-agentless-deep-scanning. Accordingly, on information and belief, Wiz uses its own separate compute resources to emulate virtual disks that it analyzes.

https://www.wiz.io/solutions/vulnerability-management.

47. Claim 9 further recites “performing at least one of: (i) taking at least one snapshot, and (ii) requesting taking at least one snapshot of the virtual machine at rest, wherein the at least one snapshot represents a copy of the virtual disks of the virtual machine at a point in time . . . .” Wiz performs this step by, for example, taking a snapshot of a virtual disk in order to “analyze[] [the] operating system, application layer, and data layer” of virtual machines in a client environment. See Exhibit 6 at 4, 3 (Wiz “[s]cans the workloads inside the container to determine . . . its vulnerabilities”); see also Exhibit 5 at 27. Wiz’s technical documentation explains that “Wiz connects to [a] cloud environment via [a] cloud service provider’s APIs in order to extract metadata and perform snapshot scans.” https://support.wiz.io/hc/en-us/articles/5641497256860-Azure-Connector-Basics; https://support.wiz.io/hc/en-us/articles/5449816387100-AWS-Connector-Basics (same); https://support.wiz.io/hc/en-us/articles/5642208092572-GCP-Connector-Basics (same). On information and belief, Wiz also requests taking a snapshot of virtual disks on a virtual machine when it is offline. https://legacy.wiz.io/partners/google (“Wiz uses a unique technology to scan deep within VMs and containers without needing an agent, analyzing all of your workloads even if a resource isn’t online.”).

48. Claim 9 further recites “analyzing the at least one snapshot to detect vulnerabilities, wherein during the detection of the vulnerabilities by analyzing the at least one snapshot, the virtual machine is inactive . . . .” Wiz performs this step by, for example, analyzing the snapshot of a virtual disk to determine cyber vulnerabilities affecting the virtual disk. For example, Wiz analyzes the snapshot of a virtual disk to identify potential vulnerabilities.

https://www.wiz.io/solutions/vulnerability-management.

49. As another example, Wiz “analyzes [the] operating system, application layer, and data layer” of virtual machines to provide full visibility into vulnerabilities across the cloud computing environme