DETAILED ACTION
This office action is in response to the application filed on 11/8/2021.  Claim(s) 1-20 is/are pending and are examined.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Priority/Benefit
Applicant’s benefit claim is hereby acknowledged as a continuation of application 16/404,860 filed 05/07/2019 now US Patent 11,201,896, which papers have been placed of record in the file.

Information Disclosure Statement PTO-1449
The Information Disclosure Statement(s) submitted by applicant on 3/1/2022 has/have been considered. The submission is in compliance with the provisions of 37 CFR § 1.97. Form PTO-1449 signed and attached hereto. 
Examiner’s Note – Allowable Subject Matter
Claims 11-20 overcome the prior art, and would otherwise be allowable if made to overcome the non-statutory double patenting rejection below.
Examiner’s Note – Claim Scope in reference to MPEP 2111.04 Section II
Method claim 1 is directed to language that has been considered a contingent limitation.  MPEP 2111.04 Section II states “When analyzing the claimed method as a whole, the PTAB determined that giving the claim its broadest reasonable interpretation, ‘[i]f the condition for performing a contingent step is not satisfied, the performance recited by the step need not be carried out in order for the claimed method to be performed’”.
	Accordingly, the broadest reasonable interpretation of claim 1 is:
	“A computer-implemented method, comprising: transmitting an attack payload to a target computing system, wherein the attack payload includes executable code configured to: execute one or more exploit features on the target computing system to test for a vulnerability on the target computing system, the execution limited by an execution scope”.
	The broadest reasonable interpretation of claim 2 is:
	“The computer-implemented method of claim 1, wherein the attack payload is generated at a vulnerability validation server” as the receiving portion of the claim relies upon conditional limitations.
	The broadest reasonable interpretation of claim 9 is the same as claim 2 above as it relies on conditional limitations.
	Examiner recommends replacing “if the vulnerability is validated based on the execution” with “in response to validating the vulnerability based on the execution”.  This clarification would cause the claim to overcome the prior art as the similar other independent claims do as discussed above.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees.  A nonstatutory double patenting rejection is appropriate where the claims at issue are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s).  See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).  
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the reference application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).  
The USPTO internet Web site contains terminal disclaimer forms which may be used.  Please visit http://www.uspto.gov/forms/.  The filing date of the application will determine what form should be used.  A web-based eTerminal Disclaimer may be filled out completely online using web-screens.  An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission.  For more information about eTerminal Disclaimers, refer to:  
http://www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.  

Claim(s) 1-20 is/are rejected on the grounds of nonstatutory double patenting as being unpatentable over claims 1-5, 7, 11, and 14 of U.S. Patent No. 11,201,896.  Although the claims at issue are not identical in form, they are not patentably distinct from each other.
	In particular, instant claim 1 is anticipated by patented claims 1 and 5.  Instant claim 2 is anticipated by patented claims 2 and 3.  Instant claim 10 is anticipated by patented claims 1, 4 and 7.  Instant claim 11 is anticipated by patented claims 14 and 5.  Instant claim 18 is anticipated by patented claims 14, 4, and 7.  Instant claim 19 is anticipated by patented claims 11 and 5.
	Instant claims 3-4, 12-13 and 20 are substantially similar to patented claims 1, 14, and 11, respectively.  The patented claims do not, but in related art, Beskrovny et al. (US 2014/0082735 A1), Fig. 3, step 330, ¶ 44-46, teaches that the payload is built based upon the external probing of the target and its potential vulnerabilities.
	Before applicant’s earliest effective filing it would have been obvious to one of ordinary skill in the art, having the teachings of Beskrovny and the patented claims, to modify the payload delivery penetration testing system of the patented claims to include the selecting the vulnerability to test from a plurality of vulnerabilities as taught by Beskrovny.  The motivation to do so constitutes applying a known technique to known devices and/or methods ready for improvement to yield predictable results.
	Instant claims 5 and 14 are substantially similar to patented claims 1 and 14, respectively.  The patented claims do not, but in related art, Agarwal et al. (US 2020/0242717 A1), ¶ 55 teaches using a hashing function to create a UUID.  Agarwal, ¶ 85 teaches using SHA-2 which has collision avoidance properties.  Agarwal, ¶ 79 teaches reversing the hash to look up the information behind the UUID.
	Before applicant’s earliest effective filing it would have been obvious to one of ordinary skill in the art, having the teachings of the patented claims and Agarwal, to modify the payload delivery penetration testing system of the patented claims to include the use of hashing to create a UUID for a payload as taught by Agarwal.  The motivation to do so constitutes applying a known technique to known devices and/or methods ready for improvement to yield predictable results.
	Instant claims 6 and 15 are substantially similar to patented claims 1 and 14, respectively.  The patented claims do not, but in related art, Parsons et al. (US 2020/0175172 A1) ¶ 58 teaches storing hash values which are identifiers of vulnerabilities in a vulnerability table.
	Before applicant’s earliest effective filing it would have been obvious to one of ordinary skill in the art, having the teachings of the patented claims and Parsons, to modify the payload delivery penetration testing system of the patented claims to include the use of a table as taught in Parsons.  The motivation to do so constitutes applying a known technique to known devices and/or methods ready for improvement to yield predictable results.
	Instant claims 7-8 and 16 are substantially similar to patented claims 1 and 14, respectively.  The patented claims do not, but in related art, Larson et al. (US 2016/0294793 A1) ¶ 15 teaches sending the payload to the recipient computing device using the UDP protocol.
	Before applicant’s earliest effective filing it would have been obvious to one of ordinary skill in the art, having the teachings of the patented claims and Larson, to modify the payload delivery penetration testing system of the patented claims to include the use of UDP messaging for payload delivery as taught in Larson.  The motivation to do so constitutes applying a known technique to known devices and/or methods ready for improvement to yield predictable results.
	Instant claims 9 and 17 are substantially similar to patented claims 1 and 14, respectively.  The patented claims do not, but in related art, Guarnieri et al. (US 2014/0082734 A1) ¶ 20, and 23-25 teaches sending back a secure validation of the server side vulnerabilities that are discovered as part of a penetration test process.
	Before applicant’s earliest effective filing it would have been obvious to one of ordinary skill in the art, having the teachings of the patented claims and Guarnieri, to modify the payload delivery penetration testing system of the patented claims to include the use of a secure validation operation as taught by Guarnieri.  The motivation to do so constitutes applying a known technique to known devices and/or methods ready for improvement to yield predictable results.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

(a)(2) the claimed invention was described in a patent issued under section 151 , or in an application for patent published or deemed published under section 122(b) , in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claim(s) 1-3, and 9, is/are rejected under AIA  35 U.S.C. 102(a)(1) as being anticipated by Beskrovny et al. (US 2014/0082735 A1). 
Regarding claim 1, Beskrovny teaches:
“A computer-implemented method (Beskrovny, ¶ 5-6 and 10-11 teach a processor, memory, and computer readable medium for storing and executing instructions to perform the method), comprising:
	transmitting an attack payload to a target computing system (Beskrovny, Fig. 3, step 350, ¶ 54, the attack is initiated on the web based system),
	wherein the attack payload includes executable code (Beskrovny, Fig. 3, step 335, ¶ 47-52, the vulnerabilities for the target leads to the selection of specific type of payload such as cross site scripting or code injection) configured to:
	execute one or more exploit features on the target computing system to test for a vulnerability on the target computing system (Beskrovny, Fig. 3, step 355, ¶ 54-55, the modified code sends a response back to the testing system to validate that the exploit worked), the execution limited by an execution scope (Beskrovny, Fig. 3, step 335, ¶ 47-52, the vulnerabilities for the target leads to the selection of specific type of payload such as cross site scripting or code injection)”.
Regarding claims 2 and 9, Beskrovny teaches:
“The computer-implemented method of claim 1 (Beskrovny teaches the limitations of the parent claim as discussed above), wherein the attack payload is generated at a vulnerability validation server (Beskrovny, Fig. 3, step 330, ¶ 29-31 and 44-46, testing system 105 builds the payload and is serving the application to determine vulnerabilities of target systems)”.
Regarding claim 3, Beskrovny teaches:
“The computer-implemented method of claim 2 (Beskrovny teaches the limitations of the parent claim as discussed above), further comprising the vulnerability validation server:
	selecting the vulnerability to test from a plurality of vulnerabilities (Beskrovny, Fig. 3, step 330, ¶ 44-46, the payload is built based upon the external probing of the target and its potential vulnerabilities);
	determining the execution scope and the one or more exploit features based on the vulnerability (Beskrovny, Fig. 3, step 330, ¶ 44-46, the payload is built based upon the external probing of the target and its potential vulnerabilities); and
	generating the executable code for the one or more exploit features and based on the execution scope (Beskrovny, Fig. 3, step 335, ¶ 47-52, the vulnerabilities for the target leads to the selection of specific type of payload such as cross site scripting or code injection)”.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 4 is/are rejected under 35 U.S.C. 103 as being unpatentable over Beskrovny in view of Chen et al. (US 2011/0030057 A1). 
Regarding claim 4, Beskrovny teaches:
“The computer-implemented method of claim 3 (Beskrovny teaches the limitations of the parent claim as discussed above), further comprising the vulnerability validation server:
	generating the ID and including the ID in the attack payload (Beskrovny, ¶ 48-50 teaches developing a payload from vulnerability which has a unique string of bits in a portion of the payload to act as a signature of the payload)”.
Beskrovny does not, but in related art Chen, teaches:
“universally unique identifier (UUID) (Chen, ¶ 84 teaches a vulnerability with a universally unique identifier)”.
	Before applicant’s earliest effective filing it would have been obvious to one of ordinary skill in the art, having the teachings of Beskrovny and Chen, to modify the payload delivery penetration testing system of Beskrovny to include the use of a UUID for a payload based on a vulnerability as taught by Chen.  The motivation to do so constitutes applying a known technique (i.e., payload delivery penetration testing system) to known devices and/or methods (i.e., UUID for a payload based on a vulnerability) ready for improvement to yield predictable results.

Claim(s) 5 is/are rejected under 35 U.S.C. 103 as being unpatentable over Beskrovny in view of Agarwal et al. (US 2020/0242717 A1). 
Regarding claim 5, Beskrovny teaches:
“The computer-implemented method of claim 3, further comprising the vulnerability validation server (Beskrovny teaches the limitations of the parent claim as discussed above)”.
Beskrovny does not, but in related art Agarwal, teaches:
“generating a hashed value as the UUID (Agarwal, ¶ 55 teaches using a hashing function to create a UUID), wherein the value hashed is selected to not collide with other UUIDs generated for other attack payloads (Agarwal, ¶ 85 teaches using SHA-2 which has collision avoidance properties); and
	reversing the hashed value after the UUID is received from the target computing system (Agarwal, ¶ 79 teaches reversing the hash to look up the information behind the UUID)”.
	Before applicant’s earliest effective filing it would have been obvious to one of ordinary skill in the art, having the teachings of Beskrovny and Agarwal, to modify the payload delivery penetration testing system of Beskrovny to include the use of hashing to create a UUID for a payload as taught by Agarwal.  The motivation to do so constitutes applying a known technique to known devices and/or methods ready for improvement to yield predictable results.
 
Claim(s) 6 is/are rejected under 35 U.S.C. 103 as being unpatentable over Beskrovny in view of Chen in view of Parsons et al. (US 2020/0175172 A1).
Regarding claim 6, Beskrovny teaches:
“The computer-implemented method of claim 2, further comprising the vulnerability validation server (Beskrovny teaches the limitations of the parent claim as discussed above):
	generating IDs for a plurality of attack payloads to be transmitted to a plurality of target computers (Beskrovny, ¶ 48-50 teaches developing payloads from vulnerability which has a unique string of bits in a portion of the payloads to act as a signature of the payloads)”.
Beskrovny does not, but in related art Chen, teaches:
“universally unique identifier (UUID) (Chen, ¶ 84 teaches a vulnerability with a universally unique identifier)”.
	Before applicant’s earliest effective filing it would have been obvious to one of ordinary skill in the art, having the teachings of Beskrovny and Chen, to modify the payload delivery penetration testing system of Beskrovny to include the use of a UUID for a payload based on a vulnerability as taught by Chen.  The motivation to do so constitutes applying a known technique (i.e., payload delivery penetration testing system) to known devices and/or methods (i.e., UUID for a payload based on a vulnerability) ready for improvement to yield predictable results.
Beskrovny in view of Chen does not, but in related art, Parsons teaches:
“maintaining the UUIDs in a vulnerability validation table (Parsons, ¶ 58 teaches storing hash values which are identifiers of vulnerabilities in a vulnerability table)”.
	Before applicant’s earliest effective filing it would have been obvious to one of ordinary skill in the art, having the teachings of Beskrovny, Parsons, and Chen, to modify the payload delivery penetration testing system of Beskrovny and Chen to include the use of a table as taught in Parsons.  The motivation to do so constitutes applying a known technique to known devices and/or methods ready for improvement to yield predictable results.

Claim(s) 7-8 is/are rejected under 35 U.S.C. 103 as being unpatentable over Beskrovny in view of Larson et al. (US 2016/0294793 A1).
Regarding claim 7, Beskrovny teaches:
“The computer-implemented method of claim 2, further comprising the vulnerability validation server (Beskrovny teaches the limitations of the parent claim as discussed above)”.
Beskrovny does not, but in related art Larson, teaches:
“transmitting the UUID to the target computing system without using a socket connection to the target computing system (Larson, ¶ 15 teaches sending the payload to the recipient computing device using the UDP protocol)”.
	Before applicant’s earliest effective filing it would have been obvious to one of ordinary skill in the art, having the teachings of Beskrovny and Larson, to modify the payload delivery penetration testing system of Beskrovny to include the use of UDP messaging for payload delivery as taught in Larson.  The motivation to do so constitutes applying a known technique to known devices and/or methods ready for improvement to yield predictable results.

Regarding claim 8, Beskrovny in view of Larson teaches:
“The computer-implemented method of claim 7 (Beskrovny in view of Larson teaches the limitations of the parent claim as discussed above), wherein the UUID is transmitted to the target computing system via a User Datagram Protocol (UDP) (Larson, ¶ 15 teaches sending the payload to the recipient computing device using the UDP protocol)”.

Claim(s) 10 is/are rejected under 35 U.S.C. 103 as being unpatentable over Beskrovny in view of Larson in view of Jalio et al. (US 2019/0327263 A1).
Regarding claim 10, Beskrovny in view of Larson teaches:
“The computer-implemented method of claim 7 (Beskrovny in view of Larson teaches the limitations of the parent claim as discussed above), wherein the executable code is configured to: 
examine the target computing system to determine whether discovery of the exploit features is likely (Beskrovny, Fig. 3, step 330, ¶ 44-46, the payload is built based upon the external probing of the target and its potential vulnerabilities. Beskrovny, Fig. 3, step 355, ¶ 54-55, the modified code sends a response back to the testing system to validate that the exploit worked)”.
Beskrovny in view of Larson does not, but in related art, Jalio teaches:
“cease execution in response to a determination that discovery of the one or more exploit features is likely (Jalio, ¶ 5 teaches malware shutting down when detecting a sandbox environment)”.
	Before applicant’s earliest effective filing it would have been obvious to one of ordinary skill in the art, having the teachings of Beskrovny, Jalio, and Larson, to modify the payload delivery penetration testing system of Beskrovny and Larson to include the use of a method to stop the code execution when detecting that the code will be detected.  The motivation to do so constitutes applying a known technique to known devices and/or methods ready for improvement to yield predictable results.

Conclusion
	In the case of amending the claimed invention, Applicant is respectfully requested to indicate the portion(s) of the specification which dictate(s) the structure relied on for proper interpretation and also to verify and ascertain the metes and bounds of the claimed invention.
	The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure: See PTO-892.
	Any inquiry concerning this communication or earlier communications from the examiner should be directed to STEPHEN GUNDRY whose telephone number is (571)270-0507 and can normally be reached on Monday - Friday 8:30 AM - 5PM EST.
	If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on (571) 272-3685.  The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.
	Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at (866) 217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call (800) 786-9199 (IN USA OR CANADA) or (571) 272-1000.
/STEPHEN T GUNDRY/Examiner, Art Unit 2435