Case 1:23-cv-00758-GBW Document 15 Filed 10/10/23 Page 1 of 130 PageID #: 598
`
`
`
`IN THE UNITED STATES DISTRICT COURT
`FOR THE DISTRICT OF DELAWARE
`
`ORCA SECURITY LTD.,
`
`
`Plaintiff,
`
`
`
`v.
`
`
`WIZ, INC.,
`
`
`Defendant.
`
`
`
`
`
`C.A. No. 23-758 (GBW)
`
`DEMAND FOR JURY TRIAL
`
`)
`)
`)
`)
`)
`)
`)
`)
`)
`
`SECOND AMENDED COMPLAINT FOR PATENT INFRINGEMENT
`INTRODUCTION AND SUMMARY OF THE ACTION
`
`1.
`
`Plaintiff Orca Security Ltd. (“Orca”) brings this action against Wiz, Inc. (“Wiz”) to
`
`put an end to Wiz’s flagrant, ongoing, and unauthorized use of Orca’s patented technologies.
`
`2.
`
`Wiz has built its business on a simple business plan: copy Orca. This copying is
`
`replete throughout Wiz’s business and has manifest in myriad ways. In its marketing, Wiz copies
`
`Orca’s imagery, its message, and even the coffee it uses at trade shows. In prosecuting patents,
`
`Wiz recruited away Orca’s former patent attorney to copy Orca’s intellectual property and even
`
`the figures from Orca’s patents. And, most importantly for this action, in its products and services,
`
`Wiz has embedded a number of revolutionary inventions developed and patented by Orca, passed
`
`those inventions off falsely as Wiz innovations, and forced Orca to compete against its own
`
`technological breakthroughs in the marketplace. Wiz’s conduct in this regard is illegal, unjust,
`
`and in violation of the United States patent laws. Orca thus brings this Second Amended
`
`Complaint to redress Wiz’s willful and deliberate infringement of Orca’s patents.
`
`* * *
`
`
`
`

`

`Case 1:23-cv-00758-GBW Document 15 Filed 10/10/23 Page 2 of 130 PageID #: 599
`
`
`
`3.
`
`Modern cloud computing launched in 2006, and quickly evolved from an emerging
`
`fad to the predominant technology employed across the globe. By 2018, nearly half of all
`
`companies claimed that 31% to 60% of their IT systems were cloud-based.1
`
`4.
`
`With this widespread and rapid adoption came inevitable security threats that, if
`
`left unchecked, could threaten the industry. What made the cloud so attractive—the ability to
`
`quickly spin-up or tear-down assets on demand and expand at an unprecedented pace—also made
`
`cloud computing environments exceptionally challenging to protect.
`
`5.
`
`Before Orca, stale security approaches and conventional wisdom from legacy
`
`technologies were employed. Those entrenched in the field adapted traditional security tools
`
`designed for on-premise physical computers to the cloud environment, either checking all traffic
`
`going in or going out (network security) or attempting to install agents within each virtual asset
`
`within the system (endpoint security). Those tools—effective for discrete numbers of physical
`
`machines or services—were woefully inadequate to protect cloud-computing environments with
`
`enormous and dynamically changing numbers of virtual assets. This led to multiplying
`
`vulnerabilities and tremendous uncertainty in that large organizations had little insight into which
`
`services operate in their environment, who owns those services, who is obligated to maintain them,
`
`and what risks attend them.
`
`6.
`
`Enter Avi Shua, an Israeli-born cybersecurity technologist with a life-long
`
`fascination with ways to protect—or break into—computer systems. Even as a teen, Mr. Shua led
`
`corporate IT security for his high school. Mr. Shua then spent 10 years in the Israel Defense Forces
`
`as part of Unit 8200, an elite division of the Israel Intelligence Corps responsible for collecting
`
`signal intelligence and code decryption, counterintelligence, cyberwarfare, military intelligence,
`
`
`https://www.comptia.org/content/research/2018-trends-in-cloud-computing
`
`1
`
`2
`
`

`

`Case 1:23-cv-00758-GBW Document 15 Filed 10/10/23 Page 3 of 130 PageID #: 600
`
`
`
`and surveillance. Following his military service, Mr. Shua joined Check Point Software, an early
`
`pioneer in the computer security industry. Mr. Shua quickly rose through the ranks during his
`
`decade at Check Point, ultimately serving as its Chief Technologist for four years.
`
`7.
`
`After leaving Check Point, Mr. Shua turned his sights toward addressing the many
`
`shortcomings he had observed in cloud computing security. Among other things, Mr. Shua
`
`realized that the transient nature of workloads in a virtual environment made it effectively
`
`impossible for traditional endpoint and network security to continuously map onto those
`
`workloads. The result was a whack-a-mole approach that looked to secure workloads by adjusting
`
`endpoint security dynamically as vulnerabilities arose. This approach resulted in long periods with
`
`no security visibility, gaping holes in protection, and prohibitive costs to implement.
`
`8.
`
`Dissatisfied, Mr. Shua looked to develop a new platform that could provide
`
`frictionless and comprehensive security coverage to a constantly evolving cloud environment. He
`
`realized that there was a better way—a more effective choke point—for analyzing cloud security
`
`within a virtual environment: the virtualization itself held the answer. In general terms, Mr. Shua
`
`conceived of a revolutionary approach that analyzed virtual cloud assets using read-only access
`
`with no impact on performance, and without deploying agents or network scanners. The result
`
`was vastly improved visibility into a cloud environment, deeper and better results, and improved
`
`speed. Mr. Shua’s innovations also enabled the integration of data into unified data models, to
`
`view cloud security threats in a context that was not possible before, and so to prioritize risks that
`
`endanger the organization’s most critical assets.
`
`9.
`
`Mr. Shua and his co-founders founded Orca in 2019 to create a cloud security tool
`
`that brought Mr. Shua’s inventions to market. The company took off like a rocket ship: the year
`
`after it was founded, Orca Security achieved more than 1,000% year-over-year growth. As noted
`
`3
`
`

`

`Case 1:23-cv-00758-GBW Document 15 Filed 10/10/23 Page 4 of 130 PageID #: 601
`
`
`
`by customers, this success was due to the genius of Orca’s Platform. As one customer noted,
`
`“Orca Security is unique in that it locates vulnerabilities with precision and delivers tangible,
`
`actionable results—without having to sift through all of the noise.”2 And another customer echoed
`
`the sentiment, stating: “Orca is unique in that it doesn’t require the installation of cumbersome
`
`agents. This reduces integration costs, and eliminates the question we had always asked ourselves,
`
`‘are agents installed on all resources?’”3
`
`10.
`
`In the four years since its founding, Orca has raised substantial investment funds
`
`and grown from fewer than a dozen to more than 400 employees today. Orca has been recognized
`
`as one of the most innovative companies in cloud security and, in 2022, was the recipient of
`
`Amazon Web Services Global Security Partner of the Year Award.4 The U.S. Patent Office has
`
`awarded Orca several patents for Mr. Shua’s inventions, including U.S. Patent Nos. 11,663,031
`
`(the “’031 patent”), 11,663,032 (the “’032 patent”), 11,693,685 (the “’685 patent”), 11,726,809
`
`(the “’809 patent”), 11,740,926 (the “’926 patent”), and 11,775,326 (the “’326 patent”), among
`
`others. Less than a month after the first of these patents issued on August 22, 2022, Orca
`
`announced to the public and its competitors that it had “secured a patent for its agentless
`
`SideScanning™ technology, providing visibility and risk coverage across the entire cloud estate.”5
`
`
`2
`https://web.archive.org/web/20200930194127/https://orca.security/ (Aaron Brown, Senior
`Cloud Security Engineer, Sisense).
`3
`https://web.archive.org/web/20200930194127/https://orca.security/ (Jonathan Jaffe, Head
`of Information Security, Legal Counsel, people.ai).
`4
`https://finance.yahoo.com/news/orca-security-awarded-2022-regional-010000110.html
`5
`https://orca.security/resources/press-releases/orca-security-innovation-patent-grant-
`sidescanning-technology/ (announcement dated November 10, 2022, and providing direct link to
`Orca’s U.S. Patent No. 11,431,735 (https://patents.google.com/patent/US11431735)).
`
`4
`
`

`

`Case 1:23-cv-00758-GBW Document 15 Filed 10/10/23 Page 5 of 130 PageID #: 602
`
`
`
`Prior to issuance, Orca’s marketing materials and publications dating back to June 2019 explained
`
`that the Orca Platform used a “patent-pending SideScanning™ technology.”6
`
`11.
`
`Orca’s products, including the Orca Platform, and certain of Orca’s services,
`
`practice the ’031, ’032, ’685, ’809, ’926, and ’326 patents, among others. In accordance with
`
`35 U.S.C. § 287(a), Orca virtually marks its products and maintains a webpage identifying a listing
`
`of patents applicable to those products. See https://orca.security/virtual-patent-marking/.
`
`12.
`
`Now, Orca is threatened because the Defendant, Wiz, Inc., has taken Orca’s
`
`revolutionary inventions and created a copycat cloud security platform, improperly trading off of
`
`Orca’s inventions, including those claimed in the ’031, ’032, ’685, ’809, ’926, and ’326 patents,
`
`without authorization.
`
`WIZ AND ITS WIDESPREAD COPYING OF ORCA
`
`13. Wiz was founded in January 2020 by Assaf Rappaport, Ami Luttwak, Yinon
`
`Costica, and Roy Reznik, a team that previously led the Cloud Security Group at Microsoft, one
`
`of the top providers of cloud computing environments in the world.7 According to those founders,
`
`it was their time at Microsoft that provided them the “insight” that current cloud security tools
`
`
`6
`https://orca.security/resources/blog/orca-security-lands-6-5m-seed-round-to-deliver-it-
`security-teams-unprecedented-full-stack-cloud-visibility-securing-high-velocity-cloud-growth/
`(announcement dated June 12, 2019, “Patent-pending SideScanning™ technology deploys
`instantaneously without the impact and complexity of per-asset agents”); Exhibit 3 (Orca
`SideScanning Technical Brief (2020)) at 5 (“Orca Security uses our patent-pending
`SideScanning™ technology.”), 15 (“Delivered as SaaS, Orca Security’s patent-pending
`SideScanning™ technology reads your cloud configuration and workloads’ run-time block storage
`out-of-band. It detects vulnerabilities, malware, misconfigurations, lateral movement risk, weak
`and leaked passwords, and high-risk data such as PII.”).
`7
`https://www.darkreading.com/cloud/former-microsoft-cloud-security-leads-unveil-new-
`startup; https://www.forbes.com/sites/davidjeans/2020/12/09/wiz-sequoia-index-cybersecurity-
`100-million-former-microsoft-executives/?sh=4414df63254c (“At Microsoft, Rappaport says he
`became increasingly aware of a growing problem for large companies: managing cloud security
`threats was a fragmented process, with security teams becoming overwhelmed by alerts.”).
`
`5
`
`

`

`Case 1:23-cv-00758-GBW Document 15 Filed 10/10/23 Page 6 of 130 PageID #: 603
`
`
`
`were too complicated, fragmented, and generate too many alerts.8 Wiz was thus founded to “build
`
`a platform that lets teams scan their environments across compute types and cloud services for
`
`vulnerabilities and configuration, network, and identity issues without agents”; i.e., to do exactly
`
`what Orca had already been doing for over a year.9
`
`14.
`
`This was not a coincidence or a simultaneous stroke of genius. On the contrary,
`
`Wiz was birthed from the very beginning as a counterfeit copy of Orca’s ideas—Mr. Shua had
`
`presented Orca’s Platform to Wiz’s founders at Microsoft in May 2019, and the so-called “insight”
`
`of which Wiz boasts was nothing more than the misappropriation of Mr. Shua’s ideas and Orca’s
`
`technology as presented to Wiz’s founders before they formed Wiz and sought to launch a copycat
`
`competitor to Orca. It was at this 2019 meeting that Mr. Shua explained how cloud security would
`
`forever be changed by his novel agentless cloud security platform as implemented in Orca’s cloud-
`
`native security platform. Within months, the Wiz founders left their lucrative careers at Microsoft
`
`to start Wiz, build a clone of Orca’s technology, and compete directly with Orca.
`
`15.
`
`Because of the massive head start it received from Orca and Mr. Shua, it took Wiz
`
`just months from the time the company was founded before it had a fully functioning “cloud
`
`visibility solution for enterprises that provides a complete view of security risks across clouds,
`
`workloads and containers” that was “already used by Fortune 100 companies.”10 In August 2022,
`
`Wiz announced it had become the “fastest-growing software company ever” reaching “$100M
`
`
`https://www.darkreading.com/cloud/former-microsoft-cloud-security-leads-unveil-new-
`
`Id.
`https://www.securityweek.com/cloud-security-firm-wiz-emerges-stealth-100m-funding/
`
`8
`startup
`9
`10
`
`6
`
`

`

`Case 1:23-cv-00758-GBW Document 15 Filed 10/10/23 Page 7 of 130 PageID #: 604
`
`
`
`ARR [annual recurring revenue] in 18 months.”11 And just eight months later in February 2023,
`
`Wiz raised $300 million and achieved a company valuation of $10 billion.12
`
`16. Wiz’s wholesale copying of Orca’s technology has been observed by third party
`
`industry analysts. For example, SOURCEFORGE’s comparison of Orca and Wiz lists identical
`
`“Cloud Security Features” for each platform:
`
`https://sourceforge.net/software/compare/Orca-Security-vs-Wiz/.
`
`
`
`
`
`
`11
`https://www.wiz.io/blog/100m-arr-in-18-months-wiz-becomes-the-fastest-growing-
`software-company-ever
`12
`https://techcrunch.com/2023/02/27/cloud-security-startup-wiz-now-valued-at-10b-raises-
`300m/
`
`7
`
`

`

`Case 1:23-cv-00758-GBW Document 15 Filed 10/10/23 Page 8 of 130 PageID #: 605
`
`17.
`
`SOURCEFORGE also notes that Wiz has the same “Cybersecurity Features” as
`
`
`
`Orca:
`
`Id.
`
`18.
`
`SOURCEFORGE further shows that Wiz has the same “Vulnerability Management
`
`Features” as Orca:
`
`8
`
`

`

`Case 1:23-cv-00758-GBW Document 15 Filed 10/10/23 Page 9 of 130 PageID #: 606
`
`
`
`Id.
`
`
`
`
`
`19.
`
`Through all of its copying, Wiz has attributed none of its technology to Orca. In
`
`fact, Wiz has done the opposite. Wiz has claimed it was the “first cloud visibility solution”13 and
`
`the “first full stack multi-cloud security platform.”14 But even its “full stack” descriptor was copied
`
`from Orca. It was Orca that first announced its “Unprecedented Full Stack Cloud Visibility”
`
`platform in June 2019, months before Wiz was even founded.15 As another more recent example,
`
`
`13
`https://web.archive.org/web/20210128014251/https://wiz.io/
`14
`https://web.archive.org/web/20210422201202/https://www.wiz.io/product
`15
`https://orca.security/resources/blog/orca-security-lands-6-5m-seed-round-to-deliver-it-
`security-teams-unprecedented-full-stack-cloud-visibility-securing-high-velocity-cloud-growth/
`
`9
`
`

`

`Case 1:23-cv-00758-GBW Document 15 Filed 10/10/23 Page 10 of 130 PageID #: 607
`
`
`
`Wiz announced in June 2022 that it had a “new vision for cloud security” with the “introduction
`
`of attack path analysis.”16 But Wiz’s “attack path analysis” was not new, and it wasn’t Wiz’s
`
`vision. It was Mr. Shua’s from just two months earlier. On March 31, 2022, Mr. Shua blogged
`
`about Orca’s new “Cloud Attack Path Analysis” dashboard, which Wiz copied.17
`
`20. Wiz’s copying of Orca did not stop with the technology, but pervades Wiz’s
`
`business as a whole. For example, Orca realized early on that its cloud-native approach could be
`
`analogized to a medical MRI, providing a full model of the cloud environment without affecting
`
`it in any way. Early Orca marketing materials noted: “An apt analogy is to think of a medical
`
`MRI. Instead of probing inside the body with needles and scalpels, such imaging is an out-of-
`
`band method of obtaining a detailed picture of the organs and tissue within. The person is never
`
`physically touched.” Exhibit 3 (Orca SideScanning Technical Brief (2020)) at 5. Wiz copied this
`
`message: “Instead of using an intrusive agent, Wiz leverages cloud-native tools to perform scans
`
`without interrupting or impacting production workloads. Just like an MRI performs a 3D scan of
`
`the body without affecting the body itself, snapshot scanning achieves deep analysis of the
`
`workload without any impact or interruption to the live workload.” Exhibit 4 (Wiz “Agentless
`
`Scanning” (Jan. 19, 2022)). And Wiz knew, or should have known, that the technology Orca
`
`analogized to an “MRI” that Wiz copied would be protected by Orca’s patent portfolio. Exhibit 3
`
`(Orca SideScanning Technical Brief (2020)) at 5 (“Orca Security uses our patent-pending
`
`SideScanning™ technology . . . [a]n apt analogy is to think of a medical MRI.”).
`
`21.
`
`As another example, Orca promoted its technology as assuming the “heavy lifting”
`
`of contextualizing detected security threats and prioritizing those that matter most. Exhibit 3 at 15
`
`
`https://www.wiz.io/blog/uniting-builders-and-defenders-a-new-vision-for-cloud-security
`https://orca.security/resources/blog/cloud-attack-path-analysis/
`
`16
`17
`
`10
`
`

`

`Case 1:23-cv-00758-GBW Document 15 Filed 10/10/23 Page 11 of 130 PageID #: 608
`
`
`
`(“Context is critical; it’s the difference between effective security and dreaded analyst alert fatigue.
`
`Orca assumes responsibility for the heavy lifting associated with this additional context and
`
`assesses the real and effective risk. Orca’s mission is to provide the best contextualized security
`
`intelligence possible.”). Wiz copied this too beginning with its very first website in 2020: “We do
`
`the heavy lifting, you get total visibility.”18
`
`22. Wiz even copied the more mundane aspects of Orca’s marketing. For example, at
`
`a multi-day security conference in London, Orca decided that it would break away from typical
`
`technology booths and instead sponsor a coffee booth. Wiz attended the same conference. On the
`
`first day, Wiz sponsored a typical technology booth. The following day, Wiz showed up with its
`
`own coffee machine. Just like Orca.
`
`23. Wiz also has knowingly copied Orca’s patents, its prosecution strategy, and even
`
`its prosecuting attorney. Orca’s first patent applications were filed and prosecuted by a lawyer at
`
`a small boutique firm with less than 10 attorneys, with whom Mr. Shua worked directly and
`
`confidentially. That engagement was terminated in 2021 when Orca learned that Wiz had engaged
`
`the same lawyer to file patents for Wiz on overlapping technology. Wiz’s patent applications now
`
`include figures and descriptions that are nearly identical to those found in Orca’s ’031 and ’032
`
`patents:
`
`
`https://web.archive.org/web/20201209145922/http://www.wiz.io/.
`
`18
`
`11
`
`

`

`Case 1:23-cv-00758-GBW Document 15 Filed 10/10/23 Page 12 of 130 PageID #: 609
`
`
`
`
`
`Orca
`
`Wiz
`
`
`
`
`
`’032 patent at Fig 3, 8:7-23; ’031 patent at Fig. 3,
`
`
`
`9:15-31.
`
`Wiz’s U.S. Patent No. 11,374,982 at Fig. 6,
`
`20:61-21:12.
`
`24.
`
`Again, this was no coincidence. On information and belief, Wiz knew that the
`
`lawyer it hired had prosecuted Orca’s patent applications and hired him to assist Wiz in its attempts
`
`to pass off Orca’s technology and intellectual property.
`
`25.
`
`In furtherance of its scheme to copy Orca, Wiz also recruited Orca’s outside
`
`corporate counsel to work for Wiz. That lawyer attended Orca’s Board of Director meetings and,
`
`as a result, was exposed to Orca’s highly confidential technology and business plans. Orca
`
`replaced its outside corporate counsel in November 2020 after it learned that Wiz had engaged the
`
`12
`
`

`

`Case 1:23-cv-00758-GBW Document 15 Filed 10/10/23 Page 13 of 130 PageID #: 610
`
`
`
`very same lawyer as its own corporate counsel. On information and belief, Wiz knew that the
`
`lawyer it hired was Orca’s outside corporate counsel and Wiz hired him to assist Wiz in its attempts
`
`to copy Orca.
`
`26.
`
`Beyond the foregoing examples, on information and belief, Wiz has hired former
`
`Orca employees and worked with third parties to acquire Orca’s confidential information relating
`
`to current and future product plans, marketing, sales, prospective customers, and prospective
`
`employees, and has used that confidential information in furtherance of its collective pattern of
`
`efforts to copy and to compete unfairly with Orca.
`
`27.
`
`Certain examples provided above may be explainable as an individual occurrence.
`
`But viewed collectively, they demonstrate a pattern of copying that pervades Wiz’s business as a
`
`whole. This pattern leads to the further conclusion, on information and belief, that Wiz monitors
`
`virtually every aspect of Orca’s business, from the mundane aspects of how it presents itself at
`
`conferences, to its marketing, and Orca’s fundamental technology and patent portfolio. Wiz would
`
`have had reason to, and, on information and belief, does monitor Orca’s patent portfolio because
`
`Orca’s website and marketing materials—including those Wiz copies—explained the Orca
`
`Platform used “patent-pending” and “patented” technology. See Paragraphs 10-11, 20 above.19
`
`Wiz then copies, with intentional and/or reckless disregard for Orca’s rights, anything it deems
`
`would give it an unfair advantage.
`
`
`19
`See also, e.g., https://orca.security/platform/ (“The Orca Cloud-Native Application
`Protection Platform (CNAPP) is built on Orca’s patented SideScanning technology”);
`https://orca.security/platform/agentless-sidescanning/ (“Our patented SideScanning™ technology
`is at the heart of the Orca Platform . . .”); https://orca.security/platform/vulnerability-management/
`(“Orca’s patented SideScanning™ technology is a radical new approach that addresses the
`shortcomings of traditional vulnerability assessment and agent-based cloud security solutions.”).
`
`13
`
`

`

`Case 1:23-cv-00758-GBW Document 15 Filed 10/10/23 Page 14 of 130 PageID #: 611
`
`
`
`28. Wiz’s continuous pattern of copying indicates, on information and belief, that Wiz
`
`had knowledge of the ’031 patent, the ’032 patent, the ’685 patent, the ’809 patent, the ’926 patent,
`
`and the ’326 patent at or around the time that each patent issued, with knowledge or reckless
`
`disregard that its actions constituted infringement thereto.
`
`29.
`
`This action seeks to put an end to, and obtain relief for, this pattern of copying and
`
`Wiz’s willful infringement of the ’031 patent, the ’032 patent, the ’685 patent, the ’809 patent, the
`
`’926 patent, and the ’326 patent (collectively, the “Asserted Patents”).
`
`THE PARTIES
`
`30.
`
`Plaintiff Orca Security Ltd. is an Israeli company with a principal place of business
`
`at 3 Tushia St., Tel Aviv, Israel 6721803.
`
`31.
`
`On information and belief, Defendant Wiz, Inc. is a Delaware company with a
`
`principal place of business at One Manhattan West, 57th Floor, New York, New York.20
`
`JURISDICTION AND VENUE
`
`32.
`
`This action arises under the patent laws of the United States, 35 U.S.C. § 1 et seq.
`
`This Court has subject matter jurisdiction pursuant to 28 U.S.C. §§ 1331 and 1338(a).
`
`33.
`
`This Court has personal jurisdiction over Wiz because Wiz is subject to general and
`
`specific jurisdiction in the state of Delaware. Wiz is subject to personal jurisdiction at least
`
`because Wiz is a Delaware corporation and resides in this District. Wiz has made certain minimum
`
`contacts with Delaware such that the maintenance of this suit does not offend traditional notions
`
`of fair play and substantial justice.
`
`
`https://www.wiz.io/contact (Locations)
`
`20
`
`14
`
`

`

`Case 1:23-cv-00758-GBW Document 15 Filed 10/10/23 Page 15 of 130 PageID #: 612
`
`
`
`34.
`
`The exercise of personal jurisdiction comports with Wiz’s right to due process
`
`because, as described above, Wiz has purposefully availed itself of the privilege of Delaware
`
`corporate laws such that it should reasonably anticipate being haled into court here.
`
`35.
`
`Venue is proper in this district pursuant to 28 U.S.C. §§ 1391 and 1400(b) at least
`
`because Wiz is incorporated in the State of Delaware and is subject to personal jurisdiction in this
`
`District.
`
`36.
`
`37.
`
`COUNT I
`(INFRINGEMENT OF THE ’031 PATENT)
`
`Orca incorporates all other allegations in this Second Amended Complaint.
`
`The ’031 patent is entitled “Techniques for Securing Virtual Cloud Assets at Rest
`
`Against Cyber Threats” and was duly and legally issued on May 30, 2023. A true and correct copy
`
`of the ’031 patent is attached hereto as Exhibit 1.
`
`38.
`
`39.
`
`40.
`
`Orca is the owner of all rights, title, and interest in the ’031 patent.
`
`The ’031 patent is valid and enforceable.
`
`The inventions claimed in the ’031 patent improved on prior art cloud security
`
`systems and methods by, inter alia, taking at least one snapshot or requesting taking of at least one
`
`snapshot of a virtual machine at rest, and analyzing the at least one snapshot to detect
`
`vulnerabilities. See, e.g., ’031 patent at cls. 1-16. This snapshot-based analysis for inactive assets
`
`was not well understood, routine, or conventional. It is an inventive concept that allows virtual
`
`assets in a cloud computing platform to be analyzed and scanned for embedded vulnerabilities, at
`
`a time when the machine is inactive, because, among other things, the analysis does not require
`
`any interaction and/or information from a running virtual asset like agent-based solutions. By
`
`analyzing virtual cloud assets at rest, the ’031 patent provides greater context for detected
`
`vulnerabilities and more comprehensive security for a cloud computing platform, including
`
`15
`
`

`

`Case 1:23-cv-00758-GBW Document 15 Filed 10/10/23 Page 16 of 130 PageID #: 613
`
`
`
`protecting against assets that may have become unsafe after they were turned off due to newly
`
`disclosed vulnerabilities or infrastructure changes.
`
`(a)
`
`Direct Infringement of the ’031 Patent
`
`41. Wiz, without authorization, directly infringes one or more claims of the ’031 patent,
`
`literally and/or under the doctrine of equivalents. Wiz infringes under 35 U.S.C. § 271 including,
`
`without limitation, 35 U.S.C. § 271(a), by making, using, selling, offering to sell, and/or importing
`
`within the United States without authority, Wiz’s CSP and/or other similar products or services,
`
`which include (or are otherwise referred to) but are not limited to Wiz’s Cloud Native Application
`
`Protection Platform (“CNAPP”), Cloud Security Posture Management (“CSPM”), Cloud
`
`Infrastructure Entitlement Management (“CIEM”), Data Security Posture Management
`
`(“DSPM”), Infrastructure-as-code (“IaC”) scanning (https://www.wiz.io/solutions/iac), and Cloud
`
`Detection and Response (“CDR”) platforms and/or features. See https://www.wiz.io/ (listing
`
`CNAPP, CSPM, CIEM, DSPM, IaC scanning, and CDR as “Product[s]”); see also
`
`https://www.wiz.io/product (same). Wiz’s infringement includes infringement of, for example,
`
`claim 9 of the ’031 patent.
`
`42.
`
`Claim 9 of the ’031 patent recites:
`
`9.
`
`A computer-implemented method for inspecting data, the method
`
`comprising:
`
`establishing an interface between a client environment and security
`
`components;
`
`using the interface to utilize cloud computing platform APIs to identify
`
`virtual disks of a virtual machine in the client environment;
`
`using the computing platform APIs to query a location of at least one of the
`
`identified virtual disks;
`
`16
`
`

`

`Case 1:23-cv-00758-GBW Document 15 Filed 10/10/23 Page 17 of 130 PageID #: 614
`
`
`
`receiving an identification of the location of the virtual disks of the virtual
`
`machine;
`
`emulating the virtual disks for the virtual machine;
`
`performing at least one of: (i) taking at least one snapshot, and (ii)
`
`requesting taking at least one snapshot of the virtual machine at rest, wherein the at
`
`least one snapshot represents a copy of the virtual disks of the virtual machine at a
`
`point in time;
`
`analyzing the at least one snapshot to detect vulnerabilities, wherein during
`
`the detection of the vulnerabilities by analyzing the at least one snapshot, the virtual
`
`machine is inactive; and
`
`reporting the detected vulnerabilities as alerts.
`
`43.
`
`On information and belief, Wiz practices each and every limitation of claim 9 of
`
`the ’031 patent by and through the use of Wiz’s CSP and/or other similar products or services for
`
`Wiz’s clients or customers.
`
`44.
`
`The preamble of claim 9 recites “[a] computer-implemented method for inspecting
`
`data, the method comprising. . . .” To the extent the preamble is limiting, Wiz practices this step
`
`by, for example, using its computer-implemented CSP to inspect data in clients’ cloud computing
`
`environments, including inactive assets. See, e.g., https://www.wiz.io/solutions/cnapp (“Wiz
`
`leverages unique technology to scan PaaS resources, Virtual Machines, Containers, Serverless
`
`Functions, . . . to identify the risks in each layer”); https://www.wiz.io/blog/detect-and-prioritize-
`
`cisa-known-exploited-vulnerabilities-kev-with-wiz
`
`(“Detect and prioritize CISA Known
`
`Exploited Vulnerabilities in the cloud with Wiz”).
`
`17
`
`

`

`Case 1:23-cv-00758-GBW Document 15 Filed 10/10/23 Page 18 of 130 PageID #: 615
`
`
`
`45.
`
`Claim 9 further recites “establishing an interface between a client environment and
`
`security components . . . .” Wiz’s public presentations and technical documentation confirm that
`
`Wiz practices this step by, for example, using Wiz’s CSP to perform “[a]gentless scanning via
`
`API” provided by AWS, GCP, and Azure, among other cloud computing environments.
`
`
`
`See Exhibit 5 (AWS re:Invent – Context is Everything: Join the CNAPP Revolution to Secure
`
`Your AWS Deployments) at 13; Exhibit 6 (Wiz Cloud Security Platform Datasheet) (supported
`
`cloud computing platforms include AWS, Azure, and Google Cloud Platform (GCP)); Exhibit 11
`
`(“Wiz connects to your cloud environment via your cloud service provider’s APIs in order to
`
`extract
`
`metadata
`
`and
`
`perform
`
`snapshot
`
`scans.”);
`
`https://web.archive.org/web/20230609070637/https:/support.wiz.io/hc/en-
`
`us/articles/5449816387100-AWS-Connector-Basics
`
`(same);
`
`Exhibit
`
`12
`
`(same);
`
`https://www.wiz.io/solutions/vulnerability-management (“Using a one-time cloud native API
`
`deployment, continuously assess workloads without deploying agents”).
`
`18
`
`

`

`Case 1:23-cv-00758-GBW Document 15 Filed 10/10/23 Page 19 of 130 PageID #: 616
`
`
`
`46.
`
`Claim 9 further recites “using the interface to utilize cloud computing platform
`
`APIs to identify virtual disks of a virtual machine in the client environment . . . .” Wiz practices
`
`this step by, for example, using Wiz’s CSP to provide “[f]ull visibility” of virtual cloud assets in
`
`a client environment using an API provided by AWS, GCP, and Azure, among other cloud
`
`computing environments.
`
`
`
`See Exhibit 5 at 13; Exhibit 6 (supported cloud computing platforms include AWS, Azure, and
`
`Google Cloud Platform (GCP)). Through the API, Wiz creates a graph of a client environment
`
`“with full context on the resource[s],” which includes identifying virtual disks of virtual machines.
`
`See
`
`https://www.wiz.io/blog/uniting-builders-and-defenders-a-new-vision-for-cloud-security;
`
`Exhibit 6 at 3 (“Wiz uses the full context of your cloud and combines this information into a single
`
`graph in order to correlate related issues”), 4 (Wiz “takes a snapshot of each VM system volume
`
`and analyzes its operating system, application layer, and data layer statically with no performance
`
`impact.”).
`
`19
`
`

`

`Case 1:23-cv-00758-GBW Document 15 Filed 10/10/23 Page 20 of 130 PageID #: 617
`
`
`
`47.
`
`Claim 9 further recites “using the computing platform APIs to query a location of
`
`at least one of the identified virtual disks . . . .” Wiz performs this step by, for example, using
`
`computing platform APIs to perform a query to locate virtual disks and other resources. See
`
`Exhibit 5 at 13 (“Agentless scanning via API”); https://www.wiz.io/blog/detect-and-prioritize-
`
`cisa-known-exploited-vulnerabilities-kev-with-wiz (“You can query and locate all the VMs,
`
`containers, and serverless functions in your cloud environment that are vulnerable to a specific
`
`CVE in the catalog with a simple query shortcut.”); https://www.wiz.io/solutions/cnapp (“Scan
`
`buckets, data volumes, and databases and quickly classify the data to track wh[ere] data is
`
`located.”); Exhibit 13 (“[C]heck out our guide for optimizing your Security Graph queries.”).
`
`48.
`
`Claim 9 further recites “receiving an identification of the location of the virtual
`
`disks of the virtual machine . . . .” Wiz practices this step by, for example, identifying virtual disks
`
`and other resources it locates when it performs a query. See h