DETAILED ACTION
This office action is in response to the application filed on 1/20/2022.  Claim(s) 1-20 is/are pending and are examined.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Priority/Benefit
Applicant’s benefit claim is hereby acknowledged as a continuation of application 16/403,818 filed 05/06/2019 now US Patent 11,252,172 which has provisional application 62/669,770 filed 05/10/2018, which papers have been placed of record in the file.

Information Disclosure Statement PTO-1449
The Information Disclosure Statement(s) submitted by applicant on 1/20/2022 has/have been considered. The submission is in compliance with the provisions of 37 CFR § 1.97. Form PTO-1449 signed and attached hereto. 

Examiner’s Note – Multiple Unannotated Claim Sets
Examiner notes that the applicant has presented two claim sets filed on 1/20/2022.  While neither is annotated, one set appears to be the original claim set filed in the parent application and the other is a slightly broadened version of the allowed claims in the parent application.  For purposes of compact prosecution, the examiner chooses the more likely claim set which is near to the previously allowed claims.  If this choice is in error, the examiner welcomes the applicant to correct the examiner.  
Examiner’s Note – Allowable Subject Matter
Claim 2 overcomes the prior art as encompassed in the reasons for allowance in the parent case.  The claim would otherwise be allowable if made to overcome the rejections below as well as being incorporated into the independent claim.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees.  A nonstatutory double patenting rejection is appropriate where the claims at issue are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s).  See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).  
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the reference application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).  
The USPTO internet Web site contains terminal disclaimer forms which may be used.  Please visit http://www.uspto.gov/forms/.  The filing date of the application will determine what form should be used.  A web-based eTerminal Disclaimer may be filled out completely online using web-screens.  An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission.  For more information about eTerminal Disclaimers, refer to:  
http://www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.  

Claim(s) 1-20 is/are rejected on the grounds of nonstatutory double patenting as being unpatentable over claims 1-20 of US Patent 11,252,172.  Although the claims at issue are not identical in form, they are not patentably distinct from each other.  Instant claims 1 and 2 are anticipated by patented claim 1.  Instant claims 3-16 are anticipated by patented claims 2-15, respectively.  Instant claims 17-20 are anticipated by patented claims 17-20, respectively.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1, 3-4, 13, and 19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Picard (US 2021/0029154 A1) in view of Chen et al. (US 2011/0030057 A1). 
Regarding claims 1, 13, and 19, Picard teaches:
“A penetration testing ("PT") computer system for analyzing other computer systems and networks for potential vulnerabilities to cyber-attacks, the PT computer system including at least one processor (Picard, ¶ 10 and 73 teaches implementation of the method steps with a plurality of processors) in communication with at least one memory device (Picard, ¶ 9-10, and 73 teaches implementation with a central data storage interacting with the processors.  Further, Picard, ¶ 74 teaches implementation with a computer readable medium), the at least one processor programmed to (Picard ¶ 10 and 73 teach the processors executing instructions to perform the penetration testing system):
receive scan data from a scan of a target computer device (Picard, Fig. 4, depicts the steps ‘Find Targets’, ‘Protocol Scanning’, and ‘Port Scanning’.  In reference to Fig. 4, Picard, ¶ 58-60 further describes the scanning process for a target system.  Picard, ¶ 34 Ln. 1-2 discloses that the reference uses the phrases ‘target system’ and ‘target computer system’ interchangeably);
determine a plurality of attack vectors based on the scan data (Picard, Fig. 4 step ‘Vulnerability Testing’ and associated text on ¶ 60 Ln. 8 - ¶ 61 Ln. 21 discloses the process of matching potential attacks, e.g., password guessing vulnerability matched with email harvester attack.  Picard, ¶ 31 Ln. 1-2 specifically refers to this as an attack vector.  Picard, ¶ 32 states that this process is repeated for each vulnerability, therefore creating a plurality of attack vectors);
generate a first exploit based on the plurality of attack vectors and the potential exploit (Picard, Fig. 4 step ‘Exploit Attempts’ and associated text on ¶ 60 Ln. 8 - ¶ 62 discloses the iterative process of generating more and more pervasive attacks as new information is gained about the target system from a current iteration of attack.  One of ordinary skill would recognize that if the system taught by Picard is able to build an exploit ‘whole cloth’ from basic information components, it could certainly perform the simpler task of using prebuilt exploits to attack a target), wherein the first exploit is tailored to attack the target computer device based on plurality of vulnerabilities and the plurality of attack vectors (Picard, ¶ 58, and 60-62, the specific sets of detected vulnerabilities are combined to make a unique attack path for the given target based on its weaknesses and not a generalized attack vector for all machines of similar setup); and
execute the first exploit on the target computer device (Picard, Fig. 4 step ‘Exploit Attempts’ and associated text on ¶ 60 Ln. 8 - ¶ 62 discloses the iterative process of generating and executing more and more pervasive attacks as new information is gained about the target system from a current iteration of attack)”.
Picard does not, but in related art, Chen teaches:
“scan one or more exploit websites to detect a potential exploit based on the one or more of the plurality of attack vectors (Chen, ¶ 162 teaches using a vulnerability identity to go to hacker websites and lookup exploit samples)”.
Before applicant’s earliest effective filing it would have been obvious to one of ordinary skill in the art, having the teachings of Picard and Chen, to modify the penetration testing and remediation reporting system of Picard to include the process to lookup existing exploits for vulnerabilities of the systems being tested as taught in Chen.  The motivation to do so constitutes applying a known technique (i.e., accessing a database that stores the information about known vulnerabilities to services) to known devices and/or methods (i.e., process to lookup existing exploits for vulnerabilities of the systems being tested) ready for improvement to yield predictable results.  Further, the reason that would have prompted a person of ordinary skill in the relevant field to combine the elements would be to access existing knowledge bases for vulnerability information instead of relying solely on locally known vulnerability information.

Regarding claim 3, Picard in view of Chen teaches:
“The PT computer system in accordance with claim 1 (Picard in view of Chen teaches the limitations of the parent claims as discussed above), wherein the at least one processor is further programmed to:
receive results from the execution of the first exploit on the target computer device (Picard, Fig. 4 depicts ‘Vulnerability Reporting’, and Picard ¶ 41 Ln. 1-12 further describes the process of collecting the results of the exploit attacks); and
generate a report based on the results and the plurality of attack vectors (Picard, Fig. 4 depicts ‘Vulnerability Reporting’, and Picard ¶ 41 Ln. 10 - ¶ 42 Ln. 12 teaches generating a report for the client based on the results of the exploit attacks and their corresponding vulnerabilities)”.

Regarding claim 4, Picard in view of Chen teaches:
“The PT computer system in accordance with claim 3 (Picard in view of Chen teaches the limitations of the parent claims as discussed above), wherein the at least one processor is further programmed to:
determine at least one fix based on the results and the plurality of attack vectors (Picard, Fig. 4 depicts ‘Vulnerability Reporting’, and Picard ¶ 41 Ln. 10 - ¶ 42 Ln. 12 teaches creating a remediation plan based on vulnerabilities detected in the target system); and
generate the report based on the results, the plurality of attack vectors, and the at least one fix (Picard, Fig. 4 depicts ‘Vulnerability Reporting’, and Picard ¶ 41 Ln. 10 - ¶ 42 Ln. 12 teaches generating a report which includes the results of the exploit attacks, the discovered vulnerabilities and a remediation plan based on vulnerabilities detected in the target system)”.

Claim(s) 5 is/are rejected under 35 U.S.C. 103 as being unpatentable over Picard in view of Chen in view of Hamdi (US 2018/0124072 A1).
Regarding claim 5, Picard in view of Chen teaches:
“The PT computer system in accordance with claim 4, (Picard in view of Chen teaches the limitations of claim 4 as discussed above)”
Picard in view of Chen does not, but in related art, Hamdi teaches:
“wherein the at least one processor is further programmed to schedule a repair of the target computer device based on the at least one fix (Hamdi, ¶ 170 teaches scheduling the patching of a computer system based on the detected vulnerability and the corresponding patch to close the detected vulnerability)”.
Before applicant’s earliest effective filing it would have been obvious to one of ordinary skill in the art, having the teachings of Picard, Chen, and Hamdi, to modify the penetration testing and remediation reporting system of Picard and Chen to include the scheduled application of the remediation as taught in Hamdi.  The motivation to do so, as stated by Hamdi ¶ 170, would be to close detected security loopholes in a prioritized order which addresses the largest and most severe security loopholes first, thus improving the security stance of the system.

Claim(s) 6-9 and 14-16 is/are rejected under 35 U.S.C. 103 as being unpatentable over Picard in view of Chen in view of Lee et al. (US 2011/0093954 A1).
Regarding claims 6 and 14, Picard in view of Chen teaches:
“The PT computer system in accordance with claim 1 (Picard in view of Chen teaches the limitations of the parent claims as discussed above), wherein the at least one processor is further programmed to:
analyze the scan data to determine one or more services executing on the target computer device (Picard, Fig. 4, depicts the steps ‘Find Targets’, ‘Protocol Scanning’, and ‘Port Scanning’.  In reference to Fig. 4, Picard, ¶ 58, ¶ 60 Ln. 1-8, ¶ 61 Ln. 1-3 describes determining the services that are running based on the open listening ports)”.
Picard in view of Chen does not, but in related art, Lee teaches:
“search a local database for the plurality of attack vectors based on the one or more services (Lee, Figs. 1, 2A and ¶ 22-23, disclose that based on the version information of the probed services the profile database is searched for vulnerabilities of the given service)”.
Before applicant’s earliest effective filing it would have been obvious to one of ordinary skill in the art, having the teachings of Picard, Chen, and Lee, to modify the penetration testing and remediation reporting system of Picard and Chen, to include the implementation of a database to store the information about known vulnerabilities to services as taught in Lee.  The motivation to do so constitutes applying a known technique (i.e., accessing a database that stores the information about known vulnerabilities to services) to known devices and/or methods (i.e., penetration testing and remediation reporting system) ready for improvement to yield predictable results.  Further, the reason that would have prompted a person of ordinary skill in the relevant field to combine the elements would be to provide basic data storage functionality to the combination.

Regarding claims 7 and 15, Picard in view of Chen in view of Lee teaches:
“The PT computer system in accordance with claim 6 (Picard in view of Chen in view of Lee teaches the limitations of the parent claims as discussed above), wherein the at least one processor is further programmed to search a plurality of websites for the plurality of attack vectors based on the one or more services (Picard, ¶ 48 Ln. 13-20, discloses that in the case where the service being probed is a login portal, online databases of hacked services are checked for username and password information related to the target.  Picard, ¶ 47 Ln. 1 - ¶ 48 Ln. 13 outlines the login portal vulnerability)”.

Regarding claims 8 and 16, Picard in view of Chen in view of Lee teaches:
“The PT computer system in accordance with claim 7 (Picard in view of Chen in view of Lee teaches the limitations of the parent claims as discussed above), wherein the at least one processor is further programmed to search a plurality of blog posts and bulletin board posts for the plurality of attack vectors (Picard, ¶ 48 Ln. 12-13, discloses that in the case where the service being probed is a login portal, forum posts and blog posts are checked for potential usernames in the form of email addresses related to the target.  Picard, ¶ 47 Ln. 1 - ¶ 48 Ln. 13 outlines the login portal vulnerability)”.

Regarding claim 9, Picard in view of Chen in view of Lee teaches:
“The PT computer system in accordance with claim 8 (Picard in view of Chen in view of Lee teaches the limitations of the parent claims as discussed above), wherein the at least one processor is further programmed to generate the first exploit based on the search of at least one of the local database (Picard, Fig. 4 step ‘Exploit Attempts’ and associated text on ¶ 60 Ln. 8 - ¶ 62 discloses the iterative process of generating attacks based on the detected vulnerable services using the locally stored information.  Lee, Figs. 1, 2A and ¶ 22-23, based on the version information of the probed services the profile database is searched for vulnerabilities of the given service)”.

Claim(s) 10 and 17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Picard in view of Chen in view of Lee in view of Hamdi.
Regarding claims 10 and 17, Picard in view of Chen in view of Lee teaches:
“The PT computer system in accordance with claim 9 (Picard in view of Chen in view of Lee teaches the limitations of the parent claims as discussed above)”. 
Picard in view of Chen in view of Lee does not, but in related art, Hamdi teaches:
“wherein the at least one processor is further programmed to: update the local database with the plurality of attack vectors (Hamdi, ¶ 74 data collection engine gathers information from vendor databases to be stored on the computer environment monitoring and management system database discussed further in Hamdi ¶ 66) found on the plurality of websites (Hamdi, ¶ 72 discloses that the vendor databases include websites including common vulnerability and exposure information); and
update the local database (Hamdi, ¶ 74 data collection engine gathers information from vendor databases to be stored on the computer environment monitoring and management system database discussed further in Hamdi ¶ 66) with the first exploit based on at least one of the blog posts and the bulletin board posts (Hamdi, ¶ 72 discloses that the vendor databases include blog posts including common vulnerability and exposure information directly leading to the attack vectors)”.
Before applicant’s earliest effective filing it would have been obvious to one of ordinary skill in the art, having the teachings of Picard, Chen, Lee, and Hamdi, to modify the penetration testing and remediation reporting system of Picard, Chen, and Lee to include the implementation of a database to store and update the information about known vulnerabilities and exploits with information available on external databases as taught in Hamdi.  The motivation to do so constitutes applying a known technique (i.e., implementation of a database to store and update the information about known vulnerabilities and exploits with information available on external databases) to known devices and/or methods (i.e., penetration testing and remediation reporting system) ready for improvement to yield predictable results.  Further, the reason that would have prompted a person of ordinary skill in the relevant field to combine the elements would be to access existing knowledge bases for vulnerability information instead of relying solely on locally known vulnerability information.


Claim(s) 11 is/are rejected under 35 U.S.C. 103 as being unpatentable over Picard in view of Chen in view of Barnes (US 2019/0007447 A1).
Regarding claim 11, Picard in view of Chen teaches:
“The PT computer system in accordance with claim 1 (Picard in view of Chen teaches the limitations of claim 1 as discussed above)”.
Picard in view of Chen does not, but in related art Barnes teaches:
“wherein the at least one processor is further programmed to scan the target computer device on a periodic basis (Barnes, ¶ 23, and 31 teaches performing penetration tests on target computers on a periodic basis to determine their vulnerabilities)”.
	Before applicant’s earliest effective filing it would have been obvious to one of ordinary skill in the art, having the teachings of Picard, Chen, and Barnes, to modify the penetration testing and remediation reporting system of Picard and Chen to include the periodic penetration testing of target systems as taught in Barnes.  The motivation to do so, as stated by Gaul (US 2001/0034847 A1) ¶ 8 is that penetration tests should be performed weekly or whenever a configuration change occurs to ensure that new weak spots in the security stance of the system have not developed since the last test. 

Claim(s) 12, 18, and 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Picard in view of Chen in view of Gorodissky et al. (US 2019/0149572 A1).
Regarding claims 12, 18, and 20, Picard in view of Chen teaches:
“The PT computer system in accordance with claim 1 (Picard in view of Chen teaches the limitations of the parent claims as discussed above)”.
Picard in view of Chen does not, but in related art, Gorodissky teaches:
“wherein the at least one processor is further programmed to:
receive a plurality of scan data from scans of a plurality of target computer devices (Gorodissky, ¶ 18 Ln. 1-2, and ¶ 24 Ln. 5-16 disclose a penetration test campaign where a plurality of computers are scanned for vulnerabilities and observed for responses to probing);
perform a search of at least one of a local database (Gorodissky, ¶ 28-29, the results of probing during a penetration test campaign are correlated to a pre-compiled knowledge base to determine given vulnerabilities for each node in the campaign.  Gorodissky, ¶ 14 teaches a database in the penetration testing system to store information related to the test);
generate one or more targeted exploits for each of the plurality of target computer devices (Gorodissky, ¶ 29, 110, and 115, each of the nodes in the penetration testing campaign has a specific exploit chosen for it based on the vulnerabilities found in the reconnaissance step); and
execute the one or more targeted exploits on the corresponding target computer device (Gorodissky ¶ 111 and 116, the attacks are performed on each node in the penetration campaign based on their respective vulnerabilities)”.
Before applicant’s earliest effective filing it would have been obvious to one of ordinary skill in the art, having the teachings of Picard in view of Chen and Gorodissky to modify the penetration testing and remediation reporting system of Picard and Chen, to include the implementation of a penetration test campaign against a plurality of computers of a given client network as taught by Gorodissky.  The motivation to do so, as stated by Gorodissky, ¶ 2, would be to protect against cascading compromised networked computer systems in an organization where a first compromised computer system opens up the possibility for larger network compromise in potentially more sensitive information environments within the organization.

Conclusion
	In the case of amending the claimed invention, Applicant is respectfully requested to indicate the portion(s) of the specification which dictate(s) the structure relied on for proper interpretation and also to verify and ascertain the metes and bounds of the claimed invention.
The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure: See PTO-892.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to STEPHEN GUNDRY whose telephone number is (571)270-0507 and can normally be reached on Monday - Friday 8:30 AM - 5PM EST.
	If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on (571) 272-3685.  The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.
	Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at (866) 217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call (800) 786-9199 (IN USA OR CANADA) or (571) 272-1000.
/STEPHEN T GUNDRY/
Examiner, Art Unit 2435